May 21, 2021 — Eric Swotinsky
Malware analysis | Incident reports | Client education

Cyberthreat update from Acronis CPOCs: Week of May 17, 2021


Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as ransomware strikes against major organizations and current phishing campaigns to watch out for. Here’s a look at some of the most recent breaking news and analyses:

The lights go out on DarkSide ransomware

Just over a week after a DarkSide ransomware attack on one of the largest U.S. oil pipelines, the DarkSide gang may be shutting down operations. While DarkSide claimed to be apolitical and motivated solely by money, this may not have been enough to avoid focused law enforcement action against them.

Several cybersecurity reporters have announced that DarkSide has chosen to shut down operations after losing access to some of their servers and networks. Still, with the gang having stolen 740 GB of data from tech giant Toshiba over the weekend, it remains unclear whether this shutdown is simply a rumor, or whether the gang plans to rebrand under a new name. The Toshiba attack may also be an affiliate trying to score one final haul before shutting down entirely.

DarkSide initially earned nearly $5 million in the attack on Colonial Pipeline, though their crypto wallets have since been seized alongside their servers thanks to law enforcement action. A fuller picture will become clear with time, but at this point it looks like DarkSide felt too much pressure after the Colonial Pipeline attack, and that we aren't likely to see future attacks from them.

Whether you’re facing known or unknown malware threats, the Active Protection included in Acronis Cyber Protect stops ransomware before your data is stolen or encrypted.

RATs on a plane: Spear-phishing campaign targets the aerospace sector

New research released by Microsoft discusses an ongoing spear-phishing campaign targeting the aerospace and travel sectors.

This campaign makes use of well-tailored lures that appear to originate from legitimate businesses and request help with organizing transportation charters. It also utilizes a newly-discovered loader by the name of Snip3, which typically delivers RevengeRAT or AsyncRAT, though Agent Tesla and NetWire have also been observed. These RATs can steal passwords, log keystrokes, capture webcam and screenshot data, and access browser and clipboard data.

The average ransom demanded after a successful spear-phishing attack is a whopping $1.6 million. Microsoft found that around 30% of phishing emails end up being opened, with 12% of these leading to users clicking on malicious links. Acronis Cyber Protect’s AI-powered behavioral heuristic capabilities effectively detect and block all forms of RATs and Trojans — even those never seen before — keeping your systems safe from harm.

Ransomware insurer ransomed by ransomware

Insurance giant AXA has been successfully hit with a ransomware attack by the Avaddon ransomware group. This comes roughly a week after AXA — which has a net worth of over €3.85 billion and employs more than 120,000 people — decided to stop reimbursement for ransomware claims.

On their leak site, Avaddon claims to have stolen over 3 TB worth of sensitive data from AXA's Asian operations. This includes customer medical reports, copies of ID cards, bank statements, claims, payment records, contracts, and more. Avaddon is currently slamming AXA’s branches in Asia with DDoS attacks in an attempt to force prompt payment.

Avaddon continues a spree with no end in sight. Thankfully, Acronis Cyber Protect's advanced heuristic engine recognizes the key behaviors that ransomware exhibits, and stops them completely before harm can come to your data or systems.

Even the data breaches got COVID

Verizon's Data Breach Investigations Report for 2021 has been released, and some of the results may be surprising. What should come as no surprise, however, is that threat actors are preying on reactions to the global pandemic.

Phishing remained a top tactic in data breaches, with 36% of all breaches including a phishing action — up from 25% in last year’s report. Phishing lures have become more targeted, and have relied heavily on public desire to get information about the pandemic. Even without phishing directly, 85% of breaches involved a human element, demonstrating the need for better security controls and training.

The big change this year was ransomware doubling its presence in data breaches, accounting for 10% of all such breaches as the operators began to name-and-shame victims as an extortion tactic. The good news is that leaks due to errors are down 5%.

Data breaches are mostly financially motivated, and organized crime groups account for over 80% of attacks. These cybercriminals are sophisticated and driven to make as much money as possible from any given attack.

Acronis Cyber Protect takes a multi-layered approach to system protection. AI-powered behavioral analysis identifies and blocks both known and unknown cyberthreats, while tamper-proof backups that can be run as virtual machines in the cloud enable you to avoid operational downtime in the event of disaster.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.