2017 Ransomware Recap
This was the year ransomware diversified into one of the most hard-hitting threats to affect users and especially enterprises. Businesses felt the brunt as the likes of WannaCry and Petya reared their heads. Ransomware as a service continued to flourish in the underground. Ransomware further proliferated as publicly available source code was constantly rehashed. Attack vectors and distribution methods branched out past the Windows platform. While ransomware’s routines are familiar territory, 2017 brought with it scale and scope. And as ransomware continues to be a cybercriminal cash cow, it won’t be a surprise for them to expand their horizons. Here are this year’s notable ransomware and the lessons they taught:
What it does: WannaCry encrypts 176 file types, including database, multimedia, and archive files, as well as Microsoft Office documents. It was one of the first to use EternalBlue, an exploit that targets a vulnerability in Windows’ Server Message Block (SMB). It had a kill switch that prevented it from spreading further.
Ransom: $300 in bitcoins, increases incrementally after a time limit
In the wild: Since March – April 2017; outbreak in May 2017
Attack vectors: EternalBlue; has worm-like capability allowing it to spread within the network
Impact: It struck healthcare systems in the U.K.; countries in Europe were significantly affected, along with the U.S., Japan, as well as those in the Middle East and Asia Pacific; it reportedly infected 200,000 systems in a single day.
What it does: Petya ransomware encrypts the system’s files, overwrites its Master Boot Record, and locks users out with a blue screen of death. Petya abused system administration tools to execute itself: PsExec and Windows Management Instrumentation Command-line (WMIC).
Ransom: $300 in bitcoins
Outbreak: June 2017
Attack vectors: EternalBlue and EternalRomance exploits; can spread within the local network
Impact: Several countries were affected, especially in Europe; up to $300 million in losses for Maersk alone; it shut down systems of banks, power utilities, and airports, to name a few.
What it does: The most prevalent in 2017 despite its hiatuses, Locky ransomware encrypts over 130 file types, including those on removable drives and unmapped network shares.
Ransom: Varies; mostly 0.25–1 bitcoin
In the wild: Since February 2016
Attack vectors: Spam email with various file attachments
Impact: Hollywood Presbyterian Medical Center was coerced into paying $17,000; Methodist Hospital was extorted twice. Compromised systems became part of a botnet used to send more spam, and its multilingual ransom note gave it a global reach.
What it does: Notable for its voice feature, Cerber is sold as ransomware as a service (RaaS), which means cybercriminals can customize its encryption behavior and ransom demands; it has recently been spotted to be capable of stealing from Bitcoin wallets and evading machine learning.
Ransom: Depends on the affiliate (mainly 1–3 bitcoins)
In the wild: Since March 2016
Attack vectors: Spam email, exploit kit, RaaS
Impact: It pioneered the RaaS business model and earned its developers nearly $200,000 in commissions in one month alone; education, manufacturing, technology, healthcare, energy, and transportation industries and public sector in the U.S., Japan, Taiwan, Australia, and China were affected.
What it does: It’s an open-source ransomware that allowed cybercriminals to create their own versions of Hidden Tear, which were themselves reworked into more spinoffs. Dikkat, WinSec, and R4bb0l0ck showed Hidden Tear customized as a regional, language-specific ransomware, while InfiniteTear and 3301 demonstrated its adaptability, especially given how 3301 can encrypt up to 2,783 file types.
Ransom: Varies (typically $300+ in bitcoins; can go as high as 3 bitcoins)
Inception: Released in August 2015
Attack vectors: Varies
Impact: Hidden Tear was heavily commercialized this year, with a deluge of its iterations regularly cropping up. Hidden Tear-related activities, for instance, surged by 142% from January to March 2017.
What it does: It is executed manually via redirected drives, scans and encrypts over 185 file types on removable drives and network shares, and deletes shadow copies to prevent victims from restoring the scrambled files.
Ransom: Varies (initially ranging from €400–900 or $470–1,050)
Attack vectors: Brute-forcing remote desktops (RDP)
Attack vectors: Varies
Impact: It affected businesses in Australia and New Zealand in September 2016. Its activities doubled by early January 2017, affecting the government sector and healthcare, education, real estate, financial, and manufacturing industries.
Erebus Linux Ransomware
What it does: It targets 433 file types and appears expressly designed for encrypting web servers. Each file is scrambled by five layers of encryption algorithms. Erebus searches for directories and system tablespaces before data stored in them are encrypted.
Ransom: 550 bitcoins ($1.62 million)
Reemergence: June 2017
Possible attack vectors: Vulnerabilities or local Linux exploit
Impact: South Korea-based web hosting company NAYANA was hit by this version of Erebus ransomware. It affected 153 Linux servers, including the websites, databases, and multimedia files of around 3,400 businesses that use NAYANA’s services. The company negotiated with the bad guys and agreed to pay a record $1.01 million.