ALYac blocked a total of around 143,000 'Ransomware attacks' in the third quarter of 2021


The large-scale attacks of the Sodinokibi Ransomware continue


Security specialist company ESTsecurity (CEO Sang-Won Jung) announced on the 13th that it had blocked a total of 143,321 Ransomware attacks in the third quarter of 2021 through its antivirus program 'ALYac'.

According to the statistics, ALYac blocked a total of 143,321 Ransomware attacks in the third quarter of 2021, which works out to an average of about 1,592 Ransomware attacks blocked per day.

Additionally, the total number of Ransomware attacks blocked through ALYac in the first half of this year amounted to 313,075 cases, which when combined with the attacks blocked in the third quarter, reaches a current total of 456,396 cases.

This statistic counts only the attacks blocked by the 'Ransomware Behavioral-Based Pre-blocking Feature' of the publicly available free version of the ALYac antivirus program, and it is estimated that the total number of attacks would be much higher if pattern-based attacks were also included.

However, the analysis shows that the total number of Ransomware detections has been decreasing continuously over the past two years, and the third quarter also showed a slight decrease compared to the second quarter.

ESTsecurity's Security Response Center (ESRC) selected the following as the main Ransomware attack trends of the third quarter: ▲ the large-scale Kaseya supply chain attack carried out by the Sodinokibi Ransomware group ▲ the emergence of BlackMatter Ransomware, which is similar to DarkSide ▲ an increase in LockBit 2.0 attacks, with damage occurring at various companies both domestically and internationally ▲ the 'Makop' Ransomware spread by the VenusLocker group, which continues to attack individuals and companies in Korea.

The most significant threat of the third quarter can be attributed to the massive Kaseya supply chain attack by the Sodinokibi Ransomware group. In July, the Sodinokibi Ransomware group, consisting of Russian hackers, carried out the supply chain attack through a Kaseya update, which resulted in at least 1,500 organizations being affected. The attackers exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya VSA software. The Sodinokibi hackers initially demanded $70 million in ransom money.

The discovery of the BlackMatter Ransomware, which is similar to the well-known Ransomware DarkSide, also needs attention. BlackMatter, known for attacking Japan's Olympus, is operated in the form of Ransomware as a Service (RaaS), and is provided for various operating systems and architectures, including Windows and Linux. In May, the US pipeline company Colonial Pipeline also suffered significant damage due to a DarkSide Ransomware attack.

In August, various domestic and international companies were hit by the new, upgraded LockBit 2.0 Ransomware. The global IT consulting firm Accenture and the domestic companies Jinyang Oil Seal and Pulmuone's US branch are known to be among those affected by LockBit 2.0 attacks. The attackers used a double extortion strategy, threatening to leak the corporate data they had acquired while demanding payment of a ransom.

Furthermore, as in the second quarter, the Makop Ransomware spread by the VenusLocker group was continuously found in Korea during the third quarter. The attackers primarily used spear-phishing emails with EXE files disguised as job applications, resumes, work experiences, portfolios, quotation requests, or documents relating to copyright infringement. Makop samples using the HWP icon, first discovered in the second quarter, began to appear again from September, and cases using GOMPlayerGlobal Setup File and PDF icons were confirmed in August. The attackers varied the file names, descriptions, extensions, mail addresses, etc., skillfully evading detection methods.
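Because the Makop campaign described above varies file names, extensions and icons, a mail-gateway check is more robust when it inspects attachment content rather than names. The following is an added example, not part of the original press release and not ALYac's code: it flags any attachment whose bytes carry a Windows PE header. The function names, addresses and sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew
    field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def flag_executable_attachments(raw: bytes) -> list[str]:
    """Return the names of attachments that are Windows executables,
    judged by content only (file name and MIME type are ignored)."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_pe(data):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


def build_sample() -> bytes:
    """Constructed sample: a job-application style mail with two
    PE-header stubs (inert, no code) and one genuine PDF header."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\0\0"

    msg = EmailMessage()
    msg["From"] = "applicant@example.com"      # constructed address
    msg["To"] = "hr@example.com"               # constructed address
    msg["Subject"] = "Job application"
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(bytes(stub), maintype="application",
                       subtype="octet-stream", filename="resume.exe")
    # Same content under a different extension and declared type.
    msg.add_attachment(bytes(stub), maintype="application",
                       subtype="pdf", filename="quotation_request.bin")
    msg.add_attachment(b"%PDF-1.4\n% constructed\n", maintype="application",
                       subtype="pdf", filename="copyright_notice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name in flag_executable_attachments(build_sample()):
        print("executable attachment:", name)
```
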

In addition, new Ransomware based on Babuk Ransomware was discovered in August, and Penta Ransomware using the Chuseok keyword and the Korea-targeted Gwisin Ransomware were discovered in September. The newly discovered or noteworthy Ransomware of the third quarter are as follows.
