Targeted ransomware doubled in 2022, new techniques and groups emerge
During the first ten months of 2022, the proportion of users attacked by targeted ransomware has almost doubled compared to the same period of 2021. Such a striking growth indicates that ransomware gangs have continued mastering their techniques – the infamous ones as well as those just entering the scene. Following the developments in the ransomware world, the last crimeware report of 2022 by Kaspersky uncovers new features introduced by the notorious LockBit group, and a newcomer, Play that employs of self-propagation techniques.
According to Kaspersky security solutions, the share of users affected by targeted ransomware attacks, accounted for 0.026% of all users attacked by malware in 2022 – versus 0.016% in 2021. These figures show that cybercriminals are steadily shifting from opportunistic assaults to precisely tailored ransomware attacks to accomplish their goals.
As recent investigations by Kaspersky show, ransomware groups continue to improve their techniques. One of them, Lockbit, remains one of the most popular, innovative and rapidly developing ransomware variants that are currently used. And this group can still ambush cybersecurity specialists by adding new options – and the practice of credential dumping. This technique means that the actor can take over the infected machine’s domain and create a named pipe to reset the operating system’s credentials.
Still, there are new ransomware variants that continue to emerge. In the course of 2022, Kaspersky has detected over 21 400 ransomware strains.
Kaspersky’s most recent discovery is Play, a new highly obfuscated ransomware variant that makes analysis more difficult. Itscode bears no resemblance to other ransomware samples – but luckily Play is in early stages of development. When the investigation was conducted, thelocation of the leak could not be detected and victims were required to contact the criminals via an email address left in the ransom note. What captivated researchers’ attention was that Play contains a functionality that was recently found in other advanced ransomware variants: self-propagation. First, the attackers find a server message block (SMB) and establish a connection. Next, Play tries to mount the SMB mentioned above and distribute and execute ransomware in the remote system.
“Ransomware developers keep a close eye on the work of competitors. If one successfully implements a certain functionality, there is a big chance that others will do as well. This makes their ransomware more interesting to their affiliates. The self-propagation of ransomware is a clear example of this. More and more ransomware groups take on inventive techniques that make ransomware attacks even more targeted and destructive – and this year’s statistics do prove it. Another thing we'll never stop reminding the public of, is the need to make regular backups and store them offline,” comments Jornt van der Wiel, a security expert at Kaspersky.
Learn more about the Kaspersky’s latest crimeware report on Securelist.
To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:
- Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
- Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals' connections.
- Back up data regularly. Make sure you can quickly access it in an emergency when needed.
- Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response service which help to identify and stop the attack on early stages, before attackers reach their final goals.
- Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.
Targeted ransomware doubled in 2022, new techniques and groups emerge
Kaspersky
Related Articles Press Releases
Companies state it takes more than 6 months to fill cybersecurity positions
The latest Kaspersky survey found that 48% of companies require over half a year to find a qualified cybersecurity professional. A lack of proven experience was cited as one of the biggest challenges, along with the high cost of hiring and global competition in talent acquisition.Read More >More than half of companies use AI and IoT in their business processes
A recent Kaspersky study has revealed that more than 50% of companies have implemented Artificial Intelligence (AI) and Internet of Things (IoT) in their infrastructures. Additionally, 33% are planning to adopt these interconnected technologies within two years. Business owners must ensure they have the right caliber of cybersecurity solutions to secure them, experts recommend.Read More >Kaspersky: more than 36 million AI & gaming credentials compromised by infostealers in 3 years
Staggering amounts of stolen login credentials were discovered by Kaspersky Digital Footprint Intelligence experts as they conducted an analysis in light of the Mobile World Congress 2024.Read More >
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.