By jgoodchild, Contributor

Ransomware roundup: System-locking malware dominates headlines

News Analysis
Jun 02, 2022 | 5 mins
Ransomware

From a new ransomware group that demands donations instead of cryptocurrency to the possible resurgence of an infamous gang, these are the stories that caught the attention of infosec pros.

[Image: locked data / bitcoins. Credit: Metamorworks / Nature / Getty Images]

As we head into the unofficial start of summer, it does not appear the criminal groups that run ransomware schemes are planning to take any time to rest. Ransomware was all over the infosec news headlines in the past week, with one new report revealing that its presence has grown more in the last year than in the past several years combined.

Here’s a roundup of noteworthy ransomware stories you might have missed.

DBIR finds ransomware increased by double digits

Verizon Business’ annual Data Breach Investigations Report (DBIR) is out and confirms what many CISOs already know: ransomware continues to plague business. Ransomware-related breach instances rose 13%, an increase larger than in the past 5 years combined.

Analysts looked at 23,896 security incidents between November 1, 2020 and October 31, 2021, for the report. Of those, 5,212 were confirmed breaches.

“As criminals look to leverage increasingly sophisticated forms of malware, it is ransomware that continues to prove particularly successful in exploiting and monetizing illegal access to private information,” Verizon Business said in a statement on the findings.

As Rick Holland (@rickholland), a security veteran and CISO of Digital Shadows, noted on Twitter, “25% of all breaches are ransomware related. #DBIR And that is just what is reported. Actual number much higher in my opinion.”

Andy Jabbour (@andyjabbour), an analyst with security firm Gate15, tweeted, referring to the section of the report on ransomware, “This section is the perfect sequel to last year’s finding of #Ransomware dramatically increasing…That trend has continued with ***an almost 13% increase this year*** (an increase as large as the last five years combined).”

GoodWill hunting victims with malware

In a new twist on ransomware, researchers from CloudSek say a ransomware group is using the malware to raise money for charity. The so-called GoodWill ransomware group demands victims perform a charitable act in exchange for the decryption key.

“The Robin Hood-like group is forcing its victims to donate to the poor and provides financial assistance to the patients in need,” researchers say in a blog post about the malware.

Once infected, victims get to “choose” which charitable act to perform in exchange for the key. The choices include:

  • Donate new clothes to the homeless, record the action, and post it on social media.
  • Take five less fortunate children to Dominos, Pizza Hut or KFC for a treat, take pictures and videos and post them on social media.
  • Provide financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio, and share it with the operators.

Whether based on good intentions or not, infosec and legal pros say don’t give in to these demands.

“The goodwill ransomware encrypts all files & requests the victim to pay in acts of kindness (instead of money) to get it back. Don’t do it. Keep a good backup,” tweeted Courtney Troutman and Emily Worle, who tweet under the handle @SCBar_PMAP.

Cheerscrypt ransomware is not so festive

Researchers at Trend Micro say they have observed a Linux-based ransomware family called Cheerscrypt that targets VMware’s ESXi servers. The researchers say the ransomware uses the now-common double-extortion tactic: in addition to encrypting systems and demanding a ransom, the operators steal data and threaten to leak it if victims do not pay.

Researchers conclude their blog by noting ESXi is widely used in enterprise settings for server virtualization and is a popular target for ransomware attacks.

“Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices,” they say.

REvil is back … maybe

Researchers from Akamai say the infamous ransomware group known as REvil may be back to mess with systems again. REvil first became known as the gang responsible for the Kaseya and JBS ransomware attacks in 2021. Russian officials claimed to have dismantled REvil in March, but in the last week, the Akamai Security Intelligence Response Team (SIRT) was called in to assist with what it called a Layer 7 attack on a hospitality customer by a group claiming to be REvil.

Akamai SIRT member Larry Cashdollar reports the group launched a coordinated DDoS attack. The attack was not a ransomware attack but instead included a 554-byte message demanding payment in Bitcoin in order to halt the attack. Whether or not it is actually REvil, or a copycat group, is still being investigated.

“When a threat group changes its techniques, it could be a possible pivot into a new business model, a result of a dramatic change in its skill set, a schism among the group, or an unaffiliated copycat trying to leverage that group’s hype into easy money from short-sighted and emotionally reactive victims,” he wrote. “It’s possible that REvil is testing the waters of DDoS extortion as a profitable business model, but we think it’s more likely that we’re seeing the scare tactics associated with prior DDoS extortion campaigns recycled for a fresh round of campaigns.”