Kaspersky today confirms that 2020 was the year of “Ransomware 2.0” in Asia Pacific (APAC). An expert from the global cybersecurity company also discussed two notorious ransomware families that are particularly targeting victims in the region: REvil and JSWorm.
“Ransomware 2.0” refers to groups that have moved beyond merely holding data hostage through encryption: they also exfiltrate the data and blackmail the victim with the threat of publishing it. Such attacks are almost always targeted rather than opportunistic. The aftermath of a successful attack includes significant monetary loss and damaging loss of reputation.
“2020 was the most productive year for ransomware families that moved from hostaging data to exfiltrating data, coupled with blackmailing. In APAC, we noticed an interesting re-emergence of two highly active groups, REvil and JSWorm. Both resurfaced as the pandemic raged in the region last year, and we see no signs of them stopping anytime soon,” says Alexey Shulmin, Lead Malware Analyst at Kaspersky.
REvil (aka Sodinokibi, Sodin)
Kaspersky first wrote about REvil ransomware in July 2019. Also known as Sodinokibi and Sodin, the group initially spread through an Oracle WebLogic vulnerability and carried out attacks on managed service providers (MSPs).
REvil’s activity peaked in August 2019 with 289 potential victims, after which Kaspersky telemetry recorded fewer detections until July 2020. Having targeted only 44 Kaspersky users globally in June 2020, the group then sharply accelerated its attacks: in July 2020 Kaspersky solutions protected 877 users from this threat, an increase of 1893% in the span of a single month.
In addition, expert monitoring showed how the group has actively expanded its operations from Asia Pacific (APAC) to the rest of the world.
“Back in 2019, most of their victims were only from APAC — particularly in Taiwan, Hong Kong, and South Korea. But last year, Kaspersky detected their presence in almost all countries and territories. It is safe to say that during their “silent months”, REvil creators took their time to improve their arsenal, their method of targeting victims, and their network’s reach,” adds Shulmin.
One thing was unchanged, though: APAC remained one of REvil’s top targets.
Of the 1,764 Kaspersky users targeted by the group in 2020, 635 (36%) were located in the region. Brazil, however, logged the highest number of users almost infected with this threat, followed by Vietnam, South Africa, China, and India.
Based on the data published by the threat actors on their data leak site, Kaspersky experts were also able to categorise the group’s targets into several general industry classes. The largest share of targets by industry falls under Engineering and Manufacturing (30%), followed by Finance (14%) and Professional and Consumer Services (9%). Legal, IT and Telecommunications, and Food and Beverage received equal attention at 7% each.
JSWorm (aka Nemty, Nefilim, Offwhite, Fusion, Milihpen, etc.)
Like REvil, JSWorm entered the ransomware landscape in 2019. However, the geographical distribution of its initial victims was more varied. During its first months it was detected across the globe: in North and South America (Brazil, Argentina, USA), in the Middle East and Africa (South Africa, Turkey, Iran), in Europe (Italy, France, Germany), and in APAC (Vietnam).
The number of JSWorm victims is lower than REvil’s, but it is clear that this ransomware family is gaining ground. In 2020, Kaspersky solutions blocked attempts against 230 users globally, a 752% increase over the 27 users almost infected with this threat in 2019.
Most notably, Kaspersky experts noticed a shift of the group’s attention towards the APAC region. China emerged as the country with the highest number of Kaspersky Security Network (KSN) users almost infected by JSWorm globally, followed by the USA, Vietnam, Mexico, and Russia. More than one-third (39%) of all the enterprises and individuals the group targeted last year were also located in APAC.