Experts named the top 3 ransomware attacking Russian business

by time news

Ransomware operators Dharma, Crylock and Thanos were the most active this year, with approximately 100 attacks on Russian businesses each, according to a Group-IB study, “How Ransomware Operators Attacked Russian Businesses in 2021” (available to “Vedomosti”).

According to the experts, the total number of ransomware attacks on domestic companies in 2021 increased by 200% compared to 2020. The average ransom paid to cybercriminals was 3 million rubles, and the maximum was 40 million rubles. The record for the amount demanded was set by the OldGremlin group, which wanted 250 million rubles from its victim. Nevertheless, these figures are significantly lower than global ones. For example, extortionists from Hive recently demanded a ransom of $240 million from the German holding Mediamarkt, Group-IB noted.

Most often, ransomware operators penetrated the networks of Russian companies by compromising publicly accessible terminal servers over the Remote Desktop Protocol (RDP): about 60% of attacks followed this scheme. It was especially popular with Dharma and Crylock.

Another 22% of cyberattacks came through phishing mailings, mainly by email. For example, experts discovered the Rat Forest group, which gained initial access to corporate networks through exactly such mailings. The cybercriminals used legitimate remote access software, RMS or TeamViewer, and instead of an encryptor they used a VeraCrypt crypto container, into which they moved important information and then demanded a ransom for it.

In addition, 14% of incidents were related to vulnerabilities in public-facing applications. For example, a fairly old vulnerability still remains in Fortigate VPN servers and is critical for many Russian companies, Group-IB warned.

The head of the Group-IB Computer Forensics Laboratory, Oleg Skulkin, assessed the general level of cybersecurity of domestic companies as “extremely low” and poorly able to resist “even low-skilled extortionists.” According to the expert, many attacks are now carried out in simple ways and could be prevented by setting up multifactor authentication.
