A Short Guide To Ransomware

Ransomware is a type of malware is designed to deny access to computer systems or sensitive data until a ransom is paid. 

While ransomware has been around for decades, ransomware attacks are becoming more sophisticated, spreading through phishing emails, spear phishing, email attachments, vulnerability exploits, computer worms and several other attack vectors.

Many cyber attacks give attackers access to your computer to install ransomware including:

 

●      Social engineering and phishing: Ransomware spreads by tricking users into downloading an infected email attachment that masquerades as a file from a colleague or boss.

●      Malvertising: Malvertising uses an infected iFrame or invisible element to spread ransomware. The iFrame redirects to a page that executes malicious code or an exploit kit to perform a drive-by download without user knowledge.

●      Vulnerabilities: More aggressive forms of ransomware like WannaCry exploit vulnerabilities to infect computers without user action.

Once infected, ransomware may encrypt some or all files.

After the initial ransomware infection, a ransom note explains the files are inaccessible. The victim must send a ransom payment to buy the decryption key to decrypt their files. Traditionally, ransom payments were demanded via prepaid cash services, Western Union transfers, gift cards, or premium rate SMS services. Nowadays, cybercriminals demand their ransom to be paid in Bitcoin and other cryptocurrencies.

According to the National Security Institute, the average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020. Cybersecurity Ventures predicts that ransomware will cost $6 trillion annually.

It is worth noting that in many cases, victims don't report ransomware attacks to law enforcement, creating artificially low reported ransomware numbers. In recent years, estimates of the number of ransomware attacks has reached 204.24 million.

The threat assessment experts at Upguard have produced a detailed review of various different  types of ransomware from 1989 to the present and here are three signicant expamples: 

 AIDS Trojan

One of the first known examples of ransomware was the AIDS Trojan written by evolutionary biologist Dr. Joseph Popp. Popp sent infected floppy diskettes to hundreds of victims under the heading "AIDS Information Introductory Diskette".

The Trojan replaced the AUTOEXEC.BAT file, which would then be used to count the number of times the computer has booted. Once the boot count reached 90, the ransomware hid directories and encrypted the names of all files on the hard drive (rendering the system unusable).

The victim would then be asked to 'renew the license' and contact PC Cyborg Corporation for payment, which involved sending $189 to a P.O. box in Panama, even though the decryption key could be extracted from the code of the Trojan.

Joseph Popp was ultimately declared mentally unfit to stand trial but promised to donate the profits from the ransomware to fund AIDS research.

WannaCry

WannaCry, an encrypting ransomware computer worm, was initially released on 12 May 2017. The ransom demand ranged from $300 to $600 to be paid in the cryptocurrency Bitcoin. WannaCry ransomware is also known as WannaCrypt, WCry, Wana Decrypt0r 2.0, WannaCrypt0r 2.0 and Wanna Decryptor.

It targets computers running outdated versions of the Microsoft Windows operating systems by exploiting the EternalBlue vulnerability in the Server Message Block (SMB) protocol. This allowed the ransomware to spread without victim participation. A group known as The Shadow Brokers stole the EternalBlue exploit from the United States National Security Agency (NSA) a few months prior to the cyber attack.

The EternalBlue exploit was discovered, but not disclosed, by the NSA prior to the attack. The NSA has since been criticized for not disclosing the exploit to Microsoft or the public on CVE, which may have allowed it to be patched prior to WannaCry.

Despite quick patching and the discovery of a kill switch domain, WannaCry was able to spread to an estimated 200,000 computers across 150 countries, causing hundreds of millions to billions of dollars in damages. Much of WannaCry's success was due to poor patching cadence.

Security experts, the United States, United Kingdom, Canada, Japan, New Zealand and Australia have formally asserted North Korea was behind the attack.

Ryuk

Ryuk is a sophisticated ransomware run by WIZARD SPIDER, a cyber crime group, who targets large enterprises for high ransom payments.  Rather than exploiting vulnerabilities or using a spray and pray phishing method, Ryuk is spread through spear phishing emails and an Emotet geo-based download function.

Once infected, a ransom note named RyukReadMe.txt is displayed containing a static template except for a changing email address and Bitcoin wallet. The email addresses usually contain one email at protonmail.com and another at tutanota.com, typically esoteric actors, directors or Instagram models' names are used.

Based on observed transitions to known Ryuk BTC wallets, the ransom demand varies significantly depending on the size and value of the victim's organization. Ideed, The Russia-based group has made roughly $3.7 million off 52 known transactions.

Want more ransomware examples?

For a detailed list of ransomware examples please visit the Upguard  website

You Might Also Read:

GCHQ Boss Says Ransomware Attacks Have Doubled In A Year:

 

« CISA, FBI & NSA Issue Ransomware Warning Alert
Iranian Petrol Stations Suffer A Massive Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cloud Foundry Foundation (CFF)

Cloud Foundry Foundation (CFF)

Cloud Foundry supports the full application development lifecycle, from inception, through all testing stages, to deployment.

Cyber Technology Institute - De Montfort University

Cyber Technology Institute - De Montfort University

The Cyber Technology Institute provides training and high quality research and consultancy services in the fields of cyber security, software engineering and digital forensics.

Security IT Summit

Security IT Summit

The Security IT Summit is a unique one-day event which allows senior IT & Cyber security professionals to meet with innovative and competitive suppliers to the industry.

Adeptis Group

Adeptis Group

Adeptis is a specialist international Cyber Security recruitment search firm.

Napatech

Napatech

Napatech develops and manufactures high speed network accelerators specifically designed for real-time network monitoring and analysis applications.

Protiviti

Protiviti

Protiviti consulting solutions span critical business problems in technology, business process, analytics, risk, compliance, transactions and internal audit.

_cyel

_cyel

_cyel is introducing a new cybersecurity strategy: not a new generation of patches and firewalls, but moving target security – we take away the targets. Without replacing your existing system.

RISE

RISE

RISE is an independent, State-owned research institute, which offers unique expertise and over 100 testbeds and demonstration environments for future-proof technologies, products and services.

HackHunter

HackHunter

HackHunter’s passive sensor network continuously monitors, detects and alerts when a malicious WiFi network and/or hacking behaviour is identified.

Singular Security

Singular Security

Singular Security help public and private organizations minimize cybersecurity risk and pass their IT compliance audit.

FirmGuard

FirmGuard

FirmGuard helps organisations understand Information Security and comply with internal and external governance and regulation.

Digital Beachhead

Digital Beachhead

Digital Beachhead has the expertise to provide a range of Cyber Risk Management and other Professional Services with specifically tailored solutions at competitive prices.

Bedrock Systems

Bedrock Systems

BedRock Systems is on a mission to deliver a trusted computing base from edge to cloud, where safety and security isn’t just a perception, it’s a formally proven reality.

DatChat

DatChat

DatChat Inc. is a blockchain, cybersecurity, and social media company that focuses on protecting privacy on our devices and also protecting our information after we have shared it with others.

Input Output (IOHK)

Input Output (IOHK)

IOHK is one of the world's pre-eminent blockchain infrastructure research and engineering companies.

OpsHelm

OpsHelm

OpsHelm provides a Software-as-a-Service solution to help businesses ensure that all of their cloud environments have their security bases covered.