Ransomware is a growing criminal activity that comes in a variety of forms. Since the first appearance of police locker ransomware variants in 2012, ransomware variants have grown in sophistication and destructiveness.
Some variants encrypt the contents of shared or networked drives, externally attached storage media devices, and cloud storage services mapped to infected computers, in addition to the files on the infected device. These variants are considered destructive because they encrypt files and render them inaccessible until a ransom is paid.
According to recent FBI investigations, ransomware authors continue to improve their code by using anonymizing services such as Tor[3] for end-to-end communication with infected systems and the Bitcoin virtual currency to collect ransom payments.
CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, and Locky are the top five ransomware variants targeting businesses and individuals in the United States.
Since April 2014, CryptoWall and its variants have been actively targeting victims in the United States. CryptoWall was the first ransomware variant to only accept Bitcoin as a ransom payment. CryptoWall ransoms typically range between $200 and $10,000. Following the demise of the CryptoLocker botnet, CryptoWall has emerged as the most popular ransomware variant with victims worldwide. IC3 received 992 CryptoWall-related complaints between April 2014 and June 2015, with victims reporting losses totaling over $18 million.[4] CryptoWall infects victims primarily through spam email, but it can also be spread through drive-by downloads[5] and malvertising.[6]
CTB-Locker, which first appeared in June 2014, was one of the first ransomware variants to use Tor as its C2 infrastructure. CTB-Locker only connects to its C2 servers after encrypting victims’ files and only uses Tor for its C2 servers. Furthermore, unlike other ransomware variants that use the Tor network for some communication, the CTB-Locker malware has Tor components embedded in it, making it more efficient and harder to detect. Drive-by downloads and spam emails are used to spread CTB-Locker.
TeslaCrypt first appeared in February 2015, encrypting gaming files for the video game community. These files were targeted in addition to the usual ransomware targets (documents, images, and database files). TeslaCrypt attempted to delete all Shadow Volume Copies and system restore points after the data was encrypted to prevent file recovery. Angler, Sweet Orange, and Nuclear exploit kits were used to distribute TeslaCrypt.
4. MSIL or Samas (SAMSAM)
MSIL, also known as Samas (SAMSAM), was used to infiltrate the networks of several victims in the United States, including the 2016 attacks on healthcare facilities running outdated versions of the JBoss content management application. SAMSAM targets Java-based Web servers that are vulnerable. SAMSAM identifies and compiles a list of hosts reporting to the victim’s Active Directory using open-source tools. The actors then use psexec.exe to spread the malware across the network and encrypt most of the system’s files. The actors charge the victim varying amounts in Bitcoin in exchange for the decryption keys.
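Two of the behaviours described above leave clear host telemetry that a defender can alert on: the recovery-point deletion attributed to TeslaCrypt (vssadmin / wmic commands that remove Shadow Volume Copies) and the psexec.exe spreading attributed to SAMSAM (a PsExec launch on the source host and the PSEXESVC service install on the target). The following detection logic is an added example written for this page, not code from the FBI, IC3 or any of the malware families discussed. The event records are constructed Sysmon-style samples for hypothetical hosts, the field names are assumed, and the pattern list covers only the two most common shadow-copy deletion command forms.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): process-creation events with
# Sysmon-style fields plus one service-install event, on hypothetical hosts.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "host": "ws01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign: lists, does not delete
    {"type": "process", "host": "srv02", "user": r"CORP\svc_backup",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\ws03 -accepteula cmd.exe"},
    {"type": "service", "host": "ws03", "user": "SYSTEM",
     "service_name": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"type": "process", "host": "srv04", "user": r"CORP\bob",
     "image": r"C:\Program Files\Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n report.docx"},
]

# Command lines that remove Volume Shadow Copies (the recovery-point deletion the
# text attributes to TeslaCrypt). Assumed list: only the two most common forms.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# PsExec leaves two artefacts: the launcher image on the source host and the
# PSEXESVC service installed on the target host.
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe"}
PSEXEC_SERVICE = "psexesvc"


def basename(path):
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection tags that apply to a single event (empty if none)."""
    tags = []
    if event["type"] == "process":
        cmd = event.get("cmdline", "")
        if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            tags.append("shadow_copy_deletion")
        if basename(event.get("image", "")) in PSEXEC_IMAGES:
            tags.append("psexec_source")
    elif event["type"] == "service":
        if event.get("service_name", "").lower() == PSEXEC_SERVICE:
            tags.append("psexec_target")
    return tags


def triage(events):
    """Group tags per host so an analyst sees which hosts show which behaviours."""
    per_host = defaultdict(set)
    for ev in events:
        for tag in classify(ev):
            per_host[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in per_host.items()}


if __name__ == "__main__":
    for host, tags in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(tags)}")
```

On the sample data this flags ws01 for shadow-copy deletion (the `list shadows` line is correctly ignored), srv02 as a PsExec source and ws03 as a PsExec target, while the Word launch on srv04 produces nothing. In production, the PsExec tags are only meaningful in context: administrators use the tool legitimately, so the alert should correlate a source-host launch with a target-host service install within a short window and with shadow-copy deletion on the same hosts, which is the combination the page describes.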