2017 Ransomware Recap

2017 was the year ransomware diversified into one of the hardest-hitting threats affecting users and especially enterprises. Businesses felt the brunt as the likes of WannaCry and Petya reared their heads. Ransomware as a service continued to flourish in the underground. Ransomware proliferated further as publicly available source code was constantly rehashed. Attack vectors and distribution methods branched out past the Windows platform. While ransomware’s routines are familiar territory, 2017 brought scale and scope. And as ransomware continues to be a cybercriminal cash cow, it won’t be a surprise if its operators expand their horizons. Here are this year’s notable ransomware families and the lessons they taught:

WannaCry

What it does: WannaCry encrypts 176 file types, including database, multimedia, and archive files, as well as Microsoft Office documents. It was one of the first to use EternalBlue, an exploit that targets a vulnerability in Windows’ Server Message Block (SMB). It had a kill switch that prevented it from spreading further.

Ransom: $300 in bitcoins, increases incrementally after a time limit

In the wild: Since March–April 2017; outbreak in May 2017

Attack vectors: EternalBlue; has worm-like capability allowing it to spread within the network

Impact: It struck healthcare systems in the U.K.; countries in Europe were significantly affected, along with the U.S., Japan, as well as those in the Middle East and Asia Pacific; it reportedly infected 200,000 systems in a single day.

Petya/NotPetya

What it does: Petya ransomware encrypts the system’s files, overwrites its Master Boot Record, and locks users out with a blue screen of death. Petya abused the system administration tools PsExec and Windows Management Instrumentation Command-line (WMIC) to execute itself.

Ransom: $300 in bitcoins

Outbreak: June 2017

Attack vectors: EternalBlue and EternalRomance exploits; can spread within the local network

Impact: Several countries were affected, especially Europe; up to $300 million in losses for Maersk alone; it shut down systems of banks, power utilities, and airports, to name a few.

Locky

What it does: The most prevalent in 2017 despite its hiatuses, Locky ransomware encrypts over 130 file types, including those on removable drives and unmapped network shares.

Ransom: Varies; mostly 0.25–1 bitcoin

In the wild: Since February 2016

Attack vectors: Spam email with various file attachments

Impact: Hollywood Presbyterian Medical Center was coerced to pay $17,000; Methodist Hospital was extorted twice. It used compromised systems to become part of a botnet to further send spammed messages and had a global reach given its multilingual ransom note.

Cerber

What it does: Notable for its voice feature, Cerber is sold as ransomware as a service (RaaS), which means cybercriminals can customize its encryption behavior and ransom demands; it has recently been spotted stealing from Bitcoin wallets and evading machine learning-based detection.

Ransom: Depends on the affiliate (mainly 1–3 bitcoins)

In the wild: Since March 2016

Attack vectors: Spam email, exploit kit, RaaS

Impact: It pioneered the RaaS business model and earned its developers nearly $200,000 in commissions in one month alone; the education, manufacturing, technology, healthcare, energy, and transportation industries and the public sector in the U.S., Japan, Taiwan, Australia, and China were affected.

Hidden Tear

What it does: Hidden Tear is open-source ransomware that allowed cybercriminals to create their own versions, which were themselves reworked into further spinoffs. Dikkat, WinSec, and R4bb0l0ck showed Hidden Tear customized as regional, language-specific ransomware, while InfiniteTear and 3301 demonstrated its adaptability, especially given that 3301 can encrypt up to 2,783 file types.

Ransom: Varies (typically $300+ in bitcoins; can go as high as 3 bitcoins)

Inception: Released in August 2015

Attack vectors: Varies

Impact: Hidden Tear was heavily commercialized this year, with new Hidden Tear iterations regularly cropping up. Hidden Tear-related activity, for instance, surged by 142% from January to March 2017.

Crysis/Dharma

What it does: It is executed manually via redirected drives, scans and encrypts over 185 file types on removable drives and network shares, and deletes shadow copies to prevent victims from restoring the scrambled files.

Ransom: Varies (initially ranging from €400–900 or $470–1,050)

Emergence: June 2016

Attack vectors: Brute-forcing remote desktops (RDP)

Impact: It affected businesses in Australia and New Zealand in September 2016. Its activity doubled by early January 2017, affecting the government sector and the healthcare, education, real estate, financial, and manufacturing industries.

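
The Crysis/Dharma entry names two behaviours a defender can watch for: failed RDP logons piling up from a single source (the brute-forcing attack vector) and deletion of volume shadow copies before files are encrypted. The script below is an added example for this page, not code from the original article or from any vendor; it runs both detections over constructed, simplified log lines. The key=value line format, host name and addresses are invented for the example; the Windows Security event ID 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real values, and the process-creation lines stand in for Sysmon event 1 or Security event 4688.

```python
import re
from collections import Counter

# Constructed sample log lines for this example (not from the page).
# event=4625 with logon_type=10 is a failed RDP logon; event=1 lines are
# process creations in a simplified Sysmon-like shape.
SAMPLE_LOGS = [
    "ts=2017-01-05T02:10:01 event=4625 logon_type=10 src_ip=203.0.113.7 user=administrator",
    "ts=2017-01-05T02:10:02 event=4625 logon_type=10 src_ip=203.0.113.7 user=admin",
    "ts=2017-01-05T02:10:02 event=4625 logon_type=10 src_ip=203.0.113.7 user=backup",
    "ts=2017-01-05T02:10:03 event=4625 logon_type=10 src_ip=203.0.113.7 user=administrator",
    "ts=2017-01-05T02:10:03 event=4625 logon_type=10 src_ip=203.0.113.7 user=test",
    "ts=2017-01-05T02:10:04 event=4625 logon_type=10 src_ip=203.0.113.7 user=administrator",
    "ts=2017-01-05T02:11:00 event=4625 logon_type=10 src_ip=198.51.100.3 user=jsmith",
    "ts=2017-01-05T02:11:05 event=4625 logon_type=10 src_ip=198.51.100.3 user=jsmith",
    "ts=2017-01-05T02:12:00 event=4625 logon_type=3 src_ip=203.0.113.9 user=svc_sql",
    "ts=2017-01-05T02:12:00 event=4625 logon_type=3 src_ip=203.0.113.9 user=svc_sql",
    'ts=2017-01-05T02:30:11 event=1 host=FS01 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    'ts=2017-01-05T02:31:40 event=1 host=FS01 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'ts=2017-01-05T02:31:41 event=1 host=FS01 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
]

FAILED_LOGON_EVENT = "4625"   # Windows Security: an account failed to log on
RDP_LOGON_TYPE = "10"         # RemoteInteractive (Terminal Services / RDP)
PROCESS_CREATE_EVENT = "1"    # process creation in this constructed format

# Command lines that remove volume shadow copies, the behaviour the
# Crysis/Dharma entry describes (victims lose their local restore points).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# key=value pairs; a value may be double-quoted so that it can contain spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict (quoted values keep their spaces)."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, raw, quoted = match.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields


def find_rdp_bruteforce(lines, threshold=5):
    """Return {src_ip: failures} for sources with at least `threshold` failed RDP logons."""
    counts = Counter()
    for fields in map(parse_line, lines):
        if fields.get("event") == FAILED_LOGON_EVENT and fields.get("logon_type") == RDP_LOGON_TYPE:
            counts[fields.get("src_ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_shadow_copy_deletion(lines):
    """Return (ts, host, cmdline) for process creations that delete shadow copies."""
    hits = []
    for fields in map(parse_line, lines):
        if fields.get("event") != PROCESS_CREATE_EVENT:
            continue
        cmdline = fields.get("cmdline", "")
        if any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS):
            hits.append((fields.get("ts"), fields.get("host"), cmdline))
    return hits


if __name__ == "__main__":
    for ip, n in find_rdp_bruteforce(SAMPLE_LOGS).items():
        print(f"possible RDP brute force from {ip}: {n} failed RDP logons")
    for ts, host, cmdline in find_shadow_copy_deletion(SAMPLE_LOGS):
        print(f"shadow copy deletion on {host} at {ts}: {cmdline}")
```

On the sample data only 203.0.113.7 crosses the default threshold; the two failures from 198.51.100.3 and the logon type 3 (network) failures are ignored. A production rule would count failures inside a sliding time window rather than over the whole input, and the shadow copy alert is worth treating as high severity on its own, since legitimate administrators rarely delete all shadow copies quietly on a file server.
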
Erebus Linux Ransomware

What it does: It targets 433 file types and appears expressly designed for encrypting web servers. Each file is scrambled by five layers of encryption algorithms. Erebus searches for directories and system tablespaces before encrypting the data stored in them.

Ransom: 550 bitcoins ($1.62 million)

Reemergence: June 2017

Possible attack vectors: Vulnerabilities or local Linux exploit

Impact: South Korea-based web hosting company NAYANA was hit by this version of Erebus ransomware. It affected 153 Linux servers, including the websites, databases, and multimedia files of around 3,400 businesses that use NAYANA’s services. The company negotiated with the bad guys and agreed to pay a record $1.01 million.
