Table of Contents
- Ransomware is one of the biggest cyber threats
- It encrypts users' files and demands a ransom for them
- We will introduce you to the top ten threats
Jigsaw – “Let’s play a game!”
The Jigsaw ransomware appeared in March 2016 and takes its name and imagery from the Saw horror films. On startup it displayed the series' puppet, the ransom amount and a red digital countdown clock. Unlike most ransomware it does not merely encrypt files: it also deletes them, and it raises the ransom demanded every hour.
Jigsaw plays with the victim by deleting a few files every hour during the first 24 hours. On the second day it deletes hundreds of files, on the third day thousands, until the ransom is paid. If the user tries to tamper with the ransomware or restarts the computer, the malware deletes thousands of files as a "penalty".
Newer versions dropped the iconic puppet but were still referred to as Jigsaw. It spreads as an attachment to spam messages and relies on the recipient opening the attached file, which in many cases is exactly what happened.
WannaCry – Wanna cry?
The WannaCrypt ransomware family (better known as WannaCry) began spreading on May 12, 2017 and is considered one of the largest ransomware attacks in history. The malicious code infected hundreds of thousands of devices worldwide and hit private businesses as well as institutions such as banks, telecommunications companies and hospitals in about 150 countries.
The heaviest impact was reported in healthcare, where WannaCry took important medical systems offline, caused chaos and directly affected the care of many patients. The consequences in other sectors were also severe.
This ransomware became a symptom of the sad fact that individuals and network administrators alike had been neglecting Windows updates. WannaCry spread on its own, without any user interaction, by using the EternalBlue exploit against a vulnerability in Windows' Server Message Block (SMB) protocol; any unpatched Windows machine reachable over SMB was enough. The devastating attack was preventable: the patch closing that hole had already been available for two months.
Petya / NotPetya – without going back
Just one month after WannaCry came another attack that hit thousands of businesses and institutions around the world. The first version of the Petya malware had been distributed as an email attachment as early as 2016, and its distinguishing feature was that it overwrote the Master Boot Record (MBR).
The malware then encrypted the Master File Table (MFT) of the NTFS file system, so the operating system could no longer start. Instead of Windows, the user saw a demand to pay the ransom in bitcoin. In June 2017 a new variant appeared that used the EternalBlue vulnerability to spread. Researchers at Kaspersky concluded it was a different malware dressed up as Petya, and the new mutation became known as NotPetya.
Apparently, less than a month after WannaCry had abused the EternalBlue vulnerability on a massive scale, many computers still did not have the patch installed. The attack, aimed primarily at Ukraine, again succeeded in compromising a great many systems. However, the modified version was unable to undo its changes, i.e. to decrypt the files, even when the ransom was paid, which makes it in practice a destructive wiper disguised as ransomware.
Bad Rabbit – fake Adobe Flash
The Bad Rabbit ransomware attack followed WannaCry and NotPetya. In October 2017 it infected mainly organizations in Russia, Ukraine and Eastern Europe. It got in through compromised websites, posing as an Adobe Flash installer; unlike the two worms before it, the victim still had to download and run the fake installer.
The "evil rabbit" managed to hit, for example, the Interfax news agency, the international airport in Odessa, Ukraine, the Kiev metro and the Ukrainian Ministry of Transport. Infections were also recorded in other countries, including Turkey, Germany, Poland, Japan, South Korea and the United States.
Once the fake installer was run, the data was encrypted. The user was then directed to a website explaining the demand for a ransom payment in bitcoin within a set deadline.
Locky – with the permission of the user
Locky is one of the most successful forms of ransomware: it keeps reappearing, each time stronger and more insidious. It is usually distributed through spam campaigns, one of the easiest and cheapest ways of delivering malware to users.
Here too the user plays a major role: someone who receives an urgent request, downloads the "important" document and enables macros as the message instructs immediately loses access to the contents of their computer. They are then asked to pay a ransom in exchange for the decryption key.
Locky encrypts important data files, mapped network drives and shares, and bitcoin wallets, and it deletes Volume Shadow Copy Service (VSS) snapshots so they cannot be used to restore the data. One of its best-known victims is the Hollywood Presbyterian Medical Center, where the ransomware forced the hospital to temporarily shut down its information systems, close several departments and divert patients elsewhere.
Although the distribution scheme may sound too simple, Locky clearly shows how many users will fall for phishing, open a malicious attachment and extract files from a ZIP archive.
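The two behaviours just described, an Office document with macros spawning a program and the malware wiping shadow copies, are both visible in ordinary process-creation telemetry, and both are worth alerting on regardless of which ransomware family is involved. The detection below is an added example written for this page, not code from the original article or from any vendor it mentions. It runs two rules over Sysmon-style process-creation events (parent image, image, command line): an Office application spawning a script host or shell, and any command line that deletes volume shadow copies. The events are constructed samples, not real telemetry, and the file names in them are invented.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2016-02-16 09:12:01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"UtcTime": "2016-02-16 09:12:09",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "%TEMP%\dropped.exe"'},          # macro launching the downloaded payload
    {"UtcTime": "2016-02-16 09:12:31",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /Quiet /All"},    # shadow-copy wipe before encryption
    {"UtcTime": "2016-02-16 10:40:00",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},                   # benign admin use: must not fire
    {"UtcTime": "2016-02-16 11:00:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),   # the WMI class, for PowerShell variants of the same wipe
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles paths with or without directories)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event index, rule name, evidence) for every event matching one of the two rules."""
    hits = []
    for i, ev in enumerate(events):
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append((i, "office_macro_spawn", f"{parent} -> {child}: {cmd}"))
        if any(pattern.search(cmd) for pattern in SHADOW_DELETE):
            hits.append((i, "shadow_copy_deletion", cmd))
    return hits


if __name__ == "__main__":
    for index, rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{SAMPLE_EVENTS[index]['UtcTime']}  {rule:22}  {evidence}")
```

Both rules are high-signal in most environments: Word has no business launching cmd.exe, and "vssadmin delete shadows" is almost never typed by an administrator, while "vssadmin list shadows" is, which is why the rule keys on the delete verb and not on vssadmin.exe itself.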