
Wednesday, June 9, 2021

Kaspersky Says 2020 Most Productive Year For Ransomware 2.0 In Asia Pacific


It’s no surprise that you’ve been hearing about a lot more ransomware attacks lately. Cybersecurity firm Kaspersky confirmed a significant increase in Ransomware 2.0 attacks in the Asia-Pacific (APAC) region last year.

Ransomware 2.0 refers to the shift by attackers from merely locking data to stealing it and holding it for ransom. “2020 was the most productive year for ransomware families who moved from hostaging data to exfiltrating data, coupled with blackmailing,” said Kaspersky Lead Malware Analyst Alexey Shulmin.

He added, “In APAC, we noticed an interesting re-emergence of two highly-active groups, REvil and JSWorm. Both resurfaced as the pandemic raged in the region last year and we see no signs of them stopping anytime soon.”


REvil, in particular, has achieved quite a bit of infamy in the last few months. The hacker group reportedly claimed they breached Acer and demanded from the company the largest known ransom ever of US$50 million (~RM205.6 million). Separately, it was reported that REvil ransomware can apparently change Windows passwords and then automate a system’s file encryption via Safe Mode.

Kaspersky noted that, back in 2019, REvil hackers mostly targeted victims in the Asia Pacific – particularly in Taiwan, Hong Kong, and South Korea. Last year, however, the cybersecurity firm detected the group’s presence in almost all countries and territories.

According to Kaspersky, the biggest chunk of REvil’s industrial targets falls under the Engineering and Manufacturing category (30%) followed by Finance (14%) and Professional and Consumer Services (9%).

JBS paid $11 million in ransomware attack


Meatpacker JBS USA paid the equivalent of $11 million ransom in a cyberattack that disrupted its North American and Australian operations, the company’s CEO said in a statement on Wednesday.

The subsidiary of Brazilian firm JBS SA (JBSS3.SA) halted cattle slaughtering at all of its U.S. plants for a day last week in response to the cyberattack, which threatened to disrupt food supply chains and further inflate already high food prices.

The cyberattack followed one last month on Colonial Pipeline, the largest fuel pipeline in the United States. It disrupted fuel delivery for several days in the U.S. Southeast.

The JBS meat plants, producing nearly a quarter of America's beef, recovered faster than some meat buyers and analysts expected.

"This was a very difficult decision to make for our company and for me personally," said Andre Nogueira, CEO of JBS USA of the ransom payment. "However, we felt this decision had to be made to prevent any potential risk for our customers."

The Brazilian meatpacker’s arm in the United States and Pilgrims Pride Corp (PPC.O), a U.S. chicken company mostly owned by JBS, lost less than one day’s worth of food production. JBS is the world’s largest meat producer.

Third parties are carrying out forensic investigations and no final determinations have been made, JBS said. No company, customer or employee data was compromised in the attack, it said.

A Russia-linked hacking group is behind the cyberattack against JBS, a source familiar with the matter said last week. The Russia-linked cyber gang goes by the name REvil and Sodinokibi, the source said.

The Wall Street Journal reported on Wednesday that the JBS ransom payment was made in bitcoin.

The Justice Department on Monday recovered some $2.3 million in cryptocurrency ransom paid by Colonial Pipeline Co, cracking down on hackers who launched the attack.

Wednesday, April 28, 2021

REvil Ransomware Now Able To Change Windows Passwords And Automate File Encryption In Safe Mode


The REvil Ransomware recently received an update that effectively allows malicious hackers to change Windows passwords, as well as automate a system’s file encryption via Safe Mode directly after that.

According to Bleeping Computer, the update was reportedly added in an effort to help these actors evade detection and to shut off backup software and database servers when encrypting the target’s files. Breaking down the update further, the new REvil ransomware reportedly changes the user’s password to “DTrump4ever” when the -smode argument is used.

As dastardly as this ransomware is, the silver lining is that someone would still need to manually log in to Windows in Safe Mode before the encryption can occur, and that alone could tip off the victim to the ransomware’s actions.

Of course, it should surprise no one that this isn’t the first time REvil has been cast into the spotlight. Last month, the hacker collective claimed responsibility for attacking the Taiwanese tech brand, Acer, and holding their servers hostage to the tune of US$50 million (~RM206 million).

In addition to the attack, the group also warned victims that, should they choose not to pay the ransom, it would not think twice about launching DDoS attacks on them or emailing their business partners about the breach.

Thursday, March 25, 2021

Acer Breached By Ransomware; Hackers Demand US$50 Million In Largest Ransom Ever


Taiwanese tech giant Acer has been breached by a ransomware attack and hackers are demanding the largest known ransom ever of US$50 million (~RM205.6 million), Bleeping Computer reported.

REvil, the hacker group responsible for the attack, reportedly announced the breach on their data leak site and showed images of allegedly stolen files as proof – documents including financial spreadsheets, bank balances, and bank communications.

Bleeping Computer’s report suggested that the hackers may have exploited a Microsoft Exchange vulnerability to carry out their attack. Recently, Microsoft blamed China-backed hackers for breaching Exchange servers, resulting in tens of thousands of victims around the world.

Attacks using that route have reportedly spiked dramatically since Microsoft’s announcement.

In response to enquiries, Acer issued a generic statement to Bleeping Computer and other media outlets, saying that the company constantly monitors its IT systems and that it has “reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”


The company did add that there was an ongoing investigation and that it couldn’t comment further due to security reasons.

At US$50 million, the ransom is the largest on record, surpassing REvil’s previous US$30 million (~RM123.3 million) demand for the cyberattack on Dairy Farm, a multinational retail chain operator.

Ransomware attacks have become startlingly frequent in recent times. CD Projekt Red, developer of The Witcher games and Cyberpunk 2077, was hit with a ransomware attack in February, resulting in its employees being reportedly locked out of their work VPN. The company refused to pay the ransom.
