Since the spread of blackmail virus, 360 anti blackmail service has received tens of thousands of blackmail virus infections. With the rapid spread of the new extortion virus, the risk of corporate data leakage continues to rise, and extortion cases with extortion amount of millions to nearly 100 million dollars continue to emerge. Extortion virus has brought more and more influence to government organs, enterprises and individuals, and its harm is also increasing. 360 security brain conducts comprehensive monitoring and defense against blackmail virus, and provides 360 anti blackmail service for users in need of help.
In July 2022, the newly added active extortion virus families in the world include stop247, robaj, redalert, checkmate, Lilith, Luna, Bianlian, 0mega and other families. Among them, redalert, Lilith, Bianlian and 0mega are all dual extortion families; Checkmate is a blackmail virus that attacks NAS devices; Although the yanluowang blackmail virus was not newly added in July, the blackmail virus family began to publicly release victim data in July.
The following are the most noteworthy hot spots in July:
- The new blackmail virus checckmate attacks NAS devices.
- The data of Bandai Nanmeng palace was leaked after being attacked by alphv blackmail virus.
- The lockbit blackmail virus spreads through fake copyright infringement emails.
- The safesound blackmail virus spread through the plug-in program has been cracked.
According to the statistics of extortion virus families among the victims of extortion virus in July, Phobos family accounted for 20.45%, ranking first, followed by targetcompany (mallox) accounting for 13.10%, and Beijing crypt family ranked third with 11.50%.
In several families of TOP10, rook blackmail virus mutated again and modified the file suffix to Lock, blackmail prompt information is no longer in Chinese; The magniber blackmail virus is no longer transmitted through the disguise of MSI files, but through the disguise of anti-virus update programs. At the same time, the main transmission targets are also changed to Hong Kong and Taiwan, China; Robaj blackmail virus is a new blackmail virus added in July. At present, it is found that the family mainly uses brute force to crack the remote desktop password and then manually inject the virus.
According to the statistics of the operating systems used by the victims in July, the top three are windows 10, Windows 7 and Windows Server 2008. The proportion of desktop system and server system among the infected systems in July 2022 shows that the type of system attacked is still dominated by desktop system. Compared with the previous month, there was no significant fluctuation.
The NAS equipment supplier QNAP warned users that they should be vigilant against the checkmate blackmail virus attacking the NAS equipment of QNAP. These attacks are mainly concentrated on devices that have enabled SMB services and are exposed to the Internet, and mainly on some accounts with weak login passwords – these accounts are easy to fall into the attack of brute force cracking with weak passwords.
Checkmate is a newly discovered blackmail virus. It first appeared in the attack around May 28. The virus will add an extension to the encrypted file Checkmate and place a blackmail file named “! Checkmate_decryption_readme”. Ask the victim for $15000 worth of bitcoin to decrypt.
After it was disclosed in June that weiunicom suffered two types of extortion viruses ech0raix and deadbolt, the number of NAS devices infected by extortion viruses in China has increased. At the same time, this is the fifth popular extortion virus that attacks NAS devices.
In early July, Blackcat blackmail virus (also known as alphv) claimed that in an attack, it captured the server of Bandai Namco and stole the company’s data, and destroyed the internal system of the Asian regional offices except Japan.
Although Bandai Namco did not provide any technical details about the network attack, according to the data items and related statements published by the Blackcat data disclosure website, it is very likely that Bandai Namco was attacked by Blackcat. According to the publicly displayed data, Bandai Namco has stolen 13.5gb of data, but it has not been publicly released.
Although there were no domestic victims in the public data in July, 360 security brain monitored that the family had successfully attacked two companies / organizations in July.
The lockbit blackmail virus is spreading itself by masquerading malware as a copyright notice email. These emails warn the recipient of copyright infringement, claiming that the recipient has used certain media files without the permission of the creator. The email requires the recipient to delete the infringing content from his website, or he will face legal proceedings.
At present, in the e-mail content captured by the analysts, they do not specify which files have infringed, but only tell the recipients to download and open the attachments to view the infringed content. The attachment is a password protected zip archive containing a compressed file, which is an executable file disguised as a PDF document (NSIS installer).
This method of layer upon layer compression and password protection is mainly to avoid the detection of e-mail security tools. Once the victim opens the so-called “PDF” to understand the specific “infringement reason”, the malicious software will release the lockbit 2.0 blackmail virus to encrypt the device.
At present, there are more and more extortion virus families making profits through double extortion or multiple extortion mode, and the risk of data leakage caused by extortion virus is also increasing. The following is the proportion of extortion virus families that made profits through data disclosure in July. This data is only the part that failed to pay the ransom or refused to pay the ransom in the first time (the enterprises or individuals that have paid the ransom may not appear in this list).