Although American and European firms receive a lot of ransomware attacks originating from Russian soil, Russian businesses are not immune to file encryption and double-extortion issues. The actors that cause concern for Russian and CIS-based businesses aren’t REvil, LockBit, DarkSide, or other well-known organizations that carry out high-profile cyberattacks on critical infrastructure targets, but much smaller, little known groups.
According to Kaspersky’s report on cyberattacks in the first half of 2021, the CIS (Commonwealth of Independent States) is also the target of a thriving cyber-criminal ecosystem that targets Russian businesses monthly, with the majority of attacks going unnoticed.
The entities who make up this primarily unnoticed subgroup of ransomware operators are usually less skilled, rely on older or released software, and initiate intrusions on their own rather than purchasing access to targets.
The following are the most prominent ransomware families that have been used against Russian targets this year:
- BigBobRoss
- Phobos/Eking
- Crysis/Dharma
- CryptConsole
- Cryakl/CryLock
- Limbozar/VoidCrypt
- Fonix/XINOF
- XMRLocker
- Thanos/Hakbit
Out of these, Dharma and Phobos are the strains that have had the most success in the past.
Dharma was initially released in the open under the name Crysis five years ago. Despite its age, it still has one of the most robust and dependable encryption systems available. After brute-forcing passwords, Dharma actors generally acquire unauthorized RDP access and manually distribute malware.
Phobos was released in 2017 and will be completed in early 2020. Unauthorized RDP access is the principal entry point for the actors in this scenario as well. It’s a C/C++ virus with technical similarities to the Dharma strain in the context but no underlying relationship.
Even though these RaaS programs come and go, they are not without power. According to Kaspersky, some of these strains are still in development, with writers striving to make them more potent, so none should be dismissed.
Many of these dangers can be avoided by simply limiting RDP access, using strong passwords for domain accounts that are updated regularly, and connecting to business networks using VPN.
