Six ransomware strains that demonstrate attacker innovation
Ransomware attacks happen when threat actors prevent organizations or individuals from accessing their data and/or computer systems (usually using encryption) until they make a payment, and this can paralyze businesses of every size. In 2019 ransomware attacks hit at least 966 US government agencies, educational establishments and healthcare providers at a potential cost of over…
Ransomware attacks happen when threat actors prevent organizations or individuals from accessing their data and/or computer systems (usually using encryption) until they make a payment, and this can paralyze businesses of every size.
In 2019 ransomware attacks hit at least 966 US government agencies, educational establishments and healthcare providers at a potential cost of over $7.5 billion. It’s huge business. But while attackers have developed ransomware strains and campaigns with increasing frequency in recent years, holding data hostage is by no means revolutionary.
The AIDS Trojan
The first ransomware emerged way back in 1989, when AIDS researcher Joseph Popp distributed 20,000 malicious floppy disks to other specialists around the world. A trusted member of the scientific community, he claimed they included a program that could analyze an individual’s risk of getting AIDS; however, the disks really housed malware that would encrypt an infected machine’s files after 90 reboots. Security experts created a free decryption tool to counteract the aptly named ‘AIDS Trojan’, which demanded $189 by invoice, and so began a decades-long digital conflict.
But while it’s true there are no winners in physical war, the elusive, lawless nature of attackers has seen them dominate cyberwarfare (though ransomware distributor Zain Qaiser was sentenced to six years in 2019, proving they can be caught). Attackers are also highly innovative, meaning they’re usually one step ahead of the game. In the early days, for example, they would write their own encryption code which defenders could crack with relative ease. By the mid-2000s, however, attackers began utilizing complex encryption algorithms such as the early public-key cryptosystem RSA, which made cracking ransomware a whole lot harder.
Attackers had further nuanced their methods by the early 2010s, adding a level of cunning previously unseen. One example was Police Locker ransomware, which under the guise of law enforcement would accuse its victims of illicit activity, such as pirating. It would usurp the victim device and declare it ‘locked’ because of the illicit (and fabricated) activity. To add a sense of legitimacy, it included the device’s IP address and government authority logos on the lockout screen. Encryption wasn’t always used, so a simple reboot could easily solve some Police Locker cases; however, the fear factor resulted in many victims – especially those with poor cyber awareness – paying the ransom.
More recently, attackers began purchasing readymade solutions on the black market and delivering them via methods such as spear phishing. Tough-to-crack ransomwares such as SamSam, which surfaced in 2016, can be bought online for as little as a few hundred dollars, yet attackers often demand tens of thousands of dollars when deploying them. SamSam alone had accrued nearly $6m in payments by 2018, proving that ransomware is a lucrative business for cybercriminals with even limited technical ability.
WannaCry and LockerGoga
Nowadays ransomware doesn’t just pose a threat to capital; there’s also a very real risk to infrastructure and, in the worst cases, even human life. In 2017 WannaCry, the world’s most notorious ransomware, crippled 37 of the UK’s National Health Service (NHS) trusts, leading to the cancellation of 20,000 appointments. This brought the NHS to its knees and put the health of vulnerable patients at risk. In 2019, hackers hit 22,000 computers belonging to global aluminum producer Norsk with LockerGoga ransomware. The organization’s entire workforce – that’s 35,000 people – had to operate using pen and paper, and the attack cost the business in excess of £45 million.
Equally sinister was the news that attackers had unleashed ransomware on a major natural gas compression facility in the US, which led the Cybersecurity and Infrastructure Security Agency (CISA) to warn that critical infrastructure operators should redouble their security efforts. After all, how long is it before a nation-state decides to attack an enemy country’s power grids at scale? The Johannesburg ransomware attack that left many residents without electricity in 2019 shows that attackers can, and will, succeed in damaging infrastructure.
Perhaps the fastest-growing threat in cyber today is ransomware-as-a-service (RaaS), which sees writers distance themselves from their product while sending a network of agents into the wild to wreak havoc. And it doesn’t stop there. The writers command their foot soldiers to not just infect machines and networks but also harvest data. That way, if the ransom isn’t paid, the attacker can leverage said data adding jeopardy. The ransom will often start small, for example, but increase with each passing day as the attacker bids to force their victim’s hand.
One of the most significant RaaS attacks occurred when Sodinokibi hit Travelex at the end of 2019 (which we examine in depth here). This began with attackers hitting the foreign exchange company’s website so hard that it couldn’t even get a holding page up. Initially Travelex made little information available, insisting no data was stolen all the while bargaining with the attackers. It transpired that data had been stolen, which begs the question: why was nobody from Travelex prepared to comment? Most organizations would have an incident response plan in place that would help deal with such an event, so one can only assume that Travelex didn’t.
The multimillion dollar ransomware business is always finding ways to make itself more damaging, with recent innovations including auto-infections and auto-emailing stock exchanges to advise them of affected organizations. The group behind Sodinokibi even does a great job ensuring victims can pay the ransom. It will help businesses understand the best way to pay, with agents who will talk them through the process – a service in the truest sense of the word.
Immersive Labs offers hands-on experience of a number of ransomware variants from the point of view of both the end user and technical teams witnessing an outbreak. You can try some of these (including the infamous Sodinokibi) in our Lite platform for free.