Russian orgs heavily targeted by smaller tier ransomware gangs – BleepingComputer

Even though American and European companies enjoy the lion’s share of ransomware attacks launched from Russian ground, companies in the country aren’t spared from having to deal with file encryption and double-extortion troubles of their own.

The actors who trouble Russian and CIS-based companies in general though, aren’t REvil, LockBit, DarkSide, and any of the more notorious groups that launch high-profile attacks on critical infrastructure targets.

As Kaspersky explains in a detailed roundup on cyberattacks in the first half of 2021, the CIS (Commonwealth of Independent States) is also the target of a vivid cyber-criminal ecosystem targeting Russian firms every month, and most of them go unreported.

Number of monthly ransomware attacks against CIS targets. – Kaspersky

The groups that comprise this largely ignored subcategory of ransomware actors are typically less sophisticated, predominately use older strains or leaked malware,and establish intrusion on their own instead of buying access to the targets. 

The most notable the ransomware families that were deployed this year against Russian targets are the following: 

  • BigBobRoss
  • Crysis/Dharma
  • Phobos/Eking
  • Cryakl/CryLock
  • CryptConsole
  • Fonix/XINOF
  • Limbozar/VoidCrypt
  • Thanos/Hakbit
  • XMRLocker 

Those that stand out as the historically most successful strains are Dharma and Phobos. 

Dharma first appeared in the wild five years ago under the name Crysis, and despite its age, it still features one of the strongest and most reliable encryption schemes. Dharma actors typically gain unauthorized RDP access after brute-forcing credentials and deploy the malware manually. 

Phobos came out in 2017 and reached its culmination point in early 2020. In this case too, the main entry point for the actors is unauthorized RDP access. It’s a C/C++ malware that has contextual technical similarities to the Dharma strain, but no underlying relation. 

Another noteworthy example is CryLock, a veteran of a strain that has been circulating since 2014. The samples that Kaspersky analyzed this year are modern versions that were entirely rewritten from scratch in Delphi. 

The cases of opportunistic attacks using leaked ransomware strains concern mainly Fonix, which wrapped up its RaaS program in January this year. The others are still operational, but are all considered lower-tier operations in the cybercrime world. 

A Fonix ransomware notice – Kaspersky

Although these RaaS programs come and go, they’re not without firepower. Kaspersky warns that some of these strains are still developing, with authors working on making their strains more potent, so none should be ignored.

Russian companies can prevent many of these threats by simply blocking RDP access, using strong passwords for domain accounts that are changed regularly, and accessing corporate networks through VPN.