Ransomware is today one of the main cyber threats. The landscape is highly diversified, with over 1,000 variants targeting organizations, companies and private users. The number of victims is constantly increasing, and the technologies underlying ransomware are ever more sophisticated. In chronological order, we introduce here the 10 most dangerous ransomware families of recent years.
CryptoLocker came on the scene in 2013 and was probably the first to open the era of large-scale ransomware. According to Avast, at its peak between the end of 2013 and the beginning of 2014, CryptoLocker, together with its clones CryptoWall, Crypt0L0cker and TorrentLocker, had infected over 500,000 computers. The malicious software was rather “elementary” and was defeated thanks to “Operation Tovar”, a joint campaign between the FBI, Interpol, security companies and universities. CryptoLocker paved the way for many other varieties of ransomware that reused its code to create new threats.
Even though at the beginning it was presented as a variant of CryptoLocker, this ransomware gained an identity of its own thanks to its particular modus operandi. TeslaCrypt targeted in particular ancillary files associated with video games, such as saved games, maps, downloadable content and the like. In 2016, 48% of ransomware attacks worldwide were performed by TeslaCrypt. Victims were asked for a ransom of $500 in bitcoin. The surprise came in May 2016, when the hackers behind TeslaCrypt decided to put an end to their malicious activities and released the master decryption key to the world.
At the end of 2015 SimpleLocker, also known as Andr/Slocker-A, became the first worldwide ransomware threat on Android. SimpleLocker spread as a trojan downloader disguised as an app. Once installed, it scanned the device, encrypted files with AES and changed their extension to ENC. It also collected device information such as the IMEI number, the smartphone model and the manufacturer, and sent it to a C2 server. The latest versions were able to access the camera and displayed a photo of the victim, which was used to scare the person into paying the ransom.
Cerber is an example of advanced RSA encryption put to malicious use. It is distributed as ransomware-as-a-service (RaaS), a sort of “affiliate program” for cyber criminals: anyone can buy it and launch it on the web, keeping 40% of the profits. A real evil business.
This is how the attack works: generally, the victim receives an email with an infected Microsoft Office document. Once it is opened, the ransomware runs silently in the background, encrypting files without raising suspicion. Once this phase is complete, the user finds a ransom note in the infected folders and often as the desktop wallpaper as well. At its peak in early 2017, Cerber accounted for 26% of all ransomware attacks. Today, several decryptors are available that can help recover the files.
The ransomware known as SamSam appeared at the end of 2015 but only grew strong a few years later, bringing high-profile targets to their knees, particularly in the United States. It marked a new trend: the attacks are well-researched and targeted, and the ransom demand varies according to the sensitivity and volume of the victim’s data, as well as their willingness to pay.
Analysis of the SamSam group’s Bitcoin wallet revealed, for example, that the US hospital Hancock Health paid a ransom of 4 bitcoin, worth about €51,000, on January 13th, 2018 at 2:31 am. Within two hours the health facility’s systems were restored.
WannaCry is one of the most dangerous ransomware families, as well as one of the biggest cyberattacks ever, and it literally made thousands of people want to cry! For the first time, the term ransomware entered the public debate and the world press. In May 2017, 200,000 users, including large companies, organizations and public institutions, were infected in around 150 countries.
One of its most dangerous features is that no user action is needed to get infected: WannaCry installs itself on the computer and encrypts files, giving them the extension WCRY. The ransom is $300 in bitcoin, to be paid within three days; after that deadline it doubles to $600, and if payment does not take place within one week all the files are lost. Three years after WannaCry’s worldwide release, an estimated two million computers are still exposed to the attack.
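Both SimpleLocker and WannaCry leave a visible trace on disk: files rewritten with a tell-tale extension (ENC, WCRY) whose contents are now ciphertext, and whole folders hit at once. The following added example (not code from the original article) is a defender-side indicator scan that a security team could run over a file share after a suspected incident. It flags files by the extensions mentioned in this article and by Shannon entropy, and it skips formats that are compressed by nature (images, archives) so that they do not produce false positives. The sample directory tree, the file names and the pseudo-random bytes standing in for ciphertext are all constructed here so the script runs offline; the extension and threshold values are assumptions to be tuned from your own threat intelligence.

```python
"""Indicator scan for ransomware aftermath (added example, not from the article)."""
import math
import posixpath
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions named in the article (SimpleLocker -> ENC, WannaCry -> WCRY); assumed list.
SUSPECT_EXTENSIONS = {".enc", ".wcry"}
# Formats that are legitimately high-entropy; entropy alone must not flag them.
NATURALLY_COMPRESSED = {".jpg", ".jpeg", ".png", ".gif", ".zip", ".gz", ".7z", ".mp4"}
# Uniform random bytes score 8.0; English text scores around 4.0-5.0 (assumed cut-off).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, sample_size=4096):
    """Return [(relative_posix_path, [reasons])] for every suspicious file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        with path.open("rb") as fh:
            head = fh.read(sample_size)  # the first block is enough for an entropy estimate
        reasons = []
        if ext in SUSPECT_EXTENSIONS:
            reasons.append(f"extension {ext}")
        entropy = shannon_entropy(head)
        if len(head) >= 256 and entropy >= ENTROPY_THRESHOLD and ext not in NATURALLY_COMPRESSED:
            reasons.append(f"high entropy {entropy:.2f}")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def summarize(findings):
    """Count hits per directory: ransomware encrypts folders wholesale, so clusters matter."""
    return dict(Counter(posixpath.dirname(p) for p, _ in findings))


def build_sample_tree():
    """Constructed sample data: benign documents plus simulated encrypted output."""
    root = Path(tempfile.mkdtemp(prefix="rw_scan_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "notes.txt").write_bytes(b"quarterly figures and plain text " * 60)
    (docs / "readme.md").write_bytes(b"# Project\nordinary ascii content\n" * 40)
    rng = random.Random(1)  # deterministic pseudo-random bytes stand in for ciphertext
    # A legitimate photo is also high-entropy; the compressed-format rule keeps it quiet.
    (docs / "photo.jpg").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    shared = root / "shared"
    shared.mkdir()
    for name in ("budget.xlsx.wcry", "photo.jpg.enc", "plan.docx.enc"):
        (shared / name).write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, why in scan_tree(sample_root):
        print(f"{rel_path}: {', '.join(why)}")
    print("hits per directory:", summarize(sample_root and scan_tree(sample_root)))
```

On the constructed tree the three files under `shared/` are reported (each for its extension, and for entropy as well), while `docs/photo.jpg` stays quiet despite its random content. In a real deployment the per-directory summary is the useful signal: a single high-entropy file is normal, a folder where every document scores above the threshold is not.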
7. Petya and NotPetya
After WannaCry, the era of ransomware was confirmed by NotPetya. Only a few weeks after the WannaCry epidemic in spring 2017, Petya began to spread in an updated version; because of this evolution over time, the latest and most dangerous versions were named NotPetya. NotPetya spread mainly via email with an attached file using the extensions .doc, .xls, .ppt or .pdf. The file opens normally, but without the user’s knowledge a dropper is launched that downloads and installs the actual malware from the Internet. Once the files are encrypted, the PC is rendered unusable and a ransom of $300 in bitcoin is requested. Unlike other types of ransomware such as WannaCry, which encrypt each file, this ransomware targets the PC’s boot loader directly.
Ryuk is a ransomware that caused a great deal of damage between 2018 and 2019, specifically targeting organizations that can afford to pay and that cannot tolerate downtime. The ransomware uses robust, so-called military-grade algorithms such as RSA-4096 and AES-256. A particularly subtle feature of Ryuk is that it can disable the Windows “System Restore” option on infected computers, which makes it much more difficult to recover encrypted data without paying the criminals.
GandCrab uses a ransomware-as-a-service (RaaS) model to maximize distribution, focusing mainly on phishing techniques via email. Ransom demands range from $500 to $600. According to various sources on the Internet, in January 2018 GandCrab infected over 48,000 nodes in a single month. Despite all the efforts and successes in data recovery, the threat has not yet been overcome, since the criminal team keeps making changes. In March 2019, distinct variants of the ransomware were in circulation.