Ransomware has been evolving for decades, but in the last year attacks have taken on characteristics not seen in previous years. Where ransomware once targeted individual endpoints, it now targets entire servers and the networks behind them.
Cyber criminals have been attacking servers in order to demand higher ransoms. The reasoning is that servers hold an organization's most critical data, so companies will be willing to pay more to recover access to them.
In 2019, ransomware attacks impacted at least 966 organizations in total: government agencies, 89 educational organizations, and 764 healthcare providers.
Here’s a look at the 5 most significant ransomware attacks in 2019.
Unlike most ransomware campaigns, which target random individuals and businesses, Ryuk was highly targeted. The cyber criminals behind it picked victims whose businesses would be severely disrupted by even a small amount of downtime.
Ryuk was designed to encrypt company servers and disrupt business until the ransom was paid rather than steal or compromise an individual’s data.
Victims included newspapers, among them the Tribune Publishing papers, and a water utility in North Carolina. Affected newspapers had to produce a scaled-down version of the daily paper that didn't include paid classified ads.
Ryuk typically arrived as a later-stage payload after an initial infection by the TrickBot malware, or through exposed remote desktop (RDP) access. After blocking access to servers, Ryuk demanded between 15 and 50 Bitcoin, roughly $100,000 to $500,000 at the time.
In addition to disabling servers, infecting endpoints, and encrypting backups, Ryuk deleted Volume Shadow Copies and disabled the Windows System Restore option so victims could not recover on their own.
Once the malware was discovered, attempts to patch and clean affected machines didn't hold. The moment a server went back online, Ryuk reinfected it from other compromised machines, and the whole network of servers with it.
Early analysis linked Ryuk to code from Hermes ransomware, which had been associated with North Korea's Lazarus Group, but experts from McAfee and others later concluded the Hermes code had been sold on underground forums and that Ryuk is run by a Russian-speaking group. Consistent with that, Ryuk checks the system language and refuses to execute on computers set to Russian, Belarusian, or Ukrainian.
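The backup-destroying step is the most reliable place to catch a Ryuk-style intrusion before encryption starts, because it shows up as a handful of well-known commands in process-creation telemetry. The detection logic below is an added example written for this page, not code from the page's author or any vendor; the sample events are constructed, Sysmon-style process-creation records, and the command patterns (vssadmin, wmic, wbadmin, bcdedit) are the ones Ryuk and other ransomware families have commonly been reported to run to delete shadow copies and disable Windows recovery.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are made up for the example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS22", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # benign: listing, not deleting
    {"host": "WS22", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Recovery-tampering rules: (rule name, regex over the normalized command line).
# Assumption for this example: these command forms are the ones ransomware
# typically uses to remove shadow copies, backup catalogs and boot recovery.
RECOVERY_TAMPERING_RULES = [
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_resize_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("shadow_copy_deletion_wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b")),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\s+.*\brecoveryenabled\s+no\b")),
    ("boot_status_policy_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\s+.*\bbootstatuspolicy\s+ignoreallfailures\b")),
]


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so casing or extra spaces cannot dodge the regexes."""
    return " ".join(cmdline.split()).lower()


def match_event(event: dict) -> list:
    """Return the names of every rule the event's command line triggers."""
    cmd = normalize(event["cmdline"])
    return [name for name, pattern in RECOVERY_TAMPERING_RULES if pattern.search(cmd)]


def detect(events) -> list:
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in match_event(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


def summarize_by_host(alerts) -> dict:
    """Escalate per host: two or more distinct tampering techniques on one machine
    looks like ransomware staging, while a single hit may be an admin reclaiming
    shadow storage and only merits a medium-severity review."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["rule"])
    return {host: {"rules": sorted(rules),
                   "severity": "high" if len(rules) >= 2 else "medium"}
            for host, rules in per_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmdline']}")
    print(summarize_by_host(found))
```

Run over the constructed events, the three destructive commands on FS01 fire three different rules and the host is escalated to high severity, while the benign `vssadmin list shadows` on WS22 produces nothing. In production the same rules would feed from an EDR or Sysmon pipeline, and the host-level correlation is what keeps a lone administrative shadow-storage cleanup from paging the on-call engineer at the same severity as a staging ransomware operator.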
Like Ryuk, PureLocker was designed to encrypt entire servers and demand a ransom to restore access. The malware was built to go undetected: it checks for sandbox and analysis environments and withholds its malicious behavior there, and it mimics the normal functions of a legitimate library. It also deletes itself after the malicious code executes.
PureLocker targeted the servers of large corporations attackers believed would pay a hefty ransom.
After a thorough analysis, malware researchers from Intezer and IBM X-Force named this ransomware PureLocker because it's written in the PureBasic programming language.
Writing malware in PureBasic is unusual, but it gave attackers a serious advantage: antivirus engines have trouble producing reliable signatures for PureBasic binaries, and PureBasic compiles for Windows, Linux, and macOS, so the same code can be aimed at several platforms.
PureLocker is still being used by large cybercriminal organizations. Experts believe it is being sold as a service to groups that have the knowledge required to target large companies; ransomware-as-a-service (RaaS) is now an established business model.
Cybersecurity experts aren't sure exactly how PureLocker is getting onto servers, which is precisely the case for a zero-trust approach to network security: it limits how far an unknown threat can spread once it lands.
REvil (also known as Sodinokibi) shares code with the GandCrab strain and won't execute on systems whose language or keyboard settings indicate Russia, Syria, or several other nearby countries. This suggests its operators are based in that region.
Like PureLocker, REvil is believed to be ransomware-as-a-service and security experts have said it is one of the worst instances of ransomware seen in 2019.
Why is REvil so bad? With most ransomware attacks, an organization with good backups can ignore the ransom demand and cut its losses. REvil's operators, however, steal confidential data before encrypting it and threaten to publish or sell it if the ransom isn't paid, so restoring from backups no longer ends the incident.
In August 2019, REvil shut down systems in 22 small towns and local governments in Texas. On New Year's Eve 2019, REvil shut down Travelex, a UK currency exchange provider.
When Travelex went down, airport exchanges had to go old school and keep paper ledgers to document transactions. The cybercriminals demanded a $6 million ransom; Travelex would not confirm or deny paying it.
REvil's operators gained access by exploiting unpatched vulnerabilities in Oracle WebLogic servers and Pulse Connect Secure VPN appliances.
On March 1, 2019, ransomware attacked Jackson County, Georgia, and took its 911 dispatch center offline. County jail staff also lost the ability to open cell doors remotely, and police officers could no longer retrieve license plate data from their laptops.
Without a working 911 system, the entire county was left exposed to the secondary effects of the attack. Dispatchers didn't have access to computers for two weeks.
The videoconferencing system that allowed inmates to connect with family members also went down. Guards had to escort inmates to family visits in person, which increased the risk to their safety.
The county paid the $400,000 ransom and was able to restore its systems.
On April 10, 2019, the city of Greenville, NC was attacked by ransomware named RobbinHood. When most of the city's servers went offline, the city's IT team took the remaining servers offline to limit the damage.
Greenville wasn't RobbinHood's only victim. A month later, in May 2019, the city of Baltimore was hit hard. Although the ransom demanded was only about $76,000, the city spent more than $10 million on recovery, including $4.6 million to recover data, and all of its systems were non-functional for a month. Total damages were estimated at $18 million.
Ransomware is a threat to everyone including individuals, small businesses, corporations, and even government agencies. The fact that ransoms are being paid because it’s cheaper than rebuilding gives hackers more incentive to continue hijacking machines and increasing their demands.
After being attacked by the ransomware known as SamSam in 2018, the city of Atlanta spent $2.6 million to rebuild its servers, even though the hackers had demanded only about $50,000 in Bitcoin. The city never confirmed whether it tried to pay, but the attackers' payment portal was taken offline quickly, leaving Atlanta no choice but to spend the money to rebuild.
Don’t let your organization become the next victim of a sophisticated ransomware attack. Schedule a free demo for our anti-ransomware solution and see how easy it is to protect your organization from unexpected, malicious attacks.