[BreachExchange] Kaspersky detected new ransomware attack on Russian companies

Destry Winant destry at riskbasedsecurity.com
Tue Mar 9 10:49:44 EST 2021


https://www.ehackingnews.com/2021/03/kaspersky-detected-new-ransomware.html

Kaspersky Lab has recorded a series of targeted attacks against
Russian financial and transport companies. The attackers used
previously unknown ransomware.

According to a statement from Kaspersky Lab, since December 2020 ten
Russian financial and transport companies have been attacked using the
previously unknown Quoter ransomware. Experts believe the
Russian-speaking group RTM is behind the campaign.

The hackers sent out phishing emails with subject lines chosen to get
the recipient to open the message, for example "Request for refund" or
"Copies of documents from the last month". As soon as the recipient
clicked the link or opened the attachment, the RTM Trojan was
downloaded to their device.

The attackers then tried to transfer money through accounting
software, either by replacing the details in payment orders or
manually via remote access tools. If that failed, they deployed
Quoter, which encrypted the data using the AES algorithm and left
contact details for negotiating with the attackers. If the victim did
not respond, the attackers threatened to publish the stolen personal
data, attached evidence of the theft, and demanded a ransom of about
$1 million.

Sergey Golovanov, a leading expert at Kaspersky Lab, warned that the
attacks pose a serious threat to companies because the hackers use
several tools at once: a phishing email carrying a banking Trojan,
followed by an encryption program.

"Among the features of this campaign is that the Russian-speaking RTM
attackers have changed their tools for the first time; moreover, they
are now attacking Russian companies," said Mr. Golovanov, noting that
encryption programs are usually used in attacks on foreign
organizations.

Group-IB has also warned about attacks by RTM. According to the
company, from September to December 2018 the group sent more than
11,000 malicious emails to financial institutions from addresses
spoofed to look like those of government agencies. The emails carried
a malicious attachment: an archive whose contents had fake PDF icons,
and running the file extracted from the archive infected the
computer. On average, one successful theft of this type brought the
attackers about 1.1 million rubles ($15,000).
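The Group-IB description above (an archive attachment whose payload carries a document-style icon and infects the machine when run) is the kind of lure a mail gateway can catch by looking at what is inside the archive rather than at names or icons. The following is an added example written for this post; it is not code from Kaspersky, Group-IB or the article, and the extension list, the sample archive and the member names are constructed for illustration. It unpacks a zip attachment in memory, flags members that have an executable extension or a document-looking double extension, and, independently of the name, flags any member whose bytes begin with a DOS "MZ" stub pointing at a valid "PE\0\0" signature, which a fake PDF icon does not change.

```python
"""Added example: content-based check for executables hidden in archive attachments.
Not the article's or either vendor's code; extension list and sample data are assumptions."""
import io
import struct
import zipfile
from typing import Dict, List

# Extensions Windows will execute directly when double-clicked (illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def is_pe(data: bytes) -> bool:
    """True if data starts with an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_name(filename: str) -> List[str]:
    """Name-based heuristics: executable extension, or document.ext.exe style double extension."""
    reasons = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    exts = ["." + p for p in parts[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        reasons.append("document-looking double extension")
    return reasons


def inspect_archive(blob: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious member of a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as member:
                head = member.read(4096)   # header is enough for the MZ/PE check
            if is_pe(head):
                reasons.append("PE header regardless of name or icon")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def fake_pe_image() -> bytes:
    """Constructed minimal PE-looking blob: MZ stub, e_lfanew=0x80, 'PE\\0\\0' at 0x80."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def build_sample_archive() -> bytes:
    """Constructed attachment: a real PDF, a disguised executable, and a PE with a harmless name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("refund_request.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("documents_last_month.pdf.exe", fake_pe_image())
        zf.writestr("notes.txt", fake_pe_image())   # only the content check catches this one
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["member"], "->", ", ".join(finding["reasons"]))
```

Running the block prints findings for the `.pdf.exe` member (three reasons) and for `notes.txt` (header check only); the genuine PDF is not reported. The content check is the one worth keeping even if the name heuristics are tuned away, since an icon resource and a renamed file cost the attacker nothing.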


More information about the BreachExchange mailing list