
Russian Hackers Deploy New Ransomware Variant

Kaspersky Says RTM Group Attempts Extortion

The Russian hacker group RTM is deploying a new ransomware variant dubbed "Quoter" along with a banking Trojan as part of an extortion campaign, according to the security firm Kaspersky.


RTM, which has been active since 2015, mainly uses malware written in Delphi, Kaspersky says. Its latest campaign, which began in December 2020, has targeted 10 organizations in Russia so far, the security firm reports.

Step by Step

The attackers begin by sending phishing emails that purport to be messages related to business operations but that contain malicious attachments.

If a victim opens the attachment, the Trojan is downloaded. "To further secure themselves in the system and move inside the local network of the organization, the attackers used legitimate remote access programs, such as LiteManager and RMS, as well as several small homemade malicious utilities," the Kaspersky report notes. "The main task of the cybercriminals was to search for computers belonging to accounting employees."

Once the Trojan is loaded, the hackers deploy the Quoter ransomware to encrypt data. The victim then receives a message that their data has been stolen "and it would cost literally a million dollars to return it (in bitcoins, of course)," Kaspersky reports. If the ransom is not paid, then the extortionists resort to blackmail, threatening to post confidential information on the internet for free download.
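As an added, defender-side example (not part of the Kaspersky report or this article), the script below turns the chain described above into two detections over process-creation telemetry: an Office application launching an executable from a user profile (the phishing attachment stage), and an unapproved copy of LiteManager or RMS appearing on a host, escalated when the host sits in an accounting OU. The binary names, the approved-host inventory and the sample events are assumptions constructed for the example.

```python
import json

# Binary names of the two legitimate remote-access tools named in the report.
# These names are an assumption (taken from the vendors' product packaging, not
# from the article); map them to whatever your EDR records in your environment.
REMOTE_ACCESS_TOOLS = {
    "romserver.exe": "LiteManager", "romfusclient.exe": "LiteManager",
    "rutserv.exe": "RMS", "rfusclient.exe": "RMS",
}
# (host, tool) pairs IT has sanctioned; assumed inventory, normally fed from a CMDB.
APPROVED = {("it-helpdesk-01", "LiteManager")}
# Office processes that should never launch executables out of a user profile.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (severity, message) findings for one process-creation event."""
    image, parent = basename(event["image"]), basename(event.get("parent_image", ""))
    host, findings = event["host"], []
    tool = REMOTE_ACCESS_TOOLS.get(image)
    if tool and (host, tool) not in APPROVED:
        # Accounting endpoints were the campaign's stated goal: escalate there.
        sev = "high" if event.get("ou") == "Accounting" else "medium"
        findings.append((sev, f"unapproved {tool} ({image}) on {host}"))
    if parent in OFFICE_APPS and image.endswith(".exe") and "\\users\\" in event["image"].lower():
        findings.append(("high", f"{parent} launched {image} from a user profile on {host}"))
    return findings

def scan(lines):
    """Run classify() over JSON-lines process events, highest severity first."""
    found = [f for line in lines if line.strip() for f in classify(json.loads(line))]
    return sorted(found, key=lambda f: f[0] != "high")

# Constructed sample telemetry (not real logs) in a Sysmon-like JSON-lines shape.
SAMPLE_EVENTS = [
    '{"host":"it-helpdesk-01","ou":"IT","image":"C:\\\\Program Files\\\\LiteManager\\\\ROMServer.exe","parent_image":"C:\\\\Windows\\\\System32\\\\services.exe"}',
    '{"host":"acct-pc-07","ou":"Accounting","image":"C:\\\\Users\\\\ivanova\\\\AppData\\\\Local\\\\Temp\\\\invoice.exe","parent_image":"C:\\\\Program Files\\\\Microsoft Office\\\\WINWORD.EXE"}',
    '{"host":"acct-pc-07","ou":"Accounting","image":"C:\\\\Users\\\\ivanova\\\\AppData\\\\Roaming\\\\rutserv.exe","parent_image":"C:\\\\Users\\\\ivanova\\\\AppData\\\\Local\\\\Temp\\\\invoice.exe"}',
    '{"host":"hr-pc-02","ou":"HR","image":"C:\\\\Windows\\\\Temp\\\\ROMServer.exe","parent_image":"C:\\\\Windows\\\\explorer.exe"}',
    '{"host":"hr-pc-02","ou":"HR","image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\chrome.exe","parent_image":"C:\\\\Windows\\\\explorer.exe"}',
]

if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

The sanctioned helpdesk install produces no alert, while the two events on the accounting workstation come out first as high-severity findings.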

Big Ransomware Profits

The ransomware operators' new tactics - setting up data leak sites and charging for promises to delete stolen data - have increased both the number of victims willing to pay and the amounts they are willing to pay. As a result, ransoms paid in 2020 totaled almost $370 million, a 336% increase over 2019, according to Chainalysis (see: Mark of Ransomware's Success: $370 Million in 2020 Profits).

On Monday, security firm Sygnia reported that the Lazarus Group in North Korea was likely behind the TFlower ransomware variant.

Derek Manky, chief of security insights and global threat alliances at FortiGuard Labs, notes that Egregor, Ryuk, Conti, Thanos, Ragnar, WastedLocker, Phobos/EKING and BazarLoader were among the most active ransomware strains in 2020.

"Sectors that were heavily targeted in ransomware attacks included healthcare, professional services firms, consumer services companies, public sector organizations and financial services firms," Manky says. "To effectively deal with the evolving risk of ransomware, organizations will need to ensure data backups are timely, complete and secure off-site. Zero trust access and segmentation strategies should also be investigated to minimize risk."

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
