Ransomware attacks Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ransomware-attacks/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Fri, 05 Jan 2024 04:36:19 +0000

Redline and Vidar Stealers Switch to Ransomware Delivery
https://gridinsoft.com/blogs/redline-and-vidar-ransomware/
Wed, 20 Sep 2023 16:13:53 +0000

The post Redline and Vidar Stealers Switch to Ransomware Delivery appeared first on Gridinsoft Blog.

The cybercriminals behind the RedLine and Vidar stealers have decided to diversify their activity. Now the crooks deploy ransomware, using the same spreading techniques they used to deliver their spyware. Meanwhile, the ransomware deployment process is rather unusual and is full of advanced evasion techniques.

What are Redline and Vidar Stealers?

RedLine is infostealer malware that appeared back in 2020 and is offered under a Malware-as-a-Service model. Cybercriminals appreciate it for its wide functionality, which includes not only automated data gathering but also manual commands for scanning directories. And, as is typical for any stealer, it relies on stealthiness, which is further enhanced by crypter software that comes bundled with the malware.

Vidar is similar but different. Aiming at a similar list of desktop apps, browsers and crypto wallets, it is closer to a classic stealer. Once it finishes collecting information, all the gathered data is packed into an archive and sent to the command server. When this transfer is over, Vidar performs “melting”, i.e. it simply deletes itself.

RedLine and Vidar Ransomware Delivery

In late summer 2023, the developers of the RedLine and Vidar stealers started spreading ransomware on their own. The methods of gaining initial access remained the same: crooks send victims an email with expected or unpleasant news and an attachment. This attachment, as you guessed, is the payload. The use of double extensions (pdf.htm, in one of the cases noticed by analysts) is quite typical for such attacks. Since Microsoft blocked macros in documents downloaded from the Web, both new and rather old spreading methods were put back into use.

Vidar & RedLine Ransomware

Once the victim runs the file, the chain of executions starts. First, the JScript file connects to an intermediary server, then downloads and executes an .exe file. This file, in turn, initiates the download of a PNG picture, which is in fact a bitmap image. The image is then decoded into shellcode, which in turn produces yet another shellcode, saved to the Temp folder.

The second shellcode is launched in a Command Prompt instance spawned by the aforementioned .exe file. This is how the final payload comes into view: a trojanized console build of the 7-Zip utility. Upon execution, it launches the ransomware attack.

RedLine Uses EV Certificates to Conceal Itself

Another interesting, though not novel, tactic used by hackers is embedding EV certificates into malware. RedLine started using this practice in June 2023, beginning with its stealers. Extended Validation (EV) code signing certificates appeared as a shortcut for large companies to sign their software. Instead of the thorough checks that precede the issuance of a regular code signing certificate, this one needs only a request from the company. To be eligible to request EV certificates, the company must first pass a 16-stage verification covering every aspect of its identity. But, as commonly happens, cybercriminals found a way to use it for their benefit.

It is not uncommon for certificates to leak, but the trust level is what makes this case critical. Regular certificates require less authentication to issue and consequently carry less trust. EV certificates, on the other hand, rarely fall under suspicion, and frequent revocations could become a problem for the company. There is also no clear information on how the EV certificates leaked. In the case of RedLine, such use becomes exceptionally threatening because of the number of its samples that appear every day.

RedLine stats

How to protect against ransomware?

Surely, modern ransomware amazes with the diversity of its evasion techniques and the damage done to the system. However, the spreading methods remain more or less the same for most families and samples. Email spam, questionable software downloaded from third-party sources: the crooks have no reason to change a well-working scheme. And your best countermeasure is paying attention to those spreading methods.

Do not interact with questionable emails. Hackers commonly use buzzwords that create a sense of urgency for the required action. That is what sharply distinguishes genuine messages from spam: companies never do that. Even though some messages are styled to look legitimate and echo what you are waiting for, avoid haste and check the details of the message. Aside from the text style, the sender address in spam messages typically differs from the legitimate one. Fortunately, there is no way to hide the sender’s address.

Be careful with files from the Internet that you are about to run. The double-extension trick (like .pdf.exe) has existed for over two decades, and hackers never shy away from using it. Since Windows hides file extensions by default, it is extremely easy to get fooled this way. In your File Explorer settings, you can make it show the extensions. Go to the View button on the upper panel, then click Show → File Name Extensions in the drop-down list. This will make it much easier to spot such tricky files.

Enable file extensions File Explorer
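The same setting can be applied from PowerShell, which is handy when you administer several machines. The script below is an added example and is not code from the Gridinsoft post: it flips the real Explorer registry value `HideFileExt` that the View menu option controls, then lists files in a folder whose name carries a document-looking inner extension followed by a runnable outer extension (the `.pdf.exe` pattern described above). The folder path and both extension lists are assumptions chosen for illustration.

```powershell
# Added example (not from the Gridinsoft post).
# 1) Make File Explorer show file extensions (the same switch as View -> Show -> File Name Extensions).
# 2) Report double-extension files whose real (outer) extension is executable or scriptable.
# The registry path and the HideFileExt value are the real Explorer settings; the
# extension lists and the default folder are assumptions for this example.

$ExplorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Enable-FileExtensions {
    # HideFileExt = 1 (Windows default) hides extensions; 0 shows them.
    Set-ItemProperty -Path $ExplorerAdvanced -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer reads this value when it starts, so restart the shell for the change to apply.
    # Windows normally relaunches explorer.exe by itself; if it does not, run: Start-Process explorer
    Stop-Process -Name explorer -Force
}

function Get-DoubleExtensionFiles {
    param(
        # Folder to scan (assumed: the current user's Downloads folder).
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
        # Outer extensions that execute code when double-clicked (assumed list).
        [string[]]$RunnableExtensions = @('.exe', '.scr', '.com', '.pif', '.js', '.jse', '.vbs',
                                          '.vbe', '.wsf', '.hta', '.htm', '.html', '.lnk',
                                          '.bat', '.cmd', '.ps1'),
        # Inner "document" extensions a lure typically imitates (assumed list).
        [string[]]$DocumentExtensions = @('.pdf', '.doc', '.docx', '.xls', '.xlsx',
                                          '.jpg', '.png', '.txt', '.zip')
    )

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # For "invoice.pdf.exe": Extension is ".exe", BaseName is "invoice.pdf",
        # and the extension of the BaseName is the fake inner extension ".pdf".
        $outer = $_.Extension.ToLowerInvariant()
        $inner = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()

        if ($inner -and ($RunnableExtensions -contains $outer) -and ($DocumentExtensions -contains $inner)) {
            [pscustomobject]@{
                Path          = $_.FullName
                ShownAs       = $_.BaseName   # what Explorer displays while extensions are hidden
                RealExtension = $outer        # what actually runs on double-click
            }
        }
    }
}

Enable-FileExtensions
Get-DoubleExtensionFiles | Format-Table -AutoSize
```

The scan only reports; it does not delete or quarantine anything, so it is safe to run over a folder first and review the list. Because `HideFileExt` lives under HKCU, the setting applies to the current user only; to enforce it for every account, deploy the same value through Group Policy Preferences instead.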

Use reliable anti-malware software with advanced heuristic features. As you may have guessed, the ransomware from the RedLine developers is quite hard to detect statically. It hides in heavily encoded files that are hard to identify by any means, and even the final payload masquerades as a legitimate console utility. In such a sophisticated case, only a heuristic detection method can help. GridinSoft Anti-Malware has multi-stage heuristic analysis with a neural scanning engine on hand. It can effectively detect such threats – try it out!

Ransomware Attacks Decline in 2023 – Is It True?
https://gridinsoft.com/blogs/ransomware-attacks-decline/
Tue, 30 May 2023 12:34:08 +0000

According to ransomware attack statistics, the number of incidents involving this type of malware is expected to decline in 2023. But is that the right conclusion, or is the picture less clear-cut? Today we will look at analysts’ opinions and work out why ransomware activity is decreasing.

Some statistics

According to the X-Force Threat Intelligence Index 2023, ransomware’s share of incidents decreased by 4 percentage points between 2021 and 2022. While ransomware accounted for 21% of all incidents in 2021, it dropped to 17% in 2022. For some groups, 2022 was not the most successful year. For example, the Russian group Trickbot was forced to terminate Conti ransomware operations and decommission two known malware families. This resulted from joint sanctions imposed by the United Kingdom and the United States against group members. LockBit, on the other hand, took the lead in the market and covered all 17% of incidents for 2022.

What caused the decrease in the number of incidents?

On the one hand, the decrease in incidents may be due to reduced incident reporting. For example, the FBI claims that only about 20% of victims report an incident, so a large share of affected organizations never report at all. On the other hand, experts attribute the decline to the recent problems faced by threat groups. Experts also say this is a temporary phenomenon and do not rule out that the criminals are regrouping and starting new operations. Moreover, some attackers have lately begun cooperating with other “colleagues in the industry”, which only makes them more effective.

Efficiency of protective measures

Another important reason ransomware attacks are becoming less effective is the adoption and improvement of EDR solutions. EDR solutions are practical and significantly reduce the negative effect of ransomware attacks. There are also other effective means against cyberattacks, including firewalls and UBA/SIEM/SOAR technologies. These technologies detect and analyze abnormal behavior of users and entities in an information system. In addition, they collect, aggregate and analyze security event data, which allows you to identify potential cyberattacks and take appropriate security measures. Experts emphasize the obvious point that the more organizations invest in protection, the less effective ransomware attacks will be.

War in Ukraine

The war in Ukraine has created significant problems for the ransomware industry. Since most of the gangs are based in Russia, the latter’s full-scale invasion of Ukraine has disrupted the business model of ransomware attackers. Some gangs, even major ones like Conti, had members all over Eastern Europe, so the outbreak of war inevitably affected their operations. In addition, U.S. sanctions against the cryptocurrency exchanges that Russian criminals use to launder ransoms disrupted the activities of these bad actors. Therefore, the decrease in ransomware activity is closely related to Russia’s situation on the world stage.

Disruption of Darknet marketplaces

There have been significant recent successes in the fight against cybercrime. Law enforcement agencies have shut down two major darknet sites that served as essential trading points for criminals: Breached Forums and Genesis Market, both of which had a significant impact on cybercriminal activity. Buying malware and initial access, and selling stolen data, is now much harder than it used to be. Not surprisingly, the closure of these sites created problems for cybercriminals.

THIS WEBSITE HAS BEEN SEIZED
This is what the website looked like after the FBI visit

Fewer organizations willing to pay ransoms

According to statistics, the share of victims willing to pay a ransom in 2022 also dropped by 14 percentage points compared to the previous year. While in 2021 the share of victims who paid criminals to decrypt their files was 82%, in 2022 it was 68%. This may also have been influenced by an increase in the average payment of almost 71% compared to the previous year. As for the reasons pushing victims to make this decision, there are several:

  • Paying a ransom does not guarantee data return but doubles the recovery cost. In addition, statistics show that 1 in 4 victims do not receive decryption keys.
  • More and more organizations are using practical data backup tools.
  • Paying a ransom signals a successful attack and encourages criminals to go even further.

Average ransom stats
Average ransom payment statistics. Q1 2023 is likely to set a new record.

Information Sharing in Incident Response

Effective threat prevention strategies require robust defense mechanisms, including information sharing. While there have been improvements, there is still much room for progress. As one expert noted, “Information is power and, in cybersecurity, it’s the power to prevent similar events from happening.” Cybercriminals target sectors that cannot afford the downtime ransomware causes, such as the mining and industrial sectors, where operational interruptions can result in millions of dollars in losses. ISACs have a critical role to play in helping industries combat ransomware attacks.

Analytical note

Experts find it hard to say whether the number of incidents has decreased. Still, the number of ransoms being paid has gone down. This may be due to organizations improving their backup protection and to the legal risk of paying created by OFAC (Office of Foreign Assets Control) sanctions. This trend may continue in 2023. Analysts are hopeful about the decline but also concerned that groups may adopt more extreme tactics to increase their conversion rates. Specifically, groups may use stolen data to target customers and business partners. The current trend is to target businesses and sectors that cannot afford to be affected, have significant tech debt, and are likely to pay to alleviate the damage. However, this does not only apply to Fortune 500 companies; small and medium enterprises are also vulnerable to these attacks.

Recommendations to prevent ransomware attacks

To avoid ransomware attacks, organizations should implement a range of measures, for example application control, disabling macros in email attachments, and adopting a zero-trust posture. In addition, experts suggest taking a proactive approach to cybersecurity, especially in areas vulnerable to such attacks as identity and access controls; this can be achieved with methods like password vaulting and multi-factor authentication. Frequent data backups, an incident response plan, and cyber insurance are essential. Threat intelligence platforms can also help track ransomware gangs and their tactics to prevent attacks. Organizations can stop ransomware actors from launching a debilitating encryption attack by catching the initial intrusion or malicious activity. In addition, I have a couple of solutions that could significantly reduce the ransomware problem:

  • Make it absolutely illegal to pay the ransom. As long as some companies/organizations keep paying, it will never stop. Financing crime needs to be absolutely illegal anyway. Not to mention, why would ransomware gangs keep attacking countries that absolutely ban ALL ransomware payments? Wouldn’t that be just a lot of cost/effort/risk without making any money for them?
  • Make it mandatory for all companies/organizations to do periodic (automated) full data backups. They all need to have a plan ready to reinstall all their software and reload the most recent backup data. Aside from ransomware, regular automated full data backups help safeguard against various risks such as hardware failures, natural disasters, and human errors. By periodically backing up data, organizations capture and store a snapshot of their critical information, ensuring they have a recent copy available for recovery if data loss or system failure occurs.

Huge Ransomware List by Gridinsoft Research – Part #2
https://gridinsoft.com/blogs/huge-ransomware-list-part-2/
Wed, 21 Dec 2022 12:54:41 +0000

We talked a lot about notorious ransomware examples in Part #1 of this series. Still, that was not enough to cover all the noteworthy ransomware attacks. In Part #2, we will have a look at more notorious attacks and at ransomware families: groups of actors that use a single ransomware sample or its derivatives.

More Interesting Ransomware Attacks

Westrock ransomware attack

Active: January-February 2021
Damage: $269 million in idle losses
Ransom: $20 million for file recovery

Westrock, a US-based packaging producer with a leading position in its market, was struck by a ransomware attack on January 25, 2021. The attack itself was uncovered on January 23; however, understanding what had happened and issuing the press release took two days. The consequences were resolved by February 5, but the two-week idle period led to a sales loss of $189 million and operating losses of $80 million. While the corporate network was out of action, the company failed to deliver 85 thousand tonnes of packaging.

Westrock press release
Westrock notice about the cybersecurity incident

AXA ransomware attack

Active: May 2021
Damage: 3TB of confidential data leaked
Ransom: undisclosed

The French insurance giant, or rather its branches in Malaysia, Hong Kong, Thailand and the Philippines, was struck by Avaddon ransomware on May 4, 2021. Ironically, this happened days after the company announced that it would stop covering ransomware-related incidents. AXA seems to be keeping the financial impact of the case secret. However, Avaddon’s leak site listed 3 terabytes of data they had taken from the company.

Avaddon ransomware AXA leak site
AXA listed on the Avaddon ransomware leak site

Cloudstar ransomware attack

Active: mid-July 2021
Damage: Over a month of idle, money losses undisclosed
Ransom: undisclosed

Cloudstar, a provider of cloud virtual desktops, was hacked on July 19, 2022. The first signs of the attack appeared on July 18, and the following day the company’s services were unavailable. Soon after, the company issued a press release mentioning a “highly-sophisticated ransomware attack”. They did not disclose any specific numbers, such as money lost or the ransom demanded. Even after a month of shutdown, Cloudstar was not fully operational, as August reports on the case claim.

Bad Rabbit ransomware

Active: mid-2017 – late 2017
Damage: ~200 victims
Ransom: $280 (in Bitcoin)

Being the offspring of a noble family always carries the risk of remaining in the shadow of your parents. So it happened to Bad Rabbit ransomware, which is based on Petya/NotPetya ransomware. The first notice of this malware appeared shortly after the Petya ransomware attack we mentioned above. Possibly, the early reaction to that threat kept its spread low. Despite having a pretty unique spreading method, JavaScript-based exploitation on websites, it had only around 200 victims. Like its predecessors, it blocked access to the system and showed a ransom note instead. By the end of 2017, it had completely ceased activity.

BadRabbit ransom note
Ransom note of BadRabbit ransomware

REvil Ransomware group

Active: April 2019 – October, 2021
Damage: over 5000 victims over the globe
Ransom: ~$600,000 on average, peaking at $70 million

Along with Conti and LockBit, REvil (first known as Sodinokibi) is one of the most notorious ransomware gangs active during the last 3 years. Its nominal shutdown in October 2021 only means that its Darknet infrastructure was disabled. Key actors, including Maksim Yakubets, their chief, remain free. The latter is also known for not being ashamed of his cybercrime gains and for driving various cars with a “BOP” (Russian for “thief”) number plate. When attacking companies, REvil mostly relies on RDP vulnerabilities and other network vulnerabilities. Most analysts tie its codebase and threat actors to GandCrab ransomware, the group that ceased its activity in 2018. The REvil group applies both double extortion tactics and the RaaS operating model. The latter makes its chiefs pretty hard to catch, despite their publicity.

Yakubets REvil
REvil chief – Maksim Yakubets – having a chat with a policeman.

HelloKitty ransomware

Active: January 2021 – now
Damage: uncalculated
Ransom: depending on the victims’ financials

It is a pretty rare case when malware gets its name from one of its components. HelloKitty ransomware is so called because of the mutex it creates in the attacked system. Still, that is not its main distinguishing feature. Contrary to most cybercriminals, who use well-known and trite methods like phishing or RDP breaches, this gang opts for a rather uncommon intrusion vector. Their current choice is Dell SonicWall firewall vulnerabilities, which allow them to break into the targeted network. Among the most famous victims of such an attack is the Polish game developer CD Projekt Red. Another unusual detail about HelloKitty ransomware is that the ransom is adjusted to the company’s income. It may look like a good deed, but it may also be a sign that the gang analyses the leaked files to obtain detailed information about the company’s financials. Some gang members were captured in Ukraine in October 2021, but that did not stop the gang’s activity.

CD Project Red ransomware attack notice
CDPR’s notice about the cyberattack

MedusaLocker Ransomware group

Active: October 2019 – now
Damage: uncalculated
Ransom: $12,500 at average

MedusaLocker clearly refers to the Greek legend of Medusa, a woman who could turn to stone anyone who met her eyes. Such a dangerous association is complemented by a wide range of anti-detection and anti-removal methods that the malware employs on the infected system. Disabling security tools, modifying the registry, re-running the cryptor, scanning and encrypting connected directories: all this makes the malware even more dangerous. The spreading methods this group uses, however, cannot boast of originality: the crooks use “classic” RDP breaches. The double extortion technique, common to nearly all groups, is used by MedusaLocker as well.

BitLocker Ransomware

Active: Late 2021 – now
Damage: uncalculated
Ransom: $300 – $100,000

The name of this ransomware may look familiar to users who apply enhanced data security measures in Windows. Yes, it comes from BitLocker, the default Windows utility for disk encryption. In fact, this malware does not contain any ransomware code of its own: it uses BitLocker functionality to lock users out of their data. Such attacks have proven quite hard to counter, as almost no malicious code is used. The crooks who used this technique also managed to exploit MS Exchange vulnerabilities. This attack approach was used by several cybercrime groups, although it never saw mass use.

BitLocker recovery
BitLocker access recovery screen

BlackByte Ransomware gang

Active: July 2021 – now
Damage: ~700 companies hacked
Ransom: $200,000 – $6.5 million

BlackByte is yet another example of ransomware that tries to be the best at everything. Constant updates to both the ransomware and its auxiliary software have made it really dangerous and prolific. In particular, this gang archives the files from the attacked network before sending them to cloud storage. Another interesting detail is their switch from C# to Golang, which happened in early 2022. Still, like other gangs, they invent nothing new when it comes to distribution: the typical routes for BlackByte are phishing emails and network security breaches.

BlackByte ransom note
BlackByte ransom note with ASCII-art

Avaddon Ransomware gang

Active: February 2020 – June 11, 2021
Damage: 2934 companies hacked
Ransom: $40,000-$600,000

Only a few ransomware groups go offline because of their success. Most of the time they are forced to, by law enforcement or white hat hackers. Avaddon is an example of the former: they voluntarily shut down their operations after over a year of successful hacks. The biggest gem in their collection of victims is the French insurance company AXA. The key spreading method this group used was email spam containing a malicious archive. Later, they also adopted the exploitation of vulnerabilities in RDP and VPN connections. To motivate their victims to pay, they used to set a payment deadline of 10 days. Once a victim failed to pay, Avaddon operators published the leaked data on their Darknet website.

Avaddon ransomware note
Typical Avaddon ransom note

Makop ransomware

Active: January 2020 – now
Damage: uncalculated
Ransom: $31,382 (haggling is possible)

Some ransomware developers, after acknowledging that their brainchild’s cipher is vulnerable, try to upgrade it and fix the issue. That is not the case with Makop ransomware, which uses multiple encryption techniques in a random order. Such an approach makes it nearly impossible to create a universal tool that could decrypt the files. Makop does have a flaw in the way it generates the encryption keys, so there was a chance of finding a key by brute force. Or rather, there could have been. Another interesting detail is its ability to use several CPU threads to encrypt the files on each specific drive. The spreading methods, however, are pretty trivial: RDP vulnerability exploitation and email phishing have become the alpha and omega of the vast majority of cyberattacks.

Makop files
Files enciphered by Makop ransomware

STOP/Djvu Ransomware family

Active: February 2018 – now
Damage: uncalculated
Ransom: $490-$980

Favourite, main threat, key threat actor across the entire market: all these words describe STOP/Djvu ransomware. Despite a certain drop in activity over the last 6 months, STOP ransomware has not given up first place to anyone, retaining over 50% of all infections. It attacks mostly individuals and thus relies on automated spreading methods. Email spam, fake program cracks and hack tools are the most popular sources of this malware. Currently, Djvu ransomware has over 600 variants, which differ by the extensions they add to files during encryption. This ransomware features a pretty unique anti-detection tactic: each new sample is repacked in a specific way, so it cannot be detected with signature-based mechanisms.

STOP/Djvu readme
Common ransom note of STOP/Djvu ransomware

Matrix Ransomware group

Active: December 2016 – now
Damage: uncalculated
Ransom: $120,000 at average

Matrix is yet another old-timer, which has been running since late 2016. That is an immensely long time for ransomware to run without any interruption, rebranding or restructuring. The group can boast of such longevity only because of its flexibility in a rapidly changing environment. Over these 6 years, they have changed their spreading methods multiple times and adjusted the ransomware itself as well. At first, they got into systems and expanded their activity via Windows shortcut vulnerabilities, the RIG exploit kit and phishing. Currently, their choice is pretty much classic: RDP vulnerability exploitation. The distinctive feature of this malware is its readme banners, scary and funny at the same time.

Matrix ransomware ransom note banner
Matrix ransom note is more similar to a screenlocker’s banner

Snatch Ransomware group

Active: late 2018 – now
Damage: over 200 companies hacked
Ransom: $2,000 – $35,000

Using references to popular movies is not typical for ransomware. But that did not stop this gang from naming themselves after Guy Ritchie’s Snatch (2000). One of their members uses the nickname BulletToothTony, and their contact email is imboristheBlade@protonmail.com. They have advertised themselves openly on Darknet forums, along with searching for new affiliates there. Lately the gang has become less public, preferring to attack companies rather than talk. The ransomware the Snatch group uses is written in Golang, a fairly uncommon choice that makes it harder to detect. Spreading generally relies on RDP brute forcing and, more rarely, email phishing.

VoidCrypt Ransomware

Active: April 2020 – now
Damage: >800 companies attacked
Ransom: heavily depends on a victim

Some ransomware is dangerous because of its consistency and high-quality code. That is not the story of VoidCrypt, which is dangerous because of its unpredictability. First of all, their malware is modified often, which makes it both hard to detect and impossible to predict its effects. Meanwhile, contacting them by email quite often yields nothing: you may receive no response at all. And in the message itself, you receive threats that the sum will increase if you fail to contact them in time. Such behaviour is troubling, especially because VoidCrypt generally attacks individual users. The codebase of this malware seems to be used in numerous other ransomware samples, despite the fact that they claim no relation.

Xorist Ransomware family

Active: December 2010 – now
Damage: uncalculated
Ransom: 0.05-2 BTC

This, apparently, is the oldest ransomware family still running today. Sure, modern variants share only a few details with the original, released in 2010. But the numerous offshoots it spawned during its 12-year history make it quite hard to count the number of victims. The first versions of Xorist had victims contact the extortionists not by email but via SMS. It also uses a weaker cipher: AES-128 instead of the 256-bit version. Still, that did not stop this ransomware from being effective. The builder for this ransomware was leaked to the public, and it looks like a poorly designed tool for script kiddies. Apparently, that builder is the key to such a large number of offshoots.

Xorist builder interface
The interface of Xorist ransomware builder

HiddenTear Ransomware family

Active: August 2015 – now
Damage: uncalculated
Ransom: depends on the variant

Maybe the oddest thing you can imagine is open-source ransomware. And here it is: HiddenTear. This malware was initially designed for educational purposes by the Turkish researcher Utku Sen. However, once its source code appeared on GitHub, crooks began using it after slight adjustments. The original variant encrypted only one folder and used a cipher with a flaw that made it possible to brute force the key. Fixing these issues is not a hard task, so after a certain “advancement” it was as good as full-fledged ransomware. It is used by multiple cybercrime gangs around the globe.

Dharma Ransomware family

Active: February 2016
Damage: around 1000
Ransom: average $8,620, peaking at $15,000

The first name of this ransomware was CrySiS, and it was in use until early 2017. Only then did the Dharma name come into view, which is why you sometimes see it called Dharma/CrySiS. It still exists in pretty much the same shape nowadays, in 2022, attacking primarily companies. Dharma is known for hiring inexperienced hackers: they post a lot of messages on forums about their recruiting program. Still, despite dealing with amateurs, they have mastered RDP breaching. Typically, they get in by phishing credentials for remote connections or by simple brute force.

Pop-up message Dharma
Pop-up message displayed by Dharma ransomware

Huge Ransomware List by Gridinsoft Research – Part #1
https://gridinsoft.com/blogs/huge-ransomware-list-part-1/
Mon, 19 Dec 2022 20:10:59 +0000

Ransomware is rightfully considered one of the most dangerous types of malware. It attacks individuals and companies, creating a mess in their files and paralysing their work. And even among such devastating malware, some families stand out. Let’s have a look at the most notorious ransomware attacks that ever happened.

What is ransomware?

If you are not completely familiar with this malware type, let me remind you about it. Ransomware is malicious software that encrypts the files within the attacked system. Once it has finished its job, it notifies the user about what happened with numerous ransom notes, pop-up windows or the like. These notes also contain information about the ways to pay the ransom. A common way is paying in cryptocurrency by sending it to a designated wallet. Sums vary depending on the target: individuals usually pay $500-1000, while the average ransom for corporations is around $150,000.

Ransom note may appear as a wallpaper on the desktop of an attacked system

Ransomware does not appear out of the blue; it is created by skilled hackers who do their best to make the cipher unbreakable and the malware itself undetectable. Still, the ones who create ransomware rarely do the dirty job themselves – that is, distributing it to the victims. They hand this task to other cybercriminals, who purchase the malignant thing and manage it as they wish. Besides paying for the “product”, affiliates pay for each successful attack – a share of the ransom they receive. This form is called “ransomware-as-a-service”, or RaaS. Needless to say, most of the risk of prosecution and arrest also falls on the affiliates. Ransomware seems to give birth to a perfectly organised cybercrime, where millions of dollars circulate each month.

Notorious Ransomware Attacks You Should Know About

What can be called an attention-worthy ransomware attack? From the perspective of an attacked victim or a company, their case is as important as any other. But look at a bigger scale – and most of the cases will be pretty much the same. Here, we will review ransomware attacks that became a worldwide phenomenon and hit the newspaper headlines.

WannaCry Ransomware attack

Active: 12-15th May 2017.
Damage: ~200,000 computers over the world; billion-dollar idle losses
Ransom: Total of $130,634 (327 payments)

WannaCry is possibly the best-known attack among the ones that have ever happened. Some say it was the first attack that made ransomware a real danger in the eyes of those who learned of it. The outbreak that happened in May 2017 hit 150,000 machines on the first day. It generally targeted corporations in Russia, Ukraine, India and Taiwan. On the second day, security analysts found a way to suspend the malware execution and make it self-destruct. That seriously restricted further spreading and froze the victim counter at around 200,000. The investigation following the attack identified two North Korean citizens as the key threat actors. They used the EternalBlue exploit to deploy the ransomware. The North Korean cybercrime group Lazarus – the only one in this country – did not claim responsibility.

Ransom note that WannaCry ransomware generated after the encryption

Locky Ransomware attack

Active: 2016-2017
Damage: up to 1 million computers
Ransom: 0.5–1 Bitcoin ($275-450)

The outbreak of Locky ransomware lasted a long time. Its first version was delivered from the beginning of 2016 using the Necurs botnet. This network resided in both single-user computers and ones placed in corporations. Originally, the malware was spread through classic email spam – with an attached Office document that contains malicious macros. Around June 2016, the botnet was shut down due to a glitch in the command centre. But soon after, everything came back to normal – with even more intensive spamming. Although its activity had almost ceased by the end of 2017, it still appears here and there, without any pattern.

Locky ransomware ransom note

Cryptolocker malware attack

Active: September 2013 – May 2014
Damage: around 70,000 machines, 42,928 BTC paid
Ransom: $400 (in Bitcoin)

Cryptolocker appears to be one of the earliest cases of a large-scale ransomware attack. After the mess created by amendments to bank regulation laws, hackers were forced to seek another way of payment, and cryptocurrencies were the best option. The distribution of this malware generally relied on malicious email attachments and double extensions. Victims received a ZIP file, which contained what looked like a PDF file. In fact, it was an executable file with a .pdf.exe extension and a PDF file icon attached to it. Cryptolocker ransomware is also notable for increasing the ransom sum if victims fail to pay within 72 hours. In 2014, a free decryption tool appeared, making this malware useless.
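The double-extension trick described above is easy to check for on the mail gateway or in a sandbox. The following Python script is an added example, not code from the original post: it builds a constructed ZIP archive in memory that imitates the Cryptolocker lure (the “MZ” contents are placeholders, not real binaries) and flags entries whose final extension is executable while an earlier extension pretends to be a document. The extension lists are illustrative assumptions, not a complete catalogue.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows will execute on double-click (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jse", "wsf", "hta", "msi"}
# Extensions a user expects to open as a harmless document or picture.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png", "gif"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if `name` looks like a disguised executable, else None.

    Only the last path component is inspected, case-insensitively, because
    Windows treats "INVOICE.PDF.EXE" exactly like "invoice.pdf.exe".
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None                      # no extension at all
    final = parts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return None                      # not executable, nothing to flag
    # Any earlier dotted segment that is a document extension is the disguise.
    for inner in parts[1:-1]:
        if inner in DOCUMENT_EXTENSIONS:
            return f"executable '.{final}' disguised as '.{inner}'"
    # A plain executable in a mail attachment is still worth reporting.
    return f"executable attachment '.{final}'"


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Scan ZIP bytes and return (entry_name, reason) for every suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Build a constructed lure archive; the 'MZ' entries are placeholders, not binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2022.pdf.exe", b"MZ placeholder, not a real program")
        zf.writestr("cover_letter.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("photos/holiday.JPG.scr", b"MZ placeholder")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()):
        print(f"SUSPICIOUS {entry}: {why}")
```

The check deliberately looks at the name only, so it also catches the case where the icon resource has been swapped; a real gateway would combine it with content inspection, since a renamed executable with a single extension passes this filter with only a low-priority finding.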

Pop-up window that appeared after the Cryptolocker encryption

Petya/NotPetya

Active: June 2017
Damage: $10 billion losses
Ransom: $300

Analysts detected the first samples of this ransomware in March 2016, but its premiere happened in June of the next year. This attack is considered to be politically motivated, as the hackers who managed the attack are from Russia, and the country that suffered the most was Ukraine (over 80% of total submissions). Moreover, the attack happened at the end of Ukrainian Constitution Day – a typical Russian “spoil-the-celebration” act. Still, several European countries reported the attack as well. Malware deployment was performed through a backdoor in the tax preparation software M.E.Doc, widely used in Ukrainian companies. The attack was reportedly prepared by the Russian hacking group Sandworm; however, they deny all accusations.

Ransom note displayed by Petya ransomware instead of the system loading

Conti Ransomware group

Active: Late 2019 – March 2022
Damage: over 1000 companies hacked
Ransom: average $110,000, peaking at $25 million

Conti is yet another cybercrime gang that is tied to Russia. Contrary to numerous others who are tagged as Russian, they never deny their origins. The group started their activity in November 2019 and quickly gained the image of unprincipled rascals. Striking any kind of company and organisation, the Conti group earned huge capital as well. At some point, their average ransom peaked at ~$1 million. The key malware spreading ways this group opted for are email spamming and RDP brute force. They actively used double extortion – when the victims have to pay not only for file decryption but also for keeping the leaked data secret. As CISA researchers say, Conti also applies a pretty unique way of RaaS implementation. Instead of collecting commission payments for each successful attack, the administration gets the entire cash flow and pays a “salary” to its hackers-for-hire.

Conti leak site, where the gang publishes information about the companies they’ve managed to hack

Ryuk Ransomware gang

Active: Since 2019
Damage: total ransom amount exceeds $150 million
Ransom: $100,000 – $500,000, peaking at $5.3 million

Its name comes from the Death Note manga character. Ryuk ransomware is believed to be operated by Russian cybercrime gangs, but there is no straightforward evidence for it. Another study suggests that Ryuk may be operated by the aforementioned Lazarus Group. This malware relies on the TrickBot dropper for spreading; still, crooks don’t disdain using RDP vulnerabilities. Contrary to most other groups that attack companies, it does not use the double extortion technique. There is no evidence of the RaaS model being used either.

DarkSide Ransomware

Active: August 2020 – June 2021
Damage: 90 known victims
Ransom: $200,000 – $2 million

The DarkSide gang is an example of taking French leave. This cybercrime gang is best known for its attack on Colonial Pipeline, which led to massive fuel supply disruptions along the entire U.S. East Coast. After that case, the FBI started an investigation, and DarkSide admins hastened to announce their shutdown. Aside from that, the hackers often claimed that they’re apolitical, despite researchers tracing their origins to Russia. Researchers also believe that the group is a spin-off from another gang – REvil.

Forum message about DarkSide shutdown

LockBit group

Active: September 2019 – now
Damage: 850 companies ransomed
Ransom: ~$85,000 on average

LockBit is an example of a next-generation ransomware gang. This group picks its candidates thoroughly and watches that affiliates follow the “codex”. They declared that they avoid attacks on critical infrastructure, government, non-profit and educational institutions. And they really do so – even if such an attack happens, they quickly retreat, giving out a decryption key for free. Gang administrators proved to be pretty talkative, giving interviews here and there, although remaining anonymous. The LockBit group is also famous for its software, which provides some of the fastest file encryption and data extraction capabilities. They jokingly call themselves “postpaid pentesters”.

LockBit ransomware leak site

Magniber Ransomware

Active: Late 2017 – now
Damage: ~250 users attacked
Ransom: 0.35–0.7 BTC

Ransomware that strikes individuals rarely opts for such a sophisticated spreading way as vulnerability exploitation. Social engineering is easier and cheaper – and thus far more widespread. Magniber ransomware is the exception that proves the rule. Despite being an old-timer – it was first seen around December 2017 – this malware had barely scored a hundred victims by the beginning of 2022. Its activity is inconsistent, with numerous idle periods which may last more than a year. Analysts pay attention to Magniber because of its unique behaviour and because it attacks almost exclusively South Korean users. In early 2022, it saw another activity spike – possibly the biggest in its entire history. Exploiting security flaws in the Chrome browser, it got over a hundred victims.

Cl0p ransomware

Active: September 2019 – now
Damage: >1000 victims/~$500 million in ransoms
Ransom: $80,000 – $220,000

Cl0p is an example of a single ransomware strain used by multiple different cybercrime groups. A further development of CryptoMix ransomware, it has seen active use in attacks by the TA505, FIN11, UNCA2546 and UNCA2582 groups. All of them originate from Russia or Russian-speaking countries. The key method used to spread Cl0p is spear phishing with a malicious attachment. For a better disguise, the attached file carries a certificate that makes it look legitimate to protection systems. Along with the ransomware, the payload commonly contains an SDBOT worm that acts as stealer malware.

Egregor Ransomware gang

Active: early 2020 – February 2022.
Damage: 71 companies hacked
Ransom: averages at $700,000

Egregor made a brief but bright show around the turn of 2021. Some analysts believe that its key actors were recruited from the Maze gang, which dissolved in October 2020. Exploiting RDP vulnerabilities, it broke into the networks of pretty large companies. Among their victims are the K-mart retail chain and Randstad – a recruiting platform. Despite being formally shut down, the group never claimed that directly. Their last attack happened in December 2020. In February 2021, some of the group members were captured in a joint action of Ukrainian and French cyberpolice. After that, the entire gang went offline. In February 2022, one of the Egregor members published the decryption keys for Maze, Sekhmet and Egregor ransomware victims. That is not a direct statement, but a pretty clear sign of the shutdown.

Babuk Ransomware

Active: December 2020 – July 2021
Damage: ~12 companies hacked
Ransom: $100,000

Like the previous gang, Babuk had a pretty short lifetime of less than a year. Still, ransomware samples that use the Babuk codebase keep appearing in the wild even in 2022. The first versions that can be attributed to Babuk appeared in October 2020, but they had no name. Vasa Locker was the first name for that ransomware, appearing around November 2020. The Babuk name came into use in December of the same year. The group attacked primarily companies with gross profits of over $4 million. It is notable for attacking Washington’s Metropolitan Police Department, asking for a ransom of over $4 million. The key penetration ways this group used are RDP vulnerabilities and email phishing. Its end was pretty notorious – a 17-year-old gang member leaked the administrative panel credentials and the source code, claiming he was suffering from terminal cancer and wanted to “live as a human”.

Forum message regarding Babuk shutdown

Phobos Ransomware

Active: early 2019 – now
Damage: not calculated
Ransom: ~$37,000 on average

Phobos appears to be unique malware in several respects. It is a rare example of malware that targets both companies and individuals. Although the companies they usually attack are small, they compensate for that with the number of attacks. The key spreading ways Phobos applies are email phishing and RDP exploitation, for individuals and companies respectively. A peculiar detail about Phobos is that the same group seems to be spreading Dharma ransomware as well.

PYSA Ransomware group

Active: October 2019 – now
Damage: up to 800 companies hacked
Ransom: $347,000 on average

PYSA is an acronym that stands for “Protect your system amigo”. This, and the use of a sombrero-and-moustache picture as the logo on their Darknet leak site, definitely points to Mexican origins. Aiming at corporations, it uses a whole bunch of tools in order to create as convenient an environment for ransomware deployment as possible. To get into the network, crooks generally use email phishing. Because of the massive amount of manual work to do after gaining initial access, this ransomware works in fully manual mode.

Darknet homepage of PYSA ransomware

That is roughly half of all the attacks I want to talk about. Consider checking out the second part of this list to learn about even more noteworthy ransomware attacks!

The post Huge Ransomware List by Gridinsoft Research – Part #1 appeared first on Gridinsoft Blog.

U2K Ransomware Strikes, Thousands Of Victims
https://gridinsoft.com/blogs/u2k-ransomware/
Thu, 14 Jul 2022 14:15:24 +0000

U2K ransomware, possibly a rising star in the ransomware arena, appeared on July 10, 2022. It instantly infected a huge number of users and keeps spreading, despite the loud alarms in cyberspace.

U2K ransomware (U2K files encrypted) – what happened?

Numerous analysts report a new ransomware variant trampling users’ devices. It likely uses the same distribution methods as most other ransomware families – software cracks and dubious tools, spread through torrent downloads. Still, there are no details about the spreading way, since the threat is only 4 days old. However, it has already struck over 10 thousand users – an enormous number for a no-name ransomware. There are several similarities with another ransomware variant that does not belong to any family – MME ransomware – but that one was far from being so widespread.

The other ransomware variant that has dominated the ransomware market in recent years – STOP/Djvu – was pushed down for the moment, as its latest HHEW variant barely scored 5k infections. Such news is striking, since Djvu ransomware was a complete monopolist among ransomware groups that attack individual users. It accounted for over 70% of all attacks on single users, and such a high share was constant for over 2 years.

U2K files – how to decrypt them?

Currently, cybersecurity analysts consider that there is no free way to decrypt the files after the U2K ransomware attack. It likely uses the AES cipher, typical for other ransomware. Even if it has flaws that make decryption possible, it will take time to uncover these weaknesses and turn them into a working decryptor. As of now, neither brute force nor decryption tools can do anything with the encrypted files. If there are no weaknesses in the AES mode the crooks applied in the ransomware, it will take millions of years to find the key by brute force.

After finishing the encryption process, this malware adds its specific extension (.U2K) to each file and leaves a ransom note on the desktop. In the ReadMe.txt file, the victim will see a link that leads to a Darknet page. The other lines assert that there is no way to get the files back, and all the victim can do is contact the crooks to agree on the payment. The full contents of the ransom note are the following:

Ransom note U2K ransomware generates on the victim’s desktop

Red Stealer comes together with U2K ransomware

Analysts who had a look at the U2K ransomware file noticed that a stealer malware goes together with the main payload. This tactic is not new, as most modern ransomware examples do the same. In particular, STOP/Djvu ransomware brings Azorult spyware to steal the victim’s credentials. Having spyware or a stealer in the bundle does not always mean double extortion – the credentials hackers receive are then used directly to hijack your accounts in social networks. Hackers don’t notify you about that and don’t give you a chance to buy back your login info.

The ransom size is likely individual for each victim. Crooks name the sum after a conversation on the Darknet site, where you have to create a ticket (like in tech support) and wait for the response. That is not typical for rascals who aim at individuals, since communication through the Darknet is the prerogative of groups that aim at corporations. For the latter it is essential, since the ransom sum is obviously unique for every hacked company, and haggling is allowed. Among gangs that attack individuals, only Magniber ransomware practices this trick.

Darknet site of U2K ransomware. The login window offers you to create the account and open the ticket

How to protect yourself?

Ransomware is considered one of the most dangerous viruses nowadays. It is better to avoid it altogether rather than getting ready to solve post-attack issues. Fortunately, it uses pretty straightforward delivery methods when it tries to break into individual users’ PCs. Still, it is much better to take all precautions regardless of the likelihood of an attack.

  • Don’t use software cracks and dubious tools. These two are probably the most popular malware spreading ways, and the longest-lasting ones. Malicious applications can have different disguises, but most often they hide under the guise of apps that ask you to disable the antivirus to be installed.
  • Avoid the offers on forums. You can sometimes find extremely generous offers on different forums – like a free key for a certain application. When you are not sure about the identity of that user, it is better to avoid such offers. This is especially recommended when you visit that forum for the first time, searching for a solution to a problem.
  • Use anti-malware software. A proper anti-malware program will stop even the newest ransomware variant with its heuristic engine. It will also prevent you from falling into traps of this kind. GridinSoft Anti-Malware is a great security program that can protect you from several directions.
  • Use advanced backup tools. Most ransomware variants can disable the general backup utilities, like System Restore, OneDrive or Volume Shadow Copy. However, they are powerless against copies of important files on a removable drive, or backups kept in cloud storage.

The post U2K Ransomware Strikes, Thousands Of Victims appeared first on Gridinsoft Blog.

War in Ukraine triggered a Stream of amateurish ransomware
https://gridinsoft.com/blogs/war-in-ukraine-triggered-amateurish-ransomware/
Wed, 15 Jun 2022 17:10:13 +0000

Russia has provoked hackers around the world to focus their attacks on the servers of the largest companies, TV channels, banks, and government agencies. According to statistics given by ESET, Russia has entered the list of the most attacked countries, which was not the case earlier.

More and more amateur hackers appeared after February 24

The most common hacks were attacks by screen lockers, which put the national slogan “Slava Ukraini” on the screen, as researchers from the region claim. Lockers are the precursors of ransomware: they do not encrypt files, but lock the screen, displaying a banner over the top. Statistics showed that about 11% of all cyberattacks from January-April 2022 were aimed at Ukraine and 40% at Russia. The cyber world boomed from that.

It is believed that many hackers live in the CIS countries, so until this year their activities were not so clearly manifested on the territory of Russia and Ukraine, most likely because of their location or fear of retaliation from Russia. After February 24, 2022, when Russia launched the so-called special operation, that is, the war, the number of extortion programs has grown exponentially. This is also confirmed by Igor Kabina, the senior ESET detection engineer.

Russia reached the all-time high in its share in ransomware attacks

The infamous Conti group could not help but distinguish itself against this background. At first, the group declared its loyalty to Vladimir Putin, after which a Ukrainian insider created a Twitter account in which he exposed this ransomware gang. Of course, after the revelations in May, this group magically left the arena. Since then, other groups, such as LockBit, have not expressed their preferences loudly, to avoid the same fate.

Russia ransomware attacks share

Igor Kabina, the senior ESET detection engineer, claims in his interview that such hacks and attacks will become even more focused, because military ideology and propaganda are escalating. And as the number of pro-Russian and pro-Ukrainian extortion programs grows, the news will continue to be disappointing for many companies that fall under the risk of hacking and attacks by these extortionists.

The post War in Ukraine triggered a Stream of amateurish ransomware appeared first on Gridinsoft Blog.

20 Dangerous Types of Cybersecurity Threats
https://gridinsoft.com/blogs/dangerous-types-of-cybersecurity-threats/
Wed, 27 Apr 2022 19:09:52 +0000

Cybersecurity threats this year are more significant than ever. Due to the emergence of efficient ransomware, coin miners, spyware, and so on, hacking has become a consistently profitable business.

Knowing about cybersecurity threats is crucial because it sharpens your safety measures. In addition, when you’re aware of what is up against you on the Internet, you understand the meaning of cybersecurity.

The following article is not a list of cybersecurity threats in a strictly scientific sense. Instead, we have gathered some of the trending phenomena from modern cyber-warfare (some of them are threats indeed) to present them in the form of an explanatory dictionary.

 

#1. Hacking Attacks

Any activity toward getting unauthorized access to and control over computers, data storage, online servers, websites, etc., is called “hacking”. The term is old, and hacking computer systems does not necessarily imply going online, although it mostly happens on the Internet nowadays.

Hacking cybersecurity threats may involve malicious software (malware) but not necessarily, since social engineering, i.e., trespassing digital security by deception, using human and not computer vulnerabilities, can be seen as a form of hacking.

Hacking started as idle entertainment but evolved into a lucrative cybercriminal industry. Counteracting potential crooks and developing anti-malware software is now an indispensable element of modern computer technology.

#2. Malware Attacks

“Malware” is a portmanteau for malicious software. There are different ways to classify unwanted programs. Some security specialists distinguish between software that does actual harm and annoying applications that can be easily detected and removed from a device by a standard procedure. Other experts consider unwanted programs and malware synonyms.

NOTE: Malware attacks are a big threat to users all over the world. It is very important to know the principles and the main characteristics of each, to understand how to resist them.

Harmful software can itself be classified according to different criteria. For example, malware may be file-based or fileless, executed via scripts so that no code is saved on the targeted device.

Malware files can be the ones that breach the defences of the victim system, or they can be downloaded later by the former. As for the infectious agents, these can be viruses, worms, or Trojans. Other types might emerge too, but these three are the most widespread. Besides, viruses, which gave malware its first collective name, are obsolete nowadays. But do you know the difference between malware and a virus?

The functions of malware are immense. It can collect data, destroy or tamper with it, flood users with unwanted advertising, etc. However, the vilest malware these days is arguably ransomware.

Trojan Horse (Cybersecurity Threat)

Trojan horse, or just Trojan, is a term that describes the way malware ends up on the victim’s device. It is incorrect to say “Trojan virus,” as Trojans are essentially not computer viruses; the latter are self-replicating pieces of code. Trojans, unlike that, are shaped as “normal” files, and they do not clone themselves. What is specific about them is that users install Trojans themselves, mistaking them for what this malware tries to seem. This disguising is what gave Trojans their name (remember Odysseus’s clever way to get beyond the walls of Troy).

When the Trojan is already “behind the enemy lines,” it can execute one of many possible functions. It can either deliver its malicious payload or download additional malware, and one doesn’t exclude the other.

NOTE: Over the past three years, Trojans have changed significantly, and there are many dangerous variants. Therefore, it is recommended to use a separate antivirus, such as Gridinsoft Anti-Malware.

#3. Ransomware Attacks

Ransomware is a kind of malware that encrypts data on the victim’s device. It provides instructions on how to pay a ransom in cryptocurrency to the crooks, who promise to deliver a decryption key to the injured side in return.

Trojans usually deliver ransomware. Victims often catch this infection from email attachments, malicious links in messages, or unchecked downloads from dangerous websites. Ransomware encrypts data files, such as text documents, images, and videos, after which all the encrypted files get an additional extension appended to their names. As a result, the user cannot read the files until they are decrypted.
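The appended-extension behaviour described here, and the concrete case in the U2K post above (every file gets “.U2K” and a ReadMe.txt lands on the desktop), leave a file-system footprint that is detectable in near real time. The Python script below is an added example, not code from the original posts: it replays a constructed file-event log (the event layout, the 60-second window and the 20-rename threshold are assumptions) and raises an alert when many files within the window are renamed with the same new suffix, attaching any ransom-note creation it sees as corroboration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Note file names are matched case-insensitively; the list is illustrative.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt"}
WINDOW = timedelta(seconds=60)   # burst window (assumption)
THRESHOLD = 20                   # same-extension renames inside WINDOW (assumption)

# Constructed sample event log: "<ISO timestamp> <OP> <path>[ -> <new path>]".
SAMPLE_EVENTS = "\n".join(
    [f"2022-07-10T14:02:{i:02d} RENAME C:\\Users\\alice\\Documents\\file{i}.docx"
     f" -> C:\\Users\\alice\\Documents\\file{i}.docx.U2K" for i in range(25)]
    + ["2022-07-10T14:02:26 CREATE C:\\Users\\alice\\Desktop\\ReadMe.txt",
       "2022-07-10T15:10:00 RENAME C:\\Users\\bob\\draft.txt -> C:\\Users\\bob\\final.txt"]
)


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix appended to `old` to produce `new` (e.g. ".U2K"), else None."""
    if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
        return new[len(old):]
    return None


def parse_event(line: str) -> Tuple[datetime, str, str, Optional[str]]:
    ts_str, op, rest = line.split(" ", 2)
    if op == "RENAME":
        old, new = rest.split(" -> ", 1)
        return datetime.fromisoformat(ts_str), op, old, new
    return datetime.fromisoformat(ts_str), op, rest, None


def file_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect_encryption_burst(log: str) -> List[dict]:
    """Raise one alert per appended extension whose rename rate crosses THRESHOLD in WINDOW."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    note_paths: List[str] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, op, path, new = parse_event(line)
        if op == "CREATE" and file_name(path).lower() in RANSOM_NOTE_NAMES:
            note_paths.append(path)
            continue
        if op != "RENAME":
            continue
        ext = appended_extension(path, new)
        if ext is None:
            continue                      # ordinary rename, not an appended marker
        q = recent[ext]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # slide the window
            q.popleft()
        if len(q) >= THRESHOLD:
            alert = alerts.setdefault(ext, {"extension": ext, "count": 0,
                                            "first_seen": q[0], "ransom_note": None})
            alert["count"] = max(alert["count"], len(q))
    # A dropped ransom note corroborates the burst; attach the first one seen.
    for alert in alerts.values():
        if note_paths:
            alert["ransom_note"] = note_paths[0]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_encryption_burst(SAMPLE_EVENTS):
        print(alert)
```

The suffix check is keyed on the rename pattern rather than on a list of known extensions, so it also fires for a brand-new family; the trade-off is that a legitimate bulk rename tool can trip it, which is why the ransom-note creation is carried along as a second signal rather than folded into the threshold.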

Ransomware attacks have become a functioning business model for crooks within the last several years. State governments have started a real war on ransomware. The US authorities have started shutting down black markets where hackers have been selling ransomware as a service.

MedusaLocker Ransomware

MedusaLocker is classic ransomware with one mean peculiarity. Unlike the majority of ransomware operators, who would love to have the reputation of “trustworthy thieves,” the racketeers behind MedusaLocker don’t give the decryption key to the victims who pay the ransom. Jeopardizing the whole business scheme, MedusaLocker developers are another illustration of the advice not to negotiate with terrorists.

#4. Formjacking Cybersecurity Threat

A modern way of stealing money is to get a copy of the credit card details an unaware user enters in a payment form, let us say, at an online shop. As the shopper confirms the credit card details, a copy of the entered data immediately goes to the crooks. This vile procedure requires injecting malicious JavaScript code into the third-party payment form, usually not into the website itself. Hackers can use the same technique to steal logins and passwords, with subsequent identity theft.
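Because the injected code lives in a script the shop loads from someone else’s server, one standard defence is to pin that script with Subresource Integrity: the merchant records the hash of the script it reviewed, and the browser refuses to run a copy whose hash differs. The Python below is an added example, not code from the original post: it computes the SRI token, renders the pinned tag, and mimics the browser’s accept/reject decision against a constructed tampered copy (the script bodies and the URL are placeholders).

```python
import base64
import hashlib

ALLOWED = ("sha256", "sha384", "sha512")   # the digests SRI permits

# Constructed placeholder for the legitimate third-party checkout script.
GENUINE_SCRIPT = b"window.checkout = function (form) { return gateway.submit(form); };\n"
# Constructed tampered copy: the same script with extra code appended at the end.
TAMPERED_SCRIPT = GENUINE_SCRIPT + b"/* injected code would go here */\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token for `content`, e.g. "sha384-<base64 digest>"."""
    if algo not in ALLOWED:
        raise ValueError("SRI allows only " + ", ".join(ALLOWED))
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser: accept `content` only if some token in `integrity` matches.

    Simplification: real browsers keep only the strongest listed algorithm and
    compare against those tokens; here any matching token passes.
    """
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ALLOWED and sri_hash(content, algo) == token:
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Render the pinned <script> tag the merchant embeds in its checkout page."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(GENUINE_SCRIPT)
    print(script_tag("https://pay.example.test/checkout.js", GENUINE_SCRIPT))
    print("genuine accepted:", verify_sri(GENUINE_SCRIPT, pinned))
    print("tampered accepted:", verify_sri(TAMPERED_SCRIPT, pinned))
```

SRI only covers resources the merchant page itself loads with a `<script>` or `<link>` tag; when the payment form is an iframe served entirely by the provider, the provider has to apply the same kind of control on its own page, and a Content Security Policy that lists the permitted script origins is the complementary measure.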

#5. Password Attacks

Password attacks are the sum of measures hackers may undertake to guess the password to a password-protected account or device, given that they do not have that password and do not have any software to obtain it directly. Therefore, password attacks are attempts to guess the password using computing power to do it as fast as possible. The most “fair” method is a brute force attack, when the machine bluntly tries all possible password variants until it guesses the right one.

NOTE: Password thieves, or PWS, are a specific type of malware that tries to get your passwords and other credentials. Once it has got into the system, the password thief is ready to do its job.

A strong password might take thousands of years to break. But, of course, it is not about trying every value without any relation to what is being hacked. There are usually sets of words and numbers that are more likely to be the correct password in each particular case. That is what the machine does: it tries the candidate values in a realistic order.
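From the defender’s side, a brute force attempt, including the RDP brute force several gangs in the ransomware list above rely on, shows up in the authentication log as a burst of failures from one source, sometimes followed by a success. The Python script below is an added example, not code from the original post: it runs a sliding-window count over a constructed log in a generic key=value layout (real RDP or SSH logs need their own parsers), and the five-minute window and ten-failure threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

WINDOW = timedelta(minutes=5)   # sliding window (assumption)
FAIL_THRESHOLD = 10             # failures from one source inside WINDOW (assumption)

# Constructed sample log in a generic "<ISO time> <EVENT> key=value ..." layout.
SAMPLE_LOG = "\n".join(
    [f"2022-06-01T10:00:{i:02d} LOGIN_FAILED user=administrator src=203.0.113.7" for i in range(12)]
    + ["2022-06-01T10:00:13 LOGIN_OK user=administrator src=203.0.113.7",
       "2022-06-01T10:01:00 LOGIN_FAILED user=alice src=198.51.100.4",
       "2022-06-01T10:01:30 LOGIN_OK user=alice src=198.51.100.4"]
)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts_str, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), event, kv["user"], kv["src"]


def detect_bruteforce(log: str) -> List[dict]:
    """Return one alert per source address that exceeds FAIL_THRESHOLD failures in WINDOW.

    Severity is raised to "high" when a successful login from the same source
    follows the burst while failures are still inside the window: that is the
    pattern of a guessed password rather than a merely noisy client.
    """
    fails: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        q = fails[src]
        while q and ts - q[0][0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if event == "LOGIN_FAILED":
            q.append((ts, user))
            if len(q) >= FAIL_THRESHOLD:
                alert = alerts.setdefault(src, {"src": src, "failures": 0, "users": set(),
                                                "severity": "medium", "success_user": None})
                alert["failures"] = max(alert["failures"], len(q))
                alert["users"].update(u for _, u in q)
        elif event == "LOGIN_OK" and src in alerts and q:
            alerts[src]["severity"] = "high"
            alerts[src]["success_user"] = user
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The same structure, keyed on the user name instead of the source, catches password spraying, where one source tries a few common passwords across many accounts and never crosses a per-source threshold; the usual response to either alert is account lockout or rate limiting at the service and, for RDP specifically, not exposing the port to the Internet at all.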

#6. Cryptojacking Malware

Since cryptocurrency strengthened its position in the world economy, hackers have been developing ways to benefit from other people’s resources. Bitcoins and other tokens are produced via mining – solving cryptographic problems on the machine that earns them. Thus, criminals sought to enslave as many computers on the Web as possible for their remote mining farms. They found different methods for cryptojacking (that’s what this process is called).

The two most common ways to exploit remote machines for cryptocurrency mining are infecting them with so-called coin miners (mostly Trojans) or making them run coin-mining scripts. Precautions against these cybersecurity threats are the familiar ones: be careful with questionable email attachments and links.

#7. Man-in-the-middle attack (MITM)

Spoofing a Wi-Fi network name allows crooks to lure victims onto a network fitted with data-collecting software or even hardware. The user's inbound and outbound traffic then passes through the crooks' hands. This spying scheme is called a man-in-the-middle attack. It can serve criminals equally well for attacking a specific target or for stealing the identities of random people unlucky enough to fall into the trap.

IMPORTANT FACT: A public Wi-Fi network can be considered insecure for several reasons, each of which can compromise your device and data. It is very important to learn how to use public Wi-Fi safely and which risks to watch out for.

#8. Cloud Vulnerabilities

Users consider cloud storage an excellent and convenient place to keep their data and back up their hard drives. That is true, but is the cloud safe? People seldom care about cloud data security because they do not expect anyone to hunt for their information. However, any company with competitors, and any influential person, should know that cloud services have vulnerabilities.

Some of them are trivial, like the absence of two-factor authentication, which lets anyone who gets hold of a logged-in machine use the account. Others involve commands written in the cloud services' internal scripting languages, DDoS attacks, compromised APIs, and other weaknesses that raise questions about the security of cloud services.

#9. Botnet Cybersecurity Threat

A botnet is a network of compromised computers that act in concert to perform various actions. Each botnet host is a computer with specialized software installed and running on it, usually without the user's knowledge. Whatever a particular botnet does, botnets in general serve malicious purposes. These networks are used for posting comments on social media, launching DDoS attacks, mining cryptocurrency, distributing malware, etc.

#10. Denial of Service (DoS) Attack

A denial-of-service (DoS) attack happens when a resource that is supposed to provide a service gets overloaded by an enormous number of requests or receives crafted data that triggers a crash. This type of attack is usually launched against the websites of business competitors, political opponents or ideological enemies, or against another state's critical resources by threat actors from an opposing country.

If a DoS assault involves multiple attackers (real people or a botnet), it is called a distributed denial of service (DDoS). The international hacktivist group Anonymous is well known for its ability to organize massive DDoS attacks quickly. At the same time, the use of VPNs and onion routing makes tracking the attackers virtually impossible.

#11. Spam Cybersecurity Threat

Spam is the well-known practice of throwing unwanted and unneeded advertising at random users. Spam started out as a vehicle for advertising and fraud, but hackers later caught on and began using it to spread malware. The combination of spam and malware distribution is called malspam. The difference between malspam and targeted email-based attacks is that malspam is an indiscriminate distribution of dangerous attachments in random mass mailings.

#12. Phishing Attack

Phishing is a hacking technique that does not necessarily involve malware at all. The attack's name comes from the word "fishing," with the spelling changed to distinguish it from real fishing, but the idea is similar. Hackers use social engineering, in other words skillful deception, to make victims believe that the people addressing them are a trustworthy company or person. It is important, though, not to confuse phishing with pharming.

NOTE: Phishing is a type of cyber attack that is carried out using various technologies. There are many dangerous types of phishing attacks to watch out for.

Once such trust is established, criminals lure unsuspecting users into handing over their credentials (login, password, credit card details, etc.). Not knowing the real identity of the asker, victims can suffer considerable losses, up to identity theft. Education and vigilance are therefore the best countermeasures against such attacks.

#13. Spoofing Cybersecurity Threats

Spoofing is inseparable from phishing. Imagine someone who impersonates a police officer to make you lend him your car: the request itself is the phishing, while the fake uniform and the policeman's badge are the spoofing. Likewise, an email letterhead, an email address, a web page's appearance, a website address, a Wi-Fi network name, a browser shortcut or interface, and much else can be spoofed.

Experienced users are likely to distinguish a genuine webpage from a spoofed one. There are also basic rules of Internet communication that can safeguard users from buying into deceptive baits. However, the problem is that phishing generally targets inexperienced users.

#14. SQL Injection (SQLi) Cybersecurity Threats

SQL code injection is one of the most common ways of attacking websites and data-driven software. It exploits software vulnerabilities that allow a specially crafted piece of SQL code to override the program's intended logic and grant the attacker access to data in a database that they are not authorized to see.

The vulnerability arises because a programming flaw can, under certain conditions, cause text supplied by the user to be read and executed as part of an SQL command, outside its intended context as plain data. Knowing those conditions and how to trigger them is what makes an SQL injection attack possible.
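To make the "out of context" point concrete, here is an added Python example (not code from the original post) that uses an in-memory SQLite database with a constructed `users` table. The first lookup pastes user input into the SQL text, so a quote character in the input terminates the string literal and whatever follows is parsed as SQL; the second binds the input as a parameter, so the database never interprets it as a command.

```python
"""SQL injection: a vulnerable string-built query beside its parameterized fix.

Added example; not code from the original post. The schema and rows are
constructed for illustration.
"""
import sqlite3


def make_db():
    """Build an in-memory database with a constructed 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """VULNERABLE: the input is spliced into the SQL text. A quote in the input
    closes the string literal and the rest of the input becomes SQL syntax."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """FIXED: the input travels as a bound parameter. The database parses the
    statement first and only then substitutes the value as opaque data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with a normal input and a textbook tautology input.

    The hostile string closes the literal and appends an always-true
    condition; it is the canonical illustration of why string-built SQL fails.
    """
    conn = make_db()
    normal = "alice"
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

`demo()` returns the four result sets: the vulnerable lookup leaks every row for the hostile input, while the parameterized lookup returns the same single row for legitimate input and nothing for the hostile one. Parameterized queries (prepared statements) are the standard fix; input validation and a least-privilege database account are defense in depth, not substitutes.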

#15. Rootkit Malware Attack

Rootkits are programs that perfectly fit the definition and the popular idea of a hacking tool, and they are strongly associated with malware. Cybercriminals use them to reach data that is closed to the user at the current level of access. As the name reveals, a rootkit aims to give its user access to the very core of the system, its root.

This kind of software grants evil-doers a broad range of opportunities: collecting information from the system, controlling it, and hiding objects within it. Modern security software automatically removes known rootkits, but an average user would find it hard to detect and delete one manually.

#16. Advanced Persistent Threat (APT)

Nation-state threat actors that gain unauthorized access to computer systems and remain undetected for a long time are designated advanced persistent threats. APTs are among the most disturbing menaces in the modern digital world because they target a country's vital industries: banks, electronic election systems, the electricity supply, etc. Moreover, being legal in their own countries, nation-state threat actors are well equipped, and they aim to cause harm rather than make money like ransomware operators do. That radically distinguishes APTs from other threats.

#17. Backdoor Attacks

A backdoor is a way of bypassing the standard authentication or encryption processes of a device or program. The name speaks for itself: it is a vulnerability in a program, but one left there on purpose. It allows hackers (who, in the case of a backdoor, are the very developers of the software containing it) to get quick and unrestricted access to data or even control over the system.

FROM THE LATEST NEWS: Shuckworm hackers are attacking Ukrainian organizations with a new variant of the Pteredo backdoor. According to experts, the group carried out more than 5 thousand cyberattacks on 1.5 thousand public and private enterprises in the country.

A backdoor is not necessarily a hacking instrument; it might be a tool for emergency troubleshooting. However, hackers use backdoors introduced via seemingly ordinary applications (in fact, Trojans) to fetch additional malware past the security perimeter of the operating system. Luckily, backdoors are recognizable, and anti-malware systems manage to detect them.

#18. Darknet Cybersecurity Threats

The darknet is not a cybersecurity threat in itself, although it sounds menacing. It would be false, though, to say that it has no relation to cybersecurity threats: it is the place where malware designers and users meet and communicate. The darknet is an anonymous overlay peer-to-peer file-sharing network (existing on top of the Internet) in which connections are established only between trusted peers and via non-standard ports and protocols. Access is possible only via special software, such as the Tor Browser. While the dark web is associated with illegal activity, accessing and browsing it is legal. We recommend Gridinsoft's useful tips for the darknet.

The darknet is associated with black markets, cybercrime and terrorism, but also with well-protected privacy, freedom of thought and liberty from governmental control. Beware of these dangerous cybersecurity threats!

TOP 9 Malware Attacks: Compilation 2022 (https://gridinsoft.com/blogs/malware-attacks-worldwide-compilation-2022/, Thu, 21 Apr 2022 20:25:22 +0000)

The World Wide Web is not a hostile realm in itself, but any Internet user should be aware of the dangers lurking on the Net. Where harmful software was once just fun for hackers, or vandalism at worst, today malware attacks are a viable business model.

The commercial element makes the danger more tangible and serious. Let us list and describe the nastiest and most dangerous malware attacks in all areas likely to cause trouble in 2022.

#1. Attacks by Nation-State Threat Actors

Nation-state threat actors are the most dangerous cybercriminals on the Web, for several reasons. They are professionals. They possess the best available technology. They work together with their countries' secret services and can afford long-term preparation. They are legal in their own countries, and finally, they rely on stealth, so they are hard to detect.

For example, Pipedream, a recently discovered malware toolkit used by nation-state hackers, does not target private computers. Such attacks aim at industrial facilities and the programmable logic controllers in plants, factories, gasworks, etc.

These actors can also target banks or state registries. However, the most shocking news was the warning by the US authorities that Pipedream-armed hackers were ready to strike electricity and natural gas supply facilities, with the possibility of damaging physical industrial equipment.

#2. Clop Ransomware Attacks

Like any other ransomware, Clop encrypts the targeted data files, making them inaccessible. The user then finds a ransom note in which the racketeers say where to send money (in cryptocurrency) to get a decryption key. Clop ransomware is extremely dangerous because it works on most versions of Windows and is highly evasive toward security programs.

Note: Clop ransomware (sometimes stylized as “Cl0p”) has been one of the most prolific ransomware families in the last three years.

After the malware infiltrates the system, it gets escalated privileges and gains permission to alter and overwrite system files. Clop creates an entry in the Windows registry that broadens its capabilities.

Afterward, it sends data about the system to the crooks. Clop then begins scanning the computer for files to encrypt: images, videos, text documents, mp3 and other data files. The malware's settings may vary, though.

Since Clop ransomware aims mainly at corporations, the ways it infiltrates victims' devices can probably be narrowed down to links and attachments in messages and emails purporting to come from recognizable companies. In theory, though, ransomware can penetrate a system in many ways.

#3. Agent Tesla Malware Attacks

Agent Tesla is a highly elusive, multifunctional malware complex combining the features of spyware and stealers. It is an example of a harmful program that can be ordered as a service, which means Agent Tesla is a highly targeted weapon.

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. On the dedicated website that sells this malware, it is falsely positioned as legitimate software. Unpacking the final payload after the malware's initial injection is a sophisticated process that involves steganography and unfolds in several stages. Such complexity allows Agent Tesla to avoid signature-based detection by security software.

The list of malicious functions of Agent Tesla is impressive: collecting and stealing device and system data, keylogging, screen capture, form-grabbing, stealing credentials, stealing browser data, etc.

#4. Ransomware-as-a-service (RaaS)

Ransomware-as-a-service (RaaS) does not substantially differ from ordinary ransomware; what differs is what happens behind the scenes. RaaS is a business model in which one party provides the software and the infrastructure for paying the ransom (a bitcoin wallet and technical support for victims), while the other party delivers the ransomware and supplies the prey likely to fall victim to it.

AS A FACT: I want to remind you that the introduction of ransomware is one of the most dangerous forms of cyberattacks. These include: Conti ransomware, Matrix ransomware, Makop ransomware, STOP/Djvu ransomware, etc.

RaaS does not guarantee the campaign's success; it works just like any software-as-a-service scheme. However, such a commercial attack is more likely to succeed because it is less random: the party ordering the service knows its victim better than a ransomware author attempting an attack by guesswork.

#5. AlienBot Malware Attacks

AlienBot malware is a password stealer targeting Android devices. It is part of a malware-as-a-service scheme. AlienBot compromises legitimate banking applications, and although its primary goal is to harvest logins, passwords, banking credentials and other fillable form data, it provides criminals with a much broader range of possible malfeasance.

If AlienBot infiltrates the system, it lets criminals download any applications, back up data, control the device via TeamViewer, etc.

AlienBot inhabited nine applications that crooks distributed via Google Play. That vulnerability has been fixed, and such a flagrant campaign is no longer possible with this malware. Nevertheless, users are still endangered if they carelessly follow dubious links and download unchecked applications onto their Android devices.

#6. Cryptojacking Malware Attacks

Cryptojacking is a state-of-the-art and relatively lightweight type of attack. The coin miners already mentioned are one type of cryptojacking; here, however, we are talking about a different case, in which victims receive no malicious code on their computers at all.

Cryptojackers carry out their attacks by luring users to click on banners and links that lead to web pages wired with mining scripts. If the victim uses an antivirus program, the security software will not allow the malicious scripts to run; it will simply block the dangerous web page from opening.

If the victim has no protection, however, the hijacked processor will keep working for the criminals until the end of the browsing session. The crooks count on the sheer number of people who will click the dangerous link.

#7. Social Engineering Attacks

Social engineering is an indispensable tool in a wide range of frauds aimed at fishing critical data, such as logins and passwords for social media accounts, out of victims without employing any malware at all. These campaigns are called phishing, and they most often use deceptive emails that make people think they are dealing with a real company. Fraudsters disguise themselves as social media platforms, delivery services, banks, money transfer services, etc.

Phishing attacks are often combined with spoofing: the visual design of emails and fake websites that serves the same goal, making a person believe that the site they are viewing is what it claims to be.

The victim then has no qualms about entering their credentials in the signup form or any other trap, and the login and password, or the banking data or credit card details, go straight to the crooks.

#8. Gameover ZeuS Virus

Zeus Gameover is a botnet that steals banking information from browsers by keylogging and form-grabbing performed by a Trojan. The main danger of this malware is its antivirus-evasion method.

NOTE: Often, botnets will launch a spam campaign on someone’s social media page or do it under someone’s YouTube video.

Unlike its predecessor ZeuS, Zeus Gameover connects to its command-and-control servers via an encrypted peer-to-peer communication system, which makes the Trojan much harder to detect.

Once the connection is established, besides stealing the victims' credentials, hackers can control the infected device, up to installing and removing programs. Another menace comes from an extra function of Zeus Gameover: distribution of the CryptoLocker ransomware.

#9. Browser Hijacking

Browser hijackers are not a new phenomenon, but they are still active and dangerous throughout the web. The main characteristic of this type of malware is that it modifies the settings of the infected PCs’ web browsers. Usually, the user notices that the browser homepage and default search engine are suddenly changed. Other effects may vary.

A browser hijacker is a vehicle for the malicious payload, most likely spyware, adware, or both. Spyware collects data from the user and sends it to the threat actors. The consequences range from the data sold to third parties to identity theft and tangible harm.

Adware is a different thing: it throws advertising banners over web pages, opens unwanted pop-ups, and inserts hyperlinks into web pages where none existed initially. It might seem that adware is comparatively harmless, but it is not, since any ad banner rendered by adware is also a menace.

Avoiding Malware Attacks: Choosing a Security Solution

Modern security software is a must-have for today's Internet users. Although it is not a panacea, since malware is constantly transforming and antiviruses have to catch up, a decent security program protects its user from most malware specimens. GridinSoft Anti-Malware is a technically masterful and economically beneficial solution. It is a versatile program that can serve as a primary antivirus or as an auxiliary scanning utility alongside another security system.

GridinSoft Anti-Malware features on-run defense (background protection), Internet protection (blocks dangerous and warns about suspicious webpages) and deep scanning. The program is regularly updated, especially paying attention to the latest ransomware.

The Best Ransomware Protection – Steps to Help (https://gridinsoft.com/blogs/steps-to-help-ransomware-protection/, Thu, 21 Apr 2022 17:01:24 +0000)

Ransomware is considered one of the most dangerous types of malware. You may disagree, but the moment your data becomes inaccessible eclipses all other threats. While spyware, backdoors or adware try to stay silent or at least not too harsh, ransomware is a nuke. Knowing how to protect your system from a ransomware attack is important no matter who you are: a freelancer, an employee of a huge corporation, or a retired colonel looking after chickens.

*Before learning how to avoid and neutralize ransomware, you need to understand what it is and how ransomware decryption works.

Why Ransomware Protection Matters

The problem of ransomware protection is pressing, since more than a dozen ransomware groups target different categories of users. Each has its own spreading methods, disguises and toughness. Some ransomware attacks can be decrypted thanks to the recklessness of their developers; some have design flaws that make the cipher breakable by simple brute force.

RECOMMENDATION: You can try the best ransomware protection tool – Gridinsoft Anti-malware. This anti-ransomware tool detects, removes, and prevents ransomware.

To help you avoid such outcomes, we will show you how to protect yourself both as an individual user and within a corporation, focusing on the typical tricks attackers use. Moreover, we will also explain the practical steps for protecting against ransomware.

Is Protecting Your PC Against Ransomware Important?

First, let me explain why a ransomware attack is such a bad omen. It is not only about making your data inaccessible. Several other malware types prevent users from accessing their files; however, they never got any significant spread. Things like screen lockers, archiving malware and shortcutting malware ceased to exist, and not just by accident. That is why it is vital to find a good, working ransomware protection solution.

Ransomware (at least most of it) uses a strong cipher that makes it almost impossible to get your data back. Even with a modern quantum computer, you would probably spend several thousand years breaking this cipher.

NOTE: The list of dangerous ransomware includes Avaddon ransomware, STOP/Djvu ransomware, LockBit ransomware, Makop, etc.

But that is still not the only disaster – some ransomware samples carry spyware alongside their main payload and collect every credential they can reach. Unfortunately, nobody (except the crooks themselves) can delete the stolen credentials. That is why it is important to have working ransomware protection software in place.

Moreover, file recovery after a ransomware attack is complicated if you are not going to pay the ransom. Modern ransomware variants can disable Volume Shadow Copies, OneDrive backups, and other popular backup methods. Crooks often scare victims by claiming that any attempt at file recovery will lead to data loss.

They may also say that your data will be deleted if the ransom demand is not met. While the first claim is partially true, the second is a complete lie, meant to scare you into paying the ransom. Either way, dealing with the consequences of an attack is never pleasant. Let’s figure out how to prevent ransomware attacks.

[Image: Ransomware Protection – working tips to protect yourself from ransomware]

Tips to Prevent Ransomware Attacks

The advice on how to stay secure depends on your environment. Crooks use different approaches against an individual user and against a company employee. Even when you work from home on your personal computer, an attack aimed at your PC alone looks different from one aimed at the whole company through it.

  1. Don’t use dubious or untrustworthy sources for software, films, and similar risky downloads. Around 90% of ransomware cases come from third-party sites that people use to get the program or film they want without paying a penny.
  2. Remember – the only free cheese is in a mousetrap. Major players on the ransomware market, such as STOP/Djvu, even create one-day sites that mimic forums with cracked software or pages offering new films for free download. The torrent files spread through these sites contain a payload that executes as soon as the download finishes.
  3. Don’t open email attachments from unknown senders. Crooks try to disguise their email addresses to look legitimate, but a careful look at them will reveal the truth.
  4. If you are not sure whether an email from Amazon is genuine, take the time to check the list of real Amazon support and delivery email addresses. And don’t be naive – no one will offer you a prize for a lottery you never entered.
  5. Be careful with software you’ve found on forums or social networks. Not all of it is dangerous, and not all of the dangerous programs carry ransomware. But still, using such programs is like buying drinks in a dirty doorway: you never know whether the bottle is genuine or counterfeit, but you know exactly who to blame for your heavy hangover the next day. This spreading method is rare but must not be ruled out, especially considering the high trust people place in such apps.

Tips to Prevent Ransomware Injection in a Corporation

These tips will be useful both for administrators and for employees who deal with potential attack surfaces. Attacks on companies combine methods specific to corporate networks with the same attack vectors used against individuals, so you will see some overlap with the previous section.

  • Use a protected RDP connection. RDP brute force attacks are one of the most widespread attack vectors. They are used to deploy ransomware, spyware, advanced persistent threats, and only God knows what else.
    Controlling this point is essential; ideally, system administrators should set up all RDP connections themselves to prevent any wrong moves. Brute forcing an RDP connection is possible only when the ports used to establish it are left unprotected. Unfortunately, those ports are used by default, so inexperienced users who set up RDP for the first time will likely keep them.
  • Segment the internal corporate network. Most companies have all their computers connected to a single local network inside a single office. This eases management but also makes the whole network much easier to infect. When the network is split into 4-5 segments, each managed by a separate administrator PC and only then by the domain controller, hackers will likely fail to make it all the way through.

Sure, one segment of the network will likely go down, but all the others will be fine, and your office will not sit idle without any usable computers.

[Image: Ransomware Protection – ransomware prevention best practices]

  • Apply 2FA for logging into all vulnerable places. To extend their presence in an infected network, attackers try to steal credentials or brute force every system that could be used to spread the malware further. Their final target is the domain controller – the computer that manages the whole network and has access to the servers. Its protection must be as strong as possible.
  • Initiate regular password changes among the personnel. Some known attacks happened after a password leak from one of the networks. Besides that, advanced attacks may last for several months – and a sudden password change will upset the attackers’ plans.
    So passwords on internal accounts should be changed every 4-6 weeks. It may seem too often, but believe me – it’s worth it.

As a postscript, I want to recommend avoiding common passwords – “qwerty”, “12345”, and the like. Brute forcing succeeds largely because of such easy passwords; even the cheapest (or free) password lists used for brute forcing contain them. Use strong passwords that cannot be cracked – this is one of the main keys to success.

* PLEASE NOTE: Another widespread mistake is adding personal information to passwords. Your or your spouse’s birth date, your pet’s name, and the date you joined the company are all easy to find with open-source intelligence. Keep that in mind when creating something so important!

Show employees how to recognize a counterfeit email. While individuals rarely fall victim to email scams, companies are the primary targets of such attacks.

*Cybercriminals go to great lengths to create ingenious disguises for their emails. They may mimic requests to your tech support, offers from other companies, notifications about bills the company needs to pay, and so on. There is nothing dangerous in merely reading such a message, but any links in it and any attached files expose you to potential danger.

It is better to avoid interacting with them at all, but if that would disrupt your work, check the sender’s address meticulously. Company officials never write to you from personal email addresses and never contact you.

The Best Ransomware Protection – Steps to Help

*I WANT TO REMIND: it is essential to choose the best ransomware protection solution for you and your PC. After studying the necessary materials and research, you can protect your PC from adware, spyware, ransomware, and other threats.

The best anti-ransomware protection is possible when you have constant database updates and, more importantly, proper proactive protection. These two things alone give you a pretty high level of protection.
Nonetheless, the problems of most mass-market antiviruses remain: they may still overload your CPU and RAM, and they may undermine your privacy by sending a lot of telemetry.

That’s why I’d recommend one that has neither of those disadvantages – Gridinsoft Anti-Malware. Its databases are updated every hour, and its overall CPU and RAM consumption is low enough to fit even the weakest systems.

Proactive protection, based on both a heuristic engine and a neural network, will make your device much better protected against most malware types.

Microsoft estimated that ransomware attacks take less than 45 minutes https://gridinsoft.com/blogs/microsoft-estimated-that-ransomware-attacks-take-less-than-45-minutes/ https://gridinsoft.com/blogs/microsoft-estimated-that-ransomware-attacks-take-less-than-45-minutes/#respond Wed, 30 Sep 2020 16:59:18 +0000 https://blog.gridinsoft.com/?p=4348 Microsoft analysts have prepared a traditional Digital Defense report, in which they talked about the main events and trends in the field of cybersecurity and threat analysis over the past year (from July 2019 to June 2020). The company, for example, estimated that some ransomware attacks could be carried out in less than 45 minutes.… Continue reading Microsoft estimated that ransomware attacks take less than 45 minutes

The post Microsoft estimated that ransomware attacks take less than 45 minutes appeared first on Gridinsoft Blog.

Microsoft analysts have prepared their traditional Digital Defense Report, which covers the main events and trends in cybersecurity and threat analysis over the past year (July 2019 to June 2020). The company estimated, for example, that some ransomware attacks could be carried out in less than 45 minutes.

Experts write that 2020 will be remembered above all for the coronavirus pandemic. While some hacker groups used the COVID-19 theme in their attacks, Microsoft says these operations were only a small part of the overall malware ecosystem, and the pandemic appears to have played a minimal role in the attacks of the past year.

“The number of phishing attacks on the corporate sector continues to grow, and they are becoming the dominant vector. Most phishing lures are centered around Microsoft and other SaaS vendors, and the top five fraudulent brands include Microsoft, UPS, Amazon, Apple and Zoom,” write Microsoft analysts.

In total, Microsoft blocked more than 13,000,000,000 malicious and suspicious emails in 2019, more than a billion of which contained phishing URLs.

Moreover, successful phishing operations are often the first step in BEC (business email compromise) attacks: fraudsters gain access to a company executive’s mailbox, study their email, and then trick the compromised user’s business partners into paying invoices and sending funds to the fraudsters’ bank accounts. The report states that BEC scammers are most often interested in C-suite and accounting credentials.

[Image: ransomware attacks take 45 minutes]

However, phishing isn’t the only way to break into someone else’s account.

Hackers also use the password spraying technique and often exploit the fact that users reuse the same passwords. In this technique, attackers cycle through many different usernames, trying each with the same simple, easily guessed password, in the hope of finding a poorly secured account.

“These attacks are most often used against IMAP and SMTP. They allow attackers to bypass multi-factor authentication because login via IMAP and SMTP does not support this feature,” say Microsoft researchers.
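The two credential-attack patterns described on this page, RDP brute force (many failures against one account, see the corporate tips above) and password spraying (one source trying many accounts with a single guess each, often over legacy protocols such as IMAP), leave distinct traces in authentication logs. The following Python detector is an added example, not code from Gridinsoft or from Microsoft’s report; the log format, the sample lines and the thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed sample auth log for this example (not a real capture).
    One record per line: <timestamp> <source_ip> <username> <protocol> <result>"""
    lines = []
    # Spraying pattern: one source tries eight accounts once each over IMAP,
    # a legacy protocol on which MFA cannot be enforced (constructed data).
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, user in enumerate(users):
        lines.append(f"2020-06-01T02:0{i}:00 203.0.113.5 {user} IMAP FAIL")
    # Brute-force pattern: one source hammers a single RDP account.
    for i in range(12):
        lines.append(f"2020-06-01T03:00:{i:02d} 198.51.100.7 administrator RDP FAIL")
    # Benign noise: a user mistypes a password once, then logs in.
    lines.append("2020-06-01T09:15:00 192.0.2.10 alice RDP FAIL")
    lines.append("2020-06-01T09:15:20 192.0.2.10 alice RDP OK")
    return "\n".join(lines)

def parse(log_text):
    """Return (timestamp, src, user, protocol, result) tuples, skipping blank lines."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]

def detect_brute_force(events, threshold=10):
    """Flag (src, user) pairs with at least `threshold` failures: one account, many tries."""
    fails = defaultdict(int)
    for _, src, user, _, result in events:
        if result == "FAIL":
            fails[(src, user)] += 1
    return sorted(pair for pair, n in fails.items() if n >= threshold)

def detect_password_spray(events, min_users=5, max_per_user=2):
    """Flag sources failing against >= `min_users` distinct accounts with
    <= `max_per_user` tries each: one password, many users.
    Returns (src, sprayed_user_count, protocols_used) tuples."""
    per_src = defaultdict(lambda: defaultdict(int))
    protos = defaultdict(set)
    for _, src, user, proto, result in events:
        if result == "FAIL":
            per_src[src][user] += 1
            protos[src].add(proto)
    flagged = []
    for src, users in per_src.items():
        sprayed = [u for u, n in users.items() if n <= max_per_user]
        if len(sprayed) >= min_users:
            flagged.append((src, len(sprayed), sorted(protos[src])))
    return sorted(flagged)
```

Running both detectors over `parse(build_sample_log())` flags only the RDP hammerer and the IMAP sprayer, while the single mistyped password stays below both thresholds.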

Microsoft experts unambiguously call ransomware the most serious threat over the past year.

Most of this activity came from hacking groups that specialize in attacks on large corporations or government organizations, since those yield the largest ransoms. Most of these groups either use infrastructure provided by other hackers or mass-scan the Internet for recently disclosed vulnerabilities.

In most cases, hackers infiltrate the system and stay there, waiting until they are ready to launch an attack.

Microsoft reports that ransomware operators have been particularly active this year and have dramatically reduced the time it takes them to launch attacks, especially during the COVID-19 pandemic.

“Attackers used the COVID-19 crisis to reduce the time spent on the victim’s system. They compromise, steal data, and, in some cases, quickly activate ransomware, apparently in the belief that they would be more likely to get paid that way. In some cases, cybercriminals went from initial infiltration to encrypting the entire network and demanding a ransom in less than 45 minutes,” the report says.

Let me remind you that researchers have also calculated that ransomware attacks most often occur at night and on weekends.
