Ransomware Strain TZW Targets Individuals and Small Businesses
Researchers at security and operations analytics firm Netenrich have identified a new strain of ransomware called TZW, which targets individuals and small businesses. Unlike typical ransomware attacks that demand millions of dollars in ransom, TZW demands a smaller ransom from each victim. This approach allows the threat actors to fly under the radar, as victims often pay the relatively low ransom amounts without attracting media attention.
Difficulties in Identifying TZW
Identifying TZW as a spinoff of the Adhubllka ransomware family proved challenging for researchers. Over the years, many Adhubllka samples had been misclassified or mistakenly tagged as other ransomware families. This confusion made it difficult for threat hunters and security researchers to report accurately on incidents. Multiple antivirus engines had previously detected TZW samples but attributed them to other malware, further complicating the identification process.
The Importance of Proper Attribution
Netenrich’s research not only sheds light on the identification of TZW but also highlights the importance of properly attributing ransomware strains. To accurately trace a family of ransomware to its origin, researchers analyzed threat actors’ communication channels, contact emails, ransom notes, and execution methods. These elements played a vital role in the analysis and enabled the correct identification of TZW as part of the Adhubllka ransomware family.
Past Activity and Growth Potential
Adhubllka first gained attention in January 2020 but had been highly active the previous year. Threat group TA547 used Adhubllka variants in campaigns targeting various sectors in Australia in 2020. The small ransom amounts demanded by Adhubllka allowed the group to operate stealthily and evade media attention. Researchers anticipate that this ransomware may be rebranded under other names in the future, and that other threat actors may use it to launch their own campaigns. Nevertheless, as long as the communication methods remain unchanged, researchers can trace such cases back to the Adhubllka family.
Identification Techniques
Researchers used various techniques to tie the latest TZW campaign to Adhubllka. They tracked previously linked Tor domains used by the threat actors and found clues within the ransom notes dropped to victims. The notes instructed victims to communicate via a Tor-based victim portal for decryption keys after paying the ransom. The researchers also noted that the group changed its communication channel from v2 Tor Onion URLs to v3 Tor URLs. Additionally, unique attributes in the ransom notes and the use of specific email addresses helped narrow down the attribution to the latest variant of Adhubllka.
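As an added example (not code from the Netenrich research or this article), the following Python helper pulls out the same communication-channel artifacts the researchers relied on: it extracts onion hosts from ransom-note text, classifies them as v2 or v3 by address length, extracts contact email addresses, and clusters notes that share any of these channels. Every note, onion host and email address below is a constructed placeholder, not a real indicator.

```python
import re

# Constructed sample ransom notes with placeholder infrastructure (not real IoCs).
# sample_a uses a v2 onion, sample_b a v3 onion; both reuse the same contact email,
# so they should cluster together even though the portal URL changed.
NOTES = {
    "sample_a.txt": ("Your files are encrypted. Open this in Tor Browser:\n"
                     "http://abcdefghijklmnop.onion/victim\n"
                     "Contact: support_placeholder@example.com\n"),
    "sample_b.txt": ("All your data has been locked. Visit our portal:\n"
                     "http://" + "a" * 56 + ".onion/login\n"
                     "Email: support_placeholder@example.com or backup_placeholder@example.net\n"),
    "sample_c.txt": ("Pay to recover. Portal: http://bcdefghijklmnopq.onion/\n"
                     "Write to: other_placeholder@example.org\n"),
}

# Onion hosts are base32 labels: 16 chars for v2 addresses, 56 chars for v3.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def onion_version(host):
    """Return 2 or 3 based on the onion label length, or None if it fits neither."""
    label = host.lower()[:-len(".onion")] if host.lower().endswith(".onion") else ""
    return 2 if len(label) == 16 else 3 if len(label) == 56 else None

def extract_comm_channels(note):
    """Collect onion hosts, their versions and contact emails from one ransom note."""
    onions = [m.group(0).lower() for m in ONION_RE.finditer(note)]
    emails = sorted({e.lower() for e in EMAIL_RE.findall(note)})
    versions = sorted({onion_version(o) for o in onions} - {None})
    return {"onions": onions, "onion_versions": versions, "emails": emails}

def cluster_by_channel(notes):
    """Union-find over notes: two notes join a cluster when they share an onion host or email."""
    parent = {name: name for name in notes}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    first_seen = {}  # channel value -> first note that used it
    for name, text in notes.items():
        channels = extract_comm_channels(text)
        for key in channels["onions"] + channels["emails"]:
            if key in first_seen:
                parent[find(name)] = find(first_seen[key])
            else:
                first_seen[key] = name
    groups = {}
    for name in notes:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(members) for members in groups.values())
```

Running `cluster_by_channel(NOTES)` groups sample_a with sample_b through the shared email while sample_c stays separate, mirroring how a persistent contact channel survives a v2-to-v3 portal migration.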
Defense Against Ransomware
Netenrich’s research underscores the importance of defending against ransomware attacks and the need for cybersecurity education and measures. While deploying an endpoint security solution is crucial, organizations must also focus on preventing ransomware from entering their environments in the first place. This involves monitoring for behavioral anomalies, privilege escalation, and suspicious removable media, and providing basic security education so that employees avoid clicking malicious links delivered through email.
In an ever-evolving landscape of cyber threats, organizations and individuals need to remain vigilant and proactive in their cybersecurity practices to protect against the growing threat of ransomware.