Ransomware infections first became publicized in 2013. Since then, they have steadily increased in popularity. They are today one of the most prevalent online threats that affect Internet users and all organizations. According to the Verizon 2017 Data Breach Investigations Report (DBIR), ransomware was the top malware variety within Crimeware in 2016.
What is Ransomware? How does it work?
Ransomware infections most often result in the encryption of data on the computer system. Ransomware can also block access to data without encrypting it, or threaten to expose it online. The attackers then demand a ransom to restore everything to its original state and give victims their data back. Most payments are made in bitcoins, by wire transfer, or via premium-rate SMS messages, which keeps the attackers anonymous and makes the payment difficult to trace. Ransom amounts vary widely, from $150-$500 for individuals to thousands of dollars for organizations. The worst feature of ransomware is that paying the ransom does not guarantee that your data will be unlocked.
Security experts identify four types of ransomware:
- Encrypting ransomware
- Non-encrypting ransomware
- Leakware
- Mobile ransomware
Encrypting ransomware uses an encryption algorithm such as RSA to encrypt the victim’s data files or entire hard drive and then demands a ransom payment to unlock the encrypted files. Ransomware became much more prominent in 2013 with the appearance of Cryptolocker, the first strain to demand ransom in bitcoins in exchange for the decryption keys for the encrypted data.
Website ransomware is the latest variant of crypto-ransomware and is designed to infect websites. It can encrypt a website’s files but has no effect on databases. The files on the server become inaccessible and the home page is replaced with a warning about the hostage situation.
Check out our step-by-step guide to learn how to get rid of encrypting ransomware, based on a real example.
Non-encrypting ransomware does not encrypt any data files on the system. There are many variants, but these are the most common types of non-encrypting ransomware:
- A program that infects the user’s computer and displays pornographic images. It offers to remove them if the user sends an expensive (premium-rate) text message. Once the ransom is paid, the user receives a code that unlocks the machine and stops the images.
- A ransomware worm that abuses the Windows Product Activation notice to trick users. It warns that the system’s Windows installation must be reactivated, but the online activation link is always unavailable, so the user calls the phone number listed on the notice, which is claimed to be free. The call actually goes to an international number and is kept on hold for a long time, costing the victim a large amount of money.
Leakware is a recent form of ransomware that is the inverse of the classic kind. Leakware does not lock users out of their data; instead it threatens to publish stolen information online. The stolen files can contain information that damages the victim’s reputation, so leakware can cause serious harm to businesses, and victims usually pay the ransom to protect their sensitive data and reputation. Attackers are increasingly turning to leakware because traditional ransomware can be defeated by restoring from backups or simply reformatting the hard drive. Threatening to reveal confidential data to the public is a stronger motivation to pay than merely encrypting it. A typical leakware case is shown in one of the episodes of the TV series Black Mirror.
Mobile ransomware is malware that targets mobile devices. It locks the device screen and steals sensitive data, then demands a ransom to unlock the device or return the stolen data. Infection usually starts when the user downloads supposedly innocent content or apps posing as critical services. Once on the device, the malware displays a fake message accusing the victim of breaking the law (e.g. using copyrighted files), then encrypts the files and locks the phone. After payment, often in Bitcoin, the ransomware sends the code to unlock the phone and decrypt the data.
The Most Dangerous Ransomware Infections
Encouraged by the profitability of ransomware, criminals have taken this threat to the next level by offering ransomware-as-a-service, which enables anyone, regardless of skill or coding knowledge, to run an encrypting ransomware business. Criminals have experimented widely with delivery methods and ransom demands: time limits after which files are deleted (e.g. Jigsaw, Koolova), ransoms that increase over time (e.g. Cerber), and even free decryption for victims who become attackers and infect others (e.g. Popcorn Time).
These are the nine most serious and dangerous ransomware threats that made headlines in 2016/2017.
1 – Cerber
Cerber, a ransomware-type malware, was discovered in February 2016. It encrypts many file types, including .jpg and .doc, and appends a .cerber extension to each encrypted file. After a successful infiltration, Cerber demands $499 in bitcoins to unlock the files; otherwise, the ransom amount doubles.
Cerber, which generates an estimated $2.3 million per year, is currently the most dangerous crypto threat in the world, ranking alongside its direct competitor Locky. It is sold primarily on underground Russian forums and uses strong cryptography based on the Advanced Encryption Standard (AES). Within its first eight months of operation, Cerber went through four editions with various improvements. Cerber is also offered as ransomware-as-a-service, which lets “affiliates” distribute it in exchange for 40% of each ransom paid.
2 – Locky
Locky renames encrypted files to a unique 16-character combination with a .aesir, .thor, .locky, .zepto or .odin extension, which makes it almost impossible to identify the original files. The ransom demanded to decrypt the files is approximately $235-$470 in bitcoins.
3 – KillDisk
KillDisk is data-wiping malware that can cripple companies by deleting files at random. It can infect any local or network drive that the user has access to, so one infected user can affect many others. Unusually, KillDisk targets both Windows and Linux systems.
KillDisk is the most expensive ransomware ever seen: it demands $247,000 in bitcoins. It is important to remember that the Linux version of KillDisk does not store the encryption key anywhere, so the criminals cannot hand over a decryption key and restore your files even if you pay the very high ransom.
4 – Petya
Discovered in July 2016, Petya was one of the first ransomware families to achieve major success by spreading through a ransomware-as-a-service scheme. Petya primarily targets business users: an HR employee receives an email containing a Dropbox link that appears to lead to a candidate’s Curriculum Vitae but is actually a self-extracting .exe file that infects the system. Petya not only encrypts files but also replaces the system’s boot code with malicious code. Victims are then forced to pay a $400 ransom to regain access to their computers.
According to recent news, Petya is now also available in a modified version known as PetrWrap. The PetrWrap Trojan carries a Petya ransomware sample in its data section and uses it to infect the victim’s computer. PetrWrap implements its own cryptographic routines and modifies Petya’s code at runtime so that Petya’s original routines are not executed, which allows the criminals to conceal the fact that they are using Petya.
5 – Popcorn Time
Popcorn Time is a form of crypto-ransomware that combines a Ponzi scheme with social engineering and blackmail. MalwareHunterTeam discovered the Popcorn Time ransomware in late 2016. It gives victims a criminal way of obtaining the decryption key for their encrypted files and folders: Popcorn Time turns victims into attackers by offering them the choice of either paying the ransom or infecting two other people to obtain a free key.
Popcorn Time appends the .filock extension to encrypted files. It can encrypt more than 500 file types with AES-256 encryption. Popcorn Time demands a payment of one bitcoin, currently about $780.
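The file extensions named for Cerber, Locky and Popcorn Time above are a simple detection signal: one stray file is noise, but a single user creating many such files within a minute is the mass-renaming pattern of an active infection. The script below is an added example (not from the original article); the event-line format and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions appended to encrypted files by the families described above
# (Cerber, Locky and Popcorn Time).
RANSOMWARE_EXTENSIONS = {".cerber", ".aesir", ".thor", ".locky",
                         ".zepto", ".odin", ".filock"}

# Constructed sample of file-creation events, "<ISO timestamp> <user> <path>".
SAMPLE_EVENTS = """\
2017-03-01T09:00:00 carol C:\\Users\\carol\\Desktop\\notes.txt
2017-03-01T09:00:01 alice C:\\Users\\alice\\Documents\\report.docx
2017-03-01T09:00:02 alice C:\\Users\\alice\\Documents\\budget.xlsx.aesir
2017-03-01T09:00:03 alice C:\\Users\\alice\\Documents\\report.docx.aesir
2017-03-01T09:00:04 bob C:\\Users\\bob\\Downloads\\sample.cerber
2017-03-01T09:00:05 alice C:\\Users\\alice\\Pictures\\holiday.jpg.aesir
2017-03-01T09:00:06 alice C:\\Users\\alice\\Pictures\\family.jpg.aesir
2017-03-01T09:00:08 alice C:\\Users\\alice\\Documents\\thesis.pdf.aesir
2017-03-01T09:00:09 alice C:\\Users\\alice\\Documents\\cv.doc.aesir
"""

def parse_events(text):
    """Parse "<ISO timestamp> <user> <path>" lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) == 3:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events

def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert (user, extension, count) per user who created at least
    `threshold` files with a known ransomware extension inside `window`."""
    per_user = defaultdict(list)
    for ts, user, path in events:
        ext = PureWindowsPath(path).suffix.lower()
        if ext in RANSOMWARE_EXTENSIONS:
            per_user[user].append((ts, ext))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        start = 0                      # sliding window over this user's hits
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, hits[end][1], end - start + 1))
                break
    return alerts
```

Running `detect_bursts(parse_events(SAMPLE_EVENTS))` flags alice (six .aesir files in nine seconds) and ignores bob's single .cerber file.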
6 – Koolova
Koolova may be the most bizarre ransomware to appear. Like Popcorn Time, it claims it will restore your files for free, but you do not need to infect other people to receive the decryption key. Instead, the victim must read two articles on how to protect yourself against ransomware attacks: Google’s “Stay Safe While Browsing” and Bleeping Computer’s “Jigsaw Ransomware Decrypted: Will delete all your files until the Ransom is paid.”
After Koolova infects your computer, it encrypts all files and displays a warning screen telling you to read the two awareness posts, after which it provides the decryption code. It then shows a screen similar to the Jigsaw ransomware, warning that if you are too lazy to read the two articles before the countdown reaches zero, it will delete your files. This is not a joke: Koolova actually does delete the files.
7 – Spora
Spora is a ransomware family first discovered in January 2017. It has a strong encryption algorithm, offline functionality, and remarkably sophisticated payment sites. Spora is distributed via spam emails pretending to be invoices. The emails carry ZIP attachments containing HTA (HTML Application) files with double extensions such as .pdf.hta or .doc.hta. Windows shows only the first extension, so users are easily tricked into opening the malicious files.
Spora appears to have no weaknesses in its encryption process and has an unusual pricing structure. Full decryption, which includes file restoration, ransomware removal, and immunity against future ransomware versions, costs between $79 and $280 in bitcoins. Victims can also buy the options individually (restore files, remove the ransomware, or get immunity), and can decrypt up to two files for free. The ransom must be paid within a set time frame; otherwise, the decryption keys are permanently erased.
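The double-extension trick described above can be caught at the mail gateway by inspecting attachment names before the user ever sees them. The following is an added example, not code from the original article; the ZIP archive is constructed in memory with placeholder contents, and the list of executable extensions beyond the page's .hta is my own assumption.

```python
import io
import zipfile

# Final extensions Windows will execute directly; the page describes .hta,
# the others are added here as an assumption about common lures.
EXECUTABLE_EXTENSIONS = {".hta", ".exe", ".js", ".vbs", ".scr"}
# Extensions that make the name in front of the real extension look harmless.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def build_sample_zip():
    """Constructed sample attachment: one benign PDF, two Spora-style
    document-lookalike HTA names, one bare HTA and a text file.
    The bodies are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("invoice_4711.PDF.HTA", b"<html><!-- placeholder --></html>")
        zf.writestr("scan.doc.hta", b"<html><!-- placeholder --></html>")
        zf.writestr("report.hta", b"<html><!-- placeholder --></html>")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()

def split_extensions(name):
    """'a.PDF.HTA' -> ('a', ['.pdf', '.hta']); comparison is case-insensitive."""
    parts = name.lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]

def suspicious_attachments(zip_bytes):
    """Return (name, reason) for every archive member whose final extension is
    executable, distinguishing document-lookalike double extensions."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            _, exts = split_extensions(name.rsplit("/", 1)[-1])
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                    reason = "document-lookalike double extension"
                else:
                    reason = "executable attachment"
                flagged.append((name, reason))
    return flagged
```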
8 – WannaCry
The latest and probably one of the worst digital disasters in years, WannaCry (also known as WannaCrypt, WannaDecrypt, WCry, and WanaCryptOr 2.0) emerged on 12 May 2017 and has infected over 300,000 computers in 99 countries. The attack affected well-known organizations such as Renault, LATAM Airlines, Deutsche Bahn and FedEx, as well as government agencies and departments around the world (e.g. the Ministry of Internal Affairs of the Russian Federation and the Ministry of Foreign Affairs of Romania).
WannaCry uses the ETERNALBLUE exploit, part of the NSA cyber-arsenal published by the Shadow Brokers in April 2017, which targets a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) file-sharing protocol to remotely infect other computers on the same network. WannaCry encrypts the files and gives victims three days to pay $300 in bitcoins. If the ransom is not paid, the amount doubles, and after seven days all data is erased.