
Blog Post

Jan 23

Ransomware 2017-2018

By the 3rd quarter of 2017, 64% of malicious email attacks carried one form of ransomware or another. These attacks are on the rise, so it seems prudent to share some information about them, along with some strategies for prevention and removal. Below we list the top 10 ransomware attacks, followed by some specific steps that can be taken.

Top Ten Ransomware Attacks

As seen on Tech Republic

10. Jigsaw - Starts as a malicious email and, upon user interaction, encrypts and even deletes files unless the user pays $150. Named for the clown image from the movie Saw, which it embeds in some email viewers. First seen in 2016.

9. Cryptomix - This attack is generally followed by an email from the actual attacker, as no payment portal is included in its design.

8. Cerber - Ransomware as a service. Widely deployed by non-hackers who share their extorted funds with the software's developers.

7. Spora - A JavaScript popup that insists the user must update Google Chrome via the popup; the "update" then infects the user and steals credentials and personal information. This often leads to both extortion and the sale of the user's data.

6. Jaff - Jaff uses a botnet to send millions of spam emails daily and, upon infection, demands 1.79 bitcoin (worth over $16,000 at current value).

5. Nemucod - Active since 2015 as a phishing attack that uses compromised systems to plant malware. Appears as a shipping invoice.

4. CrySis - An attack based on the RDP (Remote Desktop Protocol) service. It generally starts with the attacker spoofing a software company to gain access, or with a brute-force attack on RDP, allowing escalated privileges and network-level infection.

3. Locky - Phishing vector, with emerging variants named Diablo and Lukitus, as reported by Tech Republic and Proofpoint.

2. WannaCry - aka WannaCrypt. So far the most devastating ransomware, making use of EternalBlue, which in turn exploited a vulnerability in Microsoft's SMB (Server Message Block) protocol.

1. NotPetya - This attack started as a spoof of Ukrainian tax software, then infected hundreds of thousands of computers in over 100 countries. This ransomware uses the same exploit as WannaCry, coupled with the original Petya ransomware.

Prevention Strategies

On Windows, start with the MBSA (Microsoft Baseline Security Analyzer). Make a backup of your system if it contains important files, or keep an installer handy if it doesn't. Show hidden file extensions; this makes it easier to spot malicious file types such as PDF.EXE, which is not something to trust. Refuse .exe files by email if you have filters, and tell anyone who needs to send you an executable to use Dropbox or Google Cloud instead. Disable files running from the AppData/LocalAppData folders. Worst case, a fresh install will generally wipe out any ransomware, along with everything else on your machine. Finally, if you aren't planning on getting remote desktop help anytime soon, disable RDP services altogether.
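The "refuse .exe files by email" and "PDF.EXE" points above can be turned into a simple gateway check. The following is an added example, not code from the original post: it parses a constructed sample message with Python's standard `email` module and flags attachments whose final extension is executable, distinguishing the double-extension trick (Invoice.PDF.exe) that hidden file extensions conceal. The extension lists and the `classify_attachment` / `scan_message` names are my own choices.

```python
"""Inbound-mail attachment filter (added example, not from the post)."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js",
                   "jse", "wsf", "hta", "ps1", "msi", "jar", "lnk"}
# Document-looking extensions attackers put in front of the real one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_attachment(filename: str) -> str:
    """Return 'allow', 'block:executable' or 'block:double-extension'."""
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return "allow"                       # no extension at all
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return "allow"
    # "Invoice.PDF.exe": a decoy document extension hides the real one.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "block:double-extension"
    return "block:executable"


def scan_message(raw: bytes) -> list:
    """Return (filename, verdict) for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():      # skips the text body part
        name = part.get_filename() or ""
        results.append((name, classify_attachment(name)))
    return results


def build_sample() -> bytes:
    """Constructed sample: a fake shipping invoice with three attachments."""
    msg = EmailMessage()
    msg["From"] = "shipping@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your shipping invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    msg.add_attachment(b"var x;", maintype="application",
                       subtype="octet-stream", filename="tracking.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{name:20} {verdict}")
```

A real gateway would also open archives, since several of the families above arrive as scripts inside a zip, but the filename check alone already catches the two cases the post names.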

On Linux, use chattr to lock important files and prevent manipulation. Change SSH keys on new installations, and only enable RDP while you are actually using it. (Very few of these attacks even affect Linux users, but Erebus does/did, so precautions are still relevant.)

Fixing Ransomware Infections

Clean install vs. restore - In some cases a system restore may actually work, but if you have a physical backup copy it may still be wiser to do a clean install and then use the backup to restore what's missing. In some cases YouTube has videos that show precisely how to remove ransomware, depending on which attack it is (example below). This will most often require making repairs via safe mode, manipulating registry files, rooting out the malicious script, and being prepared to restart the process if anything goes wrong. We strongly urge users to make backups of important data and files and to be prepared for a fresh-install scenario.
