Newer Ransomware Groups Are Publishing Confidential Information Online, Kaspersky Analyzes

WOBURN, Mass.--()--Over the past couple of years, widespread ransomware attacks have been replaced by more targeted attacks against specific companies and industries. In these more targeted campaigns, attackers not only threaten to encrypt data but also to publish confidential information online. Kaspersky researchers observed this trend in a new analysis of two notable ransomware families: Ragnar Locker and Egregor.

Ransomware attacks, in general, are considered one of the more serious types of threats facing companies. Not only can they disrupt critical business operations, but they can also lead to massive financial losses and, in some cases, even bankruptcy, due to fines and lawsuits incurred. The WannaCry attacks, for example, are estimated to have caused more than $4 billion in financial losses. Ransomware attacks used to be more widespread, but now, newer ransomware campaigns are modifying their modus operandi and threatening to take stolen company information public.

Ragnar Locker and Egregor are two well-known ransomware families practicing this new method of extortion.

Ragnar Locker was first discovered in 2019, but it didn’t become well-known until the first half of 2020 when it was seen attacking large organizations. Attacks are highly targeted, with each sample specifically tailored to the intended victim. Those who refuse to pay have their confidential data published in the “Wall of Shame” section of the attackers’ leaks site. If the victim chats with the attackers and then refuses to pay, this chat is also published. The primary targets are companies in the United States across different industries. This past July, Ragnar Locker stated that it had joined the Maze ransomware cartel, meaning the two will share stolen information and collaborate. Maze has become one of the most notorious ransomware families in 2020.

Egregor is much newer than Ragnar Locker, having first been discovered this past September. However, it uses many of the same tactics, and it also shares code similarities with Maze. The malware is typically dropped by breaching the network. Once the target’s data has been exfiltrated, it gives the victim 72 hours to pay the ransom before the stolen information goes public. If the victims refuse to pay, the attackers publish the names of the victims and links to download the confidential company data on their leaks site.

Egregor’s attack radius is much more extensive than Ragnar Locker’s. It’s been seen targeting victims across North America, Europe, and parts of the APAC region.

“What we’re seeing right now is the rise of ransomware 2.0,” said Dmitry Bestuzhev, head of the Latin American Global Research and Analysis Team (GReAT), Kaspersky. “By that I mean, attacks are becoming highly targeted and the focus isn’t just on encryption; instead, the extortion process is based around publishing confidential data online. Doing so puts not just companies’ reputations at risk, but also opens them up to lawsuits if the published data violates regulations like HIPAA or GDPR. There’s more at stake than just financial losses.”

“This means organizations need to think about the ransomware threat as more than just a type of malware,” added Fedor Sinitsyn, security expert, Kaspersky. “In fact, oftentimes the ransomware is only the final stage of a network breach. By the time the ransomware is actually deployed, the attacker has already carried out a network reconnaissance, identified the confidential data and exfiltrated it. It’s important that organizations implement the whole range of cybersecurity best practices. Identifying the attack at an early stage, before attackers reach their final goal, can save a lot of money.”

Read more about Ransomware 2.0 on Securelist.

To keep your company protected against these types of ransomware attacks, Kaspersky experts recommend:

  1. Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  2. Always keep software updated on all the devices you use. To prevent ransomware from exploiting vulnerabilities, use tools that can automatically detect vulnerabilities and download and install patches.
  3. Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways to your network.
  4. Treat email attachments, or messages from people you don’t know, with caution. When in doubt, don’t open it.
  5. Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response to identify and stop the attack at an early stage, before attackers complete their objective.
  6. Focus your defensive strategy on detecting lateral movements and data exfiltration to the internet. Pay a special attention to outgoing traffic to detect cybercriminals connections. Back up data regularly. Make sure you can quickly access it in an emergency.
  7. To protect the corporate environment, educate your employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect from ransomware attacks is available here.
  8. For personal devices, use a reliable security solution like Kaspersky Security Cloud that protects against file-encrypting malware and rolls back the changes made by malicious applications.
  9. If you’re a business, enhance your protection with Kaspersky’s free Anti-Ransomware Tool for Business. Its recently updated version contains an exploit prevention feature to prevent ransomware and other threats from exploiting vulnerabilities in software and applications. It is also helpful for customers that use Windows 7: with the end of support for Windows 7, new vulnerabilities in this system won’t be patched by the developer.
  10. For superior protection, use an endpoint security solution, such as Integrated Endpoint Security, that is powered by exploit prevention, behavior detection and a remediation engine that is able to roll back malicious actions.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Contacts

Sawyer Van Horn
sawyer.vanhorn@Kaspersky.com
(781) 503-1866

Release Summary

Ransomware groups switch from encrypting data to posting it online

Contacts

Sawyer Van Horn
sawyer.vanhorn@Kaspersky.com
(781) 503-1866