These two unusual versions of ransomware tell us a lot about how attacks are evolving

03:53 07 March 2021 Source: zdnet.com



Two newly discovered forms of ransomware with very different traits show just how diverse the world of ransomware has become as more cyber criminals attempt to join in with cyber extortion.

Both forms of ransomware emerged in February and have been detailed by cybersecurity researchers at Trend Micro: AlumniLocker and Humble, with the two versions attempting to extort a bitcoin ransom in different ways.

AlumniLocker is a variant of Thanos ransomware and immediately stands out for demanding a payment of 10 Bitcoins from the infected victim – a figure currently equivalent to around $450,000.


The ransomware is delivered to victims via a malicious PDF attachment claiming to be an invoice which is distributed in phishing emails. The PDF contains a link which will extract a ZIP archive which runs a PowerShell script to drop the payload and execute the ransomware.
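The delivery chain described above (phishing email, PDF "invoice", ZIP archive, PowerShell script) leaves a recognisable trace in endpoint process-creation telemetry. The following detector is an added example, not code from the article or from Trend Micro; the process records are constructed sample data, the indicator weights are illustrative, and the parent-process and path lists are assumptions to be tuned per environment.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
EVENTS = [
    {"pid": 300, "parent": "outlook.exe", "image": "acrord32.exe",
     "cmd": r'"C:\Program Files\Adobe\AcroRd32.exe" C:\Users\a\Downloads\invoice.pdf'},
    {"pid": 400, "parent": "acrord32.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -ep bypass -w hidden -f C:\Users\a\AppData\Local\Temp\invoice_zip\invoice.ps1"},
    {"pid": 500, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\nightly_backup.ps1"},
    {"pid": 600, "parent": "winword.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe -NoP -enc QQBBAEEA"},  # placeholder base64, decodes to 'AAA'
]

# Parents that should rarely spawn a script host: document viewers, Office, archive tools (assumed list).
DOCUMENT_HANDLERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "winword.exe",
                     "excel.exe", "outlook.exe", "7zfm.exe", "winrar.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.I)

# (description, weight, predicate): weights are illustrative, tune them to your environment.
INDICATORS = [
    ("parent is a document/archive handler", 3,
     lambda e: e["parent"].lower() in DOCUMENT_HANDLERS),
    ("script or payload under user temp/downloads", 2,
     lambda e: USER_WRITABLE.search(e["cmd"]) is not None),
    ("execution policy bypass", 1,
     lambda e: re.search(r"-e(xecutionpolicy|p)\s+bypass", e["cmd"], re.I) is not None),
    ("hidden window", 1,
     lambda e: re.search(r"-w(indowstyle)?\s+hidden", e["cmd"], re.I) is not None),
    ("encoded command", 2,
     lambda e: re.search(r"-e(nc|ncodedcommand)\b", e["cmd"], re.I) is not None),
]


def score_event(event):
    """Return (score, matched indicator names) for one process-creation record."""
    hits = [(name, w) for name, w, pred in INDICATORS if pred(event)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def find_suspicious(events, threshold=4):
    """Return script-host launches whose indicator score reaches the threshold."""
    alerts = []
    for e in (e for e in events if e["image"].lower() in SCRIPT_HOSTS):
        score, hits = score_event(e)
        if score >= threshold:
            alerts.append({"pid": e["pid"], "score": score, "reasons": hits})
    return alerts
```

Run against the sample records, the PowerShell launched by the PDF reader from a Temp folder scores 7 and is flagged, while the scheduled backup script launched from Explorer scores 0.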

Like an increasing number of ransomware campaigns, the attackers behind AlumniLocker threaten to publish data stolen from the network of their victim if they're not paid within 48 hours – although given the ransom demand is so large, victims may decide it's too much to pay.

The ambitious ransom demand and other inconsistencies in their attack techniques – including how the data leak site doesn't actually work – could indicate that those behind AlumniLocker are probably just starting out.


"It does seem like this might be a new group that does not have experience in successfully ransoming their victims as the ransom demand is much higher than typical. Being that the leak site doesn't work is another example of showing their hand of being newbies," Jon Clay, director of global threat communications at Trend Micro, told ZDNet.

Humble ransomware also first appeared during February, but is very different in a number of ways. Firstly, the ransom demand is much smaller: just 0.0002 Bitcoins – currently just under $10 – for the return of files, indicating that Humble might be targeting individuals rather than organisations.

It's still unknown how exactly Humble is distributed, but researchers note that it's likely to be via phishing attacks.


In an effort to push victims towards paying the ransom, Humble threatens the victim by stating that if they restart their system, the Master Boot Record (MBR) will be rewritten, rendering the machine unusable. A second version of Humble carries the same threat, but instead says this will happen if the victim doesn't pay after five days.


Humble is unusual for ransomware in being written as a batch file and compiled with an executable wrapper (Bat2Exe). What's also strange is that it uses Discord – a voice, text and video communications service popular among gamers – to send reports back to its author.

Both forms of new ransomware are unusual, but both demonstrate that ransomware continues to be appealing to cyber criminals who see how the top gangs are making so much money, and want to do the same.

Organisations can help protect themselves from ransomware attacks with cybersecurity procedures including applying patches and using multi-factor authentication.

