Ransomware is a type of malware (malicious software) used by cybercriminals. If a computer or network has been infected with ransomware, the ransomware blocks access to the system or encrypts its data. Cybercriminals then demand ransom money from their victims in exchange for releasing the data. To protect against ransomware infection, a watchful eye and security software are recommended. Victims of malware attacks have three options after an infection: pay the ransom, try to remove the malware, or restart the device. Attack vectors frequently used by extortion Trojans include the Remote Desktop Protocol, phishing emails, and software vulnerabilities. A ransomware attack can therefore target both individuals and companies.
Identifying ransomware – a fundamental distinction must be made
In particular, two types of ransomware are prevalent:
- Locker ransomware. This type of malware blocks essential computer functions. For example, you may be denied access to the desktop while the mouse and keyboard are partially disabled. This allows you to continue to interact with the window containing the ransom demand to make the payment. Apart from that, the computer is inoperable. But there is good news: Locker malware doesn’t usually target critical files; it generally just wants to lock you out. The destruction of your data is, therefore, unlikely.
- Crypto ransomware. Crypto-ransomware aims to encrypt your essential data, such as documents, pictures, and videos, but not to interfere with crucial computer functions. This spreads panic because users can see their files but can no longer open them. The developers of crypto-ransomware often add a countdown to their ransom demand: “If you don’t pay the ransom by the deadline, all your files will be deleted.” Because many users are unaware of the need for backups in the cloud or on external physical storage devices, crypto-ransomware can have a devastating impact. Consequently, many victims pay the ransom simply to get their files back.
Locky, Petya, and co.
Now you know what ransomware is and the two main types. Next, you will learn about some well-known examples that will help you identify the dangers posed by ransomware:
Locky
Locky is ransomware first used for an attack in 2016 by a group of organized hackers. Locky encrypted more than 160 file types and was spread by means of fake emails with infected attachments. Users fell for the email trick and installed the ransomware on their computers. This propagation method is called phishing and is a form of what is known as social engineering. Locky ransomware targets file types often used by designers, developers, engineers, and testers.
WannaCry
WannaCry was a ransomware attack that spread to over 150 countries in 2017. It was designed to exploit a security vulnerability in Windows that was created by the NSA and leaked by the Shadow Brokers hacker group. WannaCry affected 230,000 computers worldwide. The attack hit one-third of all NHS hospitals in the UK, causing estimated damages of 92 million pounds. Users were locked out, and a ransom payable in Bitcoin was demanded. The attack exposed the problem of outdated systems: the attackers exploited an operating system vulnerability for which a patch had long been available at the time of the attack. The worldwide financial damage caused by WannaCry was approximately US$4 billion.
Bad Rabbit
Bad Rabbit was a ransomware attack from 2017 that spread via so-called drive-by attacks. Insecure websites were used to carry out the attacks. In a drive-by ransomware attack, a user visits a genuine website, unaware that hackers have compromised it. For most drive-by attacks, all that is required is for a user to call up a page that has been compromised in this way. In this case, however, the infection was triggered by running an installer that contained disguised malware. Such an installer is called a malware dropper. Bad Rabbit asked the user to run a fake Adobe Flash installation, infecting the computer with malware.
Ryuk
Ryuk is an encryption Trojan that spread in August 2018 and disabled the recovery function of Windows operating systems. This made it impossible to restore the encrypted data without an external backup. Ryuk also encrypted network hard disks. The impact was huge, and many of the US organizations that were targeted paid the ransom sums demanded. The total damage is estimated at over $640,000.
Shade/Troldesh
The Shade or Troldesh ransomware attack occurred in 2015 and spread via spam emails containing infected links or file attachments. Interestingly, the Troldesh attackers communicated directly with their victims via email. Victims who had built up a “good relationship” received discounts. However, this kind of behavior is an exception rather than a rule.
Jigsaw
Jigsaw is a ransomware attack that began in 2016. The attack got its name from an image it displayed of the well-known puppet from the Saw movie franchise. With each additional hour the ransom remained unpaid, Jigsaw ransomware deleted more files. The use of the horror movie image caused additional stress among users.
CryptoLocker
CryptoLocker is ransomware that was first spotted in 2007 and spread via infected email attachments. The ransomware searched for essential data on infected computers and encrypted it. An estimated 500,000 computers were affected. Law enforcement agencies and security companies eventually managed to seize control of a worldwide network of hijacked home computers that were used to spread CryptoLocker. This allowed the agencies and companies to intercept the data sent over the network without the criminals noticing. Ultimately, this resulted in an online portal where victims could obtain a key to unlock their data. This allowed their data to be released without paying the criminals a ransom.
Petya
Petya (not to be confused with ExPetr) is a ransomware attack that occurred in 2016 and was resurrected as GoldenEye in 2017. Instead of encrypting specific files, this ransomware encrypted the victim’s entire hard disk. It did so by encrypting the Master File Table (MFT), making it impossible to access any file on the hard disk. Petya ransomware spread to corporate HR departments via a fake application that contained an infected Dropbox link.
Another variant of Petya is Petya 2.0, which differs in some key aspects. However, in how the attack is carried out, both are equally fatal for the device.
GoldenEye
The resurrection of Petya as GoldenEye resulted in a worldwide ransomware infection in 2017. GoldenEye, known as WannaCry’s “deadly sibling,” hit more than 2,000 targets – including prominent oil producers in Russia and several banks. In an alarming turn of events, GoldenEye forced the personnel of the Chornobyl nuclear power plant to check the radiation level manually after they were locked out of their Windows computers.
GandCrab
GandCrab is unsavory ransomware that threatens to disclose the porn habits of its victims. It claimed to have hacked the victim’s webcam and demanded a ransom; if the ransom was not paid, embarrassing footage of the victim would be published online. After its first appearance in 2018, GandCrab ransomware continued to develop in various versions. As part of the “No More Ransom” initiative, security providers and police agencies developed a ransomware decryption tool to help victims recover their sensitive data from GandCrab.
B0r0nt0k
B0r0nt0k is crypto-ransomware that focuses specifically on Windows and Linux-based servers. This harmful ransomware encrypts the files of a Linux server and attaches a “.rontok” file extension. The malware threatens files, changes startup settings, disables functions and applications and adds registry entries, files, and programs.
Dharma Brrr ransomware
Brrr, the new Dharma ransomware, is installed manually by hackers who first break into desktop services connected to the internet. When the hacker activates the ransomware, it encrypts the files it finds. Encrypted data is given the file extension “.id-[id].[email].brrr”.
FAIR RANSOMWARE ransomware
FAIR RANSOMWARE is ransomware that aims to encrypt data. Using a robust algorithm, all private documents and files of the victim are encrypted. Files encrypted with this malware have the file extension “.FAIR RANSOMWARE” added.
MADO ransomware
MADO ransomware is another type of crypto-ransomware. Data encrypted by this ransomware is given the extension “.mado” and can thus no longer be opened.
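The marker extensions listed above for B0r0nt0k, Dharma Brrr, FAIR RANSOMWARE and MADO, together with the file-encryption behaviour described for crypto-ransomware, can be turned into a simple defender-side triage over file-server activity. The Python below is an added example and is not code from the original article or from any vendor or project it mentions; the log format, the file paths and user names, the `.locked` extension, the character set of the Dharma id, and the threshold of five extension-appending renames within sixty seconds are all constructed for this example.

```python
"""Triage a file-rename log for (1) marker extensions named in the article and
(2) bursts of renames that append a new extension, which is how crypto-ransomware
looks on a file share regardless of family."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Marker extensions from the article, lower-cased for comparison.
KNOWN_EXTENSIONS = {
    ".rontok": "B0r0nt0k",
    ".fair ransomware": "FAIR RANSOMWARE",
    ".mado": "MADO",
}

# Dharma Brrr appends ".id-[id].[email].brrr". The id character set (\w+) and the
# optional literal square brackets around the email are assumptions for this example.
DHARMA_BRRR_RE = re.compile(r"\.id-\w+\.\[?[^\[\]\s]+@[^\[\]\s]+\]?\.brrr$", re.IGNORECASE)

# Constructed log format: "<ISO timestamp> <user> RENAME <old path> -> <new path>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")

# Constructed sample log: alice and carol mass-rename files, the others rename one file each.
SAMPLE_LOG = """\
2024-05-01T10:00:01 alice RENAME /srv/share/q1.xlsx -> /srv/share/q1.xlsx.mado
2024-05-01T10:00:02 alice RENAME /srv/share/q2.xlsx -> /srv/share/q2.xlsx.mado
2024-05-01T10:00:02 alice RENAME /srv/share/q3.xlsx -> /srv/share/q3.xlsx.mado
2024-05-01T10:00:03 alice RENAME /srv/share/plan.docx -> /srv/share/plan.docx.mado
2024-05-01T10:00:04 alice RENAME /srv/share/notes.txt -> /srv/share/notes.txt.mado
2024-05-01T10:15:00 bob RENAME /srv/share/old.cfg -> /srv/share/old.cfg.bak
2024-05-01T11:00:00 carol RENAME /srv/share/a.pdf -> /srv/share/a.pdf.locked
2024-05-01T11:00:01 carol RENAME /srv/share/b.pdf -> /srv/share/b.pdf.locked
2024-05-01T11:00:01 carol RENAME /srv/share/c.pdf -> /srv/share/c.pdf.locked
2024-05-01T11:00:02 carol RENAME /srv/share/d.pdf -> /srv/share/d.pdf.locked
2024-05-01T11:00:03 carol RENAME /srv/share/e.pdf -> /srv/share/e.pdf.locked
2024-05-01T12:30:00 dave RENAME /srv/web/index.php -> /srv/web/index.php.rontok
2024-05-01T12:45:00 erin RENAME /srv/hr/cv.docx -> /srv/hr/cv.docx.id-A1B2C3D4.[mail@example.com].brrr
2024-05-01T13:00:00 frank RENAME /srv/share/tax 2023.pdf -> /srv/share/tax 2023.pdf.FAIR RANSOMWARE
"""


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, old, new = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "old": old, "new": new})
    return events


def match_known_family(path):
    """Return the family name if the path ends in a marker extension from the article, else None."""
    if DHARMA_BRRR_RE.search(path):
        return "Dharma Brrr"
    lowered = path.lower()
    for ext, family in KNOWN_EXTENSIONS.items():
        if lowered.endswith(ext):
            return family
    return None


def appended_extension(old, new):
    """Return the suffix a rename appended to the original name (old kept as prefix), else None."""
    if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
        return new[len(old):]
    return None


def detect_rename_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Per user, the largest number of extension-appending renames inside any sliding window;
    users at or above the threshold are reported, whatever extension was used."""
    per_user = defaultdict(list)
    for e in events:
        if appended_extension(e["old"], e["new"]) is not None:
            per_user[e["user"]].append(e["ts"])
    bursts = []
    for user, stamps in per_user.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append({"user": user, "count": best})
    return sorted(bursts, key=lambda b: b["user"])


def triage(log_text):
    """Run both checks over a log and return the findings as a dict."""
    events = parse_log(log_text)
    families = {e["new"]: match_known_family(e["new"]) for e in events if match_known_family(e["new"])}
    return {"known_families": families, "bursts": detect_rename_bursts(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, family in result["known_families"].items():
        print(f"[IoC] {family}: {path}")
    for b in result["bursts"]:
        print(f"[burst] {b['user']}: {b['count']} extension-appending renames within 60s")
```

On the sample log the extension check names MADO, B0r0nt0k, Dharma Brrr and FAIR RANSOMWARE, while the burst check flags both alice (a known extension) and carol (an unknown `.locked` extension); the second check is what catches a family the marker list has never heard of, so the two belong together.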
Ransomware attacks
As already mentioned, ransomware finds its targets in all walks of life. Usually, the ransom demanded is between $100 and $200. However, some corporate attacks demand much more – especially if the attacker knows that the blocked data represents a significant financial loss for the attacked company. Cybercriminals can therefore make vast sums of money using these methods. In the two examples below, the victim of the attack is more noteworthy than the particular ransomware used.
WordPress ransomware
WordPress ransomware, as the name suggests, targets WordPress website files. The victim is extorted for ransom money, as is typical of ransomware. The more in-demand the WordPress site, the more likely it is to be attacked by cybercriminals using ransomware.
The Wolverine case
Wolverine Solutions Group (a healthcare supplier) was the victim of a ransomware attack in September 2018. The malware encrypted a large number of the company’s files, making it impossible for many employees to open them. Fortunately, forensics experts were able to decrypt and restore the data on October 3. However, a lot of patient data was compromised in the attack. Names, addresses, medical data, and other personal information could have fallen into the hands of cybercriminals.
Ransomware as a Service
Ransomware as a Service gives cybercriminals with low technical capabilities the opportunity to carry out ransomware attacks. The malware is made available to buyers, which means lower risk and higher gain for the software programmers.
Conclusion
Ransomware attacks have many different appearances and come in all shapes and sizes. The attack vector is an essential factor for the types of ransomware used. To estimate the scope and extent of an attack, it is always necessary to consider what is at stake, that is, what data could be deleted or published. Regardless of the type of ransomware, backing up data in advance and adequately employing security software can significantly reduce the intensity of an attack.