Study: hackers are increasingly renting Trojans for rent

The geography of cyber attacks in the II quarter of 2017

Experts at Positive Technologies note that in the second quarter of 2017, the “extortionists as a service” services for leasing Trojans continue to gain popularity. The United States and Russia are still the most frequent victims of cyber attacks, but in the second quarter of 2017, more than a quarter of the attacks (28%) were widespread and affected tens of countries and hundreds (in some cases thousands) of companies at the same time.
')
According to statistics from Positive Technologies, 67% of the attacks were carried out in order to obtain direct financial benefits. At the same time, more than half of the attacks were massive and mainly used malicious software.

The epidemic of the extortionist virus WannaCry (WanaCypt0r, WCry) showed that it is possible to become a victim of an attack even if you do not open suspicious letters and do not click on the links in them. According to Intel, the total number of infected computers exceeded 530 thousand. Victims of WannaCry bitcoin wallets received more than 50 BTC ($ 128,000) from victims, and the total damage to the companies was more than a billion dollars.



WannaCry distribution map

Another large-scale malware campaign at the end of June was caused by the NotPetya cipher (also known as ExPetr, PetrWrap, Petya, Petya.A, and others). A distinctive feature of this epidemic was that the purpose of the criminals was not financial gain, they did not seek to send a recovery key in exchange for payments. HPE was distributed for disabling information systems, file destruction and sabotage. More than 40 victims paid a ransom totaling the equivalent of $ 10,000.

The trend “extortionists as a service” (ransomware as a service), about which analysts of Positive Technologies told in the last report, is gaining momentum. There are new services for leasing Trojans: for example, the distributor Petya or Mischa receives from 25% to 85% of the sum of payments to victims, and another Trojan cipher Karmen is sold on the black market for $ 175.

While some attackers prefer cryptocurrency to obtain illegal income (victims of Trojan cryptographers are invited to transfer money to Bitcoin wallets), others attack the cryptocurrency exchanges and accounts of their clients. For example, having gained access to the personal data of 31,800 users of the South Korean Bithumb Stock Exchange, the attackers were then able to gain access to their accounts. Losses from this attack were estimated at 1 billion won ($ 890,000). During another attack on Tapizon, the attackers gained access to four wallets and a total of about 3816 bitcoins ($ 5.3 million) were stolen.

Analysts have noted the emergence of new non-standard chains of penetration into the target system. For example, the Cobalt grouping used arbitrary vulnerable sites as a hosting for malware. During targeted attacks, members of the APT10 group first gained access to the corporate networks of cloud service providers, and then through trusted channels penetrated the network of victim organizations.

While everyone is discussing large-scale attacks of ransomware viruses, the attackers are not sitting idly by working on a new malicious software and are planning future attacks. For example, researchers discover new botnets from IoT devices, but there is little news of new incidents involving high-load attacks. It is impossible to exclude the possibility that attackers are saving up resources in order to further implement large-scale attacks.

Full version of the study: www.ptsecurity.com/upload/corporate/ru-ru/analytics/Cybersecurity-2017-rus.pdf

On August 24, at 14:00 , Positive Technologies analyst Olga Zinenko will hold a free webinar on topical cyber threats of the first half of 2017.

Listeners will get acquainted with the most popular techniques and mechanisms of cyber attacks, learn which objects are most often attacked by attackers and from what motives they come from. In addition, we will give recommendations to organizations and ordinary users on how to protect against typical attacks.

Registration: www.ptsecurity.com/ru-ru/research/webinar/283988