One of the most famous malware variants in existence today, ransomware – which enables a cybercriminal to deny a victim access to their files until a ransom has been paid – has become a major focus of cybercriminals and cyber defenders alike.
Ransomware works by using encryption algorithms, which are designed to ensure that only someone with access to the decryption key can reverse the transformation applied to the encrypted data and restore the original, usable version. A victim is motivated to pay a ransom by the loss of access to valuable data, and, upon payment of the ransom, all the ransomware operator must do is provide a short decryption key to restore access to all of the encrypted data.
The theory behind ransomware is fairly simple and does not vary much from one variant of ransomware to another. However, the specifics of how ransomware is used by cybercriminals can be very different for different groups and attack campaigns, and have evolved significantly over the past few years.
In late 2019 and early 2020, a new trend emerged in ransomware attacks. Instead of restricting themselves to encrypting a victim’s files, ransomware authors began stealing sensitive data from their targets as well. Ransomware variants stealing user data include Ako, CL0P, DoppelPaymer, Maze, Pysa, Nefilim, Nemty, Netwalker, Ragnarlocker, REvil, Sekhmet, and Snatch.
This move was in response to organizations refusing to pay ransom demands after falling victim to a ransomware infection. Although the cost of remediating a ransomware attack is often higher than the demanded ransom, best practice dictates that ransoms should not be paid since they enable the cybercriminals to continue their operations and perform additional attacks.
By stealing data from infected computers before encrypting it, ransomware operators could threaten to expose this data if the victim refused to pay the ransom. Depending on the type of data collected and leaked, this could cause an organization to lose competitive advantage in the marketplace or run afoul of data protection laws, such as the General Data Protection Regulation (GDPR), for its failure to protect the customer data entrusted to it.
2019 was famous as the year in which ransomware operators switched their focus to critical institutions. In the first three quarters of 2019 alone, over 621 hospitals, schools, and cities in the United States were victims of ransomware attacks by Ryuk and other ransomware variants. These attacks had an estimated price tag in the hundreds of millions of dollars and resulted in cities being unable to provide services to their residents, and hospitals being forced to cancel non-essential procedures in order to provide critical care to patients.
This new approach to ransomware took advantage of the importance of the services that these organizations provide. Unlike some businesses, which could weather degraded operations while recovering from an attack, cities, schools, and hospitals needed to restore operations as quickly as possible and often had access to emergency funds. As a result, ransomware attacks against these organizations were often successful and continue to occur.
Unlike most ransomware attacks, which target random individuals and businesses, Ryuk ransomware was a highly targeted attack. The cybercriminals behind this operation targeted victims whose businesses would be severely disrupted by even a small amount of downtime.
Ryuk was designed to encrypt company servers and disrupt business until the ransom was paid rather than steal or compromise an individual’s data.
Targeted victims included newspapers, including all Tribune papers, and a water utility company in North Carolina. Affected newspapers had to produce a scaled-down version of the daily news that didn’t include paid classified ads.
Ryuk infected systems through malware called TrickBot and through remote desktop software. After blocking access to servers, Ryuk demanded between 15 and 50 Bitcoin, which was about $100,000-$500,000 at the time.
In addition to disabling servers, infecting endpoints, and encrypting backups, Ryuk disabled the Windows OS system restore option to prevent victims from recovering from the attack.
When the malware was discovered, patches were created to thwart the attack, but they didn’t hold. The moment servers went back online, Ryuk started reinfecting the entire network of servers.
Experts from McAfee suspect Ryuk was built using code originating from a group of North Korean hackers who call themselves the Lazarus Group. However, the ransomware required the computer’s language to be set to Russian, Belarusian, or Ukrainian in order to execute.
Like Ryuk, PureLocker was designed to encrypt entire servers and demand a ransom to restore access. The malware was specifically designed to go undetected by hiding its malicious behavior when run in sandbox environments and by mimicking normal program functions. It also deletes itself after the malicious code executes.
PureLocker targeted the servers of large corporations attackers believed would pay a hefty ransom.
After a thorough analysis, cryptographic researchers from Intezer and IBM X-Force named this ransomware PureLocker because it’s written in the PureBasic programming language.
Writing malware in PureBasic is unusual, but it gave attackers a serious advantage: it’s difficult to detect malicious software written in PureBasic. PureBasic programs are also easily used on a variety of platforms.
PureLocker is still being executed by large cybercriminal organizations. Experts believe that PureLocker is being sold as a service to cybercriminal organizations who have the knowledge required to target large companies. Strangely, ransomware-as-a-service (RaaS) is now a “thing.”
Cybersecurity experts aren’t sure exactly how PureLocker is getting onto servers; adopting a zero-trust approach to network security is the best way to protect against unknown threats.
REvil is malware from a strain called GandCrab that won’t execute in Russia, Syria, or several other nearby countries. This indicates its origin is from that area.
Like PureLocker, REvil is believed to be ransomware-as-a-service and security experts have said it is one of the worst instances of ransomware seen in 2019.
Why is REvil so bad? With most ransomware attacks, people can ignore the ransom demand and cut their losses. However, those behind the attack threatened to publish and sell the confidential data they encrypted if the ransom wasn’t paid.
In September 2019, REvil shut down at least 22 small towns in Texas. Three months later, on New Year’s Eve, REvil shut down Travelex – a UK currency exchange provider.
When Travelex went down, airport exchanges had to go old school and create paper ledgers to document exchanges. Cybercriminals demanded a $6 million ransom, but Travelex won’t confirm or deny paying this sum.
REvil exploits vulnerabilities in Oracle WebLogic servers and the Pulse Connect Secure VPN.
On March 1, 2019, ransomware attacked Jefferson County’s 911 dispatch center and took it offline. County jail staff members also lost the ability to open cell doors remotely, and police officers could no longer retrieve license plate data from their laptops.
Without a working 911 system, the entire city was left vulnerable to the secondary effects of this ransomware attack. Dispatchers didn’t have access to computers for two weeks.
The videoconferencing system that allowed inmates to connect with family members also went down. Guards had to escort inmates to family visits in person, which increased the risk to their safety.
The city paid the $400,000 ransom and was able to restore its systems.
On April 10, 2019, the city of Greenville, NC was attacked by ransomware named RobinHood. When most of the city’s servers went offline, the city’s IT team took remaining servers offline to mitigate the damage.
This attack wasn’t the first time RobinHood made its rounds. In May 2019, the city of Baltimore was hit hard. The city had to spend more than $10 million to recover from a RobinHood attack. Although the ransom was only $76,000, it cost the city $4.6 million to recover data and all the city’s systems were non-functional for a month. The city suffered $18 million in damages.
In 2018, ransomware fell in popularity as rises in the value of cryptocurrency drove a surge in cryptojacking. Cryptojacking malware is designed to infect a target computer and use it to perform the computation-heavy steps required to “mine” Bitcoin and other Proof of Work (PoW) cryptocurrencies and receive the rewards associated with finding a valid block.
However, this isn’t to say that ransomware was completely inactive in 2018. In August 2018, the Ryuk ransomware (one of the leading ransomware threats today) was discovered for the first time “in the wild”. The emergence of Ryuk was part of a shift in how ransomware operators made their money. Attacks like WannaCry targeted quantity over quality, attacking as many victims as possible and demanding a small ransom from each. However, this approach was not always profitable as the average person lacked the know-how to pay a ransom in cryptocurrency. As a result, ransomware operators had to provide a significant amount of “customer service” to get their payments.
In 2018 and beyond, ransomware operators have become more selective in their choice of targets. By attacking specific businesses, cybercriminals could increase the probability that the data encrypted by their malware was valuable and that their target was capable of paying the ransom. This enabled ransomware operators to demand a higher price per victim with a reasonable expectation of being paid.
2017 was the year when ransomware truly entered public awareness. While ransomware has been around for decades, the WannaCry and NotPetya attacks of 2017 made this type of malware a household name. These ransomware variants also inspired other cybercriminals and malware authors to enter the ransomware space.
WannaCry is a ransomware worm that uses the EternalBlue exploit, developed by the NSA, to spread itself from computer to computer. Within a span of three days, WannaCry managed to infect over 200,000 computers and cause billions in damages before the attack was terminated by a security researcher targeting its built-in “kill switch”.
NotPetya is an example of a famous variant that actually isn’t ransomware at all, but rather wiper malware that masquerades as ransomware. While it demanded ransom payments from its victims, the malware’s code had no way to provide the malware’s operators with a decryption key. Since they didn’t have the key, they couldn’t provide it to their victims, making recovery of encrypted files impossible.
Ransomware has proven to be an extremely effective tool for cybercriminals. The loss of access to their data has motivated many organizations to pay large ransoms to retrieve it. The success of ransomware means that it is unlikely to go away as a threat to organizations’ cybersecurity. Protecting against this damaging malware requires deployment of a specialized anti-ransomware solution.
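As an added illustration of the behavioral detection that anti-ransomware tooling relies on (example code written for this page, not taken from the original article or any product): the encryption described above produces output that is statistically indistinguishable from random data, so a process that rewrites many files as high-entropy content in a short burst stands out from normal activity. The file-write events, process names and paths below are constructed.

```python
"""Entropy-burst heuristic for spotting ransomware-style bulk encryption (example code)."""
import hashlib
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def flag_suspicious_writers(events, window=10.0, min_count=5, threshold=7.5):
    """events: iterable of (timestamp_s, process, path, written_bytes). Returns
    {process: [paths]} for any process with `min_count` high-entropy writes in `window` s."""
    high = defaultdict(list)
    for ts, proc, path, content in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(content) >= threshold:
            high[proc].append((ts, path))
    alerts = {}
    for proc, writes in high.items():
        for i in range(len(writes) - min_count + 1):
            if writes[i + min_count - 1][0] - writes[i][0] <= window:
                alerts[proc] = [p for _, p in writes]
                break
    return alerts

def _constructed_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic stand-in for an encrypted file body (SHA-256 chain, not real output)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])

PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 80
# Constructed event stream: normal writers, an archiver writing one compressed
# file, and an unknown process rewriting eight documents as ciphertext in 4 s.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", r"C:\Users\alice\Documents\report.docx", PLAINTEXT),
    (0.5, "archiver.exe", r"C:\Users\alice\photos.zip", _constructed_ciphertext(b"zip")),
    (1.0, "backup.exe", r"D:\backups\nightly.bak", PLAINTEXT),
] + [
    (2.0 + 0.5 * i, "unknown.exe", rf"C:\Users\alice\Documents\doc{i}.docx.locked",
     _constructed_ciphertext(bytes([i])))
    for i in range(8)
]
```

Running `flag_suspicious_writers(SAMPLE_EVENTS)` on the constructed stream flags only `unknown.exe`; the archiver's single compressed file stays below the burst count, which is why the window and count thresholds matter as much as the entropy cut-off.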