Ransomware was deemed one of the biggest malware threats of 2018, and it continues to disrupt the operations of businesses and the daily lives of individuals all over the world in 2019. The 2019 ransomware landscape is quite diverse – security researchers track over 1,100 different ransomware variants preying on innocent web users. As this number is constantly growing and ransomware is becoming more sophisticated, we decided to put together a list of some of the most popular ransomware attacks out there. You may have heard of some of these attacks before in the news, as they made waves in the cybersecurity industry over the last few years.
Below you will find descriptions of ten of the most infamous ransomware variants of recent years, each with a link to a free decryption tool where one is available.
1) Bad Rabbit
2) Cerber
Cerber is an example of how far ransomware has evolved. It is distributed as ransomware-as-a-service (RaaS), an “affiliate program” of sorts for cybercriminals: anyone can buy it and deploy it, handing 40 per cent of the profits to its developers.
Targeting cloud-based Office 365 users with an elaborate phishing campaign, Cerber has impacted millions of users worldwide, except in post-Soviet countries. Typically, the victim receives an email with an infected Microsoft Office document attached. Once the document is opened, the ransomware may run silently in the background during the encryption phase without giving the user any indication of infection. After encryption is complete, users find ransom notes in the encrypted folders and often as the desktop background. At its peak in early 2017, Cerber accounted for 26% of all ransomware infections. Cerber uses strong RSA encryption, and currently there are no free decryptors available.
Decryptor: Trend Micro Ransomware File Decryptor Tool https://www.trendmicro.com/en_us/forHome/products/free-tools.html
3) Dharma
Dharma is a cryptovirus that marks encrypted files with a contact email address and a random combination of letters. It first struck in 2016, and new versions are released regularly. Dharma uses the AES-256 algorithm to encrypt files while simultaneously deleting shadow copies. The latest 2019 variants use the file extensions .gif, .AUF, .USA, .xwx, .best, and .heets. The proliferation of new Dharma variants indicates broader distribution of the ransomware to new groups of hackers.
Decryptor: the Rakhni decryptor by Kaspersky Lab is able to decrypt files with the .dharma extension https://noransom.kaspersky.com/
4) GandCrab
Considered the most widespread multi-million-dollar ransomware of 2018, GandCrab is one of the few widely deployed ransomware campaigns. The GandCrab team relies heavily on Microsoft Office macros, VBScript, and PowerShell to avoid detection and uses a ransomware-as-a-service (RaaS) model to maximize delivery, focusing primarily on consumer phishing emails. Ransom demands can range from $500 to $600.
First reported at the end of January 2018, GandCrab infected over 48,000 nodes within a month. Since then, GandCrab has been constantly evolving. The team behind it has made dozens of adjustments and at least five new code releases. Europol, in cooperation with Romanian Police, the General Prosecutor’s Office and Bitdefender, hacked GandCrab servers for keys and produced a tool allowing victims to decrypt their files for free.
5) Jigsaw
The Jigsaw ransomware was named after a horror movie character, and it is a particularly sadistic form of ransomware. It not only encrypts users’ files but also progressively deletes them. That means victims need to react quickly: they have only 24 hours to pay the ransom of 150 USD. If they miss that deadline, the ransomware begins deleting files every hour and increases the number of files deleted each time. Any funny business, including shutting down the computer, causes Jigsaw to delete up to 1,000 of the victim’s files.
6) Katyusha
Katyusha is an encryption ransomware Trojan that was first observed in October 2018. It encrypts files, adding the extension “.katyusha”, and demands 0.5 BTC within three days. Katyusha threatens to release the data for public download if the ransom is not paid. The malware package contains the EternalBlue and DoublePulsar exploits, which are used to spread over the network. It also deletes shadow copies from the system. Katyusha ransomware is commonly delivered to victims via malicious email attachments. Currently, there are no tools capable of cracking Katyusha’s encryption and restoring data free of charge.
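Two behaviours the article attributes to both Dharma and Katyusha, deleting shadow copies before encryption and renaming files with a telltale extension, can be turned into simple detection checks. The Python below is an added example, not code from the original article; its key=value log format and sample events are constructed assumptions, while the vssadmin and wmic command lines are the standard built-in Windows tools for removing Volume Shadow Copies.

```python
import re
from pathlib import PureWindowsPath

# File extensions the article lists for Dharma (2019 variants) and Katyusha.
# ".gif" from the Dharma list is deliberately left out: it collides with ordinary
# image files and would drown the check in false positives.
RANSOM_EXTENSIONS = {".auf", ".usa", ".xwx", ".best", ".heets", ".dharma", ".katyusha"}

# Built-in Windows commands commonly used to wipe Volume Shadow Copies before
# encryption, the behaviour the article attributes to Dharma and Katyusha.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

# Constructed process-creation and file-rename events in a simple key=value
# format (an assumed layout, not any real product's log schema).
LOG_RE = re.compile(r'event=(?P<event>\w+).*?\b(?:cmdline|target)="(?P<value>[^"]*)"')
SAMPLE_LOG = [
    'event=process_create user=CORP\\alice cmdline="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"',
    'event=process_create user=CORP\\alice cmdline="wmic.exe shadowcopy delete"',
    'event=process_create user=CORP\\bob cmdline="vssadmin.exe list shadows"',
    'event=file_rename user=CORP\\alice target="C:\\Users\\alice\\report.docx.id-1A2B3C4D.[contact@example.com].best"',
    'event=file_rename user=CORP\\alice target="C:\\Users\\alice\\budget.xlsx.katyusha"',
    'event=file_rename user=CORP\\bob target="C:\\Users\\bob\\holiday.gif"',
]

def flags_shadow_deletion(cmdline: str) -> bool:
    """True if the command line deletes shadow copies; a benign 'list' does not match."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)

def has_ransom_extension(path: str) -> bool:
    """True if the final suffix is a listed extension. Dharma appends its marker after
    the original extension, so only the last suffix counts (parsed as a Windows path)."""
    return PureWindowsPath(path).suffix.lower() in RANSOM_EXTENSIONS

def triage(lines) -> dict:
    """Collect both indicators from log lines into a findings dict, one list per kind."""
    findings = {"shadow_deletion": [], "marked_files": []}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated or malformed event
        if m["event"] == "process_create" and flags_shadow_deletion(m["value"]):
            findings["shadow_deletion"].append(m["value"])
        elif m["event"] == "file_rename" and has_ransom_extension(m["value"]):
            findings["marked_files"].append(m["value"])
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two shadow-copy deletions and the two renamed files while ignoring the benign `vssadmin list` call and the ordinary .gif image.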
7) LockerGoga
Since the beginning of 2019, LockerGoga has hit several industrial and manufacturing firms, causing significant harm. After an initial infection at the French engineering consulting firm Altran, it disrupted Norsk Hydro and two major US-based chemical companies.
LockerGoga is a newer, targeted, and more destructive type of ransomware. Interestingly, it appears to have both ransomware and wiper capabilities. Later versions of LockerGoga forcibly log victims off the infected device, which often means victims cannot see the ransom message and the instructions on how to recover their files. That is a very different approach from typical ransomware, which merely encrypts files on a machine but otherwise leaves it running.
A sample of the ransomware shared to malware analysis site VirusTotal shows that only a handful of anti-malware products can detect and neutralize the LockerGoga malware.
8) PewCrypt
Not every ransomware is created for financial gain. Some ransomware authors have other goals in mind, like the author of PewCrypt. This ransomware made a lot of noise at the beginning of 2019, and it was created with one goal: the hacker only wants victims to subscribe to the popular YouTuber PewDiePie (the most-subscribed creator on the platform for over five years) and help him reach 100m subscribers before the Indian Bollywood channel T-Series. The competition between them has been a talking point on the internet for several months and, for some reason, PewDiePie fans seem to believe that making and releasing ransomware is a proper and acceptable way of supporting their idol. PewDiePie has made numerous videos publicly stating that he does not agree with using malicious tactics to keep him at the top.
PewCrypt is typically distributed by spam email campaigns and by websites that host malware or display malicious advertisements. It is written in the Java programming language and uses 256-bit AES encryption. After some time, however, the author released a decryption tool for everybody to use for free.
9) Ryuk
Ryuk is part of a fairly new ransomware family, which made its debut in August 2018 and has since produced $3.7 million in bitcoin, spread across 52 payments. Common ransomware is usually distributed via massive spam campaigns and exploit kits, but Ryuk is used specifically in targeted attacks. It mainly focuses on big targets like enterprises that can pay a lot of money to recover their files. Ryuk uses strong encryption algorithms such as RSA-4096 and AES-256 to encrypt files and demands ransoms ranging from 15 to 50 bitcoins.
When Ryuk ransomware first appeared in late 2018, many researchers assumed it was tied to North Korea as Ryuk shares much of its code base with Hermes ransomware. However, further research determined that the Ryuk authors are most likely located in Russia and they had built Ryuk ransomware using (most likely stolen) Hermes code.
10) SamSam
SamSam is a ransomware strain used most commonly in targeted attacks. SamSam has hit a wide range of industries in the US, mainly critical infrastructure such as hospitals, healthcare companies, and city municipalities. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms. Last year, the SamSam attack crippled the city of Atlanta for days and cost taxpayers close to $17 million.
Unlike most ransomware campaigns, which rely on phishing for delivery, SamSam uses Remote Desktop Protocol (RDP) to get into victims’ networks with minimal detection. The calling card of this ransomware is renaming all infected files to “I’m sorry.” The SamSam group made over $6 million in ransom payments, often demanding over $50,000 in bitcoin, and caused over $30 million in losses to victims.
Ransomware is preventable!
Even though encrypted files can sometimes be recovered with a decryptor, there is no silver bullet that can treat every existing variant of ransomware, and new variants are being created all the time. The best way to handle ransomware is prevention – follow healthy security practices, like making frequent offline backups and staying away from suspicious attachments, so that you do not get infected in the first place.