By now we all know the effect a ransomware attack can have on an organisation. If you are not aware of the history of these attacks and which groups are active on the current threat landscape, you should be. Educating yourself is the first step to understanding how threat actors operate and what tactics, techniques and procedures (TTPs) they use. With this knowledge you can strengthen your defences and reduce the chance of your organisation being hit.
What is ransomware? Ransomware is a type of malicious software that denies users access to their systems, software and files until a ransom is paid. It is most often delivered through phishing emails carrying malicious attachments or links, though, as the examples below show, some strains spread on their own by exploiting unpatched network services.
Read on to find out more about what ransomware is, notorious examples, and how you can protect your organisation from these attacks.
What is Ransomware and How Does it Work?
Ransomware is malicious software (malware) that is installed on a computer, typically after a user clicks a link or opens a downloaded file that carries it. Once running, it encrypts the user’s files or locks the system outright. What sets ransomware apart from other malware is the extortion: the attackers demand a ransom in return for restoring access to your computer, files and data.
If a ransomware attack gets past your first line of defence, Risk Crew’s recommendation is not to pay the ransom demanded, as threat actors rarely return all of your data.
How Does Ransomware Cause Harm?
Ransomware victims risk losing their data permanently once the malware has run on their computer. Even when the ransom is paid, victims seldom get all of their data back. The ransom itself can be a significant financial loss for a business, and on top of it comes the cost of lost productivity: some employees may be unable to use their computers at all, and considerable time is spent recovering files and restoring data from backups.
Let’s now get acquainted with four notorious examples of Ransomware you should know about.
Petya and NotPetya, 2016 – 2017
Petya first appeared in 2016, delivered to individuals as malicious email attachments. Its 2017 successor NotPetya, which spread by itself across corporate networks, was later estimated to have caused more than 10 billion dollars in losses to organisations worldwide.
Petya overwrites the Master Boot Record of the system with its own malicious boot code, so that its payload rather than Windows runs at the next start-up and encrypts the master file table of the disk. To bring that reboot about, it attempts to force a “hard error” in Windows; if that fails, the malware creates a scheduled task that reboots the machine after a set delay. The ransom note then demands a few hundred dollars’ worth of bitcoin per machine (around 300 dollars in the case of NotPetya).
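Those two reboot mechanisms leave traces a defender can look for. The Python below is an added example, not Risk Crew’s tooling or the malware’s code: it scans process-creation events for a scheduled task or at job whose action is a forced reboot. Only the schtasks command line follows the one reported for NotPetya; the events around it, the host names and the pipe-delimited log format are constructed for the example.

```python
"""Flag scheduled tasks whose action is a reboot, as NotPetya created when its
forced hard error did not restart the machine.

Added example, not Risk Crew's tooling. The event lines are constructed:
"<timestamp>|<host>|<image>|<command line>", loosely modelled on Windows
process-creation events. Only the schtasks command line follows the one
reported for NotPetya.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_EVENTS = [
    # Constructed: NotPetya-style unnamed one-shot task that forces a reboot.
    '2017-06-27T12:41:03|WS-0142|C:\\Windows\\System32\\cmd.exe|'
    'cmd.exe /c schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:42',
    '2017-06-27T12:41:05|WS-0142|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:42',
    # Constructed: legitimate backup task, no reboot involved.
    '2017-06-27T12:45:11|SRV-BK01|C:\\Windows\\System32\\schtasks.exe|'
    'schtasks /Create /SC daily /TN "Nightly Backup" /TR "C:\\Tools\\backup.exe" /ST 02:00',
    # Constructed: an administrator rebooting directly; too noisy to alert on.
    '2017-06-27T12:47:30|WS-0077|C:\\Windows\\System32\\shutdown.exe|'
    'shutdown.exe /r /t 30 /c "Patch reboot"',
    # Constructed: the older at.exe scheduler used to the same effect.
    '2017-06-27T12:48:02|WS-0088|C:\\Windows\\System32\\cmd.exe|'
    'cmd.exe /c at 15:00 "C:\\Windows\\system32\\shutdown.exe /r /f"',
]

SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
AT_SCHEDULE = re.compile(r"\bat(?:\.exe)?\s+\d{1,2}:\d{2}\b", re.IGNORECASE)
REBOOT_ACTION = re.compile(r"shutdown(?:\.exe)?\s[^\"]*?[/-]r\b", re.IGNORECASE)
EMPTY_TASK_NAME = re.compile(r'/TN\s+""', re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    host: str
    severity: str
    reason: str
    command_line: str


def classify(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a command schedules a reboot, else None.

    A direct, interactive shutdown is deliberately not flagged: administrators
    do that routinely. What is unusual is scheduling a forced reboot, and an
    unnamed one-shot task doing so is the NotPetya pattern.
    """
    if not REBOOT_ACTION.search(command_line):
        return None
    if SCHTASKS_CREATE.search(command_line):
        if EMPTY_TASK_NAME.search(command_line):
            return "high", "unnamed one-shot scheduled task forces a reboot"
        return "medium", "scheduled task forces a reboot"
    if AT_SCHEDULE.search(command_line):
        return "medium", "at.exe job forces a reboot"
    return None


def detect(events: List[str]) -> List[Finding]:
    """Run classify() over pipe-delimited process-creation events."""
    findings = []
    for line in events:
        timestamp, host, _image, command_line = line.split("|", 3)
        verdict = classify(command_line)
        if verdict is not None:
            severity, reason = verdict
            findings.append(Finding(timestamp, host, severity, reason, command_line))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} [{f.severity}] {f.reason}: {f.command_line}")
```

Run against the constructed events, the two NotPetya-style lines from WS-0142 come back as high severity, the at job from WS-0088 as medium, and the backup task and the administrator’s direct reboot are ignored. In a real environment the same logic applies to Sysmon event 1 or Security event 4688 command lines.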
This family hit many industries around the world: banking, transport, oil, the food supply chain and healthcare. The most notable victims of the 2017 NotPetya outbreak included the National Bank of Ukraine, Mondelez (food), Merck (pharmaceuticals) and Rosneft (oil).
WannaCry, 2017
WannaCry was probably the most devastating ransomware attack in history in terms of monetary loss. At the time, the estimated loss was 4 billion dollars, while the amount demanded to release each machine was only around 300 dollars.
Unlike the other examples here, WannaCry did not rely on phishing emails: it was a worm that spread by exploiting a vulnerability in Microsoft’s SMBv1 file-sharing protocol (the EternalBlue exploit, for which Microsoft had issued patch MS17-010 two months earlier), so any unpatched Windows machine reachable over the network could be infected without anyone clicking anything. Within days, over 230 thousand computers had been hit. Victims included FedEx, Telefónica, Nissan, the NHS and Renault.
Although most infections occurred in 2017, the worm is still circulating and still finds unpatched systems: WannaCry detections increased by 53% from January to March 2021.
A quick tip: be wary of emails claiming that you are infected with WannaCry and demanding a ransom payment. These are often plain emails with no malware attached at all, just a scare tactic to trick the recipient into paying.
Ryuk, 2018 – 2021
Ryuk surfaced in August 2018 and stood out for its “big game hunting” strategy: rather than spraying infections at consumers, it targets enterprises that can pay a high-value ransom, so each successful intrusion returns a large sum for comparatively little effort.
Like many other ransomware families, Ryuk was spread through phishing emails containing malicious links and attachments. To have their files decrypted, victims were typically asked for between 100,000 and 500,000 dollars, making Ryuk one of the most expensive ransomware operations in history.
By early 2021, researchers tracing Ryuk’s bitcoin payments estimated that its operators had collected more than 150 million dollars since the malware first appeared in 2018. It became famous in December 2018 for halting the printing of major newspapers in the United States, but newspapers were far from its only targets: well over 100 companies were hit, among them EMCOR Group (engineering and industrial construction) and Epiq Global (legal services), all suffering hefty financial losses.
In 2021, a Ryuk variant gained the ability to move laterally and spread by itself within a Windows domain. It does not stop at machines that are powered on: it sends Wake-on-LAN packets to wake hosts that are powered off but still connected by a wired network, then encrypts their shares over the network. It also obtains privileged access to the machines it reaches, which is what lets it spread so widely.
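The Wake-on-LAN trick is easy to spot on the wire, because a magic packet has a fixed shape and normally only a management host has any business sending one. The Python below is an added example, not Risk Crew’s tooling or the ransomware’s code: it builds the magic packet format (six 0xFF bytes, the target MAC repeated 16 times, optionally a 4- or 6-byte SecureOn password) and flags any such packet in a capture whose sender is not on an allow-list. The capture records, the IP addresses and the single allowed management host are constructed for the example.

```python
"""Wake-on-LAN magic packets: the mechanism the 2021 Ryuk variant used to power
on idle hosts before encrypting them over the network.

Added example, not Risk Crew's tooling or the ransomware's code. Builds the
packet format and flags WoL packets in a capture that come from anything other
than the management host allowed to send them. The capture records and the
allow-list are constructed for the example.
"""
import re
from typing import Iterable, List, Optional, Tuple

MAGIC_SYNC = b"\xff" * 6
MAGIC_LEN = 6 + 6 * 16  # 102 bytes without a SecureOn password


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF."""
    parts = re.split(r"[:\-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Exactly what a WoL sender (legitimate or Ryuk) puts in the UDP payload."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return MAGIC_SYNC + mac_to_bytes(mac) * 16 + password


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC as lowercase 'aa:bb:cc:dd:ee:ff' if payload is a
    well-formed magic packet, else None. Anything shorter, with a broken sync
    stream, an inconsistent MAC repetition or an odd trailer is rejected."""
    if len(payload) < MAGIC_LEN or payload[:6] != MAGIC_SYNC:
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * 16:
        return None
    if len(payload) - MAGIC_LEN not in (0, 4, 6):
        return None
    return ":".join(f"{b:02x}" for b in mac)


# Assumption for the example: only this host is supposed to wake machines.
MANAGEMENT_HOSTS = {"10.0.0.5"}

Record = Tuple[str, str, int, bytes]  # (src IP, dst IP, dst UDP port, payload)


def detect_rogue_wol(records: Iterable[Record], allowed=MANAGEMENT_HOSTS) -> List[Tuple[str, str]]:
    """(sender, woken MAC) for every magic packet sent by a non-approved host.
    A workstation waking its neighbours is the Ryuk tell. The port is ignored
    on purpose: WoL works on any UDP port, 7 and 9 are merely customary."""
    findings = []
    for src, _dst, _port, payload in records:
        target = parse_magic_packet(payload)
        if target is not None and src not in allowed:
            findings.append((src, target))
    return findings


# Constructed capture, not real traffic.
CAPTURE: List[Record] = [
    ("10.0.0.5", "10.0.0.255", 9, build_magic_packet("00:1a:2b:3c:4d:5e")),  # management host
    ("10.0.0.73", "255.255.255.255", 9, build_magic_packet("00:1a:2b:3c:4d:5f")),  # workstation waking a peer
    ("10.0.0.73", "255.255.255.255", 7, build_magic_packet("00-1A-2B-3C-4D-60", b"\x01\x02\x03\x04\x05\x06")),
    ("10.0.0.12", "10.0.0.1", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),  # DNS, not WoL
]

if __name__ == "__main__":
    for src, mac in detect_rogue_wol(CAPTURE):
        print(f"{src} sent Wake-on-LAN for {mac}")
```

On the constructed capture only the two packets from the workstation 10.0.0.73 are reported. The parser is strict on purpose: a truncated packet or one whose 16 MAC copies disagree is not a magic packet and would not wake anything, so it is not worth an alert.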
Quick fact: the contact addresses in Ryuk ransom notes end in @protonmail.com or @tutanota.com, and the note does not state a price; the victim has to email the attacker to find out how much they must pay for the decryption key.
Macaw Locker, 2021
In September 2021, Olympus, a leading medical technology company, was hit by a ransomware attack that disrupted its EMEA operations.
Unfortunately, while the firm was still working towards recovery it was attacked again in October 2021, this time with Macaw Locker, the ransomware operated by the Russian cyber-crime group Evil Corp. The second attack impacted operations in the US, Canada and Latin America.
Macaw Locker’s operators are known to hit the same organisation more than once, either because the weakness they found is still there and easy to exploit again, or because they are confident the target is likely to pay what they demand.
Macaw Locker appends the .macaw extension to the name of each encrypted file and, as it works through the target, drops a ransom note named macaw_recover.txt into each folder. Evil Corp is under US Treasury sanctions, which makes paying it legally risky for victims, and it has already rebranded its ransomware several times (WastedLocker, Hades, PayloadBIN) to work around that. Now that Macaw Locker has been publicly linked to the group, expect it to evolve and rebrand again.
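Those two file-system traces are what an incident responder looks for first when scoping an outbreak. The Python below is an added example, not Risk Crew’s tooling: it walks a directory tree, collects .macaw files and macaw_recover.txt notes, and points out folders that hold encrypted files but no note yet, which is where the locker was most likely still running when it was stopped. The sample tree is constructed in a temporary directory so the sweep runs offline.

```python
"""Sweep a directory tree for the file-system traces of Macaw Locker described
above: files renamed with a .macaw extension and a macaw_recover.txt ransom
note in each affected folder.

Added example, not Risk Crew's tooling. The sample tree is constructed in a
temporary directory so the sweep can run offline.
"""
import os
import tempfile
from collections import Counter
from typing import Dict, List

ENCRYPTED_EXT = ".macaw"
RANSOM_NOTE = "macaw_recover.txt"


def sweep(root: str) -> Dict[str, object]:
    """Walk root once; return encrypted files, ransom notes and per-folder counts."""
    encrypted: List[str] = []
    notes: List[str] = []
    per_folder: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lowered.endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
                per_folder[dirpath] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "per_folder": dict(per_folder)}


def original_name(path: str) -> str:
    """Recover the pre-encryption file name. Renaming alone recovers nothing;
    the content still needs the decryption key or a clean backup."""
    if not path.lower().endswith(ENCRYPTED_EXT):
        raise ValueError(f"not a {ENCRYPTED_EXT} file: {path}")
    return path[: -len(ENCRYPTED_EXT)]


def folders_without_note(result: Dict[str, object]) -> List[str]:
    """Folders holding encrypted files but no note: the locker was probably
    interrupted there, so some files may be only partly encrypted."""
    note_dirs = {os.path.dirname(n) for n in result["notes"]}
    return sorted(d for d in result["per_folder"] if d not in note_dirs)


def build_sample_tree() -> str:
    """Constructed sample: two folders fully hit, one interrupted, one clean."""
    root = tempfile.mkdtemp(prefix="macaw_demo_")
    layout = {
        "finance": ["q3.xlsx.macaw", "budget.docx.macaw", RANSOM_NOTE],
        "hr": ["payroll.csv.macaw", RANSOM_NOTE],
        "scans": ["img001.png.macaw", "img002.png"],  # note not yet dropped
        "public": ["readme.txt", "logo.png"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = sweep(root)
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} notes")
    for folder in folders_without_note(result):
        print("no note yet in", folder)
```

Against the constructed tree the sweep finds four encrypted files and two notes, and singles out the scans folder as the one the locker had not finished. Point sweep() at a mounted image of an affected share to get the same picture for a real incident.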
How Can You Protect Against Ransomware?
You have now taken the first step towards understanding some notable ransomware groups and the malware they deploy. But it can seem impossible to keep up with ever-evolving cyber-criminal groups and the tactics they use.
Technology alone cannot protect your systems, so your staff are your first line of defence. Staff who are trained to recognise and report phishing can stop many attacks before they start, since phishing remains the most common way in.
Technical controls matter just as much. Keep all systems and software up to date with the latest security patches (WannaCry spread only through machines that had not applied a patch available two months earlier) and disable legacy protocols such as SMBv1 where they are not needed. Limit administrative privileges so that a single compromised account cannot reach every machine in the domain. Back up your files frequently, keep at least one copy offline or otherwise unreachable from the network, and test that you can actually restore from it: ransomware operators routinely delete or encrypt any backups they can reach, so a backup that is permanently connected to the network offers little protection.
Protect Against Ransomware With Risk Crew
If you need help training or testing your staff against attacks, Risk Crew offers staff awareness training and social engineering testing — that includes phishing email exercises.
Our eRiskology™ course is a comprehensive information security training and awareness programme. eRiskology is an effective way to instil an information security awareness culture in your business. The key to making your staff mindful of the multitude and severity of security threats to your business’s information assets is to “get it in their heads”, which is done through a variety of teaching techniques.
If you already have a robust ransomware programme in place, consider Risk Crew’s Ransomware Readiness Audit Service, which is designed to test your business’s readiness for a ransomware attack and its ability to recover from one in the event that prevention fails.
If you need more advice or would like more information about what we can do for your business, get in touch with our team, who will be happy to help.