Last week in security news, researchers revealed that the average ransomware demand grew 14 times over a one-year period from 2018 to 2019. Ransomware wasn’t the only malware category that made headlines this past week. A strain of Android malware caught researchers’ attention by limiting its malicious activity to a single capability. Yet another threat received some attention for its growing interest in creating backdoor functionality on infected Windows machines.
Top Story of the Week: A Leap in Ransomware Demand Amounts
Citing industry researchers, Group-IB revealed that the average ransom demanded from a victim increased 14 times, from $6,000 to $84,000, in the span of one year. And this observation didn’t even capture some of the largest ransomware demands of 2019.
Out of all the ransomware families, Ryuk was the worst, according to researchers. In one attack, the crypto-malware coerced two cities in Florida into handing over a combined ransom payment of $1 million. In another attack, threat actors demanded $5 million — the largest demand ever recorded, noted Group-IB — from a town in Massachusetts.
Also in Security News
- Portuguese Banks Caught in the Crosshairs of New Grandoreiro Variant: Segurança Informática revealed that it spotted a new variant of the Grandoreiro malware family targeting Portuguese banks. This variant operated similarly to previous versions, but it also improved the way in which it communicated with its command-and-control (C&C) server.
- Malicious Functionality of DEFENSOR ID Limited to Single Action: Researchers at ESET learned that an Android malware strain called “DEFENSOR ID” had succeeded in bypassing Google Play’s security checks. It did so by limiting its malicious functionality to a single action: requesting access to Accessibility Services for the purpose of emptying victims’ financial accounts.
- New Flaw Allows Malicious Apps to Masquerade as Legitimate: Promon researchers detected a critical severity vulnerability that enabled malicious Android applications to camouflage themselves as legitimate programs in order to remain hidden. They named the flaw “StrandHogg 2.0” due to its similarities with the original StrandHogg flaw discovered in 2019.
- Phishers Target Office 365 Details With Fake Supreme Court Subpoenas: A phishing campaign detected by Armorblox sent out attack emails that used “Supreme Court” as the sender identity and used authoritative language to coerce recipients into clicking a “View Subpoena” button. Those who complied found themselves redirected to a fake Office 365 login page.
- Continued Interest in Backdoor Functionality Held by Sarwent Malware: SentinelOne came across a new sample of the Sarwent malware family that demonstrated sustained interest in using PowerShell commands and other techniques to perform backdoor functionality. Updates to the threat also provided evidence of a preference for abusing Remote Desktop Protocol (RDP).
- Plaintext Passwords Targeted by Modified Discord Client: According to Bleeping Computer, attackers released a new version of the AnarchyGrabber malware family called “AnarchyGrabber3.” This threat abused a modified Discord client to steal users’ plaintext passwords and relied on commands to spread to victims’ friends on Discord.
- New Versions of Valak Malware Deployed in U.S., German Campaigns: In April 2020, Cybereason identified multiple attack campaigns leveraging new variants of the Valak malware family to prey on targets in the United States and Germany. Researchers found over 30 versions of the malware, a discovery that suggests that Valak’s authors made many improvements to their creation over a short period of time.
- Brute-Force Attacks Employed by PonyFinal Ransomware for Gaining Initial Access: Microsoft Security Intelligence revealed that a PonyFinal ransomware campaign leveraged brute-force attacks against a target organization’s systems management server as a means of gaining initial access. The campaign ultimately spread to endpoints with Java Runtime Environment (JRE) enabled to install its payload.
Security Tip of the Week: Strengthen Your Anti-Ransomware Defenses
Security professionals can help their organizations defend against a ransomware attack by making sure they have access to the latest threat intelligence. They can then use that information to stay on top of the latest ransomware attacks and techniques. Additionally, companies should leverage an endpoint management solution to monitor their endpoints for suspicious activity that could be indicative of a ransomware attack.