Ransomware Attacks and Types – How Encryption Trojans Differ
What is ransomware?
Ransomware is a type of malware (malicious software) used by cybercriminals. If a computer or network has been infected with ransomware, the ransomware blocksaccess to the system or encrypts its data. Cybercriminals demand ransom money from their victims in exchange for releasing the data. In order to protect against ransomware infection, a watchful eye and security software are recommended. Victims of malware attacks have three options after an infection: they can either pay the ransom, try to remove the malware, or restart the device. Attack vectors frequently used by extortion Trojans include the Remote Desktop Protocol, phishing emails, and software vulnerabilities. A ransomware attack can therefore target both individuals and companies.
Identifying ransomware – a basic distinction must be made
In particular, two types of ransomware are very popular:
- Locker ransomware. This type of malware blocks basic computer functions. For example, you may be denied access to the desktop, while the mouse and keyboard are partially disabled. This allows you to continue to interact with the window containing the ransom demand in order to make the payment. Apart from that, the computer is inoperable. But there is good news: Locker malware doesn't usually target critical files; it generally just wants to lock you out. Complete destruction of your data is therefore unlikely.
- Crypto ransomware. The aim of crypto ransomware is to encrypt your important data, such as documents, pictures and videos, but not to interfere with basic computer functions. This spreads panic because users can see their files but cannot access them. Crypto developers often add a countdown to their ransom demand: "If you don't pay the ransom by the deadline, all your files will be deleted." and due to the number of users who are unaware of the need for backups in the cloud or on external physical storage devices, crypto ransomware can have a devastating impact. Consequently, many victims pay the ransom simply to get their files back.
Locky, Petya and co.
Now you know what ransomware is and the two main types. Next you will learn about some well-known examples that will help you identify the dangers posed by ransomware:
Locky is ransomware that was first used for an attack in 2016 by a group of organized hackers. Locky encrypted more than 160 file types and was spread by means of fake emails with infected attachments. Users fell for the email trick and installed the ransomware on their computers. This method of spreading is called phishing, and is a form of what is known as social engineering. Locky ransomware targets file types that are often used by designers, developers, engineers and testers.
WannaCry was a ransomware attack that spread to over 150 countries in 2017. It was designed to exploit a security vulnerability in Windows that was created by the NSA and leaked by the Shadow Brokers hacker group. WannaCry affected 230,000 computers worldwide. The attack hit one-third of all NHS hospitals in the UK, causing estimated damages of 92 million pounds. Users were locked out and a ransom payable in Bitcoin was demanded. The attack exposed the issue of outdated systems, because the hacker exploited an operating system vulnerability for which a patch had long existed at the time of the attack. The worldwide financial damage caused by WannaCry was approximately US$4 billion.
Bad Rabbit was a ransomware attack from 2017 that spread via so-called drive-by attacks. Insecure websites were used to carry out the attacks. In a drive-by ransomware attack, a user visits a real website, unaware that it has been compromised by hackers. For most drive-by attacks, all that is required is for a user to call up a page that has been compromised in this way. In this case, however, running an installer that contained disguised malware led to the infection. This is called a malware dropper. Bad Rabbit asked the user to run a fake Adobe Flash installation, thereby infecting the computer with malware.
Ryuk is an encryption Trojan that spread in August 2018 and disabled the recovery function of Windows operating systems. This made it impossible to restore the encrypted data without an external backup. Ryuk also encrypted network hard disks. The impact was huge, and many of the US organizations that were targeted paid the ransom sums demanded. The total damage is estimated at over $640,000.
The Shade or Troldesh ransomware attack took place in 2015 and spread via spam emails containing infected links or file attachments. Interestingly, the Troldesh attackers communicated directly with their victims via email. Victims with whom they had built up a "good relationship" received discounts. However, this kind of behavior is an exception rather than the rule.
Jigsaw is a ransomware attack that began in 2016. The attack got its name from an image it displayed of the well-known puppet from the Saw movie franchise. With each additional hour the ransom remained unpaid, Jigsaw ransomware deleted more files. The use of the horror movie image caused additional stress among users.
CryptoLocker is ransomware that was first spotted in 2007 and spread via infected email attachments. The ransomware searched for important data on infected computers and encrypted it. An estimated 500,000 computers were affected. Law enforcement agencies and security companies eventually managed to seize control of a worldwide network of hijacked home computers that were used to spread CryptoLocker. This allowed the agencies and companies to intercept the data being sent over the network without the criminals noticing. Ultimately, this resulted in an online portal being set up where victims could obtain a key to unlock their data. This allowed their data to be released without the need to pay a ransom to the criminals.
Petya (not to be confused with ExPetr) is a ransomware attack that occurred in 2016 and was resurrected as GoldenEye in 2017. Instead of encrypting certain files, this malicious ransomware encrypted the victim's entire hard disk. This was done by encrypting the Master File Table (MFT), which made it impossible to access files on the hard disk. Petya ransomware spread to corporate HR departments via a fake application that contained an infected Dropbox link.
Another variant of Petya is Petya 2.0, which differs in some key aspects. In terms of how the attack is carried out, however, both are equally fatal for the device.
The resurrection of Petya as GoldenEye resulted in a worldwide ransomware infection in 2017. GoldenEye, known as WannaCry's "deadly sibling," hit more than 2,000 targets – including prominent oil producers in Russia and several banks. In an alarming turn of events, GoldenEye forced the personnel of the Chernobyl nuclear power plant to manually check the radiation level there, after they were locked out of their Windows computers.
GandCrab is unsavory ransomware that threatened to disclose the porn habits of its victims. It claimed that it had hacked the victim's webcam and demanded a ransom. If the ransom wasn't paid, embarrassing footage of the victim would be published online. After its first appearance in 2018, GandCrab ransomware continued to develop in various versions. As part of the "No More Ransom" initiative, security providers and police agencies developed a ransomware decryption tool to help victims recover their sensitive data from GandCrab.
B0r0nt0k is crypto ransomware that focuses specifically on Windows and Linux-based servers. This harmful ransomware encrypts the files of a Linux server and attaches a ".rontok" file extension. The malware not only poses a threat to files, it also makes changes to startup settings, disables functions and applications, and adds registry entries, files and programs.
Dharma Brrr ransomware
Brrr, the new Dharma ransomware, is installed manually by hackers who then hack into desktop services connected to the internet. As soon as the ransomware is activated by the hacker, it begins to encrypt the files it finds. Encrypted data is given the file extension ".id-[id].[email].brrr".
FAIR RANSOMWARE ransomware
FAIR RANSOMWARE is ransomware that aims to encrypt data. Using a powerful algorithm, all private documents and files of the victim are encrypted. Files that are encrypted with this malware have the file extension ".FAIR RANSOMWARE" added to them.
MADO ransomware is another type of crypto ransomware. Data that has been encrypted by this ransomware is given the extension ".mado" and can thus no longer be opened.
As already mentioned, ransomware finds its targets in all walks of life. Usually, the ransom demanded is between $100 and $200. However, some corporate attacks demand much more – especially if the attacker knows that the data being blocked represents a significant financial loss for the company being attacked. Cybercriminals can therefore make huge sums of money using these methods. In the two examples below, the cyberattack victim is, or was, more significant than the type of ransomware used.
WordPress ransomware, as the name suggests, targets WordPress website files. The victim is extorted for ransom money, as is typical of ransomware. The more in-demand the WordPress site, the more likely it is to be attacked by cybercriminals using ransomware.
The Wolverine case
Wolverine Solutions Group (a healthcare supplier) was the victim of a ransomware attack in September 2018. The malware encrypted a large number of the company's files, making it impossible for many employees to open them. Fortunately, forensics experts were able to decrypt and restore the data on October 3. However, a lot of patient data was compromised in the attack. Names, addresses, medical data and other personal information could have fallen into the hands of cybercriminals.
Ransomware as a Service
Ransomware as a Service gives cybercriminals with low technical capabilities the opportunity to carry out ransomware attacks. The malware is made available to buyers, which means lower risk and higher gain for the programmers of the software.
Ransomware attacks have many different appearances and come in all shapes and sizes. The attack vector is an important factor for the types of ransomware used. In order to estimate the size and extent of the attack, it is necessary to always consider what is at stake or what data could be deleted or published. Regardless of the type of ransomware, backing up data in advance and proper employment of security software can significantly reduce the intensity of an attack.