In recent years, there have been so many ransomware spreading around the Internet becoming one of the biggest cybersecurity threats. According to Cybersecurity Ventures statistics, companies were affected by ransomware every 14 seconds by the end of 2019. In 91% of the cases the attacks are caused by spear phishing emails. This year thanks to ransomware attacks, criminals will earn $ 11.5 billion. How did this cybersecurity threat come about and what are the 10 most dangerous ransomware in recent years that you should know? Arm yourself with information!
AIDS Info Disk: the first ransomware attack ever recorded in history
The first ransomware to go down in history was the AIDS Trojan, also known as PC Cybor. It was programmed in QuickBasic 3.0 in 1989 by the American biologist Joseph Popp and it was distributed via floppy disks sent via postal services. Popp sent twenty thousand 5.25” floppy disks to researchers outside the United States who were conducting important research on AIDS. The fictitious sender of these letters was “PC Cybor Corporation” and inside there was a floppy disk titled “AIDS Information – Introductory Diskettes”. The disks were accompanied by an information booklet stating the need to purchase a license to use the software. Two files were to be found in the disks: INSTALL.EXE and AIDS.EXE. The first one was the actual malware. Once it was installed on the PC replacing the AUTOEXE.baT file, the MS-DOS Windows system boot file, a message was displayed asking the user to renew the license in order to continue using the computer. The connected printers would then print a document inviting the victims to send $ 189 to a mailbox in Panama in order to buy an annual license and obtaining instructions on data recovery. The AIDS Trojan installation was performed by 5% of users, equivalent to around 1,000 computers.
The message displayed after the PC infection by AIDS ransomware. Source: Wikipedia.
The ransomware caused considerable damage to science. An Italian AIDS care research organization for example lost about 10 years of study results. Joseph Popp was arrested by the FBI in January 1990 after being spotted by a security officer at Amsterdam Schiphol airport. This prevented him from sending other 2 million floppy disks containing the ransomware. He was released from prison prematurely in 1991 because of his unstable mental health.
The connection between ransomware, cryptography and cryptocurrency
In the 2000s Archiveus, Gpcode, TROJ.RANSOM.A, Krotten, Cryzip and Mayarchive were the first types of ransomware to use sophisticated RSA cryptography. For example, Gpcode, identified in June 2006, used a 660-bit RSA cryptographic scheme. Two years later, a new version was discovered, initially considered difficult to decipher because it used a 1024-bit RSA key. Archiveus was a Microsoft Windows virus that required the user to make a purchase on a website to obtain the decryption password. In May 2006 the software was cracked and the password to recover the infected files was found.
A few years later a series of ransomware appeared, the so-called “police ransomware”, since they pretended to be warnings from the police. Victims were asked to pay a fine for their alleged illegal acts.
At the same time, the new generation of anonymous payment services began to be used to obtain money without being discovered. Riding the chance of exploiting the anonymity and non-traceability of payments, towards the end of 2010 a new trend emerged among cybercriminals: the use of cryptocurrencies. Bitcoin in particular has become the currency of computer extortions.
Over the past few years, ransomware attacks have become a real threat, involving top secret espionage agencies and international intrigues. This is the case, for example, of WinLock due to which the Russian authorities arrested ten people in August 2010.
The 10 most dangerous ransomware in recent years
Ransomware is today one of the main cyberthreats. The scenario is very diversified with over 1,000 variants targeting organizations, companies and private users. The number of victims is constantly increasing and the technologies underlying the ransomware are more and more sophisticated. In a chronological fashion, we will here introduce you to the 10 most dangerous ransomware in recent years. You certainly know at least one of them, hopefully not through your direct experience!
CryptoLocker came on the scene in 2013 and was probably the first one to open the era of large-scale ransomware. Spread through email attachments and spam messages using the Gameover ZeuS botnet, it used a 2048-bit RSA public key to encrypt user files in exchange for money. According to Avast, at its peak between the end of 2013 and the beginning of 2014, CryptoLocker had infected over 500,000 computers together with the clones CryptoWall, Cryt0L0cker and TorrentLocker, as well. The malicious software was rather “elementary” and was defeated thanks to the “Operation Tovar”, a joint campaign between FBI, Interpol, security companies and universities. CryptoLocker paved the way for many other varieties of ransomware that used its code to create new threats.
Even though at the beginning it was presented as a variant of CryptoLocker, this ransomware gained its identity thanks to its particular modus operandi. TeslaCrypt targeted in particular ancillary files associated with video games, such as saved games, maps, downloadable content and similar. For gamers, these are often important files, saved locally rather than on cloud or in external drives. In 2016 the 48% of ransomware attacks worldwide were performed by TeslaCrypt. Victims were asked a ransom of $ 500 in bitcoins. Its constant evolution is a feature that allowed this ransomware to spread and hit so many victims.
At the beginning of 2016 it was possible to restore the files only with the intervention of the creators. The surprise came in May 2016 when the hackers behind TeslaCrypt decided to put an end to their malicious activities and offered the world the main decoding key. After a few days ESET released a free tool to decrypt infected computers.
We all know mobile devices have taken hold in our lives and have become the most used electronic devices. This new trend could not be left unexploited by hackers! Between the end of 2015 and 2016 we have seen an escalation of ransomware attacks on devices with an Android operating system almost quadrupling.
The first type of attacks made it difficult for the users to access files and prevent them from accessing sections of the mobile user interface. At the end of 2015 SimpleLocker, also known as Andr/Slocker-A, became the first worldwide ransomware threat on Android. SimpleLocker spreads like a Trojan downloader disguised as an app. Once installed, it scanned the device and through a AES encryption changed the file extension to .ENC. It also collected device information such as the IMEI number, the smartphone model, the manufacturer and sent them to a C2 server. The latest versions were able to access the camera and showed a photo of the victim. This was used to scare and convince the person to pay the ransom. SimpleLocker was created somewhere in Eastern Europe, but most of its victims were located in the United States. On this page here you can find detailed information on how to remove SimpleLocker on different phone models, although today SimpleLocker is no longer a threat.
Ransomware attacks on Android devices experienced an increase of up to 4 times. Source: Kaspersky Lab.
Cerber is the example of a technology that uses advanced RSA encryption for malicious aims. It is distributed as a ransomware-as-a-service (RaaS), a sort of “affiliate program” for cyber criminals. Anyone can buy it and launch it on the web earning 40% of the profits. A real evil business. The ransomware targets users of the Office 365 cloud package. It uses an elaborate phishing campaign that to date has affected millions of users around the world with the exception of Eastern European countries.
This is how the attack works: generally, the victim receives an email with an infected Microsoft Office document. Once opened, the ransomware runs silently in the background, without raising suspicion, encrypting the files. Once this phase is complete, the user finds a ransom note in the infected folders or often as desktop wallpaper, as well. At its peak in early 2017, Cerber accounted for 26% of all ransomware attacks. Today, several decoders are available and can help you decrypt the files.
This ransomware attack known as SamSam appeared at the end of 2015, but grew strong only a few years later, bringing high-profile targets to their knees, particularly in the United States. SamSam has a solid organizational model behind it, rather than a technical structure. In 2015 and 2016, this ransomware focused on exploiting the JBoss vulnerabilities. Then, in 2018 SamSam forced weak passwords for vulnerabilities on RDP, Java-based servers and FTP servers in order to gain access to the victim’s network. It seems that SamSam attacks are controlled manually meaning there is someone behind the keyboard who targets a specific network and makes the files inaccessible with an RSA-2048 encryption. This is a new trend: the ransomware attacks are well-studied and targeted and the extortion varies according to the level and volume of the victim’s data, as well as their willingness to pay.
Analyzing the Bitcoin wallet of the SamSam group, it emerged, for example, that the US hospital Hancock Health on January 13th 2018 at 2:31 am paid a ransom of 4 bitcoins amounting to about € 51,000. Within two hours the systems of the health facility were restored.
An overview of the SamSam attacks in 2018. Source: Symantec.
WannaCry is one of the most dangerous ransomware, as well as one of the biggest cyber attacks ever, who made literally thousands of people want to cry! For the first time the term ransomware entered the public debate and the world press. In May 2017, 200,000 users including large companies, organizations and public institutions were infected in around 150 countries. This is the first wave of hacker attacks with tools leaked from the National Security Agency (NSA). WannaCry uses the EternalBlue exploit and a Microsoft bug in the implementation of the Server Message Block (SMB) protocol. Although Microsoft had released a security update, many computers had not been updated yet. WannaCry exploited precisely this security gap by spreading aggressively on all networked devices.
One of its dangerous features is that no action is needed to get infected. WannaCry self-installs on your computer encrypting files with the extension .WCRY. The ransom is equal to $ 300 in bitcoins to be paid within three days, after this deadline it will doubled to $ 600. If the payment does not take place within one week all the files will be lost. Two years after the worldwide release of WannaCry, it is estimated that two million computers are still exposed to the attack.
The screen with the ransom request displayed on computers blocked by WannaCry. Source: Wikipedia.
- Petya und NotPetya
After WannaCry, the era of ransomware has been confirmed by NotPetya. Let’s start all over where all began, i.e. in 2016 when Petya first appeared as a ransomware package. It was only a few weeks after the WannaCry epidemic in spring of 2017, that Petya began to spread in an updated version, exploiting the EternalBlue on the trail of the well-known WannaCry ransomware. Due to its evolution over time, the latest and most dangerous versions were named NotPetya. According to ESET data, on June 28th 2017, 80% of the ransomware cases were registered in Ukraine. Germany ranked second with 9%. NotPetya spread mainly via email with an attached file with extensions .doc, .xls, .ppt or .pdf. The file can be viewed easily but without the user’s knowledge a dropper is launched and installs the actual malware from the Internet. Once the files are encrypted, the PC is rendered unusable and a ransom of $ 300 in bitcoin is requested. The fundamental difference between Petya/NotPetya and the other types of ransomware like WannaCry lies in the targeted file: instead of encrypting each file, this ransomware points directly to the PC’s boot loader.
In 2017 the Bad Rabbit ransomware spread particularly in Russia but also Bulgaria, Turkey and Germany. Source: Kasperky.
Ryuk Ryuk is a ransomware that has caused a lot of damage between 2018 and 2019 specifically targeting organizations that can afford to pay and to which it is not possible to have downtime. Among the victims there are American newspapers and the North Carolina water service dealing at that time with the consequences of the hurricane Florence. The ransomware uses robust military algorithms such as RSA4096 and AES-256. A particularly subtle feature of Ryuk is that it can disable the Windows “System Restore” option on infected computers. This makes more difficult to recover encrypted data without paying the criminals. Ransom requests are also particularly onerous in correspondence with the importance of the victims. Analysts believe that Ryuk’s source code is largely derived from Hermes, a product of the Lazarus group of North Korea. This does not mean that the ransomware is managed by the Korean state, though. McAfee believes that Ryuk was built on a code from a Russian-speaking manufacturer, in part because the ransomware does not run on computers where the language is set to Russian, Belarusian and Ukrainian. If you are victim of Ryuk or you want to know more about the technical aspects, here you can find detailed information to delete this malware on different Windows operating systems. GandCrab GandCrab is considered the most popular multimillionaire ransomware in 2018 and 2019. To avoid detection, cybercriminals behind GandCrab relied heavily on Microsoft Office, VBScript and PowerShell macros. GandCrab uses a ransomware-as-a-service (RaaS) model to maximize distribution focusing mainly on phishing techniques via email. Ransom requests range from $ 500 to $ 600. According to different sources on the Internet, on January 2018, GandCrab had infected over 48,000 nodes in a single month. Despite all the efforts and success in data recovery, the threat has not yet been overcome since the criminal team keeps making changes. In March 2019, distinct variants of the ransomware were in circulation. Europol, in collaboration with the Romanian police, law enforcement agencies and Bitdefender, hacked the GandCrab servers to obtain the keys. They were able to create a free product that allows the decryption for the versions 1.4 up to 5.1 of the malicious software. Fewer attacks, greater success rate
After presenting the 10 most dangerous ransomware of the last years, it is important to underline however that between 2018 and 2019 a certain decline in the number of attacks was recorded. The decrease is considerable. Unfortunately, the cybercriminals are not giving up, but they are rather changing the way they work. Ransomware attacks are becoming more and more customized for specific goals and targets. They are managed by sophisticated real-time controls and management tools, such as with SamSam and Ryuk. These “new” targeted attacks hit a very small number of organizations, but have a much higher success rate. An inferior number of attacks does not therefore translate into a fall in revenue for the hackers, nor should you be letting down your guard in respect to this threat. You must continue to remain vigilant and adopt security measures that can protect your IT infrastructures from these highly sophisticated cyberthreats.
Defend yourself with knowledge! Check out our article to find some practical tips against ransomware.