Ransom gangs target Italy and Germany as attacks rise


Italy and Germany are increasingly being attacked by ransomware gangs, though the US remains the prime target, says cybersecurity analyst Cyble. Its quarterly report also sheds light on a fast-rising new threat actor that forces victims to donate money to charity instead of extorting them.

All in all, Cyble tracked the debut of more than 20 ransomware groups between April and June, a 30% spike on the number of entrants to the field in the first three months of the year.

The rise in threat actors was seemingly echoed by a surge in ransomware attacks on Italy and Germany, which saw respective quarterly increases of 294% and 119%.

All told, 1,298 organizations were registered as victims of an attack in the second quarter, with US corporations taking the lion’s share of hits — 711 as opposed to just 430 between January and March.

Just three countries, Italy, the US, and UK, sustained 60% of ransomware attacks for the quarter between them.

LockBit remained at the top of the list for the most prolific offender, despite a 5% slump in cyberattacks, notching up 252. But MalasLocker, a newcomer and close competitor with 171 attacks, arguably makes for more interesting reading. And that’s down to the unusual nature of its motivation and demands.

Robin Hood ransomers?

Most ransomware gangs encrypt data beyond use and extort victims for personal financial gain by threatening to leave it inaccessible, leak it, or both. MalasLocker does much the same, but with one key difference: on an apparently anti-capitalist ticket, it instructs target organizations to pay the ransom to a charity of the victim’s choosing.

First spotted by cybersecurity analysts in May, MalasLocker is thought to be a Spanish-language outfit that goes after servers running on Zimbra to steal sensitive emails and encrypt files.

In further evidence that this is no ordinary nationalist partisan group, MalasLocker has focused most of its attacks on both the US and Russia, with — once again — Italy also featuring prominently.

“The Spanish-speaking ransomware group has leaked emails of over 170 organizations, mainly from Italy, Russia, and the United States,” said Cyble. “However, instead of requesting a ransom payment, the threat actors insist on [the victim] donating to a charitable cause to provide an encryptor and prevent data leaks.”

Another notable difference is the rarity of the encryption tool deployed by MalasLocker.

“The ransomware group’s Base64-encoded section within the ransom note reveals an Age encryption tool header relatively rarely seen among ransomware groups,” said Cyble. “Further, the MalasLocker ransomware group is observed to target non-Windows devices that suggest similar tactics as that of AgeLocker ransomware discovered in 2020 and the QNAP campaign of 2022.”

Another recent cybersecurity report by SocRadar, published last month, notes that MalasLocker is a ransomware actor that purports to rob from the rich to (force them to) give to the poor.

“MalasLocker, much like Robin Hood, claims to have a distaste for corporate entities and economic inequality,” it said. “It operates outside the conventional norms of ransomware groups, posing an unusual demand that throws its victims off balance. However, whether this group is [...] truly committed to their stated cause, or simply another band of digital outlaws exploiting a narrative for their nefarious deeds remains to be seen.”

Expect more ransom demands

Other new actors on the scene named by Cyble include NoEscape, Akira, Rhysida, Obsidian, and BlackSuit ransomware gangs. After LockBit and MalasLocker, the most prolific identified for the quarter were Alphv/BlackCat, Cl0p — which has enjoyed quite a profile boost from its notorious MOVEit hack earlier this year — and Play.

What all of this adds up to, in Cyble’s view, is a continuing ransomware headache for businesses and organizations, despite increased efforts of regulators to make life more difficult for cybercriminals.

“Governments worldwide are tightening the noose on the ransomware groups to prevent financial and data loss in their industries,” it said. “Despite that, the proliferation of new ransomware groups remains challenging for businesses to safeguard their operations.”

And far from curtailing their activities, tighter regulations could end up just spurring ransomware gangs to refine their nefarious craft in response.

“Governments are adopting stricter regulations for such incident reporting on affected organizations,” said Cyble. “Ransomware groups may use this situation to adopt new extortion techniques, thereby pressuring the affected entity to pay the ransom.”

As such, it expects that the rest of the year will see ever more hapless organizations cave in to demands for ransom payments.

Bounty hunters to the rescue

Cyble also expects increased use of automation by ransomware groups, as more of them deploy AI programs to expedite their illegal operations.

“Ransomware groups will quickly adopt AI to automate their operations,” it said. “Further aggressive use of AI is anticipated for reverse engineering the security patches of critical vulnerabilities to promptly exploit more zero-days.”

In like fashion, increased “automation of reconnaissance” will allow threat actors to beat cybersecurity professionals to the punch, striking at widespread vulnerabilities such as the MOVEit breach before they’ve had a chance to take action.

Finally, Cyble says that transport, logistics, and energy-sector organizations may find themselves increasingly targeted in 2023.

However, there is some light at the end of the tunnel. Cyble also notes that many of the new ransom gangs themselves practice poor cybersecurity, leaving them vulnerable to online bounty hunters going after rewards put up by the authorities for catching serial offenders.

“We have observed that the operational security practiced by the new groups is relatively low,” it said. “Also, [...] governments [...] are promoting bounties for apprehending persistent ransomware groups. Therefore, we may witness an increase in takedowns.”


More from Cybernews:

Cl0p dumps all MOVEit victim data on clearnet, threat insiders talk ransom strategy

TikTok banned on government devices in New York

Anonfiles shuts down, citing user abuse

Edit your favorite influencer’s posts, earn money as you do it

Musicians can now license and monetize AI singers

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked