Ransomware, a type of malware that holds data for ransom, has been around for years. In 1991, a biologist spread PC Cyborg, the first ransomware, by sending floppy disks via surface mail to other AIDS researchers, for instance. In the mid '00s Archiveus was the first ransomware to use encryption, though it's long ago been defeated and you can find its password on its Wikipedia page. In the early 2010s, a series of "police" ransomware packages appeared, so called because they purported to be warnings from law enforcement about the victims' illicit activities and demanded payment of "fines"; they began to exploit the new generation of anonymous payment services to better harvest payments without getting caught.
In the 2010s, a new ransomware trend emerged: the use of cryptocurrencies as the ransom payment method of choice by cybercriminals. The appeal to the extortionists is obvious, as cryptocurrencies are specifically designed to provide an untraceable, anonymous payment method. Most ransomware gangs demanded payment in bitcoin, the most high-profile cryptocurrency, although some began shifting their demands to other currencies as bitcoin's popularity made its value more volatile.
Attacks shot up in the middle of the 2010s to crisis levels. But by 2018, the ransomware boom seemed to be on its way out, in favor of another illicit way to snag bitcoin that didn't require victims to figure out what a bitcoin wallet was: cryptojacking. Cryptojackers follow the script that spammers and DDoS attackers have been using for years: surreptitiously gaining control of computers without their owners knowing. In the case of cryptojacking, the compromised machines become bitcoin mining rigs, quietly generating cryptocurrency in the background and eating up idle computing cycles while the victim is none the wiser. Ransomware attacks declined over the course of 2018, while cryptojacking attacks shot up by 450 percent.
Ransomware attacks today
Over the past two years, however, ransomware has come back with a vengeance. Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks, sees two big drivers behind this trend. The first has to do with the vagaries of cryptocurrency pricing. Many cryptojackers were using their victims' computers to mine the open source Monero currency; with Monero prices dropping, "at some point the threat actors will realize that mining cryptocurrency was not going to be as rewarding as ransomware," says Hahad. And because the attackers had already compromised their victim's machines with Trojan downloaders, it was simple to launch a ransomware attack when the time was right. "I was honestly hoping that that prospect would be two to three years out," says Hahad, "but it took about a year to 18 months for them to make that U-turn and go back to their original attack."
The other trend was that more attacks focused on striking production servers that hold mission-critical data. "If you get a random laptop, an organization may not care as much," says Hahad. "But if you get to the servers that fuel their day-to-day business, that has so much more grabbing power."
These kinds of attacks require more sophistication — not necessarily in terms of the ransomware code itself, but in the skills needed by the attackers to infiltrate better protected systems to install the malware. "A spray and pray type of tactic isn't going to give them a lot of return on investment," says Hahad. "More targeted attacks with good lateral movement capability are going to get them there, and most of the time that lateral movement is not automatic. It's really about gaining initial intrusion points and then somebody manually going in there and sniffing around the network, moving files around, escalating privileges, getting credentials for some admin potentially to access another machine remotely."
With that in mind, let's take a look at the worst offenders in this new age of ransomware.
5 ransomware families: Their attack targets and methods
Attacks using software known as SamSam started appearing in late 2015, but really ramped up in the next few years, gaining some high-profile scalps, including the Colorado Department of Transportation, the City of Atlanta, and numerous health care facilities. SamSam is the perfect example of how attackers' organizational prowess is as important as their coding skills. SamSam doesn't indiscriminately look for some specific vulnerability, as some other ransomware variants do, but rather operates as ransomware-as-a-service whose controllers carefully probe pre-selected targets for weaknesses, with the holes it has exploited running the gambit from vulnerabilities in IIS to FTP to RDP. Once inside the system, the attackers dutifully work to escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.
Although the initial belief among security researchers was that SamSam had an Eastern European origin, the overwhelming majority of SamSam attacks targeted institutions within the United States. In late 2018, the United States Department of Justice indicted two Iranians that they claim were behind the attacks; the indictment said that those attacks had resulted in over $30 million in losses. It's unclear how much of that figure represents actual ransom paid; at one point the Atlanta city officials provided local media with screenshots of ransom messages that included information on how to communicate with the attackers, which led them to shut that communications portal down, possibly preventing Atlanta from paying ransom even if they wanted to.
Ryuk is another targeted ransomware variant that hit big in 2018 and 2019, with its victims being chosen specifically as organizations with little tolerance for downtime; they include daily newspapers and a North Carolina water utility struggling with the aftermath of Hurricane Florence. The Los Angeles Times wrote a fairly detailed account of what happened when their own systems were infected. One particularly devious feature in Ryuk is that it can disable the Windows System Restore option on infected computers, making it all the more difficult to retrieve encrypted data without paying a ransom. Ransom demands were particularly high, corresponding to the high-value victims that the attackers targeted; a holiday season wave of attacks showed that the attackers weren't afraid to ruin Christmas to achieve their goals.
Read more on the next page...