November 6, 2020 — Eric Swotinsky
Malware analysis · Incident reports · Client education

Cyberthreat update from Acronis CPOCs: Week of November 2, 2020


Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as successful ransomware attacks against major targets, and how current events are shaping today’s cyberthreats. Here’s a look at some of the most recent breaking news and analyses:

Energy firm Enel Group hit by second ransomware attack

The Enel Group, one of the largest energy companies in Europe, has fallen victim to a Netwalker ransomware attack. This comes after having been hit by Snake ransomware in June of this year, although the Snake attack was stopped before it could spread.

The Netwalker group has demanded a ransom of roughly $14 million in Bitcoin. This value appears to represent an increase over the original demand, due to the Enel Group’s refusal to pay up quickly. Netwalker claims to have stolen around 5 TB of data, and is threatening to begin releasing sensitive information if the ransom is not paid within a week.

The behavioral-based detection in Acronis Cyber Protect stops ransomware attacks like Snake and Netwalker before data can be stolen or widespread encryption can occur, and restores any encrypted data within seconds.

Ransomware attack impacts voting systems in US state of Georgia

Just days before the 2020 election, Georgia’s Hall County was struck by Doppelpaymer ransomware, bringing down the voter signature database as well as phone systems and a voter precinct map. The attack hindered election workers’ ability to match signatures on absentee ballots against scanned signatures on file.

Doppelpaymer has a diverse network of tools aimed at getting their victims to download their malware — including botnets, malicious advertisements, fake software updates, and infected installers. They also follow a growing trend among ransomware groups that name, shame, and leak the data of victims who don’t pay up.

So far this year, 82 government bodies in the U.S. have been hit by ransomware, with an average ransom demand of around $400,000. Doppelpaymer and other ransomware gangs are constantly evolving their attacks — but Acronis Cyber Protect, with its advanced heuristic engine and endpoint management tools, provides layers of protection to block these threats.

Psychotherapy patients targeted directly in ransomware attack

Cybercriminals have attacked Vastaamo, a psychotherapy practice in Finland, and gotten their hands on over 40,000 patient records — including personal details about patients and their sessions. This incident appears to have taken place in 2018, but is only now surfacing as the attackers have demanded a ransom of $450,000 for not publishing this sensitive data.

When Vastaamo refused to pay, the threat actors began releasing private records on their underground site. They also started contacting patients directly, demanding around $200 from each in order to keep data about their sessions private — a traumatizing prospect for anyone.

Going after end users directly is still quite rare in ransomware attacks, but this isn't the first time we’ve seen it happen. Regardless of the malware variant used, Acronis Cyber Protect can stop such attacks through its multilayered protection before attackers can exfiltrate sensitive data.

Educational sector hit hardest by phishing attacks

A recent study has shown that schools, colleges, and universities are experiencing over 10% more spear-phishing than other sectors, and business email compromise (BEC) attacks are more than twice as likely to be used against educational institutions compared to other organizations.

Of the attacks documented in the study, 3% were a form of extortion, while 28% were typical scam attempts. Over 40% of the attacks were spear phishing, though these attacks did drop off as would be expected over the summer break. One attack ended up costing a school in Texas over $2.3 million, in what appeared to be a normal vendor transaction.

Phishing attacks often encourage you to interact with malicious links or documents, either to steal information like user credentials, or to install malware on your computer. The URL filtering in Acronis Cyber Protect prevents access to known malicious URLs, while the multi-layered detection engines stop ransomware and other malware that may be installed through interactions with documents or links.

Natural disasters wreaking havoc worldwide

Typhoon Molave, one of the strongest storms in the region in decades, battered Vietnam on October 28, leaving 40 people missing and 13 dead. 56,000 homes were damaged, and millions left without power.

On the same day, category 2 Hurricane Zeta made landfall in the Gulf Coast area of the United States, leaving five dead and 2.1 million without power. With sustained winds of 50 mph, Zeta also brought heavy rains and a storm surge along the coast, causing significant flooding in an area that was still trying to recover from previous storms.

In addition to Molave and Zeta, the week also saw nearly 40 moderate or strong earthquakes around the world, some leading to tsunami warnings in coastal regions. When natural disasters strike, Acronis Cyber Protect keeps your data safe with cloud-based backups and simple disaster recovery options, while Smart Alerts keep you informed of events that might put your data at risk.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.