A study by ProofPoint has reported that ransomware attackers are using COVID-19 themed messages and native languages to lure victims
Cybersecurity firm ProofPoint has released a report revealing an increase over the past few months in email-based phishing attacks meant to extract ransom.
The firm has identified that first-stage deployments of ransomware have been on the rise since many companies across the world shifted to work-from-home models amid the coronavirus pandemic. Countries such as the US, France, Germany, Greece and Italy have largely been the target of these cyber-attacks, according to the report.
Mr. Robot, Avaddon, Philadelphia and Buran are among the noteworthy ransomware ‘families’ that have targeted victims in the recent ransomware spike. The daily volumes of messages per campaign ranged from one to as many as 350,000, with over a million ransomware messages sent in six days in a campaign featuring Avaddon.
Each of these campaigns uses ransomware to encrypt the victim’s files and data to extract a ransom. Sectors such as education and manufacturing, followed by transportation, entertainment, technology, healthcare and telecommunication were identified as prime targets. Research has further indicated that ransom demands have been very low compared to the past, with attackers mostly demanding payment in cryptocurrency.
“A small increase in the amount of ransomware sent as a first stage payload via email campaigns may herald the return of large ransomware campaigns we saw in 2018,” the report hinted. Attackers have been capitalising on the influx of people into the digital space due to the pandemic and have also targeted victims with COVID-19-based ransomware messages. They have also used native languages and messages with various customised themes to lure victims, the report explained.
“This recent emergence of ransomware as an initial payload is unexpected after such a long, relatively quiet period. The change in tactics could be an indicator that threat actors are returning to ransomware and using it with new lures,” the report said.
Avaddon uses opening messages such as “Do you know him?” and “Our old picture” to lure victims and later demands an $800 payment in bitcoin via TOR. The attackers have also set up a 24/7 helpline to help victims pay the ransom and recover their files.
“Various actors trying ransomware payloads as the first stage in email has not been seen in significant volumes since 2018. While these volumes are still comparatively small, this change is noteworthy,” the report cautioned. “The full significance of this shift isn’t yet clear, what is clear is that the threat landscape is changing rapidly, and defenders should continue to expect the unexpected,” it added.