Ransomware is a type of malware attack in which the attacker encrypts and locks the victim's data, including essential files, and then demands payment in exchange for unlocking and decrypting it.
To infect the victim's device, which could be a computer, printer, smartphone, wearable, point-of-sale (POS) terminal, or other endpoint, this form of attack exploits weaknesses in the victim's system, network, and software.
Ransomware Attack Examples
There are thousands of ransomware strains in circulation. The following section lists some examples that had a global impact and caused extensive damage:
WannaCry infects computers by exploiting a weakness in the Windows SMB protocol, and it includes a self-propagation mechanism that lets it spread to other systems. It is distributed by droppers: self-contained programs that extract the encryption/decryption application, the files holding the encryption keys, and the Tor communication program from the WannaCry package. It is not disguised in any way and is relatively simple to identify and remove. In 2017, WannaCry spread quickly across 150 countries, affecting 230,000 computers and causing an estimated $4 billion in losses.
Cerber is ransomware-as-a-service: it is made available to cybercriminals, who use it to launch attacks and split the proceeds with the malware's creator. Cerber runs silently while encrypting files, and it may try to stop antivirus and Windows security functions from executing so that users cannot restore the system. Once it has encrypted the files on a computer, it displays a ransom note as the desktop wallpaper.
Locky can encrypt 160 different file types, most of them used by designers, engineers, and testers. It was first released in 2016. It is delivered mainly through exploit kits or phishing attacks, in which attackers send emails that entice the recipient to open a Microsoft Word or Excel document containing malicious macros, or a ZIP file that contains the malware and installs it when the archive is extracted.
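A mail-gateway style check for the two Locky delivery paths just described (a macro-bearing Office document and a ZIP archive carrying an executable), written here as an added illustration rather than code from the original article; the attachment samples are constructed in memory and are not real malware.

```python
import io
import zipfile

# Office documents (.docx/.docm/.xlsx/.xlsm) are ZIP containers; a VBA macro
# project, if present, is stored as one of these members.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Members of a ZIP attachment that would execute when the user opens them.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".js", ".jse", ".vbs",
                       ".wsf", ".hta", ".bat", ".cmd", ".ps1")


def triage_attachment(name: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not a ZIP container: neither an OOXML document nor an archive
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
    for part in MACRO_PARTS:
        if part in members:
            findings.append(f"{name}: Office document embeds a VBA project ({part})")
    for member in members:
        # endswith() on the full name also catches "invoice.pdf.exe"-style double extensions
        if member.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"{name}: archive contains executable member {member}")
    return findings


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: content}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples (not real malware): a plain .docx, a macro-enabled .docm,
# a ZIP hiding an executable behind a double extension, and a harmless ZIP.
BENIGN_DOCX = build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
MACRO_DOCM = build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                        "word/vbaProject.bin": b"\x00" * 64})
DROPPER_ZIP = build_zip({"invoice_2016.pdf.exe": b"MZ" + b"\x00" * 32})
PLAIN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    samples = [("quote.docx", BENIGN_DOCX), ("quote.docm", MACRO_DOCM),
               ("invoice.zip", DROPPER_ZIP), ("report.zip", PLAIN_ZIP)]
    for attachment_name, blob in samples:
        print(attachment_name, triage_attachment(attachment_name, blob) or ["clean"])
```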
Released in 2017, Cryptolocker infected more than 500,000 computers worldwide. Email, file-sharing websites, and unprotected downloads are the most common ways it reaches PCs. The program can encrypt not only the files on the local machine but also scan mapped network drives and encrypt anything on a network share it has write access to. Recent Cryptolocker variants are capable of evading legacy antivirus software and firewalls.
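As an added example (not from the original article), a detection sketch for the behaviour just described for Cryptolocker: one process writing many high-entropy files in a short burst, including to mapped network shares. The file-write trace, process names and thresholds are constructed assumptions.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float       # seconds since start of the trace
    process: str    # image name of the writing process
    path: str       # local path or UNC path (\\server\share\...) of a mapped network drive
    content: bytes  # the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0, documents far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def suspicious_processes(events, window=60.0, min_files=5, entropy_floor=7.5):
    """Processes that wrote at least min_files high-entropy files within any window of
    `window` seconds, together with the network shares they touched."""
    high = defaultdict(list)
    for e in events:
        if shannon_entropy(e.content) >= entropy_floor:
            high[e.process].append(e)
    flagged = {}
    for proc, evs in high.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1  # slide the window forward
            if end - start + 1 >= min_files:
                shares = sorted({e.path.split("\\")[2] for e in evs if e.path.startswith("\\\\")})
                flagged[proc] = {"files": len(evs), "network_shares": shares}
                break
    return flagged


# Constructed trace (not real telemetry): a word processor saving text, a backup tool
# writing a few compressed archives, and an encryptor sweeping local files and a share.
_rng = random.Random(1)
TEXT = b"Quarterly figures, see attached spreadsheet for details. " * 40
EVENTS = [WriteEvent(5.0, "winword.exe", r"C:\Users\ana\Documents\memo.docx", TEXT),
          WriteEvent(9.0, "winword.exe", r"C:\Users\ana\Documents\memo2.docx", TEXT)]
EVENTS += [WriteEvent(100.0 + i * 600, "backup.exe", rf"D:\backup\set{i}.7z", _rng.randbytes(4096)) for i in range(3)]
EVENTS += [WriteEvent(300.0 + i, "enc.exe", rf"C:\Users\ana\Documents\file{i}.docx.locked", _rng.randbytes(4096)) for i in range(4)]
EVENTS += [WriteEvent(305.0 + i, "enc.exe", rf"\\fileserver\finance\q{i}.xlsx.locked", _rng.randbytes(4096)) for i in range(2)]

if __name__ == "__main__":
    print(suspicious_processes(EVENTS))
```

The backup tool also writes high-entropy data, so the burst threshold, not entropy alone, is what separates it from the encryptor.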
Petya and NotPetya
Petya encrypts the whole hard drive of an infected machine by attacking the Master File Table (MFT). The files themselves are not encrypted, but the entire disk becomes unreadable. Petya was first discovered in 2016, and it spread primarily through a bogus job application message containing a link to an infected file hosted on Dropbox. It affected only PCs running Windows.
Petya requires the user to approve administrative-level changes to the system before it can run. Once the user agrees, the malware reboots the machine and displays a fake system crash screen while it encrypts the disk in the background. It then displays the ransom note.
The original Petya was not particularly effective, but a later variant developed by Kaspersky Labs and dubbed NotPetya proved far more dangerous. Thanks to its built-in propagation mechanism, NotPetya can spread without any human intervention.
NotPetya initially propagated through a backdoor in widely used accounting software. Later, the malware used the EternalBlue and EternalRomance exploits against vulnerabilities in the Windows SMB protocol to spread. It encrypts not only the MFT but also other files on the hard drive. In the process of encrypting the data, it damages it so badly that recovery is impossible: users who pay the ransom cannot retrieve their information.
Ryuk
Ryuk infects computers through phishing emails or malicious downloads. It uses a dropper that downloads and installs a trojan on the victim's computer and establishes a persistent network connection. Attackers can therefore use Ryuk as the starting point for an Advanced Persistent Threat (APT), installing additional tools such as keyloggers, escalating privileges, and moving laterally from one system to another. Whenever the attackers gain access to a new machine, Ryuk is installed on it as well.
Once the attackers have installed the trojan on as many computers as possible, they trigger the locker component and encrypt the files on the affected computers. In a Ryuk campaign, the ransomware is deployed only at the end, after the attackers have already caused significant damage and stolen the files they need to continue the campaign.
GandCrab
GandCrab first appeared in 2018. It encrypts files on a user's computer and demands a ransom. It has been used in ransomware-based extortion attacks in which attackers threatened to reveal victims' pornographic viewing habits if they did not pay. Numerous versions exist, all designed to run on Windows computers. Decryptors are now available for download for most GandCrab versions.