Ransomware

Ransomware is a type of malware that blocks access to systems or encrypts data, demanding ransom from victims for data release. There are two main types: locker ransomware, which locks users out of their systems, and crypto ransomware, which encrypts files and can have devastating effects if backups are not available. Notable examples include WannaCry, which exploited a Windows vulnerability, and Locky, which spread through phishing emails, affecting numerous individuals and organizations worldwide.

Ransomware

Course: Information Security


What is Ransomware?
• Ransomware is a type of malware (malicious software) used by
cybercriminals.
• If a computer or network has been infected with ransomware, the
ransomware blocks access to the system or encrypts its data.
• Cybercriminals demand ransom money from their victims in exchange for
releasing the data.
• A ransomware attack can therefore target both individuals and companies.
• Attack vectors frequently used by extortion Trojans include:
  • Remote Desktop Protocol,
  • phishing emails, and
  • software vulnerabilities.
Types of Ransomware
• Two types of ransomware are very popular:
1. Locker ransomware
2. Crypto ransomware
Locker Ransomware
• This type of malware blocks basic computer functions.
• For example, you may be denied access to the desktop, while the mouse and
keyboard are partially disabled.
• This allows you to continue to interact with the window containing
the ransom demand in order to make the payment.
• Apart from that, the computer is inoperable.
• Good thing about it: Locker malware doesn't usually target critical
files; it generally just wants to lock you out. Complete destruction of
your data is therefore unlikely.
Crypto Ransomware
• The aim of crypto ransomware is to encrypt your important data, such as
documents, pictures and videos, but not to interfere with basic computer
functions.
• This spreads panic because users can see their files but cannot access
them.
• Crypto ransomware developers often add a countdown to their ransom demand: "If you
don't pay the ransom by the deadline, all your files will be deleted."
• Devastating Effect: Due to the number of users who are unaware of the
need for backups in the cloud or on external physical storage devices,
crypto ransomware can have a devastating impact.
• Consequently, many victims pay the ransom simply to get their files back.
Ransomware Examples
• Locky
• Wannacry
• Bad Rabbit
• Ryuk
• Shade/ Troldesh
• Jigsaw
• Cryptolocker
• Petya
• GoldenEye
• GandCrab
• B0r0nt0k
• Dharma Brrr ransomware
• FAIR RANSOMWARE ransomware
• MADO ransomware
Locky
• It is ransomware that was first used for an attack in 2016 by a group
of organized hackers.
• Locky encrypted more than 160 file types and was spread by means
of fake emails with infected attachments.
• Users fell for the email trick and installed the ransomware on their
computers.
• This method of spreading is called phishing, and is a form of what is
known as social engineering.
• Locky ransomware targets file types that are often used by designers,
developers, engineers and testers.
Locky
• Example/Description: Locky was a ransomware strain first seen in
2016, spread via malicious email attachments. It encrypts files and
demands payment in Bitcoin. Files are renamed with the extension
.locky.
• Real-world case: Locky was distributed through social engineering
emails posing as invoices.
WannaCry
• WannaCry was a ransomware attack that spread to over 150 countries in
2017.
• It was designed to exploit a security vulnerability in Windows that was
created by the NSA and leaked by the Shadow Brokers hacker group.
• WannaCry affected 230,000 computers worldwide.
• The attack hit one-third of all NHS hospitals in the UK, causing estimated
damages of 92 million pounds.
• Users were locked out and a ransom payable in Bitcoin was demanded.
• The attack exposed the issue of outdated systems, because the hacker
exploited an operating system vulnerability for which a patch had long
existed at the time of the attack.
• The worldwide financial damage caused by WannaCry was approximately
US$4 billion.
WannaCry
• Example/Description: WannaCry caused a global ransomware outbreak
in 2017, exploiting the EternalBlue vulnerability in Windows systems. It
spread quickly across networks. Files are locked and ransom is demanded
in Bitcoin.
• Impact: Affected hospitals, businesses, and institutions worldwide,
including the UK's NHS.
Bad Rabbit
• Bad Rabbit was a ransomware attack from 2017 that spread via
so-called drive-by attacks.
• Insecure websites were used to carry out the attacks.
• In a drive-by ransomware attack, a user visits a real website, unaware that
it has been compromised by hackers.
• For most drive-by attacks, all that is required is for a user to call up a page
that has been compromised in this way.
• In this case, however, running an installer that contained disguised
malware led to the infection.
• This is called a malware dropper. Bad Rabbit asked the user to run a fake
Adobe Flash installation, thereby infecting the computer with malware.
Bad Rabbit
• Example/Description: Bad Rabbit ransomware surfaced in 2017,
disguised as a fake Adobe Flash Player installer. It spread through
drive-by downloads on compromised websites.
• Notable Case: Targeted systems in Russia and Ukraine.
Ryuk
• Ryuk is an encryption Trojan that spread in August 2018
and disabled the recovery function of Windows operating systems.
• This made it impossible to restore the encrypted data without an
external backup.
• Ryuk also encrypted network hard disks.
• The impact was huge, and many of the US organizations that were
targeted paid the ransom sums demanded.
• The total damage is estimated at over $640,000.
Ryuk
• Example/Description: Ryuk is a ransomware strain used in targeted
attacks on large organizations. It encrypts data and often disables system
recovery tools.
• Notable Case: Extensively used against government agencies, hospitals,
and educational institutions, causing millions in damages.
Shade or Troldesh
• The Shade or Troldesh ransomware attack took place in 2015 and
spread via spam emails containing infected links or file attachments.
• Interestingly, the Troldesh attackers communicated directly with their
victims via email.
• Victims with whom they had built up a "good relationship" received
discounts.
• However, this kind of behavior is an exception rather than the rule.
Shade or Troldesh
• Example/Description: Shade (also known as Troldesh) spread via
phishing emails. It encrypted files and added extensions like .xtbl or .ytbl.
Victims received ransom demands through text files.
• Interesting Fact: Developers ceased operations in 2020 and publicly
released decryption keys.
Jigsaw
• Jigsaw is a ransomware attack that began in 2016.
• The attack got its name from an image it displayed of the well-known
puppet from the Saw movie franchise.
• With each additional hour the ransom remained unpaid, Jigsaw
ransomware deleted more files.
• The use of the horror movie image caused additional stress among
users.
Jigsaw
• Example/Description: Jigsaw ransomware encrypts files and deletes
them over time if the ransom is not paid. It displays a screen with the
image of the "Jigsaw" doll from the Saw movies.
• Unique Feature: Deletes a certain number of files every hour as a
psychological pressure tactic.
CryptoLocker
• CryptoLocker is ransomware that was first spotted in 2007 and spread
via infected email attachments.
• The ransomware searched for important data on infected computers and
encrypted it.
• An estimated 500,000 computers were affected.
• Law enforcement agencies and security companies eventually managed to
seize control of a worldwide network of hijacked home computers that
were used to spread CryptoLocker.
• This allowed the agencies and companies to intercept the data being sent
over the network without the criminals noticing.
• Ultimately, this resulted in an online portal being set up where victims
could obtain a key to unlock their data.
• This allowed their data to be released without the need to pay a ransom to
the criminals.
CryptoLocker
• Example/Description: CryptoLocker emerged in 2013, targeting systems
through malicious email attachments. It encrypted files and demanded
payment in Bitcoin for decryption.
• Impact: One of the earliest, most widespread ransomware strains.
Petya
• Petya is a ransomware attack that occurred in 2016 and was resurrected as
GoldenEye in 2017.
• Instead of encrypting certain files, this malicious ransomware encrypted
the victim's entire hard disk.
• This was done by encrypting the Master File Table (MFT), which made it
impossible to access files on the hard disk.
• Petya ransomware spread to corporate HR departments via a fake
application that contained an infected Dropbox link.
• Another variant of Petya is Petya 2.0, which differs in some key aspects. In
terms of how the attack is carried out, however, both are equally fatal for
the device.
Petya
• Example/Description: Petya ransomware encrypts the Master Boot
Record (MBR) instead of files, rendering the system unbootable.
• Real-world case: Often distributed through phishing emails or software
exploits.
GoldenEye
• The resurrection of Petya as GoldenEye resulted in a worldwide
ransomware infection in 2017.
• GoldenEye, known as WannaCry's "deadly sibling," hit more than
2,000 targets – including prominent oil producers in Russia and
several banks.
• In an alarming turn of events, GoldenEye forced the personnel of the
Chernobyl nuclear power plant to manually check the radiation level
there, after they were locked out of their Windows computers.
GoldenEye
• Example/Description: GoldenEye is a variant of Petya ransomware that
encrypts both the MBR and individual files. It was part of the 2017
NotPetya attacks.
• Notable Case: Affected businesses, mainly in Ukraine, disrupting logistics
and power systems.
GandCrab
• GandCrab is unsavory ransomware that threatened to disclose the
porn habits of its victims.
• It claimed that it had hacked the victim's webcam and demanded a
ransom.
• If the ransom wasn't paid, embarrassing footage of the victim would
be published online.
• After its first appearance in 2018, GandCrab ransomware continued
to develop in various versions.
• As part of the "No More Ransom" initiative, security providers and
police agencies developed a ransomware decryption tool to help
victims recover their sensitive data from GandCrab.
GandCrab
• Example/Description: GandCrab operated as
Ransomware-as-a-Service (RaaS), allowing affiliates to spread it in
exchange for a revenue share. It encrypted files and added various
extensions, like .GDCB and .CRAB.
• Shutdown: Developers retired GandCrab in 2019.
B0r0nt0k
• B0r0nt0k is crypto ransomware that focuses specifically on Windows
and Linux-based servers.
• This harmful ransomware encrypts the files of a Linux server and
attaches a ".rontok" file extension.
• The malware not only poses a threat to files, it also makes changes to
startup settings, disables functions and applications, and adds registry
entries, files and programs.
B0r0nt0k
• Example/Description: B0r0nt0k is a ransomware strain that targeted
Linux-based servers. It encrypted files and appended the extension
.rontok.
Dharma Brrr
• Brrr, the new Dharma ransomware, is installed manually by attackers
who first break into desktop services that are exposed to the
internet.
• As soon as the ransomware is activated by the hacker, it begins to
encrypt the files it finds.
• Encrypted data is given the file extension ".id-[id].[email].brrr".
Dharma Brrr
• Example/Description: Dharma is a ransomware family that appends
extensions like .brrr. It spreads through Remote Desktop Protocol (RDP)
vulnerabilities.
Fair and Mado
• FAIR RANSOMWARE is ransomware that aims to encrypt data.
• Using a powerful algorithm, all private documents and files of the
victim are encrypted.
• Files that are encrypted with this malware have the file extension
".FAIR RANSOMWARE" added to them.
• MADO ransomware is another type of crypto ransomware.
• Data that has been encrypted by this ransomware is given the
extension ".mado" and can thus no longer be opened.
Fair and Mado
• Example/Description: FAIR ransomware is known for encrypting files and
adding the extension .FAIR. Victims receive a ransom note with
instructions to contact attackers for decryption.
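As an added example that is not part of the slides, the following detector turns the file extensions listed above (Locky, Shade/Troldesh, GandCrab, B0r0nt0k, Dharma Brrr, FAIR and MADO) into a check over file-rename events and raises an alert when one host renames several files to such an extension within a short window, which is how a crypto ransomware run looks to a file monitor. The log line format and the sample events are constructed here; the bracketed e-mail form of the Dharma name is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the slides attribute to each strain (matching is case-insensitive).
KNOWN_EXTENSIONS = {
    ".locky": "Locky", ".xtbl": "Shade/Troldesh", ".ytbl": "Shade/Troldesh",
    ".gdcb": "GandCrab", ".crab": "GandCrab", ".rontok": "B0r0nt0k",
    ".fair": "FAIR RANSOMWARE", ".mado": "MADO",
}
# Dharma Brrr names files ".id-[id].[email].brrr"; brackets around the e-mail are assumed optional.
DHARMA_RE = re.compile(r"\.id-[A-Za-z0-9]+\.\[?[^\]\\/\s]+@[^\]\\/\s]+\]?\.brrr$", re.I)
# Constructed rename-event format: "<iso-timestamp> RENAME <host> <old path> -> <new path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) RENAME (?P<host>\S+) (?P<src>.+?) -> (?P<dst>.+)$")

# Constructed sample: a Locky burst on ws01, single hits on srv02 and ws03, one benign rename.
SAMPLE_LOG = """\
2024-01-15T10:00:00 RENAME ws01 C:\\Users\\ann\\q1.docx -> C:\\Users\\ann\\q1.docx.locky
2024-01-15T10:00:02 RENAME ws01 C:\\Users\\ann\\q2.xlsx -> C:\\Users\\ann\\q2.xlsx.locky
2024-01-15T10:00:05 RENAME ws01 C:\\Users\\ann\\pic.jpg -> C:\\Users\\ann\\pic.jpg.locky
2024-01-15T10:00:07 RENAME ws01 C:\\Users\\ann\\notes.txt -> C:\\Users\\ann\\notes.bak
2024-01-15T11:30:00 RENAME srv02 /var/www/index.html -> /var/www/index.html.rontok
2024-01-15T12:00:00 RENAME ws03 C:\\data\\a.pdf -> C:\\data\\a.pdf.id-AB12CD34.[ops@mail.example].brrr
""".splitlines()

def classify(path):
    """Return the family implied by a file name, or None if its extension is not listed."""
    if DHARMA_RE.search(path):
        return "Dharma Brrr"
    lower = path.lower()
    return next((fam for ext, fam in KNOWN_EXTENSIONS.items() if lower.endswith(ext)), None)

def parse(lines):
    """Yield (timestamp, host, family) for every rename whose new name hits a known extension."""
    for line in lines:
        m = LINE_RE.match(line)
        family = classify(m["dst"]) if m else None
        if family:
            yield datetime.fromisoformat(m["ts"]), m["host"], family

def detect(lines, window_s=60, threshold=3):
    """Alert per host when >= threshold suspicious renames fall within window_s seconds."""
    by_host = defaultdict(list)
    for ts, host, family in parse(lines):
        by_host[host].append((ts, family))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            fams = [f for t, f in hits[i:] if t - start <= timedelta(seconds=window_s)]
            if len(fams) >= threshold:
                alerts[host] = sorted(set(fams))
                break
    return alerts
```

Lowering `threshold` to 1 reports every single hit, which is useful for the single-file cases above but noisier in a real environment.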
Ransomware Attacks
1. WordPress ransomware
• WordPress ransomware, as the name suggests, targets WordPress website files.
• The victim is extorted for ransom money, as is typical of ransomware.
• The more in-demand the WordPress site, the more likely it is to be attacked by
cybercriminals using ransomware.
2. The Wolverine case
• Wolverine Solutions Group (a healthcare supplier) was the victim of a ransomware attack
in September 2018.
• The malware encrypted a large number of the company's files, making it impossible for
many employees to open them.
• Fortunately, forensics experts were able to decrypt and restore the data on October 3.
• However, a lot of patient data was compromised in the attack. Names, addresses,
medical data and other personal information could have fallen into the hands of
cybercriminals.
Ransomware as a Service
• Ransomware as a Service gives cybercriminals with low technical
capabilities the opportunity to carry out ransomware attacks.
• The malware is made available to buyers, which means lower risk
and higher gain for the programmers of the software.
• Anatomy of Ransomware
• https://www.youtube.com/watch?v=aykf0P5Qtb8
