The art of the ransomware changes alongside virus development.
Ransomware is a computer virus program designed to use the same distribution as other malware software, and attack the unprotected computer. By way of development ransomware types are created to use rootkit technology, meaning they hook onto legitimate running processes and rename malicious files into OS files. The most destructive ransomware attacks are remembered by the number of computers infected, importance of the deleted data, or simply by the showcase of power, if the attacked network was high profiled enough.
Ransomware started as a simple virus in 1989, it has been around changing and developing until 2013 when it was first significantly noticed. By the end of 2013 criminals have collected ransom worth of $23 million. However, the most vicious attacks were performed starting 2016 to this day. Ransomware as we know it is predominantly crypto-locker ransomware, which means locks the files on computer.
During the last few years hackers have developed a model Ransom-as-a-service (RaaS). In other words, they offer their software for use, in return for the percentage from ransom taken from the victims. As reported by Osterman Research (market research Company) 59% of all ransomware is sent through email. An easy access to the malware and email messages sent have caused attacks to spread. Vicious scheme has affected not only regular users, but companies, small businesses and manufacturing sector. Many companies and industries had to stop their production lines for over 48 hours. Yet more than 25% has never reported the crime.
Billy is Here – Jigsaw Ransomware
In 2016 a Jigsaw ransomware attacked computers with a spooky character face much like the clown from “Saw” movie. Jigsaw encrypted files and asked for a $150 ransom. As the letters continue to appear in the screen, the spooky clown claimed it will delete files every hour until the ransom is paid. After trying something to stop it or delay the payment, all the files remaining will be deleted.
Jigsaw basically scans the computer for a picture, Adobe, zip, rar, Microsoft, 3D max and other files and targets them. Due to its aggressive nature jigsaw has been the most profitable ransomware attack at the time. Recently there has been a research where more sophisticated variants of the clown have been spotted.
A Message from SamSam Ransomware
At the mid-2016, the FBI has noted some variants of Locky ransomware, one of them called the ‘SamSam’ that has attracted attention for being target-oriented. SamSam directed its attacks towards businesses. SamSam used vulnerability of an application that was patched, but unpatched ones were still ripe for exploit. Large corporates such as Cisco found out that it was installed on thousands of IP addresses, exploiting entire networks. SamSam was remembered for adding customer service to the software, to make it easy for the clients to pay ransom. It even included a live chat.
The Evil Petya Ransomware
Ransomware that encrypts files on the computer with a sentence: “If you see this text, then your files are no longer accessible, because they have been encrypted”. Petya is a ransomware with a twist, an evil one for that matter. It has its own boot loader, which means writes a code at the beginning of the hard disk. Upon encrypting the entire disk and not just the files, Petya has the install process that practically replaces the files on the first sector of the hard disk. Which means any files that were previously on the disk will be damaged.<<
User Experience – Spora Ransomware
First appeared in January this year, Spora got little media exposure due to the WannaCry spread. Spora has been developed by savvy cybercriminals, and ransom payment site is more sophisticated than others. Spora has a strong encryption engine, mostly delivered by email file attachments. Another aspect of ransomware that separates it from others is the ability to work offline. It will encrypt files on all local drives and shared network devices.
Tears of the Victims – WannaCry Ransomware
At the beginning of this year a new and very efficient ransomware hit over 25,000 devices in four days. The attack was swift using EternalBlue exploit which allowed it to spread through message protocol vulnerability to lock down the computers. It is important to mention that the reason why WannaCry is so dangerous is because it spreads on its own, it has worm like capabilities to embed itself in computer system. There were recent news that a group behind the WannaCry attacks was called “Lazarus”.
God of Mischief – Locky Ransomware
Notorious in one single day, Locky ransomware has been sent to 23 million emails worldwide in a 24 hours timeframe. Locky is the variant of the TeslaCrypt Trojan version. Once installed it will rename all of the users file extensions to Locky. Not only that but it will delete all shadow volume copies and restore points to prevent users expelling the ransomware from computer. Recently Locky has come back fueled by botnet spam campaign.
The Return – NotPetya Ransomware
Much like Petya, the NotPetya ransomware has individual ID for each victim. But instead of guiding them to Tor web browser to insert the ID, NotPetya sent them to email address with a posteo.net suffix. But as its predecessor, NotPetya is also unable to return the files stolen.
Comand and Control – The DefRay Ransomware
Proofpoint researchers have named it DefRay because of command and control server hostname from the first attack. The Defray Ransomware is at its core a camouflaged Trojan horse. Defray is selective about targets, the attacks are mostly enterprise oriented. It targets only business, education, health and manufacturing sectors, asking for $5000 ransom to access infected files. The Defray Ransomware engineer has even wrote a polite message to the victims: “Don’t panic, read this and contact someone from IT department. Your computer has been infected with a virus known as ransomware.”
Cerber is very similar to other ransomware Trojans, as it encrypts victims’ files, it creates the txt file with instruction to ransom and retrieving files. In July 2016 it has been reported that Cerber infected 150,000 computers worldwide. The creator of Cerber is entrepreneur as it seems, he sells his software and deploys it for 40% of the ransom cut. The fact that his Ransomware-as-a-Service affiliates can generate $2.3 million each month sounds a bit disturbing.
Royal Minions and Princess Locker Ransomware
Princess Locker has been discovered this year. Due to a bug fix it has returned not alone, but with minions. Princess Ransomware is automated with exploit kit called RIG. Which means instead of malicious attachment it lures the user to website where the browser gets attacked via drive-by attacks designed to find vulnerabilities. It seems as though the royalty is selling software rather than asking for ransom. The ransom note asks the user to use a special software ‘Princess Decryptor’ that can be purchased only through ransom screen for $350.
As these cyber criminals wage wars against cybersecurity experts, the ransomware attacks on enterprises are getting more frequent. The paid ransom unfortunately does not mean a complete resolution of all problems. According to research, 1 in 5 businesses that paid ransom never get their files back, or the culprits turn around and ask for another one. This means not only loss of money paid as ransom, but also loss of money for operational delays and infrastructure instability for several days at best. A law firm in the US reported that they lost $700,000 due to downtime and not being able to access the documents. Ransomware is more than just a simple crime, it is business model, and a downfall for the companies attacked when not ready.