2016 was a busy year for ransomware. Some samples targeted critical infrastructure, while others went after rival crypto-malware families. Some adopted new techniques to prey upon users, whereas others went offline entirely.
Hundreds if not thousands of ransomware families now dominate the playing field. But they’re not all created equal. Here are 10 strains that made some of the biggest waves in 2016.
CryptoWall didn’t take part in any groundbreaking campaigns in 2016. But it did one significant thing: it survived. Researchers first detected CryptoWall on 19 June 2014. The fact that it’s still going more than two and a half years later is a testament to CryptoWall’s sophisticated design and to the persistence of ransomware as a threat.
Researchers at Cisco Talos identified SamSam as one of the first instances of a cryptoworm. Unlike traditional ransomware, which spreads primarily via phishing scams and exploit kit attacks, a cryptoworm mimics a computer worm’s userless distribution methods, which is why cryptoworms are believed to be the next generation of crypto-malware. SamSam exhibited this self-propagation in a March 2016 campaign when its operators paired it with JexBoss, a tool for scanning and exploiting vulnerable JBoss application servers. That pairing allowed SamSam to find a weak server, establish an initial network foothold, and move laterally to other vulnerable machines, encrypting data along the way.
In April 2016, security researchers released a decryption tool for a ransomware called Jigsaw. Their utility couldn’t have come at a better time. Jigsaw is a particularly sadistic form of ransomware that gives victims only 24 hours to pay the ransom of 150 USD. If they miss that deadline, Jigsaw begins deleting files every hour, increasing the number of files it deletes each time. Any funny business, including shutting down the computer, causes Jigsaw to delete 1,000 of the victim’s files. The ransomware keeps this up for 72 hours, at which point it deletes every remaining file with one of the 240 file extensions it targets.
Chimera first made headlines in November 2015. It distinguished itself from other ransomware by two main characteristics: its use of the peer-to-peer messaging service Bitmessage to exchange the key for its encryption process, and an invitation for victims to join its affiliate program.
Things went sour for Chimera after a few months of infecting unsuspecting users. In late July 2016, the developers of Petya and Mischa tweeted a link to a data dump of 3,500 Chimera decryption keys. That incident, one of the first documented rivalries between two ransomware groups, let many (but not all) Chimera victims decrypt their files for free.
6. Petya and Mischa
On 25 July 2016, the ransomware-as-a-service (RaaS) platform for Petya and Mischa officially launched. Each infection begins with a dropper running on the victim’s computer, and that dropper installs either Petya or Mischa. If it obtains administrative privileges, it loads Petya, which needs admin rights to replace the Master Boot Record (MBR) and encrypt the Master File Table (MFT). If it fails to get those rights, it loads Mischa instead, a more conventional ransomware that encrypts the user’s data at the file level.
Either way, affiliates get to keep a share of the ransomware’s profits. Their percentage depends on how much money they collect from victims.
Researchers first detected Cerber in early spring 2016. Though new to the malware scene, early versions of the ransomware quickly proved they weren’t messing around: each variant targeted network shares, the decryptor for many of those samples supported 12 different languages, and some samples even “spoke” the ransom note aloud using VBScript.
It’s therefore no wonder Cerber’s author ultimately built an affiliate system for their creation that spanned the globe. This RaaS platform contributed so much to Cerber’s total activity that its current yield reportedly nets the author nearly one million dollars a year from affiliates’ campaigns alone, independent of any attacks the author runs personally.
Most ransomware samples display the same standard ransom note to every victim. Not CryLocker. This malware locks a victim out of their computer and demands 45 USD within 24 hours. To heap on the pressure, CryLocker customizes its ransom note with the user’s name, birthday, location, IP address, system details, Skype, Facebook and LinkedIn account details, and other data it harvests from the infected computer. The ransomware then threatens to publish all of that information online unless the victim pays up.
HDDCryptor is a nasty family of ransomware. It enumerates mounted drives and encrypts all of their files, and it also finds and accesses previously connected drives and disconnected network paths. In addition, the crypto-malware applies disk-level encryption and overwrites the infected computer’s Master Boot Record (MBR) with its own bootloader, so that a ransom message appears at boot instead of the login screen.
Researchers first detected HDDCryptor in September 2016. Two months later, the ransomware made headlines when it infected around 2,000 systems at the San Francisco Municipal Transportation Agency (SFMTA), or “Muni,” and demanded 100 Bitcoins (approximately 70,000 USD) in ransom. Fortunately, the attack did not affect SFMTA’s rail and bus service, and the agency said it would restore access to its systems from working backups.
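Both Petya (above) and HDDCryptor leave the same artifact behind: sector 0 of the disk no longer carries the operating system’s boot code. The following script, an added example for this article and not code from any of the families, vendors or agencies discussed, records a baseline of a 512-byte MBR (boot-code hash, partition table, 55AA boot signature) and reports what differs in a later read. It is meant for forensic triage of a disk image or for a periodic integrity check of sector 0 on a live system; it does not stop the overwrite, and a family that reboots the machine immediately will already have replaced the sector by the time a scheduled check runs. The `build_sample_mbr` helper and both sample sectors are constructed for the demonstration; the `read_mbr` helper is where a real sector or image would come from.

```python
"""Baseline and check a 512-byte Master Boot Record (MBR).

Added example (not code from Petya, HDDCryptor, or any vendor): hash the
boot-code region and parse the partition table, then compare a later read
against the baseline. All sectors used below are constructed samples.
"""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510     # bytes 0x55 0xAA mark a valid MBR
BOOT_SIGNATURE = 0xAA55   # little-endian view of the bytes 55 AA


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, the used partition entries and the
    signature status. Entry layout: status(1) CHS(3) type(1) CHS(3) LBA(4) len(4)."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:PART_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 means the slot is unused
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    signature = struct.unpack_from("<H", sector, BOOT_SIG_OFFSET)[0]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": signature == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline.
    Boot code replaced with the partition table intact is the bootloader-swap
    pattern; a missing signature means the sector is unbootable or garbage."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (bootloader replaced?)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(device_path: str) -> bytes:
    # Sector 0 of a raw device or disk image, e.g. /dev/sda, \\.\PhysicalDrive0
    # or image.dd. Raw devices need root/administrator rights to open.
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one active NTFS partition at LBA
    2048, three empty slots, and a valid 55AA signature."""
    boot_code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed scenario: a known-good sector, and the same disk after its boot
# code has been swapped for a foreign bootloader (partition table untouched).
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x00" + b"\xcc" * 200)

if __name__ == "__main__":
    baseline = parse_mbr(GOOD_MBR)          # store this hash when the host is built
    print("good sector:", check_mbr(GOOD_MBR, baseline))
    print("tampered sector:", check_mbr(TAMPERED_MBR, baseline))
```

Take the baseline when a host is provisioned and keep it off the host (the same place the backups live); a finding on the boot-code hash with an unchanged partition table is the signal to pull the disk image rather than reboot.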
After months of tracking TeslaCrypt across spam campaigns and exploit kit attacks, researchers at the Slovak IT security firm ESET learned that its developers intended to abandon the ransomware. The researchers contacted the developers and asked for the master decryption key. In response, TeslaCrypt’s authors published the key, which ESET used to build a free decryption utility. Victims of the ransomware can now use this tool to regain access to their files.
Researchers detected the first sample of Locky in February 2016. Shortly thereafter, it made a name for itself when it infected the computer systems at Hollywood Presbyterian Medical Center in southern California. Officials chose to temporarily shut down the hospital’s IT systems while they worked to remove the ransomware, a decision that forced several departments to close and patients to be diverted elsewhere. Without working data backups, the executives at Hollywood Presbyterian ultimately decided to pay the ransom of 40 Bitcoin (approximately 17,000 USD).
In the months that followed, Locky went through at least seven iterations, each marking its encrypted files with a new extension: “.zepto,” “.odin,” “.shit,” “.thor,” “.aesir,” “.zzzzz,” and “.osiris.” It also leveraged unusual distribution channels such as SVG images sent over Facebook Messenger and fake Flash Player update websites.
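Those extensions are the cheapest detection signal Locky offers: a single user producing dozens of “.osiris” or “.zepto” files within a minute is an encryption run in progress. The script below, an added example that is not the article author’s or any vendor’s code, runs a sliding-window burst detector over a file-event log. The comma-separated log format (timestamp, host, user, action, path) and every sample line are constructed for the demonstration; the extension set is the one the article lists plus Locky’s original “.locky”. A single stray file never trips the threshold, so the alert fires on the pattern rather than on the name.

```python
"""Flag bursts of files renamed to Locky's known extensions in a file-event log.

Added example for this article (not the author's or any vendor's code). The log
format and sample lines are constructed; the extensions are those the article
lists plus the original ".locky".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".shit", ".thor",
                    ".aesir", ".zzzzz", ".osiris"}


def file_extension(path: str) -> str:
    """Lower-cased extension of the final path component ('' if none).
    Handles both Windows and POSIX separators, so 'bob.smith' in a directory
    name does not count as an extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def parse_event(line: str) -> dict:
    """Constructed format: ISO timestamp,host,user,action,path (path may contain commas)."""
    ts, host, user, action, path = line.strip().split(",", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "path": path}


def detect_locky_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (host, user) that produced at least `threshold` files
    with a Locky extension inside any span of length `window`. A deque per
    (host, user) holds only the timestamps still inside the window."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in ("CREATE", "RENAME"):
            continue
        ext = file_extension(ev["path"])
        if ext not in LOCKY_EXTENSIONS:
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "user": ev["user"], "extension": ext,
                           "count": len(q), "first_seen": q[0], "last_seen": ev["ts"]})
    return alerts


# Constructed sample log: alice touches one stray .zepto file (no alert);
# bob's profile is being encrypted to .osiris within a few seconds (alert).
SAMPLE_LOG = """\
2016-12-05T09:14:00,WS-042,alice,CREATE,C:\\Users\\alice\\Documents\\budget.xlsx
2016-12-05T09:14:05,WS-042,alice,RENAME,C:\\Users\\alice\\Documents\\0A1B2C3D.zepto
2016-12-05T09:15:01,WS-017,bob,RENAME,C:\\Users\\bob\\Documents\\E1F2A3B4C5D6E7F8.osiris
2016-12-05T09:15:02,WS-017,bob,RENAME,C:\\Users\\bob\\Documents\\A1B2C3D4E5F6A7B8.osiris
2016-12-05T09:15:02,WS-017,bob,RENAME,C:\\Users\\bob\\Pictures\\B1C2D3E4F5A6B7C8.osiris
2016-12-05T09:15:03,WS-017,bob,RENAME,C:\\Users\\bob\\Pictures\\C1D2E3F4A5B6C7D8.osiris
2016-12-05T09:15:04,WS-017,bob,CREATE,C:\\Users\\bob\\Desktop\\note.htm
2016-12-05T09:15:04,WS-017,bob,RENAME,C:\\Users\\bob\\Desktop\\D1E2F3A4B5C6D7E8.osiris
2016-12-05T09:15:30,WS-017,bob,RENAME,C:\\Users\\bob\\Desktop\\F1A2B3C4D5E6F7A8.osiris
""".splitlines()

if __name__ == "__main__":
    for alert in detect_locky_bursts(SAMPLE_LOG):
        print(f"{alert['host']}/{alert['user']}: {alert['count']} files -> "
              f"{alert['extension']} between {alert['first_seen']} and {alert['last_seen']}")
```

The same loop works on a live feed of file-system audit events; the useful response to an alert is to cut the (host, user) off from network shares first, since Locky, like Cerber, goes after mapped and unmapped shares once it has exhausted the local profile.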
As we look to the New Year, we can’t know exactly what digital threats await us in 2017, but we can be sure ransomware will be one of them. With that in mind, organizations should make sure they have implemented and tested a working data recovery strategy, and addressed exploit kit attacks by investing in vulnerability management, before the first of January arrives.