Raj Samani, Chief Scientist at Rapid7. Image: Rapid7

New research from cybersecurity firm Rapid7 shows that the ransomware threat facing IT and security professionals in Asia-Pacific is far from uniform, and that defenders would be better served by intelligence on attack trends in their specific jurisdiction or sector.

Raj Samani, chief scientist at Rapid7, said the ransomware threats an organization actually faces often differ from assumptions drawn from news reports. He added that the firm's attack surface research revealed significant exposures, such as open ports, unsecured storage buckets and compromised credentials.

How the ransomware threat in Asia Pacific varies by jurisdiction and industry

Rapid7’s research into ransomware activity in Asia Pacific during the second half of 2023 found differences across company locations and industries, suggesting that organizations taking a generic, one-size-fits-all approach to ransomware defense may be missing critical information.

For example, the most prevalent ransomware group targeting Australia is ALPHV (aka BlackCat). The group was found to primarily target the financial sector, with some activity in the government and education sectors as well. The second largest group is Trigona, followed by 8Base (Figure A).

Figure A

Ransomware organizations in Australia by sector. Image: Rapid7

Japan was also hit hardest by ALPHV, but there the technology industry was most affected, followed by manufacturing (Figure B). The next largest group in Japan is LockBit 3.0, which also targets manufacturing, while Royal targets the financial and technology industries.

Figure B

Ransomware targeting Japan organized by sector. Image: Rapid7

A comparison of Australia and India shows that while many of the same threat groups are active in both countries, the prevalence of individual groups differs by industry; for example, LockBit 3.0 is prominent in the financial sector in India, but not in Australia (Figure C).

Figure C

Ransomware groups target Australia and India by industry. Image: Rapid7

Differences between sectors exceeded Rapid7 researchers’ expectations

Rapid7 concluded that for regionally targeted ransomware campaigns, the range of threat groups is quite broad, but the most prevalent groups vary by targeted geography or sector. “We do anticipate there will be more overlap between threat actors across different sectors,” Samani said.

“What’s interesting is the segmentation and skewing of common threat groups in the Asia-Pacific region,” Samani explained. “What we can see from the data is that there are active ransomware groups specifically targeting individual sectors or specific countries in the Asia-Pacific region.”

Samani added that while CISOs in Indonesia, Malaysia or China may often hear about LockBit or ALPHV, there may be other ransomware threat groups to worry about. “There are multiple other threat groups that have had great success that no one is talking about at all.”

Attack surface leaves organizations open to threat actors

One worrying finding is how exposed organizations are to ransomware attacks. “We looked at the attack surface of sectors within markets like Australia and asked, is it something where attackers would do reconnaissance and break in to carry out a ransomware attack? Is that something that would be easy to do?”

Rapid7 found that while the “doors and windows” were not open to the attackers, they were “unlocked.” Samani cited the number of open ports and buckets in the region, access and availability of compromised credentials, and unpatched systems.

“This stuff isn’t glamorous or exciting. But by seeing if there are open or test systems on the internet, or if the buckets are locked, you start to create difficulties for access brokers, who are good at gaining access and selling it to threat groups.”

Rapid7’s analysis used machine learning to examine the external attack surface of multiple sectors across Asia Pacific in the second half of 2023. It draws on available data “beyond open RDP and unpatched systems,” including ransomware leak sites and compromised-credential data sets.
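The checks Samani describes are unglamorous but concrete: find the remote-access, file-sharing and database services reachable from the internet, and find the test or staging systems that should never have been exposed. The script below is an added example, not Rapid7's code or method. It triages nmap "grepable" (-oG) output for those exposures and ranks them by how attractive they are to an initial access broker. The scan text is a constructed sample using RFC 5737 documentation addresses, and the severity ratings are assumptions made for the example, not a Rapid7 classification.

```python
"""Triage external port-scan results for the "unlocked doors" ransomware access brokers look for.

Added example (not Rapid7's code). Parses nmap -oG output, flags internet-facing
services that should not be public, and flags hosts whose reverse names suggest
test or staging systems.
"""
import re

# Constructed sample of nmap -oG output (documentation addresses, not real scan data).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -oG - -p- 203.0.113.0/28
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65532)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 5985/open/tcp//wsman///\tIgnored State: closed (65533)
Host: 203.0.113.12 (staging-db.example.invalid)\tPorts: 27017/open/tcp//mongod///, 9200/open/tcp//wap-wsp///\tIgnored State: filtered (65533)
Host: 203.0.113.13 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65533)
# Nmap done
"""

# Services that rarely belong on the internet. Severity is an assumption for this
# example: one leaked or guessable credential on RDP or SMB is a ransomware foothold.
EXPOSURE_RULES = {
    3389: ("RDP", "critical"),
    445: ("SMB", "critical"),
    5985: ("WinRM", "high"),
    5986: ("WinRM/TLS", "high"),
    23: ("Telnet", "high"),
    5900: ("VNC", "high"),
    27017: ("MongoDB", "high"),
    9200: ("Elasticsearch", "high"),
    6379: ("Redis", "high"),
    21: ("FTP", "medium"),
    22: ("SSH", "low"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Hostnames that hint at non-production systems, which are often less patched and less watched.
TEST_NAME_RE = re.compile(r"\b(test|staging|stg|dev|uat|sandbox)\b", re.IGNORECASE)


def parse_grepable(text):
    """Return {address: {"hostname": str, "ports": [(port, proto, service), ...]}} for open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        head = fields[0].split()  # ['Host:', '203.0.113.10', '(name)']
        addr = head[1]
        hostname = head[2].strip("()") if len(head) > 2 else ""
        entry = hosts.setdefault(addr, {"hostname": hostname, "ports": []})
        if hostname and not entry["hostname"]:
            entry["hostname"] = hostname
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Each item is port/state/proto/owner/service/rpcinfo/version/
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                if state == "open":
                    entry["ports"].append((int(port), proto, service))
    return hosts


def triage(hosts):
    """Turn parsed scan data into findings sorted by severity, then host and port."""
    findings = []
    for addr, info in hosts.items():
        if info["hostname"] and TEST_NAME_RE.search(info["hostname"]):
            findings.append({"host": addr, "port": None, "severity": "medium",
                             "issue": f"non-production system exposed: {info['hostname']}"})
        for port, proto, service in info["ports"]:
            if port in EXPOSURE_RULES:
                name, severity = EXPOSURE_RULES[port]
                findings.append({"host": addr, "port": port, "severity": severity,
                                 "issue": f"{name} ({service}/{proto}) reachable from the internet"})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"] or 0))
    return findings


def summarize(findings):
    """Count findings per severity, so a team can track the exposure trend over time."""
    counts = {severity: 0 for severity in SEVERITY_ORDER}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(parse_grepable(SAMPLE_SCAN))
    for f in results:
        print(f"{f['severity']:<8} {f['host']:<15} {str(f['port'] or '-'):<6} {f['issue']}")
    print(summarize(results))
```

Run against a real export (`nmap -oG scan.txt -p- <your ranges>`) by reading the file into `parse_grepable` instead of `SAMPLE_SCAN`. The point is the triage order: a host with RDP or SMB open sits at the top regardless of how many low-risk services the rest of the estate exposes, because that is the door an access broker will try first with a purchased credential.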

Enhance ransomware defense with an intelligence-based approach

Ransomware attacks are on the rise in the Asia-Pacific region. A recent report from Group-IB found a 39% increase in regional attacks, bringing the total to 463, with the largest number (101) occurring in Australia, based on victims posted to ransomware data leak sites.


Rapid7 recommends that organizations in Asia Pacific take a more intelligence-based, nuanced approach to combating ransomware risks. Samani said they should not set priorities by speculating “based on headlines involving organizations on the other side of the world.”

“Everyone is talking about the same ransomware families. But no one sits down and looks at it and says, ‘Well, that doesn’t really apply here, it’s this group that applies here,'” Samani explained.

The company believes that a combination of external attack surface management and actionable intelligence on which vulnerable assets are being exploited in the wild should be the highest priority, especially where ransomware campaigns concentrate on an organization’s sector or geography.

“Having visibility and intelligence is critical,” Samani said. “This level of intelligence means you know who you’re dealing with and how to protect yourself.”
