RANSOMWARE

Ransomware, as the name suggests, demands a ransom in return for releasing its hold on your computer. Once installed, ransomware encrypts all the data on the machine, i.e. locks it, or claims to have deleted it; to unlock or decrypt that data, the victim is asked for money. This is much like demanding a ransom after kidnapping someone. Most ransomware payments are made in Bitcoin or another cryptocurrency so that the developer or distributor of the ransomware cannot be traced.

  • Malware programs that encrypt information and hold it hostage pending a payoff in cryptocurrency have made up a large share of malware in recent years, and that share is not shrinking. Ransomware has crippled businesses, hospitals, police departments and even whole cities. Most ransomware programs are Trojans, which means they must be spread by some form of social engineering. Once executed, most of them begin searching for and encrypting files within a few minutes.
  • Some variants instead wait and watch for a few hours before the encryption routine is triggered, so that the operator can work out exactly how much the victim can afford and make sure that other supposedly safe backups are deleted or encrypted too. Ransomware, like any other malware type, can be avoided, but once it has executed the damage may be difficult to reverse without a strong, tested backup. Several reports have shown that around a third of victims still pay the ransom, and around 30% of victims still do not disclose the incident. In any case, recovering the encrypted files, where it is possible at all, needs other tools, decryption keys and more than a little luck.
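The "encrypt many files within minutes" behaviour described above is what a host-level detector looks for. The following is an added example, not code from the original text: a small heuristic that flags a burst of file writes whose new contents are near-random and whose names gained a stacked extension, run over constructed sample events. The threshold values and the `.locked` suffix are assumptions for illustration, not figures from the page.

```python
import math
import os
import random
from collections import Counter

HIGH_ENTROPY = 7.5    # bits per byte; ciphertext sits near 8.0, documents and text far lower
WINDOW_SECONDS = 60   # how tightly the writes must cluster to count as one burst
BURST_THRESHOLD = 5   # distinct files rewritten as ciphertext inside one window

def shannon_entropy(data: bytes) -> float:
    """Empirical entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_encrypt_like(path: str, data: bytes) -> bool:
    """Near-random contents AND a stacked extension (report.docx -> report.docx.locked),
    the pattern left behind when a file-encrypting routine rewrites and renames a file."""
    stem, outer = os.path.splitext(path)
    _, inner = os.path.splitext(stem)
    return bool(outer) and bool(inner) and shannon_entropy(data) >= HIGH_ENTROPY

def largest_burst(events):
    """events: iterable of (timestamp_seconds, path, new_contents).
    Returns the largest number of distinct encrypt-like files seen in any
    sliding window of WINDOW_SECONDS."""
    hits = sorted((ts, p) for ts, p, d in events if is_encrypt_like(p, d))
    best, start = 0, 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
            start += 1
        best = max(best, len({p for _, p in hits[start:end + 1]}))
    return best

def ransomware_suspected(events) -> bool:
    return largest_burst(events) >= BURST_THRESHOLD

# Constructed sample data (not a real capture): deterministic pseudo-random bytes
# stand in for ciphertext, repeated text stands in for an ordinary document.
_rng = random.Random(7)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAINTEXT = b"Quarterly figures, draft three. " * 128

NORMAL_ACTIVITY = [
    (0, "docs/report.docx", PLAINTEXT),
    (5, "docs/backup.zip", CIPHERTEXT),          # compressed: high entropy but no stacked extension
    (300, "docs/notes.txt.locked", CIPHERTEXT),  # one odd file is not a burst
]
ENCRYPTION_BURST = NORMAL_ACTIVITY + [
    (400 + i, f"docs/file{i}.xlsx.locked", CIPHERTEXT) for i in range(5)
]
```

Real detectors feed this from file-system audit events and pair it with the backup checks the text mentions, since a burst alert only helps if a tested backup exists to restore from.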

Ransomware Attacks

Petya

Petya (not to be confused with ExPetr) is a ransomware attack that first hit in 2016 and resurged in 2017 as GoldenEye.
Rather than encrypting specific files, this vicious ransomware encrypts the victim’s entire hard drive. It does this by encrypting the Master File Table (MFT), which makes it impossible to access any file on the disk.
Petya spread through HR departments via a fake job application email with an infected Dropbox link.

WannaCry

WannaCry is a ransomware attack that spread across 150 countries in 2017.
It was built around an exploit for a Windows vulnerability that was allegedly created by the United States National Security Agency and leaked by the Shadow Brokers group. WannaCry affected 230,000 computers globally.
The attack hit a third of hospital trusts in the UK, costing the NHS an estimated £92 million. Users were locked out and a ransom was demanded in the form of Bitcoin. The attack highlighted the problematic use of outdated systems, leaving the vital health service vulnerable to attack.
The global financial impact of WannaCry was substantial: the attack caused an estimated $4 billion in financial losses worldwide.

Crowti

The Win32/Crowti ransomware has been on the upswing of late, the result of a series of fresh malware campaigns distributed through spam emails and exploit kits.
Crowti is similar to CryptoLocker in that it uses keys to encrypt the files on a PC and then asks for payment to unlock them. Crowti usually brands itself with the name CryptoDefense or CryptoWall, and once triggered, victims are shown a message directing them to a Tor webpage asking for payment in Bitcoin.
In the latest rash of attacks, computers in the United States have been most affected with 71% of total infections, followed by Canada, France and Australia. 
“Crowti impacts both enterprise and home users; however, this type of threat can be particularly damaging in enterprise environments,” Microsoft said in an advisory on the Microsoft Malware Protection Center (MMPC) site.
Crowti is mainly distributed via spam campaigns. It is also distributed via exploit kits such as Nuclear, RIG and RedKit V2, which take advantage of unpatched Java and Flash vulnerabilities. Microsoft has also seen Win32/Crowti being installed by other malware, such as Upatre, Zbot and Zemot.
The spam mails carry an attachment, usually a ZIP archive, that launches the malware when opened. “Attackers will usually try to imitate regular business transaction emails such as fax, voicemails or receipts,” Microsoft said. “If you receive an email that you’re not expecting, it’s best to ignore it.”
Crowti has also been distributed as digitally signed malware.
“On September 29, 2014 we saw a Crowti sample distributed with a valid digital certificate—since revoked,” Microsoft said. “Crowti has used digital certificates to bypass detection systems before — we have previously seen it using a certificate issued to The Nielsen Company.”
Of course, the best course of action is to avoid being infected in the first place. “There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines,” Microsoft said. “As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date.”

Locky

Locky is a type of ransomware that was first released in a 2016 attack by an organized group of hackers.
With the ability to encrypt over 160 file types, Locky spreads by tricking victims into installing it via fake emails with infected attachments. This method of transmission is called phishing, a form of social engineering.
Locky targets a range of file types that are often used by designers, developers, engineers, and testers.

Bad Rabbit

Bad Rabbit is a 2017 ransomware attack that spread using a method called a ‘drive-by’ attack, in which insecure websites are compromised and used to deliver the malware.
During a drive-by ransomware attack, a user visits a legitimate website without knowing that it has been compromised by a hacker.
Drive-by attacks often require no action from the victim beyond browsing to the compromised page. In this case, however, victims were infected when they clicked to install something that was actually malware in disguise. This element is known as a malware dropper.
Bad Rabbit used a fake request to install Adobe Flash as a malware dropper to spread its infection.

Ryuk

Ryuk ransomware, which spread in August 2018, disabled the Windows System Restore option, making it impossible to restore encrypted files without a backup.
Ryuk also encrypted network drives.
The effects were crippling, and many organizations targeted in the US paid the demanded ransoms. August 2018 reports estimated funds raised from the attack were over $640,000.

Troldesh

The Troldesh ransomware attack happened in 2015 and was spread via spam emails with infected links or attachments.
Interestingly, the Troldesh attackers communicated with victims directly over email to demand ransoms. The cybercriminals even negotiated discounts for victims who they built a rapport with — a rare occurrence indeed.
This tale is definitely the exception, not the rule. It is never a good idea to negotiate with cybercriminals. Avoid paying the demanded ransom at all costs, as doing so only encourages this form of cybercrime.

Jigsaw

Jigsaw is a ransomware attack that started in 2016. This attack got its name as it featured an image of the puppet from the Saw film franchise.
Jigsaw gradually deleted more of the victim’s files each hour that the ransom demand was left unpaid. The use of horror movie imagery in this attack caused victims additional distress.

CryptoLocker

CryptoLocker is ransomware that was first seen in 2007 and spread through infected email attachments. Once on your computer, it searched for valuable files to encrypt and hold to ransom.
CryptoLocker is thought to have affected around 500,000 computers. Law enforcement and security companies eventually managed to seize a worldwide network of hijacked home computers that was being used to spread CryptoLocker.
This allowed them to control part of the criminal network and capture the data as it was being sent, without the criminals knowing. This action later led to the development of an online portal where victims could obtain a key to unlock and release their data for free, without paying the criminals.

GoldenEye

The resurgence of Petya, known as GoldenEye, led to a global ransomware attack that happened in 2017.
Dubbed WannaCry’s ‘deadly sibling’, GoldenEye hit over 2,000 targets, including prominent oil producers in Russia and several banks.
Frighteningly, GoldenEye even forced workers at the Chernobyl nuclear plant to check radiation levels manually as they had been locked out of their Windows PCs.

GandCrab

GandCrab is a rather unsavory ransomware attack that threatened to reveal victims’ porn-watching habits.
Claiming to have hijacked users’ webcams, the GandCrab cybercriminals demanded a ransom, threatening otherwise to make the embarrassing footage public.
After first hitting in January 2018, GandCrab evolved into multiple versions. As part of the No More Ransom initiative, internet security providers and the police collaborated to develop a ransomware decryptor to rescue victims’ sensitive data from GandCrab.