Ransomware is the leading cyber security threat in 2018. In a recent podcast, Hal Lonas, CTO of the security software provider Webroot, offered a succinct explanation of how ransomware has flipped the security threat paradigm on its ear. “It used to be that the bad guys wanted data because it was valuable to them,” he said. “With ransomware, they’re essentially asking: ‘your data isn’t valuable to me, but how much is worth to you?’ It’s scary how smart it is.” New types of ransomware will continue to surface. Hackers are constantly modifying ransomware code to evade detection by defense technologies, such as security software. This year, we’ve witnessed a surge in “polymorphic” malware, which is malware that changes automatically to appear unique to different endpoints. Security software often fails to discover these variants. To decrypt files, hackers typically request payment in the form of bitcoin or other cryptocurrencies.
Email is the signature method for distributing ransomware. It's spread using some form of social engineering; victims are tricked into downloading an e-mail attachment or clicking a link. Once the end user acts, the malware installs itself on the system and begins encrypting files.
10 of Today’s Leading Ransomware Strains
There are a variety of ransomware strains making their way around and infecting end users. Here are the top 10 strains in order of how common they appear in the wild:
WannaCry: WannaCry spread through the Internet using an exploit vector named EternalBlue, which was leaked from the U.S. National Security Agency. The ransomware attack, unprecedented in scale, infected more than 230,000 computers in over 150 countries, using 20 different languages to demand money from users.
Locky: Locky is typically spread via an email message disguised as an invoice. When opened, the invoice is scrambled, and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption. The spam campaigns spreading Locky are operating on a massive scale. One company reported blocking 5 million emails associated with Locky campaigns over the course of two days
Cerber: Cerber targets cloud-based Office 365 users and is using an elaborate phishing campaign.
Jaff: This ransomware is spread using malicious PDF or WSF files that have an embedded docm file, which downloads an encoded executable. After the downloaded file is decoded, the ransomware encrypts the user’s files.
Cryrar/ACCDFISA: The Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate executable RAR archiver file to place the victim’s files in password-encrypted RAR-sfx archives.
Spora: Spora spreads via USB drives whilst also encrypting files. The sophistication of this threat could easily make it the new Locky. It uses statistical values about encrypted files to calculate the ransom amount.
Purgen/GlobeImposter: GlobeImposter is a ransomware-type virus that mimics the Purge ransomware. Following infiltration, GlobeImposter encrypts various files and appends any number of various extensions to the name of each encrypted file.
Shade: Shade is ransomware-type virus proliferated via malicious websites (exploit kits) and infected email attachments. Shade encrypts most files stored on the infected machine. Shade changes the desktop background and creates a .txt file which states that the files are encrypted and that the email address provided must be used to receive instructions for decryption.
Crysis: This new form of ransomware can encrypt files on fixed, removable, and network drives and it uses strong encryption algorithms and a scheme that makes it difficult to crack within a reasonable amount of time.
CryptoWall: CryptoWall first appeared in early 2014, and variants have appeared with a variety of names, including: Cryptorbit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0, among others.
Educating End Users About Ransomware
Most people think about ransomware as a security issue. But, that’s not entirely accurate. Ransomware makes backup and security inseparable. A proper business protection strategy requires a three-pronged approach, comprising education, security and backup.
Education: Make sure that you have tools and a strategy in place to educate the entire organization. For example, all current and new employees should have to go through some basic cyber security training. During this training, businesses should provide specific visual examples of what a phishing email looks like, which is one of the leading causes of a ransomware infection. This is an essential part of protecting against attacks and it should become a fundamental practice in any business today.
Security: When it comes to defending systems against ransomware, antivirus software is essential for any business. Firewall and web filtering are also a must. Most security vendors recommend this type of multi-layered approach to protect against ransomware.
Backup: Modern backup solutions take snapshot based, incremental backups as frequently as every five minutes to create a series of recovery points and allow businesses to run applications from backup copies of virtual machines. When it comes to the threat of ransomware, the benefits of a data protection solution are three-fold:
- Your business will never need to pay hackers ransom to get critical data back.
- Your business will avoid data loss since backups are taken frequently and can be restored quickly.
- Your business won’t experience significant downtime.
National Cyber Security Awareness Month with SumnerOne
Ransomware is only one of the major cyber security threats businesses are facing in 2018. Raising awareness about cyber security threats and sharing educational information is one way that end users can stay ahead of becoming victims. SumnerOne has created a campaign to show our support and raise awareness for National Cyber Security Awareness Month. Be sure to follow along and subscribe to our blog to stay up-to-date with the latest information.
Originally published October 2, 2018, updated April 18, 2019