Dangerous Types of Ransomware (and How to Guard Against Them)
When they hear the word “ransom,” history buffs and movie aficionados may think of the Lindbergh baby or John Paul Getty III, whose kidnapping was detailed a few years ago in All the Money in the World. Business owners, on the other hand, are likely to experience a different variety of terror as they quietly consider their vulnerability to different types of ransomware.
Ransomware is only one of many forms of potential cyberattacks, but it’s likely to elicit the most dramatic and fearful response. Unfortunately, this reaction isn’t the result of melodrama or overreaction. A quick look at some key disaster recovery statistics shows that businesses are perfectly justified in their concern. After all, a recent report from IBM found that the share of breaches caused by ransomware increased by 41% in 2021, with the average cost of an attack reaching an astounding $4.54 million.
Businesses that aren’t fully aware of their potential vulnerability to a ransomware attack could be exposing themselves to enormous financial risk. To help ensure that you’re as informed as possible, let’s review the concept of ransomware and take a closer look at some of the most common types.
What Is Ransomware?
The name of this particular kind of cyberattack is fairly illuminating. Ransomware is a form of malware (short for malicious software) that criminals use to block an individual or business from accessing important data. Exactly how they do so and why it’s such a significant risk is worthy of further discussion.
Methods to Initiate a Ransomware Attack
There are many ways to initiate a ransomware attack. These methods, known as attack vectors, target unsuspecting users with seemingly innocuous content. Some of the most common vectors include:
- Phishing emails that contain malicious attachments or links
- Stolen or compromised Remote Desktop Protocol (RDP) credentials
- Software vulnerabilities
- Compromised websites
Recently, phishing has become one of the most popular forms of attack, particularly as criminals exploited vulnerabilities created by COVID-19.
The Damage and Destruction of Ransomware
The consequences of a ransomware attack can be costly and long-lasting. In some cases, the attack is severe enough that a business has to cease operations entirely until the data is restored. This kind of event can cripple an organization financially, permanently damage its reputation, and cause massive interruptions to important services for customers. In the worst-case scenario, it could cause a business to permanently close its doors.
What Are the Types of Ransomware?
Ransomware is far from new. In fact, it has existed since 1989, beginning with the AIDS Trojan or PC Cyborg attack. The technology, however, has become far more sophisticated over time, moving well beyond the original concept of dropping an infected floppy disk in the mail. Understanding the modern types of ransomware threats can help you avoid them.
The first of two of the primary ransomware forms, crypto-ransomware attacks are also known as data kidnapping or encryptors. In this scenario, cyber attackers encrypt files on a computer or network so that they are unusable. They then demand ransom payments in exchange for the key that will allow the data to be decrypted. One of the most well-known crypto-ransomware attacks of recent years was against Colonial Pipeline, which quickly paid a $5 million ransom.
Locker ransomware differs significantly from crypto-ransomware in that it doesn’t encrypt files. Instead, it locks the user completely out of the system so that it is impossible to operate the device. Attackers hope that the victims will respond in desperation and pay a ransom to have their devices unlocked. Unfortunately, doing so does not guarantee that the attacker will follow through and restore the functionality of the device.
Also known as exfiltration or doxware, leakware involves a bad actor stealing sensitive information and threatening to release it publicly. This is a particularly high risk for industries that deal with sensitive data, such as healthcare providers. In addition to damaging an organization’s reputation, there can also be hefty fines for failure to comply with data privacy regulations.
Ransomware as a Service (RaaS)
When cybercriminals do not have the technical capabilities to carry out an attack, they sometimes hire outside professionals to do the work for them. These third parties are then paid a portion of the collected ransom or, in rare cases, regular wages. RaaS professionals are responsible for every stage of the attack, from distributing the ransomware to granting access once the ransom has been paid.
What Are the Most Common Ransomware Strains Today?
Because they are under constant development, it’s impossible to provide an exhaustive list of ransomware strains. However, there are four strains that have gained significant publicity and caused substantial damage over the past several years.
Conti was initially observed in 2020. It uses a number of attack vectors, including spearphishing campaigns, RDP credentials, phone calls, and fake software, to gain access to victims’ networks. Conti is such a powerful variant that the U.S. Department of State is offering a $5 million reward in exchange for information related to the criminals behind it. As of January 2022, the Federal Bureau of Investigation (FBI) estimated that more than 1,000 victims of Conti had been extorted, with payouts totaling over $150 million. This makes it the costliest ransomware variant to date. One of the most significant Conti attacks was against the Costa Rican government. This attack affected multiple systems within the government, including taxes and healthcare.
According to a study by Intel471, the most prevalent ransomware variant from July to September 2021 was Lockbit 2.0. It accounted for 33% of the attacks during that period. The most well-known attack was on Accenture, a global consulting firm. Through this attack, LockBit was able to encrypt files of various airlines and initially demanded a $50 million ransom.
In March 2021, the FBI released an alert warning that there was an increase in PSYA ransomware attacks against academic institutions. PYSA can exfiltrate and encrypt data and has typically targeted schools, colleges, universities, and seminaries. In most cases, PYSA gains access to networks through RDP credentials and phishing emails. It is capable of encrypting all files and applications on Windows and Linux devices and has been used to exfiltrate employment records with highly sensitive information.
First detected in June 2021, Hive has since become one of the most dominant ransomware variants. It undergoes frequent updates, allowing it to outsmart detection. A recent variant, discovered by Microsoft in July 2022, uses string encryption. It also often deletes backups and takes steps to prevent data recovery, which can significantly decrease a business’s ability to survive an attack unscathed.
What Ransomware Strains Were Dominant in the Past?
Ransomware strains emerge and fade, sometimes quite rapidly. Some of the most dangerous strains of the past, such as TeslaCrypt, later became defunct. Others disappear from the public eye only to make occasional reappearances or emerge with new variants.
The CryptoLocker strain emerged in 2013 as attackers mimicked business emails and used fake FedEx and UPS tracking notices. This ransomware could infect shared network drives, external hard drives, and cloud storage drives. Experts believe that the attackers behind CryptoLocker extorted approximately $3 million, a startling number considering that only 1.3% of the people who were hit by the attack paid the ransom.
Attackers distributed CryptoLocker via exploit kits and spam. When the malware was run, it installed itself in the Windows User Profiles folder and encrypted files across local hard drives and mapped network drives. It only encrypted files with specific extensions, including Microsoft Office and OpenDocument. A message would then appear informing the user that files had been decrypted and demanding payment via Bitcoin. The approach used by CryptoLocker has since been copied many times over.
When the original CryptoLocker was taken down in 2014, CryptoWall rose to replace it. It has since been modified into several different versions, including CryptoDefense and CryptoBit. The first version of Cryptowall used an RSA public encryption key, but later versions used a private AES key that was then further masked with a public AES key. When a user opens the malware attachment, the CryptoWall binary copies itself into the Microsoft temp folder and begins to encode files. CryptoWall encrypts a wider variety of file types than CryptoLocker.
TorrentLocker emerged in 2014 and implemented methods from CryptoLocker and CryptoWall. It used AES encryption on Microsoft Windows files before demanding a ransom to be paid in Bitcoins.
The first detection of Crysis ransomware was in February 2016, and it was soon labeled as the successor to a previous strain known as TeslaCrypt. Crysis is generally distributed via compromised email attachments and URLs. Once a user has clicked the link, Crysis creates registry entries so that it is executed at every system start. It then encrypts all file types, including those without extensions.
As the name suggests, Locky is designed to lock a user out of their files until a ransom payment is made. Locky originally emerged in 2016 and is typically distributed as a .doc file attached to an email message. When the document is opened, the user is asked to enable macros, which allows Locky to encrypt files using AES encryption. Users receive a message demanding a ransom so that files can be decrypted.
There have been several ransomware strains that specifically target Microsoft Office 365 users, and Cerber is one of the most prominent. Cerber appeared in 2016 and was so named because it would rename file extensions as .cerber.
As the first ransomware developed to target Mac users, KeRanger quickly made a name for itself in 2016. It is remotely executed using BitTorrent and encrypts files with RSA and RSA public key cryptography.
Petya and NotPetya
Both Petya and NotPetya had serious attacks in 2016 and 2017. Although it did not spread particularly effectively, Petya was noteworthy because of its innovative encryption technique. NotPetya, on the other hand, was both expansive and effective at encrypting files. This made NotPetya especially harmful, causing $10 billion in damages worldwide. Experts believe that NotPetya was created to specifically target Ukraine, but it eventually spread throughout Europe and North America as well.
In 2017, an attack by WannaCry locked computers in 150 countries around the globe, effectively disabling a total of 300,000 devices. The attack specifically targeted Windows computers using an NSA exploit called Eternal Blue.
Another prominent ransomware strain that first appeared in 2017 is Bad Rabbit, which has some similarities to WannaCry and Petya. Bad Rabbit is generally disguised as an Adobe Flash installer, and victims can be exposed just by visiting a compromised website. When users click on the ? installer, the malware encrypts their files and displays a message requesting a ransom payment.
Making its first appearance in 2018, Ryuk ransomware uses computer malware called Trickbot to install itself after gaining access to a network’s servers. It then encrypts files with an AES algorithm and changes their extensions to .RYK. The FBI estimated that, as of November 2020, victims of Ryuk attacks had paid more than $61 million to recover their files. A new variant of Ryuk, which is capable of spreading laterally through a network, emerged in 2021.
CTB-Locker is a form of crypto-ransomware. Attackers generally use malicious email messages and disguised downloads to infect operating systems. It can encrypt many file types before a message appears demanding a ransom. CTB-Locker is well-known, in part, because hackers generally outsource the infection process to partners in exchange for a cut of the profits.
Named after the villain of the Saw franchise, Jigsaw received its moniker because the ransom demand included an image of the tricycle-riding puppet from the films. Originally known as BitcoinBlackmailer, Jigsaw periodically reappears to wreak havoc on victims. It is typically spread through spam email and uses AES encryption on all data files and the Master Boot Record on the infected device. The ransom message is also noteworthy in that it includes a threat to delete one file for every hour that the ransom is not paid. Fortunately, this ransomware attack is less menacing than its movie counterpart. Experts have developed a fairly simple method for defeating Jigsaw.
In 2019, Norwegian aluminum manufacturer Norsk Hydro was struck by a ransomware attack known as LockerGoga. The attack quickly became major news, particularly because the company refused to pay the ransom and instead temporarily shut down some operations. Once LockerGoga is installed, it modifies user accounts and changes their passwords before encrypting files. Some, but not all, of the variants of LockerGoga are capable of encrypting all file types.
How Can You Protect Against a Ransomware Attack?
With so many strains in current circulation, the number of new strains under development at any given time, and the lengthy list of ransomware strains from the past, the idea of a ransomware attack quickly becomes quite a terrifying prospect. However, it is possible to prevent and recover from one successfully.
To protect your business from the devastating consequences of breaches, data loss, and leaks related to ransomware, you can take some key steps:
- Ensure that you have basic security measures in place, such as two-factor authentication.
- Make use of a service with effective encryption to protect your data.
- Use a business continuity solution to regularly back up data so that it can be recovered in the event of an attack.
- If your system is compromised, do not rush to pay the ransom as attackers may not restore your data even once payment is made.
- Notify the appropriate regulatory and law enforcement agencies as quickly as possible.
While it may not be possible to prevent every attack, these measures can help you decrease the risk and respond quickly should the worst occur.
How Can Businesses Learn More about the Threat of Ransomware?
The threat of ransomware is ever-present, and businesses should prepare accordingly. If you feel your business has not placed adequate focus on this potential disaster, the time to act is now. You can begin by learning more about preventative steps, backup services, and data recovery options.
The team at Invenio IT specializes in business continuity solutions, including responses to ransomware attacks. Reach out to the experts to discuss your risk level and how to better protect your business against current and future types of ransomware.