One of the earlier cases of ransomware infection was first reported in Russia between 2005 and 2006. Since then, ransomware has rapidly become one of the biggest threats on the internet, with new variations being deployed periodically with the primary objective of making monetary gains through illegal means.
Ransomware is a form of malicious software (malware) that typically encrypts or deletes data, making it unavailable, unusable, or impossible to decrypt; it is responsible for hundreds of millions of dollars of losses annually.
Ransomware encrypts targets’ files and displays notifications requesting payment before the data can be unlocked. The ransom demand is usually in a virtual currency such as bitcoin, because it is hard to track. Payment does not guarantee that encrypted files will be released, and, similarly, decrypting the files does not mean that the malware has been removed from the system.
Ransomware is a growing threat to businesses since it can result in loss of sensitive information, disruption of regular operations, and harm to an organization’s reputation. Attackers commonly encrypt an organization’s critical business data after infiltrating its systems, subsequently demanding a monetary payment.
This post lists some of the most widespread ransomware families, which combine innovative encryption algorithms to block access to files and demand a ransom payment for decryption.
WannaCry is a cryptoworm, a network worm that targets vulnerable Windows 7 computers by encrypting documents to demand ransom payments in the bitcoin cryptocurrency. Its transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access and the DoublePulsar code injection method to install and execute a copy of itself. A significant outbreak of this crypto-ransomware occurred in 2017, infecting more than 230,000 computers in 150 countries.
This ransomware’s main characteristics are that it encrypts one document at a time and configures the Discretionary Access Control List (DACL) on each document to give everyone full access permissions. It first creates encrypted copies of all documents, thus doubling disk usage. It then encrypts the original document and moves it to the %temp% folder with a new file name and file extension. A separate application, TASKDL.EXE, deletes the scrambled originals in the %temp% folder after all documents are encrypted. It deletes volume shadow copies via VSSADMIN.EXE after the documents are encrypted. It also deletes the backup catalog on the local computer via WBADMIN.EXE after the documents are encrypted. Notably, this cryptoworm changes the desktop wallpaper too.
In most cases, the attackers deliver the Matrix ransomware by performing an active brute-force attack against the passwords of Windows machines that are reachable through the firewall with RDP (Remote Desktop Protocol) enabled. The malware executable bundles within itself the several payload executables it needs to accomplish its tasks.
Once it gains a foothold, Matrix uses RDP to move within the networks it has infected. This malware also encrypts one document at a time. It renames each document by adding an identifier to the file type extension, and it deletes volume shadow copies via WMIC.EXE and VSSADMIN.EXE before the documents are encrypted. Notably, it too changes the desktop wallpaper.
GandCrab was the most popular ransomware in the first half of 2019 for large-scale, untargeted attacks through malicious websites and email attachments. Using the Ransomware-as-a-Service (RaaS) model, its creators peddled it to anyone who wanted to use it, which netted them a percentage of each ransom it extorted.
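WannaCry and Matrix above both destroy volume shadow copies (via VSSADMIN.EXE and WMIC.EXE), and WannaCry also removes the backup catalog (via WBADMIN.EXE); the families described further down reuse the same commands, so a process-creation rule for them is one of the cheapest and highest-value detections a defender can deploy. The following is an added example, not code from the original post or from any of the ransomware families it describes: it runs three rules over constructed Sysmon-style "Image|CommandLine" lines. The sample events, the rule names and the event layout are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed process-creation events in an "Image|CommandLine" shape
# (modelled loosely on Sysmon Event ID 1). Sample lines, not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet",
    r"C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]

# Each rule: the binary name (without .exe) and the tokens that must all appear
# in the command line. The three commands are the ones named in the post.
RULES = {
    "vssadmin_delete_shadows": ("vssadmin", {"delete", "shadows"}),
    "wmic_shadowcopy_delete": ("wmic", {"shadowcopy", "delete"}),
    "wbadmin_delete_catalog": ("wbadmin", {"delete", "catalog"}),
}


@dataclass
class Finding:
    image: str
    command_line: str
    rule: str


def binary_name(image: str) -> str:
    """Normalise an image path to its lower-case base name without '.exe'."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(image: str, command_line: str):
    """Return the matching rule name, or None if the command is not a hit."""
    exe = binary_name(image)
    tokens = set(command_line.lower().split())
    for rule, (binary, required) in RULES.items():
        if exe == binary and required <= tokens:
            return rule
    return None


def scan(events):
    """Run every event through the rules and collect the hits in input order."""
    findings = []
    for line in events:
        image, _, command_line = line.partition("|")
        rule = classify(image, command_line)
        if rule is not None:
            findings.append(Finding(image, command_line, rule))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:<26} {hit.command_line}")
```

In production the matching is done on the token set rather than a substring so that `vssadmin list shadows` (a harmless query) does not fire; legitimate backup agents do occasionally run the delete forms, so tune by parent process and user before alerting at high severity.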
This ransomware encrypts one document at a time and opens documents for read/write for in-place encryption. It uses Write Through to ensure the write is persisted to disk without potential caching delays and deletes volume shadow copies via VSSADMIN.EXE after documents are encrypted. Finally, it also changes the desktop wallpaper.
First seen in 2015, SamSam ransomware (Ransom.SamSam) specializes in targeted ransomware attacks, breaking into networks and encrypting multiple computers across an organization before issuing a high-value ransom demand.
After breaking in via the Remote Desktop Protocol (RDP), the attacker attempts to escalate their privileges to the level of Domain Admin so that they can deploy SamSam malware across an entire network, just like a sysadmin deploying regular software. The attacker seems to wait until victims are likely to be asleep before unleashing the malware on every infected machine simultaneously, giving the victim little time to react.
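Matrix (above) is delivered by brute-forcing passwords on RDP-exposed Windows hosts, and SamSam likewise breaks in via RDP before escalating to Domain Admin. A sliding-window count of failed remote-interactive logons per source address is the standard way to see that activity before it succeeds. The following is an added example, not code from the original post: it processes constructed records modelled on Windows Security event 4625 ("An account failed to log on") with logon type 10 (RemoteInteractive, i.e. RDP). The event ID and logon type are real Windows values; the comma-separated field layout, the addresses and the account names are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed logon records, "timestamp,event_id,logon_type,source_ip,account".
# Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 =
# RemoteInteractive (RDP). The addresses and names are sample data, not real logs.
SAMPLE_LOGONS = [
    "2024-05-01T02:00:01Z,4625,10,203.0.113.7,administrator",
    "2024-05-01T02:00:09Z,4625,10,203.0.113.7,admin",
    "2024-05-01T02:00:17Z,4625,10,203.0.113.7,backup",
    "2024-05-01T02:00:25Z,4625,10,203.0.113.7,administrator",
    "2024-05-01T02:00:33Z,4625,10,203.0.113.7,helpdesk",
    "2024-05-01T02:00:41Z,4625,10,203.0.113.7,admin",
    "2024-05-01T02:01:00Z,4624,10,203.0.113.7,backup",     # success right after the burst
    "2024-05-01T02:03:00Z,4625,10,198.51.100.4,jsmith",    # a user mistyping twice
    "2024-05-01T02:04:00Z,4625,10,198.51.100.4,jsmith",
    "2024-05-01T02:05:00Z,4625,3,192.0.2.9,svc_scan",      # network logon, not RDP
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Split one constructed record into typed fields."""
    ts, event_id, logon_type, src, account = line.split(",")
    return datetime.strptime(ts, TIME_FMT), event_id, logon_type, src, account


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Flag source addresses with >= `threshold` failed RDP logons inside any
    sliding `window`, and note whether a successful RDP logon followed.
    Returns {source_ip: {"first_alert": ..., "followed_by_success": ..., "accounts": [...]}}."""
    parsed = sorted((parse(r) for r in records), key=lambda p: p[0])
    recent = defaultdict(deque)   # source_ip -> failure timestamps inside the window
    accounts = defaultdict(set)   # source_ip -> accounts it tried
    alerts = {}
    for ts, event_id, logon_type, src, account in parsed:
        # A success from an address already flagged is the worst case: likely compromise.
        if event_id == "4624" and logon_type == "10" and src in alerts:
            alerts[src]["followed_by_success"] = True
            continue
        if event_id != "4625" or logon_type != "10":
            continue
        accounts[src].add(account)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:        # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": ts.strftime(TIME_FMT),
                           "followed_by_success": False}
    for src in alerts:
        alerts[src]["accounts"] = sorted(accounts[src])
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOGONS).items():
        print(src, info)
```

The distinct account list matters as much as the count: several accounts from one address inside a minute is password guessing rather than a forgetful user, and a 4624 from that address afterwards should be treated as an incident, not an alert.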
The malware has infected more than 230 entities so far, and $6 million in ransom payments has been extorted. An estimated $30 billion in damages affected private and public institutions, including hospitals and schools.
Typically, the malware encrypts one document at a time, writing an encrypted copy of the original document to free disk sectors. If not overwritten by other data, the original document can theoretically be recovered from disk. It deletes volume shadow copies via VSSADMIN.EXE before the documents are encrypted.
Dharma has been well known since 2016 and is one of the most profitable ransomware families around due to its mass-market, service-based ransomware-as-a-service (RaaS) business model. Also known as CrySIS, Dharma encrypts files using asymmetric algorithms; therefore, public (encryption) and private (decryption) keys are generated during the process. The private key is usually stored on a remote server controlled by the developers.
This ransomware encrypts multiple documents and deletes volume shadow copies via VSSADMIN.EXE, both before and after the documents are encrypted. It opens the original document for read/write but doesn’t change the contents. Instead, it sets the file size of the original document to 0 bytes before it is deleted. It then creates an encrypted copy of the original document on free disk sectors; theoretically, the original document is recoverable from disk if not overwritten by other data. However, recovery is complicated because the document’s file size is set to 0 bytes before it is deleted.
BitPaymer, sometimes also known as “wp_encrypt,” exclusively targets Windows-based computer systems. Once a Windows system is infected, BitPaymer encrypts user files and creates a ransom note on the user’s desktop.
BitPaymer encrypts most stored files and appends filenames with the “.locked” extension. Updated variants of this ransomware use “.LOCK” extensions for encrypted files. Compromised data immediately becomes unusable.
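Matrix (above) renames each document by adding an identifier to its extension, and BitPaymer appends “.locked” or “.LOCK”. Whatever the suffix, the behaviour a defender can key on is one process renaming many files by appending the same string in a short time. The following is an added example, not code from the original post: it counts, per process, renames that append an identical suffix over constructed file-system events. The event layout, the process IDs, the paths and the “.[ID-7f3a].EXAMPLE” identifier are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed file-system events, "timestamp,op,pid,old_path,new_path".
# The pids, paths and the ".[ID-7f3a].EXAMPLE" identifier are sample data.
SAMPLE_FILE_EVENTS = [
    r"2024-05-01T03:10:00Z,rename,4412,C:\Users\a\Docs\q1.xlsx,C:\Users\a\Docs\q1.xlsx.locked",
    r"2024-05-01T03:10:00Z,rename,4412,C:\Users\a\Docs\plan.docx,C:\Users\a\Docs\plan.docx.locked",
    r"2024-05-01T03:10:01Z,rename,4412,C:\Users\a\Docs\notes.txt,C:\Users\a\Docs\notes.txt.locked",
    r"2024-05-01T03:10:01Z,rename,4412,C:\Users\a\Pictures\cat.jpg,C:\Users\a\Pictures\cat.jpg.locked",
    r"2024-05-01T03:12:00Z,rename,5120,C:\Share\invoice.pdf,C:\Share\invoice.pdf.[ID-7f3a].EXAMPLE",
    r"2024-05-01T03:12:00Z,rename,5120,C:\Share\ledger.xlsx,C:\Share\ledger.xlsx.[ID-7f3a].EXAMPLE",
    r"2024-05-01T03:12:01Z,rename,5120,C:\Share\memo.docx,C:\Share\memo.docx.[ID-7f3a].EXAMPLE",
    r"2024-05-01T03:15:00Z,rename,900,C:\Users\a\Docs\old.txt,C:\Users\a\Docs\old.txt.bak",
    r"2024-05-01T03:15:30Z,rename,900,C:\Users\a\Docs\draft.docx,C:\Users\a\Docs\final.docx",
    r"2024-05-01T03:16:00Z,write,4412,C:\Users\a\Docs\README.txt,",
]


def appended_suffix(old_path: str, new_path: str):
    """If the new name is the old name plus a suffix, return that suffix; else None.
    A rename that changes the base name (draft -> final) is not an append."""
    if new_path.startswith(old_path) and len(new_path) > len(old_path):
        return new_path[len(old_path):]
    return None


def detect_mass_rename(events, threshold=3):
    """Count, per process, how many files it renamed by appending the same suffix.
    Returns {pid: {suffix: count}} for processes whose top suffix reaches `threshold`."""
    per_process = defaultdict(Counter)
    for line in events:
        _ts, op, pid, old_path, new_path = line.split(",")
        if op != "rename":
            continue
        suffix = appended_suffix(old_path, new_path)
        if suffix is not None:
            per_process[pid][suffix] += 1
    return {
        pid: dict(counts)
        for pid, counts in per_process.items()
        if max(counts.values()) >= threshold
    }


if __name__ == "__main__":
    for pid, counts in detect_mass_rename(SAMPLE_FILE_EVENTS).items():
        print(pid, counts)
```

The suffix is compared case-sensitively so that “.locked” and “.LOCK” are reported as what they are; a real deployment would add a time window per process (as in a failed-logon counter) and exempt known archivers and backup agents that also rename in bulk.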
BitPaymer is known to abuse alternate data streams (ADS), a feature of the NTFS file system that lets the ransomware hide from plain sight and evade security tools. This malware deletes volume shadow copies via VSSADMIN.EXE before the documents are encrypted.
It calls FlushFileBuffers to ensure buffered data is immediately committed to disk and renames documents after encryption. For each encrypted document, BitPaymer creates a ransom note text file containing the base64-encoded key blob needed for decryption.
Ryuk ransomware targets large organizations for a high-ransom return. It is one of the first ransomware families to include the ability to identify and encrypt network drives and resources and delete shadow copies on the endpoint. The attackers can then disable Windows System Restore for users, making it impossible to recover from an attack without external backups or rollback technology. Based on Hermes ransomware, Ryuk encrypts multiple documents simultaneously. It encrypts data on mapped network drives and adds the key blob at the end of the encrypted document.
LockerGoga spreads through several common channels, such as spam email campaigns, Trojans, untrustworthy software download sites, fake software updaters, and software cracking tools. LockerGoga is identical to another ransomware-type program called CottleAkela.
Once installed, LockerGoga modifies the user accounts by changing their passwords and tries to log off users already logged in to the system. It then relocates itself into a temp folder after renaming itself via the command line. The command line does not contain the file paths of the files targeted for encryption. LockerGoga encrypts files stored on desktops, laptops, and servers, and every time it encrypts a file, a registry key is modified. LockerGoga leaves a ransom note in README_LOCKED.txt in the desktop folder after the encryption process.