The rise of ransomware in South Korea

This is a contributed piece by Jérôme Segura, Lead Malware Intelligence Analyst at Malwarebytes

No country is safe from ransomware; WannaCry showed it does not discriminate in whom it targets. It hit Russia, the US and the UK, but also spread widely in Asia. In South Korea, four companies reported problems and one cinema chain was unable to display trailers.

South Korea made the headlines again in June this year for paying the largest ransom to date ($1m). The caveat, of course, is that many ransom payments are never made public, but this is widely believed to be a record amount.

The region continues to be a key target for cyber criminals: our own research found the Magnitude Exploit Kit has been hitting the country hard.

Digging deeper, we found the Magnitude Exploit Kit is being used exclusively to deliver Cerber ransomware. Following the shake-up in the exploit kit landscape, Magnitude went private and is now used by only one actor. That actor decided to focus exclusively on countries in Asia, notably South Korea, which is what we spotted in our telemetry.


Why exclusively Cerber?

Thanks to its well-written code, Cerber currently dominates other types of ransomware and has stood the test of time. It has not had the same media attention as WannaCry, for example, which caught the headlines because of its novel worm component.

Cerber is also evolving: it recently added password-stealing functionality to its core. This means organisations are not only hit by the ransomware itself; the same payload simultaneously tries to steal passwords and locate a Bitcoin wallet on the device.


South Korea in the spotlight

Typically, exploit kits target go-to regions such as the UK, the US and Canada. These countries offer a greater return on investment because victims there have higher incomes and are more likely to pay a ransom. That makes the choice of Asia, and South Korea in particular, all the more interesting. Although we can't say for sure, we believe the actor likely has a connection to, or at least deep knowledge of, Asian culture.

In my recent blog, I discuss an unexpected gate in front of the exploit kit. Users were screened through an additional filtering server located in South Korea. The server fingerprinted which video driver users had and discovered their local IP address. Of all the places it could have been hosted, it was in South Korea, suggesting perhaps that this was not an accident.


How can businesses tackle this problem?

If you're hit with ransomware, it's not just about losing data; it's about the business shutting down. Our recent Osterman report revealed that ransomware attacks caused 22 per cent of infected SMEs to cease business operations immediately. Even one day without operations is not something many businesses can afford.

So the first thing we'd advise businesses, not just in South Korea but across the globe, to do is back up. I'm not talking about doing it once a year: backups need to be completed on a regular basis. Real-time backups are the best option, and many cloud-based vendors currently offer them.

On top of this, plan for redundancy and keep a physical backup. We've seen countless cases where businesses thought they had a solid system in place, only for it to fail when needed. You need more than one backup to rely on.

Additionally, as NotPetya showed, you may not be the primary target but can still suffer the consequences if you're tied to someone who was. For instance, multinationals with no presence in Ukraine were still infected because they had remote access to machines in Ukraine. This is a big reminder to organisations that all it takes is one weak link in your supply chain without a robust security policy in place for you to be hit and left dealing with the damage from ransomware.

