In the previous articles we discussed ransomware in general, its impact in 2017 and its worst types. In this post we look at ten of the worst ransomware attacks of the last five years (2013-18).
CryptoLocker ensured that ransomware became part of the common vocabulary by mid-2014. First spotted in September 2013, it spread via malicious email attachments and through the Gameover ZeuS botnet. Victims were told to pay the ransom in Bitcoin (or a prepaid cash voucher) or lose their data for good: the files were encrypted with a per-victim key that existed only on the attackers' servers, so there was no way to recover them without paying, and the ransoms collected are believed to have totalled around $27 million. By mid-August 2014, however, the private keys needed for decryption had become available: law enforcement had made arrests and seizures and taken down the botnet (Operation Tovar, June 2014), and the keys recovered from the seized servers were used to build a free decryption service.
CryptoWall spread mainly through the Cutwail spam botnet and is estimated to have infected more than 600,000 machines. It copied several attributes of CryptoLocker, including the ransom-demand interface. Besides encrypting the files on the system, it also deleted the Shadow Copies created by Windows' Volume Shadow Copy Service (VSS), which removed the most convenient local recovery path: without those snapshots, a victim with no off-host backup had no way back except the attackers' key. Like other ransomware it set a payment deadline, with ransoms ranging from $200 to $2,000 in Bitcoin or other prescribed payment methods. Overall, the operators are believed to have made around $1M with CryptoWall in its first months; the FBI later put victim losses at over $18 million.
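The Shadow Copy deletion described above is one of the most reliable early signals of a ransomware run, and it is easy to catch in process-creation telemetry. The following is an added example (not code from the original article or from any of the malware families it discusses) of that detection logic run over a few constructed process-creation events in a simplified key=value rendering of Sysmon Event ID 1. It flags the `vssadmin delete shadows` form that CryptoWall used and, as a generalization, the WMIC form and the "resize shadow storage to a tiny size" trick that achieve the same effect; the log lines, the rule names and the field layout are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Command-line patterns that remove or shrink Volume Shadow Copies. The vssadmin
# deletion is the one CryptoWall is known for; the WMIC form and the "resize to a
# tiny size" trick (which makes Windows discard existing copies) reach the same
# result by other means and are included as a generalization.
SHADOW_COPY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
]

# Constructed sample events (assumed field layout, not captured from a real
# infection): Image / CommandLine / ParentImage separated by '|'.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe list shadows|ParentImage=C:\\Windows\\System32\\cmd.exe
Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe
Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete /nointeractive|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe
Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB|ParentImage=C:\\Windows\\System32\\cmd.exe
Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe readme.txt|ParentImage=C:\\Windows\\explorer.exe
"""


@dataclass
class Alert:
    rule: str
    command_line: str
    parent_image: str
    parent_outside_windows: bool  # True when the parent binary is not under C:\Windows\


def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' event into a dict; only the first '=' separates key from value,
    so '/For=C:' inside a command line survives intact."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def detect_shadow_copy_tampering(lines):
    """Return one Alert per event whose command line matches a shadow-copy rule.

    The parent image is reported alongside because a deletion launched from a
    binary in a user's Temp directory (as a ransomware dropper would) deserves
    more urgency than one launched by an administrator's shell or backup agent.
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        for rule_name, pattern in SHADOW_COPY_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(
                    rule=rule_name,
                    command_line=cmd,
                    parent_image=parent,
                    parent_outside_windows=not parent.lower().startswith("c:\\windows\\"),
                ))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_tampering(SAMPLE_LOG.splitlines()):
        flag = "!" if a.parent_outside_windows else " "
        print(f"{flag} {a.rule:32} parent={a.parent_image}  cmd={a.command_line}")
```

Run against the sample, the harmless `vssadmin list shadows` and the notepad launch produce nothing, the two commands spawned by `invoice.exe` are flagged with the parent marked as outside the Windows directory, and the resize from `cmd.exe` is flagged but without that marker. In a real deployment the same rules would be fed from Sysmon or an EDR, and the parent-image check would be widened to whatever backup software legitimately touches shadow storage in the environment.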
TeslaCrypt, which first appeared in early 2015 and borrowed CryptoLocker's name and ransom screen, targeted a specific group of files: besides the usual documents, it scanned the system for saved games, in-game profiles, downloadable content, skins and other files related to video games. Hardcore gamers are unlikely to keep such files on a cloud service or an external drive, so for them there was often no copy to restore from. According to this report, TeslaCrypt accounted for around 48% of ransomware attacks by 2016. Although the attackers kept improving the ransomware, in May 2016 they shut the operation down and, surprisingly, released the master decryption key publicly, which allowed free decryption tools to be built for every version.
With Android devices holding more than 75% of the smartphone market, ransomware targeting them was inevitable. As per this report published on Barkly, the number of Android ransomware infections increased fourfold between 2015 and 2016. SimpleLocker, first spotted in mid-2014, was the first Android-specific ransomware that actually encrypted files (earlier Android "ransomware" only locked the screen), making the encrypted files impossible to access without the attacker's help. It delivered its payload as a trojan downloader, that is, an app posing as something legitimate that fetched the malicious component after installation. It originated in Eastern Europe, but the majority of its victims were in the United States.
TorrentLocker, another ransomware modelled on CryptoLocker's modus operandi (and, despite its name, unrelated to BitTorrent or any torrent website), spread via email attachments and drive-by downloads from compromised websites. Once on a victim's system, it encrypted files stored locally, on network shares and on removable storage devices. Like other ransomware it used cryptography the victim could not reverse alone (files were encrypted with AES and the AES key in turn with the attackers' RSA public key) and then demanded a ransom of about $550, to be paid within a 72-hour deadline. Its early versions had a crypto flaw worth remembering: they encrypted every file with the same AES keystream, so anyone holding one file in both plain and encrypted form could recover the keystream and decrypt the rest; later versions fixed this.
HDDCryptor (also known as Mamba) is considered one of the most dangerous ransomware families. Rather than encrypting files one by one, it encrypts entire disks with a bundled copy of the open-source DiskCryptor tool and replaces the boot record, so the machine cannot even start Windows; it also enumerates previously connected network paths and drives and encrypts what it can reach. This ransomware made headlines in November 2016 when it crippled more than 2,000 systems of the SFMTA (San Francisco Municipal Transportation Agency). The attack did not affect the transport services themselves, such as trains and buses, but the attackers demanded a ransom of 100 Bitcoin, equivalent to about $70,000 at the time. The agency declined to pay and restored its systems from its existing backups.
Locky became notorious in February 2016 when it encrypted data at a prominent US healthcare provider: the Hollywood Presbyterian Medical Center paid $17,000 (40 Bitcoin) in ransom to regain access to its systems and patient data. Locky's distribution relied on social engineering. Victims received a Word document disguised as an invoice whose text appeared garbled, with instructions to enable macros to view it properly. Once macros were enabled, the embedded VBA code downloaded the Locky executable, which encrypted the victim's files and any reachable network shares and renamed them with the .locky extension. Throughout 2016 and 2017 the attackers released many Locky variants with different capabilities and file extensions (.zepto among them) and switched loaders from macros to JavaScript, WSF and other script attachments.
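Because Locky's lure depended on a Word attachment carrying a VBA project, a mail gateway can cut the chain before the macro prompt ever appears: a modern Office document is a zip package whose `[Content_Types].xml` manifest declares a `vbaProject.bin` part whenever macros are present. The following is an added example (not code from the original article or from Locky itself) that builds two constructed packages in memory, one clean and one carrying a placeholder VBA part, and checks them the way a gateway would. The sample documents, the indicator strings and the policy of also flagging a `.docx`-named file that carries VBA are assumptions for the example; legacy binary `.doc` files are OLE2 containers, which this check deliberately refuses rather than passing as clean.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")  # formats that should never carry VBA


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (assumed stand-in for an attachment,
    not a real Locky lure; the VBA part is a placeholder blob, not macro code)."""
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macro:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 magic followed by filler; real files hold a compound document here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder")
    return buf.getvalue()


def find_macro_indicators(data: bytes, filename: str = "") -> list:
    """Return the reasons an OOXML package looks macro-enabled (empty list = no VBA found).

    Raises ValueError for anything that is not a zip package, e.g. a legacy
    binary .doc (OLE2), which needs a different parser and must not be waved
    through as clean just because this check cannot read it.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (zip) package; scan it with an OLE-aware tool")
    indicators = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. The manifest declares a VBA project part.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter(f"{CT_NS}Override"):
                if el.get("ContentType") == VBA_CONTENT_TYPE:
                    indicators.append(f"content-type:{el.get('PartName')}")
        # 2. A vbaProject.bin part exists, whatever the manifest says.
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                indicators.append(f"part:{name}")
    # 3. A name that promises a macro-free format but carries VBA anyway.
    if indicators and filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        indicators.append(f"extension-mismatch:{filename}")
    return indicators


if __name__ == "__main__":
    for name, doc in (("report.docx", build_sample_document(False)),
                      ("invoice.docm", build_sample_document(True)),
                      ("invoice.docx", build_sample_document(True))):
        print(name, find_macro_indicators(doc, name) or "clean")
```

The two-pronged check matters: an attacker who removes the manifest entry to dodge naive scanners still leaves the `vbaProject.bin` part behind, and one who keeps the manifest but renames the part is still declared in `[Content_Types].xml`. Holding every attachment with a non-empty indicator list, or at least stripping its VBA part, would have stopped Locky's invoice lure regardless of what the user chose at the "enable content" prompt.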
First discovered in March 2016, Petya encrypted the drive's Master File Table (MFT) instead of encrypting every file, which renders the entire system unusable far more quickly than conventional ransomware. To do so it overwrites the Windows bootloader in the Master Boot Record with its own code and forces a reboot; on the next boot that code encrypts the MFT behind a fake CHKDSK progress screen and then displays the ransom note, an ASCII-art skull followed by the demand for payment in Bitcoin. Because writing to the MBR requires elevated rights, Petya can only infect a target on which the user holds admin privileges and accepts the UAC prompt; later droppers bundled it with Mischa, which fell back to ordinary file encryption when elevation was refused.
WannaCry was the one attack that spread across the globe like wildfire. In May 2017, within days, it infected hundreds of thousands of systems worldwide (estimates range from about 200,000 to 400,000), from hospital systems in Ukraine to the National Health Service in the UK and radio stations in the United States. Unlike the families above it needed no email lure: it was a worm that exploited an already-known vulnerability in Microsoft's SMBv1 implementation using ETERNALBLUE, one of the NSA-built exploit tools leaked by the Shadow Brokers in April 2017. Microsoft had already released the patch for that vulnerability on March 14, 2017 (MS17-010) and rated it critical, so the outbreak hit systems that had not been updated in the two months since, plus unsupported ones such as Windows XP, for which Microsoft issued an emergency patch only during the outbreak. The worm also checked an unregistered web domain before spreading; when a researcher registered it, this acted as a kill switch and slowed the outbreak down.
Another prominent ransomware with significant impact in the last year was NotPetya, which struck in June 2017. Though loosely based on Petya (it reused the MBR-overwrite and MFT-encryption stage), researchers dubbed it NotPetya because of its significant differences. It followed WannaCry's modus operandi by exploiting the same SMB vulnerability with ETERNALBLUE, but it did not rely on that alone: it also stole credentials from memory and spread with legitimate administration tools (PsExec and WMI), so it moved through networks that were fully patched. Its initial entry was a trojanised update of M.E.Doc, an accounting package used by most Ukrainian businesses, which is why Ukraine was hit hardest. Ukraine's security service, and later the UK and US governments, attributed the attack to the Russian Federation and judged it a destructive cyber attack on Ukraine disguised as ransomware: the "personal installation key" victims were asked to send was random data, so the attackers could not have decrypted anything even when paid. Moreover, the threat posed by NotPetya was all the more serious because there was no kill switch like the one WannaCry had.
In the last decade or so, cybersecurity has become a question of "what is next?" rather than "what was last?". With ransomware posing a significant threat to every organization's security posture, we hope that the people responsible for security take notes from these incidents and improve their defences accordingly: tested offline backups (which saved the SFMTA), prompt patching (which would have stopped WannaCry), blocking Office macros in documents from the internet (which would have defused Locky's lure) and monitoring for the deletion of Shadow Copies.