There was a re-emergence of two highly active ransomware groups, REvil and JSWorm, in Asia Pacific (APAC) last year, with 2020 being dubbed the year of ‘ransomware 2.0’ in the region by cyber security firm Kaspersky.
‘Ransomware 2.0’, according to Kaspersky, refers to cyber crime groups that have moved on from simply holding data hostage to exfiltrating it and using it for blackmail. It is almost always ‘targeted ransomware’, the company said.
The aftermath of a successful ‘ransomware 2.0’ attack includes significant financial loss and damaging reputational harm.
“In APAC, we noticed an interesting re-emergence of two highly active groups, REvil and JSWorm. Both resurfaced as the pandemic raged in the region last year and we see no signs of them stopping anytime soon,” Alexey Shulmin, lead malware analyst at Kaspersky, said.
Kaspersky first wrote about REvil ransomware in July 2019. Also known as Sodinokibi and Sodin, the group initially spread through an Oracle WebLogic vulnerability and carried out attacks on managed service providers (MSPs).
According to Kaspersky, REvil’s activity peaked in August 2019, after which the cyber security vendor’s telemetry recorded fewer detections until July 2020.
However, after targeting only 44 Kaspersky users globally in June 2020, the ransomware group accelerated its attacks. Kaspersky said its software protected 877 users in July from the rising threat, a 1,893 per cent increase in the span of just one month.
In addition, expert monitoring also showed how the group has actively extended its reach from the APAC region to the rest of the world, although APAC remained one of REvil’s top targets.
“Back in 2019, most of their victims were only from APAC -- particularly in Taiwan, Hong Kong, and South Korea. But last year, Kaspersky has detected their presence in almost all countries and territories,” Shulmin said. “It is safe to say that during their ‘silent months’, REvil creators took their time to improve their arsenal, their method of targeting victims, and their network’s reach.”
Of the 1,764 Kaspersky users targeted by the group in 2020, 36 per cent were in the APAC region. However, Brazil logged the greatest number of users almost infected with this threat, followed by Vietnam, South Africa, China and India.
JSWorm, like REvil, also entered the ransomware landscape in 2019, Kaspersky said. During its first months on the scene, it was detected across the globe, including North and South America, the Middle East and Africa, Europe and in APAC, specifically Vietnam.
While the number of JSWorm victims is relatively low compared to REvil’s, this ransomware family is also gaining ground.
Experts from Kaspersky have noticed a shift in the group’s attention towards the APAC region. China emerged as the country with the greatest number of Kaspersky Security Network users almost infected by JSWorm globally, followed by the USA, Vietnam, Mexico and Russia.
More than one-third (39 per cent) of all the enterprises and individuals this group targeted last year were also located in APAC.
Kaspersky claimed its solutions have blocked attempts against 230 users globally, representing a 752 per cent increase compared with 2019’s 27 users that were almost infected with this type of threat. The latest data from Kaspersky comes just weeks after a ransomware attack hit the Thai operations of a subsidiary of French insurance giant Axa Group, Inter Partners Assistance (IPA), with some data accessed.
“A vendor of KT Axa and Axa GI, Inter Partners Assistance, was recently targeted by a ransomware hacker,” a spokesperson for Axa Asia told Channel Asia earlier this month. “As a result, certain data processed by IPA in Thailand has been accessed. At present, there is no evidence that any further data was accessed beyond IPA in Thailand.
“A dedicated taskforce, with external forensic experts, is investigating the incident. Since the incident, systems have been restored and regulators and business partners have been informed.
“Axa takes data privacy very seriously and if IPA’s investigations confirm that sensitive data of any individuals have been affected, the necessary steps will be taken to notify and support all corporate clients and individuals impacted,” the spokesperson said.