Ransomware by the numbers – This Week in Ransomware for the week ending Sunday, July 24, 2022 | IT World Canada News

2022-07-30 08:52:02 By : Mr. lou chunhui

Ransomware was identified as the number one threat that businesses are now facing, according to respondents in a recent report from Palo Alto Networks Unit 42. The report notes:

“84 per cent of IT teams saw ransomware as representing a significant or very significant risk. Other threats posed included: unpatched vulnerabilities and firmware attacks on laptops (83 per cent), data leakage (82 per cent), account/device takeover (81 per cent), targeted attacks and man-in-the-middle attacks (79 per cent), IoT threats (77 per cent), and printer firmware attacks (76 per cent).”

The report notes three trends in ransomware:

The full report can be downloaded at this link (registration required).

If an engaged and educated user population is one of the greatest defences against ransomware, the statistics from a report from HP Wolf Security paint a dismal picture. The stats are organized into three categories – apathy, frustration, and circumvention.

One statistic alone should set off alarm bells. One third of those surveyed admitted to attempts to circumvent security. That is, however, only one of many alarming numbers in the report:

We know that most cybersecurity breaches require an action, an omission or a mistake on the part of an employee. That has led to much greater emphasis on employee training. Unfortunately, despite all of those efforts, little progress appears to have been made. According to these results, employees view cybersecurity as an impediment and not a protection for their business.

The number of new ransomware variants is growing at an alarming rate. Last week we discussed new variants, including Lilith and omega, as well as some “upgrades” to existing variants. This week, two new major ransomware threats were identified.

One, called Luna, is part of a new trend of ransomware that can encrypt devices running several operating systems – Windows, Linux and ESXi systems.

Discovered by Kaspersky security researchers via a dark web ransomware forum ad spotted by the company’s Darknet Threat Intelligence active monitoring system, Luna ransomware appears to be specifically tailored to be used only by Russian-speaking threat actors. That, and the name “Luna” which is Russian for “moon”, makes it likely that this has been developed and spread from Russia.

While the researchers noted that this variant appears to be still “under development”, with what they termed “limited capabilities”, the cross-platform nature of this ransomware presents a new type of threat.

The group developed their software in Rust, which allows it to be ported to multiple platforms with very little change to the source code. The researchers noted that “both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version. The rest of the code has no significant changes from the Windows version.”

Using a cross-platform language not only makes the ransomware easier to spread across operating systems, but may also help it evade automated static code analysis.

Kaspersky says there is very little data on what victims, if any, have been encrypted using Luna ransomware, given that the group has just been discovered and its activity is still being monitored.

The Hacker News published a piece on a North Korean group that has been linked to ransomware attacks targeting small businesses since September 2021.

The group calls itself H0lyGh0st after the ransomware of the same name. It was identified by the Microsoft Threat Intelligence Center and classified as DEV-0530 under new and developing threats. It primarily targets small-to-midsize businesses including manufacturing, banks and financial organizations, schools, and even other segments like event and meeting planning companies.

The group reportedly not only encrypts data, but also threatens companies with the release of their data on social media.

Holy Ghost is looking for amounts between 1.2 and 5 bitcoins, placing the average ransom somewhere between US$30,000 and US$50,000. It’s an amount that would be possible for a small business to pay. Whether this pricing strategy will work is an open question, as researchers couldn’t identify any payments made to the organization’s cryptocurrency wallet.

Their dark web portal mirrors messaging from an earlier ransomware called Goodwill, in that it claims its aim is to “close the gap between the rich and poor” and “help the poor and starving people.”

The group is active and growing, and researchers have identified four variants of the H0lyGh0st ransomware.
