16 October 19, 07:53
Quote:
Ransomware attacks continued to become more focused and sophisticated in Q2 and Q3 2019. In contrast to the spray-and-pray campaigns of the past, threat actors are increasingly targeting larger and more profitable targets such as businesses, schools and government organizations.
Ransomware strains such as Ryuk played a dominant role, crippling dozens of public entities across the U.S., while ransomware-as-a-service like Sodinokibi and GandCrab enabled ransomware distributors to generate millions, perhaps even billions, of dollars in ransom payments.
This report is based on data from more than 230,000 submissions to Emsisoft and ID Ransomware between April 1 and September 30, 2019. Created by Emsisoft Security Researcher Michael Gillespie, ID Ransomware is a website that enables both businesses and home users to identify which ransomware strain has encrypted their files by uploading the ransom note, a sample encrypted file and/or the attacker’s contact information. It also directs the user to a decryption tool, should one be available.
For details on ransomware attacks against U.S. governments, education and healthcare entities, see State of Ransomware in the U.S.: 2019 Report for Q1 to Q3.
What are the most commonly reported ransomware strains?
1. STOP (DJVU): 56%
The most commonly reported ransomware strain during the period April 1 to September 30 was STOP (sometimes referred to as DJVU), which accounted for 56 percent of all submissions. There were more than 76,000 STOP/DJVU submissions to ID Ransomware, which probably represents only a fraction of the total number of victims. First spotted in late 2018, STOP/DJVU has grown to include dozens of variants.
STOP targets home users and is often distributed via torrent sites. It is typically hidden in applications such as software cracks and key generators, which are tools that allow users to activate paid software for free.
Once executed, STOP encrypts files with AES-256 encryption and instructs the victims to pay a ransom of $490 worth of Bitcoin in exchange for decryptor software and a private decryption key. After 72 hours, the ransom demand doubles to $980. Free decryption tools are available for a limited number of variants, but newer versions cannot be decrypted.
2. Dharma (.cezar family): 12%
The second most common ransomware submitted to ID Ransomware over Q2 and Q3 2019 was a Dharma variant that appends the .cezar extension to encrypted files. It accounted for 12 percent of submissions.
Dharma has been around in one form or another since 2016, but has seen a spike in activity in recent months. This may be due to threat actors making more effective use of multiple attack vectors such as malicious email attachments, infected installers and weak or leaked RDP login credentials. Unlike many other types of ransomware, Dharma (.cezar family) does not specify a ransom amount; instead, it instructs victims to contact the ransomware distributors via email to negotiate the ransom. The ransom amount tends to be higher for larger companies.
Dharma primarily targets businesses. It has affected a number of major organizations, including Altus Baytown Hospital, Texas. The attack encrypted hospital records and files containing important patient information such as names, social security numbers, credit card information and more. The hospital refused to pay the ransom, and instead hired a cybersecurity consultant to restore the hospital’s systems from backups.
...