ESTsecurity reveals ransomware behavior-based blocking statistics for ALYac users in the second quarter... Although it has decreased compared to the previous quarter, the threat is still present


2022. 7. 8.


ESTsecurity, ALYac released behavior-based Ransomware blocking statistics for the second quarter of 2022

Security specialist company ESTsecurity (CEO Jung Jin-il) announced on the 8th that the 'ransomware behavior-based pre-blocking' feature built into its antivirus program 'ALYac' blocked a total of 148,689 ransomware attacks in the second quarter of 2022.

According to statistics from ESTsecurity's Security Response Center (hereinafter ESRC), ALYac blocked a total of 148,689 ransomware attacks in the second quarter, an average of about 1,652 blocks per day when the quarter is counted as 90 days (30 days per month). This is a decrease of about 29,000 cases from the first quarter, but the threat of ransomware is still considered to be high.

This statistic counts only blocks by the 'ransomware behavior-based blocking function' of ALYac Public, the edition offered free of charge to individual users. If pattern (signature) based detections were added, the total number of attacks would be significantly higher.

Behavior-based ransomware blocks among ALYac users have fallen noticeably since June, while pattern-based detection figures have not changed significantly. The two figures measure different stages of an attack: signature matching stops a known sample before it runs, whereas behavior-based blocking only fires once a sample that slipped past signatures starts behaving like ransomware. The divergence therefore admits several explanations, such as a temporary lull in variant attacks, and the trend needs to be observed through the third quarter.

ESTsecurity selected the following as the major ransomware trends of the second quarter of 2022: ▲the resurgence of Makop and LockBit ransomware targeting Korea, spread by the VenusLocker group through resume and copyright-infringement phishing emails, ▲distribution of Magniber ransomware through typosquatting, and ▲wiper attacks disguised as ransomware related to Russia's invasion of Ukraine.

The ransomware distribution group known as the VenusLocker group has been active in Korea for a long time. Recently it has been spreading modified Makop or LockBit ransomware packaged as NSIS (Nullsoft Scriptable Install System) installers, and ESRC is continuously tracking the group. The possibility that a different threat actor is mimicking the delivery vector the VenusLocker group used in the past is not excluded, and further investigation is underway.

The group continues to deliver ransomware with social-engineering lures that exploit users' business needs and anxiety: for instance, disguising the ransomware as a resume attachment, or as a copyright-infringement complaint about image files.

Magniber ransomware also grew in prominence. It was distributed through 'typosquatting', in which attackers register domains that are common misspellings of legitimate site addresses, so that users who mistype a URL land on a look-alike malicious site. During this quarter many users were tricked by such sites into running ransomware disguised as a Windows update installer.
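As an added illustration of the typosquatting technique described above (example code, not ESTsecurity's or ALYac's), the following Python generates the single-keystroke typo domains an attacker might register for a trusted domain and then checks a constructed proxy log for hosts that match. The trusted domain `example.com`, the log format and the sample lines are assumptions; the page does not say which legitimate sites the Magniber look-alike domains imitated.

```python
# Added example (not ESTsecurity or ALYac code): generate the typo-domain variants
# an attacker would register for a trusted domain, then look for them in a proxy
# or DNS log. The trusted domain, log format and sample lines are constructed.
import string


def typo_variants(domain):
    """Return the set of single-keystroke typos of `domain` (same TLD):
    one character omitted, one doubled, one replaced, one inserted,
    or two adjacent characters swapped."""
    name, _, tld = domain.lower().rpartition(".")
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                          # omission
        out.add(name[:i] + name[i] + name[i:])                    # doubled letter
        for c in string.ascii_lowercase:
            if c != name[i]:
                out.add(name[:i] + c + name[i + 1:])              # replacement
    for i in range(len(name) - 1):
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for i in range(len(name) + 1):
        for c in string.ascii_lowercase:
            out.add(name[:i] + c + name[i:])                      # insertion
    out.discard(name)                                             # never flag the real name
    return {v + "." + tld for v in out if v}


def find_typosquat_hits(log_lines, trusted_domains):
    """Scan log lines of the assumed form '<time> <client> <host> <path>' and
    return (host, imitated_domain, client) for every host that is a typo
    variant of one of the trusted domains."""
    lookup = {}
    for trusted in trusted_domains:
        for variant in typo_variants(trusted):
            lookup[variant] = trusted.lower()
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = parts[2].lower().rstrip(".")
        if host.startswith("www."):        # treat www.host and host alike
            host = host[4:]
        if host in lookup:
            hits.append((host, lookup[host], parts[1]))
    return hits


# Constructed proxy log (not real traffic). The second line mimics the
# fake "Windows update" download lure described for Magniber.
SAMPLE_LOG = [
    "2022-06-14T09:12:01 10.0.0.5 www.example.com /",
    "2022-06-14T09:12:40 10.0.0.7 exampel.com /download/Windows10-Update.msi",
    "2022-06-14T09:13:02 10.0.0.9 exmple.com /",
    "2022-06-14T09:13:30 10.0.0.5 unrelated.org /",
]

if __name__ == "__main__":
    for host, imitated, client in find_typosquat_hits(SAMPLE_LOG, ["example.com"]):
        print(f"{client} reached {host}, a look-alike of {imitated}")
```

The generator covers keyboard typos only; homoglyph and internationalized-domain look-alikes, bit-squatting and different-TLD registrations need separate candidate lists. In practice the candidate set is fed into DNS or proxy logs as a blocklist or alert rule, and a hit that is followed by an installer download from the look-alike host, as in the constructed second line, is the pattern worth paging on.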

Furthermore, as the war following Russia's invasion of Ukraine continues, anonymous cyber groups have openly declared support for their side and carried out cyber attacks against the opposing nation. A Chaos ransomware variant discovered in May infects users' computers and changes file extensions to 'fuckazov', where 'azov' is understood to refer to Ukraine's Azov Battalion.

New ransomware has also emerged, such as WannaFriendMe, which uses the .Ryuk extension and is known to be closely related to the Chaos ransomware variant. Notably, instead of demanding Bitcoin or Ethereum, it tried to sell a 'Ryuk Decrypter' through the Roblox game store and urged victims to pay in Robux, Roblox's in-game currency. The relevant store posts have since been deleted.
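The statistics above distinguish signature-based detection from behavior-based blocking, and the Chaos variant and WannaFriendMe are both identified by the extension they append to encrypted files. The following added example (illustrative code, not ALYac's blocking engine, whose internals the page does not describe) shows the simplest form of a behavior-based heuristic: a process that renames many files across several directories to one extension that is not on an allow-list inside a short window. The event format, thresholds, allow-list and the sample event log are all assumptions constructed for the example.

```python
# Added example (not ALYac or ESTsecurity code): a minimal behaviour-based
# ransomware heuristic run over a constructed file-event log. Event format,
# thresholds and the extension allow-list are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds since monitoring started
    pid: int    # process that performed the operation
    op: str     # "rename" or "write"
    src: str    # path before the operation
    dst: str    # path after a rename ("" for writes)


# Extensions a benign process commonly renames files to (assumed allow-list).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".bak", ".tmp"}


def ext_of(path):
    """Return the lower-cased final extension of a path, or "" if there is none."""
    dot, slash = path.rfind("."), path.rfind("/")
    return path[dot:].lower() if dot > slash else ""


def detect_mass_rename(events, window=10.0, min_files=5, min_dirs=2):
    """Return {pid: extension} for every process that, inside some `window`-second
    span, renamed at least `min_files` files spread over at least `min_dirs`
    directories to the same extension that is not on the allow-list."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "rename":
            by_pid[ev.pid].append(ev)

    verdicts = {}
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):            # slide a time window over the renames
            while evs[end].ts - evs[start].ts > window:
                start += 1
            targets = defaultdict(set)         # new extension -> renamed paths
            for ev in evs[start:end + 1]:
                new_ext, old_ext = ext_of(ev.dst), ext_of(ev.src)
                if new_ext and new_ext not in KNOWN_EXTENSIONS and new_ext != old_ext:
                    targets[new_ext].add(ev.dst)
            for ext, paths in targets.items():
                dirs = {p.rsplit("/", 1)[0] for p in paths}
                if len(paths) >= min_files and len(dirs) >= min_dirs:
                    verdicts[pid] = ext
    return verdicts


# Constructed sample log (not real telemetry).
SAMPLE_EVENTS = [
    # pid 4242: six renames in about 2 s across two directories to ".fuckazov"
    FileEvent(0.0, 4242, "rename", "/home/u/docs/a.docx", "/home/u/docs/a.docx.fuckazov"),
    FileEvent(0.4, 4242, "rename", "/home/u/docs/b.xlsx", "/home/u/docs/b.xlsx.fuckazov"),
    FileEvent(0.9, 4242, "rename", "/home/u/docs/c.pdf", "/home/u/docs/c.pdf.fuckazov"),
    FileEvent(1.3, 4242, "rename", "/home/u/pics/d.jpg", "/home/u/pics/d.jpg.fuckazov"),
    FileEvent(1.8, 4242, "rename", "/home/u/pics/e.png", "/home/u/pics/e.png.fuckazov"),
    FileEvent(2.2, 4242, "rename", "/home/u/pics/f.txt", "/home/u/pics/f.txt.fuckazov"),
    # pid 100: an editor finishing an atomic save (temp file renamed into place)
    FileEvent(0.5, 100, "rename", "/home/u/docs/notes.txt.tmp", "/home/u/docs/notes.txt"),
    # pid 300: a backup job rotating files in one directory to an allow-listed extension
    FileEvent(3.0, 300, "rename", "/srv/db/1.sql", "/srv/db/1.sql.bak"),
    FileEvent(3.1, 300, "rename", "/srv/db/2.sql", "/srv/db/2.sql.bak"),
    FileEvent(3.2, 300, "rename", "/srv/db/3.sql", "/srv/db/3.sql.bak"),
    FileEvent(3.3, 300, "rename", "/srv/db/4.sql", "/srv/db/4.sql.bak"),
    FileEvent(3.4, 300, "rename", "/srv/db/5.sql", "/srv/db/5.sql.bak"),
    # pid 200: three ".Ryuk" renames a minute apart, below both thresholds
    FileEvent(10.0, 200, "rename", "/home/u/x.txt", "/home/u/x.txt.Ryuk"),
    FileEvent(70.0, 200, "rename", "/home/u/y.txt", "/home/u/y.txt.Ryuk"),
    FileEvent(130.0, 200, "rename", "/home/u/z.txt", "/home/u/z.txt.Ryuk"),
    # a plain write (a ransom note), ignored by the rename heuristic
    FileEvent(5.0, 4242, "write", "/home/u/docs/READ_ME.txt", ""),
]

if __name__ == "__main__":
    print(detect_mass_rename(SAMPLE_EVENTS))   # {4242: '.fuckazov'}
```

Two caveats follow directly from the sample. The verdict on pid 4242 arrives only after six files have already been renamed, so a heuristic of this kind limits damage rather than preventing it, which is why the free-edition figure above can only count attacks that got as far as executing. And pid 200 shows the trade-off in the thresholds: loosening them to catch a slow encryptor (`window=200.0, min_files=3, min_dirs=1` flags it) also moves ordinary bulk renames closer to the alert line.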

In addition, ransomware targeting the VMware ESXi virtualization platform commonly used by enterprises has been observed. Black Basta ransomware, discovered in April, initially targeted Windows systems, but a Linux variant found later was built specifically to target ESXi servers. Variants of Cheers ransomware such as Cheerscrypt that target only ESXi servers have also been discovered, and ransomware aimed at ESXi servers is expected to keep increasing.

Director Moon Jong-hyun of ESRC stated, "Ransomware is still one of the most significant cyber threats and cannot be taken lightly. Although the statistics showed a slight decline in June, it continues to be deployed through various means such as typosquatting, combination with APT attacks, and traditional email tactics," and emphasized, "In particular, web servers in operation should always be kept up to date, and constant security management is required to prevent ransomware attacks through vulnerabilities such as file uploads and web shell installation." He added, "Periodic data backups and security awareness training for employees are essential to prepare for similar known threats."

Meanwhile, ESTsecurity continues to work closely with the Korea Internet & Security Agency (KISA), collecting ransomware information and coordinating its response, to prevent damage to domestic users from ransomware infections.

WE WORK WITH AI

We believe that AI makes the world more convenient and safer

1.

Senior care with AI

An AI senior-care service that provides fun and cognitive enhancement for seniors using AI human technology

2.

Education with AI

Expansion of educational businesses in various fields, such as celebrity-instructor video lecture production, TOEIC speaking education content, and AI content with an AI fitness training instructor

3.

Content with AI

Implementing 'moving pictures' with EST AI technology, and 'face transformation, makeup application, and clothing creation' through deep learning

Creating and utilizing various AI human content, such as new-employee analysts and announcers

4.

API business with AI

Providing data and solutions using AI as an API, so that companies can focus on their intrinsic customer value

5.

Software with AI

ESTsoft AI technology, such as the background-removal feature in ALSee Capture, and the smooth design of ALTools products provide the utility environment that users want.

LET'S Connect

We collaborate with ambitious brands and people around the world.

To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.

Download Company Brochure

CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code)06711

Family Site
