Ransomware attacks during the first half of this year increased by 51% compared to the previous year, according to a CERT-In report published on Tuesday. It cited post-COVID digitization, hybrid work culture, modernization of attack toolkits and the evolution of ransomware-as-a-service as the main reasons for these attacks.
Attackers exploited known unpatched vulnerabilities in public networks to gain initial access. Common routes of entry also included compromised credentials for remote access services, including VPN and RDP, which threat actors used to gain access to networks, the report said. Attackers have also taken advantage of legitimate tools such as "AnyDesk", which is used for remote administration.
They used these tools to run scripts in safe mode and bypass installed security solutions to carry out further attacks. The attacks also targeted multiple platforms, such as Linux-based operating systems, virtual environments such as ESXi, backup storage and cloud environments.
For cloud-based systems, ransomware groups chose to erase data after exfiltration rather than encrypting it, the report said. The main sectors affected by these attacks include data centers, IT/IT, manufacturing and finance, oil and gas, transportation and energy.
The report states that among the prominent ransomware families observed in H1 2022, Djvu/Stop and Lockbit were the most used. While Djvu/Stop was used for attacks targeting citizens, Lockbit was mostly used for targeted attacks. Citizen-targeted attacks refer to attacks on the personal devices of prominent individuals such as CAs, lawyers, journalists, and politicians, while targeted attacks refer to attacks on organizations.
Other ransomware families used for attacks included Phobos, seen in both citizen-targeted and targeted attacks, while Hive group activity was observed in targeted attacks.
While families like Djvu/Stop have mostly been used in attacks targeting citizens, they can also be used to target organizations. Similarly, Lockbit can be used in attacks targeting citizens.
CERT-In advised victims of these attacks to isolate infected systems from networks, report the attacks to CERT-In or other regulatory authorities, and file FIRs with law enforcement agencies.
However, it urged victims to avoid negotiating or paying ransom in the event of such attacks.