Ransomware has been dominating the headlines more than ever before, and for good reason. It has caused companies of every size across the globe to stop in their tracks, from mom-and-pop shops to Fortune 500s. Research tells us that this isn’t just a fad. As cybercriminals become more creative and sophisticated with their attacks, it will be more important than ever to stay on top of your education and security. In the meantime, here’s an overview of the most recognized ransomware attacks performed in 2017.


Starting in June 2017, NotPetya initially posed as a fake Ukrainian tax software update that victims would download and then apply to all devices. After this point, the cybercriminals used an SMB exploit to spread through the network, creating a “worm” that destroyed everything in its path. Before initiating complete network and file destruction, NotPetya would ask for $300 in bitcoin in exchange for the decryption key, but for reasons unknown, the system in charge of payment collection eventually fell apart. Nonetheless, NotPetya caused over $300 million in damage and was responsible for serious damage to the Ukrainian infrastructure. It shut down power plants, banks, grocery stores, FedEx and the world’s largest container shipping company, and also infected hundreds of thousands of computers in over 100 countries.


Although NotPetya caused the most damage through SMB, WannaCry is the original ransomware to have spread through an SMB exploit. Originating as a spam email, the hackers attached a zip file with what they said was an invoice, job offer or some other cover story. Using EternalBlue, an exploit for the Microsoft Windows SMB protocol, they were able to perform remote code execution on machines that were either unsupported legacy devices or that hadn’t applied Microsoft’s patch.

WannaCry was established in March 2017 and, on the first day of its attack in May, infected over 200,000 machines. Its operators demanded a ransom between $330 and $600, spread across over 150 countries and created a potential damage count of $4 billion. WannaCry is known as the most devastating ransomware attack in history with an estimated 10 million affected, including law enforcement, banks and other infrastructure areas.


What originated back in early 2016 has expanded into 2 new strains, Diablo and Lukitus. The expansion was set loose in August 2017 and is still creating devastation in over 28 countries with ransoms of $400-$800. The malware is delivered as a spam email labeled as a shipping invoice from Amazon Marketplace or Herbalife and contains a zip file attachment. However, the company being impersonated changes, and a recently released campaign was directed at Game of Thrones fans. In one day, a single campaign can reach over a million emails, demanding anything from 0.5-40 bitcoin ($400-$32,000).


Distributing malware through Remote Desktop Protocol (RDP) is a popular form of execution because it allows hackers to infect admin accounts and use them as an entry way into whole systems. CrySis uses unsecured RDP computers as entry points, where the attackers then deploy password tools. Once inside the system, it encrypts a computer and then removes all automated backups. Since its origination in February 2016, it has continued into 2017, as recently as May, demanding a ransom of $455 to $1,022 in over 22 countries.


Delivered as another spam email disguised as an invoice, Nemucod attaches a zip file containing a JavaScript file that downloads the malware and encryption components stored on compromised websites. Nemucod has been around since 2015, working with TeslaCrypt, until branching out on its own in 2017. This ransomware has infected over 26 countries and sends a ransom note to its victims demanding 300 bitcoin.


This ransomware disperses through spam emails and began in May 2017. At one point, it was sending out 5 million email attacks an hour. Jaff shares the same exact characteristics as Locky, such as the payment page, a PDF that opens up a Word document and distribution through Necurs. The difference here is the ransom demand, which is 2 bitcoin, equivalent to $3,700. New variants are being dispersed constantly, and it has already infected over 21 countries.


In over 28 countries, legitimate websites have been hacked in order to inject a fake JavaScript pop-up that tells users to update their Chrome browser in order to continue viewing the webpage. Spora began its attack in January 2017 and offers victims different payment options: restore the first two files for free, restore additional files for $30, decrypt files for $79, buy immunity from future attacks for $50 and remove all Spora-related files, after paying the ransom, for $20.


Initiated in March 2016, Cerber has dispersed attacks through spam emails and RDP exploits in over 23 countries as recently as October 2017. The malware will also hack passwords and steal cryptocurrency as additional income after exploiting victims for a bitcoin ransom of $300-$600. On top of their ransomware attacks, the Cerber operators package hacking tools and sell them to other cyber criminals as a product they refer to as ransomware-as-a-service (RaaS).


Through a technique referred to as “malvertising,” CryptoMix will hack an advertisement and the shopping website that it leads to, attacking the victim’s computer when they arrive on the site. CryptoMix is also known for distributing its attacks through RDP and flash drives. These attacks have been going on since March 2016, have reached over 29 countries and make the victims wait for an email demanding a ransom of 5 bitcoin ($3,000).


Dispersed through a spam email, Jigsaw demands a ransom from its victims of between $20 and $200 or else it deletes a file every hour. Some victims have reported a loss of 1,000 files after trying to reboot their systems or restarting after process termination. Jigsaw is named after a character in the movie “Saw” and has hit over 29 countries.

As a reminder, these are 10 of the most noticed malware attacks of 2017 and don’t include the large number of other less substantial, but still devastating, hacks. According to Threat Post, Andrea Zaharia wrote, “a ransomware attack never stops at just encrypting data. It also harvests as much information as possible about the victim. By combining these informational assets, cyber criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment.”

Although malware attacks are never 100% preventable, you should do everything in your power to avoid victimization. According to Malwarebytes, a cyber-security and anti-malware software company, there are security measures you can take:

  • Update your operating system, browsers and plugins. These updates exist so that bugs and potential exploits in earlier versions get fixed, decreasing vulnerabilities.
  • Enable click-to-play plugins. This helps to block malicious ads or other exploits from being delivered.
  • Remove software that you don’t use. Especially software that the manufacturer no longer creates patches for. Some examples are Windows XP, Adobe Reader and older versions of media players.
  • Keep an eye out for social engineering. This can be through emails that claim to be from your bank, tech support or a questionable social media campaign. Some tactics are to:
    1. Check for the details. Check the sender’s address (is it from the actual company they claim?). By hovering over embedded links, you can check the legitimacy of URLs. Are there strange line breaks? Oddly worded sentences? Know the communication methods for important organizations and, if you ever have doubt, call the company to confirm.
    2. Refrain from calling fake tech support numbers that offer to help you with malware. Malwarebytes claims that “A real security company would never market to you via pop-up saying they believe your computer is infected. They would especially not serve up a (bogus) 1-800 number and charge money to fix it. If you have security software that detects malware, it will show such a detection in your scan, and it will not encourage you to call and shell out money to remove the infection.”
    3. Dismiss cold callers claiming to be from Microsoft or a tech support company, or claiming they found credit card fraud on your card or that you have an overdue loan; these are all frauds.
    4. Browse safely: use strong passwords, make sure you’re on a strong connection and log out of websites when you’re done.
  • Have a multi-layer security platform. Purchase security software and add to it by using a firewall, anti-virus, anti-malware and anti-exploit technology.
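A concrete form of the “check the details” advice above, as an added example (not from the original article or from Malwarebytes): a small Python checker that parses a constructed invoice-lure email of the kind the Locky, Jaff and Nemucod campaigns used, flags a sender display name whose brand does not appear in the address domain, and flags links whose visible URL text points to a different domain than the real href. The sample message and the “last two labels” notion of a company domain are simplifying assumptions made here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure: the brand in the display name and in the visible
# link text does not match the real sender domain or the real link target.
SAMPLE_EMAIL = """\
From: "Amazon Marketplace" <billing@amaz0n-invoices.example>
To: victim@example.org
Subject: Your shipping invoice
Content-Type: text/html

<html><body><p>Your invoice is attached. Click
<a href="http://update-chrome.example/inv.zip">https://www.amazon.com/invoice</a>
to view it.</p><p>Questions? <a href="https://www.amazon.com/help">Help</a></p>
</body></html>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Crude 'company' part of a hostname: the last two labels (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_sender(msg):
    """Return (name, addr) when the claimed brand is absent from the sender domain."""
    name, addr = parseaddr(msg["From"])
    domain = registered_domain(addr.split("@")[-1])
    brand = name.split()[0].lower() if name else ""
    return None if brand in domain else (name, addr)

def check_links(msg):
    """Return (shown_text, href) pairs where a URL-looking link text hides another domain."""
    findings = []
    for href, text in HREF_RE.findall(msg.get_payload()):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if "://" not in text and not text.startswith("www."):
            continue  # plain words such as "Help" cannot misstate a domain
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registered_domain(shown) != registered_domain(real):
            findings.append((text, href))
    return findings

def analyse(raw):
    """Run both checks over a raw RFC 822 message string."""
    msg = message_from_string(raw)
    return {"sender": check_sender(msg), "links": check_links(msg)}
```

Running `analyse(SAMPLE_EMAIL)` reports the spoofed sender and the one link whose displayed amazon.com URL actually leads to another host, while the plain-text “Help” link is left alone.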