Targeted ransomware groups spotted in Southeast Asia – Kaspersky expert

Global cybersecurity firm Kaspersky revealed on Tuesday that “evolving” ransomware groups are operating in the Southeast Asia (SEA) region, targeting public and private organizations for blackmail.

Kaspersky’s 2020 research reiterated the need for “proactive and intelligence-based security” in SEA, as cybercriminals are taking advantage of the combined digital aftermath of the pandemic and the geopolitical situation in the region.

“This year is not only the time of changes, but it changed the time itself. It changed the way we travel, the way we shop, the way we interact with each other. The computer threat model has evolved since COVID-19 started,” said Vitaly Kamluk, director for Global Research and Analysis Team (GReAT) Asia Pacific at Kaspersky.

Maze ransomware group and attack process

Kamluk said that among the notorious ransomware families, the Maze family was one of the first to conduct this kind of operation. The group behind Maze ransomware has leaked the data of victims who refused to pay the ransom, and has done so more than once.

In November 2019, the group leaked 700MB of internal data online with an additional warning that the published documents are just 10% of the data they were able to steal. They have also created a website where they revealed the identities of their victims as well as the details of the attack — date of infection, amount of data stolen, names of servers, and more.

The cybersecurity expert said the attack process used by this group is to infiltrate the victim’s systems, hunt for the most sensitive data, and upload it to the group’s own cloud storage. Only after the data has been exfiltrated is it encrypted, using RSA.

RSA is a public-key algorithm widely used for secure data transmission: data encrypted with a public key can only be decrypted with the matching private key. The acronym comes from the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who publicly described the algorithm in 1977. In a ransomware operation this matters because the private key stays with the attackers, so the victim cannot recover the encrypted data without it.
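Kamluk’s description of data being “encrypted with RSA” corresponds to the hybrid pattern ransomware typically uses: each file is encrypted with a fresh symmetric key, and that key is wrapped with the attacker’s RSA public key, so the private key needed to unwrap it never touches the victim’s network. The following Go program is an added example, not Kaspersky’s or Maze’s code, and demonstrates that pattern in general form using only the standard library (AES-256-GCM for the data, RSA-OAEP for key wrapping). The sample document and both key pairs are constructed inside the program. It goes beyond the page’s one sentence by showing concretely why a victim who holds only the public key cannot get the data back, which is the reason offline backups are the recovery path.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what the scheme leaves on disk: the AES-GCM ciphertext,
// its nonce, and the per-file key wrapped with the attacker's RSA public key.
// The plaintext AES key itself is never written anywhere.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile encrypts plaintext under a fresh random AES-256 key (GCM mode) and
// wraps that key with RSA-OAEP under pub. Whoever holds the matching private key,
// and only they, can unwrap it later.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// fileKey is discarded here; from now on it exists only inside the RSA envelope.
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile unwraps the file key with priv and decrypts the ciphertext.
// With the wrong private key the OAEP unwrap fails and no plaintext is produced.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo runs the scheme end to end on a constructed sample document. It returns
// whether a party holding only the public key (the victim) recovers the data,
// whether the private-key holder (the attacker) does, and any setup error.
func Demo() (victimRecovers bool, holderRecovers bool, err error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample input standing in for a sensitive document.
	document := []byte("Q3 supplier contracts - CONFIDENTIAL")

	ef, err := EncryptFile(&attackerKey.PublicKey, document)
	if err != nil {
		return false, false, err
	}

	// The victim can generate RSA keys all day; none of them is the attacker's.
	victimKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	if out, derr := DecryptFile(victimKey, ef); derr == nil && bytes.Equal(out, document) {
		victimRecovers = true
	}

	out, derr := DecryptFile(attackerKey, ef)
	holderRecovers = derr == nil && bytes.Equal(out, document)
	return victimRecovers, holderRecovers, nil
}

func main() {
	victim, holder, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("victim recovers without private key: %v\n", victim)
	fmt.Printf("private-key holder recovers: %v\n", holder)
}
```

The design point is the key lifecycle, not the ciphers: the symmetric key lives in memory only for the duration of one file’s encryption, and the only durable copy is the RSA envelope that the victim cannot open. Brute-forcing a 2048-bit RSA key or a random 256-bit AES key is not a practical recovery option, so a defender’s leverage lies entirely in backups that the intruder could not reach and in detecting the exfiltration stage that precedes encryption.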

Kamluk said a ransom will be demanded based on the size of the company and the volume of the data stolen. The group will then publish the details on their blog and even make anonymous tips to journalists.

“The next step is to blackmail by threatening to publish these data online, and nobody would care if they published it or sold their private website, but of course they know that the publicity will destroy the image and reputation of the victim so they also keep them on the most deeps to the journalists to, you know, highlight a breach of the particular company,” he said.

In January, the group was also involved in a lawsuit brought by a cable manufacturer. This resulted in the group’s website being shut down.

“We are monitoring an uptick on Maze detections globally, even against a few companies in Southeast Asia, which means this trend is currently gaining momentum,” the researcher said.

Target companies in the Southeast Asia region

Targeted organizations in the region include a government enterprise, aerospace and engineering, steel sheet manufacturing and trading, a beverage company, palm products, hotel and accommodation services, and information technology (IT) services.

Kamluk advised enterprises and organizations to make backups of data, simulate attacks, prepare an action plan for disaster recovery, monitor software activity on endpoints, record traffic, and check hardware integrity to remain protected against these threats.

Kaspersky is a global cybersecurity company founded in 1997 with deep threat intelligence and security expertise. Over 400 million users are protected by Kaspersky technologies.