According to the annual report Hi-Tech Crime Trends 2017, presented by Group-IB at CyberCrimeCon, funds stolen from companies via online banking using malware in H2 2016-H1 2017 in the Russian Federation amounted to around $10.4 mln, while targeted attacks on banks brought hackers more than $27 mln. Despite an overall 35 percent decrease YoY, targeted attacks on financial institutions remain cybercriminals' most profitable revenue stream in the former Soviet Union. According to Group-IB forecasts, a new threat is set to cause disproportionate losses for the financial sector: disruption and damage to financial infrastructure caused by targeted attacks from financially motivated cybercriminals and state-sponsored hackers.
Early in 2017, Group-IB staff detected the first cases of ransomware being used to conceal evidence of targeted attacks during a theft from a bank in the Russian Federation. While attacking the victim bank with a view to stealing from its card processing systems, the Cobalt gang took control of its network. After successfully conducting the attack, they ran a modified version of Petya (PetrWrap ransomware) on all computers in the corporate network to hide their activity and complicate the investigation. During incident response, data was partially restored; however, most computers on the bank's network were disabled, causing service disruptions, reputational damage and loss of clients. The ransomware was not used to collect additional funds but to remove evidence of the attack.
Head of Threat Intelligence Department, co-Founder of Group-IB
In March 2017, Black Energy, previously known for its attacks on the energy sector, broke new ground by attacking Ukrainian banks via a third-party infection at a Kyiv IT integrator, most notably using its own crypto locker.
WannaCry, widely attributed to Lazarus, the North Korean state hacker group, also used a crypto locker as the foundation of its attack. In this instance, it was clear that the attack's aim was not financial gain but disruption of infrastructure.
NotPetya, attributed to the state-backed Black Energy group, was more targeted, piggybacking on the Ukrainian accountancy software ME DOC, but the aim of both attacks was the destruction of infrastructure. In June 2017, NotPetya resulted in the disruption of internal processes and IT systems for a wide range of companies globally, including oil & gas companies and financial institutions. The attack temporarily shut down production at a number of refineries.
The full version of Hi-Tech Crime Trends 2017