In May 2022, the newly active ransomware families worldwide were 7Locker, EAF, QuickBubck, PSRansom, Cheers, RansomHouse, Mindware and others; of these, Cheers, RansomHouse and Mindware all operate a double ransom model (data theft combined with encryption).
This report is based on the analysis of 360 anti-ransomware data and is released by the 360 Government and Enterprise Security Group Advanced Threat Research and Analysis Center (a member of the CCTGA Ransomware Prevention and Response Working Group).
According to this month's ransomware victim feedback statistics, the Magniber family ranked first with 46.17%, followed by TargetCompany (Mallox) with 15.52% and the Phobos family with 10.15% in third place.
This month a large number of users were hit by the Magniber ransomware, which they downloaded, knowingly or not, as a supposed Win10/Win11 patch or upgrade while browsing websites; for the first time, a single family accounted for nearly 50% of infections.
The top three operating systems used by this month's victims were Windows 10, Windows Server 2008, and Windows 7.
The breakdown of desktop versus server systems infected in May 2022 shows that the Magniber campaign targeted Windows 10 and Windows 11, which raised the share of desktop PCs among infected systems.
At the end of April this year, the Magniber ransomware spread widely disguised as a Windows 10 upgrade patch package, and 360 Security Brain issued a warning about it.
In early May, 360 Security Brain again observed the family launching new attacks on Windows 11 systems, and the names of the packages it mainly spreads under have been updated, for example:
win10-11_system_upgrade_software.msi
covid.warning. readme.xxxxxxxxxx.msi
It is still spreading through various forums, cracked software sites, fake pornographic sites and the like. When users visit these sites, they are lured to a third-party website to download the ransomware disguised as a patch or update; some sites also trigger the download automatically.
Below is a graphical representation of the recent spread of the virus targeting Windows 11:
After encryption, the file extension is changed to a random suffix, and each victim is given a separate payment page; if the ransom is not paid within the specified time, the link expires. A victim who pays within 5 days pays only 0.09 Bitcoin (roughly $17,908 at the time of writing); after 5 days the ransom is doubled.
This month, 360 Security Brain detected multiple Mallox ransomware attacks. The virus mainly targets enterprise web applications such as Spring Boot, WebLogic and Tongda OA. After gaining control of a target device it also tries to move laterally within the intranet to obtain access to more devices, so the damage can be very severe. 360 reminds users to strengthen their protection and recommends applying the security patches provided by 360 endpoint security products and using them to detect and remove the virus.
360 Security Brain monitoring history shows that Mallox (also known as TargetCompany) entered China in October 2021. In its early days it spread mainly through the SQLGlobeImposter channel (obtaining database passwords and then remotely delivering the ransomware), a channel that the GlobeImposter ransomware used for a long time. This year GlobeImposter has been declining, and Mallox has gradually taken over the channel.
Beyond the distribution channels, 360 analyzed the recent attacks and found that the attackers implant a large number of WebShells into web applications, with file names that contain the characteristic string "kk". Once a target device has been compromised, the attacker tries to drop PowerCat, lcx, AnyDesk and other hacking tools to take control of the machine, creates an account, and attempts to log in to the machine remotely. The attacker also uses the fscan tool to scan the intranet the device sits on and tries to attack other machines there. After gaining access to as many devices as possible, the attacker starts deploying the ransomware.
Recently, 360 Security Brain detected a new ransomware, 7Locker, which is written in Java and spreads through OA system vulnerabilities. It essentially uses the 7z compression tool to compress files with a password; after being encrypted and compressed, the files receive the new extension .7z. Each victim can view the specific ransom demand and the designated payment address through a unique Client Key.
Based on the information currently available, it is speculated that this family's distribution events are most likely ransom attacks launched by hackers in Taiwan, China, against mainland China.
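The Mallox intrusion indicators described above (WebShell file names containing "kk" inside web application directories, and the PowerCat, lcx, AnyDesk and fscan tools) can be turned into a simple triage check. The following Python is an added example, not code from the 360 report; the web root directories, the script extensions, and the file and process listings are constructed assumptions.

```python
from pathlib import PurePosixPath

# Constructed sample file listing for illustration only (not real data).
SAMPLE_FILES = [
    "/var/www/app/upload/kk.jsp",
    "/var/www/app/static/logo.png",
    "/opt/tomcat/webapps/ROOT/kk1.jsp",
    "/var/www/app/index.html",
    "/home/admin/kkeeper.txt",  # "kk" outside a web root and not a script
]

# Constructed sample process list (name, command line) for illustration only.
SAMPLE_PROCS = [
    ("java", "/opt/java/bin/java -jar app.jar"),
    ("fscan", "./fscan -h 10.0.0.0/24"),
    ("powershell.exe", "powershell -ep bypass -File powercat.ps1"),
    ("AnyDesk.exe", "C:\\Users\\Public\\AnyDesk.exe"),
]

# Assumed web roots and server-side script extensions; adjust to your estate.
WEB_ROOTS = ("/var/www", "/opt/tomcat/webapps", "/inetpub/wwwroot")
SCRIPT_EXT = {".jsp", ".jspx", ".php", ".asp", ".aspx"}
# Tool names taken from the report's description of the Mallox intrusions.
TOOL_NAMES = {"fscan", "powercat", "lcx", "anydesk"}


def suspicious_webshell_paths(paths):
    """Return server-side script files under a web root whose name contains 'kk'."""
    hits = []
    for p in paths:
        path = PurePosixPath(p)
        if not p.startswith(WEB_ROOTS):
            continue
        if path.suffix.lower() not in SCRIPT_EXT:
            continue
        if "kk" in path.stem.lower():
            hits.append(p)
    return hits


def suspicious_tool_processes(procs):
    """Return process names whose image or command line matches a known tool."""
    hits = []
    for name, cmdline in procs:
        base = name.lower().rsplit(".", 1)[0]  # "AnyDesk.exe" -> "anydesk"
        text = cmdline.lower()
        # Substring matching on the command line is deliberately loose
        # (PowerCat runs as a .ps1 under powershell); review hits manually.
        if base in TOOL_NAMES or any(t in text for t in TOOL_NAMES):
            hits.append(name)
    return hits
```

The "kk" match is a weak indicator on its own; treat hits as leads to review, together with account creation and remote logon events on the same host.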
On Sunday, May 8, newly elected Costa Rican President Hugo Chavez declared a state of emergency in the country on the grounds that multiple government agencies were under attack by the Conti ransomware.
Conti first claimed to have attacked the Costa Rican government last month. The country's public health agency, the Costa Rican Social Security Fund (CCSS), had earlier said that it was "conducting a perimeter security review of the Conti ransomware in order to validate and prevent the possibility that it could launch another attack."
Currently, Conti has released about 672 GB of data, which appears to contain data belonging to Costa Rican government agencies.
Here are the hacker email messages collected this month:
Currently, a growing number of ransomware families profit from a double or multiple ransom model, and the risk of data breaches caused by ransomware is increasing. Below is the percentage of ransomware families that profited from data breaches this month; this data covers only victims who did not or refused to pay the ransom in the first place (companies or individuals who have already paid may not appear in this list).
Below are the businesses and individuals hit by double ransom families this month. Businesses and individuals who are not aware that they are at risk of a data breach are also encouraged to check themselves as soon as possible, assume their data may have been compromised, and take remedial action.
In total, 220 organizations/enterprises suffered double or multiple ransom attacks this month, including 10 organizations/enterprises in China (5 of them in Taiwan Province of China).
Table 2. Victimized Organizations/Enterprises
Among the attacked system versions this month, the top three were Windows Server 2008, Windows 7, and Windows Server 2003, in that order.
The statistics on the geographic regions of attacked systems in May 2022 show that, compared with the data collected in previous months, the regional rankings and percentages have not changed much. Regions with developed digital economies remain the main target of attacks.
Looking at weak-password attack trends in May 2022, RDP and MySQL weak-password attacks showed no major fluctuations, while MSSQL weak-password attacks fluctuated but remained within the normal range and on an upward trend.
The following are the active ransomware keywords on the list this month, with data from the 360 ransomware search engine.
Looking at Decryption Master's decryption data for this month, the highest volume of decryptions was for GandCrab, followed by Coffee. The largest number of users using Decryption Master to decrypt files had devices encrypted by the Crysis family, followed by the CryptoJoker family.