“Ransomware Pandemic”: Data Trends and Notes on Ransomware Group Suspected to be behind JBS Attack


Following the Massachusetts Steamship Authority and JBS ransomware attacks, Check Point Research (CPR) shares its notes on the Russian-speaking ransomware group REvil, suspected to be behind several of the latest ransomware attacks. CPR also shares its latest snapshot of ransomware trends across the globe and in the United Arab Emirates.

·         REvil is known for its use of the double-extortion technique and for its partnership with affiliates

·         CPR shares REvil’s “working rules” found on an underground Russian forum, including how operating in the CIS (and Ukraine) is forbidden

·         102% global increase in organizations impacted by ransomware this year, compared to the beginning of 2020

·         52% increase in cyber attacks year-over-year in the United Arab Emirates

Ram Narayanan, Country Manager, Check Point Software Technologies, Middle East

REvil is one of the most prominent ransomware families on the planet. Operated by the Russian-speaking REvil group, the ransomware family has been responsible for dozens of major breaches since 2019. One of the key factors driving REvil’s success is its use of Double Extortion, a technique in which threat actors steal data from organizations in addition to encrypting files. This means that, as well as demanding a ransom to decrypt data, attackers can later threaten to leak the stolen information if an additional payment is not made.

REvil is also known for its collaboration with affiliate hackers: it joins forces with advanced attackers who are responsible for breaching new targets, exfiltrating data, and encrypting networks. In return, the REvil group provides affiliates with the ransomware itself, the leak site, and everything money-related, from negotiation to payment.

On a wider scale, the REvil ransomware group announced in February 2021 that it had added two stages to its Double Extortion scheme: DDoS attacks and phone calls to the victim’s business partners and the media. The group now offers DDoS attacks and voice-scrambled VoIP calls to journalists and colleagues as a free service for its affiliates, designed to apply further pressure on the victim company to meet ransom demands within the designated timeframe.

In April 2021, REvil demonstrated the use of what we call the Triple Extortion technique. The gang successfully breached Quanta Computer, a prominent Taiwan-based notebook original design manufacturer (ODM) and a major business partner of Apple. Following the ransomware attack, a payment of some $50 million was demanded from the manufacturer, along with a warning that the sum would be doubled unless it was paid on time. Since the company refused to communicate with the threat actors, they went on to extort Apple directly, demanding that Apple buy back blueprints of its products found on Quanta Computer’s network. Approximately a week later, REvil peculiarly removed Apple’s drawings from its official data leak website.

Closing note: Following DarkSide’s ransomware attack on Colonial Pipeline and the subsequent international law-enforcement pressure, major underground Russian communities banned the future promotion of ransomware affiliate projects such as REvil. We are still waiting to see how this will unfold and how it will affect ransomware operations such as REvil in the future.

Ransomware Impacts 1,000 Organizations each week

Since the beginning of April, CPR has seen an average of over 1,000 organizations impacted by ransomware every week. The statistic follows significant increases in the number of impacted organizations so far in 2021 (21% in Q1 and 7% in Q2), netting a staggering 102% overall increase in organizations impacted by ransomware compared to the beginning of 2020.

General Cyber Attack Trends in the United Arab Emirates 

·         Over the last 6 months, an organization in the United Arab Emirates has been attacked an average of 289 times per week.

·         Compared to May 2020, we see an increase of 52% in the number of cyberattacks in the UAE.

·         The most common vulnerability exploit type in the United Arab Emirates is Remote Code Execution, impacting 62% of organizations.

Quote: Ram Narayanan, Country Manager, Check Point Software Technologies, Middle East

“Right now we are clearly in the middle of a ‘ransomware pandemic’. By now, we’ve seen attack after attack dominate headlines, from the Colonial Pipeline, to JBS, to now the Massachusetts Steamship Authority. Hackers have gone after everything and exploited every industry from oil to food and utilities. I’m afraid that it’s only going to get worse, as ransomware is big business, and word is quickly getting out that it pays well. The more organizations pay these ransoms, the more they fund a hacker’s R&D efforts to launch more sophisticated attacks. The technique of triple extortion, where hackers threaten not only their targets, but their targets’ customers and partners, is a good example of this. It’s safe to say that ransomware is now one of the largest national security threats we face.”