URL: https://therecord.media/ransomware-targeting-small-business-individuals-remains-robust

Image: Dan Burton via Unsplash/Photomosh
Jonathan Greig, August 24th, 2023
 * Cybercrime
 * News


RANSOMWARE ECOSYSTEM TARGETING INDIVIDUALS, SMALL FIRMS REMAINS ROBUST

Ransomware attacks on major companies and large government organizations have
dominated the headlines in 2023 but researchers from several companies are
warning that smaller-scale attacks on individuals and small businesses are
causing significant harm and damage too.

Researchers at Netenrich examined the Adhubllka ransomware, which has targeted
regular people and small businesses with ransoms ranging from $800 to $1,600
since at least January 2020.

Rakesh Krishnan, senior threat analyst at Netenrich, said it is common for
ransomware gangs to eschew larger targets in favor of victims they know will not
have the technical know-how to deal with an incident.

Many gangs crib their ransomware from leaked versions of established brands like
Conti or LockBit, Krishnan explained.

“They might not have the bandwidth to develop something from scratch. Another
possibility is: They might have a simple ransomware which can be decoded by
researchers and those who could obtain decryption keys for free,” he said.

“So it would be their aim to keep their project under the hoods so that no one
picks it up. Hence, a small amount is being ransomed as compared to the big
fishes in this industry.”

In a report last month, Chainalysis noted this trend, highlighting that while
media attention and focus is on the gangs demanding millions from large
companies, there was also a significant growth in activity from groups like
Dharma, Phobos and Stop/Djvu that demanded ransoms under $1,700.

Dharma and Phobos are ransomware-as-a-service strains that are “typically used
in spray and pray attacks against smaller targets and can be deployed by
relatively unsophisticated actors,” Chainalysis explained.

Allan Liska, senior security architect at cybersecurity firm Recorded Future,
noted that strains of this kind made up almost all ransomware before 2017 and
that they remain the most widely deployed type of ransomware today, despite the
shift in media and researcher coverage toward large-scale extortion gangs.

“I think most people don’t realize this, but for the last 4 years the most
popularly deployed ransomware, and it is not even close, have been variants of
STOP/DJVU. The second most popular have been variants of Phobos ransomware. Both
STOP and Phobos are single machine ransomware that encrypt and extort,” he said.

(The Record is an editorially independent unit of Recorded Future.)

“There isn’t (usually) data theft involved in these attacks, and there is
definitely no double extortion. We tend to see these hitting individual users or
small businesses that don’t have the resources for any sort of security
measures. We often see them disguised as popular software downloads or delivered
through mass phishing campaigns.”


ADHUBLLKA ORIGINS

The Netenrich report focuses on a ransomware strain the company observed in the
wild this month. They were able to trace the ransomware back to Adhubllka,
noting that it is increasingly common for groups to tweak ransomware codebases
to create their own version with new encryption schemes and ransom notes.

The researchers also found ties to CryptoLocker, a ransomware that has been
around since 2016.

Krishnan looked at the negotiation tactics and other clues that revealed a web
of strains that all descended from Adhubllka. Many of the ransom notes were
identical and took victims to similar interfaces where they could communicate
with the hackers. Similar email addresses were used by those operating a range
of different strains, indicating ties between them all.

He said Adhubllka was an “anchor point” because of “the large number of
reports covering the same email address pr0t3eam@protonmail.com, which belongs
to the ransomware group.”

The researchers noted that they also saw Adhubllka used in attacks on businesses
in Australia throughout 2020.

Krishnan warned that it may continue to get more difficult for researchers and
experts to identify ransomware gangs and strains as groups crib from each other
and amend leaked versions of ransomware.

But researchers may still be able to trace ransomware gangs through their
communication channels and other operational constants, as he did with
Adhubllka.

“In the future, this ransomware may be rebranded with other names; or other
groups may use it to launch their own ransomware campaigns,” he said. “However,
as long as the threat actor does not change their mode of communication, we will
be able to trace all such cases back to the ADHUBLLKA family.”
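The pivot Krishnan describes, linking rebranded strains through the contact channels left in their ransom notes, is easy to mechanise. The script below is an added example written for this page, not code from Netenrich or The Record. All of the ransom notes and strain names in it are constructed for illustration; the only real indicator is the pr0t3eam@protonmail.com address the article names, and the other addresses sit on reserved example domains. It extracts e-mail addresses and .onion hostnames from each note and groups strains into connected components with a union-find structure, so two strains that never share an address directly still land in the same cluster when a third strain bridges them.

```python
"""
Added example (not part of the original article): cluster ransomware strains
by the contact channels embedded in their ransom notes. Any two strains that
share an e-mail address or .onion panel end up in the same cluster, and the
relation is transitive, so a chain A-B-C collapses into one family.

All notes and strain names below are constructed for this example. Only
pr0t3eam@protonmail.com is the address the article names; the rest are
placeholders on reserved example domains.
"""
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# v2 (16 chars) and v3 (56 chars) onion hostnames are base32: a-z and 2-7.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")

# Constructed ransom notes keyed by the name each strain was observed under.
NOTES = {
    "Adhubllka": "ALL YOUR FILES HAVE BEEN ENCRYPTED!\n"
                 "Write to pr0t3eam@protonmail.com with your ID to get the price.\n",
    "StrainA": "Your network has been locked.\n"
               "Contact: pr0t3eam@protonmail.com or backup restore-help@example.net\n",
    "StrainB": "Files encrypted. Email restore-help@example.net\n"
               "Panel: abcdefghijklmnop.onion\n",
    "StrainC": "We have your data. Visit abcdefghijklmnop.onion\n",
    "Unrelated": "Pay 0.05 BTC. Contact support@example.org\n",
}


def extract_channels(note):
    """Return the set of lower-cased contact channels found in one note."""
    channels = {m.lower() for m in EMAIL_RE.findall(note)}
    channels |= {m.lower() for m in ONION_RE.findall(note)}
    return channels


class UnionFind:
    """Minimal disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def channel_index(notes):
    """Map every contact channel to the sorted list of strains that use it."""
    index = defaultdict(set)
    for strain, note in notes.items():
        for ch in extract_channels(note):
            index[ch].add(strain)
    return {ch: sorted(strains) for ch, strains in index.items()}


def cluster_by_channels(notes):
    """Group strains that share at least one channel, directly or through
    another strain. Returns a sorted list of sorted strain-name lists."""
    uf = UnionFind()
    for strain in notes:
        uf.add(strain)
    for strains in channel_index(notes).values():
        first = strains[0]
        for other in strains[1:]:
            uf.union(first, other)
    groups = defaultdict(list)
    for strain in notes:
        groups[uf.find(strain)].append(strain)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for ch, strains in sorted(channel_index(NOTES).items()):
        print(f"{ch:32} -> {', '.join(strains)}")
    for cluster in cluster_by_channels(NOTES):
        print("cluster:", ", ".join(cluster))
```

On the constructed notes, Adhubllka, StrainA, StrainB and StrainC collapse into one family even though Adhubllka and StrainC share no indicator directly, while the strain using only support@example.org stays on its own. In practice the same index is worth extending with Tox IDs, Telegram handles and the per-victim portal URLs the notes link to, since, as the article notes, the codebase and the note text get rebranded far more often than the channel the operator answers on.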

Tags
 * business
 * Ransomware
 * security research
 * SMB


JONATHAN GREIG



Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has
worked across the globe as a journalist since 2014. Before moving back to New
York City, he worked for news outlets in South Africa, Jordan and Cambodia. He
previously covered cybersecurity at ZDNet and TechRepublic.

© Copyright 2023 | The Record from Recorded Future News