The most malicious ransomware attacks require cryptocurrency payments

As networking transforms the world into a global village, cyber attacks are expected to increase. Reports say average payments to ransomware attackers increased at the end of last year. Several organizations had to pay millions of dollars to have their files released by malware attackers.

Aside from the fact that the current pandemic has made many people and businesses vulnerable to attack, the notion that cryptocurrencies are an incomprehensible and anonymous payment method has led many ransomware attackers to demand ransom payments in Bitcoin (BTC) and other altcoins.

Recently, a June 23 report by cyber security company Fox-IT revealed that a malware group called Evil Corp has been running new ransomware operations that require their victims to pay a million dollars in Bitcoin.


The report also shows that groups like Evil Corp create ransomware for database services, cloud environments and file servers with the intent to disable or interrupt the security applications of a company’s infrastructure. On June 28, cyber security company Symantec reported that it blocked a ransomware attack by Evil Corp that was aimed at around 30 American companies and requested payment in Bitcoin.

These attempts are just the latest examples of the growing threat of ransomware attacks. Below are some of the more malicious ransomware strains that required payment in crypto.


WastedLocker is the latest ransomware from Evil Corp, a group that has been active since 2007 and is considered one of the deadliest cyber crime teams. Evil Corp allegedly reduced its activities in connection with the banking trojans Bugat/Dridex and Zeus following charges against two suspected members of the group, Igor Turashev and Maksim Yakubets.

However, investigators are now of the opinion that the group has resumed its attacks since May 2020, with the WastedLocker malware as its latest creation. The malware was named “WastedLocker” because of the file name created by the malware, which adds the word “wasted” to an abbreviation of the victim’s name.

By disabling and disrupting backup applications, database services, and cloud environments, WastedLocker prevents its victims from restoring their files for an extended period, even if there is an offline backup configuration. In cases where a company lacks offline backup systems, restoration can be prevented indefinitely.

However, the researchers point out that unlike other ransomware operators who leak victims’ information, Evil Corp has not threatened to publish victims’ information, in order to avoid drawing public attention.


DoppelPaymer is ransomware designed to encrypt its target’s files, prevent access to them, and then push the victim to pay a ransom to decrypt the files. It is used by an eCrime group called INDRIK SPIDER. DoppelPaymer is a form of the BitPaymer ransomware and was first discovered in 2019 by the endpoint protection software company CrowdStrike.

Recently, the ransomware was used in an attack on the city of Torrance in California. More than 200 GB of data was stolen and the attackers demanded a ransom of 100 Bitcoin.

Other reports show that the same malware was used to attack an Alabama city’s information technology system. Attackers threatened to publish citizens’ private information online unless they received $300,000 in Bitcoin. The attack came after warnings from a Wisconsin-based cyber security company. A cybersecurity specialist who analyzed the case mentioned that the attack, which had brought the city’s email system to a standstill, was made possible by the username of a computer owned by the city’s information systems administrator.

Chainalysis data show that DoppelPaymer malware was responsible for one of the biggest payments, one of only two to reach $100,000.


According to a report by the cyber security provider Check Point, Dridex malware was included in the top 10 list for the first time in March 2020, after first appearing in 2011. The malware, also known as Bugat and Cridex, specializes in the theft of bank details using a macro system in Microsoft Word.

However, new malware variants go beyond Microsoft Word and now target the entire Windows platform. The researchers point out that, thanks to its sophistication, the malware can be lucrative for criminals and is now used as a ransomware downloader or as ransomware.

Despite the fact that a botnet connected to Dridex was taken down last year, experts believe that such successes are generally short-lived, since other criminal groups can pick up the malware and use it for other attacks. However, the current global pandemic has further intensified the use of malware such as Dridex, which is easily run through phishing email attacks, because more and more people have to stay and work from home.


Another malware that has reappeared as a result of the coronavirus pandemic is Ryuk ransomware, known for attacking hospitals. On March 27, a spokesman for a UK-based computer security company confirmed that despite the global pandemic, Ryuk ransomware continues to be used to attack hospitals. Like most cyber attacks, Ryuk malware is spread through spam emails or geographic download features.

Ryuk malware is a variant of Hermes associated with the SWIFT attack in October 2017. Attackers who have been using Ryuk since August are believed to have received more than 700 Bitcoin in 52 transactions.


As the ransomware landscape continues to be overcrowded with malicious new solutions, cybercriminal groups such as the ransomware gang REvil (Sodinokibi) have apparently evolved over the years, with increasing sophistication in their way of working. The REvil gang operates as a RaaS (Ransomware-as-a-Service) and creates various types of malware that it sells to other criminal groups.

A report by the KPN security team shows that the REvil malware has infected more than 150,000 unique computers worldwide. However, these infections came from a sample of only 148 REvil strains. Each REvil strain is deployed according to the target company’s network infrastructure to increase the chance of infection.

The notorious ransomware gang REvil recently started an auction to sell data stolen from companies that can’t pay the ransom, with prices starting at $50,000, payable in Monero (XMR). For privacy reasons, the REvil gang switched from requesting payment in Bitcoin to Monero, a privacy-oriented cryptocurrency.

As one of the most active and aggressive ransomware operators, the REvil gang mainly targets companies. They encrypt their files and request astronomical payments averaging $260,000.


On May 27, the Microsoft security team revealed information in a series of tweets about a new ransomware called “PonyFinal”, which uses brute force to access its target’s network infrastructure and deploy the ransomware.

Unlike most malware programs that use phishing links and emails to trick users into activating the software, PonyFinal is distributed using a combination of a Java runtime environment and MSI files that deliver malware with a loader manually activated by the attacker. Like Ryuk, PonyFinal is used primarily to target healthcare facilities in the midst of the COVID-19 crisis.

Payments have dropped

Despite the general increase in the number of cyber attacks, experts believe that the number of successful attacks has decreased, since for most companies ransomware attacks in the midst of a global pandemic prove to be the final blow and leave them unable to pay the ransom.

This is the finding of a report released on April 21 by the Emsisoft malware lab that shows a significant decrease in the number of successful ransomware attacks in the United States. A report Chainalysis published in April likewise shows a significant decrease in ransom payments since the escalation of the coronavirus pandemic in the United States and Europe.

So it seems that despite the increasing number of attacks, victims are not paying the ransom, leaving criminal groups like REvil with no choice but to auction the stolen data. It is also likely that, paradoxically, having employees work from home poses a new challenge for hackers. Speaking to Cointelegraph, Emsisoft threat analyst Brett Callow said the following:

“It is very obvious to ransomware attackers that they have a potentially valuable target when they reach a corporate endpoint, but it may be less obvious when they reach a personal device that an employee uses while working remotely, and that is only temporarily connected with company resources.”
