A Short Guide To Ransomware

Ransomware is a type of malware is designed to deny access to computer systems or sensitive data until a ransom is paid. 

While ransomware has been around for decades, ransomware attacks are becoming more sophisticated, spreading through phishing emails, spear phishing, email attachments, vulnerability exploits, computer worms and several other attack vectors.

Many cyber attacks give attackers access to your computer to install ransomware including:

 

●      Social engineering and phishing: Ransomware spreads by tricking users into downloading an infected email attachment that masquerades as a file from a colleague or boss.

●      Malvertising: Malvertising uses an infected iFrame or invisible element to spread ransomware. The iFrame redirects to a page that executes malicious code or an exploit kit to perform a drive-by download without user knowledge.

●      Vulnerabilities: More aggressive forms of ransomware like WannaCry exploit vulnerabilities to infect computers without user action.

Once infected, ransomware may encrypt some or all files.

After the initial ransomware infection, a ransom note explains the files are inaccessible. The victim must send a ransom payment to buy the decryption key to decrypt their files. Traditionally, ransom payments were demanded via prepaid cash services, Western Union transfers, gift cards, or premium rate SMS services. Nowadays, cybercriminals demand their ransom to be paid in Bitcoin and other cryptocurrencies.

According to the National Security Institute, the average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020. Cybersecurity Ventures predicts that ransomware will cost $6 trillion annually.

It is worth noting that in many cases, victims don't report ransomware attacks to law enforcement, creating artificially low reported ransomware numbers. In recent years, estimates of the number of ransomware attacks has reached 204.24 million.

The threat assessment experts at Upguard have produced a detailed review of various different  types of ransomware from 1989 to the present and here are three signicant expamples: 

 AIDS Trojan

One of the first known examples of ransomware was the AIDS Trojan written by evolutionary biologist Dr. Joseph Popp. Popp sent infected floppy diskettes to hundreds of victims under the heading "AIDS Information Introductory Diskette".

The Trojan replaced the AUTOEXEC.BAT file, which would then be used to count the number of times the computer has booted. Once the boot count reached 90, the ransomware hid directories and encrypted the names of all files on the hard drive (rendering the system unusable).

The victim would then be asked to 'renew the license' and contact PC Cyborg Corporation for payment, which involved sending $189 to a P.O. box in Panama, even though the decryption key could be extracted from the code of the Trojan.

Joseph Popp was ultimately declared mentally unfit to stand trial but promised to donate the profits from the ransomware to fund AIDS research.

WannaCry

WannaCry, an encrypting ransomware computer worm, was initially released on 12 May 2017. The ransom demand ranged from $300 to $600 to be paid in the cryptocurrency Bitcoin. WannaCry ransomware is also known as WannaCrypt, WCry, Wana Decrypt0r 2.0, WannaCrypt0r 2.0 and Wanna Decryptor.

It targets computers running outdated versions of the Microsoft Windows operating systems by exploiting the EternalBlue vulnerability in the Server Message Block (SMB) protocol. This allowed the ransomware to spread without victim participation. A group known as The Shadow Brokers stole the EternalBlue exploit from the United States National Security Agency (NSA) a few months prior to the cyber attack.

The EternalBlue exploit was discovered, but not disclosed, by the NSA prior to the attack. The NSA has since been criticized for not disclosing the exploit to Microsoft or the public on CVE, which may have allowed it to be patched prior to WannaCry.

Despite quick patching and the discovery of a kill switch domain, WannaCry was able to spread to an estimated 200,000 computers across 150 countries, causing hundreds of millions to billions of dollars in damages. Much of WannaCry's success was due to poor patching cadence.

Security experts, the United States, United Kingdom, Canada, Japan, New Zealand and Australia have formally asserted North Korea was behind the attack.

Ryuk

Ryuk is a sophisticated ransomware run by WIZARD SPIDER, a cyber crime group, who targets large enterprises for high ransom payments.  Rather than exploiting vulnerabilities or using a spray and pray phishing method, Ryuk is spread through spear phishing emails and an Emotet geo-based download function.

Once infected, a ransom note named RyukReadMe.txt is displayed containing a static template except for a changing email address and Bitcoin wallet. The email addresses usually contain one email at protonmail.com and another at tutanota.com, typically esoteric actors, directors or Instagram models' names are used.

Based on observed transitions to known Ryuk BTC wallets, the ransom demand varies significantly depending on the size and value of the victim's organization. Ideed, The Russia-based group has made roughly $3.7 million off 52 known transactions.

Want more ransomware examples?

For a detailed list of ransomware examples please visit the Upguard  website

You Might Also Read:

GCHQ Boss Says Ransomware Attacks Have Doubled In A Year:

 

« CISA, FBI & NSA Issue Ransomware Warning Alert
Iranian Petrol Stations Suffer A Massive Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Ilex International

Ilex International

Ilex International is a European software vendor which specialises in Identity & Access Management solutions.

Simeio Solutions

Simeio Solutions

Simeio is a complete Identity and Access Management (IAM) solution provider that engages securely with anyone, anywhere, anytime.

TCPWave

TCPWave

TCPWave IPAM is the world’s first acclaimed DNS/DHCP management software to pass the most stringent Information security tests.

Cyber Academy

Cyber Academy

Cyber Academy is one of the first institutions in the SE Europe region that provides a hands-on program in cyber security, blockchain and AI.

CyberGRX

CyberGRX

The CyberGRX Exchange and our risk assessments-as-a-service help Enterprises and Third Parties cost-effectively identify, prioritize and mitigate risk.

ACROS Security

ACROS Security

ACROS Security is a leading provider of security research, real penetration testing and code review for customers with the highest security requirements.

Sky Republic

Sky Republic

Sky Republic offers a Smart Contract Platform to integrate and synchronize business networks beyond EDI and API.

Stratus Cyber

Stratus Cyber

Stratus Cyber is a premier Cyber Security company specializing in Managed Security Services. Our services include Blockchain Security, Pentesting, and Compliance Assessments.

CorkBIC International Security Accelerator

CorkBIC International Security Accelerator

CorkBIC International Security Accelerator invests in early stage disruptive companies in the security industry including, Cybersecurity, Internet of Things (IOT), Blockchain and AI.

Nihon Cyber Defense

Nihon Cyber Defense

Nihon Cyber Defence’s mission is to provide robust solutions, services and support to governments, corporates and organisations in order to protect them from all forms of cyber warfare.

CHEQ

CHEQ

CHEQ provides fully autonomous, preemptive technology for brand safety and ad-fraud prevention.

DisruptOps

DisruptOps

Built for today’s cloud-scale enterprises, DisruptOps’ Cloud Detection and Response platform automates assessment and remediation procedures of critical cloud security issues.

Alcon Maddox

Alcon Maddox

Alcon Maddox is a niche recruitment and executive search firm specialised in sourcing exceptional Cyber Security sales and commercial leadership talent. Serving clients across the Middle East & Europe

Secure Cyber Defense

Secure Cyber Defense

Secure Cyber Defense provides expert cybersecurity consulting and managed detection and response services to companies, local government, schools and universities.

BlastWave

BlastWave

BlastWave’s BlastShield integrates three innovative products into a single solution to help prevent inadvertent and intentional attacks.

Tidal Cyber

Tidal Cyber

We formed Tidal for one simple reason—we believe that defenders need and deserve tools and services that make achieving the benefits of threat-informed defense practical and sustainable.