Ransomware continued to dominate cyberspace in 2017. The past year was unlike anything we have ever seen: we all witnessed a rise in different ransomware families causing remarkable damage around the world, and the distribution methods and attack vectors expanded widely. As ransomware is one of the key cyber threats, it is time for companies of all sizes and industries to wake up and take notice; it seems that no one is immune. Ransomware attacks are getting easier to launch as more and more gadgets and IoT devices connect directly to the internet, creating even more vulnerabilities to be exploited. Major threat actors have already started to use botnets to distribute massive attacks on email gateways, ISPs and so on.
We are sharing some of the wildest ransomware attacks to help you make better decisions about how to protect your organization. Here, “wildest” does not refer only to the number of users affected; it also considers factors such as distribution, costs, updates and potential damage to future victims. This list is just a sample of what we experienced in 2017, and we can expect similar and even more complex attacks in the future.
Locky arrived as a fake shipping-invoice spam email. Once the attachment is opened, it downloads the malware, which encrypts the victim's files. Locky first appeared in February 2016 and was 2016’s most popular ransomware. New versions called Diablo and Lukitus also appeared this year using the same attack vector, spreading over 28 countries.
Ransom: $400 – $800
Crysis spreads by breaking into Remote Desktop Services with brute-force password tools and then manually installing the ransomware; it has hit 22+ countries. It first appeared in February 2016 using Remote Desktop Protocol (RDP). In May 2017, 200 master keys were released, allowing victims to decrypt and unlock their systems.
Ransom: $455 – $1,022
Cerber first appeared in March 2016. It was distributed as ransomware-as-a-service (RaaS): the malware was packaged so that non-technical cybercriminals could use it as a tool and collect payments from victims, while the developers of the malware took a cut of the money. It has hit more than 23 countries. Attack vectors are Remote Desktop Protocol (RDP), spam email and RaaS. Cerber is estimated to generate $2.3 million a year and netted attackers roughly $195,000 in July 2016, as estimated by Check Point researchers.
Ransom: $300 – $600
Cryptomix first arrived in March 2016 and is distributed through Remote Desktop Protocol (RDP) and exploit kits (typically delivered via malvertising). It is also known to hide on flash drives. Cryptomix does not have a payment portal on the darknet; instead, victims must wait patiently for an email from the cybercriminals with instructions for paying the ransom in Bitcoin. It has hit more than 29 countries.
This ransomware, named after the Jigsaw character from “Saw”, first appeared in April 2016 as a spam mail with an embedded image of the clown from the Saw movies. The payload runs when the user clicks it; it encrypts files and deletes files every hour until the ransom is paid. It has hit more than 29 countries.
Ransom: $20 – $200
Ransom: $20 – $79
WannaCry was the first ransomware to spread through an SMB exploit; the exploit dated from March 2017, but the attack came in May 2017. It spread over 150+ countries, infecting over 200,000 machines on the first day. The attackers collected only about $50,000 worth of bitcoin from those 200,000 infected machines.
Ransom: $300 – $600
WYSIWYE was discovered in April 2017 by Panda Security’s researchers, who nicknamed it “What You See Is What You Encrypt” (WYSIWYE). It comes with an interface that an attacker can use to configure their preferences, including the email address that will appear in the ransom note sent to the victim. From the same interface they can go after certain network computers, target specific files, and enter stealth mode. It attacks computers via a Remote Desktop Protocol (RDP) brute-force attack and then deploys WYSIWYE onto the targeted network computer.
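Crysis, Cerber and WYSIWYE all rely on the same entry point: guessing RDP passwords until one works. The defender's side of that story is visible in the Windows Security log, where each failed attempt is event 4625 and RDP sessions carry logon type 10 (RemoteInteractive). The following example, added here and not part of the original article, flags a source address whose RDP logon failures reach a threshold inside a short window. The event records are constructed for the demo (field names follow the Windows Security event schema, but the values are invented), and the threshold and window are assumptions to tune per environment.

```python
"""Flag RDP password guessing from exported Windows Security events.

Added example, not from the original article. Assumes events were exported
as one JSON object per line with the fields used below; the records are
constructed for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

FAILED_LOGON = 4625       # Windows Security: "An account failed to log on"
RDP_LOGON_TYPE = 10       # Logon type 10 = RemoteInteractive (RDP)

# Constructed sample: one source guessing several accounts, a user who
# mistypes twice and then succeeds (4624), and network (type 3) noise.
SAMPLE_LOG = """
{"TimeCreated": "2017-05-01T03:00:01", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"}
{"TimeCreated": "2017-05-01T03:00:04", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"}
{"TimeCreated": "2017-05-01T03:00:06", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"}
{"TimeCreated": "2017-05-01T03:00:09", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"}
{"TimeCreated": "2017-05-01T03:00:12", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "Administrator"}
{"TimeCreated": "2017-05-01T03:00:15", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "scan"}
{"TimeCreated": "2017-05-01T03:01:30", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.22", "TargetUserName": "jsmith"}
{"TimeCreated": "2017-05-01T03:02:10", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.22", "TargetUserName": "jsmith"}
{"TimeCreated": "2017-05-01T03:02:15", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.22", "TargetUserName": "jsmith"}
{"TimeCreated": "2017-05-01T03:03:00", "EventID": 4625, "LogonType": 3, "IpAddress": "192.0.2.44", "TargetUserName": "svc_sql"}
{"TimeCreated": "2017-05-01T03:03:05", "EventID": 4625, "LogonType": 3, "IpAddress": "192.0.2.44", "TargetUserName": "svc_sql"}
{"TimeCreated": "2017-05-01T03:03:10", "EventID": 4625, "LogonType": 3, "IpAddress": "192.0.2.44", "TargetUserName": "svc_sql"}
{"TimeCreated": "2017-05-01T03:03:15", "EventID": 4625, "LogonType": 3, "IpAddress": "192.0.2.44", "TargetUserName": "svc_sql"}
{"TimeCreated": "2017-05-01T03:03:20", "EventID": 4625, "LogonType": 3, "IpAddress": "192.0.2.44", "TargetUserName": "svc_sql"}
"""


def parse_events(text):
    """Parse JSON-lines export into dicts with a real datetime in TimeCreated."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "accounts": [...]}} for every source whose
    RDP logon failures reach `threshold` inside any span of length `window`.
    Only 4625 events with logon type 10 count; other logon types are ignored
    so that unrelated service-account noise does not trigger the alert."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] == FAILED_LOGON and ev["LogonType"] == RDP_LOGON_TYPE:
            by_ip[ev["IpAddress"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(evs),
                    "accounts": sorted({e["TargetUserName"] for e in evs}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"RDP brute force from {ip}: {info['failures']} failures "
              f"against {', '.join(info['accounts'])}")
```

Run against the constructed log, only 203.0.113.7 is reported (six failures across four accounts in under a minute); the user who mistyped twice and the network-logon noise stay below the bar. In practice the same logic sits behind a SIEM rule, and the cheapest mitigation the listed families all share is not exposing RDP to the internet at all, or fronting it with a VPN or gateway plus account lockout.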
Jaff appeared in May 2017 in the form of a spam email and heavily mimics the tactics used by Locky, while containing traits related to other forms of malware. It was distributed by the Necurs botnet and hit more than 21 countries.
NotPetya came as a fake Ukrainian tax-software update in June 2017. It spread through networks like a worm using an SMB exploit and infected hundreds of thousands of computers in more than 100 countries within a few days. This ransomware is a variant of Petya that uses the same exploit as WannaCry. Attack vectors: the M.E.Doc supply chain, and the EternalBlue and EternalRomance exploits. As of 27 June 2017, the attackers had collected only 29 payments, totalling 3.15 BTC (about $7,497).
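What made WannaCry and NotPetya different from the email-borne families above is the worm behaviour: one infected host talks SMB (TCP/445) to every neighbour it can reach, in seconds. That fan-out is a strong network-level signal even when the exploit itself is not recognised. The example below, added here and not taken from the article or from any vendor's product, reads simplified flow records and flags any source that opens SMB connections to an unusually large number of distinct hosts inside a short window. The flow records are constructed for the demo, and the threshold and window are assumptions.

```python
"""Flag worm-like SMB fan-out from flow records.

Added example, not from the original article. Flow lines are assumed to
have the form "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"; the sample
records below are constructed for this demo.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445


def _constructed_flows():
    """Build sample flow lines: one worm-like sweep, one normal workstation
    talking to two file servers, and one host browsing many sites on 443."""
    base = datetime(2017, 6, 27, 11, 0, 0)
    lines = []
    # Worm-like host: 30 distinct neighbours on TCP/445 within 30 seconds.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.5.12 10.0.5.{100 + i} 445")
    # Normal workstation: repeated SMB to just two file servers.
    for i in range(15):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        server = "10.0.5.200" if i % 3 else "10.0.5.201"
        lines.append(f"{ts} 10.0.5.40 {server} 445")
    # Web browsing: many distinct destinations, but not SMB.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.5.41 198.51.100.{i + 1} 443")
    return lines


SAMPLE_FLOWS = _constructed_flows()


def parse_flows(lines):
    """Turn flow lines into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in lines:
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def detect_smb_fanout(flows, threshold=20, window=timedelta(minutes=2)):
    """Return {src: {"distinct_targets": n, "first_seen": iso}} for every
    source that reaches `threshold` distinct SMB destinations within any
    `window`-long span. Repeated traffic to the same file server does not
    inflate the count, so ordinary workstations stay quiet."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, items in by_src.items():
        items.sort()
        in_window = Counter()      # distinct destinations currently in the window
        start = 0
        for ts, dst in items:
            in_window[dst] += 1
            while ts - items[start][0] > window:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = {
                    "distinct_targets": len({d for _, d in items}),
                    "first_seen": items[0][0].isoformat(),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"SMB fan-out from {src}: {info['distinct_targets']} hosts "
              f"since {info['first_seen']}")
```

On the constructed data only 10.0.5.12 is reported; the workstation that hammers two file servers and the host browsing forty websites both stay silent, which is the point of counting distinct SMB peers rather than raw connection volume. The complementary controls are the ones every post-mortem of these two outbreaks repeated: apply the SMB patch, disable SMBv1 where it is not needed, and block TCP/445 between workstation segments so a single infection cannot sweep the whole network.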
LeakerLocker was detected by McAfee’s research team back in July 2017 and is also known as “Android/Ransom.LeakerLocker.A!Pkg”. They found it hiding inside two Android applications: Booster & Cleaner Pro and Wallpapers Blur HD. Booster & Cleaner Pro had 5,000 installs at the time of discovery, and Wallpapers Blur HD had 10,000. It doesn’t encrypt an infected device’s files; instead it locks the home screen and claims to have accessed the device’s email addresses, contacts, Chrome history, text messages and calls, pictures, and device information. It then displays this information in a WebView and demands payment if the victim doesn’t want their data shared with all of their phone contacts.
Arkansas Oral & Facial Surgery Center suffered an attack at the hands of an unknown ransomware on 26 July 2017. It affected imaging files like X-rays along with other documents such as email attachments. It made patient data pertaining to appointments that occurred three weeks prior to the attack inaccessible.
Reyptson was detected by a security researcher at Emsisoft back in July 2017. After infection, Reyptson checks whether Mozilla’s Thunderbird email client is installed on the computer. If it is, the ransomware attempts to read the victim’s email credentials and contact list, and uses those contacts to run a spam campaign from the victim’s computer. Each mail contains a fake invoice document carrying an executable that drops the ransomware.
A week before Halloween (October 2017), Kaspersky Lab said it had received “notifications of mass alerts” of a new ransomware targeting organizations in Ukraine and Russia. Among the victims were the Russian news media outlets Fontanka.ru and Interfax, as well as Kiev’s metro system and an airport in Odessa. ESET researchers stated the ransomware also hit targets in Poland, South Korea, and the United States. BadRabbit used drive-by downloads to deliver the ransomware dropper, making it a smaller-scale operation.
Ransom: 0.5 Bitcoins
Considering all the different attack vectors we have seen from ransomware creators so far, we urge you to stay vigilant for new waves in 2018.
What we expect to see in 2018
Profitability of ransomware attacks will decline as the defenses improve.
Attackers will find new targets and new objectives.
Attackers will shift to high-net-worth individuals, sabotage and business disruption.
Attackers will use more advanced techniques to create and spread ransomware, such as worms, machine learning, advanced botnets and physical attacks.
Advances in machine learning will help protect organizations.
Serverless apps will save time and reduce costs, but they can increase the attack surface.
Manufacturers will gather personal data, with or without our agreement, to make more money.
More high-end mobile malware will appear.
Everyone will face an amazing future of gadgets, services and experiences, but with it come tremendous risks to privacy.
We will see high fines under GDPR after the deadline of 25 May 2018.