11 of the worst ransomware - we name the internet's nastiest extortion malware
Updated 15 May 2017: The WannaCry ransomware first started infecting PCs on Friday 12 May 2017 and quickly spread around the world, wreaking havoc on hospital and other health infrastructure across the UK. It uses a modified leaked NSA exploit, EternalBlue, to spread, and another wave of attacks could be around the corner.
Five years ago ransomware was a type of malware that had been kicking around for a decade to little effect. By 2017, it is everywhere, supplanting all other forms of malware as the number one menace. Two things changed its status – the rise of Bitcoin (almost untraceable payment) and the example of FBI scareware which started to decline around 2012 but proved the principle that digital extortion can be profitable.
According to Symantec, 16 families were discovered in the decade to 2014, most spread on a very small scale such as Cryzip, the first small-scale ransomware to affect the UK. In 2015, by spectacular contrast, 27 families were recorded in that year alone.
Ransomware is difficult to stop even on Windows computers running antivirus, although detection is improving. The only reliable defence is backup, but even backups can come under attack from ransomware if they are reachable from the infected PC. Users are urged not to pay the fees. Longer term, extortion malware could move to the next tactic of threatening people with exposure for crimes they had not committed, such as downloading child abuse images. With more SMEs being affected than ever before, this threat has a way to run yet.
1. WannaCry/Wana decrypt0r wreaks havoc on NHS England
Europol has described the WannaCry ransomware, which shut down hospital infrastructure all over the UK and uses a leaked exploit first developed by the National Security Agency, as unprecedented in scale.
The attack was launched on Friday 12 May and quickly spread to more than 200,000 systems around the world. Security researcher Kafeine found that WannaCry had code based on the NSA’s EternalBlue exploit, which was leaked earlier this year by the group calling itself the Shadow Brokers. According to BleepingComputer, EternalBlue exploits a vulnerability in the Server Message Block protocol to spread through file sharing networks. Malwarebytes Labs reports that the worm creates two threads, the first to scan for hosts on the local network and the other to scan for hosts on the internet. Infected machines will see the malware demand a payment of up to $600 to decrypt the files.
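The two scanning threads described above leave a characteristic trace on the network: one internal host opening connections to an unusual number of distinct peers on the SMB port (TCP 445) in a short time. The following detector is an added example written for this article, not code from the article or from any of the researchers it cites. It runs over constructed connection-log lines of the assumed form `<epoch> <src_ip> <dst_ip> <dst_port> <action>`; the field layout, the 60-second window and the 20-peer threshold are all assumptions chosen for illustration.

```python
"""Flag hosts that fan out to many distinct peers on TCP/445 inside a sliding window.

Added example, not from the article. Log format, window and threshold are assumptions.
"""
from collections import defaultdict, deque

SMB_PORT = 445
WINDOW_SECONDS = 60      # sliding window length (assumption)
DISTINCT_PEERS = 20      # distinct destinations within the window that raise an alert (assumption)

# Constructed sample log: workstation 10.0.5.17 probes 25 neighbours on 445 within 25 s,
# file server 10.0.5.2 talks to the same three hosts repeatedly (normal SMB chatter),
# and one non-SMB connection that the detector must ignore.
SAMPLE_LOG = "\n".join(
    [f"{1494597600 + i} 10.0.5.17 10.0.5.{100 + i} 445 SYN" for i in range(25)]
    + [f"{1494597600 + i * 10} 10.0.5.2 10.0.5.{50 + (i % 3)} 445 SYN" for i in range(6)]
    + ["1494597610 10.0.5.17 10.0.5.200 80 SYN"]
)


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port, _action = line.split()
    return int(ts), src, dst, int(port)


def detect_smb_scanners(log_text, window=WINDOW_SECONDS, threshold=DISTINCT_PEERS):
    """Return {src_ip: peak distinct-destination count} for sources that exceed the threshold."""
    events = defaultdict(deque)                      # src -> (ts, dst) events inside the window
    counts = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits inside the window
    peak = {}
    # Sort so the sliding window sees events in time order even if the log is interleaved.
    records = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, src, dst, port in records:
        if port != SMB_PORT:
            continue
        q, c = events[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        # Expire events that fell out of the window.
        while q and ts - q[0][0] > window:
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        distinct = len(c)
        if distinct >= threshold:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak


if __name__ == "__main__":
    for host, fanout in detect_smb_scanners(SAMPLE_LOG).items():
        print(f"ALERT: {host} reached {fanout} distinct SMB peers within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw connection attempts is what separates a scanning host from a busy file server: the server in the sample makes repeated connections but only ever to three peers, so it stays below the threshold unless the threshold is lowered to that level.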
Microsoft had patched the vulnerability in update MS17-010 in March this year, but unpatched systems, or those running older versions of Windows without Windows Update enabled, were still open to infection. The company took the unusual step of releasing another patch for older operating systems, including the generally unsupported Windows XP.
But by that time hospitals, doctor’s surgeries and accident and emergency wards in the UK had been affected by the attack and some were even reportedly turning patients away. Home secretary Amber Rudd confirmed that one in five NHS England trusts had been hit by the attack, but insisted no patient data had been compromised.
Elsewhere, organisations hit by the attack included Telefonica in Spain, Renault in France, and delivery company FedEx in the USA, as well as China’s state oil company and railways in Germany. Russia was believed to have most instances of the attack.
Security researchers warn that another wave of attacks is likely, and that the code could easily be evolved to become more sophisticated and harder to stop. It’s suspected that an organised criminal group was behind the attack.
2. CryptoLocker – where ransomware took off
CryptoLocker is long gone (downed by Operation Tovar in 2014) but it deserves infamy because its heyday of 2013 proved to cybercriminals how successful ransomware could be. It was supplanted by the equally vicious CryptoWall, which remains a headache to this day on systems not running updated AV or endpoint security. It is a long way behind the state of the art, but it doesn’t need to be. Recovery? It’s dead, Jim
3. Locky – well engineered, ruthless, clever
The work of the criminals behind the Dridex botnet, Locky is as bad as ransomware can get. Locky’s creators seem to have thought of everything, not only encrypting a wide range of data files but even Bitcoin wallets and Windows Volume Snapshot Service (VSS) files, in case users try to restore files that way. Reaches out to attached shares and even other PCs and servers. Uses strong encryption and has found several high-profile victims. Recovery? No.
4. Crysis - Locky copycat with big ambitions
First detected by ESET in early 2016, Crysis styles itself on Locky in that it encrypts shadow copies and every file it can find including in some cases system files. This rather odd behaviour means that the infected PC can become inoperable. Attempts to elevate its privileges to admin level by stealing available logins and even steals files, including user credentials. Targets VMware virtual machines. Recovery? ESET has a decryptor for early versions.
5. zCrypt – ransomware that behaves like a virus
zCrypt tries the unusual technique of spreading as a virus. This means that it doesn’t rely on malicious emails to find victims and can spread on USB sticks. Creates a custom autorun.inf that allows it to execute automatically when the stick is plugged into a second machine. Instead of automatically encrypting all the files it can find, it simply detects important directories and encrypts files that are changed. Scrambles files first to make recovery impossible.
6. PowerWare – PowerShell hijacker
Discovered by security firm Carbon Black, this one is interesting because it is aimed at businesses using Microsoft Word and the PowerShell scripting interface. This malware’s innovation is that, after tempting the user to enable macros to view a booby-trapped Word attachment, it runs filelessly, hooking PowerShell to download a malicious script. Writing no files to disk makes its activity hard to detect while it encrypts files. Recovery? Possible says Carbon Black.
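Fileless operation of the kind PowerWare uses leaves few artefacts on disk, but the process tree still records Word launching PowerShell, and the shadow-copy removal that Locky (item 3) and Crysis (item 4) perform shows up as a process-creation event too. The rule set below is an added example written for this article, not Carbon Black’s, ESET’s or any vendor’s code. It evaluates constructed process-creation events carrying Sysmon-style field names (`UtcTime`, `ParentImage`, `Image`, `CommandLine`); the sample events, the rule names and the exact pattern list are assumptions for illustration.

```python
"""Two process-lineage rules for ransomware precursors, run over constructed events.

Added example, not from the article. Field names follow Sysmon's event 1 layout;
the events, rule names and patterns are assumptions.
"""
import json
import re

# Rule 1: an Office application spawning a script host or command interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Rule 2: shadow-copy destruction, the pre-encryption step the article attributes to Locky and Crysis.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),   # WMI class used when the deletion goes via PowerShell (assumption)
]

# Constructed sample events: one malicious macro chain, one benign Word launch,
# one shadow-copy deletion, and one benign backup-software listing of shadows.
SAMPLE_EVENTS = [
    {"UtcTime": "2017-05-12 09:14:03",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command \"<constructed placeholder>\""},
    {"UtcTime": "2017-05-12 09:13:55",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\invoice.docm\""},
    {"UtcTime": "2017-05-12 09:14:09",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"UtcTime": "2017-05-12 02:00:00",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules a single process-creation event matches."""
    hits = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if any(p.search(cmd) for p in SHADOW_DELETE):
        hits.append("shadow_copy_deletion")
    return hits


def scan(jsonl_text):
    """Evaluate every JSON-lines event; return (time, rule, image) alerts in input order."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in evaluate(ev):
            alerts.append((ev["UtcTime"], rule, basename(ev["Image"])))
    return alerts


if __name__ == "__main__":
    for when, rule, image in scan(SAMPLE_JSONL):
        print(f"{when}  {rule:<26} {image}")
```

The benign events are there on purpose: Word started from Explorer and a backup agent merely listing shadow copies must not fire, which is why rule 1 keys on the parent-child pair rather than on PowerShell alone and rule 2 matches the `delete` verb rather than the `vssadmin` binary.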
7. Petya – attack the PC too
Ransomware usually encrypts files but Petya’s target is the system itself. Its first act is to overwrite the Master Boot Record (MBR), causing a full blue screen of death crash. When the user reboots, instead of Windows they see a skull and crossbones splash screen with a ransom demand. Effectively, the attackers hold hostage both the files and the entire system, by encrypting the Master File Table so that the files become inaccessible. Recovery? Possible
8. HydraCrypt – ransomware can be beaten
An offshoot of the CrypBoss ransomware, HydraCrypt is notable for being pushed by the highly active Angler exploit kit, which suddenly and mysteriously disappeared in June 2016. HydraCrypt is possibly most famous for the battle between its creators and a researcher called Fabian Wosar. So far, Wosar is winning hands down, having released decryptors for successive versions of this family. Recovery? Yes.
9. Cerber – ransomware-as-a-service
Cerber is one of a new breed of what appear to be ransomware-as-a-service applications. Encrypts files, of course, but not in Russia or former Soviet republics, which might be a clue to its Russian origins. Once infected, the PC throws up a fake Windows system alert and forces a reboot before starting its encryption routine. Rubbing it in, Cerber even makes the PC speak its ransom demand in case the victim doesn’t notice the dropped text files. Recovery? None known
11. CryptoWall – it’s everywhere
Alongside Locky and Cerber, CryptoWall remains one of the most common ransomware threats. Produced in several versions since at least 2014, with version 4.0 distributed since late 2015 using the Angler exploit kit, CryptoWall feels like a mature piece of malware right down to its attempts at persistence and process injection. Little things stand out, such as the way it makes every encrypted filename unique to make it more difficult to understand the damage. Recovery? No.