Positive Technologies: ransomware operators are banding together

Positive Technologies has released its most recent Cyber Threatscape report, an analysis of cyber incidents in Q2 2020. Key findings include: manufacturing and industrial companies are increasingly targeted, 16 percent of social engineering attacks took advantage of COVID-19 concerns, and there is evidence that ransomware operators have started cooperating with each other.

In the second quarter of 2020, the number of attacks increased by 9 percent compared to the first quarter, and by 59 percent compared to the second quarter of 2019. April and May 2020 set records for the number of successful cyberattacks, likely as a result of the epidemiological and economic turmoil. Significant world events consistently lead to increases in cybercrime because they provide fertile ground for social engineering. Among social engineering attacks in Q2 2020, 16 percent capitalized on the COVID-19 pandemic (compared to 13 percent in Q1). More than a third (36 percent) of these pandemic-themed attacks did not target a specific industry, 32 percent targeted individuals, and 13 percent were aimed at government institutions.

Attacks Against Industry

The report shows that manufacturing and industrial companies are receiving a significantly larger share of attacks than before. Among attacks on organizations in Q2, such companies were targeted in 15 percent of cases, compared to 10 percent in Q1. Ransomware operators and cyberespionage APT groups appear to be the actors most interested in industrial companies. In Q2, the first victims of the Snake ransomware (also known as EKANS) became public: automaker Honda and energy giant Enel Group. Industrial companies were also struck by other ransomware families, including Maze, Sodinokibi, NetWalker, Nefilim, and DoppelPaymer. The initial penetration vector in attacks on manufacturing and industrial companies was most frequently a phishing email (83 percent of attacks) or a vulnerability on the network perimeter (14 percent).

Ransomware Operators Join Forces

The operators of Maze and Sodinokibi (also known as REvil) were the most active perpetrators of ransomware attacks in Q2 2020.

Positive Technologies analyst Yana Avezova said: "Ransomware is one of the fastest-growing varieties of cybercrime. Groups now routinely threaten victims with publication of data if the victim fails to pay up. To sell the stolen data, many ransomware operators create special data leak sites where they publish a list of victims and the stolen information. Others publish the data on hacker forums. The operators of LockBit and Ragnar Locker went even further, teaming up with the 'industry leader' Maze. The Maze operators now publish data stolen by other groups on their data leak site. Together, the groups have formed the so-called Maze cartel."

Experts say that although ransomware operators pay a commission to their accomplices, they still enjoy substantial profits. In Q2 2020, they made millions of dollars, as illustrated by the NetWalker attack on a medical school in California, for which the ransomware operators received $1.4 million in ransom. After an American law firm refused to pay a ransom of $21 million, the operators of the Sodinokibi ransomware doubled the demand to $42 million and began auctioning off the stolen files in lots, each concerning a different celebrity, including Donald Trump and Madonna (starting bid: $1 million per lot).

Credential Theft on the Rise

Experts estimate that credentials accounted for 30 percent of all data stolen from organizations in Q2, up from 15 percent in the previous quarter. Corporate credentials of employees are in especially high demand: criminals sell them on the dark web or use them in follow-on attacks, for example by impersonating the compromised company to send emails with malicious attachments. In Q2, attackers primarily targeted online services, e-shops, and service sector companies. In most cases, they exploited web application vulnerabilities or brute-forced passwords to gain access to websites. Other common data theft scenarios included phishing emails and malware infection.

Avezova noted: "When targeting credentials with phishing, attackers tend to forge the authentication forms of Microsoft products, such as Office 365, Outlook, and SharePoint. With the pandemic in Q2, we saw attacks aimed at pilfering credentials for audio and videoconferencing services. In one such case, attackers deployed a phishing campaign against remote employees who use Skype, sending them emails with fake Skype notifications. Clicking the link in the email took the employee to a fake authentication form prompting them to enter their Skype username and password. Similar attacks in Q2 hit users of WebEx and Zoom."