8 Intelligent Ransomware Examples CSOs Need to Be Prepared For
By: Kaylie Gyarmathy on September 26, 2019
The chief security officers (CSOs) of today’s companies face a tremendous array of challenges when it comes to protecting their organizations from cyberattacks and data breaches. One of the most dangerous forms of cybercrime to make headlines in recent years is enterprise ransomware. This insidious form of malware infiltrates a computer system and then encrypts files to prevent the victim from accessing them. To unlock the files, the victim must transmit a payment to the attackers. Of course, even if they do pay the ransom, the attackers seldom restore access, which is why cybersecurity experts advise ransomware victims not to give in to those demands.
8 Intelligent Ransomware Examples to Watch for in 2019
A particularly challenging new form of ransomware, Cerber works on a “ransomware-as-a-service” model that allows hackers to license the ransomware itself and then share a portion of the ransom with the original developer. These licensing transactions are usually made using cryptocurrency, making them extremely difficult to track. Cerber attacks typically target Microsoft Office 365 users with various phishing email schemes.
In many ways the forerunner of recent ransomware attacks, the original CryptoLocker hit the scene in 2013 and extorted nearly $3 million from victims over a period of several months. Although the botnet responsible for delivering the malware was shut down in 2014 and encryption keys were recovered to allow people to unlock their data, many new versions of CryptoLocker have emerged in subsequent years. As a Trojan horse, the malware tries to infect a computer by posing as a legitimate program and then searches the system for files to encrypt.
This particularly nasty form of ransomware doesn’t just encrypt files; it also deletes them. Once the malware is activated, it starts a countdown timer. During the first 24 hours, the malware deletes a small number of files every hour. The number of files deleted increases on subsequent days, until finally all files are deleted at the 72-hour mark. Any attempt to remove the ransomware causes even more files to be destroyed.
Recent ransomware attacks typically exploit a victim’s fear to convince them to pay the ransom (despite the fact that doing so rarely leads to files being unlocked). CryLocker gathers extensive personal information from the victim and poses as a government agency in an effort to shake them down. Some of this information could be used in conjunction with tools like Google Maps to reveal the victim’s location, which could provide the attackers with an additional intimidation tactic.
Most ransomware used today consists of Trojan horses: malware that poses as legitimate software and must be delivered to the victim in some way. What makes ZCrypt so worrisome is that it functions more like an old-fashioned, self-replicating virus. Once introduced into a computer system, ZCrypt replicates itself and spreads to infect anything connected to the same network, including storage disks, mail servers, and flash drives. The virus is even set to “AutoRun,” so that it automatically executes when it comes into contact with a new system. Although most Windows systems set AutoRun to “off” by default, ZCrypt could spread rapidly if a system administrator mistakenly left it on.
Perhaps the most noteworthy of recent ransomware attacks, WannaCry had all the ingredients of a cybercrime thriller novel. The malware exploited a vulnerability in the Windows Server Message Block (SMB) protocol, which controls how nodes on a network communicate. After discovering this vulnerability, the US National Security Agency began developing an exploit called EternalBlue to potentially take advantage of it. Unfortunately, this code was later stolen by hackers (who were connected to the government of North Korea) and used to develop the WannaCry ransomware, which affected a number of high-profile targets in 2017. Although Microsoft quickly patched the vulnerability, the incident highlighted the need for better communication and transparency with the government regarding cybersecurity matters.
A common form of ransomware that spread across Europe by way of spam emails, Spider malware exploits the macro functionality of Microsoft Word documents. The malware is buried in the macros of a Word file, which is usually made to resemble a debt collection notice or some other document requiring the victim’s urgent attention. Once the file is opened, the self-executing malicious macros download the malware onto the computer and begin encrypting data.
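The three spreading mechanisms just described (ZCrypt’s reliance on AutoRun, WannaCry’s use of the SMB vulnerability, and Spider’s use of Word macros) each correspond to a Windows or Office setting an administrator can audit. The script below is an added example written for this page, not code from the article or from vXchnge. It is read-only: it reports whether AutoRun is disabled for all drive types, whether the SMBv1 server protocol is off, and whether Word macros are blocked by policy. It assumes an elevated PowerShell session on Windows 10/11 or Server 2016+, and that Office stores its settings under the version key `16.0` (Office 2016/2019/Microsoft 365); the helper function names are ours.

```powershell
# Added example (not part of the original article): read-only audit of three
# Windows/Office settings tied to the ransomware spreading mechanisms above.
# Assumptions: elevated session, Windows 10/11 or Server 2016+, Office version
# key "16.0". Nothing is modified; each finding carries a remedy for reference.

function Get-RegistryValueOrNull {
    # Returns the named registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Show-Value {
    # Display helper: substitutes a fallback string for missing values.
    param($Value, [string]$Fallback)
    if ($null -eq $Value) { return $Fallback } else { return "$Value" }
}

$findings = @()

# 1. AutoRun (ZCrypt-style spread via removable media). NoDriveTypeAutoRun is a
#    bitmask of drive types with AutoRun disabled; 0xFF (255) disables it for all.
$autoRun = Get-RegistryValueOrNull `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name 'NoDriveTypeAutoRun'
$autoRunShown = if ($null -eq $autoRun) { '(not set)' } else { '0x{0:X2}' -f $autoRun }
$findings += [pscustomobject]@{
    Check  = 'AutoRun disabled for all drive types'
    Value  = $autoRunShown
    Pass   = ($autoRun -eq 255)
    Remedy = 'Group Policy "Turn off AutoPlay" for all drives (NoDriveTypeAutoRun = 0xFF)'
}

# 2. SMBv1 (the protocol version abused by EternalBlue/WannaCry).
$smb1 = $null
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
}
$findings += [pscustomobject]@{
    Check  = 'SMBv1 server protocol disabled'
    Value  = Show-Value $smb1 '(cmdlet unavailable)'
    Pass   = ($smb1 -eq $false)
    Remedy = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false; remove the SMB1Protocol feature'
}

# 3. Office macros (Spider-style delivery through Word macros). VBAWarnings:
#    1 = enable all, 2 = disable with notification (Office default),
#    3 = disable except digitally signed, 4 = disable all without notification.
#    BlockContentExecutionFromInternet = 1 blocks macros in files downloaded
#    from the Internet. Policy keys (...\Policies\...) take precedence over user keys.
$officeVersion = '16.0'   # assumption: Office 2016/2019/Microsoft 365
$policyPath = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security"
$userPath   = "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security"

$vbaWarnings = Get-RegistryValueOrNull -Path $policyPath -Name 'VBAWarnings'
if ($null -eq $vbaWarnings) {
    $vbaWarnings = Get-RegistryValueOrNull -Path $userPath -Name 'VBAWarnings'
}
$findings += [pscustomobject]@{
    Check  = 'Word macros disabled (or signed-only)'
    Value  = Show-Value $vbaWarnings '(not set; default 2 = prompt user)'
    Pass   = ($vbaWarnings -in @(3, 4))
    Remedy = 'Set VBAWarnings to 4 (or 3 if signed macros are needed) via Office Group Policy'
}

$blockInternet = Get-RegistryValueOrNull -Path $policyPath -Name 'BlockContentExecutionFromInternet'
$findings += [pscustomobject]@{
    Check  = 'Macros blocked in files from the Internet'
    Value  = Show-Value $blockInternet '(not set)'
    Pass   = ($blockInternet -eq 1)
    Remedy = 'Enable "Block macros from running in Office files from the Internet"'
}

$findings | Format-Table Check, Value, Pass, Remedy -AutoSize -Wrap

$failed = @($findings | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($findings.Count) checks need attention."
```

Run it as `.\Audit-RansomwareSettings.ps1` (any file name works) and review any row whose `Pass` column reads `False`. The script deliberately only reads the registry and SMB configuration so it can be run on production hosts; the `Remedy` column points at the corresponding Group Policy or cmdlet, which should be applied through normal change control rather than by hand on individual machines.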
Often characterized as the next generation of ransomware, Petya bypasses the usual route of encrypting individual files and instead locks victims out of their computer entirely. The malware accomplishes this by overwriting the system’s master boot record and encrypting the master file table, which allows the computer to locate files. Individual files remain unencrypted, but the computer has no ability to find where they are on the hard drive. As if Petya wasn’t bad enough, a new version of the malware emerged in 2017 that proved far more aggressive. Dubbed NotPetya by security experts, this updated version superficially resembled Petya, but actually functioned as a self-replicating virus that encrypted multiple additional files and even exploited Windows vulnerabilities to remotely access other computers. The aggressive and complex characteristics of the virus have led many experts to believe it was developed by a state actor (with Russia being the most likely candidate).
With ransomware attacks becoming more sophisticated each year, CSOs need to stay on top of the latest trends and tactics to ensure that their systems are protected. More importantly, they must also make sure that people within the organization are aware of the common tactics used by ransomware attackers. Phishing remains one of the most common methods for delivering cyberattacks, so CSOs need to implement strong programs that educate employees about the risks associated with malicious emails that bypass spam filtering. Implementing data backup solutions, whether through cloud services or through a colocation data center with disaster recovery capabilities, can also help to protect organizations from the harmful impact of ransomware.
About Kaylie Gyarmathy
As the Marketing Manager for vXchnge, Kaylie handles the coordination and logistics of tradeshows and events. She is responsible for social media marketing and brand promotion through various outlets. She enjoys developing new ways and events to capture the attention of the vXchnge audience.