REvil, JSWorm as leading groups for Ransomware 2.0 in APAC — Kaspersky


Kaspersky revealed REvil and JSWorm as the most active ransomware families in the Asia Pacific (APAC) region. 

“Both resurfaced as the pandemic rages in the region last year and we see no signs of them stopping anytime soon,” said Alexey Shulmin, Lead Malware Analyst at Kaspersky.

REvil (aka Sodinokibi, Sodin)

The group initially distributed itself by exploiting an Oracle WebLogic vulnerability and carried out attacks on managed service providers (MSPs).

REvil’s activity peaked in August 2019 and then tailed off until the group resumed targeting victims in July 2020. In June 2020 it had targeted only 44 Kaspersky users worldwide; in the following month Kaspersky protected over 800 users from the threat, a 1,893% increase in just one month.

In 2019 the group targeted only APAC; just a year later, Kaspersky detected its activity almost everywhere in the world.

Geographical distribution of companies and individuals in different territories attacked by REvil ransomware in 2020. (Source: Kaspersky)

“It is safe to say that during their ‘silent months,’ REvil creators took their time to improve their arsenal, their method of targeting victims, and their network’s reach,” explained Shulmin.

Even so, APAC remained one of the group’s top targets.

JSWorm (aka Nemty, Nefilim, Offwhite, Fusion, Milihpen, etc.)

JSWorm is another group that entered the ransomware landscape in 2019. Unlike REvil, it targeted victims on a global scale from the start, hitting North and South America, the Middle East and Africa, Europe, and APAC.

JSWorm has fewer victims than REvil, but the group is nonetheless gaining ground. Kaspersky has blocked JSWorm attempts against 230 users worldwide, a 752% increase over the 27 users it nearly infected in 2019.

Kaspersky now sees the group shifting its focus towards APAC: over one-third of the enterprises and individuals it attacked were located in the region.

Geographical distribution of companies and individuals in different territories attacked by JSWorm ransomware in 2020. (Source: Kaspersky)

Both groups go after the Engineering and Manufacturing sector most of all. They also target Energy and Utilities, Finance, Professional and Consumer Services, Transportation, and Healthcare.

There is not yet an analysis of why these industries are targeted the most, but Kaspersky speculates that it is linked to their weaker cybersecurity infrastructure, which makes them more vulnerable to attackers.

Security tips and protocols against Ransomware 2.0 groups

With these groups leading targeted ransomware (Ransomware 2.0) in APAC, Kaspersky urges companies to fortify their cyber defenses:

  • Keep your OS and software patched and up to date.
  • Train all employees on cybersecurity best practices while they work remotely. 
  • Only use secure technologies for remote connection.
  • Carry out a security assessment on your network.
  • Use endpoint security with behavior detection and automatic file rollback, such as Kaspersky Endpoint Security for Business.
  • Never give in to the criminals’ demands. Do not fight alone: contact law enforcement, your national CERT, and security vendors such as Kaspersky.
  • Follow the latest trends via premium threat intelligence subscriptions, like Kaspersky APT Intelligence Service.
  • Know your enemy: identify new undetected malware on premises with Kaspersky Threat Attribution Engine.

For more information about Ransomware 2.0, visit