Ransomware is a type of malware that holds a computer or its data for ransom, demanding payment for the return of the data or control of the machine. The data being held is usually encrypted by the ransomware and decrypted only once payment is received. Payment is typically demanded in cryptocurrency, such as bitcoin.
While anyone can be the victim of ransomware, campaigns are more frequently targeting businesses or organizations that can afford to pay out larger ransoms. Small and medium-sized businesses, city governments, and even newspapers have been recent victims of ransomware.
Ransomware attacks evolve as rapidly as the technology to combat them does. They often leave little evidence behind, which makes them difficult to investigate and trace back to an individual or group. However, learning how ransomware is evolving can help you keep your devices and data safe.
Ransomware is Growing
According to Recorded Future, the number of ransomware campaigns they have been tracking went from 635 in January 2017 to 1463 in January 2019. However, they’re quick to point out that while ransomware is increasing, most of the campaigns aren’t effective and disappear as quickly as they are developed.
Another thing to keep in mind is that even though the number of ransomware campaigns has increased in recent years, the targets have shifted from individual users to businesses. Personal devices, such as laptops, tablets or mobile phones, don’t hold massive amounts of sensitive or valuable data and are often backed up to the cloud. For example, a hacker could try to ransom your iPhone, but with all your photos and contacts backed up to iCloud, there is little incentive to pay. For businesses, however, there are still many reasons to be concerned about the rise in ransomware.
One of the most prevalent ransomware campaigns today is GandCrab. It was first reported in January of 2018 and has only picked up speed. GandCrab ransomware is focused on individuals, rather than businesses, with average ransom demands of $500 to $600.
GandCrab uses a ransomware-as-a-service model, which maximizes delivery and has found continued success despite better detection software. It is primarily delivered through phishing, but its operators are also known to use exploit kits. The team behind GandCrab has made regular adjustments and five code releases since its creation. They are quick to respond and adapt to security developments, staying ahead of consumer security software and remaining a threat.
The second-most common ransomware is Ryuk. It gained international attention when several Tribune Publishing newspapers were unable to print. Ryuk seems to be used primarily in targeted attacks in the U.S. and is unfortunately successful. In 2018, Ryuk earned approximately $640,000 in bitcoin through the extortion of multiple large organizations.
Ryuk is spread through botnets, which download and install the Ryuk ransomware on the system the botnet has infiltrated. Because Ryuk appears to be targeted, this step seems to be carried out manually by a human attacker. Conditions that leave an organization vulnerable to Ryuk and the botnets that deliver it include:
- Security software that is disabled, not updated, or not installed at all.
- No scanning for botnets or other security breaches.
- Missing or weak credentials within the network, or unpatched endpoints.
Ryuk has the ability to encrypt network drives and resources, delete shadow copies, and disable Windows System Restore. This means that if the data ransomed by Ryuk isn’t backed up externally, it may be impossible to recover, making prevention all the more important.
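The shadow-copy deletion and System Restore tampering described above are noisy, which makes them a good detection point before mass encryption starts. The following Python is an added example, not code from the original article: it runs a few constructed, Sysmon-style process-creation records (the hostnames, users and timestamps are made up) through rules for recovery-inhibiting commands and flags any host that ran several of them.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed process-creation records (Sysmon Event ID 1 style, flattened to
# key=value text). They are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    r'Time=2019-03-01T02:14:07Z Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    r'Time=2019-03-01T02:14:09Z Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
    r'Time=2019-03-01T02:14:11Z Host=FS01 User=CORP\svc_backup Image=C:\Windows\System32\wbadmin.exe CommandLine="wbadmin delete catalog -quiet"',
    r'Time=2019-03-01T08:30:00Z Host=WS07 User=CORP\jdoe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
    r'Time=2019-03-01T09:02:44Z Host=WS12 User=CORP\admin Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled No"',
]

# Recovery-inhibition indicators (MITRE ATT&CK T1490): shadow copy deletion,
# System Restore / automatic recovery disabling, and backup catalog removal.
RECOVERY_INHIBIT_RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("system_restore_disable_bcdedit", re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_delete_wbadmin", re.compile(r"\bwbadmin\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose pattern hits the command line."""
    cmdline = event.get("CommandLine", "")
    return [name for name, pattern in RECOVERY_INHIBIT_RULES if pattern.search(cmdline)]


def score_hosts(lines: List[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Flag hosts running at least `threshold` distinct recovery-inhibiting commands:
    one bcdedit change may be an admin; several in a row is the pre-encryption pattern."""
    hits: Dict[str, set] = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        for name in match_rules(event):
            hits[event.get("Host", "unknown")].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for host, rules in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

With the sample data only FS01 is flagged; the lone bcdedit change on WS12 stays below the threshold, and the benign "vssadmin list shadows" on WS07 matches nothing.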
Other Ransomware to Look Out for in 2019
Hermes is ransomware linked to North Korea that has been distributed via phishing campaigns using invoices or other attachments, often password protected to evade spam filters. Recently, Hermes was spread in South Korea as part of a fake Flash Player update. Once installed on a victim’s computer, it encrypts their data, and the ransom must be paid to decrypt it.
SamSam is a group that uses targeted ransomware: it breaks into networks and encrypts multiple computers across the organization. SamSam typically demands a high ransom for the data it has taken hostage and is suspected in the March 2018 ransomware attack on the city of Atlanta.
Crysis is spread through spam, using malicious attachments to infiltrate an organization. Once a system has been infected, it encrypts files of all types on fixed, removable, and network drives, crippling an organization. The ransom demand for the encrypted data is typically around one bitcoin.
Bit Paymer exploits vulnerable Remote Desktop Protocol (RDP) servers to access networks. Once its operators have gained a foothold, they select machines on which to deploy the ransomware, and they will often also disable backups or security measures. This sophisticated campaign targets large organizations and adjusts the ransom demand to the size of the victim. Ransom demands range from 20 to over 50 bitcoins. Bit Paymer also requires three separate confirmation transactions of one bitcoin apiece.
Protect Yourself from Ransomware
The best way to protect yourself or your business from ransomware is to stay up to date with malware protection and security software. We offer a wide array of web security services; contact us to learn more about how we can help keep you safe online.