Kaspersky Lab has discovered a series of targeted attacks against Russian companies using a previously unknown encryptor.
The attacks targeted Russian financial and transport companies. From December 2020 to the present, about 10 organizations have fallen victim. The attacks, attributed to the Russian-speaking RTM group, use a previously unknown encryption program, Quoter.
Initial infection occurred through phishing emails with subject lines such as “Summons to court”, “Request for refund”, “Closing documents” or “Copies of documents for the last month”. If the victim followed a link or opened an attachment, an RTM Trojan was downloaded to their device.
After establishing a foothold in the system and spreading across the network, the attackers tried to transfer money through accounting software, substituting the recipient details in payment orders either with the Trojan or manually via remote access tools. If this failed, they deployed Quoter. The program encrypted data using the AES algorithm and left contact details for communicating with the attackers.
If the victim did not respond, the attackers announced that they were ready to publish the stolen confidential information and attached evidence of the theft. The attackers demanded an average of about a million dollars in ransom. Notably, several months passed between the initial foothold in the system and the deployment of the ransomware.
Sergey Golovanov, a leading expert at Kaspersky Lab, explained:
“The incidents that we were involved in investigating pose a serious threat to companies, as attackers strive to achieve their goal at all costs. Their tactics include the use of several tools at once: a phishing email with a banking Trojan and an encryption program. Among the features of this campaign is the fact that Russian-speaking RTM attackers changed the tools used for the first time; moreover, now they are attacking Russian companies. The latter is rare; usually ransomware programs are used in targeted attacks against organizations from other countries.”