Spotlight on Current & Emerging Ransomware Attacks

Published on 01 May 2023


Coveware's new study shows that paying ransoms could lead to more, and more sophisticated, ransomware attacks.

In a study released on Monday, the security company said that average and median ransom payments were up in the first quarter of this year, and it appears that some ransomware groups reinvested the proceeds in better ways to break into organizations. In the first quarter, Coveware saw a drop in phishing email as an initial access vector and increased exploitation of software vulnerabilities. According to the study, the most commonly exploited flaws were known vulnerabilities in Fortinet and Pulse Secure VPN products.

Overall, the average ransom payment went up by 43%, from $154,108 in the fourth quarter of 2020 to $220,298 in the first quarter of 2021. The median payment rose by more than 50% in Q1, to $78,398.

The study says that many threat groups, such as those behind Sodinokibi, Conti V2, and LockBit, pushed up the average and median. Clop ransomware in particular was very active in the first quarter and hit many victims with very high ransom demands.

Coveware said that paying these demands gives victims a false sense of security, leads to unintended consequences, and creates future obligations.

So, what does this mean? What are the current and emerging ransomware attacks to look out for? Check out this whitepaper to learn more.

Understanding WannaCry and DearCry

Ransom:Win32/DoejoCrypt.A, also known as "DearCry," is a new family of ransomware that infected several organizations through multiple zero-day vulnerabilities in on-premises versions of Microsoft Exchange Server. These vulnerabilities were first used by several threat actors, including a Chinese nation-state group, to attack organizations.

The first report of DearCry came from Michael Gillespie on Tuesday. He is the author of the free ransomware tracking service ID Ransomware. On Thursday, he tweeted that samples carrying the "DEARCRY!" file marker were being submitted to ID Ransomware from Exchange servers.

Gillespie said that as of Thursday, ID Ransomware had received reports of DearCry from six IP addresses in the United States, Canada, and Australia. MalwareHunterTeam, a group of security researchers who work with ID Ransomware, said in a tweet that they had also heard from victims in Austria and Denmark.

BleepingComputer published a report on the ransomware on Thursday evening, linking it to the Microsoft Exchange Server flaws, the most serious of which is ProxyLogon. Later that evening, Microsoft Security Intelligence sent out a tweet that was its first public response to DearCry.

Black Kingdom ransomware stopped by changing a Mega password

Black Kingdom ransomware was observed in recent ProxyLogon attacks against Microsoft Exchange servers, and a simple password change stopped it, at least temporarily. Brett Callow, a security researcher at Emsisoft, told SearchSecurity that Black Kingdom generates encryption keys and uploads them to the cloud storage service Mega. But, he said, if the ransomware can't reach Mega, it falls back to a static, local key. In recent attacks, Black Kingdom did not appear to be able to reach Mega, and in some cases it used the static key instead.

"Someone changed the password to the Mega account, so the ransomware can't get to it and goes back to using the hardcoded key," Callow said. "Because we have the hardcoded key, we may be able to help people recover their data."

It's unclear when the password was changed, but Callow told SearchSecurity about it on Monday morning. SearchSecurity decided not to publish the information immediately so that the Black Kingdom threat actors wouldn't learn that the ransomware had been stopped.

Mark Loman, the head of engineering for next-generation technologies at Sophos, wrote a blog post about the ransomware on Tuesday that explained how it interacts with Mega. Loman told SearchSecurity that files encrypted with the static key can be decrypted with that same key. He also confirmed that the software can't connect to Mega.


Download Tech Target's whitepaper to learn more about Spotlight on Current & Emerging Ransomware Threats only on Whitepapers Online.