DBIR finds ransomware increased by double digits
Verizon Businessâ annual Data Breach Investigations Report (DBIR) is out and confirms what many CISOs already know: ransomware continues to plague business. Ransomware-related breach instances rose 13%, an increase larger than in the past 5 years combined.
Analysts looked at 23,896 security incidents between November 1, 2020 and October 31, 2021, for the report. Of those, 5,212 were confirmed breaches.
âAs criminals look to leverage increasingly sophisticated forms of malware, it is ransomware that continues to prove particularly successful in exploiting and monetizing illegal access to private information,â Verizon Business said in a statement on the findings.
As Rick Holland (@rickholland), a security veteran and CISO of Digital Shadows, noted on Twitter, â25% of all breaches are ransomware related. #DBIR And that is just what is reported. Actual number much higher in my opinion.â
Andy Jabbour (@andyjabbour), an analyst with security firm Gate15, referring to the section of the report on ransomware tweeted, âThis section is the perfect sequel to last yearâs finding of #Ransomware dramatically increasingâ¦That trend has continued with ***an almost 13% increase this year*** (an increase as large as the last five years combined).â
GoodWill hunting victims with malware
In a new twist on ransomware, researchers from CloudSek say a ransomware group is using the malware to raise money for charity. The so-called GoodWill ransomware group demands victims perform a charitable act in exchange for the decryption key.
âThe Robin Hood-like group is forcing its victims to donate to the poor and provides financial assistance to the patients in need,â researchers say in a blog post about the malware.
Once infected, victims get to âchooseâ which charitable act to perform in exchange for the key. The choices include:
- Donate new clothes to the homeless, record the action, and post it on social media.
- Take five less fortunate children to Dominos, Pizza Hut or KFC for a treat, take pictures and videos and post them on social media.
- Provide financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio, and share it with the operators.
Whether based on good intentions or not, infosec and legal pros say donât give in to these demands.
âThe goodwill ransomware encrypts all files & requests the victim to pay in acts of kindness (instead of money) to get it back. Don't do it. Keep a good backup,â tweeted Courtney Troutman and Emily Worle, who tweet under the handle @SCBar_PMAP.
Cheerscrypt ransomware is not so festive
Researchers at Trend Micro say they have observed a Linux-based ransomware family called Cheerscrypt that targets VMwareâs ESXi servers. Researchers says the ransomware uses the now-common double-extortion tactic, which not only forces victims to pay a ransom, but also steals data and threatens to leak it if victims do not pay.
Researchers conclude their blog by noting ESXi is widely used in enterprise settings for server virtualization and is a popular target for ransomware attacks.
âCompromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices,â they say.
REvil is back ⦠maybe
Researchers from Akamai say the infamous ransomware group known as REvil may be back to mess with systems again. REvil first became known as the gang responsible for the Kaseya and JBS ransomware attacks in 2021. Russian officials claimed to have dismantled REvil in March, but in the last week, the Akamai Security Intelligence Response Team (SIRT) was called in to assist with what it called a Layer 7 attack on a hospitality customer by a group claiming to be REvil.
Akamai SIRT member Larry Cashdollar reports the group launched a coordinated DDoS attack. The attack was not a ransomware attack but instead included a 554-byte message demanding payment in Bitcoin in order to halt the attack. Whether or not it is actually REvil, or a copycat group, is still being investigated.
âWhen a threat group changes its techniques, it could be a possible pivot into a new business model, a result of a dramatic change in its skill set, a schism among the group, or an unaffiliated copycat trying to leverage that groupâs hype into easy money from short-sighted and emotionally reactive victims,â he wrote. âItâs possible that REvil is testing the waters of DDoS extortion as a profitable business model, but we think itâs more likely that weâre seeing the scare tactics associated with prior DDoS extortion campaigns recycled for a fresh round of campaigns.â
|
