The first known ransomware, the AIDS Trojan (also called PC Cyborg), was discovered in 1989.
Written by Harvard-trained evolutionary biologist Joseph Popp, this first generation of ransomware had to be introduced to systems via floppy disk. The AIDS Trojan used symmetric cryptography and, soon after, a remedy was available to decrypt the files. However, it had established a new type of attack that other cyber criminals were quick to take up. More recent iterations of extortion-based ransomware are much more sophisticated, targeted and harder to unlock.
At the same time, hackers have also started to take a more methodical and structured approach to ransomware attacks, with some being backed by “hacking factories” in countries such as Russia, North Korea and China.
With the advent of cryptocurrency, ransomware came to the forefront of the cybercriminals’ arsenal, with attackers demanding that victims fork over Bitcoin, the most common cryptocurrency, to regain control of their data. Government bodies, major corporate institutes, hospitals and networks have been taken offline by modern ransomware with devastating consequences.
Increasingly, organisations have become the prime target for ransomware attacks. Cyber criminals perceive them as more likely to pay, because the data they typically hold is both sensitive and key to business continuity.
In the face of possible public embarrassment, hefty GDPR fines and the need to get back to “business as normal” quickly, more companies are opting to pay out. As a result, the number of disruptionware attacks has increased simply because the tactic is so successful.
DIGIT has compiled a list of some of the worst ransomware attacks of the past five years.
Locky worked by scrambling the target’s files and then renaming them all so that they carried the extension .locky. Once deployed, a pop-up would appear demanding a payment in Bitcoin. Like many other viruses, this one came in an email with an attached document pretending to be an invoice requiring payment.
Upon opening the document, a message would appear containing nonsense text with phrases such as “enable macro if data encoding is incorrect” – a form of social engineering designed to trick the user into enabling macros. Once enabled, the macro would save and run a binary file that downloaded the actual encryption payload.
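The infection chain above only works if a macro-bearing document reaches a user who can be talked into enabling it. An added defender-side check (example code written for this article, not DIGIT’s code or anything from the Locky analyses it cites) is to inspect Office attachments at the mail gateway: an OOXML file is a zip container, and VBA macros live in a `vbaProject.bin` part inside it, so the attachment can be quarantined before anyone sees the “enable macro” lure. The file names, content-type strings in the samples and `classify_attachment` helper are constructed for the demo; the OLE2 magic bytes and the macro-enabled content type are real values.

```python
"""Flag Office attachments that carry VBA macros before delivery.

Added example for this article (not DIGIT's code, not from any vendor).
OOXML documents (.docx/.docm/.xlsx/...) are zip files; a VBA project is
stored as a vbaProject.bin part, and macro-enabled documents also declare
a "macroEnabled" content type. Legacy OLE2 files (.doc/.xls) need a
separate parser, so they are only flagged for review here.
"""
import io
import re
import zipfile

# Real magic bytes of the legacy OLE2 compound-file container (.doc/.xls).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Appears in [Content_Types].xml of macro-enabled OOXML documents.
MACRO_CONTENT_TYPE = re.compile(rb"macroEnabled", re.IGNORECASE)


def classify_attachment(name: str, data: bytes) -> str:
    """Return one of 'macro', 'clean', 'legacy-binary' or 'not-office'.

    The file name is deliberately ignored for the decision: a .docx that
    secretly contains vbaProject.bin is still reported as 'macro'.
    """
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls can hold macros too; an OLE parser (e.g. oletools)
        # is needed to be sure, so hand these to manual or secondary review.
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA project part is the definitive sign of macros.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Belt and braces: the declared content type also reveals it.
            if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE.search(
                zf.read("[Content_Types].xml")
            ):
                return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def build_sample(with_macro: bool, macro_enabled_ct: bool = True) -> bytes:
    """Construct a minimal OOXML document in memory for testing (not a real file)."""
    ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    if with_macro and macro_enabled_ct:
        ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: an "invoice" with macros, a renamed copy, a clean report.
    for fname, blob in [
        ("invoice.docm", build_sample(True)),
        ("invoice.docx", build_sample(True, macro_enabled_ct=False)),
        ("report.docx", build_sample(False)),
        ("old.doc", OLE2_MAGIC + b"\x00" * 16),
    ]:
        print(f"{fname:14s} -> {classify_attachment(fname, blob)}")
```

A gateway would quarantine anything classified `macro` (or strip the VBA part and deliver a sanitised copy), route `legacy-binary` files to a fuller parser, and let `clean` documents through; the point is that the decision is taken before the user is shown the lure text.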
On its first day out in the world, Locky was reportedly sent to half a million users, and this figure continued to rise until the virus began to drop off in June 2016. Its victims included Hollywood Presbyterian Medical Center, which in February 2016 paid the ransom to decrypt key patient data.
At the time, Allen Stefanek, president of the Hollywood Presbyterian Medical Center, said “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Possibly one of the most notorious ransomware attacks to hit the UK, WannaCry started infecting computers across the globe in 2017. Propagated by EternalBlue, this ransomware cryptoworm targeted computers running Microsoft Windows operating systems, encrypting data and demanding a Bitcoin payment.
The virus was delivered via phishing emails, which tricked the recipients into opening attachments and releasing malware onto their systems. Europol estimates around 200,000 computers were infected across 150 countries.
The largest agency hit by WannaCry was the NHS, and the attack is thought to have cost the healthcare institution £92 million in reparation work. At the time, 19,000 appointments were cancelled as a result of the attack, which disrupted the NHS over the course of a week. Elite North Korean hackers were blamed for the attack following a year-long investigation.
NotPetya followed swiftly after WannaCry and bore striking similarities to its predecessor. NotPetya specifically targeted Ukraine through a hacked version of a major accounting program, widely used in the country.
This attack was notable for its rapid spread and widespread impact, and for the intention behind its release. NotPetya was a “wiper” virus, which meant it would never release the victim’s data even if the ransom was paid. Another element of NotPetya was that it was the first major ransomware to encrypt the victim’s master file table rather than simply the files on the drive.
NotPetya’s origins have also been a source of interest in this attack. Officially it remains a mystery as to who released the ransomware and why, but a number of experts have pointed to Russia as the perpetrator. It is believed that NotPetya was a politically motivated cyber weapon deployed by Russia against Ukraine.
At the time of the attack, Russia and Ukraine were in the midst of political strife over the annexation of the Crimean peninsula less than two years prior. Its release coincided with Constitution Day, a Ukrainian public holiday commemorating the signing of the post-Soviet Ukrainian constitution. Aside from the political significance of the release, the timing ensured that businesses and authorities would be caught off guard and unable to respond.
SamSam is a custom, highly targeted type of infection that is typically deployed using a wide range of exploits or brute-force tactics and stolen credentials. According to cyber security firm Malwarebytes, attacks were made on targets via vulnerable JBoss host servers during SamSam attacks in 2016 and 2017.
In 2018 it began exploiting vulnerabilities in remote desktop protocols, Java-based web servers, or file transfer protocol servers. Weak passwords were another easy access point for the virus to enter a system.
According to the US Department of Homeland Security, after gaining access to a particular network “the SamSam actors escalate privileges for administrator rights, drop malware onto the server and run an executable file, all without victims’ action or authorisation.
“While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.”
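The entry point the DHS describes, a brute-forced or weak RDP password followed by hands-on-keyboard activity, leaves a distinctive trace in the Windows Security log: a run of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, then a successful logon (event 4624) from the same address. The following detector is an added example written for this article, not DIGIT’s code or anything from the DHS or Malwarebytes reports; the event IDs and logon type are real Windows values, while the log lines, their simplified `key=value` layout, the addresses and the `detect_rdp_bruteforce` helper are constructed for the demo.

```python
"""Spot RDP password-guessing followed by a successful logon.

Added example for this article (not DIGIT's code, not from DHS or any
vendor). Windows Security events 4625 (failed logon) and 4624 (successful
logon) with LogonType 10 (RemoteInteractive, i.e. RDP) are real values;
the sample log below is constructed in a simplified key=value form. A
real deployment would read the XML/JSON event fields from the log source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"

# Constructed sample: one source guessing five accounts in half a minute
# and then getting in as "backup"; one user mistyping once; one local logon.
SAMPLE_EVENTS = """\
2018-03-22T02:14:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2018-03-22T02:14:09 EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2018-03-22T02:14:15 EventID=4625 LogonType=10 User=backup Src=203.0.113.45
2018-03-22T02:14:21 EventID=4625 LogonType=10 User=sqlsvc Src=203.0.113.45
2018-03-22T02:14:27 EventID=4625 LogonType=10 User=helpdesk Src=203.0.113.45
2018-03-22T02:15:40 EventID=4625 LogonType=2 User=jsmith Src=10.0.0.5
2018-03-22T02:16:02 EventID=4625 LogonType=10 User=jdoe Src=198.51.100.7
2018-03-22T02:16:30 EventID=4624 LogonType=10 User=jdoe Src=198.51.100.7
2018-03-22T02:17:11 EventID=4624 LogonType=10 User=backup Src=203.0.113.45
"""


def parse_event(line: str) -> dict:
    """Turn one constructed 'timestamp key=value ...' line into a dict."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def detect_rdp_bruteforce(text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts for sources with >= threshold RDP failures inside the
    window, and a second alert if such a source then logs on successfully."""
    failures = defaultdict(deque)  # src -> timestamps of recent RDP failures
    alerted = set()                # sources already reported as guessing
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue               # console/network logons are out of scope here
        src, ts = ev["Src"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()       # slide the window forward
        if ev["EventID"] == "4625":
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"kind": "rdp-bruteforce", "src": src,
                               "failures": len(recent), "at": ts})
        elif ev["EventID"] == "4624" and len(recent) >= threshold:
            # Success right after a burst of failures: the guess landed.
            alerts.append({"kind": "rdp-bruteforce-success", "src": src,
                           "user": ev["User"], "at": ts})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert is the one worth paging on: a guessing source that then authenticates is exactly the moment before the privilege escalation and malware drop the DHS describes, and the account it landed on (`backup` in the sample) is the one to disable first. The same logic lowers to a SIEM correlation rule; the usual mitigations alongside it are keeping RDP off the internet, account lockout and MFA on remote access.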
SamSam made a considerable amount of cash for its creators and wreaked havoc on a number of US hospitals, many of which paid the ransom. By targeting hospitals that deal with life-saving treatments, hackers knew that these organisations were more likely to hand over the fee to get their systems back. However, by doing this they are encouraging attackers to do it again.
The infection’s most notable attack was on the city of Atlanta, which experienced outages on various customer-facing applications that meant people were unable to pay bills or access court-related information. As a result, the Department of Atlanta Information Management was forced to shut down many of its digital services, including its court system database and the Wi-Fi at Hartsfield-Jackson Atlanta International Airport.
Similar to SamSam, Ryuk specifically targeted organisations that could afford little downtime, such as daily newspapers and utilities. Its victims included all of Tribune Publishing’s newspapers; affected newspapers included the Los Angeles Times, Chicago Tribune, Wall Street Journal and the New York Times.
It also attacked the North Carolina water system, which was at the time coping with the aftermath of Hurricane Florence. It targeted high-value victims and was deployed seasonally to have the most impact – for example, at Christmas. To date, it has collected millions in ransom payments.
According to research carried out by Check Point Research, due to the nature of Ryuk’s campaign, this ransomware could be connected to HERMES – a malware normally attributed to the North Korean APT Lazarus Group, which was also used in massive targeted attacks.
Unlike other ransomware attacks, Check Point’s analysis revealed that this virus was not mass distributed via spam email campaigns. Instead, its encryption scheme was tailored purposefully for small-scale operations. Only crucial assets and resources were infected in each targeted network, with its infection and distribution carried out manually by the attackers.
This method requires extensive network mapping, hacking and credential collection prior to each operation and bears similarities to the Sony Pictures breach in 2014.
- To learn more about ransomware and cybersecurity, make sure to attend DIGIT Expo 2019, where Timothy Jeffcoat, senior manager – engineering, Datto, and Gordon Coulter, CEO, Exmos, will be giving a talk: Ransomware Live – Recovering Your Data in a Jiffy.