TeamT5's ThreatVision APT identification engine is now integrating with PolySwarm malware analysis platform to help power the growing crowdsourced malware analysis marketplace.

PolySwarm is a crowdsourced malware analysis platform specialized in new and emergent threats. It is powered by a network of research-driven engines, like TeamT5, which are highly specialized and focused on detecting the latest malware. Unlike in other multiscanners, engines in PolySwarm are incentivized to respond just when confident, and are compensated based on performance, improving signal-to-noise ratio and reducing false positives. Multiscanning, threat scoring and hunting in a single platform give analysts a novel tool to detect, analyze and respond to threats.

TeamT5's alliance with PolySwarm will be beneficial to our specialized research in APT intelligence in Asia-Pacific. And we as a team will definitely bring the experience of our clients to the next level.

With TeamT5's solid technical background and frontline expertise, we provides more in-depth information about the malware, such as threat level, adversary and linkage discovery information, to help our clients dealing with the APT attacks they are facing from all over the world.

TeamT5's ThreatVision Cyber Threat Intelligence Platform Joins PolySwarm Malware Analysis Marketplace

TeamT5のThreatVision APT識別エンジンはPolySwarmのマルウェア分析プラットフォームへ統合され、発展中のクラウドソーシングされたマルウェア分析マーケットプレイスに参加しました。

PolySwarmは、新興の脅威を専門に扱う、クラウドソーシング型のマルウェア分析プラットフォームです。TeamT5のように、高度に専門化され最新のマルウェア検出に焦点を当てる、調査主導型エンジンのネットワークで構成されています。他のマルチスキャナーとは異なり、PolySwarmのエンジンは確信を得た場合にのみ対応するようインセンティブが与えられています。成果に応じて報酬が与えられるため、重要な情報を抽出しやすくして誤検出を減らせます。マルチスキャン、脅威のスコア付け、単一プラットフォームでの摘発を通じて、アナリストが脅威を検出、分析、対応できる斬新なツールとなっています。

TeamT5のPolySwarmとの提携は、アジア太平洋地域でのAPTインテリジェンスに関する専門調査に役立ちます。また、この提携を通じて、顧客へさらに高水準のサービスを提供できます。

TeamT5が持つ堅固な専門技術と最前線での専門知識をもって、当社は脅威レベル、敵対者と関連性の摘発に関してより詳細な情報を提供し、顧客が世界中で猛威を振るうAPT攻撃に対抗できるよう支援します。


TeamT5のThreatVisionサイバーインテリジェンスプラットフームがPolySwarmのマルウェア分析マーケットプレイスに参加

**By TeamT5 CTO Charles Li**

2020 was considered to be a year of chaos and disaster. Big events such as the outbreak of COVID-19, geopolitical conflicts escalations in several areas, Brexit, and the U.S. president election, all influenced people around the world. In 2020, TeamT5 continued helping numerous security breaches caused by state sponsored targeted instruction attacks (APT) . In the meantime, TeamT5 intelligence Team proactively tracked APT actors’ new activities. Compared with real world, the cyber world was also full of turmoil in 2020 and many of them are reflections or extensions to events in real world. In this article, we will discuss our observation of APT trends in Taiwan in 2020.

In this article, we will first walk you through some remarkable trends, including:

- Evolution of APT tactic
- Supply Chain attack became a primary method in APT attacks
- COVID-19 driven cyber attacks

We will try to dissect the attacks happened in Taiwan in industrial view and adversarial view, which is a common method in threat intelligence analysis. Last part will be our conclusion and suggestions to respond with APT attacks.

 

## Evolution of APT tactic

In 2020, the most notable APT event in public would be the ransom-attack that strike several energy related companies in May [1]. TeamT5 research shows it to be a well-organized campaign from a notorious Chinese adversary group. Whether financial gain or political deterrence is the real motivation behind the ransom-attack remains a mystery. However, it has marked a milestone of China’s cyber-attacks against Taiwan: Chinese APT have aimed Taiwan for more than 20 years but only limited in cyber espionage operations in the past but the threat actors are now exercising new tactics to evade us.

Another cyber-attack supporting our hypothesis occurred on PTT, the most popular BBS platform in Taiwan. TeamT5 tracked a series of posts related to some scandals, with attempts to uglify Taiwanese governments or military, on PTT in July 2020. The actors abused hopping servers from various countries to hide their footprints. However, TeamT5 intelligence database shows that one of the source IP address was also used by a Chinese APT that has targeted Taiwan for more than ten years. Besides, another private source also verified the same APT group to be the culprit behind the attack. We consider both events to be indicators of China’s expansion on offensive cyber operations, which we have not observed in the past.

 

## Supply Chain attack becoming a primary method in APT attacks

Supply chain attack has become a major intrusion method for threat actors in 2020 and TeamT5 had warned such tactic in advance [2]. SolarWinds breach was undoubtedly the most successful story among them. Many high-profile US government agencies, Fortune 500 companies and even cybersecurity vendors were affected. It is so sophisticated that the scope is still uncertain yet. In Taiwan, we also observed at least three waves of similar attacks that infiltrated service providers and further leveraged their products or services to infect more victims. The first two had been published by the Ministry of Justice Bureau (MJIB) of Taiwan in August [3]. The third was still under investigation and the impact could be even bigger. We have seen a significant numbers of government agencies or private corporates in Taiwan being compromised. TeamT5 research shows that at least 3 distinct China nexus group were involved in these operations.

 

## COVID-19 driven cyber attacks

Another interesting phenomenon would be COVID-19 related cyber-attacks. Soon after the outbreak of COVID-19 pandemic, we observed state sponsored actors collecting intelligence for the pandemic. In the second half of 2020, threat actors shifted their focus to chasing COVID-19 vaccine information with the advance of COVID-19 vaccine development. In Taiwan, TeamT5 also intercepted several spear phishing emails using COVID-19 as lure theme or even more campaigns related to healthcare related entities. We believe the trend will continue as long as the COVID-19 pandemic still exists.

TeamT5 Intelligence Team had analyzed around one hundred APT attacks from China in 2020. Our statistic shows government and military agencies are still the biggest target and attacks against them counts for more than 1/4 in total and almost every APT groups that are active in Taiwan are coveting them. This trend has lasted for long since the ultimate goal of Chinese espionage operation is to obtain confidential national information. Information Technology (IT) industry also got attention a lot by APT actors and TeamT5 has observed a dramatical increase of attacks against IT industry. We believe this phenomenon is a result of threat actors’ attempts to abuse supply chain attacks and IT companies are considered to be good hopping points by actors to access various industries.

The third industry being targeted in 2020 is Energy industry and TeamT5 had observed at least attacks from 5 adversary groups. It could be a sign of our adversaries’ ambitions to control our critical industries because they will be top priorities of sabotages in wartime. Education or think tanks have been long ranked as the most attacked victims because they tend to involve in classified research projects hosted by governments or political decision makings. There were several targeted attacks against companies in semiconductor industries. It makes sense since Semiconductor industry is listed as a priority to be fostered by Chinese authority in their thirteen and fourteen Five-Year projects. Cyber espionage was also adopted as a mean to improve their techniques. Healthcare and transportation are also two industries that got coveted by APT actors. As we mentioned in the previous paragraph, COVID-19 could be an incentive for APT actors to attack Healthcare industries. Lastly, we would like to raise a phenomenon TeamT5 observed: There was an adversary group which we called GouShe (a.k.a TroppicTropper, Keyboy) focus on infiltrating Transportation related entities in Taiwan. More than 70% of transportation related cases we observed were from this specific group.

![0510-1.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1620618167/0510_1_bceb3b6be1.png)
_2020 APT target industries distribution_

 

TeamT5 has tracked activities from at least 9 APT groups and 8 of them are from China. HUAPI (a.k.a BlackTech/PLEAD) was definitely the most ambitious group in Taiwan. Their attacks counts around 30% of incidents we analyzed and the targeting scope includes almost all the industries we listed. The supply chain attacks we mentioned in previous paragraphs were also conducted by them. APT27 (a.k.a EmissaryPanda, IronTiger, LuckyMouse, BronzeUnion), GouShe and AMOEBA (a.k.a APT41, Barium, Winnti) are groups that are quite active in 2020. APT27 was mostly attacking government, healthcare, and financial entities. GouShe showed a peculiar interest in transportation related entities while their footprints are also observed in energy and government entities. TeamT5 has tracked this group for many years. Our research shows that the actors might bear some responsibility from their higher commands to monitor some critical infrastructure facilities in Taiwan and take control of them in case of emergency status.

AMOEBA attacked energy companies, semiconductor companies, educational institutes, and IT companies. Their primary goal appears to be more for intellectual property or secret theft. But the possibilities exist that the actor might further leverage their achievement, like what they did in the ransom-attack in May. SLIME1, SLIME9 and SLIME13 are temporary code names for three Chinese APT campaigns against Taiwan that have lasted for a few years. Their activities still continued in 2020. Polaris (a.k.a MustangPanda) is another Chinese APT group that attacked almost all neighboring countries of China. We intercepted several of their spear phishing emails against government and research institutes in early stage of COVID-19 and we surmise they were gathering for information related to pandemic. One last interesting discovery: we discovered some Linux based malware used by Lazarus, a notorious North Korean APT group, circulated in Taiwan but we are unable to obtain the victim identity information. Although Taiwan is not a primary target of North Korean APT. But the Lazarus actors are believed to bear financial supporting responsibilities for their government agencies. For example, Lazarus is believed to be the culprit behind a Taiwanese bank SWIFT heist in 2017 [4]. The sample we uncovered might suggest their activities still exist in Taiwan.

![0510-2.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1620615927/0510_2_a0a7b82a23.png)
_Adversaries attacking Taiwan in 2020_

 

## Conclusion

The purpose of this article is to provide a high-level overview of APT threat landscape of Taiwan in 2020, since TeamT5 believes knowing your enemy is the first step of effective defense. TeamT5 research shows that APT attacks keep evolving to become very complex and impossible for a security product to defend. TeamT5 has a cyber threat intelligence (CTI) centered solution, [ThreatVision](https://teamt5.org/en/products/threatvision/), and we rely on a dedicated team of security experts to keep us steps ahead of threat actors. Feel free to contact TeamT5 in case you want to know more about our products, solutions or discuss about threats you are facing.

> Contact us: [https://teamt5.org/en/request-information/](https://teamt5.org/en/request-information/)

 

### Reference

[1] https://www.ithome.com.tw/news/139331

[2] https://www.slideshare.net/codeblue_jp/cb19-resistance-is-futilethe-undefendable-supplychain-attack-by-sungting-tsai-linda-kuo

[3] https://www.youtube.com/watch?v=1KXb-sf_wos

[4] https://www.reuters.com/article/us-cyber-heist-north-korea-taiwan-idUSKBN1CL2VO

APT Threat Landscape of Taiwan in 2020

**By TeamT5 杜浦數位安全 技術長 李庭閣 Charles Li**

2020 年被公認為充滿混亂與災禍的一年。各式各樣的大事件諸如新冠肺炎、中亞東歐台海等地的地緣政治衝突、英國脫歐、美國總統大選都將世界各地的人們帶向跟過去截然不同的生活。TeamT5 在過去一年中持續幫助受到國家力量支持的針對性攻擊行動（或稱 APT 攻擊）所受害的單位。同時間 TeamT5 的威脅情資團隊也主動追蹤 APT 攻擊者的各類行蹤。跟真實世界相比較，網路世界的混亂情況並不亞於我們於現實世界所見，同時網路世界的衝突有很大一部份是真實世界的映射或延伸。本篇文章將探討 TeamT5 在 2020 年所觀察到的台灣威脅態勢。

在本篇文章中，我們首先會為您介紹我們在 2020 年所觀察到的重大趨勢，包含了：

- APT 攻擊的演進，網路間諜不再是唯一的攻擊手段
- 供應鏈攻擊成為 2020 年 APT 攻擊的主要攻擊方式之一
- 由新冠肺炎所引發的網路攻擊

接著我們會針對所觀察到的攻擊行動進行分析，試圖以產業別以及攻擊族群視角來進行網路威脅情資的剖析。文章的最後則是我們對如何應對網路攻擊不斷變化的建議作為總結。

 

## 網路間諜不再是唯一的攻擊手段

2020 年所公開的網路攻擊中，影響最深遠的當數中國 APT 攻擊者於五月時針對多個能源產業公司所進行的勒索軟體攻擊 [1]。TeamT5 研究顯示，這是一個來自中國惡名昭彰的 APT 攻擊族群，規畫已久的攻擊行動。這個行動究竟是攻擊者單純以獲取金錢為目的所發起的勒索行動，抑或是以勒索軟體為掩護的政治嚇阻行動（時值 520 台灣總統上任前），背後的答案依舊成謎。無論如何，本次的攻擊行為已為中國對台 APT 攻擊行動劃下新的里程碑：中國 APT 已針對台灣進行二十年以上的攻擊，但行動範圍都維持在竊取機密為目的而進行的網路間諜行動，這次攻擊意味著攻擊者將開始採用更多元的戰術來對台灣進行網路打擊行動。

另一個發生在 PTT BBS 論壇上的攻擊行動可以佐證我們的臆測：在 2020 年七月，TeamT5 追蹤了一連串的 BBS 爆料貼文，試圖詆毀台灣政府與軍方的形象，攻擊者使用了多個境外跳板 IP 位址來試圖隱藏他們的來源，然而 TeamT5 的情資資料庫顯示，其中一個來源 IP 曾被某個鎖定台灣已久的 APT 攻擊族群所使用；無獨有偶，我們也獲得某訊息來源指出，該 APT 族群正是隱身在此次行動背後的攻擊者。我們相信這兩個事件正是一個警訊，告訴我們中國 APT 族群正在嘗試各種過去沒使用過的手法來做更多樣性的攻擊行動。

 

## 供應鏈攻擊成為 2020 年 APT 攻擊的主要攻擊方式之一

TeamT5 曾在過去示警過供應鏈攻擊手法的危險性 [2]，研究顯示它在 2020 年已經成為 APT 攻擊的一種主要入侵手法之一：2020 年十二月被揭露的 SolarWinds/SUNBURST 攻擊行動無疑是當前最成功的案例之一，受害目標包含了許多美國高層政府部門，全球前五百大公司，甚至數個資安廠商本身也在本次攻擊中被攻擊者攻陷，它的手法精細而行動縝密，以致於目前仍無法掌握整個攻擊全貌。在台灣，TeamT5 也觀察到至少三波的攻擊行動使用了類似的手法：攻擊者先針對服務供應商進行滲透，再進一步利用供應商的產品或服務當跳板來直接進入終端用戶，包含政府部門或其他各產業的公司。前兩波的攻擊行動已於八月間被法務部調查局所公開揭露 [3]，而第三波攻擊行動仍在調查中。我們目前已觀察到數十家甚至上百的台灣公私單位被這些行動所成功滲透，而且至少有三個來自中國的 APT 族群參與其中。

 

## 由新冠肺炎所引發的網路攻擊

第三個攻擊趨勢則為新冠肺炎所趨使的網路攻擊行動。隨著新冠肺炎疫情爆發數週內，TeamT5 就觀察到有國家支持的網路攻擊者開始疫情相關的情報蒐集；隨著時序進入下半年，攻擊者的目標開始轉向疫苗發展資訊的蒐集，可以看出網路攻擊行動隨著現實世界改變的趨勢。在台灣，TeamT5 也分析了數個以新冠疫情為主題所進行的攻擊行動，甚至有數波針對醫療相關部門的針對性攻擊行動。我們相信只要疫情尚未消散的一天，相關的攻擊行動就會持續進行。

TeamT5 威脅情資團隊在 2020 年分析了近百個來自中國的 APT 攻擊。統計結果顯示，政府和軍方部門仍為最大的攻擊目標，相對應的攻擊事件超過了總數的四分之一，幾乎每個在台灣地區有活動的 APT 族群都會嘗試攻擊相關部門，主要的原因在於 APT 的主要目標是獲取國家相關的機密情資。值得注意的是，針對資訊產業的攻擊在 2020 年躍升為第二大，顯示 APT 攻擊對資訊公司的高度興趣，主要的原因應與前述的供應鏈攻擊趨勢有關：這些資訊產業公司往往同時服務許多客戶並橫跨不同部門產業，攻陷這些資訊公司提供攻擊者一個絕佳的跳板來進一步滲透終端客戶。

能源產業是 2020 年被針對的第三大產業，TeamT5 觀察到至少有五個族群針對能源產業鏈中的多個部門進行滲透，我們認為這是一個徵兆，顯示敵人試圖控制台灣關鍵基礎設施的野心，因為這些部門在戰爭時期將會成為優先被癱瘓的目標。教育和智庫單位長久以來也名列 APT 攻擊目標排行榜中，相對應的攻擊數量在 2020 年位居第四名，主要的原因在於這些單位中的研究人員往往參與了政府的研究計畫或是政策制定。半導體產業是我們觀察到第五大被針對的目標，由於中國官方將半導體明定為十三五和十四五計畫中重點扶植的產業，這些攻擊應為有計劃性的網路間諜活動，目的在於竊取台灣相關的智慧財權或產業機密。醫療和運輸產業也是兩個在 2020 年被中國 APT 重點性針對的目標產業，如同前述，我們相信新冠肺炎可能是一個趨使攻擊者針對醫療產業的主要因素；交通相關產業部份，TeamT5 觀察到一個值得注意的現象：有一個我們稱為 GouShe（亦稱為 TroppicTropper、Keyboy）的 APT 族群特別針對台灣的交通運輸相關部門進行滲透，2020 年間的相關攻擊事件有七成以上均來自該族群。

![0510-1.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1620618167/0510_1_bceb3b6be1.png)
_2020 年 APT 攻擊目標產業分佈_

 

TeamT5 於 2020 年間共追蹤了至少九個 APT 族群的攻擊行動，當中有八個是來自中國。HUAPI（亦稱為 BlackTech、PLEAD）是所有族群中最具野心的一群，他們的攻擊行動佔了我們所觀察到總數近三成，而且攻擊目標幾乎涵蓋了上述的所有產業。我們在前面所提到的台灣供應鏈攻擊行動他們也都有參與。APT27（亦稱 EmissaryPanda、IronTiger、LuckyMouse、BronzeUnion）、GouShe 和 AMOEBA（亦稱 APT41、Barium、Winnti）也是在 2020 年攻擊台灣的數個主要攻擊來源族群：據 TeamT5 研究，APT27 主要攻擊政府、醫療和金融相關單位和產業。GouShe 近一、兩年的攻擊行動，展現了針對交通運輸部門和產業的高度興趣，同時我們也在能源和政府單位觀察到他們的蹤跡，TeamT5 針對此族群追蹤了近十年，研究結果顯示該族群可能接受所屬單位指令來監控台灣的關鍵基礎設施，並可能在關鍵時刻針對這些單位進行控制和接管。

AMOEBA 在過去一年間主要攻擊目標包含了能源、半導體產業，教育智庫單位和資訊產業，從攻擊目標推斷，他們的主要目的偏向於智財和產業機密竊取，但我們不排除攻擊者會嘗試利用攻擊獲取成果進行二次利用，如同他們在五月間所進行的勒索攻擊行動一樣。SLIME1、SLIME9、SLIME13 是 TeamT5 對三個中國 APT 攻擊行動的暫時行動代稱，我們在近幾年都有持續觀察到他們的行動。Polaris（亦稱 MustangPanda）則是一個針對幾乎中國鄰近國家的 APT 族群，我們在三、四月間發現有多個來自他們的釣魚信件針對台灣政府和研究單位進行攻擊，我們推測他們試圖蒐集新冠肺炎相關疫情資訊。最後，我們在台灣也有發現一個由北韓 APT 族群 Lazarus 所使用的 Linux 後門工具，但沒有進一步資訊可以確認受害者身份資訊，雖然台灣在政治上並非北韓 APT 的主要攻擊目標，但由於 Lazarus 族群被公認肩負為北韓政府籌措財源的責任，舉例來說，2017 年發生在台灣銀行的 SWIFT 系統攻擊事件就是由 Lazarus 所為，此樣本也許是一個顯示 Lazarus 仍持續在台灣地區有活動跡象的警訊。

![0510-2.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1620615927/0510_2_a0a7b82a23.png)
_2020 年間攻擊台灣的 APT 族群_

 

## 結語

TeamT5 相信認識敵人是有效對抗針對性攻擊的第一步，而本文章主要針對 2020 年間所觀察到的 APT 網路攻擊態勢，提供一個概觀說明。TeamT5 威脅情資研究顯示 APT 攻擊手法持續進化，真正高端複雜的行動已經不可能由單一個資安產品做有效的防護。TeamT5 [ThreatVision](https://teamt5.org/tw/products/threatvision/) 是一個以網路威脅情資為核心概念的防護方案，同時我們有一群專業的專家分析師持續做研究來讓我們持續領先於攻擊者的腳步。

> 如果您希望進一步了解我們的資安產品、解決方案或是想跟我們討論您所面臨的網路威脅，我們誠摯歡迎您與我們聯絡：[https://teamt5.org/tw/request-information/](https://teamt5.org/tw/request-information/)

 

### 參考資料

[1] https://www.ithome.com.tw/news/139331

[2] https://www.slideshare.net/codeblue_jp/cb19-resistance-is-futilethe-undefendable-supplychain-attack-by-sungting-tsai-linda-kuo

[3] https://www.youtube.com/watch?v=1KXb-sf_wos

[4] https://www.reuters.com/article/us-cyber-heist-north-korea-taiwan-idUSKBN1CL2VO

2020 年台灣 APT 網路攻擊態勢

Threat Intelligence

> We are honored to be interviewed by  [Cybernews](https://cybernews.com/), a research-based online publication that helps people navigate a safe path through their increasingly complex digital lives. In the interview, we share how TeamT5 originated with our cyber threat intelligence researches and how we do to help clients fight against ransomware. The whole interview report is below or can be viewed at [Cybernews](https://cybernews.com/security/sung-ting-tsai-teamt5-companies-shouldnt-claim-themselves-as-100-secured-or-unhackable/)。

**A ransomware attack may be a once-in-a-lifetime event for some, while for others, it is more so of an evergoing battle of wits, technology, and speed, which requires constant diligence and preparations.**

While more and more companies invest in proper cybersecurity measures, both by investing in professional infrastructures and [relying on commercial privacy and data protection management tools](https://cybernews.com/best-password-managers/), not many are involved in actively hunting threats that may as well have already penetrated their defenses.

To discuss such issues, Cybernews sat down with Sung-ting Tsai, the Chief Executive Officer of [TeamT5](https://teamt5.org/en/) – a cybersecurity intelligence firm. We talked about the dos and don’ts in the event of a ransomware attack and what cybersecurity measures are most important to take.

### Tell us about your story. How did TeamT5 originate?

Previously, I worked in a big cybersecurity company and led a research team. I found that clients often got hacked even though we made great solutions. I think the key is we didn’t have insights on attackers’ TTP (tactics, techniques, and procedures) so our defense couldn’t protect clients from those attackers.

Therefore, I became interested in cyber threat intelligence (CTI) research and decided to build TeamT5 to do CTI research. Back then, our team already discovered that the latest and advanced cyberattacks happened in Taiwan first. It gives us advantages to publish in-depth analysis and research.

Our niche is that we have focused on cyberattacks and cyber espionage for a long time. As not many people focus on this area, our research results are even more valuable and help many people and organizations around the world, especially in the US, Japan, and Korea.

Then, we made our reports of cyber threat intelligence into a solution – ThreatVision, a portal to see through the chaos. In 2017, we developed ThreatSonar which is an engine to hunt down intruders. It helps clients to defend against cyberattacks. When others can’t catch malicious cyberattacks – we can.

Since we established, we consider cyber threat intelligence research as the most important task. We have published more than 30 research papers in international cybersecurity seminars and conferences, including Black Hat Asia, SANS Institute – CTI Summit, Virus Bulletin (VT), and CodeBlue. Our findings are recognized by many clients, including one of the top five international banks, top telecom and business groups in Japan, and governmental critical infrastructures in Taiwan.

### Can you tell us a little bit about what you do? What challenges do you help navigate?

Our mission is to become the best partner to defend against advanced persistent threats (APTs).

Clients are facing two challenges:

1. While attackers know a lot about clients, our clients know a little about what they’re facing.
2. Clients don’t have sufficient technology to defend against attackers.

To help a client beat ransomware and cyber espionage, we provide three types of solutions:

1. **Threat Intelligence** – let clients know the enemies well and plan defense strategies.
2. **Defense Technology **– let clients be equipped with good tools in order to hunt down the enemies.
3. **Professional Service** – we work with clients to help them deal with various cyber threats.

### You often emphasize the importance of proactive threat hunting. Can you briefly describe this practice?

Traditionally, the idea of cybersecurity protection is to do multi-layered defense. However, the current problem is that enterprises don’t know whether attackers are already on the intranet.

So, we suggest that “proactive threat hunting” is a better idea for cyber protection nowadays. It means enterprises use our tool ThreatSonar Anti-Ransomware to do active and aggressive scans on logs from SIEM (security information and event management). Enterprises can even apply new screening rules on previous logs to discover previous malicious activities.

### How do you think the recent global events influenced the ways in which threat actors operate?

Looking into cyber attackers' behaviors, you can see that cyberattacks are effective and their impacts are bigger than ever. These impacts can be categorized into two types – one is leaking important information, while the other is data sabotage and ransom.

We observe that more operations with more power are conducted by many countries. Countries are also focusing on information operations (InfoOps). They invest more resources in public opinion operations, social media operations, and media operations. Their goal is to achieve impacts with certain purposes.

Recently, Ukraine conducts such operations really well. It indicates that if there are wars or disputes between counties in the future, such InfoOps will be common scenes.

### In the age of frequent cyberattacks, do you think small businesses and big enterprises require the same security measures?

In fact, it’s unlikely that small businesses apply the same cybersecurity measures as big enterprises. Our suggestion is for small businesses to use the same cybersecurity framework and ideas as big enterprises do. And small businesses shall prioritize each task and start with the most important parts.

We found that the most challenges that small businesses are not willing to invest in are cybersecurity measures. However, it’s important to do that in order to make business operations go smoothly.

### Since ransomware is one of your main fields of focus, could you give us a few tips on what should and shouldn't be done in the event of such an attack?

I advise companies to do defense in four steps:

1. **Threat awareness** – catch up on the latest cyber intelligence to understand the potential threats.

2. **Before attack** – deploy tools and measures to be prepared, e.g. backup your data and deploy anti-ransomware solutions.

3. **During attack** – have tools to see attacks that are happening (which means to make attacks visible); if there are attacks happening, enterprises shall have response measures.

4. **After attack** – companies shall have a standard operation procedure (SOP) on how to recover files and services. If companies prepare well, they may return to normal operations within a day; otherwise, they may still be shut down for a week, or even have to pay a ransom. Companies shall prepare for a negotiation. Some professional teams can help with that and lower the ransom amount.

Other things one should and shouldn't do:

1. Should – backup your files and patch up security

2. Shouldn't – threaten attackers

### In your opinion, what are the worst cybersecurity habits that make companies attractive targets for ransomware hackers?

Do not provoke actors! They are more capable than you think. Companies shouldn’t claim themselves as 100% secured or unhackable as tall trees catch much wind. For ransomware prevention, the most important thing is to do backups and put them offline.

### What new threats do you think the public should be ready to take on in the next few years? What security tools should be implemented by every internet user?

Firstly, there will be more ransomware attacks. The reason is that attackers are protected and hidden behind various technologies, such as the dark web (run on Tor), cryptocurrencies, and secured instant messengers. And victims are willing to pay to get files back. It makes ransomware attacks a profitable business.

The second threat is that countries will invest more in cyberattacks, including developing cyber weapons, increasing the power of cyberattacks, and recruiting more talents.

We suggest enterprises and government units invest more in cybersecurity in order to defend against the threats mentioned above. We think the key is cyber threat intelligence rather than tools. When enterprises and government units know more about attackers, they can defend better. As the old saying goes – know the enemy and know yourself in a hundred battles, and you will never be in peril.

### Share with us, what’s next for TeamT5?
We hope to increase our influence through cyber threat intelligence research. We believe our experience, research, and technology shared with more people can help them deal with APT threats.

【Cybernews】Sung-ting Tsai, TeamT5: “companies shouldn’t claim themselves as 100% secured or unhackable”

> 我們很高興受到  [Cybernews](https://cybernews.com/) 專訪，該線上媒體以資安研究為核心，協助人們在日益複雜的數位生活中，走出一條安全的道路。在本次專訪中，執行長蔡松廷(Sung-ting Tsai)分享公司成立的緣起，乃是基於威脅情資研究；並分享我們如何協助客戶防禦勒索軟體入侵。完整訪問內容可參考下方轉載，或至 CyberNews 官網閱讀 ([全文連結](https://cybernews.com/security/sung-ting-tsai-teamt5-companies-shouldnt-claim-themselves-as-100-secured-or-unhackable/)).

**A ransomware attack may be a once-in-a-lifetime event for some, while for others, it is more so of an evergoing battle of wits, technology, and speed, which requires constant diligence and preparations.**

While more and more companies invest in proper cybersecurity measures, both by investing in professional infrastructures and [relying on commercial privacy and data protection management tools](https://cybernews.com/best-password-managers/), not many are involved in actively hunting threats that may as well have already penetrated their defenses.

To discuss such issues, Cybernews sat down with Sung-ting Tsai, the Chief Executive Officer of [TeamT5](https://teamt5.org/en/) – a cybersecurity intelligence firm. We talked about the dos and don’ts in the event of a ransomware attack and what cybersecurity measures are most important to take.

### Tell us about your story. How did TeamT5 originate?

Previously, I worked in a big cybersecurity company and led a research team. I found that clients often got hacked even though we made great solutions. I think the key is we didn’t have insights on attackers’ TTP (tactics, techniques, and procedures) so our defense couldn’t protect clients from those attackers.

Therefore, I became interested in cyber threat intelligence (CTI) research and decided to build TeamT5 to do CTI research. Back then, our team already discovered that the latest and advanced cyberattacks happened in Taiwan first. It gives us advantages to publish in-depth analysis and research.

Our niche is that we have focused on cyberattacks and cyber espionage for a long time. As not many people focus on this area, our research results are even more valuable and help many people and organizations around the world, especially in the US, Japan, and Korea.

Then, we made our reports of cyber threat intelligence into a solution – ThreatVision, a portal to see through the chaos. In 2017, we developed ThreatSonar which is an engine to hunt down intruders. It helps clients to defend against cyberattacks. When others can’t catch malicious cyberattacks – we can.

Since we established, we consider cyber threat intelligence research as the most important task. We have published more than 30 research papers in international cybersecurity seminars and conferences, including Black Hat Asia, SANS Institute – CTI Summit, Virus Bulletin (VT), and CodeBlue. Our findings are recognized by many clients, including one of the top five international banks, top telecom and business groups in Japan, and governmental critical infrastructures in Taiwan.

### Can you tell us a little bit about what you do? What challenges do you help navigate?

Our mission is to become the best partner to defend against advanced persistent threats (APTs).

Clients are facing two challenges:

1. While attackers know a lot about clients, our clients know a little about what they’re facing.
2. Clients don’t have sufficient technology to defend against attackers.

To help a client beat ransomware and cyber espionage, we provide three types of solutions:

1. **Threat Intelligence** – let clients know the enemies well and plan defense strategies.
2. **Defense Technology **– let clients be equipped with good tools in order to hunt down the enemies.
3. **Professional Service** – we work with clients to help them deal with various cyber threats.

### You often emphasize the importance of proactive threat hunting. Can you briefly describe this practice?

Traditionally, the idea of cybersecurity protection is to do multi-layered defense. However, the current problem is that enterprises don’t know whether attackers are already on the intranet.

So, we suggest that “proactive threat hunting” is a better idea for cyber protection nowadays. It means enterprises use our tool ThreatSonar Anti-Ransomware to do active and aggressive scans on logs from SIEM (security information and event management). Enterprises can even apply new screening rules on previous logs to discover previous malicious activities.

### How do you think the recent global events influenced the ways in which threat actors operate?

Looking into cyber attackers' behaviors, you can see that cyberattacks are effective and their impacts are bigger than ever. These impacts can be categorized into two types – one is leaking important information, while the other is data sabotage and ransom.

We observe that more operations with more power are conducted by many countries. Countries are also focusing on information operations (InfoOps). They invest more resources in public opinion operations, social media operations, and media operations. Their goal is to achieve impacts with certain purposes.

Recently, Ukraine conducts such operations really well. It indicates that if there are wars or disputes between counties in the future, such InfoOps will be common scenes.

### In the age of frequent cyberattacks, do you think small businesses and big enterprises require the same security measures?

In fact, it’s unlikely that small businesses apply the same cybersecurity measures as big enterprises. Our suggestion is for small businesses to use the same cybersecurity framework and ideas as big enterprises do. And small businesses shall prioritize each task and start with the most important parts.

We found that the most challenges that small businesses are not willing to invest in are cybersecurity measures. However, it’s important to do that in order to make business operations go smoothly.

### Since ransomware is one of your main fields of focus, could you give us a few tips on what should and shouldn't be done in the event of such an attack?

I advise companies to do defense in four steps:

1. **Threat awareness** – catch up on the latest cyber intelligence to understand the potential threats.

2. **Before attack** – deploy tools and measures to be prepared, e.g. backup your data and deploy anti-ransomware solutions.

3. **During attack** – have tools to see attacks that are happening (which means to make attacks visible); if there are attacks happening, enterprises shall have response measures.

4. **After attack** – companies shall have a standard operation procedure (SOP) on how to recover files and services. If companies prepare well, they may return to normal operations within a day; otherwise, they may still be shut down for a week, or even have to pay a ransom. Companies shall prepare for a negotiation. Some professional teams can help with that and lower the ransom amount.

Other things one should and shouldn't do:

1. Should – backup your files and patch up security

2. Shouldn't – threaten attackers

### In your opinion, what are the worst cybersecurity habits that make companies attractive targets for ransomware hackers?

Do not provoke actors! They are more capable than you think. Companies shouldn’t claim themselves as 100% secured or unhackable as tall trees catch much wind. For ransomware prevention, the most important thing is to do backups and put them offline.

### What new threats do you think the public should be ready to take on in the next few years? What security tools should be implemented by every internet user?

Firstly, there will be more ransomware attacks. The reason is that attackers are protected and hidden behind various technologies, such as the dark web (run on Tor), cryptocurrencies, and secured instant messengers. And victims are willing to pay to get files back. It makes ransomware attacks a profitable business.

The second threat is that countries will invest more in cyberattacks, including developing cyber weapons, increasing the power of cyberattacks, and recruiting more talents.

We suggest enterprises and government units invest more in cybersecurity in order to defend against the threats mentioned above. We think the key is cyber threat intelligence rather than tools. When enterprises and government units know more about attackers, they can defend better. As the old saying goes – know the enemy and know yourself in a hundred battles, and you will never be in peril.

### Share with us, what’s next for TeamT5?
We hope to increase our influence through cyber threat intelligence research. We believe our experience, research, and technology shared with more people can help them deal with APT threats.

【Cybernews 專訪】TeamT5 執行長蔡松廷表示企業不宜宣稱自身100%不會被駭入

News

In March 2021, another REvil's attack was announced. Targeting the computer giant Acer, the actors behind the ransomware asked for 50 million dollars, the highest ransom they have demanded so far. Acer was not the only victim of the notorious ransomware. Debuted in April 2019, REvil has attacked hundreds of high-profile agencies in multiple sectors. In 2020, REvil has earned more than 100 million.[1] In this report, we will introduce the basic profile of REvil and share the techniques they used in operations. 


## What is REvil 

REvil, a.k.a Sodinokibi, is a Ransomware as a Service (RaaS) operation deployed by a Russian cybercrime group named GOLD SOUTHFIELD or Pinchy Spider. The group is believed to be based in Russia, as it does not attack organizations in Post-Soviet States, and refuse to cooperate with English speaking cyber criminals.[2] 

REvil was highly possible the successor of GandCrab, another notorious ransomware, because of code similarities and REvil's active operations right after GandCrab's retirement.[3]

![REvil_1.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1621845336/R_Evil_1_035a848033.png)
_Figure 1: The timeline of REvil's appearance and GandCrab's retirement_

 

![REvil_2.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1621845337/R_Evil_2_804b2676dc.png)
_Figure 2: REvil and GandCrab's similarity on string decoding_

 

![REvil_3.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1621845337/R_Evil_3_e9724a2992.png)
_Figure 3: REvil and GandCrab's similarity on building ransom wallpaper_

 

Numerous campaigns attacking multiple sectors were observed all over the world. The REvil actors has attacked local governments, giant law firms, multinational retailers, etc. The highest ransom they have asked was 42 million for the law firm but was now surpassed by the 50 million Acer attack. (References for the events, please see the end of this page.[4])

 

![REvil__4.jpeg](https://res.cloudinary.com/dvgomg5gh/image/upload/v1621845337/R_Evil_4_56bc894487.jpg)
_Figure 4: The timeline of REvil's notorious attacks_

 

## The Ransomware as a Service model (RaaS)

The actors of REvil adopt the Ransomware as a Service business model. In this model, Ransomware developers are responsible for development and maintenance of the ransomware, while the groups of cyber criminals, named affiliates in this model, are responsible for accessing victims' system to distribute the ransomware. The business model allows cyber criminals who are not capable of developing their own ransomware to buy the service on dark web and deploy ransomware attack. 
 
Through this model, REvil actors provide REvil or the customized version of REvil to their affiliates. After they successfully breached victims' systems, REvil actors will ask for ransom by themselves, providing the ransom payment link. After the collection of money, their affiliates will receive 60% to 75% of the profit. Moreover, the actors also provide other paid services, such as money laundering assistance for the affiliates. 

![May_blog_3.jpeg](https://res.cloudinary.com/dvgomg5gh/image/upload/v1620634812/May_blog_3_71c24e74f2.jpg)

 

## Tactic, Techniques and Procedures
### Initial Access
For REvil, different affiliates may use different methods for initial access. The ransomware is now distributed primarily through compromised RDP sessions (65%), phishing (16%), and software vulnerabilities (8%).[5] However, a supply chain attack distributing REvil was also observed.

REvils' actors said in an interview that they used brute force attacks to compromise RDP sessions.[1] As for phishing emails, the cyber criminals have once disguised their email as a new booking from "booking.com". They also exploit vulnerabilities. In fact, REvil's debut was exploiting the Oracle Weblogic vulnerability, CVE-2019-2725. Moreover, the actors are able to deploy new vulnerabilities after its disclosure. For example, the group used the recent disclosed Microsoft Exchange server vulnerability to access Acer's system.

The most astounding technique they deployed is supply chain attack. Around June 2019, a WINRAR distributor site in Italy was hacked.[6][7] The software downloaded from the site at that time was not the WINRAR installer but the REvil installer. Although no public announcements showing that any company was infected in this attack, the successful replacement shows that their affiliates were able to deploy a supply chain attack. 

Apart from their various method on initial access, the cyber criminals also adopted several unique techniques. For example, REvil used Elliptic-curve Diffie-Hellman key exchange to encrypt files, while other ransomware often used RSA, Salsa20 or AES to do so. This method is more efficient as it used shorter key and is difficult to decrypt. 

 

## The Effective Methods for Ransom Collection
Nowadays, as ransomware attacks become a serious problem, most companies have learned to back up crucial data in case they are hit by a ransomware. However, ransomware actors develop several new methods to ensure that the victims will pay the ransom, including Double-extortion, VoIP calling, and DDoS attack.

- "Double-extortion"
 
The actors disclose or sell the data of the company if the company is not willing to pay ransom. This method was first introduced by Maze, another notorious ransomware, and currently almost all ransomware actors have adopted this method, and so as REvil. Starting from January 2020, the group runs their own site "Happy Blog", where they post data extorted from their victims.

- Voice over Internet Protocol (VoIP) calling
 
In February 2021, they announced that they are now offering Voice over Internet Protocol (VoIP) calling and DDoS attack service for their affiliates to make pressure on their victims.[8] They stated that they will call the media or their victims' business partners, telling them about the attack. 

 

## Detect and Defense
For prevention, it is always crucial to be aware of spamming emails. Nowadays, spamming emails is still the most popular and effective method to access victims' computers. 

In addition, keep an eye on new exploits and updates is also important. Ransomware groups usually are not capable of discovering 0-day exploits by themselves, but they will exploit the disclosed vulnerabilities and attack those who have not updated their system. Thus, keep computers updated and patched systems immediately after the disclosure is essential for preventing ransomware attack.

Furthermore, as the REvil business grows, the actors behind has posted on dark web to recruit more affiliates for their operations. Thus, more attacks from the group is expected. TeamT5 will keep following the ransomware and provide up-to-date information of the notorious ransomware.

To efficiently prevent ransomware attacks, TeamT5 offers a total solution for enterprise protection. Our unique ransomware containment technology is proven to successfully block many types of ransomware, which can detect and stop malicious ransomware immediately. And even restore encrypted files from the backup.

For more information about TeamT5 Ransomware Prevention total solution, please contact: <sales@teamt5.org>

 

## References

[1] https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/

[2] https://www.advintel.io/post/inside-revil-extortionist-machine-predictive-insights

[3] https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/

[4] Texas Municipalities - https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/; Backup Company - https://www.zdnet.com/article/ransomware-hits-hundreds-of-dentist-offices-in-the-us/; Foreign Exchange Company - https://www.bbc.com/news/business-51017852; US Law Firm - https://www.zdnet.com/article/ransomware-gang-asks-42m-from-ny-law-firm-threatens-to-leak-dirt-on-trump/; Pan-Asia Retailer - https://www.bleepingcomputer.com/news/security/pan-asian-retail-giant-dairy-farm-suffers-revil-ransomware-attack/

[5] https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html

[6] https://www.drcommodore.it/2019/06/20/hackerato-winrar-it-malware-al-posto-del-programma/

[7] https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/

[8] https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-call-victims-business-partners-about-attacks/


*Image courtesy of [Pixabay](https://pixabay.com/)

Introducing The Most Profitable Ransomware REvil

2021年3月、再びREvilによる攻撃が発表されました。コンピューター大手Acerを標的にしたこのランサムウェア攻撃では、これまでに要求された身代金の中でも最も高額となる5000万ドルが要求されました。この悪名高いランサムウェアの被害者は、Acerだけには留まりません。2019年4月に初めて登場したREvilは、複数の分野にまたがって数百社にのぼる著名な機関を攻撃しています。2020年には、REvilは1億ドル以上を稼ぎ出しています。[1] 本レポートでは、REvilの基本的な特徴とともに、使用されているテクニックについてもご紹介します。

## REvilとは 

REvilの別名は「Sodinokibi」であり、ロシアのサイバー犯罪グループであるGOLD SOUTHFIELDあるいはPinchy Spiderによって展開されたRansomware as a Service（RaaS）オペレーションです。ポストソビエト諸国にある組織は攻撃しておらず、英語圏のサイバー犯罪者への協力を拒否していることから、このグループはロシアを拠点としていると考えられています[2]。 

REvilは、同じく悪名高いランサムウェアであるGandCrabの後継である可能性が高いと思われます。コードに類似点があり、GandCrabが引退した直後にREvil攻撃が活発化したからです[3]。


![introducing-the-most-profitable-ransomware-revil_JP_figure1.png](https://uploads.teamt5.org/upload/original/introducing-the-most-profitable-ransomware-revil_JP_figure1.png)
_図1：REvilの登場とGandCrabの引退の時系列_

 

![REvil_2.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1621845337/R_Evil_2_804b2676dc.png)
_図2：REvilとGandCrabの文字列解読に見られる類似性_

 

![REvil_3.png](https://res.cloudinary.com/dvgomg5gh/image/upload/v1621845337/R_Evil_3_e9724a2992.png)
_図3：REvilとGandCrabの身代金用の壁紙の構築に見られる類似点__

 

複数の事業分野に対する攻撃キャンペーンが世界中で数多く観測されました。REvilの脅威アクターは、地方自治体、大手法律事務所、多国籍小売業者などを標的として攻撃しています。要求された身代金の最高額は法律事務所に対する4200万ドルでしたが、今回のAcerに対する攻撃では、それを上回る5000万ドルという金額が要求されています。（この事象に関する参考文献については、本ページの末尾を参照。[4]）

 

![introducing-the-most-profitable-ransomware-revil_JP_figure4.png](https://uploads.teamt5.org/upload/original/introducing-the-most-profitable-ransomware-revil_JP_figure4.png)
_図4：REvilの悪名高い攻撃の時系列_

 

## サービスとしてのランサムウェアモデル（RaaS：Ransomware as a Service model）

REvilを使った脅威アクターは、「サービスとしてのランサムウェア」のビジネスモデルを採用しています。このモデルでは、ランサムウェア開発者はランサムウェアの開発と保守を担当し、このモデルではアフィリエイトと呼ばれるサイバー犯罪者集団が被害者のシステムにアクセスしてランサムウェアを配布する役割を担っています。このビジネスモデルでは、自分自身でランサムウェアを開発できないサイバー犯罪者が、ダークウェブでサービスを購入し、ランサムウェア攻撃を展開することができます。
 
このモデルを通じて、REvilの脅威アクターはREvilあるいはREvilのカスタマイズされたバージョンをアフィリエイトに提供します。被害者のシステムに首尾よく侵入した後、REvilの脅威アクターは身代金の支払いリンクを提供し、自らで身代金の支払いを要求します。集金後、アフィリエイトには利益の60%～75%が支払われます。それだけでなく、こういった脅威アクターは、アフィリエイトに対してマネーロンダリングを支援するなどの有料サービスも行っています。

![introducing-the-most-profitable-ransomware-revil_JP_figure5.png](https://uploads.teamt5.org/upload/original/introducing-the-most-profitable-ransomware-revil_JP_figure5.png)

 

## 戦術とテクニック、そしてその手順
### 初期アクセス
REvilの場合、アフィリエイトによって初期アクセスの方法が異なる可能性があります。現在、このランサムウェアは、主に侵害されたRDPセッション（65%）、フィッシング攻撃（16%）、およびソフトウェアの脆弱性（8%）によって配布されています。[5] しかしながら、Revilを配布するサプライチェーン攻撃も確認されています。

REvilsの脅威アクターは、RDPセッションを侵害するにあたりブルートフォース攻撃を仕掛けたとインタビューで語っています。[1] フィッシングメールに関しては、サイバー犯罪者が一度、メールを「booking.com」からの新しい予約案内に見せかけていたことがわかっています。脆弱性を突くこともあります。実際、REvilの初めての攻撃は、Oracle Weblogicの脆弱性である「CVE-2019-2725」を突いたものでした。それだけでなく、脅威アクターは、公開後に新たな脆弱性を展開することもできます。例えば、犯罪グループは、最近公開されたMicrosoft Exchangeサーバーの脆弱性を利用して、Acerのシステムにアクセスしています。

展開された中でも、最も驚くべき手法であったのがサプライチェーン攻撃です。2019年6月頃、イタリアのWINRAR販売サイトがハッキングされました。[6][7] このときサイトからダウンロードされたソフトウェアは、WINRARインストーラーではなく、REvilインストーラーでした。この攻撃によって企業が感染したことを示す公表はありませんでしたが、ファイルの交換に成功していたという事実から、アフィリエイトがサプライチェーン攻撃の展開に成功したことを示しています。

初期アクセス時の様々な手口だけではなく、サイバー犯罪者は様々な独自のテクニックも採用しています。例えば、REvilでは楕円曲線ディフィー・ヘルマン鍵共有を使用してファイルを暗号化していましたが、他のランサムウェアでは、RSA、Salsa20またはAESを使用して暗号化されていることがよくあります。この方法は、鍵が短くなり解読が困難になることから、より効率的な方法と言えます。

 

## 身代金を回収するための効果的な方法
昨今では、ランサムウェア攻撃が深刻な問題となっているため、ほとんどの企業がランサムウェアの被害に遭った場合に備えて重要なデータをバックアップすることを学んでいます。しかしながら、ランサムウェアの脅威アクターは、被害者に確実に身代金を支払わせるため、二重の脅迫、VoIPコール、DDoS攻撃などの複数の新たなメソッドを開発しています。

- 「二重の脅迫」
 
企業が身代金の支払いに応じない場合、脅威アクターは企業のデータを開示するか売却します。このメソッドは、もう一つの悪名高いランサムウェアであるMazeが最初に導入したやり方で、現在ではほとんどすべてのランサムウェアの脅威アクターがこの方法を採用しており、REvilもその一つです。2020年1月以降、このグループは被害者から奪ったデータを掲載するための自社サイト「Happy Blog」を運営しています。

- VoIP（Voice over Internet Protocol）コール
 
2021年2月には、被害者に圧力をかけるため、アフィリエイト向けにVoIP（Voice over Internet Protocol）コールとDDoS攻撃サービスをしかけると発表しました。[8] 彼らはメディアや被害者の取引先に電話をかけて、攻撃について伝えると述べています。

 

## 検出と防御
防止するためには、スパムメールに常に注意することが不可欠です。現在も、スパムメールが被害者のコンピューターにアクセスする最も一般的かつ効果的な方法となっています。

さらに、新たな悪用やアップデートに目を向けることも重要です。ランサムウェア攻撃グループは通常、自分たちでゼロデイ攻撃を発見する能力はありませんが、公開された脆弱性を悪用し、システムをアップデートしていない人に向けて攻撃をしかけます。従って、ランサムウェア攻撃を防止するためには、公開後はすぐにコンピューターを更新し、システムにパッチを当てることが不可欠です。

さらに、REvilの攻撃ビジネスが成長する中で、背後にいる脅威アクターはダークウェブに掲載し、操れるより多くのアフィリエイトを募集しています。ですから、このグループからの攻撃はさらに増えることが予想されます。TeamT5では、引き続きこのランサムウェアの追跡調査を続け、今後もこの悪名高いランサムウェアの最新情報を提供していきます。

ランサムウェア攻撃を効率的に防ぐために、TeamT5では企業向けのトータル保護ソリューションを提供しています。当社独自のランサムウェア封じ込め技術は、多くの種類のランサムウェアのブロックに成功した実績があり、悪質なランサムウェアを即座に検知して停止させることができます。さらに、バックアップから暗号化されたファイルを復元することも可能です。

TeamT5のランサムウェア防止トータルソリューションの詳細については、こちらからお問い合わせください：<sales@teamt5.org>

 

## 参考文献

[1] https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/

[2] https://www.advintel.io/post/inside-revil-extortionist-machine-predictive-insights

[3] https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/

[4] Texas Municipalities - https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/; Backup Company - https://www.zdnet.com/article/ransomware-hits-hundreds-of-dentist-offices-in-the-us/; Foreign Exchange Company - https://www.bbc.com/news/business-51017852; US Law Firm - https://www.zdnet.com/article/ransomware-gang-asks-42m-from-ny-law-firm-threatens-to-leak-dirt-on-trump/; Pan-Asia Retailer - https://www.bleepingcomputer.com/news/security/pan-asian-retail-giant-dairy-farm-suffers-revil-ransomware-attack/

[5] https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html

[6] https://www.drcommodore.it/2019/06/20/hackerato-winrar-it-malware-al-posto-del-programma/

[7] https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/

[8] https://www.bleepingcomputer.com/news/security/ransomware-gang-plans-to-call-victims-business-partners-about-attacks/


*画像のソース: [Pixabay](https://pixabay.com/)

TeamT5's ThreatVision Cyber Threat Intelligence Platform Joins PolySwarm Malware Analysis Marketplace

Related Post

APT Threat Landscape of Taiwan in 2020

【Cybernews】Sung-ting Tsai, TeamT5: “companies shouldn’t claim themselves as 100% secured or unhackable”

Introducing The Most Profitable Ransomware REvil