Threat Intelligence Report June 27 - July 3 2023

Researchers have recently unveiled significant insights into the operations of a newly discovered ransomware group called "Akira." This group is actively engaging in a relentless pursuit of various organisations, compromising their invaluable data. Notably, Akira ransomware has broadened its scope to encompass the Linux platform. Since its emergence in April 2023, Akira ransomware has already infiltrated and victimised 46 entities that have been publicly disclosed, with an additional 30 victims identified subsequent to our previous blog post. The majority of these victims are situated in the United States. Akira ransomware has targeted a diverse array of industries, spanning Education, Banking, Financial Services and Insurance (BFSI), Manufacturing, Professional Services, and others. Initially focusing on Windows systems, Akira ransomware has now expanded its repertoire to include Linux platforms. This strategic shift exemplifies an emerging trend among ransomware groups, indicating an imminent upsurge in assaults aimed at Linux environments. The fact that a formerly Windows-centric ransomware group has redirected its focus towards Linux highlights the growing vulnerability of these systems to cyber threats.

A new ransomware variant known as Wagner has emerged in the cybersecurity landscape, believed to be a derivative of the Chaos ransomware. What sets this ransomware apart is its ransom note, which deviates from the usual demand for money and instead encourages users to join the PMC Wagner.

The ransom note intriguingly begins with the phrase "Official Wagner PMCs Employment Virus." PMC Wagner refers to the Wagner Group, a Russian paramilitary organisation recognised as a private military company consisting of mercenaries. The ransomware sample was initially submitted from Russia, and the ransom note itself is written in Russian, indicating a possible focus on targets within Russia. The intentions of this ransomware appear to be centred around spreading messages of rebellion and incitement against the Russian authorities.

EarlyRAT is a remote access trojan (RAT) that has emerged as a sophisticated and stealthy malware threat. Initially identified in 2020, EarlyRAT is designed to infiltrate systems and gain unauthorised access, enabling attackers to remotely control infected machines and steal sensitive information. Known for its advanced evasion techniques and modular architecture, EarlyRAT poses a significant risk to organisations and individuals, highlighting the need for robust cybersecurity measures to detect, prevent, and mitigate its impact.

Warzone RAT is a remote access trojan (RAT) that has gained notoriety for its potent capabilities and malicious intent. Operating stealthily in the background, Warzone RAT infiltrates systems undetected and establishes a covert connection between the attacker and the compromised machine. By providing remote control access, Warzone RAT enables threat actors to execute malicious commands, exfiltrate sensitive data, and carry out various malicious activities, making it a significant cybersecurity threat. Its advanced features and evasive techniques highlight the critical need for robust security measures to protect against such sophisticated RAT attacks.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 89 new ransomware victims from 21 distinct industries across 34 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of new victims (33) spread across various countries. Akira and 8base groups follow closely with each hitting 11 and 7 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 34 countries around the world, we can conclude that the USA was once again the most ransomware affected country, with a total of 45 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 18 industries globally. Last week, the Business Services and Insurance sectors were hit particularly hard, with the loss of 11 and 10 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.