therecord.media
Open in
urlscan Pro
2606:4700:4400::ac40:9b4b
Public Scan
URL:
https://therecord.media/ransomware-targeting-small-business-individuals-remains-robust
Submission: On August 25 via api from TR — Scanned from DE
Submission: On August 25 via api from TR — Scanned from DE
Form analysis 1 forms found in the DOM
<form><span class="text-black text-sm icon-search"></span><input type="text" name="s" placeholder="Search…" value=""><button type="submit">Go</button></form>Text Content
This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy. Accept * Leadership * Cybercrime * Nation-state * People * Technology * Mobile App * About * Podcast * Contact Go SUBSCRIBE TO THE RECORD Subscribe Image: Dan Burton via Unsplash/Photomosh Jonathan GreigAugust 24th, 2023 * Cybercrime * News * * * * * Get more insights with the Recorded Future Intelligence Cloud. Learn more. RANSOMWARE ECOSYSTEM TARGETING INDIVIDUALS, SMALL FIRMS REMAINS ROBUST Ransomware attacks on major companies and large government organizations have dominated the headlines in 2023 but researchers from several companies are warning that smaller-scale attacks on individuals and small businesses are causing significant harm and damage too. Researchers at Netenrich examined the Adhubllka ransomware, which has targeted regular people and small businesses with ransoms ranging from $800 to $1,600 since at least January 2020. Rakesh Krishnan, senior threat analyst at Netenrich, said it is common for ransomware gangs to eschew larger targets in favor of victims they know will not have the technical know-how to deal with an incident. Many gangs crib their ransomware from leaked versions of established brands like Conti or LockBit, Krishnan explained. “They might not have the bandwidth to develop something from scratch. Another possibility is: They might have a simple ransomware which can be decoded by researchers and those who could obtain decryption keys for free,” he said. “So it would be their aim to keep their project under the hoods so that no one picks it up. Hence, a small amount is being ransomed as compared to the big fishes in this industry.” In a report last month, Chainalysis noted this trend, highlighting that while media attention and focus is on the gangs demanding millions from large companies, there was also a significant growth in activity from groups like Dharma, Phobos and Stop/Djvu that demanded ransoms under $1,700. Dharma and Phobos are ransomware-as-a-service strains that are “typically used in spray and pray attacks against smaller targets and can be deployed by relatively unsophisticated actors,” they explained. Allan Liska, senior security architect at cybersecurity firm Recorded Future, noted that these kinds of strains were almost all of what ransomware was before 2017 and is still the most popular type of ransomware despite the shift in media and researcher coverage. “I think most people don’t realize this, but for the last 4 years the most popularly deployed ransomware, and it is not even close, have been variants of STOP/DJVU. The second most popular have been variants of Phobos ransomware. Both STOP and Phobos are single machine ransomware that encrypt and extort,” he said. The Record is an editorially independent unit of Recorded Future. “There isn’t (usually) data theft involved in these attacks, and there is definitely no double extortion. We tend to see these hitting individual users or small businesses that don’t have the resources for any sort of security measures. We often see them disguised as popular software downloads or delivered through mass phishing campaigns.” ADHUBLLKA ORIGINS The Netenrich report focuses on a ransomware strain the company observed in the wild this month. They were able to trace the ransomware back to Adhubllka, noting that it is increasingly common for groups to tweak ransomware codebases to create their own version with new encryption schemes and ransom notes. The researchers also found ties to CryptoLocker, a ransomware that has been around since 2016. Krishnan looked at the negotiation tactics and other clues that revealed a web of strains that all descended from Adhubllka. Many of the ransom notes were identical and took victims to similar interfaces where they could communicate with the hackers. Similar email addresses were used by those operating a range of different strains, indicating ties between them all. He said Adhubllka was an “anchor point” because of the “the large number of reports covering the same email address pr0t3eam@protonmail.com, which belongs to the ransomware group.” The researchers noted that they also saw Adhubllka used in attacks on businesses in Australia throughout 2020. Krishnan warned that it may continue to get more difficult for researchers and experts to identify ransomware gangs and strains as groups crib from each other and amend leaked versions of ransomware. But researchers may have luck tracing ransomware gangs through their communication channels and more – as he did with Adhubllka. “In the future, this ransomware may be rebranded with other names; or other groups may use it to launch their own ransomware campaigns,” he said. “However, as long as the threat actor does not change their mode of communication, we will be able to trace all such cases back to the ADHUBLLKA family.” * * * * * Tags * business * Ransomware * security research * SMB JONATHAN GREIG Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic. Previous articleNext article English council warns residents after suspected ransomware attack Privacy regulators tell social media companies to fear the scrapers BRIEFS * Privacy regulators tell social media companies to fear the scrapersAugust 24th, 2023 * Ransomware ecosystem targeting individuals, small firms remains robustAugust 24th, 2023 * Proposed bill would require vulnerability disclosure policies for all federal contractorsAugust 24th, 2023 * MacOS version of info-stealing XLoader gets an upgradeAugust 22nd, 2023 * Cyberattack on Belgian social service centers forces them to closeAugust 22nd, 2023 * Ukrainian hackers claim to leak emails of Russian parliament deputy chiefAugust 22nd, 2023 * Ecuador’s national election agency says cyberattacks caused absentee voting issuesAugust 21st, 2023 * Somalia bans TikTok, Telegram over ‘horrific' contentAugust 21st, 2023 * Tesla blames data breach affecting 75,000 on ‘insider wrongdoing’August 21st, 2023 H1 2023: RANSOMWARE'S PIVOT TO LINUX AND VULNERABLE DRIVERS H1 2023: Ransomware's Pivot to Linux and Vulnerable Drivers THREAT ACTORS LEVERAGE INTERNET SERVICES TO ENHANCE DATA THEFT AND WEAKEN SECURITY DEFENSES Threat Actors Leverage Internet Services to Enhance Data Theft and Weaken Security Defenses REDHOTEL: A PROLIFIC, CHINESE STATE-SPONSORED GROUP OPERATING AT A GLOBAL SCALE RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale BLUECHARLIE, PREVIOUSLY TRACKED AS TAG-53, CONTINUES TO DEPLOY NEW INFRASTRUCTURE IN 2023 BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023 BLUEBRAVO ADAPTS TO TARGET DIPLOMATIC ENTITIES WITH GRAPHICALPROTON MALWARE BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware * * * * * Privacy Policy © Copyright 2023 | The Record from Recorded Future News