'Ransomware 2.0' gaining ground

Cyberdefences should be up against new ransomware families troubling Asia

The Asia-Pacific region remained one of the leading targets for REvil in 2020, according to Kaspersky.

2020 was the year of "Ransomware 2.0" in Asia-Pacific, with two notorious ransomware families -- REvil and JSWorm -- causing considerable trouble.

Ransomware 2.0 is usually a targeted attack by a group that has moved beyond merely encrypting data and holding it hostage: the attackers first exfiltrate the data and then threaten to publish it unless the ransom is paid, so a victim with good backups can still be blackmailed. The aftermath of a successful attack can include significant monetary loss and reputational damage.

"Both REvil and JSWorm resurfaced as the pandemic raged in the region last year and we see no signs of them stopping anytime soon," said Alexey Shulmin, lead malware analyst at Kaspersky.

REvil, also known as Sodinokibi and Sodin, was initially distributed by exploiting a vulnerability in Oracle WebLogic and carried out attacks on managed service providers (MSPs), using the providers' access to reach their customers.

The activities of REvil peaked in August 2019 with 289 potential victims and appeared to subside, targeting only 44 Kaspersky users globally in June 2020. But the group accelerated its attacks the following month, when Kaspersky protected 877 users from the threat.

"Back in 2019, most of their victims were only from Asia-Pacific -- particularly in Taiwan, Hong Kong and South Korea," said Mr Shulmin. "But last year, Kaspersky detected their presence in almost all countries and territories.

"It's safe to say that during their 'silent months', REvil creators took their time to improve their arsenal, their method of targeting victims, and their network's reach."

However, Asia-Pacific remained one of the top targets for REvil. Of the 1,764 Kaspersky users targeted by the group in 2020, 635 (36%) were in the region. By country, Brazil logged the largest number of users almost infected, followed by Vietnam, South Africa, China and India.

Based on an analysis of the group's data leak site, Kaspersky experts were also able to categorise the group's targets into several general industry classes, led by engineering and manufacturing (30%). This was followed by finance (14%) and professional and consumer services (9%). Legal, IT and telecommunications, and food and beverage industries received equal attention at 7%.

Like REvil, JSWorm also entered the ransomware landscape in 2019. However, the geographical distribution of its initial victims was more varied. During its first months, it was detected across the globe -- in North and South America (Brazil, Argentina, USA); in the Middle East and Africa (South Africa, Turkey, Iran); in Europe (Italy, France, Germany); and in Asia-Pacific (Vietnam).

The number of JSWorm victims is lower than REvil's, but this ransomware family is gaining ground. Overall, Kaspersky solutions blocked attempts against 230 users globally in 2020, up from 27 a year earlier.

China emerged as the country with the largest number of users almost infected by JSWorm globally, followed by the US, Vietnam, Mexico and Russia. More than one-third (39%) of all the enterprises and individuals the group targeted last year were located in Asia-Pacific.

Two in five (41%) JSWorm attacks targeted companies in the engineering and manufacturing sector. Energy and utilities (10%), finance (10%), professional and consumer services (10%), transport (7%) and healthcare (7%) were also on the list.

To remain protected against Ransomware 2.0, Kaspersky experts suggest enterprises and organisations:

  • Keep their operating systems and software patched and up to date
  • Train all employees in cybersecurity best practices while they work remotely
  • Only use secure technologies for remote connection
  • Carry out a security assessment of the network
  • Use endpoint security with behaviour detection and automatic file rollback
  • Never follow the demands of the criminals. Do not fight alone -- contact law enforcement, a computer emergency response team or security vendors.
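The "behaviour detection" the last-but-one recommendation refers to is worth making concrete. The example below is an added illustration and not code from Kaspersky or from this article: a toy detector that consumes a stream of file events (a constructed schema standing in for what an EDR sensor would report) and flags a process only when several ransomware-like behaviours coincide: a burst of writes whose contents look like ciphertext (high Shannon entropy), a burst of renames to one new extension, and a file that looks like a ransom note. The thresholds, the note keywords and the sample trace (process 4242 behaving like ransomware, process 777 like a backup job) are all assumptions chosen for the demonstration.

```python
"""Toy behaviour-based ransomware detector over a file-event stream (added example)."""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One filesystem event; constructed schema, not a real sensor format."""
    ts: float          # seconds since start of trace
    pid: int
    op: str            # "write", "rename" or "create"
    path: str          # for "rename": the new path
    data: bytes = b""  # for "write": the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, ~4.5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Words commonly seen in ransom-note filenames; an assumption, not a vendor list.
RANSOM_NOTE_WORDS = ("decrypt", "restore", "readme", "how_to", "recover")


def looks_like_ransom_note(path: str) -> bool:
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith((".txt", ".html", ".hta")) and any(w in name for w in RANSOM_NOTE_WORDS)


def analyse(events, window=10.0, burst=20, entropy_min=7.5, min_indicators=2):
    """Return {pid: [reasons]} for each process tripping at least min_indicators."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        reasons = []

        # Indicator 1: many writes of high-entropy data (ciphertext looks random).
        hi = [e for e in evs if e.op == "write" and len(e.data) >= 256
              and shannon_entropy(e.data) >= entropy_min]
        if len(hi) >= burst:
            reasons.append(f"{len(hi)} high-entropy writes")

        # Indicator 2: >= burst renames to one new extension inside `window` seconds.
        by_ext = defaultdict(list)
        for e in evs:
            name = e.path.rsplit("/", 1)[-1]
            if e.op == "rename" and "." in name:
                by_ext[name.rsplit(".", 1)[-1].lower()].append(e.ts)
        for ext, stamps in by_ext.items():
            j = 0
            for i, t in enumerate(stamps):            # sliding window over sorted stamps
                while t - stamps[j] > window:
                    j += 1
                if i - j + 1 >= burst:
                    reasons.append(f"{i - j + 1} renames to .{ext} within {window}s")
                    break

        # Indicator 3: a ransom-note-looking file was dropped.
        notes = [e.path for e in evs if e.op == "create" and looks_like_ransom_note(e.path)]
        if notes:
            reasons.append(f"ransom note created: {notes[0]}")

        if len(reasons) >= min_indicators:
            verdicts[pid] = reasons
    return verdicts


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def sample_trace():
    """Constructed trace: pid 4242 acts like ransomware, pid 777 like a backup job."""
    events = []
    for i in range(25):
        doc = f"/srv/share/finance/q{i}.xlsx"
        events.append(FileEvent(0.1 * i, 4242, "write", doc, _pseudo_random(4096)))
        events.append(FileEvent(0.1 * i + 0.05, 4242, "rename", doc + ".locked"))
    events.append(FileEvent(3.0, 4242, "create", "/srv/share/finance/README_HOW_TO_DECRYPT.txt"))
    # Backup job: one big compressed (high-entropy) archive, plain-text logs, no renames.
    events.append(FileEvent(1.0, 777, "write", "/backup/nightly.tar.gz", _pseudo_random(65536)))
    for i in range(30):
        events.append(FileEvent(2.0 + 0.01 * i, 777, "write", f"/backup/log{i}.txt",
                                (f"backup ok line {i}\n").encode() * 20))
    return events


if __name__ == "__main__":
    for pid, reasons in analyse(sample_trace()).items():
        print(pid, "->", "; ".join(reasons))
```

Running it reports only process 4242, with all three indicators. The backup job also writes high-entropy data (compressed archives are indistinguishable from ciphertext by entropy alone), which is why no single indicator is allowed to convict on its own; a real product would additionally feed the verdict into file rollback from its own snapshots, which this toy does not attempt.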