Especially in our region, from where two notorious ransomware threat groups have been spreading their data exfiltration and extortion tentacles.

Which two notorious ransomware families have been targeting the Asia Pacific region in the past year?

If you guessed REvil and JSWorm, cybersecurity firm Kaspersky would say you are right, at least as far as its own data on ransomware 2.0 attacks shows.

Ransomware 2.0 refers to groups that have added data exfiltration and blackmail to the traditional encryption-for-ransom attack: besides locking the victim's files, they steal data and threaten to publish it unless the ransom is paid. The aftermath of a successful ransomware 2.0 attack includes significant monetary and reputational loss if the victim organisation fails to contain the situation.

According to Alexey Shulmin, Lead Malware Analyst, Kaspersky: “2020 was the most productive year for (hackers) that moved to ransomware 2.0. In the Asia Pacific region (APAC), we noticed an interesting re-emergence of two highly-active groups, REvil and JSWorm. Both resurfaced as the pandemic raged in the region last year, and we see no signs of them stopping anytime soon.”

More about REvil (aka Sodinokibi, Sodin)

The REvil ransomware group initially distributed its malware by exploiting an Oracle WebLogic vulnerability, and went on to carry out attacks on managed service providers (MSPs).

REvil's activity peaked in August 2019 with 289 potential victims; after that, Kaspersky telemetry showed fewer detections until mid-2020. In June 2020 the group targeted only 44 corporate customers globally, but it then accelerated its attacks sharply: the firm intercepted 877 attacks in July 2020, a 1,893% increase in the span of a single month.

In addition, the group has actively spread its tentacles from APAC to the rest of the world. Shulmin added: “Back in 2019, most victims were only from APAC, particularly in Taiwan, Hong Kong, and South Korea. But last year, we detected their presence in almost all countries and territories. It is safe to say that during their ‘silent months’, REvil creators had taken their time to improve their arsenal, their method of targeting victims, and their network’s reach.”

One thing was unchanged, though: APAC remained one of REvil's top targets. Of the 1,764 Kaspersky customers targeted by the group in 2020, 36% were in the region. Brazil, however, logged the highest number of users on whom an infection attempt by this threat was detected and blocked, followed by Vietnam, South Africa, China, and India.

Based on the data the threat actors published on their data leak site, Kaspersky experts now know which industries the group targets most: Engineering and Manufacturing (30%), Finance (14%), and Professional and Consumer Services (9%). The Legal, IT and Telecommunications, and Food and Beverage industries received equal attention at 7% each.

More about JSWorm

Like REvil, JSWorm (aka Nemty, Nefilim, Offwhite, Fusion, Milihpen, etc.) entered the ransomware landscape in 2019. However, the geographical distribution of its initial victims was more varied. During its first months it was detected across the globe: in North and South America (Brazil, Argentina, USA); in the Middle East and Africa (South Africa, Turkey, Iran); in Europe (Italy, France, Germany); and in Asia (Vietnam).

The number of JSWorm victims is lower than REvil's, but this ransomware family is clearly gaining ground. Overall, the cybersecurity firm blocked attempts against 230 customers globally in 2020, a 752% increase over the 27 users attacked by this threat in 2019.

The firm has also noticed a shift in the group's attention towards APAC. China emerged as the country with the highest number of customers attacked by JSWorm, followed by the USA, Vietnam, Mexico, and Russia. Some 39% of all the enterprises and individuals targeted last year were located in APAC.

As for the group's target industries, critical infrastructure and major sectors across the world are in its sights. Based on the data published by the threat actors on their data leak site, the breakdown is: Engineering and Manufacturing (41%); Energy and Utilities (10%); Finance (10%); Professional and Consumer Services (10%); Transportation (7%); and Healthcare (7%).