The Musings of a Bored Redditor

Ransomware


CryptoLocker

This attack was first seen in 2013 and set the stage for ransomware on a grand scale. It was spread via attachments to spam messages and used RSA public key encryption to seal up user files, demanding cash (as shown in the above screen capture). Jonathan Penn, Director of Strategy at Avast, notes that at its height in late 2013 and early 2014, over half a million (500,000) machines were infected by CryptoLocker.

It was somewhat primitive and was defeated by Operation Tovar, a white-hat campaign that brought down the botnet that controlled CryptoLocker. In the process of the takedown, the private keys CryptoLocker used to encrypt files were recovered, but as Penn put it, CryptoLocker had “opened the floodgates” to many other varieties of file-encrypting ransomware – some derived from CryptoLocker’s source code, some simply given CryptoLocker’s name, and some close variants written from scratch.

The variants overall harvested about three million dollars ($3,000,000) in ransom fees; notably CryptoWall, which by 2015 accounted for half of all ransomware infections.

TeslaCrypt

Within a year of CryptoLocker, there was another threat, known as TeslaCrypt. Its M.O. was to target ancillary files associated with video games: saved games, maps, DLC (downloadable content) and the like. These files are precious to gamers, but are more likely to be stored locally than in the cloud or backed up on an external drive. By 2016, TeslaCrypt made up forty-eight percent (48%) of ransomware attacks.

One of the biggest strengths TeslaCrypt had was that it was constantly upgraded by its developers; the flaws that had allowed infected computers to be repaired were patched by early 2016, making files essentially impossible to restore without help from the malware’s creators. Surprisingly, the developers provided exactly that help two months later, announcing that they were done with their sinister activities and offering the master decryption key to the world.

SimpleLocker

Android was the platform of choice to attack, and in late 2015 and early 2016, ransomware attacks on it spiked almost fourfold. Many were so-called “blocker” attacks that merely made it difficult to access files by preventing users from getting at parts of the UI (user interface), but in late 2015 this particularly aggressive ransomware began to spread; it was the first Android-based attack to actually encrypt files and make them inaccessible without the scammers’ help. It was also the first known ransomware to deliver its malicious payload via a Trojan downloader, which made it more difficult for security measures to catch up with. SimpleLocker was born in Eastern Europe, but three quarters (3/4) of its victims were in the US (United States), as scammers go after the money.

However, the number of infected devices is still relatively low – about one hundred fifty thousand (150,000) since late 2016 – and Google is working hard to assure its users that it is very hard to actually get infected by ransomware.

WannaCry

The first of the two major attacks was called WannaCry and “was easily the worst ransomware attack in history,” says Penn, the Director of Strategy at Avast. “On May 12th, the ransomware started taking hold in Europe. Just four days later, Avast had detected more than 250,000 detections in 116 countries.” This really puts 150,000 Android attacks over more than a year into perspective. This attack was “the first wave of attacks that maliciously utilized leaked hacking tools from the NSA,” according to ReliaQuest CTO Joe Partlow.

WannaCry “blindly took advantage” of this hole, says Penn, “spreading aggressively across devices on the network because user interaction isn’t required for further infection.” And Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, points out that “many organizations had the SMB port, 445, openly exposed to the Internet, which helped propagate the worm.”

Petya

Petya refers to a family of encrypting malware that was first discovered in 2016. It targets Microsoft Windows-based systems, infecting the master boot record (MBR) to execute a payload that encrypts the hard drive’s file system table and prevents Windows from booting. It then demands that the victim make a payment in bitcoin in order to regain access to their system. Variants of Petya were first seen in March 2016 and spread via infected email attachments, but in June 2017 another version of Petya was used for a global cyberattack, primarily targeting Ukraine. The 2017 variant spread through the EternalBlue exploit, which is generally believed to have been developed by the US NSA (National Security Agency) and was also used by the WannaCry ransomware.

Kaspersky Lab referred to this new version as NotPetya to distinguish it from the earlier variants because of the differences in how it operates. This variant was also modified in a way that did not allow its own changes to be reverted.
