The 4 most common types of ransomware: This is how dangerous they are for SMBs
by Tina Siering
For years, ransomware attacks on companies and organizations have been increasing significantly worldwide - including in Germany. More and more hacker groups are developing increasingly sophisticated attack strategies with which they corner their victims. As a study by the US cyber security company Intel 471 has now found, almost 70 percent of all attacks are attributable to just four types of malware. Small and medium-sized companies in particular are increasingly becoming the focus of attackers and are forced to build strong defenses despite low staffing levels and limited financial resources. This can only succeed with the right protection strategy.
These are the Big 4 of encryption Trojans
For its study, Intel 471 analyzed a total of 722 ransomware attacks between October and December 2021. During this period, four types of ransomware stood out in particular: the LockBit 2.0 malware alone was responsible for 29.7 percent of all attacks. It was followed by the Conti group's ransomware with a share of 19 percent, and then by the Pysa and Hive extortion Trojans, which were used in 10.5 and 10.1 percent of attacks, respectively.
The top 4 most used encryption Trojans can be characterized as follows:
1. LockBit 2.0
LockBit 2.0 is a malware that first appeared in September 2019 and was initially known as the ABCD virus. It encrypts computer systems, allowing hackers to blackmail companies and organizations around the globe with business disruption and data theft. The targeted attacks spread through a network in an automated, infection-like manner and achieve an extremely fast encryption speed. The development team also rents LockBit 2.0 out as Ransomware-as-a-Service (RaaS) to cybercriminals and earns a share of the hackers' revenue. Among the most prominent victims are the French Ministry of Justice and the consulting firm Accenture.
2. Conti
The Conti ransomware first appeared in 2020 and was developed by the TrickBot gang. This encryption Trojan can also be rented as a RaaS - including detailed instructions on how to handle the malware and identify suitable targets. Just as with LockBit 2.0, the Conti group earns money from the ransoms that its criminal customers collect through hacking attacks. In this way, more than 2.5 billion euros are said to have already flowed into Conti's accounts. Currently, the ransomware is also being used as a "political tool": after the Conti group officially sided with Russia at the beginning of Russia's war of aggression against Ukraine, its source code was leaked. The leaked source code was then used by the hacker group NB65 to target Russian organizations. The group justified its attacks with the massacre in Bucha, Ukraine: as soon as Russia ends the war against Ukraine, the attacks would also stop. Targets outside Russia would not be attacked.
3. Pysa
The Pysa malware belongs to the Mespinoza ransomware family and is typically spread via fraudulent file attachments, downloads or updates. After encryption, file names are given the extension ".pysa". Via a .txt text file, the perpetrators ask their victims to contact them by email in order to receive information about the ransom payment and subsequent data recovery. Do not pay the ransom under any circumstances! You will not always get your data back - and if you do pay, you are doing exactly what the cybercriminals want and encouraging them to strike again. Read more on the topic in the blog post "Cyber attack on your company? Here's how to respond properly in an emergency!"
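The two indicators named above (many files gaining a new ".pysa" extension in quick succession, followed by a .txt note) are enough for a simple network-share detection. The following is an added example, not code from the article or from any vendor: the audit-event format, host names, file paths, note file name and the 60-second/5-file thresholds are all constructed assumptions.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed file-server audit events ("<ISO time> <host> <action> <path>");
# hosts, paths and the note file name are invented for this example.
SAMPLE_EVENTS = """\
2021-11-03T09:14:01 FS01 RENAME D:/Share/Q3.xlsx -> D:/Share/Q3.xlsx.pysa
2021-11-03T09:14:01 FS01 RENAME D:/Share/plan.docx -> D:/Share/plan.docx.pysa
2021-11-03T09:14:02 FS01 RENAME D:/Share/hr/staff.csv -> D:/Share/hr/staff.csv.pysa
2021-11-03T09:14:02 FS01 RENAME D:/Share/hr/pay.xlsx -> D:/Share/hr/pay.xlsx.pysa
2021-11-03T09:14:03 FS01 RENAME D:/Share/it/backup.zip -> D:/Share/it/backup.zip.pysa
2021-11-03T09:14:04 FS01 CREATE D:/Share/Recovery_Procedure.txt
2021-11-03T10:02:10 WS07 RENAME C:/Users/a/draft.docx -> C:/Users/a/final.docx
2021-11-03T10:30:00 WS07 CREATE C:/Users/a/notes.txt
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+)$")  # paths carry no spaces
WINDOW = timedelta(seconds=60)  # burst window and threshold are assumed tuning values
THRESHOLD = 5                   # renames to one new extension within WINDOW

def ext(path): return os.path.splitext(path)[1].lower()

def detect_encryption_bursts(events_text):
    """Flag hosts where >= THRESHOLD files gain the same new extension within
    WINDOW (Pysa appends '.pysa'); a .txt created in that window is a likely note."""
    renames = defaultdict(list)  # (host, appended extension) -> timestamps
    notes = defaultdict(list)    # host -> timestamps of .txt file creation
    for line in events_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        ts, host, action, rest = m.groups()
        ts = datetime.fromisoformat(ts)
        if action == "RENAME" and " -> " in rest:
            old, new = rest.split(" -> ", 1)
            # Count only renames that append a new extension to the old name
            if new.startswith(old) and ext(new) != ext(old):
                renames[(host, ext(new))].append(ts)
        elif action == "CREATE" and ext(rest) == ".txt":
            notes[host].append(ts)
    findings = []
    for (host, new_ext), times in renames.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= WINDOW]
            if len(burst) >= THRESHOLD:
                note = any(start <= t <= start + WINDOW for t in notes[host])
                findings.append({"host": host, "extension": new_ext,
                                 "count": len(burst), "ransom_note": note})
                break  # one finding per host/extension is enough
    return findings
```

The ordinary rename on WS07 and its lone .txt file produce no finding, while FS01 is reported with the ".pysa" burst and the note; in practice the same logic runs over real file-server audit logs with thresholds tuned to the share's normal activity.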
4. Hive
The Hive extortion software was first discovered in June 2021 and has spread rapidly since then. In the past, its developers have repeatedly targeted hospitals and paralyzed medical care. In doing so, they not only encrypted mission-critical data, but also threatened to publish patient information. Furthermore, the hacker group published the names of victims who had not complied with the ransom demand. The Hive operators typically gain access to the network via infected file attachments in phishing emails and then use the Remote Desktop Protocol to move laterally within the network.
Update as of 27 January 2023: Hive hacker network busted
In January 2023, German investigators in cooperation with Europol, the FBI and other US authorities succeeded in striking a blow against the hacker group "Hive": cyber specialists were able to penetrate the perpetrators' criminal IT infrastructure, seize a large number of servers and secure data and accounts of the network and its users. The hackers' website on the darknet is now offline.
"Hive" is said to have been responsible for more than 1500 cyber attacks against companies and organizations worldwide in recent years - more than 70 in Germany alone. The victims were mainly hospitals, educational institutions, financial companies and companies from the critical infrastructure sector.
This is why small and medium-sized enterprises are particularly at risk
The widespread assumption that ransomware attacks primarily affect large corporations no longer corresponds to reality. While large companies are particularly lucrative targets, they are by no means the most promising ones. For example, a recent study by cybersecurity service provider Cynet shows that small and medium-sized companies are particularly at risk due to a lack of human and financial resources.
Of 200 CISOs of small and medium-sized companies surveyed, 58 percent said they faced a higher risk of attack than large companies. The reason cited by 40 percent of the study participants was the lack of qualified personnel. A further 37 percent each named largely manual analysis and the growth in remote workstations as reasons for inadequate IT security in their company.
In addition, small IT security teams often lack expertise, time and the right tools to defend against successful ransomware attacks. Since they usually only have a small budget at their disposal, they shy away from the high acquisition and maintenance costs for SIEM solutions. Hackers are also aware of this and effectively exploit the security gaps in SME networks for their own purposes.
How even small companies can protect themselves effectively
So what to do when your own options for operating functioning IT security solutions are limited? It's simple: the vast majority of SMBs rely on outsourcing. Instead of managing prevention and early attack detection with their own SOC team, 90 percent of companies surveyed by Cynet outsource threat hunting to an external "managed detection and response" (MDR) service provider.
Allgeier secion offers such a reliable MDR service at a fixed price with its Active Cyber Defense Service (ACD). Based on threat-hunting and incident-response mechanisms, the solution proactively scans your network 24/7 for conspicuous activity and immediately makes a compromise visible. With Active Cyber Defense, attackers are exposed early on instead of getting the chance to move around your systems unnoticed for months. Ransomware attacks are averted and data encryption is prevented.
Successful ransomware cyberattacks today pose an equally significant threat to businesses and organizations of all industries and sizes. Even though the four most commonly used types of malware (LockBit 2.0, Conti, Pysa, and Hive) are known by name, most small and mid-sized businesses will continue to have great difficulty standing up to the increased threat of attacks on their own. This is because acquiring SIEM solutions (as a way to detect attacks) and building internal, in-house SOC teams are difficult to implement on small budgets.
To ensure that SMBs nevertheless do not have to do without effective protection, Allgeier secion's 24/7 Active Cyber Defense service (ACD) has proven itself as a lean managed detection and response (MDR) solution. With relevant features from threat-hunting technology, it differs significantly from other incident detection and response solutions for early attack detection.
The solution can be booked on a monthly basis as a managed service and offers the following advantages, among others:
- ACD involves monitoring all systems on a network, such as desktops, laptops, cell phones, tablets, servers, network devices, printers, IoT, ICS, BYOD.
- By detecting conspicuous communication behavior, ACD identifies compromised systems. This allows them to be isolated in a targeted manner and cleaned up quickly.
- There is no need to install agents on clients to use it - ACD checks at network level whether systems are communicating with command & control servers, for example, and are therefore compromised.
- Optimal preparation for emergencies with the help of our IR Readiness Program: The comprehensive Incident Response Readiness Strategy includes detailed guidelines and processes for the appropriate handling of security incidents. We help you provide the necessary tools and recommended actions.