Ransomware operators work together to maximize effectiveness of attacks
The numerous challenges of 2020 have proved to be fertile ground for ransomware attacks, with the number up by nine percent compared to the first quarter and by 59 percent compared to the second quarter of 2019.
The latest Threatscape report from Positive Technologies shows that 16 percent of phishing attacks took advantage of COVID-19 concerns, and there is also evidence that ransomware operators have started cooperating with each other.
To sell their stolen data, many ransomware operators create special data leak sites where they publish a list of victims and the information stolen. Others publish the data on hacker forums. Those behind LockBit and Ragnar Locker have gone even further, teaming up with the 'industry leader' hacking group Maze. The Maze operators now publish data stolen by other gangs on their data leak site. Together, these gangs have formed a so-called Maze cartel. In addition, ransomware attackers often buy access to victim companies' networks from other criminals.
The report shows that manufacturing and industrial companies are receiving a significantly larger share of attacks than before. Among attacks on organizations in Q2, this sector was targeted in 15 percent of cases, compared to 10 percent in Q1. Ransomware operators and cyberespionage APT groups are among those who seem to be the most interested in industrial companies.
Credentials are estimated to account for up to 30 percent of the total amount of data stolen from organizations, compared to 15 percent previously. Corporate credentials of employees are in especially high demand, as criminals sell them on the dark web or use them for further attacks, such as impersonating the hacked company to send emails with malicious attachments.
"When targeting credentials with phishing, attackers tend to forge the authentication forms of Microsoft products, such as Office 365, Outlook, and SharePoint," says Positive Technologies analyst Yana Avezova. "With the pandemic in Q2, we saw attacks aimed at pilfering credentials for audio and videoconferencing services. In one such case, attackers deployed a phishing campaign against remote employees who use Skype, sending them emails with fake Skype notifications. Clicking the link in the email took the employee to a fake authentication form prompting to enter the employee's Skype username and password. Similar attacks in Q2 hit users of WebEx and Zoom."
More on the findings is available on the Positive Technologies site.