On the surface, many people identify ransomware as a one-dimensional type of attack that encrypts files and only frees them once payment is received. In theory, this is the basis for most ransomware attacks. Over time, cybercriminals have continued to develop attacks to be more intricate and ultimately more damaging.
Malware is increasing at an alarming rate. For example, ransomware increased by 435% in 2020 compared to the year prior, according to Deep Instinct. The COVID-19 pandemic and the need for so many employees to work from home have widened the scope of attacks for cybercriminals, with experts fearing the statistics for 2021 will be far greater than any year on record. Guy Caspi, CEO of Deep Instinct, says, "We've seen the pandemic accelerate companies' business transformations to conducting business online while the abrupt switch to the work-from-home model widened organizations' attack surface. It's no wonder that security teams have difficulty keeping up with the onslaught of attacks of every different type."
As ransomware continues on its destructive path, six variations are particularly concerning. This is especially true if you run a business or other organization that houses large amounts of data. Many of these serious forms of ransomware were released years ago, and security patches are available for most of them. Despite this, and exemplified in the graphic below, businesses in the U.S. are still being affected by them. We will explain each in more detail so readers will have a better idea of prominent signs that your system may be infected.
What are the six most damaging types of ransomware against businesses today?
CryptoLocker first emerged in September of 2013. The situation it created amongst organizations was so serious that a global government task force, named Operation Tovar, was assembled to take the threat down. This ransomware is a threat to businesses using computers with a Windows operating system.
How does it work? Much like regular ransomware, CryptoLocker conned its victims into downloading malicious email attachments. This ransomware uses what is known as an asymmetric encryption method, otherwise referred to as a two-key system. This means that there is a public key for encryption and a private key for decryption. Be sure to remember this detail.
Once installed onto a victim's computer, CryptoLocker begins to scan files and other connected devices, searching for information to encrypt. Remember that private key used for decryption? If payment is not received within a specified time frame, CryptoLocker threatens to destroy it. As time passed, the cybercriminals offered to retrieve the decryption key after the deadline for an additional fee.
How do you know if your system has been infected? The original version of CryptoLocker has been resolved, with decryption keys freely available online. Despite this, and as exemplified by the previous graphic, many businesses are still falling prey to this version of ransomware. Before it presents itself, you may be able to tell that your system is infected with CryptoLocker: you will notice files being renamed with new extensions, such as .encrypted or .cryptolocker. Once it has finished encrypting most of your files, you will receive the below message on your screen.
[Image: CryptoLocker ransom message. Image courtesy of Avast]
WannaCry ransomware first began infecting Windows operating systems in May of 2017. It spreads by exploiting a vulnerability found in the Windows Server Message Block protocol.
It is built from four main components: First, the DoublePulsar dropper, which is a self-contained program that extracts other components of the ransomware. Second, there is a tool that conducts the encrypting and decrypting of information. Third, a document that contains encryption keys. And finally, a copy of Tor, which is an open-source software program enabling anonymous communication.
According to Safety Detectives, WannaCry went on an early rampage, taking down systems associated with world government organizations, public transportation, national telecommunication companies, global logistic companies, and multiple universities. Today, this ransomware is still responsible for almost half of reported incidents in the U.S.
On the surface, WannaCry does not act any differently than a standard ransomware attack. Employees of a business or organization may not even notice its existence until it is too late. The unique aspect of this form of ransomware has everything to do with how it infects a user's system, rather than other characteristics.
The demand? For a medium or large business, the ransom that WannaCry demands is manageable. Victims would need to pay $300 in Bitcoin within three days or $600 within a week to retrieve their data. Experts have suggested that victims do not pay the ransom because in many cases, these cybercriminals cannot decrypt the data anyway. This can be a scary prospect for businesses or organizations that house sensitive data that is not backed up. If your system is infected with WannaCry, a message similar to the one displayed below will appear on the screen.
[Image: WannaCry ransom message. Image courtesy of Imperva]
Although Microsoft quickly provided a patch for the vulnerability this ransomware exploits, WannaCry is still ranked second, only behind CryptoLocker, among the dangerous ransomware variants still targeting businesses in the U.S. today. How can you ensure you remain safe against WannaCry? Be sure you have installed the security update MS17-010.
CryptoWall is a ransomware that is best described as "highly contagious." Coded to run on both 32-bit and 64-bit Mac or Windows systems, the infection can occur by simply clicking on advertisements, sometimes even found on trustworthy, well-known domains. Like other ransomware, it also infects the system using malicious ZIP attachments within emails. The PDFs located within the zip file usually disguise themselves as bills or invoices. Unfortunately, once opened, it is too late. By this point, the virus is installed in either the %AppData% or %Temp% folders. Be aware that this form of ransomware can encrypt external drives, network shares, and data in the cloud.
How can you know if you have been infected with CryptoWall? When attempting to open files such as Word documents, Excel spreadsheets, or PDFs, they will launch with the correct program, but the data will not display correctly. An error message may also accompany the opened file. Within your computer's directory, you may also find three files, titled DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.html, and DECRYPT_INSTRUCTION.url. The presence of these files means your system has become a victim of the dreaded CryptoWall ransomware. Clicking on any one of the files will also reveal instructions for returning the data, including the amount of the ransom payment.
What about the ransom payment? Businesses beware. Ransom demands for CryptoWall can range anywhere from USD 200 to USD 10,000. Unless your IT leader has been conducting regular backups, paying the ransom may be the only way to retrieve your data. This is because this virus does not store the encryption key where a user can easily retrieve it.
Locky ransomware was first discovered at the beginning of 2016. Like other highly transmissible variations of the virus, it targets Windows operating systems. Victims, which originally consisted of many in the healthcare industry, would receive a fraudulent email containing an attachment. The email would have language referring to urgent payment invoices. If you open the attachment, which is often a Microsoft Word document, you will notice it filled with gibberish. You may also receive a prompt to enable your macros. This is the malicious activation script that installs the latest version of Locky onto your computer.
What makes Locky so damaging? Unlike other versions of ransomware, Locky can scramble your computer's source code, ultimately rendering it unusable.
If you suspect your system may have been taken over by Locky, you can verify this by checking whether files have been renamed. In the case of this virus, new extensions may include .aesir, .odin, .osiris, .thor and .locky. Though it was initially a major threat to those in the healthcare industry, it no longer discriminates, now also regularly affecting businesses across the U.S. The ransom is not cheap either. Be prepared for demands that range anywhere from USD 4,000 to USD 8,000.
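As an added example, not taken from the article or from any vendor tool, the following Python script checks a directory tree for the infection signs listed above for CryptoLocker, CryptoWall and Locky: files renamed with the quoted extensions and the DECRYPT_INSTRUCTION ransom notes. The directory it scans is a constructed sample built in a temporary folder; point scan_tree at a real share to use it for triage.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the article: renamed-file extensions and ransom-note file names.
EXTENSION_FAMILY = {
    ".encrypted": "CryptoLocker", ".cryptolocker": "CryptoLocker",
    ".aesir": "Locky", ".odin": "Locky", ".osiris": "Locky",
    ".thor": "Locky", ".locky": "Locky",
}
NOTE_FAMILY = {
    "DECRYPT_INSTRUCTION.txt": "CryptoWall",
    "DECRYPT_INSTRUCTION.html": "CryptoWall",
    "DECRYPT_INSTRUCTION.url": "CryptoWall",
}

def scan_tree(root):
    """Walk root and return (findings, total_files).
    findings maps family -> {"encrypted": renamed-file count, "notes": [note paths]}."""
    findings, total = {}, 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            total += 1
            path = os.path.join(dirpath, name)
            family = NOTE_FAMILY.get(name)  # ransom notes are matched by exact file name
            if family:
                findings.setdefault(family, {"encrypted": 0, "notes": []})["notes"].append(path)
                continue
            family = EXTENSION_FAMILY.get(Path(name).suffix.lower())  # case-insensitive extension
            if family:
                findings.setdefault(family, {"encrypted": 0, "notes": []})["encrypted"] += 1
    return findings, total

def build_sample_tree(root):
    """Constructed sample: a small share with clean files plus signs of three families."""
    for rel in ["q1/budget.xlsx", "q1/budget.xlsx.locky", "q1/memo.docx.osiris",
                "hr/contract.pdf", "hr/DECRYPT_INSTRUCTION.txt", "hr/DECRYPT_INSTRUCTION.html",
                "backup/notes.txt.ENCRYPTED"]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample data")

def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    findings, total = demo()
    for family, info in sorted(findings.items()):
        print(f"{family}: {info['encrypted']} renamed files, {len(info['notes'])} ransom notes (of {total} files scanned)")
```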
Emotet was first identified in 2014. Since then, this ransomware has gone on a damaging run, costing businesses and other organizations up to USD 1 million to clean up. Emotet spreads through spam emails that carry a malicious script, macro-enabled document files, and harmful links. It will try to lure the unsuspecting victim into clicking on its malicious inclusions using persuasive language referring to invoices, payment details, and even shipping notifications from well-known carriers. In addition to encrypting files, this ransomware can also steal banking logins, financial data, and Bitcoin wallets.
What makes Emotet so dangerous? It uses functionality that helps it evade detection, even by some of the strongest anti-malware products on the market. It can detect whether it is running in a virtual machine and can lie dormant if it detects a sandbox, a tool cybersecurity experts use to research malware in a "safe space." Emotet also hijacks your email account, stealing the contact information of others you interact with and selling it to other top-level criminal groups for the deployment of illicit activities like extortion and data theft through ransomware.
First discovered in 2016, Petya infects Microsoft Windows-based computers. It infects the master boot record to start a payload that encrypts data on hard drive systems. This prevents Windows systems from properly booting. Like other ransomware, Petya is spread through infected email attachments.
How does it work? Petya begins by encrypting the Master File Table of the NTFS file system. It then quickly follows up with a message demanding a ransom payment be made in Bitcoin. All the while, your system may display a message stating that the hard drive is being repaired. Petya is relentless. Since the original payload requires a user to grant it administrative privileges, it also comes pre-loaded with a second payload called Mischa. This is activated if Petya fails to install. Mischa is a more conventional type of ransomware, encrypting user files without administrative privileges.
What is NotPetya? A variant of the original Petya, NotPetya exhibits key differences from the original. It is spread using an exploit known as EternalBlue. Once a system is compromised, EternalBlue exposes flaws in Windows networking protocols to silently spread across networks. The particular danger of NotPetya is that it is able to affect new systems without any user action.
Petya is considered dangerous for businesses because it is a multi-layered virus that can prevent a system from ever booting correctly again.
The Bottom Line: Protect your business against ransomware at all costs
As we can see, ransomware continues to decimate businesses across the U.S. Ransomware has evolved to go beyond its traditional damage tactics. New variants of the virus do more than just encrypt files and demand a payment. They are now capable of inflicting damage on a whole new level. Limited computer access, liaising with other cybercriminals and never releasing encrypted data are just some ways new versions of this traditional virus are affecting computer users.
Although many of these versions of ransomware have been around for several years now - some with well-publicized solutions - they are still affecting a high proportion of users. With this in mind, businesses must proactively protect themselves against losses that can range from thousands to millions of dollars. Three tips that IT leaders should be aware of to prevent and tackle ransomware variants include conducting regular system updates, holding regular employee education sessions, and staying on top of ongoing trends.