[Reading tip]: Insights into the Russian malware scene

Several months ago, the IT security vendor Kaspersky published a detailed analysis (local copy) of the presumably Russian hacking scene to which, according to analysts, most current variants of encryption malware, including Petya, are attributed. The authors based their findings on the statistics they collect and evaluate as part of their annual malware case analysis surveys:

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals. This conclusion is based on our observation of underground forums, command and control infrastructure, and other artefacts which can be found on the web. It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin, but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighboring countries.

Another possible reason is that the Russian cybercriminal underground has the richest background when it comes to ransomware schemes. Prior to the current crypto ransomware wave, there was another ransomware-themed malware epidemic. Between approximately 2009 and 2011, thousands of users in Russia and its neighboring countries experienced attacks which used so-called Windows- or browser-lockers. This type of ransomware blocks the user’s access to their browser or OS and then demands a ransom in exchange for unlocking access. The epidemic withered for a number of reasons: law enforcement agencies responded adequately and caught several criminals involved in the business; mobile operators made the process of withdrawing money through premium SMS services harder; and the security industry invested a lot of resources into developing free unlocking services and technologies. (Source: Kaspersky on Threatpost)

The report covers both the business models and the partly automated processes for creating and using such malware, as well as the actors behind it. In their two main conclusions, the authors find that:

1. Thanks to multiple successful massive campaigns they’re now funded well enough to invest big money in sophisticated operations.

2. A ransomware attack against a large corporation makes total sense, because it is possible to paralyze the work of a whole company, resulting in huge losses. Due to this, it is possible to demand a ransom larger than the one requested from home users and small companies. (Source: Kaspersky on Threatpost)

Well worth reading!