
Ransomware is a type of malicious software that prevents the victims from accessing their documents, pictures, databases and other files by encrypting them and demanding a ransom to decrypt them back. A deadline is assigned for the ransom payment, and if the deadline passes, the ransom demand doubles or files are permanently locked. Ransomware is an ever-increasing threat worldwide, claiming a new victim every 10 seconds.

  • Latest Ransomware
  • Most Popular Ransomware Variants
  • History
  • Top Countries Attacked by Ransomware
  • Why Does Ransomware use Bitcoin?
  • How Ransomware Infects Your Computer
  • Files Affected by Ransomware
  • Ransomware Prevention
  • Related Terms

Top Global Ransomware Variants

Latest Ransomware

On October 24th, 2017, the ransomware attack known as ‘Bad Rabbit’ broke out in Europe. Ukraine was the main target of this malware, with many of its critical infrastructure sites suffering downtime, including train stations, airports and media sites.

Some of the affected companies are Kiev Metro (Ukrainian train services), Odessa Airport (Ukraine), the Ukrainian ministries of infrastructure and finance, and Interfax (a large Russian media outlet). Other than Ukraine, countries which were hit include Turkey, Russia and Bulgaria.

The ‘Bad Rabbit’ ransomware asks for a ransom payment of 0.05 BTC (~$280) in the first 40 hours of infection, after which the price will probably rise to a yet unknown amount. The ransomware is spread via a fake Flash software installer, which allegedly arrives as a pop-up from a legitimate Russian news site. Once run, the pop-up leads to a compromised site, which in turn downloads an executable dropper. The ransomware uses known open source software called DiskCryptor in order to encrypt the victim’s drives.


Most Popular Ransomware Variants

CryptoWall – Ransomware that started as a CryptoLocker doppelgänger, but eventually surpassed it. After the takedown of CryptoLocker, CryptoWall became one of the most prominent ransomware families to date. CryptoWall is known for its use of AES encryption and for conducting its Command & Control communications over the Tor anonymity network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
WannaCry – Ransomware which was spread in a large-scale attack in May 2017, utilizing a Windows SMB exploit called EternalBlue in order to propagate within and between networks. It infected more than 100,000 computers by taking advantage of an unpatched Microsoft Windows vulnerability.
Jaff – Ransomware which began being distributed by the Necurs botnet in May 2017, via spam emails containing a PDF attachment with an embedded DOCM file. When the malware first emerged, it was massively spread at an infection rate of approximately 10,000 emails sent per hour.
Locky – Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user’s files.
TorrentLocker – Ransomware that encrypts user documents, pictures and other types of files. Victims are requested to pay up to 4.1 Bitcoins (approximately US $1800) to the attackers to decrypt their files.
Cerber – An offline ransomware, meaning that it does not need to communicate with its C&C server before encrypting files on an infected machine. It is spread mostly via malvertising campaigns which leverage exploit kits, but also through spam campaigns. It is operated by its author as ransomware-as-a-service: the author recruits affiliates to spread the malware for a share of the ransom payment.

History

The first known ransomware attack was deployed in 1989. This very first known malware extortion was called the AIDS Trojan, aka PC Cyborg. The low-tech malware was distributed on over 20,000 floppy disks to AIDS researchers. It hid files on the drive and encrypted the file names, displaying a message to the user that their license to use a specific type of software had expired. As a ransom, the user was asked to pay $189 USD to receive a repair tool. The decryption tool could easily be extracted directly from the code of the Trojan, which rendered the malware flawed because it was not necessary to pay the extortionist.

The Statistics are Scary

  • 150+ countries: the ransomware war affects everybody
  • 400,000+ computers infected: business, personal and government
  • Every 10 seconds a computer is infected with ransomware

Top Countries Attacked by Ransomware

Until now, the ransomware-as-a-service industry has remained an uncharted region of cybercrime. Very little was known about the operation of such franchises, making it harder for defenders to trace them effectively. In research conducted by Check Point and IntSights, we shed new light on the Cerber ransomware, one of the most prominent ransomware variants. Our report, CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service, discloses not only the technical details of the operation, but also the franchise’s business operation from end to end.

Cerber has a wide distribution, due in part to its successful use of leading exploit kits. By monitoring the actual C&C communications, we were able to create a complete view of the ransomware’s activity. Cerber is currently running 161 active campaigns, launching an average of eight new campaigns daily, which have successfully infected approximately 150,000 users worldwide in 201 countries and territories in the past month alone.


Why Does Ransomware use Bitcoin?

Figure A

Because Bitcoin can be used to evade tracing, ransomware operators create a unique Bitcoin wallet to receive funds from each of their victims. Upon paying the ransom (usually 1 Bitcoin, which is currently worth approximately $590), the victim receives the decryption key. The payment is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track the transactions individually. At the end of the mixing process, the money reaches the developer and the affiliates receive their percentage.

WannaCry demanded that each victim pay $300 in Bitcoin. The victims only have 72 hours to pay the $300; if they wait past this period, the ransom doubles to $600. After a total of 7 days, WannaCry deletes all encrypted files and the data is permanently lost. Another ransomware strain, Locky, demands anywhere between 0.5 BTC (Bitcoin) and 1.00 BTC.

The Bitcoin economy has surged: while these prices used to be in the range of a couple hundred dollars, 1 Bitcoin is currently in the range of $3,900. Check Point researchers found that those affected by WannaCry are unlikely to retrieve their files, even if they pay the ransom. So far, the three Bitcoin accounts associated with the WannaCry campaign have accumulated approximately $77,000.

By monitoring the data provided by the C&C servers, we were able to identify actual victim wallets, allowing us to effectively monitor payments and transactions involving each of these wallets. Our research also allowed us to track the actual revenue gained by the malware, as well as the path of financial transactions.


How Ransomware Infects Your Computer

Step 1) Checking Your Internet Connection

Figure A

The first executable in the infection chain checks whether a specific URL is reachable before continuing the attack (the so-called kill switch). Malware researchers have discovered most of the kill-switch URLs used in the different samples of the attack, and so in those samples the ransomware component is not created and executed.

We start the analysis from the actual ransomware executable itself, as shown in Figure 2. Having analyzed multiple samples of the ransomware, we noticed that the behavior is fairly consistent.

Step 2) The Dropper

Figure B

In our report, the attack starts with the launching of the wcry.exe sample. This executable drops a lot of files, most likely configuration/data files needed to continue execution. We see the dropped files by clicking on the wcry.exe process and then viewing the File Ops tab. For example, a large number of files with the “wnry” extension are created.

Step 3) Execution Startup

Figure C

The sample then proceeds to hide all the files in its own folder. This is done through the Windows “attrib.exe” process, as shown in Figure 3. We believe this is done so that the sample does not accidentally encrypt itself, though it could also be a basic technique to hide from investigators.

wcry.exe then executes the Windows “icacls.exe” process to modify the current folder’s permissions. We are still investigating why it does this. This is the first ransomware family we have seen that actually utilizes this Windows process.

Step 4) File Encryption

Figure D

wcry.exe then begins the encryption process, starting with files on the desktop. By following the flow of any one of the encrypted documents, we see that the malware writes the encrypted content into a newly created file with the extension wncryt (t for temp?) and then, after the encryption of the original file is completed, renames that file to have the extension wncry.

For example:

  1. The file 2014-financial-statements-en.pdf was read.
  2. The file 2014-financial-statements-en.pdf.wncryt was created.
  3. The file 2014-financial-statements-en.pdf.wncryt was modified with the encrypted content of the original 2014-financial-statements-en.pdf.
  4. The file 2014-financial-statements-en.pdf.wncryt was renamed to 2014-financial-statements-en.pdf.wncry.

It also creates an executable called @wanadecryptor@.exe and launches it. This executable creates the Tor Application folder and installs Tor in it. This can be seen in the suspicious event “Tor Application Download”. @wanadecryptor@.exe then launches taskhsvc.exe, which is used to begin Tor communication.

Step 5) Permanently Deleting Non-Encrypted Versions

Figure E

After the encryption of files is finished, we see a UAC prompt pop up because a cmd.exe process wishes to elevate privileges. The cmd.exe requires elevated privileges in order to delete shadow copies and modify boot options. If the user clicks OK, shadow copy deletion occurs through both vssadmin.exe and wmic.exe. Based on the cmd.exe arguments (/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet), bcdedit and wbadmin executions are meant to occur as well. However, neither is executed.

Step 6) Notifying the Victim

Figure F

After the encryption, the wallpaper is also changed, as seen in the suspicious event “Wallpaper Change”. Like Cerber and Locky, WannaCry changes the wallpaper to display a ransom message.

Persistence on boot is meant to occur through a registry Run key pointing at a process named tasksche.exe, but this process was never created by the attack, and so nothing happens on reboot of the system. This process apparently should have been created by the downloader that checks whether the kill switch is present. However, given that we executed the sample without executing the downloader, it was unable to persist.

Finally, the process called @wanadecryptor@.exe is also used to display the UI asking for payment.
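As an added example (not Check Point’s code or the sandbox report’s own logic), the following Python replays a constructed sandbox-style event log and flags the traits described in Steps 3 to 5: the attrib/icacls activity on the working folder, the .wncryt to .wncry rename pattern, and the shadow-copy and boot-option tampering command line. The event format, the sample paths and the icacls arguments are constructed for illustration; only the cmd.exe argument string comes from the analysis above.

```python
import re
from collections import Counter

# Constructed sandbox-style event log (not a real capture): kind|process|detail
SAMPLE_EVENTS = """\
file_create|wcry.exe|C:\\Users\\bob\\Desktop\\2014-financial-statements-en.pdf.wncryt
file_rename|wcry.exe|C:\\Users\\bob\\Desktop\\2014-financial-statements-en.pdf.wncryt -> C:\\Users\\bob\\Desktop\\2014-financial-statements-en.pdf.wncry
file_rename|wcry.exe|C:\\Users\\bob\\Desktop\\notes.txt.wncryt -> C:\\Users\\bob\\Desktop\\notes.txt.wncry
process|wcry.exe|attrib +h .
process|wcry.exe|icacls . /grant Everyone:F /T /C /Q
process|cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
process|explorer.exe|notepad.exe C:\\Users\\bob\\todo.txt
"""

# Fragments of the Step 5 cmd.exe argument string; any one of them deserves an alert.
RECOVERY_TAMPER = {
    "vssadmin_delete_shadows": r"vssadmin\s+delete\s+shadows",
    "wmic_shadowcopy_delete": r"wmic\s+shadowcopy\s+delete",
    "bcdedit_ignore_failures": r"bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    "bcdedit_recovery_off": r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    "wbadmin_delete_catalog": r"wbadmin\s+delete\s+catalog",
}

def is_temp_to_final_rename(detail):
    """True for the Step 4 pattern: <name>.wncryt renamed to <name>.wncry."""
    src, sep, dst = detail.partition(" -> ")
    return bool(sep) and src.lower().endswith(".wncryt") and dst.lower() == src.lower()[:-1]

def detect(log_text, rename_threshold=2):
    """Replay the log and return a sorted list of (rule, process) findings."""
    findings, renames = set(), Counter()
    for line in log_text.splitlines():
        kind, proc, detail = line.split("|", 2)
        cmd = detail.lower()
        if kind == "file_rename" and is_temp_to_final_rename(detail):
            renames[proc] += 1
            if renames[proc] >= rename_threshold:  # mass rename, not a one-off
                findings.add(("encrypt_rename_pattern", proc))
        elif kind == "process":
            if cmd.startswith("attrib ") and "+h" in cmd:  # Step 3: attrib.exe
                findings.add(("hide_working_folder", proc))
            if cmd.startswith("icacls "):                   # Step 3: icacls.exe
                findings.add(("folder_acl_change", proc))
            for rule, pattern in RECOVERY_TAMPER.items():   # Step 5
                if re.search(pattern, cmd):
                    findings.add((rule, proc))
    return sorted(findings)

if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_EVENTS):
        print(f"{proc}: {rule}")
```

In a real deployment the rename threshold would be set well above two, since a handful of renames is normal activity while hundreds in seconds from one process is the encryption loop described in Step 4.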


Files Affected by Ransomware

After successful exploitation and “install”, ransomware encrypts 99% of file types, so don’t expect any to be left untouched. File types include:

.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .PAQ, .accdb, .aes, .ai, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iso, .jar, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip


Typically the ransomware will add an additional extension to the encrypted files; in the case of WannaCry, .wcry.

So if you have a file Document.txt, WannaCry ransomware will encrypt it and rename it to Document.txt.wcry.


Ransomware Prevention

Here are ways to defend against the next ransomware attack.

Education: Training users on how to identify and avoid potential ransomware attacks is crucial. Since many current cyber-attacks start with a targeted email that does not even contain malware, but only a socially engineered message that encourages the user to click on a malicious link, user education is often considered one of the most important defenses an organization can deploy.

Continuous data backups: Maintaining regular backups of data as a routine process is a very important practice to prevent losing data, and to be able to recover it in the event of corruption or disk hardware malfunction. Functional backups can also help organizations recover from ransomware attacks.

Patching: Patching is a critical component in defending against ransomware attacks, as cyber-criminals will often look for the latest vulnerabilities uncovered by newly available patches and then target systems that are not yet patched. As such, it is critical that organizations ensure that all systems have the latest patches applied, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.

Check Point Can Help

Check Point’s Anti-Ransomware technology uses a purpose-built engine that defends against the most sophisticated, evasive zero-day variants of ransomware and safely recovers encrypted data, ensuring business continuity and productivity. The effectiveness of this technology is verified every day by our research team, and it consistently demonstrates excellent results in identifying and mitigating attacks.

SandBlast Agent, Check Point’s leading endpoint prevention and response product, includes Anti-Ransomware technology and provides protection to web browsers and endpoints, leveraging Check Point’s industry-leading network protections. SandBlast Agent delivers complete, real-time threat prevention and remediation across all malware threat vectors, enabling employees to work safely no matter where they are, without compromising on productivity.

Learn more about threat prevention and how Check Point Anti-Ransomware, SandBlast Zero-Day Protection and SandBlast Agent can help protect your company against ransomware.