Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Russian orgs heavily targeted by smaller tier ransomware gangs
#1
https://www.bleepingcomputer.com/news/se...are-gangs/      Russian orgs heavily targeted by smaller tier ransomware gangs
By Bill Toulas
October 8, 2021 10:40 AM      Even though American and European companies enjoy the lion’s share of ransomware attacks launched from Russian ground, companies in the country aren’t spared from having to deal with file encryption and double-extortion troubles of their own.

The actors who trouble Russian and CIS-based companies in general though, aren’t REvil, LockBit, DarkSide, and any of the more notorious groups that launch high-profile attacks on critical infrastructure targets.

As Kaspersky explains in a detailed roundup on cyberattacks in the first half of 2021, the CIS (Commonwealth of Independent States) is also the target of a vivid cyber-criminal ecosystem targeting Russian firms every month, and most of them go unreported.

The groups that comprise this largely ignored subcategory of ransomware actors are typically less sophisticated, predominately use older strains or leaked malware,and establish intrusion on their own instead of buying access to the targets.

The most notable the ransomware families that were deployed this year against Russian targets are the following:

BigBobRoss
Crysis/Dharma
Phobos/Eking
Cryakl/CryLock
CryptConsole
Fonix/XINOF
Limbozar/VoidCrypt
Thanos/Hakbit
XMRLocker
Old but still active
Those that stand out as the historically most successful strains are Dharma and Phobos.

Dharma first appeared in the wild five years ago under the name Crysis, and despite its age, it still features one of the strongest and most reliable encryption schemes. Dharma actors typically gain unauthorized RDP access after brute-forcing credentials and deploy the malware manually.

Phobos came out in 2017 and reached its culmination point in early 2020. In this case too, the main entry point for the actors is unauthorized RDP access. It’s a C/C++ malware that has contextual technical similarities to the Dharma strain, but no underlying relation.

Another noteworthy example is CryLock, a veteran of a strain that has been circulating since 2014. The samples that Kaspersky analyzed this year are modern versions that were entirely rewritten from scratch in Delphi.

The cases of opportunistic attacks using leaked ransomware strains concern mainly Fonix, which wrapped up its RaaS program in January this year. The others are still operational, but are all considered lower-tier operations in the cybercrime world.

Fonix ransomware notice
A Fonix ransomware notice - Kaspersky
Although these RaaS programs come and go, they’re not without firepower. Kaspersky warns that some of these strains are still developing, with authors working on making their strains more potent, so none should be ignored.

Russian companies can prevent many of these threats by simply blocking RDP access, using strong passwords for domain accounts that are changed regularly, and accessing corporate networks through VPN.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Eugene Kaspersky Targeted attack on our management with the Triangulation Trojan. mrtrout 0 482 06-02-2023 , 03:59 AM
Last Post: mrtrout
  Google ads push BumbleBee malware used by ransomware gangs mrtrout 0 761 04-23-2023 , 03:59 AM
Last Post: mrtrout
  Ransomware gangs abuse Process Explorer driver to kill security software mrtrout 0 424 04-20-2023 , 07:56 PM
Last Post: mrtrout
  Kaspersky’s Advanced Targeted Threat Predictions For 2022 mrtrout 0 571 11-16-2021 , 02:55 AM
Last Post: mrtrout
  Ransomware gangs hit several tribal-owned casinos in the last year mrtrout 0 508 11-08-2021 , 02:11 AM
Last Post: mrtrout

Forum Jump:


Users browsing this thread: 1 Guest(s)