No let up on REvil ransomware-as-a-service attacks

Russia and former Soviet states left alone.

Dutch internet service provider and telco KPN has mapped out attacks by the Sodinokibi or REvil ransomware, and found a staggering number of infections around the world over the past five months.

REvil is monetised through an affiliate scheme, and KPN said it was able to track some 150,000 unique infections worldwide.

Ransom notes from 148 REvil samples showed criminals attempting to extort US$38 million from victims whose files have been encrypted by the malware.

KPN said there could be many more victims, as the provider only had limited visibility of the total and only extracted samples from the copy-and-paste site Pastebin.

Some of the REvil malware attacks like the New Year's Eve incident that took out foreign exchange giant Travelex have been well documented in media.

Many companies hit by ransomware elect to remain silent however, making it difficult to get a complete picture of how many victims there are.

"The actual problem is even bigger than what we can measure," KPN wrote.

Security experts commenting on the research chimed in about the massive scale of the ransomware epidemic, which appears to be done completely in the open by criminals.

Since early 2019, REvil has by and large replaced the earlier GandCrab ransomware-as-a-service operation, and has done so very successfully.

Some REvil attacks are on a huge scale, KPN said, pointing to malware-spreading affiliates being able to encrypt over 6500 unique systems in just two attacks in Europe and Africa last week.

The United States, South Korea and China are the countries hardest hit by REvil, followed by Canada and France; the malware checks the computer's system language setting and won't run if it is set to Russian or to the language of one of the Commonwealth of Independent States countries.

KPN suggested that the strongest line of defence against ransomware attacks is to have offsite backups that can't be deleted from an organisation's operational infrastructure.

In addition to backups, organisations should consider network segmentation, patch management, penetration testing and security baselines.
