The outbreak in digital devices, in the past decade, has not only contributed to immense development but has also bred cybercrimes. The most popular form of cyber-extortion is a ransomware. Lets take a look at the devastating ransomware attacks the world has seen till date after a quick insight into the definition, types, and the work-flow of a ransomware 

What is ransomware?

Ransomware is a piece of malware that encrypts the user/organization's data or locks the users out of their devices and demands a ransom in exchange for the decryption key or for returning access to the device. The ransom is usually demanded in the form of cryptocurrency.

Types of ransomware

  1. Locker Ransomware
  2. Crypto Ransomware
  3. Scareware
  4. Doxware

Locker Ransomware

As the name implies, this type of ransomware locks the computer or device and cuts off access to users. Usually, in these types of attacks, the screen freezes out and restarting the system would display a blank screen with an official looking message that says illegal activity has been detected in the system and a fine has to be paid to unlock the system.

Crypto Ransomware

This type of ransomware usually encryts data or files. The user will not be able to access any of his files, unless the decrytion key is obtained after paying up the ransom demanded by the hacker. These are probably the worst kinds of ransomware as the hacker holds all your sensitive information and files and there is no guarantee that paying the ransom would give you back the data that has been stolen.

Scareware

Most of us would have come across this type of attack. Scarewares usually have pop-ups or alerts claiming to have found some threat or issues in our systems and asks the user to pay a sum of money to have it resolved. They usually assume the form of a fake anti-virus software or cleaning tool to trick the user into clicking on it.

Doxware

Gone are the days when hackers threatened to delete user data, now they are threatening to release it or rather leak it online instead. Doxware is commonly known as leakware or extortionware. These types of attacks threaten to release the information hijacked, if the ransom demanded is not paid. Organizations in the finance, healthcare, defence and other fields that deal with sensitive information are usually the targets of these attacks.

Ransomware workflow

Any digital medium can be used to distribute ransomware, however e-mails remain the number one delivery vector for these kinds of attacks. Spear phishing is used in majority of the ransomware attacks. An e-mail containing an infected link or attachment, targeting an individual or organization, is sent from a seemingly trusted source. The unsuspecting user opens the mail and clicks on the link following which the ransomware is launched. The attack can also be via drive-by downloading, wherein the user visits an infected site and the malware gets downloaded and installed onto the user's device without his knowledge. Here is what happens after the ransomware is launched

  1. When the user clicks on an infected link or attachment, the ransomware is launched through powershell or any other extension.
  2. Ransomware, on most occasions facilitate the download of a payload that causes further harm to the system. Once the ransomware is launched, the infected machine communicates with the hacker's server for more instructions post which the payload which encrypts the user's data, is downloaded onto the infected system.
  3. As soon as the download is complete, a ransom note with the price in bitcoins is demanded in exchange for the decryption key.
  4. Certain types of ransomware also tend to spread laterally, thereby infecting the other systems present in the network

Now that we have a basic understanding about how these cyber-extortion crimes work, let us take a look at the top 3 ransomware attacks that stunned organizations across the globe.

    1.  Ryuk

      n the December of 2018, the operations of several US newspapers were thrown into disarray, when the Russian based criminal group WIZARD SPIDER, launched the Ryuk ransomware. These attacks were seen to target large organizations (Big game hunting) with logistics and technology companies being hit the most. Though the attacks started in April 2018, it was not until December that they intensified. The attacks started off by infecting clean systems but in recent times, they have progressed to become a part of a triple threat attack methodology, infecting systems already containing strains of malware like Emotet and TrickBot. 

      Infection vectors:

       Once a phishing e-mail is opened, a malicious macro runs and executes a Powershell command, which attempts to download Emotet. Once Emotet is downloaded, it retrieves and executes another payload, usually TrickBot. With TrickBot the information on the affected systems are stolen and if the system is part of the group targeted by the threat actors, the admin credentials are further exploited to infect the other systems in the network. Once this is done, a connection is established with the target's live servers through a Remote Desktop Protocol (RDP), and the Ryuk ransomware is dropped into the system. Recently on December 30, 2019, Ryuk took down the entire corporate IT network of a Maritime Transportation Security Act (MTSA) regulated facility in the US, for more than 30 hours. As it is very evident, Ryuk is nowhere close to being done.

    2. WannaCry:

      The May of 2017 saw major hospitals in the UK, government, and non-governmental agencies declaring a state of emergency as a ransomware brought down their operation. Wannacry was the first ransomware to behave like a worm and spread to other machines using the Windows SMB protocol, thereby seeming like an organized cyber attack. It hit thousands of computers in over 150 countries, within hours, leaving encrypted files in its wake. 

      Operation: 

      WannaCry is associated with a cybercriminal group named Lazarus, which is believed to be working for North Korea. This strain of ransomware works in tandem with DoublePulsar and EternalBlue, which were stolen from the National Security Agency (NSA) and released in public. DoublePulsar acts as a backdoor that is used to deliver the Wannacry ransomware and the EternalBlue exploit is used to spread the ransomware to unpatched systems on the network. A damage of over billions of dollars was incurred before the kill switch to stop the spread of this ransomware was discovered. Marcus Hutchins, a reverse malware engineer discovered that the domain name embedded in the code, when registered, stoped the infection. Even after 2 years from its inception, reports generated by Shodan reveal that over 1.7 million machines are still vulnerable to this strain of ransomware.

    3. Notpetya:

      A month after the crippling attack from WannaCry, another ransomware more dangerous and intrusive than WannaCry hit systems around the world. Notpetya, a variant from the Petya ransomware, targeted Windows machines, encrypting the hard drives. While resembling a random ransomware attack, Notpetya is believed to be a carefully planned Russian cyberattack with Ukraine as the major infection site. This ransomware encrypts the master file table and demands a ransom in bitcoins to restore access. The highlight of Notpetya however, is its ability to spread without any human intervention. The infection starts at a backdoor planted in M.E.Doc software and spreads to other systems through the M.E.Doc servers. After its entry into the network, Notpetya uses EternalBlue and EternalRomance by exploiting the SMB vulnerability to further spread to other systems.

Some of the other noteworthy ransomware are Samsam, Locky, Bad Rabbit, and Troldesh. Despite the widespread attacks and innumerous warnings to keep systems fully patched and secure, we still find millions of systems open and vulnerable to cyberattacks. Don't wait to get hit, regularly deploy updates and patches released.