The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing ransomware news, trends, and research from the previous month. Read the debut issue (July 2021) here.
Highlight of the month: REvil a.k.a. Sodinokibi
On September 16, our security researchers, in collaboration with a trusted law enforcement partner, released a universal decryptor to help victims of REvil ransomware recover their data. REvil is an example of a cybercrime group that prefers high-value targets because the potential payouts are massive. Its attacks are well-planned and professionally executed, and the group is likely based in the Commonwealth of Independent States region, making it difficult for law enforcement to pursue and prosecute. With each paid ransom, the group grows bigger and attacks larger targets, further improving its methodology – and gaining more infamy. It has claimed an annual revenue of $100 million USD.
On July 13, parts of REvil’s infrastructure went offline after their previous representative “UNKN” disappeared and was supposedly arrested. As criminal organizations like this have done in the past, security experts expected the group to re-emerge after some time, with a new name and improved tools.
Surprisingly, the group decided to return under the same name. REvil’s servers and supporting infrastructure recently came back online after a two-month hiatus. On September 7, “Happy Blog” (the group’s blog listing its latest victims) came back as well. While UNKN has disappeared, the group has a new mouthpiece, simply called “REvil”. It is not clear whether this revamped version of REvil will pose the same level of threat under the new management, but we urge organizations to be on high alert and to take the necessary precautions.
Due to the group’s temporary shutdown, many victims have not been able to recover their files even if they elected to pay. Our universal decryptor restores files from all attacks made before July 13th, 2021 – you can download the tool and read the step-by-step tutorial.
To learn more about REvil’s history and attack timeline, check out our new infographic (and feel free to share it):
World in Numbers
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements the telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, our Labs operations discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
For this report, we analyzed malware detections collected in August 2021 from our static anti-malware engines. We are only counting total cases, without weighting them by how significant the impact of an infection is. As a result, opportunistic adversaries and Ransomware-as-a-Service (RaaS) groups will represent a higher percentage than groups that are more selective about their targets, since the former prefer volume over value.
When looking at this data, remember that these are ransomware detections, not infections. Technology companies rank at the top of our list with the most detections, while non-profit organizations trail at the end. Detection rates vary based on the technologies in place and on security maturity.
Figure: Our data is reporting detections, not infections. And if you have no idea what WWII airplanes have to do with it, read this great story about survivorship bias.
Top 10 Ransomware Families
For this report, we analyzed 19.8 million malware detections from August 1st to August 31st. In total, we identified 250 ransomware families.
Top 10 Countries
In total, we detected ransomware from 174 countries in our dataset this month. Ransomware continues to be a global threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Most ransomware attacks continue to be opportunistic, and population size correlates with the number of detections.
Top 10 Industries
For our dataset, we have been able to assign almost 40% of detections to specific industries. Telecommunications services rank particularly high because detections on their customers’ endpoints are counted under the provider.
From our Petri digi-dish
In this section, we highlight some of the research from our own Bitdefender Labs:
FIN8 is still a hot topic. A new whitepaper was released about the backdoor component (“Sardonic”) discovered during a recent forensic investigation. We believe this component is part of a larger project and is still under development. To learn more about our research, read the blog post FIN8 Threat Actor Spotted Once Again with New “Sardonic” Backdoor.
Adversaries sometimes take a break, but they often re-emerge with an improved toolkit under a new name. In the case of REvil, we expect to see more targeted attacks. To stay ahead of attackers, keep up to date with the latest threats and best practices. Subscribe to the Business Insights blog, follow us on Twitter, and don’t miss the next BDTD for September 2021.
We hope you have found this BDTD report interesting. Leave us a comment and let us know what you think.
We would like to thank Oana Acostachioaiei, Mihai Leonte, Andrei Mogage and Ioan Marculet for their help with putting this report together.