In part one of this series, we discussed exactly what ransomware is, including the effects of and motives behind different types of attacks. In this second article, I’ll look at the top seven ransomware attacks within the past decade and how they managed to infiltrate networks around the world.
1. Reveton
Reveton, ransomware that started spreading in 2010, was based on the Citadel Trojan. Its payload displayed an alert message on infected systems claiming that the user had been involved in illegal activity (e.g., downloading unlicensed software). To scare the victim further, Reveton showed footage recorded earlier from the victim’s webcam. The alert then demanded that the victim pay a ransom through an untraceable prepaid cash service.
European users became the main victims of Reveton in early 2012. Later, different variants of Reveton emerged using different law enforcement organizations’ logos, earning it the nickname Police Trojan. Other variants were also reported in the United States in 2012.
2. CryptoLocker
CryptoLocker is encryption ransomware that was first discovered in September 2013. It encrypted files and folders on victims’ systems using a Rivest–Shamir–Adleman (RSA) key pair, relied on its command-and-control (C&C) server during the encryption process and then demanded a ransom.
While CryptoLocker infiltrated networks using a C&C server workflow, other variants reported in Australia in 2014 breached users’ systems using phishing and payload mechanisms. A notable victim of this ransomware was the Australian Broadcasting Corporation.
3. CryptoWall
CryptoWall ransomware was first reported in 2014 after targeting a few major websites. It infiltrated networks in two ways: by gaining access through exploited browser plugins and downloading the payload, or by a steganographic approach in which the CryptoWall payload was hidden inside an image sent out in anonymous email campaigns. Once the user downloaded the image, the payload ran the CryptoWall script and infected the computer.
CryptoWall reportedly caused approximately $18 million in damage. A more recent version, CryptoWall 4.0, encrypted not only the files but also their names, making it unbreakable, as file names are notoriously difficult to decrypt.
4. Fusob
Fusob is mobile ransomware that was first reported between 2015 and 2016 and accounts for 56 percent of all mobile ransomware breaches to date. Like Reveton, Fusob first encrypted data and then ordered victims to pay a ransom after displaying a warning message that accused the user of some fictitious act. Fusob only accepted payment in the form of iTunes gift cards.
Fusob masqueraded as a pornographic video player, deceiving users into installing a seemingly innocuous app that then downloaded Fusob’s payload in the background. Once installed, Fusob checked whether the device’s default language was an Eastern European language. If it was, nothing happened; if the device used any other language, Fusob locked the device and demanded a ransom.
Germany, the U.S. and the UK were the primary victims, accounting for 40 percent, 14.5 percent and 11.4 percent of Fusob attacks, respectively. Fusob and one of its variants, called Small, accounted for approximately 93 percent of mobile ransomware attacks between 2015 and 2016.
5. WannaCry
WannaCry, unleashed in May 2017, had one of the largest reaches of any ransomware to date, with upwards of 400,000 computers infected across 150 countries. WannaCry infiltrated networks using the EternalBlue exploit. Major firms fell victim to this ransomware after leaving their systems unpatched for a couple of months.
6. Petya
Petya was unleashed on networks in July 2017, just two months after the WannaCry breach. This ransomware used the same EternalBlue exploit that WannaCry had. Petya was initially encryption ransomware, but after two days it was upgraded to wiper ransomware that deleted all of the users’ data. This upgraded wiper variant was called NotPetya or GoldenEye. Maersk, a leading logistics company, was just one victim of Petya.
7. Bad Rabbit
The Russian Federation and Ukraine reported a new ransomware called Bad Rabbit on October 24, 2017, eerily similar to both WannaCry and Petya. Rather than relying on EternalBlue, Bad Rabbit appears to have used a fake Adobe Flash Player update to lure users into downloading it. All affected sites swiftly removed the bogus Flash update from their websites.
Organizations like Interfax, Odessa International Airport, Kiev Metro and Ukraine’s Ministry of Infrastructure were the primary victims of this attack. In addition to Russia and Ukraine, users in the U.S., Turkey, Germany, South Korea and Poland were also targeted by Bad Rabbit.
Bad Rabbit was shut down in just two days, but security experts still advise enterprises to secure their networks right away, as this initial attack may have just been a trial run for hackers.
Despite their differences, these seven major ransomware variants broke into networks using only three basic procedures: phishing, exploiting vulnerabilities and deploying payloads. To overcome these threats, enterprises have to build a strong security system, leaving no application or OS unpatched.
Stay tuned for part 3 of this series to learn how being proactive can help you avoid these threats and keep your network safe.