By now we all know what a ransomware attack is and what effect it can have on an organisation. If you are not aware of the history of these attacks and which groups are active on the current threat landscape, you should be. Educating yourself is the first step to understanding how threat actors operate and what tactics, techniques and procedures (TTPs) they use. With that knowledge you can strengthen your defences and reduce the chance of your organisation being the next victim.
Let’s now get acquainted with four notorious examples of Ransomware you should know about.
Petya / NotPetya, 2016 – 2017
Petya first appeared in 2016, delivered by emails carrying malicious attachments or download links. Its variants, above all the NotPetya worm that broke out in June 2017, went on to cause global financial losses estimated at well over 10 billion dollars, making it one of the costliest malware outbreaks on record.
Petya does not encrypt individual files the way most ransomware does. It overwrites the Master Boot Record (MBR) of the system disk with its own malicious bootloader and then forces a reboot by raising a Windows "hard error" (the NtRaiseHardError API); if that fails, the malware creates a scheduled task that reboots the machine after a set delay. When the machine comes back up the malicious bootloader runs instead of Windows, encrypts the Master File Table so the disk becomes unreadable, and shows the ransom screen. The note demands a few hundred dollars' worth of Bitcoin per machine (the 2017 NotPetya note asked for 300 dollars), and in NotPetya's case the single contact email address was shut down within hours, so paying could not have recovered anything.
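The scheduled-task fallback described above leaves a clear trace in process-creation telemetry: a `schtasks /Create` whose action is `shutdown /r /f`. The detection logic below is an added example (not code from the original page or from any vendor) that runs over a handful of constructed Sysmon/4688-style events; the field names, the sample command lines and the list of suspicious parent processes are assumptions for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 / Windows 4688 style).
# These are invented samples for illustration, not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "rundll32.exe",
     "cmdline": 'schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:35'},
    {"host": "ws02", "parent": "svchost.exe",
     "cmdline": 'schtasks /Create /SC daily /TN "NightlyBackup" /TR "C:\\Tools\\backup.exe" /ST 02:00'},
    {"host": "ws03", "parent": "explorer.exe",
     "cmdline": "shutdown /r /t 0"},
    {"host": "ws04", "parent": "explorer.exe",
     "cmdline": 'cmd.exe /c schtasks /create /tn updater /tr "shutdown.exe -r -f" /sc once /st 09:00'},
]

SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?[/-]create\b", re.IGNORECASE)
# The /TR argument is either a double-quoted string or a single bare token.
TASK_ACTION = re.compile(r"[/-]tr\s+(?:\"([^\"]*)\"|(\S+))", re.IGNORECASE)
EMPTY_TASK_NAME = re.compile(r"[/-]tn\s+\"\"", re.IGNORECASE)
# Assumed list of parents that should not normally be scheduling reboots.
SUSPICIOUS_PARENTS = {"rundll32.exe", "wmic.exe", "psexesvc.exe", "powershell.exe", "mshta.exe"}


def is_forced_reboot(action: str) -> bool:
    """True if the task action runs shutdown with both the restart (/r) and force (/f) switches."""
    if not re.search(r"\bshutdown(?:\.exe)?\b", action, re.IGNORECASE):
        return False
    has_restart = re.search(r"(?:^|\s)[/-]r\b", action, re.IGNORECASE) is not None
    has_force = re.search(r"(?:^|\s)[/-]f\b", action, re.IGNORECASE) is not None
    return has_restart and has_force


def find_forced_reboot_tasks(events):
    """Return one finding per event that schedules a forced reboot via schtasks."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if not SCHTASKS_CREATE.search(cmd):
            continue
        m = TASK_ACTION.search(cmd)
        if not m:
            continue
        action = m.group(1) if m.group(1) is not None else m.group(2)
        if not is_forced_reboot(action):
            continue
        reasons = ["scheduled task runs shutdown /r /f"]
        if EMPTY_TASK_NAME.search(cmd):
            reasons.append("task name is empty")          # legitimate admins name their tasks
        if ev["parent"].lower() in SUSPICIOUS_PARENTS:
            reasons.append(f"created by {ev['parent']}")
        findings.append({
            "host": ev["host"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "action": action,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_forced_reboot_tasks(SAMPLE_EVENTS):
        print(finding)
```

A plain interactive `shutdown /r` (ws03) is not flagged, and a reboot task created by an ordinary parent (ws04) is only medium severity; an unnamed task created by `rundll32.exe` (ws01) is the combination worth paging someone for. Raw writes to `\\.\PhysicalDrive0` are the other Petya tell-tale, but they need a driver or EDR sensor rather than process logs.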
Petya and its variants hit many industries around the world: banking, transportation, oil, food supply chains and healthcare. The most notable victims of the June 2017 NotPetya outbreak include the National Bank of Ukraine, Mondelez (food), Merck (pharmaceuticals) and Rosneft (oil).
WannaCry, 2017
WannaCry, which struck in May 2017, was probably the most devastating ransomware attack in history in terms of monetary loss. The estimated loss was around 4 billion dollars, while the ransom demanded to release each machine was only about 300 dollars in Bitcoin (doubling to 600 after three days).
Although early reports blamed phishing emails, WannaCry spread as a worm: it exploited a vulnerability in the Server Message Block version 1 (SMBv1) protocol using the leaked EternalBlue exploit, for which Microsoft had released the MS17-010 patch two months earlier, and any unpatched machine reachable on TCP port 445 could be infected without anyone clicking anything. Over 230 thousand computers in around 150 countries were hit. Some of the organisations attacked were FedEx, Telefónica, Nissan, the NHS and Renault.
Although most infections occurred in 2017, this ransomware is still active today. A kill-switch domain halted the original outbreak, but machines that remain unpatched with SMBv1 exposed continue to be hit, and WannaCry detections rose by 53% between January and March 2021.
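The practical question WannaCry leaves behind is "which of my hosts will still negotiate SMBv1?". The probe below is an added example, not code from the page: it sends a NetBIOS-framed SMB1 NEGOTIATE request offering only the `NT LM 0.12` dialect and classifies the reply. A host that answers with an SMB1 negotiate response still has the legacy protocol enabled; a host that drops the connection (the usual behaviour of modern Windows with SMB1 removed) does not. The `make_reply` helper fabricates responses so the classifier can be exercised offline; it is constructed sample data, and the exact header flag values are conventional choices rather than anything the page specifies.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """NetBIOS-framed SMB1 NEGOTIATE request that offers only SMB1 dialects."""
    header = (
        SMB1_MAGIC
        + bytes([SMB_COM_NEGOTIATE])
        + b"\x00\x00\x00\x00"    # NT status
        + b"\x18"                # Flags: case-insensitive, canonical paths
        + b"\x01\x28"            # Flags2 (little-endian 0x2801): long names, ext. security, NT status
        + b"\x00\x00"            # PIDHigh
        + b"\x00" * 8            # SecurityFeatures
        + b"\x00\x00"            # Reserved
        + b"\x00\x00"            # TID
        + b"\x01\x00"            # PIDLow
        + b"\x00\x00"            # UID
        + b"\x00\x00"            # MID
    )                            # 32-byte SMB header
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # dialect list, each 0x02 + name + NUL
    body = b"\x00" + struct.pack("<H", len(data)) + data        # WordCount=0, ByteCount, dialects
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb           # NetBIOS session message


def classify_negotiate_reply(reply: bytes) -> str:
    """Interpret the reply to build_smb1_negotiate(). An empty reply means the server closed the socket."""
    if not reply:
        return "smb1-disabled"
    if len(reply) < 4 + 32:
        return "malformed"
    smb = reply[4:]                                  # strip the 4-byte NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return "smb2-only"                           # answered as SMB2 despite our SMB1-only offer
    if not smb.startswith(SMB1_MAGIC) or smb[4] != SMB_COM_NEGOTIATE:
        return "malformed"
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return "malformed"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:                      # MS-CIFS: WordCount=1, DialectIndex=0xFFFF -> no match
        return "smb1-no-common-dialect"
    return "smb1-enabled"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect to host:445, offer SMB1 only, and report what the server does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate())
        try:
            reply = s.recv(1024)
        except ConnectionResetError:
            reply = b""
        except socket.timeout:
            return "timeout"                         # filtered or silent; do not count as safe
    return classify_negotiate_reply(reply)


def make_reply(word_count: int, dialect_index: int) -> bytes:
    """Constructed SMB1 NEGOTIATE response for offline testing (only the inspected fields are set)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27       # 32 bytes
    params = bytes([word_count]) + struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    smb = header + params + b"\x00\x00"                                     # ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
```

Run it against your own address ranges only, and treat "timeout" as unknown rather than safe. Note that SMBv1 being enabled and MS17-010 being missing are two separate findings: the patch closes the EternalBlue hole, while removing SMBv1 altogether (Microsoft's recommendation since 2017) also takes the attack surface away from future bugs in that code.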
A quick tip: pay attention to any emails in your inbox claiming you are infected by WannaCry and demanding a ransom payment. Often these are plain emails with no malware attached at all, simply a scare tactic to trick the end user into paying a ransom for an infection that never happened.
Ryuk, 2018 – 2021
Ryuk surfaced in August 2018 and was considered a distinctive type of ransomware because it used the so-called "big game hunting" strategy: rather than spraying infections widely, it targets large enterprises that can pay a high-value ransom, so a comparatively small number of intrusions yields a large return.
Like many other ransomware families, Ryuk arrives at the end of an intrusion that starts with a phishing email containing a dangerous link or attachment, typically via the Emotet or TrickBot loaders, which give the operators a foothold before Ryuk itself is deployed. In order for files to be decrypted, victims were required to pay a hefty amount, commonly between 100,000 and 500,000 dollars and sometimes far more, making Ryuk one of the most expensive ransomware operations in history.
By early 2021 more than 150 million dollars in ransom payments had been traced to Ryuk-linked Bitcoin wallets. Ryuk became notorious in December 2018 when it halted the printing operations of major newspapers in the United States, including the Los Angeles Times. Newspapers were far from the only victims: over 100 organisations were hit, among them EMCOR Group (engineering and industrial construction) and Epiq Global (legal services), all suffering heavy financial losses.
In early 2021 a worm-like Ryuk variant was documented that moves laterally on its own inside a Windows domain: it enumerates reachable hosts, copies itself to them over SMB administrative shares and launches the copy with scheduled tasks created remotely over RPC. It does not stop at machines that are powered on: it sends Wake-on-LAN magic packets so that powered-off machines with wired network connections boot up and can be encrypted too. It does all this with the privileged domain credentials the operators have already stolen earlier in the intrusion, so any account that can log on to every workstation is exactly what it needs.
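The wake-then-spread behaviour above is visible on the network: a single host emits Wake-on-LAN magic packets and, shortly afterwards, opens SMB connections to many distinct hosts. The code below is an added example (not Ryuk's code and not from the original page) that parses magic packets and correlates them with a tcp/445 fan-out. It assumes flow records with `ts`, `src`, `dst`, `proto`, `dport` and (for UDP) `payload` fields, as you could derive from Zeek connection logs plus captured datagrams; the window and threshold values, and the sample flows it is run on, are constructed for illustration.

```python
from collections import defaultdict


def parse_wol_magic(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a Wake-on-LAN magic packet, else None.

    A magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16 times. An optional
    4- or 6-byte SecureOn password may follow, so only the first 102 bytes are checked.
    """
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def wol_magic(mac_hex: str) -> bytes:
    """Build a magic packet for a MAC given as 'aa:bb:cc:dd:ee:ff' (used here to construct sample traffic)."""
    mac = bytes.fromhex(mac_hex.replace(":", ""))
    return b"\xff" * 6 + mac * 16


def detect_wake_and_spread(flows, window=300, min_targets=8):
    """Flag sources that send Wake-on-LAN magic packets and, within `window` seconds of the first one,
    open SMB (tcp/445) connections to at least `min_targets` distinct hosts."""
    first_wol = {}                 # src -> timestamp of its first magic packet
    woken = defaultdict(set)       # src -> MACs it tried to wake
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["proto"] == "udp" and f["dport"] in (7, 9):     # the usual WoL ports
            mac = parse_wol_magic(f.get("payload", b""))
            if mac:
                first_wol.setdefault(f["src"], f["ts"])
                woken[f["src"]].add(mac)
    findings = []
    for src, t0 in first_wol.items():
        targets = {f["dst"] for f in flows
                   if f["src"] == src and f["proto"] == "tcp" and f["dport"] == 445
                   and t0 <= f["ts"] <= t0 + window}
        if len(targets) >= min_targets:
            findings.append({"src": src, "first_wol": t0,
                             "woken_macs": len(woken[src]), "smb_targets": len(targets)})
    return findings


def sample_flows():
    """Constructed flow records (not real capture data): one host behaving like the Ryuk worm variant,
    one backup server that legitimately wakes two machines, and one unrelated UDP/9 datagram."""
    flows, t = [], 1_700_000_000
    # 10.0.1.7 wakes three machines, then fans out over SMB to twelve hosts within two minutes
    for i, mac in enumerate(["00:50:56:aa:00:01", "00:50:56:aa:00:02", "00:50:56:aa:00:03"]):
        flows.append({"ts": t + i, "src": "10.0.1.7", "dst": "10.0.1.255",
                      "proto": "udp", "dport": 9, "payload": wol_magic(mac)})
    for i in range(12):
        flows.append({"ts": t + 30 + i * 5, "src": "10.0.1.7", "dst": f"10.0.1.{20 + i}",
                      "proto": "tcp", "dport": 445})
    # 10.0.2.5 (backup server) wakes two machines and only talks SMB to those two
    for i, mac in enumerate(["00:50:56:bb:00:01", "00:50:56:bb:00:02"]):
        flows.append({"ts": t + 3600 + i, "src": "10.0.2.5", "dst": "10.0.2.255",
                      "proto": "udp", "dport": 9, "payload": wol_magic(mac)})
    for i in range(2):
        flows.append({"ts": t + 3660 + i, "src": "10.0.2.5", "dst": f"10.0.2.{30 + i}",
                      "proto": "tcp", "dport": 445})
    # a UDP/9 datagram that is not a magic packet must not count as Wake-on-LAN
    flows.append({"ts": t + 10, "src": "10.0.3.9", "dst": "10.0.3.255",
                  "proto": "udp", "dport": 9, "payload": b"\xff" * 6 + b"\x01" * 50})
    return flows


if __name__ == "__main__":
    for finding in detect_wake_and_spread(sample_flows()):
        print(finding)
```

Wake-on-LAN on its own is not suspicious; patching and backup systems use it nightly, which is why the backup server above is not flagged. The combination with a rapid SMB fan-out from the same source is what distinguishes the worm. Tune `window` and `min_targets` to your environment, and alert on a large 445 fan-out by itself as well, since the variant also spreads to machines that were already on.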
Quick fact: Ryuk ransom notes give contact addresses ending in @protonmail.com or @tutanota.com and do not state a price. The victim is required to email the attackers to find out how much they must pay for the decryption key.
Macaw Locker, 2021
In September 2021 Olympus, a leading medical technology company, was hit hard by a ransomware attack that disrupted the company's EMEA operations (the ransom note left on its systems was attributed to the BlackMatter group).
Unfortunately, while the firm was still working towards recovery it was attacked again in October 2021, this time with Macaw Locker, a ransomware operated by Evil Corp. The second attack impacted operations in the U.S., Canada and Latin America.
Repeat attacks on the same organisation within weeks are common. The weaknesses that let the first intruder in are often still present while the clean-up is under way, and a victim that has been breached once is seen by other groups as a target that is likely to pay the amount they demand.
Macaw Locker appends the .macaw extension to the file name of each encrypted file and drops a ransom note named macaw_recover.txt in every folder it encrypts. Evil Corp has rebranded its ransomware repeatedly (WastedLocker, Hades, Phoenix, PayloadBin and now Macaw) to get around the US Treasury sanctions that make paying the group illegal for American victims, so now that Macaw has been exposed we will likely see Evil Corp evolve it and rebrand again.
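File extension and ransom-note name are the first indicators a responder looks for when triaging a share, and because they change with every rebrand they have to be kept in a table rather than hard-coded. The script below is an added example (not from the page or from any vendor) that walks a directory tree and reports, per family, how many encrypted files and ransom notes it finds; the Macaw entry comes from the text above and the Ryuk and WannaCry entries are their well-known indicators. The `build_sample_tree` helper creates a constructed directory that looks like a Macaw Locker hit purely so the triage can be run offline.

```python
import tempfile
from pathlib import Path

# Encrypted-file extension and ransom-note name per family. The Macaw entry is from the text above;
# the Ryuk and WannaCry entries are their well-documented indicators. Extend this table as names change.
FAMILY_INDICATORS = {
    "Macaw Locker": {"extension": ".macaw", "note": "macaw_recover.txt"},
    "Ryuk":         {"extension": ".ryk",   "note": "RyukReadMe.txt"},
    "WannaCry":     {"extension": ".wncry", "note": "@Please_Read_Me@.txt"},
}


def triage_tree(root):
    """Walk `root` and return, per family, how many encrypted files and ransom notes were found,
    plus the first few note paths (useful for the incident timeline: notes carry mtimes)."""
    root = Path(root)
    result = {fam: {"encrypted_files": 0, "notes_dropped": 0, "sample_notes": []}
              for fam in FAMILY_INDICATORS}
    note_names = {ind["note"].lower(): fam for fam, ind in FAMILY_INDICATORS.items()}
    ext_names = {ind["extension"].lower(): fam for fam, ind in FAMILY_INDICATORS.items()}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        fam = note_names.get(p.name.lower())
        if fam:
            result[fam]["notes_dropped"] += 1
            if len(result[fam]["sample_notes"]) < 3:
                result[fam]["sample_notes"].append(str(p.relative_to(root)))
            continue
        fam = ext_names.get(p.suffix.lower())          # "budget.xlsx.macaw" -> ".macaw"
        if fam:
            result[fam]["encrypted_files"] += 1
    return result


def likely_family(result):
    """Name the family with the most artefacts, or None if the tree shows no known indicators."""
    fam, stats = max(result.items(),
                     key=lambda kv: kv[1]["encrypted_files"] + kv[1]["notes_dropped"])
    return fam if stats["encrypted_files"] + stats["notes_dropped"] > 0 else None


def build_sample_tree() -> Path:
    """Create a constructed directory tree resembling a Macaw Locker hit (sample data, not a real case)."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    for folder in ("Finance", "Finance/2021", "HR"):
        d = root / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "macaw_recover.txt").write_text("constructed ransom note\n")
    (root / "Finance" / "budget.xlsx.macaw").write_bytes(b"\x00" * 64)
    (root / "Finance" / "2021" / "q3.docx.macaw").write_bytes(b"\x00" * 64)
    (root / "HR" / "payroll.csv.macaw").write_bytes(b"\x00" * 64)
    (root / "HR" / "handbook.pdf").write_bytes(b"%PDF-1.4 untouched")   # not encrypted
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    report = triage_tree(sample)
    print(likely_family(report), report)
```

Run `triage_tree` against a mounted image or a read-only copy of the share, never the live system, and treat the result as a starting point: a rebranded build with a new extension and note name will score zero here, which is exactly why the table needs maintaining and why behavioural detections (mass file renames, note drops in many folders) matter more than names.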
Prevent attacks and stop paying the ransom
You've now taken the first step in understanding some notable ransomware groups and the malware they deploy. It can seem impossible to stay up to date with ever-evolving cybercriminal groups and the tactics they use.
We all know that technology alone cannot protect your systems. Your next step should therefore be your staff, as they are your first line of defence: if staff are empowered with training, they can stop the phishing email that starts most of the attacks above.
However, if at any point a ransomware attack gets past your first line of defence, Risk Crew's recommendation is not to pay the ransom demanded, as threat actors rarely return all of your data.
If you already have a robust ransomware programme in place, consider Risk Crew's Ransomware Readiness Audit Service, which is designed to test your business's readiness for a ransomware attack and its ability to recover from one in the event that your defences fail.