The first known ransomware was created in 1989 by Harvard-trained evolutionary biologist Joseph L. Popp. It was called the AIDS Trojan, also known as PC Cyborg. Popp mailed 20,000 infected diskettes labeled "AIDS Information – Introductory Diskettes" to attendees of the World Health Organization's international AIDS conference. The AIDS Trojan was "generation one" ransomware and relatively easy to overcome: it scrambled file names with simple symmetric cryptography, and because the key had to be present in the malware itself, decryption tools were soon available. But the AIDS Trojan set the scene for what was to come.
Seventeen years later, in 2006, another strain appeared that was much more invasive and harder to remove than its predecessor. The Archiveus Trojan was the first ransomware to use RSA encryption. It encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password.
June 2006 - GPcode, an encryption Trojan which spread via an email attachment purporting to be a job application, used a 660-bit RSA public key.
Alongside GPcode and its many variants, other types of ransomware circulated that did not encrypt anything but simply locked users out of their machines. WinLock, seen in 2010, displayed pornographic images until the user sent a $10 premium-rate SMS to receive the unlocking code.
2008 - Two years after the original GPcode, another variant of the same family, GPcode.AK, was unleashed on the public using a 1024-bit RSA key, well beyond any practical factoring effort at the time.
Mid 2011 - The first large-scale ransomware outbreak. Ransomware moves into the big time because anonymous payment services make it much easier for authors to collect money from their victims. About 30,000 new samples were detected in each of the first two quarters of 2011.
July 2011 - During the third quarter of 2011, new ransomware detections double to 60,000.
January 2012 - The cybercrime ecosystem comes of age with Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. Citadel makes it simple to produce ransomware and infect systems wholesale, with pay-per-install programs allowing cybercriminals to pay a minimal fee to install their ransomware on computers already infected by other malware. With Citadel in play, total infections surpassed 100,000 in the first quarter of 2012.
Cybercriminals begin buying crime kits like Lyposit (malware that pretends to come from a local law enforcement agency based on the computer's regional settings and instructs victims to use payment services in a specific country) for a share of the profit instead of a fixed fee.
March 2012 - Citadel and Lyposit lead to the Reveton Trojan, an attempt to extort money in the form of a fraudulent criminal fine. Reveton first showed up in European countries in early 2012. The exact "crime" and "law enforcement agency" are tailored to the user's location; the alleged offences are "pirated software" or "child pornography". The user is locked out of the infected computer and the screen is taken over by a notice informing the user of their "crime" and instructing them that to unlock the computer they must pay the fine using a service such as Ukash, Paysafecard or MoneyPak.
April 2012 - Urausy Police Ransomware Trojans are among the most recent entries in these attacks and are responsible for police ransomware scams that have spread throughout North and South America since April 2012.
July 2012 - Ransomware detections increase to more than 200,000 samples, or more than 2,000 per day.
November 2012 - Another version of Reveton was released in the wild pretending to be from the FBI’s Internet Crime Complaint Center (IC3). Like most malware, Reveton continues to evolve.
July 2013 - A version is released targeting OS X users that runs in Safari and demands a $300 fine. This strain does not lock the computer or encrypt files; it is a web page that opens a large number of iframes and pop-up dialogs that the user has to close. A separate version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine.
July 2013 - Svpeng: a mobile Trojan targeting Android devices, discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. By early 2014 it had evolved into ransomware, locking phones and displaying a message accusing the user of accessing child pornography. By summer 2014 a new version targeted U.S. users with a fake FBI message and a $200 payment demand, with variants in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager at Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days.
August 2013 - A version masquerading as fake security software known as Live Security Professional begins infecting systems.
September 2013 - CryptoLocker is released. It spread through drive-by downloads from compromised websites and through email attachments sent to business professionals, made to look like customer complaints, and was distributed by the Gameover ZeuS botnet, which had been capturing online banking information since 2011.
CryptoLocker's command-and-control server generated a 2048-bit RSA key pair per victim and sent only the public key to the infected machine; the private key never left the server. Files with certain extensions were encrypted (each with its own AES key, which was in turn encrypted with the RSA public key) and the originals deleted. Without the private key the data was unrecoverable, which is what made the extortion credible. The malware then threatened to delete the private key if payment was not received within three days. Payments initially could be made in Bitcoin or pre-paid cash vouchers.
With some versions of CryptoLocker, if the payment wasn't received within three days the user was given a second opportunity to pay a much higher ransom to get their files back. Ransom prices varied over time and with the particular version. The earliest CryptoLocker payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or comparable figures in other currencies.
November 2013 - The ransom changes. The going rate was 2 Bitcoins, or about $460. Victims who missed the original deadline could pay 10 Bitcoins (about $2,300) to use a "decryption service" that connected to the command-and-control servers: the victim uploaded the first 1024 bytes of an encrypted file, and the server searched its database for the matching private key.
Early December 2013 - 250,000 machines infected. An analysis of four Bitcoin addresses associated with CryptoLocker found that 41,928 Bitcoins had been moved through them between October 15 and December 18. At the then-current price of $661, that represents more than $27 million in payments received, not counting the other payment methods.
Mid December 2013 - The first CryptoLocker copycat software emerges, Locker, charging users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number.
Late December 2013 - CryptoLocker 2.0. Despite the similar name, CryptoLocker 2.0 was written in C# while the original was in C++, so it was likely the work of a different team. Among other differences, 2.0 only accepted Bitcoin, and it encrypted image, music and video files, which the original skipped. And while it claimed to use RSA-4096, it actually used RSA-1024. The infection methods were the same, however, and the screen image very close to the original.
Also during this timeframe, CryptorBit surfaced. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds, so the file's header (and with it the signature that identifies the format) is destroyed while the rest of the content is left untouched. It also seems able to bypass Group Policy restrictions put in place to defend against this type of infection. The gang uses social engineering, such as a rogue antivirus product, to get the end user to install the ransomware. Once the files are corrupted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment of up to $500 in Bitcoin. The software also installs cryptocurrency mining software that uses the victim's computer to mine coins such as Bitcoin and deposit them in the malware developer's wallet.
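Header-corrupting strains like CryptorBit leave a recognisable trace: the file's magic bytes are gone and the first kilobyte looks like random data, while the extension still says what the file was. The triage script below, an added example that is not from the original page or from any vendor tool, checks exactly that on a handful of constructed sample files. The signature table, the 7.0 bits-per-byte entropy threshold and the verdict names are my own assumptions, not anything CryptorBit's authors or responders published.

```python
import math
import os
from collections import Counter

HEADER_LEN = 1024  # the region the timeline says CryptorBit overwrites

# Assumed signature table, trimmed to a few common data formats.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "ooxml": (b"PK\x03\x04",),                       # .docx/.xlsx/.pptx are zip containers
    "ole2": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # legacy .doc/.xls
}
EXT_TO_TYPE = {
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".docx": "ooxml", ".xlsx": "ooxml", ".pptx": "ooxml",
    ".doc": "ole2", ".xls": "ole2",
}
HIGH_ENTROPY = 7.0  # bits per byte (assumed threshold); text and format headers sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_type(head: bytes):
    """Return the format whose signature the header carries, or None."""
    for kind, sigs in MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return kind
    return None


def triage(name: str, content: bytes) -> str:
    head = content[:HEADER_LEN]
    expected = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower())
    if expected is None:
        return "unknown-type"          # no signature to check for this extension
    if detect_type(head) == expected:
        return "intact"                # signature present: header was not overwritten
    if shannon_entropy(head) > HIGH_ENTROPY:
        return "header-overwritten"    # signature gone and header is noise: consistent with CryptorBit
    return "mismatch"                  # wrong signature but not random: renamed or mislabelled file


def scan(files):
    """files: mapping of filename -> bytes; returns filename -> verdict."""
    return {name: triage(name, data) for name, data in files.items()}


# --- constructed samples (not real victim data) ---
def _pseudo_random(n: int) -> bytes:
    # Deterministic stand-in for overwritten bytes: 73 is odd, so every byte value
    # appears equally often and the entropy of 1024 bytes is exactly 8.0.
    return bytes((i * 73 + 41) % 256 for i in range(n))


PDF_BODY = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n" * 40
SAMPLES = {
    "report.pdf": PDF_BODY,                                            # untouched
    "report_hit.pdf": _pseudo_random(HEADER_LEN) + PDF_BODY[HEADER_LEN:],  # first 1 KB overwritten
    "renamed.pdf": b"PK\x03\x04" + b"\x00" * 60,                       # a zip wearing a .pdf name
    "notes.txt": b"plain text, no signature to check\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:16} {verdict}")
```

The order of the checks matters: compressed formats such as PNG or .docx have high-entropy bodies, so the signature test has to run before the entropy test or intact files would be flagged. This is triage only; it tells you which files lost their header, not how to get the bytes back.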
February 2014 - CryptoDefense is released. It used Tor and Bitcoin for anonymity and 2048-bit RSA encryption. However, because it generated the key pair with Windows' built-in CryptoAPI and never cleaned up after itself, the private key was left behind on the infected computer in the Windows key store, where the victim could recover it. Despite this flaw, the attackers still earned at least $34,000 in the first month, according to Symantec.
April 2014 - The cybercriminals behind CryptoDefense release an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn't leave the private key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall was also delivered by drive-by exploitation, including a Java vulnerability: malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others redirected people to sites hosting the CryptoWall exploit, which then encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): "CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing." More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files encrypted. 1,683 victims (0.27%) paid a total of $1,101,900 in ransom. Nearly two-thirds paid $500, but amounts ranged from $200 to $10,000.
Koler.a: Launched in April, this police-ransom Trojan reached around 200,000 Android users, three-quarters of them in the US, who were searching for porn and ended up downloading the software. Since Android requires the user's permission to install any app, it is unknown how many people actually installed it after download. Users were told to pay $100 to $300 to remove it.
May 2014 - A multi-national team composed of government agencies managed to disable the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev who operated the botnet from his base on the Black Sea.
iDevice users in Australia and the U.S. started seeing a lock screen on their iPhones and iPads saying the device had been locked by "Oleg Pliss" and demanding $50 to $100 to unlock it. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. No malware was installed; it was a straight-up con using people's naiveté and features built into iOS. First, people were scammed into signing up for a fake video service that required entering their Apple ID. With those Apple IDs in hand, the attackers signed in to iCloud and used the Find My iPhone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.
July 2014 - The original Gameover ZeuS/CryptoLocker network resurfaced, no longer requiring payment via a MoneyPak key entered in the GUI; instead victims must install Tor or another anonymizing browser to pay the criminals directly. This lets malware authors skip money mules and improve their bottom line.
Cryptoblocker - July 2014. Trend Micro reported this new strain, which doesn't encrypt files larger than 100MB and skips anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.
On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.
August 2014 - Symantec reports crypto-style ransomware has seen a 700 percent-plus increase year-over-year.
SynoLocker appeared in August 2014. Unlike the others, which targeted end-user devices, this one was designed for Synology network-attached storage devices, exploiting a vulnerability in outdated versions of Synology's DSM firmware. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user had to go to an address on the Tor network to unlock the files.
This strain was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher at Kaspersky. Early versions had only an English-language GUI, but Russian was added later. The first infections were mainly in Russia, so the authors were likely from an Eastern European country other than Russia, since Russian security services quickly arrest and shut down Russians hacking targets inside their own country.
Late 2014 - TorrentLocker. According to iSight Partners, TorrentLocker "uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families." It spreads through spam and uses the Rijndael (AES) algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.
Early 2015 - CryptoWall takes off and replaces CryptoLocker as the leading ransomware infection.
April 2015 - CryptoLocker is now being localized for Asian countries, with attacks in Korea, Malaysia and Japan.
May 2015 - Criminal ransomware-as-a-service has arrived. In short, you can now go to a Tor website "for criminals by criminals", roll your own ransomware for free, and the site takes a 20% cut of every Bitcoin ransom payment. Also in May 2015, a new strain called Locker infected employees' workstations but sat there silently until midnight on May 25, 2015, when it woke up and started to wreak havoc in a massive way.
May 2015 - New "Breaking Bad-themed" ransomware is spotted in the wild. Apart from the theme, CryptoLocker.S is pretty generic. It is surprising how fast ransom Trojans have developed: a year ago every new strain was headline news, now it's on page 3. This version grabs a wide range of data files and encrypts them with a random AES key, which is then encrypted with the attacker's public key so that only the holder of the matching private key can recover it.
June 2015 - SANS InfoSec forum notes that a new version of CryptoWall 3.0 is in the wild, using resumes of young women as a social engineering lure: "resume ransomware".
June 2015 - The FBI, through its Internet Crime Complaint Center (IC3), released an alert on June 23, 2015 stating that between April 2014 and June 2015 the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. Ransomware gives cybercriminals an almost 1,500% return on their money.
July 2015 - An Eastern European cybercrime gang has started a new TorrentLocker campaign in which entire websites of energy companies, government organizations and large enterprises are scraped and rebuilt from scratch to spread ransomware via Google Drive and Yandex Disk.
July 2015 - Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family is relatively new, first detected in February 2015, and has been dubbed the "curse" of computer gamers because it targets many game-related file types.
September 2015 - An aggressive Android ransomware strain is spreading in America. Security researchers at ESET discovered the first real example of malware capable of resetting your phone's PIN to permanently lock you out of your own device. They called it LockerPin: it changes the infected device's lock-screen PIN and leaves victims with a locked screen, demanding a $500 ransom.
September 2015 - The criminal gangs that live off ransomware infections are targeting small and medium businesses (SMBs) instead of consumers, a new Trend Micro analysis shows. SMBs are targeted because they generally do not have the defenses of a large enterprise but can afford a $500 to $700 payment to get access to their files back.
The Miami County Communication Center's administrative network was compromised by a CryptoWall 3.0 infection which locked down its 911 emergency center. They paid a $700 Bitcoin ransom to unlock their files.
October 2015 - A new strain called LowLevel04 spreads via Remote Desktop and Terminal Services attacks. It encrypts data using RSA-2048 and demands four Bitcoin, double the then-typical $500 ransom. Specifically nasty is how it gets installed: brute-force password attacks against Internet-exposed machines running Remote Desktop or Terminal Services with weak passwords. No user interaction is needed, which is why exposed RDP with password-only authentication remains one of the most common ransomware entry points.
October 2015 - The nation’s top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker, Cryptowall and other malware without paying a ransom. “The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people just to pay the ransom.”
October 2015 - Staggering CryptoWall Damage: 325 Million Dollars. A brand new report from Cyber Threat Alliance showed the damage caused by a single criminal Eastern European cyber mafia. The CTA is an industry group with big-name members like Intel, Palo Alto Networks, Fortinet and Symantec and was created last year to warn about emerging cyber threats.
November 2015 - CryptoWall v4.0 is released with a redesigned ransom note and new filenames, and now encrypts a file's name along with its data, making it harder to tell which files matter. The new HTML ransom note is even more arrogant than the last one. It is also delivered by the Nuclear Exploit Kit, which causes drive-by infections without the user having to click a link or open an attachment.
November 2015 - A new strain is spotted with a very short 24-hour deadline, researchers crack the Linux.Encoder strain (its encryption key was derived from the system time at infection, so it could be recovered from file timestamps), and British Parliament computers are infected with ransomware.
December 2015 - Kaspersky reports that ransomware is doubling year over year, and Symantec reports that TeslaCrypt attacks moved from 200 to 1,800 a day.
January 2016 - A crude but damaging new strain called 7ev3n encrypts your data and demands 13 bitcoins (almost $5,000) to decrypt your files. That is the largest ransom demand we have seen to date for this type of infection, but it is only one of the problems with 7ev3n: in addition to the large demand, the malware also does a thorough job of trashing the Windows system it was installed on. DarkReading reports on a big week in ransomware.
February 2016 - Ransomware criminals infect thousands via a large-scale WordPress compromise. An unexpectedly large number of WordPress websites have been compromised and are delivering TeslaCrypt to unwitting visitors. Antivirus is not catching this yet.
February 2016 - New ransomware hidden in infected Word files. It was only a matter of time. A new strain, somewhat amateurishly named "Locky", is professional-grade malware. The major headache is that it starts with a Microsoft Word attachment carrying malicious macros, which are hard to filter out at the mail gateway because macro-enabled documents are also legitimate business traffic. Over 400,000 workstations were infected in just a few hours, data from Palo Alto Networks shows. Behind Locky is the Dridex gang, the 800-pound gorilla of the banking Trojan racket.
March 2016 - MedStar receives a massive ransomware demand. A Baltimore Sun reporter has seen a copy of the cybercriminal's demands. "The deal is this: Send 3 bitcoins — $1,250 at current exchange rates — for the digital key to unlock a single infected computer, or 45 bitcoins — about $18,500 — for keys to all of them."
April 2016 - News came out about a new strain that does not encrypt individual files but makes the whole hard disk inaccessible. As if encrypting files and holding them hostage were not enough, cybercriminals are now causing a blue screen of death (BSoD) and putting their ransom notes at system startup, before the operating system loads: the malware overwrites the Master Boot Record with its own boot loader, which then encrypts the NTFS Master File Table so that no file on the disk can be located. It's called Petya.
April 2016 - The Ransomware That Knows Where You Live. It's happening in the UK today, and you can expect it in America tomorrow [correction- it's already happening today]. The bad guys in Eastern Europe are often using the U.K. as their beta test area, and when a scam has been debugged, they go wide in the U.S. So here is what's happening: victims get a phishing email that claims they owe a lot of money, and it has their correct street address in the email. The phishing emails tell recipients that they owe money to British businesses and charities when they do not.
April 2016 - Mass spear phishing meets ransomware, which is now one of the greatest threats on the Internet. Also, a new strain called CryptoHost was discovered, which claims to encrypt your data and demands a ransom of 0.33 bitcoins (about $140 at the then-current rate) to get your files back. These criminals took a shortcut, though: the files are not encrypted but copied into a password-protected RAR archive.
April 2016 - CryptoWorms: Cisco's Talos Labs researchers had a look into the future and described how ransomware would evolve. It's a nightmare. They created a sophisticated framework for next-gen ransomware that will scare the pants off you. Also, a new strain called Jigsaw starts deleting files if you do not pay the ransom.
April 2016 - Ransomware On Pace To Be A 2016 $1 Billion Dollar Business. CNN Money reports about new estimates from the FBI show that the costs from so-called ransomware have reached an all-time high. Cyber-criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers. At that rate, ransomware is on pace to be a $1 billion a year crime this year.
Late April 2016 - New CryptXXX ransomware also steals your Bitcoins. Here's a new hybrid that does a multitude of nefarious things. A few months ago the Dridex gang moved into ransomware with Locky, and now the group behind Reveton follows suit with an even worse criminal malware multitool. At the moment CryptXXX spreads through the Angler Exploit Kit, which infects the machine with the Bedep Trojan, which in turn drops information stealers on the machine, and now adds professional-grade encryption, appending a .crypt extension to each filename. This entry was accompanied by a Proofpoint graph illustrating the growth of new strains in Q1 2016.
A blog post covering the first four months of 2016 describes an explosion of new strains.
May 2016 - Petya comes loaded with a double-barrel ransomware attack. If the initial overwrite of the Master Boot Record fails (typically because the dropper did not obtain administrator rights), the new installer falls back to a "conventional" file-encrypting strain called Mischa. The Proofpoint Q1 2016 threat report confirms that ransomware and CEO fraud dominate in 2016. A new version 4 of DMA Locker comes out with strong encryption and infects machines through drive-by downloads from compromised websites. In a surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key.
June 2016 - CryptXXX becomes UltraCrypter and targets data on unmapped network shares as well as local volumes, removable drives and mapped network shares. The Jigsaw strain morphs into new branding with an Anonymous skin and asks for a very high $5,000 ransom. The RAA ransomware goes after Russian victims, which is rare considering most cyber mafia are based there. A new strain called BART locks files by archiving them, is a Locky spinoff, and spreads by email attachment. The hybrid Satana strain both encrypts files and replaces the Master Boot Record (MBR) as Petya/Mischa does. EduCrypt demonstrates what happens when employees open infected attachments. Tripwire has a more detailed write-up. The upshot? Everyone and their cybercrime brother has jumped on the bandwagon.
July 2016 - A new strain dubbed Ranscam simply deletes files when it runs. A ransom note asking the victim for $125 in Bitcoin pops up, but the threat actors have no mechanism for restoring files. An update to Locky allows the malware to encrypt machines even when they're offline, falling back to an embedded public key instead of fetching one from its command-and-control server. The RaaS (Ransomware-as-a-Service) trend continues with Stampado ($39 for a lifetime license) and Petya/Mischa (the higher the ransom collected, the higher the affiliate's payout percentage) getting in on the action.
August 2016 - Hitler ransomware continues the recent trend of less-skilled cybercriminals simply deleting files in the hope of a quick buck. The wildly popular Pokémon Go app unsurprisingly has ransomware impersonating it; the developer added a backdoor Windows account, spread the executable to other drives and created network shares. A new report by Check Point researchers shows that Cerber's Ransomware-as-a-Service (RaaS) affiliate program is a success, with more than 160 participants at current count and almost $200K profit even though only 0.3% of victims pay. Voicemail notifications have become a popular phishing lure in at least two campaigns, since they apply to a wider array of people than, for example, billing notifications.
September 2016 - Cry is a sophisticated strain that steals and hosts personal information gathered from social networks, locates the victim on Google Maps using nearby wireless SSIDs, and deletes Volume Shadow Copies, among other nasty features. Mamba, like Petya, continues the trend of full-disk encryption ransomware, but unlike Petya it encrypts all data on the hard drive rather than just the file table. Fantom ransomware uses file and process names to set the size of the ransom demand, so if the campaign is targeting home users the ransom would be lower than if the target were a large enterprise. Ransomware officially became extortion under California law, though we see this as more of an awareness measure than anything else.
October 2016 - Virlock is a two-year-old strain that spreads like a file-infecting virus through cloud storage sync. A massive Cerber campaign uses malicious macros to infect its victims. Another version of Cerber stops database (SQL) server processes so it can encrypt the database files they hold open. CryPy, a strain written in Python, was hosted alongside PayPal phishing pages on the server its phishing emails came from, so expect more from this one. As of now, ID Ransomware can detect over 200 different strains.
November 2016 - Locky is very much alive and well. One new campaign starts with a 'credit card suspended' phishing email with a malicious .JS attachment; another attacks victims via Facebook Messenger. Crysis decryption keys have been made public. A browser-locker variant called Ransoc infects victims via malvertising. Karma ransomware pretends to be a Windows optimization program and is distributed via a pay-per-install network.
December 2016 - Osiris is a new Locky variant delivered, unsurprisingly, by Excel documents containing macros that download and install Locky. GoldenEye encrypts the workstation twice: first the files, then the Master File Table (MFT). The phishing email contains both an Excel file that pulls the malware and a PDF used as the social engineering hook; a user who follows the instructions in both documents potentially pays ransom TWICE. The Sandworm group has gotten hold of KillDisk malware and added a ransomware feature; they run highly targeted campaigns, asking 222 Bitcoin (around $200,000) from their victims.
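The Word and Excel macro lures behind Locky and Osiris share one mail-gateway tell: a modern Office file is a zip container, and a VBA project inside it is a separate part (normally `word/vbaProject.bin` or `xl/vbaProject.bin`) that is also declared in `[Content_Types].xml`. The check below is an added example, not code from the original page or from any mail filter; it builds two small Office containers in memory (constructed samples, not real phishing attachments) and classifies them. The verdict names and the "macros inside a .docx" rule are my assumptions; a real gateway would also need an OLE2 parser (for example oletools' olevba) for legacy .doc/.xls files, which this example only reports as not-OOXML.

```python
import io
import os
import zipfile

VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}            # by spec these cannot carry VBA
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}


def has_vba_macros(data: bytes):
    """True/False for an OOXML container, None if the bytes are not a zip at all."""
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    with z:
        names = z.namelist()
        # The VBA project is a binary part, conventionally word/vbaProject.bin etc.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        # The part may be renamed, but the content-type map still has to declare it.
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
            return True
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    ext = os.path.splitext(filename)[1].lower()
    macros = has_vba_macros(data)
    if macros is None:
        return "not-ooxml"             # legacy .doc/.xls (OLE2) need a different parser
    if not macros:
        return "no-macros"
    if ext in MACRO_FREE_EXTS:
        return "macros-in-macro-free-extension"   # extension lies about the content: treat as hostile
    return "macro-enabled"             # honest .docm/.xlsm; still worth detonating or blocking by policy


# --- constructed sample documents (built in memory, not real attachments) ---
def _build_ooxml(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


_CT_CLEAN = (
    b'<?xml version="1.0"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" '
    b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    b"</Types>"
)
_CT_MACRO = _CT_CLEAN.replace(
    b"</Types>",
    b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
)

CLEAN_DOC = _build_ooxml({"[Content_Types].xml": _CT_CLEAN, "word/document.xml": b"<w:document/>"})
MACRO_DOC = _build_ooxml({
    "[Content_Types].xml": _CT_MACRO,
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder for a VBA project stream",
})

if __name__ == "__main__":
    for name, blob in [("invoice.docm", MACRO_DOC), ("invoice.docx", MACRO_DOC),
                       ("report.docx", CLEAN_DOC), ("readme.txt", b"hello")]:
        print(f"{name:14} -> {classify_attachment(name, blob)}")
```

The useful signal is the third verdict: Word will happily open a macro-carrying file that has been renamed to .docx, so an allow-list that trusts the extension alone lets the lure through. Whatever the verdict, macros from Internet-sourced documents should be blocked by policy rather than left to the user's "Enable Content" click.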
January 2017 - Spora ransomware gives its victims options to just pay for file decryption, or they can pay more for immunity against future attacks. This is a sophisticated strain that collects victim data into a .KEY file, which then must be sent to the attackers who will set the ransom amount based on that data and provide decryption once paid. A new version of Spora uses an innovative way to spread itself via USB sticks.
February 2017 - A new app claims to offer login data for leaked Netflix accounts, giving users free access. What you actually get are fake credentials, while your data is encrypted in the background. DynA-Crypt ransomware not only encrypts data, it also attempts to steal information and even deletes files without backing them up. CRYSIS is back, mostly targeting US healthcare organizations, using brute-force attacks over Remote Desktop Protocol (RDP). Weak passwords make these attacks successful.
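Both LowLevel04 (October 2015) and the CRYSIS campaign above got in the same way: password guessing against exposed RDP, which shows up in the Windows Security log as a burst of failed logons (event 4625) from one source address, sometimes followed by a success (4624) for whichever account finally cracked. The detector below is an added example, not from the original page or from any SIEM product; it runs over a constructed log excerpt flattened to one key=value line per event. The line format, the five-failures-in-two-minutes threshold and the choice to treat logon types 3 and 10 as RDP-related (NLA pre-authentication failures are logged as type 3, interactive RDP sessions as type 10) are my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log excerpt, one event per line (not a real capture).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2017-02-03T02:14:07Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.7 Status=0xC000006D
2017-02-03T02:14:09Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.7 Status=0xC000006D
2017-02-03T02:14:12Z EventID=4625 LogonType=3 TargetUserName=admin IpAddress=203.0.113.7 Status=0xC000006D
2017-02-03T02:14:15Z EventID=4625 LogonType=3 TargetUserName=admin IpAddress=203.0.113.7 Status=0xC000006D
2017-02-03T02:14:20Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5 Status=0xC000006D
2017-02-03T02:14:33Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.7 Status=0xC000006D
2017-02-03T02:14:40Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.7 Status=0xC000006D
2017-02-03T02:14:44Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5
2017-02-03T02:14:51Z EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=203.0.113.7 Status=0xC000006D
2017-02-03T02:14:58Z EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=203.0.113.7 Status=0xC000006D
2017-02-03T02:15:10Z EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2017-02-03T02:20:01Z EventID=4625 LogonType=3 TargetUserName=guest IpAddress=198.51.100.5 Status=0xC0000064
2017-02-03T02:21:40Z EventID=4625 LogonType=3 TargetUserName=guest IpAddress=198.51.100.5 Status=0xC0000064
"""

KV = re.compile(r"(\w+)=(\S+)")
RDP_LOGON_TYPES = {"3", "10"}   # assumed: NLA pre-auth failures (3) and RemoteInteractive (10)


def parse_event(line: str) -> dict:
    ts, rest = line.split(" ", 1)
    ev = dict(KV.findall(rest))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rdp_bruteforce(log_text: str, threshold: int = 5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed logons inside `window`; record whether a
    successful logon from the same IP followed (the case that needs an incident, not a ticket)."""
    recent = defaultdict(deque)        # ip -> failure timestamps still inside the window
    total_failures = defaultdict(int)
    usernames = defaultdict(set)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip = ev.get("IpAddress", "-")
        if ev.get("EventID") == "4625":
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            total_failures[ip] += 1
            usernames[ip].add(ev.get("TargetUserName", "").lower())
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "first_burst": q[0], "succeeded": False, "success_user": None}
        elif ev.get("EventID") == "4624" and ip in alerts:
            alerts[ip]["succeeded"] = True          # a guess landed after the burst
            alerts[ip]["success_user"] = ev.get("TargetUserName")
    for ip, a in alerts.items():
        a["failures"] = total_failures[ip]
        a["usernames"] = sorted(usernames[ip])
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG):
        sev = "CRITICAL" if a["succeeded"] else "HIGH"
        print(f"{sev}: {a['ip']} made {a['failures']} failed RDP logons across {a['usernames']}; "
              f"success={a['succeeded']} ({a['success_user']})")
```

On the sample, 203.0.113.7 is flagged and escalated because the `backup` account logged in right after the burst; the single typo from 10.0.0.5 and the two slow guesses from 198.51.100.5 stay below the threshold. Detection is the fallback: the fix for this entry point is to take RDP off the Internet (VPN or gateway with MFA), require NLA, and set an account lockout policy so a brute force never reaches eight attempts in a minute.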
March 2017 - CryptoLocker has been pretty quiet the past six months, but it's back, jumping from a handful of infections per day to over 400. The original Petya has been hijacked by other cybercriminals who made it their own: dubbed PetrWrap, this variant carries a module that patches the original Petya binary 'on the fly' so that it uses the new group's own keys.
April 2017 - The IT director of a private school reported that after being hit with Samas (SamSam) ransomware, their entire Veeam backup repositories were wiped out as well. The FBI said they had never seen ransomware delete backups. This is a prime example of why offline backups are so important! Cerber has taken over the ransomware market in 2017; its features (robust encryption, offline encryption, etc.) and its RaaS (Ransomware-as-a-Service) business model make it very easy for newbie criminals to run their own custom campaigns. Most recently, Cerber gained the ability to evade detection by security tools that use machine learning to identify threats. Locky has reappeared via phishing emails carrying a PDF with a Word file embedded inside it, which executes a macro script when opened by the user; the extra layer lets the phishing email bypass sandboxes.
May 2017 - Fatboy RaaS (ransomware-as-a-service) uses The Economist's Big Mac index to determine how much ransom to ask for. The WannaCry ransomware worm took the world by storm in mid-May, spreading by exploiting the SMBv1 vulnerability patched in MS17-010 (the leaked NSA EternalBlue exploit) and hitting railways, telcos, universities, the UK's NHS, and so on. In all, the strain infected over 300,000 computers in over 150 countries, earning the criminals around $90,000, which is really not much compared to the number of infections. WannaCry caused the world to take notice of ransomware. Note that the patch had been available since March 2017; the outbreak hit systems that were unpatched or still running unsupported Windows versions, and a kill-switch domain in the code, once registered, stopped the spread. The Shadow Brokers, the group who leaked the NSA SMB exploit that powered WannaCry, published a manifesto announcing a subscription service under which they will release more exploits for desktop and mobile platforms stolen from the NSA. Coming in June 2017, it is set up like a 'wine of the month' club, with subscribers getting a members-only data dump each month.
June 2017 - Microsoft proudly announced that no known ransomware could penetrate the newest Win 10 Creators Update. What’s that saying about things being too good to be true? ZDNet hired a pro hacker who proved that wrong in about 3 hours.
June 2017 - NotPetya was the new worldwide 'ransomware' attack following May's WannaCry outbreak, hitting targets in Ukraine, Russia, Spain, France and other countries. It was seeded through a trojanized update of the Ukrainian accounting software M.E.Doc and spread inside networks using EternalBlue and stolen credentials. But NotPetya is not normal ransomware; it's closer to cyber warfare and does not come from the authors of the original Petya. It does not delete data but makes it unusable, encrypting the disk and then throwing away the key, so that paying could never have restored anything.
July 2017 - F-Secure labs uncovered chat sessions in which a ransomware support agent claimed they were hired by a corporation for targeted operations. Later analysis/metadata research confirmed that this tactic was used with another variant, and the follow-up attack targeted IP lawyers that was seemingly aimed at disrupting their business operations.
August 2017 - An update to Cerber lets its operators steal from three different Bitcoin wallet apps as well as passwords from popular web browsers. Cerber is among the most rapidly evolving ransomware families; its operators are constantly trying new ways to monetize it.
A key ransomware money laundering operation BTC-e taken down and owner, Russian national Alexander Vinnik was arrested in Greece in a multi-national law enforcement effort. FinCEN, the US department of the Treasury Financial Crimes Enforcement Network assessed BTC-e with a $110 million civil money penalty for willfully violating U.S. anti-money laundering laws. Vinnik was assessed $12 million for his role in the violations.
Locky is back with a new Diablo6 variant spread through phishing emails with infected attachments. It’s too soon to tell just how widespread this new variant will be. A new version of an old IRS/FBI phishing scheme asks its recipients to download a questionnaire. SyncCrypt is a new phishing threat that hides ransomware inside an infected JPG. Newly discovered Defray ransomware targets healthcare, education, manufacturing and tech sectors in the US and UK, using customized spear phishing emails and demanding a hefty $5k ransom.
September 2017 - New nRansomware demands nudes instead of Bitcoin in an attempt to blackmail victims multiple times. A similar attack spotted in Australia and the US claims that a virus was installed on a porn website which recorded the victim through their webcam. However, scammers are likely bluffing about having compromising information. This led us to believe that these are simply fake extortion emails. We ended up calling it ‘faketortion’.
Two new massive Locky campaigns were reported this month: one pushing a new variant that encrypts files with the .ykcol extension and demands 0.5 Bitcoin (~$1,800); the other sneaks malicious code into an attachment that looks like printer output to its victims.
October 2017 - Bitdefender released its new Ransomware Recognition Tool. This tool analyzes both the ransom note and the encrypted file samples to identify the strain of ransomware and suggest a decryption tool for the identified family, if one is available.
Bad Rabbit ransomware hit organizations in Russia, Ukraine and the U.S. This is basically a new, improved NotPetya version 2 that starts with social engineering. In this release, encrypted data is recoverable after buying the key, meaning the Bad Rabbit attack is not as destructive as NotPetya. The authors fixed a lot of bugs in the file encryption process.
November 2017 - The Bad Rabbit attack from last month was found to be a cover for an insidious spear phishing campaign targeting Ukrainian officials in an attempt to get their financial and confidential information. Ransomware attacks are becoming more and more sophisticated and are not always what they look like on the surface.
A new strain called Ordinypt ransomware targeted victims in Germany only. Instead of encrypting users' documents, the ransomware rewrites files with random data.
The Scarab strain was updated and spread via the Necurs botnet in a massive 12.5 million-message campaign targeting .com domains. The current campaign prevents users from using third-party recovery tools and deletes Shadow Volume Copies and other default Windows recovery features.
December 2017 - Scarab ransomware, first seen in November, now comes with the option for infected victims to negotiate a price for retrieving their encrypted files.
According to Carbon Black's 2017 Threat Report, ransomware attacks have grown in volume and in the amount demanded per attack, and ransomware is now a $5 billion industry.
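As an added, constructed example of how a defender can spot the recovery-inhibition behaviour described above in endpoint telemetry (this is not code from the page or from any vendor mentioned here), the following Python checks process-creation events for the commands that delete shadow copies or disable Windows recovery. The event fields, host names and sample lines are made up for illustration.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# These sample lines are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"host": "ws01", "user": "jdoe",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
     "cmd": r"wmic shadowcopy delete"},
    {"host": "srv02", "user": "SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "cmd": r"bcdedit /set {default} recoveryenabled No"},
    {"host": "ws03", "user": "backupsvc",
     "parent": r"C:\Program Files\Backup\agent.exe",
     "cmd": r"vssadmin list shadows"},
    {"host": "ws03", "user": "asmith",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"notepad.exe C:\temp\notes.txt"},
]

# Each rule matches one way of removing or disabling Windows recovery features.
# Read-only commands such as "vssadmin list shadows" must not match.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# A parent process running from a user-writable folder is more suspicious
# than a service or a known backup agent issuing the same command.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def detect(events):
    """Return one alert per event whose command line matches a rule."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                severity = "high" if USER_WRITABLE.search(ev["parent"]) else "medium"
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": name, "severity": severity})
                break  # the first matching rule is enough for one event
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the sample events yields three alerts: two high-severity ones from the executable in the user's Temp folder and one medium-severity one from the service, while the backup agent's read-only listing is ignored.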
January 2018 - Interesting research by Enterprise Strategy Group: 63% of organizations experienced an attempted ransomware attack in 2017, with 22% reporting these incidents occurred on a weekly basis.
A white hat hacker developed a working 'ransomcloud' strain, which encrypts cloud email accounts like Office 365 in real-time. If a white hat can do this, so can a black hat. Watch out for this attack in the near future.
We’re seeing cybercriminals shift away from Bitcoin due to its current high profile and high value, which means small fluctuations dramatically alter the cost, and due to worries that the anonymity it offers isn't all it's cracked up to be. While not yet a widespread payment method for distributors of ransomware, there are a number of examples of ransomware demanding that the fee for unlocking be paid in Monero, such as Kirk ransomware.
February 2018 - Recently, cryptomining related attacks have become more popular than ransomware for many attackers. They don't need to actually engage the victim to make a lot of money, but we don’t think ransomware will be going away any time soon.
A new variant called Annabelle has been discovered, which seems to have been designed to ‘show off the skills’ of the developer who created it by being as difficult to deal with as possible. It terminates numerous security programs, disables Windows Defender, turns off the firewall, encrypts your files, tries to spread through USB drives, prevents you from running a variety of programs, and overwrites the master boot record of the infected computer with its own boot loader. The good news is Bleeping Computer has decryption instructions.
March 2018 - A massive survey of nearly 1,200 IT security practitioners and decision makers across 17 countries reveals that only half the people who fell victim to ransomware infections and chose to pay in 2017 were able to recover their files. This is why backups are so important; there is never a guarantee your files will be recovered even if you pay the ransom. When asked what’s inhibiting them from defending their respective organizations against cyberthreats, “low security awareness among employees” remains one of the top 3 reasons. In other words, get your users trained yesterday!
A new ransomware-as-a-service dubbed GandCrab showed up mid-month. This is the most prominent ransomware of 2018, infecting approximately 50,000 computers, most of them in Europe, in less than a month and asking each victim for a ransom between $400 and $700,000 in DASH cryptocurrency. Yaniv Balmas, a security researcher at Check Point, compares GandCrab to the notorious Cerber family, and the expert also added that the GandCrab authors are adopting a full-fledged agile software development approach, the first time in ransomware history. More technical details are at the Security Affairs blog.
Zenis ransomware, discovered by the MalwareHunterTeam, not only encrypts your files but also purposely deletes your backups. The latest version utilizes AES encryption to encrypt the files; unfortunately, at this time there is no way to decrypt them. If you are infected with Zenis, DO NOT PAY THE RANSOM. Instead you can receive help or discuss this ransomware in Bleeping Computer's dedicated Zenis Ransomware help & support topic.
The City of Atlanta was infected with SamSam ransomware and received a bitcoin demand of $51,000 to unlock the entire system. The infection affected several internal and customer-facing applications, such as the online systems that residents used to pay city bills or access court documents. A total of $2.6 million has been set aside for emergency recovery efforts, and that doesn't include the ransom. This strain is believed to have the ability to get access to systems and wait weeks before an attack, making it easier to strike twice. That's exactly what happened when the Colorado DOT was infected with SamSam at the beginning of the month.
AVCrypt ransomware, discovered by BleepingComputer, tries to uninstall your existing security software (such as AV) before it encrypts files. However, it looks like no encryption key is sent to a remote server so it's unclear whether this is true ransomware or a wiper.
A new report from SentinelOne found that ransomware is now something that more than half (56%) of companies have faced in the past two months. That's up from 48% who said the same thing in the firm's 2017 report.
April 2018 - Hackers are working hard at making ransomware less predictable in order to avoid detection. Changes to the encryption process, the code itself, and even delivery methods are just a few of the 11 ways ransomware is evolving.
Verizon's 2018 Data Breach Incident Report lists ransomware as the most common type of malware carried by phishing attacks. It's used in 56% of such incidents. Here is the full report: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
Healthcare has always been targeted as an industry by hackers trying to get their hands on valuable PII. The HHS' Healthcare Cybersecurity and Communications Integration Center released a report on SamSam, a strain that has targeted the healthcare and government sectors since 2016. A few weeks later, the Center for Orthopaedic Specialists (COS) in California was hit and had to notify 85,000 patients. This is just another indicator that a ransomware infection is seen as a HIPAA data breach and needs to be reported.
May 2018 - A new strain called Blackheart drops its payload alongside the perfectly legitimate AnyDesk remote desktop tool, highly likely as a way to evade detection. If that sounds familiar, the TeamViewer remote desktop tool was infected with malware in a similar way in 2016.
BitKangoroo is another new strain using AES-256 encryption that deletes your files if you do not pay. Once it deletes a file, it will reset the timer back to 60 minutes. Fortunately, it can be decrypted for free using Michael Gillespie's BitKangarooDecrypter.
The European Union's General Data Protection Regulation will affect how U.S. companies deal with the rising threat of ransomware attacks, according to a leading privacy lawyer, by requiring the reporting of incidents even if the impact on data or systems is minimal.
June 2018 - Satan Ransomware was seen using the EternalBlue exploit to spread across compromised environments (BartBlaze’s blog). This is the same exploit associated with a previous WannaCry Ransomware campaign.
SamSam, the ransomware strain that crippled several cities and school districts in the U.S. earlier this year, came back. This strain has three new ways to avoid detection:
- It decrypts the payload only at run-time, making it nearly impossible to identify and analyze.
- Its loader, payload, and logs are wiped, leaving very few traces behind for any forensics or scanning tools.
- It requires a password to be entered by the threat actor to run in the first place.
This new strain of SamSam is designed for targeted attacks.
SonicWall's latest report on cyberattack volumes shows that in 2018 year to date there have been 2 million ransomware attacks, a 299% increase – that’s TRIPLE last year's figure!
July 2018 - GandCrab v4 – a more dangerous and invasive newly released strain of the notorious ransomware is back with more power in its pincers: it no longer needs a C2 server, it functions without Internet access, can spread via the SMB exploit EternalBlue and it appears to hunt for unpatched machines. Still, there are easy ways to avoid an attack.
SonicWall released a mid-year update to their 2018 Cyber Threat Report with some sobering statistics about the state of ransomware this year:
- A 229% increase in ransomware attacks year-to-date over 2017
- 12 new variants of ransomware
- 181.5 MILLION attacks this year alone (that’s nearly 100K attacks daily!)
Bottom line? Ransomware is alive and well!
SamSam is in the news again. Earlier this year, EHR vendor Allscripts was a victim of the strain, which caused over 1,500 doctor’s offices to be unable to access patient records. Now one of those offices has filed a class-action suit against the firm, claiming it failed “to secure its systems and data from cyberattacks, including ransomware attacks”.
Also this month LabCorp, one of the largest clinical labs in the U.S., was hit with SamSam. The attack was contained quickly and didn't result in a data breach. However, before the attack was fully contained, 7,000 systems and 1,900 servers were impacted. Of those 1,900 servers, 350 were production servers. If you're in health care, SamSam is definitely something to watch out for, and it can have devastating consequences. A new literature review from Marshall University describes the problem as well as prevention methods in great detail.
September 2018 - KnowBe4 released a new version of our popular Ransomware Simulator tool that now tests against 13 ransomware scenarios and 1 cryptomining scenario. Cryptomining is just another means to a financial end for cybercriminals. Just like ransomware, remote access trojans (RATs), and other types of malware, the cybercriminal needs to somehow infect a machine. This kind of attack isn't going anywhere. If you have any kind of security strategy around malware and ransomware, you need to be adding cryptojacking/cryptomining to the list and act accordingly; you’ll be seeing a lot more of this attack vector.
October 2018 - An announcement from the National Cyber Security Centre (NCSC) identified a number of cyber actors and attacks likely carried out by the GRU, the Russian military intelligence service. Here is a full list of attributions that the British National Cyber Security Centre has compiled about the GRU.
Proofpoint’s Wombat Security division published their 2018 User Risk Report, which surveyed 6,000 working adults. The results show 64 percent of respondents do not know what ransomware is. In times like this you really need to step your users through new-school security awareness training to prevent such attacks.
November 2018 - New variant CommonRansom asks for RDP access to the victim’s computer in order to decrypt files. This is the latest attempt to extend the ransomware attack beyond the simple act of extortion. It is likely that the group is more interested in the credentials than ransom payments.
Four new strains of Dharma ransomware were discovered that evade detection by all but one antivirus solution on the market. Researchers observed a malicious executable dropped through a .NET file and another associated HTML Application (HTA) file. There is no decryption available; even if the ransom is paid, the encryption key is generated locally, so it's a fake key.
There should be no question by now that Mac and iOS devices are targets for attacks. New data from Datto, a backup provider, shows that MSPs have seen a 500% increase in ransomware on both MacOS and iOS devices over last year. Most organizations have a group of users that use Macs, usually the creative types. So, it’s official – all users, regardless of operating system, are potential targets of ransomware.
December 2018 - New sextortion attacks take a dark turn and infect people with GandCrab ransomware. The email claims cybercriminals have a video of you watching an inappropriate website, and that you can download that video and see it for yourself.
A server outage at a major newspaper publishing company prevented the distribution of many leading U.S. newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun. It looks like this was a targeted ransomware attack using the specialized Ryuk ransomware family. This strain is the latest incarnation of the earlier HERMES ransomware, which is attributed to the capable and active Lazarus Group that operates out of a Chinese city just north of North Korea and is reportedly controlled by the N.K. Unit 180 spy agency.