MalasLocker ransomware has dethroned LockBit as the leading ransomware strain, witnessing a significant rise in the number of targets in the month of May, reported MalwarebyteLabs.
May saw an unprecedented 556 reported cases of ransomware victims, highlighting MalasLocker’s dominance, its focus on Italy and Russia as primary targets, and an alarming increase in attacks on the education sector.
MalasLocker ransomware emerges as a dominant player
MalasLocker ransomware popped up in cybersecurity news in May by claiming a list of 169 victims after being spotted exploiting Zimbra servers for ransomware attacks.
During the previous month, MalasLocker’s impact soared as it registered a staggering 171 victims, surpassing LockBit’s 76 attacks by nearly 100. This isn’t the first time LockBit has faced such a challenge.
In April, Cl0p claimed the top spot by exploiting a zero-day vulnerability in GoAnywhere MFT, successfully compromising over 100 victims. Similarly, MalasLocker leveraged vulnerabilities in Zimbra servers, specifically CVE-2022-24682, to achieve remote code execution.
MalasLocker ransomware, a unique approach
What truly sets MalasLocker apart is its unconventional methodology, pointed out Cyble Research and Intelligence Labs (CRIL).
Unlike typical ransomware groups, MalasLocker refrains from demanding monetary ransoms. Instead, the gang urges victims to contribute to approved charities.
Posing as the “Robin Hood” of ransomware, MalasLocker claims to oppose corporations and economic inequality. However, skepticism prevails regarding whether the gang upholds its promise to provide decryption services when a victim donates to charity.
Other ransomware groups too have noticeably evolved their modus operandi, focusing on exploiting known vulnerabilities for widespread attacks, said the MalwarebyteLabs report.
Cl0p and MalasLocker, for instance, have automated their targeting efforts to exploit specific system weaknesses, amplifying the scale and impact of their operations.
Italy and Russia take centerstage, education at risk
Italy and Russia topped the list of MalasLocker ransomware in May. The ransomware groups campaigns on the countries catapulted both Italy and Russia into the top three most targeted nations overall in May.
Italy experienced an astounding six-fold increase compared to the previous month, while Russia, previously unlisted, suffered 50 reported attacks.
MalasLocker ransomware played a significant role in targeting these countries, although the motivation appeared to be vulnerable targets rather than deliberate selection.
Of particular concern is the escalating onslaught of ransomware attacks on the education sector.
“May saw 30 known attacks—the highest we’ve seen in a single month since we started keeping records in early 2022, and the continuation of a trend that has seen a sustained increase over the past twelve months,” said the MalwarebyteLabs report.
“Between June 2022 and May 2023, Vice Society attacked more education targets than any other gang—a specialization that should alarm schools, colleges, and universities everywhere.”
MalasLocker ransomware and new entrants on the scene
Along with MalasLocker ransomware, several other novel ransomware variants have recently surfaced, including BlackSuit, Rancoz, 8BASE, and RA Group.
BlackSuit, a new entrant, bears a striking resemblance to Royal ransomware, noted CRIL researchers.
“This can be attributed to the fact that Linux is extensively utilized as an operating system across various sectors, including enterprise environments and cloud computing platforms,” said the CRIL report.
“The widespread use of Linux makes it an appealing target for ransomware groups, as a single attack can potentially compromise numerous systems.”
Rancoz, another newbie, modifies leaked source code to tailor attacks for specific industries or regions, noted the MalwarebyteLabs report.
8BASE, operating since April 2022, predominantly focuses on small and medium-sized businesses, with a notable concentration in the Professional/Scientific/Technical sector.
“The group behind this ransomware has adopted a double extortion strategy, wherein they first steal the victim’s data and then encrypt it,” reported CRIL researchers.
“If the victim refuses to pay the ransom, the attackers publish the stolen data on their leak site. The group has already disclosed information about 66 victims on its website.”
RA Group primarily targets pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea.
“The actor is swiftly expanding its operations. To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals,” said a CISCO Talos report.
Mitigating ransomware risk
To combat the growing threat of ransomware, organizations are advised to implement preventative measures such as blocking common entry points and employing intrusion detection systems.
Deploying robust endpoint security solutions, maintaining offsite and offline backups, and conducting thorough post-attack eradication helps in preventing subsequent attacks.
The surge of MalasLocker ransomware, the intensification of attacks in Italy and Russia, and the education sector’s vulnerability underscore the evolving ransomware landscape.
As these cybercriminals adapt their tactics, organizations must remain vigilant and adopt comprehensive security measures to safeguard against potential ransomware attacks.