Symantec has warned of significant growth in ransomware attacks targeting enterprises, as well as an increase in the number of groups believed to be behind the campaigns.
Although 2018 saw an overall decrease in the number of ransomware infections, attacks against businesses and other organisations grew significantly, Symantec warned in a white paper released today.
The security vendor said that ransomware infections had dropped by a fifth, but attacks targeting organisations grew by 12 per cent, with enterprises accounting for 81 per cent of all ransomware infections in 2018.
In late 2015/early 2016, security companies including Symantec warned that attackers were using unpatched JBoss servers as a pathway into enterprise networks to deploy ransomware.
An increasing number of groups have sought to emulate the success of the ‘SamSam’ ransomware group, Symantec’s white paper states.
While in 2017 SamSam was believed alone in specifically targeting enterprises with ransomware, in early 2018 Ryuk emerged. Since then other ransomware gangs including GoGalocker, MegaCortex and Robbinhood have been identified.
“As recently as January 2017, Symantec observed a little more than a dozen organizations a month being attacked,” the security vendor’s white paper said. “However, recent months have seen that figure grow to above 50 organizations a month.”
GoGalocker “typifies the current type of targeted ransomware attack being deployed against businesses,” states a Symantec blog entry.
“The attackers behind the ransomware are skilled and knowledgeable enough to penetrate the victim’s network, deploy a range of tools to move across and map the network while using a variety of techniques to evade detection, before simultaneously encrypting as many machines as possible.
“In carrying out its attacks, GoGalocker borrows many of the tools and techniques used by espionage groups, making extensive use of publicly available hacking tools and living off the land tactics. Once inside the victim’s network, the attackers run PowerShell commands to run shellcode that enables them to connect to the attacker’s command and control server.”
Tools such as Mimikatz and Wolf-x-full are used to traverse an organisation’s network and steal credentials, Symantec said. Attackers will often seek to disable security software and then deploy ransomware across the network.
The security company said GoGalocker has attacked organisations in industries including computer services, accountancy and auditing, consultancy, financial services, power tools, building and construction, financial services, publishing, printing, metals, and warehousing and storage.