Ransomware Attacks 101 – from Wannacry to Darkside
Think of ransomware attacks as virtual kidnapping. Ransomware actors use encryption to hold your devices’ functions and files hostage or lock you out of your system. Then they request a ransom for its release. These actors are mostly motivated by financial gain, like kidnappers.
However, paying a ransom doesn’t guarantee that you get some or all of your files back. Kaspersky research shows that only a quarter of people who pay a ransom get their full data returned. Therefore, caution is the parent of safety when it comes to ransomware attacks.
To prevent these attacks, you need to understand how to identify threats.
This post educates you on the operations of common ransomware attacks, so you can eliminate them before they disrupt your entire system.
What are ransomware attacks?
Ransomware is a type of malicious software (malware) that blocks access to your computer system or encrypts your data until a fee, called a ransom, is paid. If the ransom is paid, you receive a decryption key to retrieve your files or the attacker unlocks your files for you. If the payment is not made, the malicious actor publishes your data online or on the dark web, or blocks access to your files forever.
Ransomware attacks are often linked with credential security issues and poor password hygiene. They are also spread through phishing emails and software vulnerabilities. In the past, attackers usually announced data exfiltration immediately, to put pressure on payments. But, with changing times comes shifting ransomware tactics. More recently, attackers have started delaying public announcements, motivating companies to pay up to avoid public embarrassment.
According to the State of Ransomware 2022 report from Sophos, 66% of the organizations surveyed were hit with ransomware in 2021, an increase of 29% compared to 2020. 90% of those organizations said the attack mostly impacted their ability to operate, and among private sector organizations, 86% said it caused a loss in revenue.
Types of ransomware attacks
In a locker ransomware attack, a hacker or ransomware gang uses malware that blocks access to some or all computer files or functions. They use social engineering techniques like phishing, or compromised Active Directory credentials, to infiltrate systems. Once inside, they block users’ access to their system until the ransom is paid.
Some locker ransomware denies complete access to files while only partially disabling your mouse and keyboard. However, locker ransomware does not infiltrate the entire computer network or attack the files on the computer; it generally just locks you out. Complete destruction of your data is therefore unlikely, which makes it easier to find locker ransomware and remove it without paying the ransom.
The attacker might demand payment of any amount via Perfect Money, a QIWI Visa Virtual Card number, cryptocurrency, or any other untraceable money transfer platform to unlock the files. Although locker ransomware is simple, it can deal a devastating blow to one’s computer. It’s encrypted with an advanced encryption system called AES (Advanced Encryption Standard), and if you don’t know the key, it’s nearly impossible to break. However, if you’ve backed up your files, you can easily retrieve them without paying the ransom.
Crypto ransomware (also called encryptors) is one of the most well-known and damaging ransomware variants. Unlike locker ransomware, crypto-ransomware encrypts important data such as documents, pictures, and videos, but does not interfere with basic computer functions. Users can see their files but cannot access them. Crypto hackers often add a countdown to their ransom demand: “If you don’t pay the ransom by the x deadline, all your files will be deleted.” Because many users are unaware of the need for backups in the cloud or on external physical storage devices, crypto-ransomware can have a devastating impact.
Crypto-ransomware essentially takes the files hostage, demanding a ransom in exchange for the decryption key needed to restore the files. Like Locker ransomware, crypto hackers use compromised credentials, system vulnerabilities, passwords, and phishing to infiltrate systems.
Ransomware as a service (RaaS) enables hackers to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment. The fees depend on the ransomware’s complexity and features, and generally, there’s an entry fee to become a member. Once members infect computers and collect ransom payments, a portion of the ransom is paid to the RaaS creator under previously agreed-upon terms.
RaaS fosters a gig economy, making it more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.
The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. It also involves perpetrators renting access to a ransomware type (like locker or crypto-ransomware) from the ransomware author, who offers it as a pay-for-use service. RaaS creators host their ransomware on dark net sites and allow criminals to purchase it as a subscription — much like a SaaS model.
WannaCry is a crypto-ransomware worm that attacks the Windows OS. WannaCry, also known as WannaCrypt, WannaCryptor, and Wanna Decryptor, spreads using EternalBlue, an exploit that had been discovered by the National Security Agency (NSA). It’s a form of malware that can spread from PC to PC across networks (hence the “worm” component) and, once on a computer, encrypt critical files (the “crypto” part). The perpetrators then demand ransom payments to unlock those files. The name was derived from strings of code detected in some of the first samples of the virus.
WannaCry is one of the first examples of a worldwide ransomware attack. It began with a cyber attack on May 12, 2017, that affected hundreds of thousands of computers in as many as 150 countries, including systems in the National Health Services of England and Scotland, FedEx, the University of Montreal, and Honda. Taking advantage of a vulnerable version of the Server Message Block (SMB) protocol, it ultimately infected more than 200,000 machines in more than 150 countries.
Unlike phishing attacks, WannaCry doesn’t require computer users to click on a link or open an infected file. It simply looks for other vulnerable systems to enter (for example through weak passwords or, in some versions, stolen credentials), then copies and executes itself, again and again. The only way for an infected user to access WannaCry-encrypted files is to have an external backup copy of those files. It has been reported that even though some organizations paid the Bitcoin ransom, none of the encrypted files were returned.
During the Baltimore ransomware attack of May 7, 2019, the American city of Baltimore, Maryland had its servers largely compromised by a ransomware variant called RobbinHood. Baltimore became the second U.S. city to fall victim to this new variant after Greenville, North Carolina, and was the second major U.S. city with a population of over 500,000 people to be hit by ransomware, after Atlanta was attacked the previous year.
The city of Baltimore spent about $10 million on recovery efforts because of this 2019 ransomware attack, not including an $8.2 million loss in revenues such as taxes, fees, and fines.
SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Early in the morning of February 21, 2018, the Colorado Department of Transportation (CDOT) fell victim to a SamSam ransomware attack that hit the State of Colorado’s 300 services, all databases and applications, and 1,300 computers. CDOT employees discovered the incident when business hours started and they tried logging onto the network.
The first known version of SamSam ransomware appeared in late 2015. Also known as Samas or SamsamCrypt, it targets organizations across multiple industries, including critical infrastructure establishments in the healthcare and public health sectors, the transportation sector, and the education sector. SamSam uses vulnerabilities in Remote Desktop Protocol (RDP), Java-based web servers, or File Transfer Protocol (FTP) servers to gain access to the victims’ network, or brute-forces weak passwords to obtain an initial foothold.
SamSam specializes in targeted ransomware attacks, breaking into networks and encrypting multiple computers across an organization before issuing a high-value ransom demand. The group is believed to be behind the attack on the city of Atlanta in March, which saw numerous municipal computers encrypted.
According to an alert issued by the Cybersecurity & Infrastructure Security Agency (CISA) on December 3rd, 2018, the SamSam ransomware gang exploits vulnerabilities in an organization’s Windows servers. In this way, malicious actors gain unlawful access to the company network and infect all accessible hosts. In the CDOT incident, devices across the department’s system all displayed the now-infamous ransom note.
Once the encryption process is completed, the malicious actors leave a ransom note on the infected devices containing instructions on how to contact them on a Tor hidden service site.
DarkSide is a ransomware gang that operates as a Ransomware-as-a-Service (RaaS) operation, selling its services to affiliate malware gangs on the dark web. DarkSide ransomware is a relatively new strain that threat actors have been using to target multiple large, high-revenue organizations, resulting in the encryption and theft of sensitive data and threats to make it publicly available if the ransom demand is not paid. First seen in August 2020 and updated as v2.0 in March 2021, the ransomware is associated with the DarkSide group and now often operates under the RaaS model.
DarkSide ransomware uses brute force attacks and exploits known vulnerabilities in the Remote Desktop Protocol (RDP) to gain initial access. After initial access, it validates the machines to infect, collecting information about computer names and system languages during its initial code execution. DarkSide is used to target English-speaking countries. It identifies data backup applications, exfiltrates data, and then encrypts local files as part of the ransomware deployment.
An event where hackers used DarkSide ransomware:
- In early May 2021, Colonial Pipeline, one of the largest pipelines in the United States, was forced to shut down operations due to a large-scale ransomware attack on its digital infrastructure. The 5,500-mile pipeline carries over 45 percent of the total fuel consumption of the Eastern Seaboard. As a result, Colonial Pipeline operations were down for numerous days while the company turned its attention to getting the pipeline back in operation. Due to the shutdown, Americans in the Eastern United States saw fuel shortages and a spike in fuel prices.
What had happened was a ransomware attack, linked to the DarkSide group, that struck Colonial Pipeline’s networks. At the time of the attack, supply shortage concerns prompted gasoline futures to reach their highest level in three years.
Five days after the hack was announced, the national average price for a gallon of regular gas had pushed past $3 for the first time since 2014 (though gas prices were already on an upswing before the pipeline shutdown), with bigger jumps in some states the pipeline serves, including Georgia, North and South Carolina, and Virginia.
The U.S. government has recovered a “majority” of the millions of dollars paid in ransom to hackers behind the Colonial Pipeline cyberattack, U.S. Department of Justice officials say.
Ransomware Payment: Colonial Pipeline paid nearly $5 million to Eastern European hackers on May 7, 2021, contradicting reports that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline.
Ryuk Ransomware was first noticed in August of 2018 when it started targeting large organizations for high ransom amounts. While other ransomware attacks cast a wide net and target a large number of different people and organizations in hopes that the attack will be successful in one or two, Ryuk ransomware deployments are bespoke to the network attackers are working to compromise. Ryuk has the ability to identify and encrypt network drives and resources, as well as delete shadow copies on the endpoint. This means the attackers can then disable Windows System Restore for users, making it impossible to recover from an attack without external backups or rollback technology.
Ryuk is a sophisticated ransomware threat that has been targeting businesses, hospitals, government institutions, and other organizations since 2018. The Ryuk attackers demand higher ransom payments from their victims compared to many other ransomware gangs. The ransom amounts associated with Ryuk typically range between 15 and 50 Bitcoins, or roughly between $100,000 and $500,000, although higher payments have reportedly been paid. Because the attackers go after organizations with critical assets that are more likely to pay, a technique the security industry calls “big game hunting,” the Ryuk gang is very successful at monetizing their campaigns.
Microsoft refers to Ryuk as a human-operated ransomware attack, and it’s part of a larger trend of ransomware gangs adopting highly targeted and stealthy techniques that were primarily associated with advanced persistent threat (APT) groups in the past. Being human-operated means that attackers execute multi-level attacks against company networks. It starts with carefully selecting targets rather than adopting an automated, “spray and pray” approach, and requires both broad and specific knowledge of the target infrastructure in order to succeed. Ryuk usually begins with phishing emails; once it infiltrates a system, it encrypts its files.
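As an added illustration (not code from the original post or from Specops), here is a small Python detection routine for the shadow-copy deletion and System Restore tampering the Ryuk paragraph describes, run over constructed process-creation log lines; the pipe-delimited log layout and the rule names are assumptions chosen for this example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style; not real
# telemetry). Field layout assumed for this example: Image|CommandLine|ParentImage
SAMPLE_LOGS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe report.txt|C:\Windows\explorer.exe",
]

# Detection rules: (name, regex applied to the normalised command line). They cover
# the shadow-copy deletion and recovery tampering described for Ryuk above.
RULES = [
    ("shadow_copy_delete_vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_delete_wmic", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("shadow_storage_resize_vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("recovery_disabled_bcdedit", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("backup_catalog_delete_wbadmin", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case or spacing changes don't evade the rules."""
    return " ".join(cmdline.lower().split())


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event into its three fields."""
    image, cmdline, parent = line.split("|", 2)
    return {"image": image, "cmdline": cmdline, "parent": parent}


def detect(lines) -> list:
    """Return (rule_name, original_command_line, parent_image) for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = normalise(ev["cmdline"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, ev["cmdline"], ev["parent"]))
    return hits


def triage(hits) -> str:
    """Escalate when several distinct recovery-tampering techniques appear together:
    a single 'vssadmin delete shadows' may be an administrator, but several different
    techniques in one batch look like ransomware staging before encryption."""
    distinct = {name for name, _, _ in hits}
    if len(distinct) >= 2:
        return "critical"
    if distinct:
        return "high"
    return "none"


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for name, cmd, parent in found:
        print(f"[{name}] {cmd}  (parent: {parent})")
    print("triage:", triage(found))
```

In a real deployment the same rules would run against your EDR or Sysmon process-creation telemetry, with the parent image used to separate backup-software maintenance from an interactive shell.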
How do you keep your company information safe from the clutches of digital kidnappers? Here are 4 ways to prevent ransomware attacks.
Backups are the best way to ransomware-proof your data. Backups are only effective when they are cyber-resilient. Cyber-resilient backups are encrypted and immutable, and they restore data accurately. When backing up:
- Include data, system and application files, databases, virtual machines, and any data on SaaS platforms.
- Test backups and recovery processes regularly to ensure they work. Conduct test backups at least once a month.
- Follow the 3-2-1-1 principle. It advises storing four separate copies of your data: two stored locally in different formats, one stored offline, and one saved in an immutable format. Unlike encrypted data, immutable data can’t be altered, as there is no key to “unlock” it with. IDC now recommends that you store one copy of your data on immutable storage or in the cloud.
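An added example, not from the original post: a Python routine that records a SHA-256 manifest at backup time and verifies a restored copy against it, flagging files that came back modified (what an encryptor leaves behind), missing, or unexpected. The directory layout and file names are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, '/'-separated path) to its digest.
    Keep the manifest with the backup, ideally on the immutable copy."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest recorded at backup time.
    'modified' = same path, different bytes (what an encryptor leaves behind);
    'missing' = restore incomplete; 'unexpected' = files not in the backup."""
    current = build_manifest(restored_root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: back up a small tree, restore it cleanly, then tamper
    with the restored copy the way a crypto-ransomware would."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly figures\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(src)
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        clean = verify_restore(manifest, restored)
        # Same path, different bytes (encrypted), one file lost, one note dropped.
        (restored / "docs" / "report.txt").write_bytes(b"\x8f\x12\xa0 not your report")
        (restored / "config.ini").unlink()
        (restored / "README_DECRYPT.txt").write_text("constructed ransom note")
        tampered = verify_restore(manifest, restored)
    return {"clean": clean, "tampered": tampered}
```

Running this check as part of the monthly restore test turns "the backup job reported success" into evidence that the restored data is byte-for-byte what was backed up.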
- Zero-Trust Model
The Zero-Trust Model means treating every user, device, and request in your network as if it originates from an untrusted external source. It is rooted in the principle of “never trust, always verify.” The model uses strong authentication methods, leverages network segmentation, prevents lateral movement, provides Layer 7 threat prevention, and simplifies granular “least access” policies to protect modern environments and enable digital transformation.
If done correctly, a Zero Trust architecture results in higher overall levels of security, and it can also reduce security complexity and operational overhead.
Adopting a zero-trust principle to guide your cyber security means leaving no room for human error. It’s a defensive mechanism intended to eliminate implicit trust and instead validate at every stage of digital interaction. Zero Trust ensures relevant least privilege and secure access to corporate resources, limiting the attack surface and decreasing the chances of ransomware attacks.
- Vulnerability Scanning
According to the Ransomware Index Report Q1 2022 by Cyber Security Works (CSW) and Ivanti, 22 new vulnerabilities and nine new weaknesses were associated with ransomware in Q1 2022, an increase of 7.6% from January.
Configuring parameters and scheduling scans is critical to avoiding operational disruption if bandwidth is limited. Vulnerability scanners are designed to alert you when they detect abnormal behavior on your IT network, so you stand a better chance of catching cyber criminals before they encrypt or steal your information.
A vulnerability scanner pinpoints the number of affected endpoints and servers by probing connected systems within your network to identify areas of potential exposure that cyber attackers and exploits can take advantage of.
Specops Password Auditor tool scans your Active Directory for password-related vulnerabilities.
- Regular patches and updates of software and operating systems
Along with social engineering tactics, outdated and vulnerable systems are ransomware’s most common attack vectors. Update your applications and operating systems as soon as new patches become available, and retire any legacy technology you may have on your network. Outdated systems leave plenty of vulnerabilities that cybercriminals can exploit, whereas updated systems help businesses patch up those access points and keep their data protected.
WannaCry, for instance, principally targets out-of-date systems. The WannaCry attack owes its success to the 200,000 compromised machines running the 30-year-old SMB v1 protocol, with the help of the EternalBlue exploit. Many organizations hadn’t updated their systems with Microsoft’s critical security update for the SMB vulnerability, which had been released a week earlier. Those whose systems were unpatched found themselves unable to access their internet.
It’s also essential to implement company-wide security training for all employees. Social engineering, especially phishing, is a common way for malicious actors to access your system. Educating every staff member about ransomware tactics reduces your chances of being vulnerable to attackers.
(Last updated on August 8, 2022)