Kaspersky confirms APAC most targeted region for Ransomware 2.0

While there is still no clear reason why the Asia Pacific (APAC) region is highly targeted with ransomware in 2020, cybersecurity firm Kaspersky advises organizations to bolster their cyberdefenses and

In December, Kaspersky announced the proliferation of Ransomware 2.0, emphasizing the severity of attacks as opposed to the first versions of ransomware families and attacks.

Kaspersky defines Ransomware 2.0 as groups that moved from taking data hostage to exfiltrating data coupled with blackmailing. Subsequent events may include paying ransom The aftermaths of a successful attack include significant monetary loss and damaging reputation loss.

“In APAC, we at Kaspersky noticed the reemergence of two highly active groups: REvil and JSWorm,” said Alexey Shulmin, Lead Malware Analyst at Kaspersky. Both resurfaced as the pandemic rages in the region last year and we see no signs of them stopping anytime soon.”

Kaspersky saw a drop in ransomware attempts on SMBs in 2020

Kaspersky sheds light on the ransomware ecosystem

Shulmin said Kaspersky detected the activities of REvel and JSWorm in 2019.

“The REvil group, which is also known as Sodinokibi and Sodin, initially carried out its attacks on MSPs (managed service providers) and distributed itself using Oracle Weblogic but back then we have discovered that it also exploited the CVE-2018-8453 vulnerability to elevate privileges in Windows,” Shulmin explained. “It used legitimate processor functions to avoid detection by security solution.”

Kaspersky uncovers that REvil’s activities, which peaked in August 2019, affected 289 potential victims. However, the group remained quiet until July 2020. It turns out the group is preparing for acceleration of attacks. Kaspersky reported that its security solutions protected 877 users in July from only 44 in June or an increase of 1,893%.

The cybersecurity solutions company saw that the targets came from the engineering and manufacturing sectors (30%) finance (14%), professional and consumer Services (9%), legal, IT and telecommunications, and food and beverage industries all at 7%.

It is interesting to note that APAC is home to many manufacturing companies.


Another ransomware group that Kaspersky monitored is the JSWorm or also known by names such as Nemty, Nefilim, Offwhite, Fusion, and Milihpen, among others.

It shares many characteristics with REvil including the timeline of attacks. According to Kaspersky, like REvil, JSWorm also entered the ransomware landscape in 2019. The company, however, found JSWorm opted to go beyond the APAC borders and chose targets in in North and South America (Brazil, Argentina, USA), in the Middle East and Africa (South Africa, Turkey, Iran), in Europe (Italy, France, Germany), and in APAC (Vietnam).

“The number of JSWorm victims is relatively lower compared with REvil but it is clear that this ransomware family is gaining ground,” Kaspersky said. “Overall, Kaspersky solutions have blocked attempts against 230 users globally, still, a 752% increase compared to 2019’s only 27 users almost infected with this type of threat.

Experts from Kaspersky noticed a shift in the group’s attention towardthe APAC region. China emerged as the country with the most number of Kaspersky Security Network (KSN) users almost infected by JSWorm globally, followed by the United States, Vietnam, Mexico, and Russia. More than one-third (39%) of all the enterprises and individuals this group has targeted last year were also located in APAC.