Ransomware attacks became more sophisticated in the second half of 2020 – F-Secure report

On April 9, F-Secure released a report summarizing security trends in the second half of 2020 (July to December). It says that ransomware attacks combining data theft with extortion have become more sophisticated.

Calvin Gan, Senior Manager, F-Secure Tactical Defense Unit

According to Calvin Gan, Senior Manager of the Tactical Defense Unit, Ransomware as a Service, an online criminal service that provides the mechanism for executing ransomware attacks, emerged in the first half of 2020 (January to June), and its offerings became more sophisticated in the second half of the year. “The tactics of using ransomware have changed, and there is a growing tendency to target large organizations that are capable of paying large sums of money, threatening not only to encrypt confidential information but also to steal and disclose it, and demanding money. In this case, the target organization’s choice would be to pay the money or to have the fact that it is facing a ransomware attack disclosed,” Gan said.

Sophistication of ransomware attacks (from the F-Secure report)

Gan explains that there are several steps before an attacker can use ransomware to extort a targeted organization. The attacker first approaches the target organization by email, then intrudes into the organization’s systems via that email and sends malware (information-stealing malware) to map the IT environment and locate or steal confidential information. The attacker then demands payment by encrypting the stolen confidential information or threatening to “disclose” it.

According to the company’s observations, email was the delivery method for 51% of information-stealing malware. In a further 35% of cases, e-mail was used to trick users into installing the information-stealing malware themselves. According to Gan, attackers devise ways to evade the malware detection of security products at this stage. 32% of the attachments in malware-delivering emails were PDF files: a link is embedded in the PDF, and the malware is downloaded and installed when the email recipient opens the file and clicks the link. Most of the malware delivered this way is of the information-stealing type or the remote-control type (RAT, remote access tool), at 33% and 32% respectively.

Besides email, phishing and the exploitation of software vulnerabilities are also widely used. In 2020, because of the COVID-19 pandemic, many companies introduced remote work on a large scale as an infection countermeasure, and there was a marked shift to cloud applications. Attackers took advantage of this trend, and phishing through spoofed sites imitating services such as Microsoft 365, Outlook, Teams, and Zoom to steal user credentials was rampant. 73% of the fake sites abused hosting services, the report says, “because they can be used free of charge or cheaply, so attackers can build innumerable fake sites and immediately continue the attack from another site even if one is taken down.”
Vulnerability exploitation takes advantage of organizational deficiencies, such as systems left unpatched for several years after the vulnerability information was released. Also conspicuous are attempts to intrude into organizations in various sectors by exploiting vulnerabilities in the tools they install. The latter is also called a “supply chain attack,” and attackers target the vendors who develop and provide such tools as the first entry point. In addition, Gan pointed out that there has been a growing tendency in recent years to target open source software (OSS) vulnerabilities. “In 2021, there are more and more ways of breaking into OSS repositories, making minor modifications that are difficult for the community and users to notice, and setting up backdoor functions.”

Cyber attacks targeting organizations are thus varied, and it is common for a number of techniques to be combined and executed step by step. Gan advises organizations to prepare a response plan that assumes an incident caused by a cyber attack will occur, to confirm the status of their security measures, including those of related parties such as business partners, outsourced companies, and the vendors of installed tools, and to put these efforts into practice.