Kaspersky detected new ransomware attack on Russian companies

Kaspersky Lab has recorded a series of targeted attacks targeting Russian financial and transport companies. Hackers used a previously unknown ransomware virus

According to a statement from Kaspersky Lab, since December 2020, ten Russian financial and transport companies have been subjected to hacker attacks using the previously unknown Quoter ransomware. Experts believe that the Russian-speaking group RTM is engaged in this.

The hackers sent out phishing emails, choosing topics that they calculated should force the recipient to open the message, for example, “Request for refund”, “Copies of documents from the last month” and so on. As soon as the recipient clicked on the link or opened the attachment, the RTM Trojan was downloaded to their device.

Then the attackers tried to transfer money through accounting programs by replacing the details in payment orders or manually using remote access tools. If they failed, they used Quoter, which encrypted the data using the AES cryptographic algorithm and left contacts for communication with hackers. If the recipient did not respond, they threatened to make the stolen personal data publicly available and attached evidence, and demanded about $1 million as a ransom.

Sergey Golovanov, a leading expert at Kaspersky Lab, warned that the attacks pose a serious threat to companies, as hackers use several tools at once: a phishing email with a banking Trojan and an encryption program.

“Among the features of this campaign is that the Russian-speaking RTM attackers changed the tools used for the first time, moreover, now they are attacking Russian companies,” said Mr. Golovanov, noting that usually encryption programs are used in attacks on foreign organizations.

Group-IB also warned about hacker attacks from RTM. According to the company, from September to December 2018, they sent more than 11 thousand malicious emails to financial institutions from addresses faked for government agencies. The emails contained a malicious attachment. They had fake PDF icons, and after running the file extracted from the archive, the computer was infected. On average, one successful theft of this type brought the attackers about 1.1 million rubles ($15,000).