Example of a malicious email requesting infrastructure setup./Courtesy of Korean National Police Agency

The Ministry of SMEs and Startups, the Korean National Police Agency, and the Korea Internet & Security Agency (KISA) said on the 16th that new ransomware attacks called "Midnight" and "Endpoint" targeting domestic small and midsize companies had been identified.

The attack is characterized by first breaching information technology (IT) system integration and maintenance firms and then spreading to their clients. While many of the victims were identified as small manufacturing corporations, cases were also confirmed in other sectors, including distribution, energy, and public institutions.

According to analyses by the Korean National Police Agency and KISA, the attackers infiltrated the internal systems of IT maintenance firms by sending malicious emails disguised as quote requests, job applications, or consulting inquiries. When the attachment is executed, remote-control malware is installed, and internal information and account information are exfiltrated.

The attackers then used the stolen information to send emails to the firms' clients while impersonating the firms, and in this way secured access privileges to the clients' internal systems and distributed ransomware.

It was confirmed that this ransomware not only encrypts files but also applies a "double extortion" method that involves exfiltrating internal data in advance and threatening to disclose it.

The Korean National Police Agency and KISA distributed a security advisory containing attack techniques and response measures to related agencies and corporations. This is the first time the Korean National Police Agency has issued an official security advisory in cooperation with relevant ministries based on threat intelligence obtained during an investigation.

The Korean National Police Agency is currently investigating the related attacks and plans to share additional threat information with relevant agencies and corporations.

Example of a malicious email posing as a job application inquiry./Courtesy of Korean National Police Agency