This is the definition of "ransomware" that Merriam-Webster has added to its dictionary:
Malware that requires the victim to pay a ransom to access encrypted files
So far, 2017 has been the worst year on record for ransomware attacks, so it's no wonder the word has made it into our common lexicon. As the definition describes, ransomware works by infecting a computer or network, encrypting files (and often any network shares it can reach), and demanding a payment in exchange for the key needed to decrypt the data. If payment is not received, you can expect never to see your data again.
Some security experts expect the problem will continue to get worse. SophosLabs recently released a report on malware in 2017 in which it projected that malware and ransomware attacks are likely to continue to be a blight in 2018, with four major trends contributing:
- Availability of ransomware-as-a-service (RaaS) on the dark web
- Increased Android malware on Google Play
- More focused efforts to compromise MacOS computers
- Exploitation of Microsoft Office vulnerabilities in Windows computers
Here is an overview of the worst ransomware attacks in 2017, and how these trends factored into it.
Cerber first appeared in early 2016 and spread as a Microsoft Office .docx attachment in emails. When the user opens the document, they see text instructing them to enable macros in order to view the content "properly". Enabling the macro runs the malicious code that downloads and launches Cerber. Note that no Office software vulnerability is exploited here: the attack relies entirely on the user granting the macro permission to run, which is why this delivery method survives patching. Cerber can then work offline, without contacting a command-and-control server, to encrypt files before a text-to-speech audio warning and a new desktop wallpaper inform the user that they have been infected.
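As an added example (not code from the original article or from any vendor it cites), here is a Python triage check of the kind a mail gateway or analyst would run on an attachment like the one described. A modern Office file is a ZIP package (OOXML); macros live in a `word/vbaProject.bin` part and are declared in `[Content_Types].xml`, and a macro-enabled document is supposed to use the `.docm` extension, so a VBA part inside a file named `.docx` is itself a strong lure indicator. The part names and content type used are the standard OOXML ones; the sample packages are constructed in memory for the demonstration and are not real Cerber documents.

```python
import io
import zipfile

# Standard OOXML part names and content type that indicate an embedded VBA project.
# A benign .docx should carry none of these.
MACRO_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
NON_MACRO_EXTENSIONS = ("docx", "xlsx", "pptx")


def analyze_office_package(data: bytes) -> dict:
    """Inspect raw file bytes as an OOXML package and report macro indicators."""
    findings = {
        "is_ooxml": False,
        "has_vba_part": False,
        "content_types_declare_vba": False,
        "parts": [],
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Every OOXML package carries this manifest; plain ZIPs do not.
            if "[Content_Types].xml" not in names:
                return findings
            findings["is_ooxml"] = True
            findings["parts"] = names
            findings["has_vba_part"] = any(n in MACRO_PARTS for n in names)
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["content_types_declare_vba"] = MACRO_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        # Not a ZIP at all: legacy binary .doc (OLE2) or something else entirely.
        pass
    return findings


def verdict(filename: str, data: bytes) -> str:
    """Classify an attachment: not-ooxml, clean, macro, or macro-mismatched-extension."""
    f = analyze_office_package(data)
    if not f["is_ooxml"]:
        return "not-ooxml"
    if f["has_vba_part"] or f["content_types_declare_vba"]:
        ext = filename.lower().rsplit(".", 1)[-1]
        # VBA inside a file wearing a non-macro extension is the phishing lure pattern.
        if ext in NON_MACRO_EXTENSIONS:
            return "macro-mismatched-extension"
        return "macro"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = (
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
        )
        if with_macro:
            manifest += '<Default Extension="bin" ContentType="%s"/>' % MACRO_CONTENT_TYPE
        manifest += "</Types>"
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Only the OLE2 magic bytes; a real vbaProject.bin is a full compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [
        ("invoice.docx", build_sample(with_macro=True)),
        ("invoice.docm", build_sample(with_macro=True)),
        ("report.docx", build_sample(with_macro=False)),
        ("notes.docx", b"not a zip archive"),
    ]:
        print(f"{name}: {verdict(name, blob)}")
```

Run it as-is and it classifies the four constructed samples; in a gateway you would feed it the attachment bytes and quarantine anything other than `clean`. The check is deliberately cheap and offline: it does not parse or emulate the VBA, only establishes that a macro is present where none should be.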
In order to decrypt files, the user would have to pay 1 or 2 bitcoins (at the time, equivalent to approximately $700 or $1400 USD) to a provided wallet address.
Cerber was also sold as a ransomware-as-a-service kit on the dark web: affiliates can customize the malware and keep the ransoms they collect, paying 40% to the operators. It was estimated that Cerber could generate up to $2.3 million per year, and SophosLabs reported that it accounted for 44% of the ransomware attacks it observed in 2017.
WannaCry has been the most high-profile ransomware attack this year, having infected parts of the UK's National Health Service (NHS) computer networks beginning on 12 May and spreading to more than 230,000 computers worldwide.
The ransomware spread using two leaked tools: EternalBlue, an exploit for a vulnerability in Windows' SMBv1 (Server Message Block version 1) implementation (CVE-2017-0144), and DoublePulsar, a kernel-mode backdoor that EternalBlue installs and through which WannaCry loaded its payload. These tools are believed to have been developed by the NSA; WannaCry itself was not. The SMBv1 bug causes the server to mishandle specially crafted packets, allowing remote code execution with no user interaction, which is what let WannaCry worm from machine to machine over TCP port 445, both within networks and across the internet. Rather than reporting the vulnerability to Microsoft so it could be patched, the NSA kept the exploit, which was later stolen and published by a group calling itself the Shadow Brokers in April 2017.
Microsoft had already patched the vulnerability in March 2017 (security bulletin MS17-010), only two months before WannaCry appeared, so every machine it infected was either unpatched or running a version of Windows that no longer received updates (Microsoft issued emergency patches for Windows XP and Server 2003 during the outbreak). One of the problems the attack highlighted is that many individuals, companies, and organizations fail to keep their software up to date, and that SMBv1, a protocol from the 1980s, is still enabled and exposed on far too many networks.
WannaCry's rapid spread was slowed by a kill switch that security researcher Marcus Hutchins of MalwareTech discovered by accident. Before doing anything else, the malware tried to connect to a specific, unregistered domain: if the connection failed, it went on to spread and encrypt; if the domain answered, it simply exited. This was presumably a sandbox-evasion check (analysis sandboxes often answer every DNS query) rather than an intentional off switch. By registering the domain, Hutchins caused every new infection that could reach it to shut itself down, and the spread slowed sharply. Variants of WannaCry with different or removed kill-switch domains continue to exist and spread, but at a much slower rate.
Ironically, Hutchins was arrested this past summer on charges of writing and distributing the Kronos banking malware. There is much speculation in the cybersecurity community that the accusation, or at least the ill intent it implies, is mistaken: Hutchins was known to turn down offers of payment for his work, and he donated the $10,000 reward he received for stopping WannaCry.
NotPetya is a different flavor of malware from the examples above. It displayed a ransom demand like ransomware, but there was no working way to pay and receive a key: the single email address for contacting the attackers was shut down by its provider within hours, and the "installation key" shown to victims was random data, so even the attackers could not have derived a decryption key from it. Nor did it merely encrypt files: it overwrote the master boot record and encrypted the disk's file table with no means of recovery, effectively a wiper dressed up as ransomware. This was an effort to cause as much damage and chaos as possible.
NotPetya spread with the same leaked NSA exploit, EternalBlue, that WannaCry used, plus a second leaked SMB exploit, EternalRomance. Where those failed against patched machines, it harvested credentials from memory and used legitimate Windows administration tools (PsExec and WMIC) to propagate, which is why fully patched machines on the same network were still hit. The initial infection vector was a poisoned update for M.E.Doc, a widely used Ukrainian accounting package, so the malware was most prolific in Ukraine and Russia and in multinationals with Ukrainian offices, but it did not have the same global reach as WannaCry.
LeakerLocker was an Android app in the Google Play Store that disguised itself as either Wallpaper Blue HD or Booster & Cleaner Pro. Once installed, the app requested permissions to access contacts, photos, text messages, and browsing history. It then informed the user that they must pay $50 via credit card or have that data sent to all of their contacts, claiming to hold a copy ready for distribution. Unlike the other examples here, it encrypted nothing: the extortion rested entirely on the threat to leak. The apps went unnoticed in the Play Store for some time before Google investigated and removed them.
And Still More
After NotPetya came Bad Rabbit in October, which spread through a fake Adobe Flash update served from compromised websites and moved laterally with the leaked EternalRomance exploit (not EternalBlue) and a hard-coded list of common credentials, primarily infecting computers in Russia and Ukraine. Another ransomware, GIBON, has just been reported; it is being spread by email and is still being analyzed. And in between those, several others.
With so many vulnerabilities and tools leaked, and with attack kits more widely available, mounting an attack requires less and less skill.
Cybersecurity experts advise users to keep their software up to date, use security software, and back up critical data, keeping at least one copy offline or otherwise out of reach of an infected machine, since ransomware encrypts any backup it can write to, and testing that the backups actually restore. And, contrary to what your instinct might be, it is also strongly advised not to pay the ransom: not only does this fund and encourage the activity, but there is no guarantee you will get your data back anyway.
Feature image courtesy of Group IB.