
6-Year Ransomware Campaign Targets Turkish Homes & SMBs

Why This Matters

This ongoing 6-year ransomware campaign targeting Turkish SMBs highlights how smaller-scale cyberattacks can persist undetected, exploiting weaker defenses and reduced law enforcement attention. It underscores the importance for consumers and small businesses to improve cybersecurity awareness and defenses against low-dollar, high-volume threats that can accumulate significant damage over time.

Key Takeaways

Researchers have uncovered a low-dollar, high-volume ransomware campaign that may have been quietly running since at least 2020.

So-called "big game hunters" — threat actors who attack the biggest organizations they can find — have no trouble getting their accomplishments splashed onto news websites. You'll hear less about small-game hunting because the targets are of less interest to the general public, and the money involved is less enticing.

Both models appear to work in the attackers' favor, though. Bigger ransomware actors benefit from attention, as it allows them to build "brands" based on fear and reliability. And smaller actors are escaping notice, working beyond the gaze of the mainstream cybersecurity community and quietly piling up fortunes from scraps.

A report from Acronis this week documented a cyberattack campaign that seems to have benefitted from fishing in a smaller pond. It's highly localized to Turkey, and its gambit is simple: using modified commercial malware to extort individuals and small or medium-sized businesses (SMBs) for a few hundred dollars a pop, at scale.


"Large enterprise attacks tend to attract media attention and law enforcement pressure, whereas smaller incidents often go unreported, allowing campaigns to persist longer with less disruption," explains Santiago Pontiroli, team lead at Acronis' Threat Research Unit (TRU). And that's far from the only advantage that the smaller model has.

Ransomware Against Turkish SMBs

The phishing flow used for this campaign is hardly that interesting, perhaps because it doesn't have to be. Targets receive an email, follow a link to a cloud-hosted file, and find a malicious Java archive inside. That sequence of steps is unlikely to be interrupted by sophisticated anti-phishing defenses.

The malware at the tail end is a custom variant of Adwind RAT, a nearly-decade-and-a-half-old and many-times-forked Java remote access Trojan (RAT). This variant establishes initial command-and-control (C2) and persistence by registering itself to run on startup, and runs through a series of checks.

Firstly and most strictly, the malware makes sure its victim is located in Turkey, and that their computer's language setting is set to Turkish. This allows the attacker to home in on victims they're most familiar with, and prevent their attacks from leaking into other regions where they might pick up unwanted attention. After the geofencing checks, the malware attempts to weaken a victim's system by disabling Microsoft Defender and checking for other antivirus software, blocking Windows updates, suppressing security notifications onscreen, and eliminating any means of data recovery.
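The following host audit is an added example, not code from the article or from Acronis: it checks a Windows endpoint for the kinds of tampering the article attributes to this Adwind variant (Defender off, updates blocked, notifications suppressed, recovery removed, a startup entry launching a JAR) and records the locale the malware geofences on. The specific registry policy keys, and the assumption that startup persistence uses a Run key, are this example's own choices, since the article does not name the mechanisms.

```powershell
# Added host-audit example (not the article's or Acronis' code). Flags the
# defense-weakening the article describes. Registry keys and the Run-key
# persistence assumption are this example's own, not taken from the report.
$findings = @()

# 1. Defender state, via the built-in Defender cmdlets and the policy key
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.RealTimeProtectionEnabled -or -not $mp.AntivirusEnabled) {
    $findings += 'Defender real-time protection or AV engine is off'
}
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($pol.DisableAntiSpyware -eq 1) { $findings += 'Policy DisableAntiSpyware=1 (Defender disabled by policy)' }

# 2. Windows Update blocked: service disabled or auto-update switched off by policy
$wu = Get-Service wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') { $findings += 'Windows Update service (wuauserv) disabled' }
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au.NoAutoUpdate -eq 1) { $findings += 'Policy NoAutoUpdate=1 (automatic updates blocked)' }

# 3. Security notifications suppressed (Notification Center disabled by policy)
$nc = Get-ItemProperty 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Explorer' -ErrorAction SilentlyContinue
if ($nc.DisableNotificationCenter -eq 1) { $findings += 'Notification Center disabled by policy' }

# 4. Recovery options removed: no shadow copies and/or boot recovery turned off
if (-not (Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)) {
    $findings += 'No volume shadow copies present'
}
if ((bcdedit /enum '{current}' 2>$null) -match 'recoveryenabled\s+No') {
    $findings += 'Boot recovery environment disabled (recoveryenabled No)'
}

# 5. Startup persistence that launches a Java archive (assumed mechanism: Run keys)
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Value -match '(?i)java.*\.jar' } |
            ForEach-Object { $findings += "Run entry '$($_.Name)' launches a JAR: $($_.Value)" }
    }
}

# 6. Context for triage: the campaign only proceeds on Turkish-locale systems
$findings += "System locale: $((Get-WinSystemLocale).Name); UI culture: $((Get-Culture).Name)"

$findings | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell session so the HKLM policy keys, shadow copies and bcdedit output are readable; any finding in items 1 through 5 is worth correlating with recent JAR downloads and the Java runtime's process history.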
