10 Most Dangerous Ransomware in Recent Years | Total Security

In recent years, the many types of ransomware in circulation have turned into a real crisis for organizations and large companies. According to statistics from Cybersecurity Ventures, a company will be hit by ransomware every 14 seconds by the end of 2019, and criminals will earn $11.5 billion in revenue from these cyber attacks. 91% of attacks start with spear-phishing emails used to infect the victim's computer. How did this cybersecurity threat come about, and which are the 10 most dangerous ransomware families of recent years that businesses should beware of?

10 Most Dangerous Ransomware


Ransomware is one of the main cyber threats today. The scene is highly diversified, with more than 1,100 variants ready to attack companies and private users. The number of victims is constantly increasing, and the technologies underlying ransomware are becoming increasingly sophisticated. Here are the 10 most dangerous ransomware families of recent years. You may already know some of them, hopefully not from personal experience!


1) Cryptolocker

CryptoLocker entered the scene in 2013 and was probably the first to open the era of large-scale ransomware. It spread via spam messages and attachments distributed by the Gameover ZeuS botnet, and used 2048-bit RSA public-key encryption to lock user files for money. According to Avast, at its peak between late 2013 and early 2014, CryptoLocker had infected more than 500,000 computers, and it spawned the CryptoWall, Crypt0L0cker and TorrentLocker clones. The malicious software was quite "elementary" and was defeated thanks to Operation Tovar, a joint campaign between the FBI, Interpol, security companies and universities. CryptoLocker paved the way for many other ransomware varieties that borrowed from its code to create new threats.


2) TeslaCrypt

Although it was first presented as a variant of CryptoLocker, this ransomware earned its own identity through its particular modus operandi. TeslaCrypt targeted auxiliary files associated with video games, such as saved games, maps, downloadable content and the like. For gamers these are often important files, saved locally rather than in the cloud or on external drives. In 2016, TeslaCrypt accounted for 48% of ransomware attacks worldwide. Victims were asked for a ransom of $500 worth of bitcoins. One characteristic that allowed it to hit so many victims was its constant evolution: in early 2016, files could be restored only with the intervention of resourceful hackers. The surprise came in May 2016, when the creators of TeslaCrypt decided to end their malicious activities and released the master decryption key to the world. A few days later, ESET released a free tool to clean infected computers.


3) SimpleLocker

We all know how the mobile phone has taken over our lives and become the most widely used electronic device, so much so that hackers could not ignore this trend. Between the end of 2015 and 2016, ransomware attacks on Android devices increased up to fourfold.


At first, these were attacks that made files hard to reach by blocking access to parts of the user interface. In late 2015, SimpleLocker, also known as Andr/Slocker-A, became the first true ransomware on Android. SimpleLocker spreads as a Trojan downloader disguised as an app. Once installed, it scans the device, encrypts files with AES and renames them with the .ENC extension. It also collects information such as the IMEI number, model and manufacturer and sends it to a C2 server. The latest versions were able to access the camera and show a photo of the victim to scare them into paying the ransom. SimpleLocker originated in Eastern Europe, but most of its victims were in the United States. Today, SimpleLocker is no longer a threat. On this site you can find detailed information on how to remove SimpleLocker from different Android models.


4) Cerber

Cerber is an example of advanced ransomware technology that uses strong RSA encryption. It is distributed as ransomware-as-a-service (RaaS), a kind of "affiliate program" for cybercriminals: anyone can buy it and distribute it on the web in exchange for 40% of the profits. The malware targeted users of the Office 365 cloud suite through an elaborate phishing campaign that has so far affected millions of users around the world (with the exception of users in Eastern Europe). The attack usually unfolds like this: the victim receives an email with an infected Microsoft Office document attached. Once opened, the ransomware runs silently in the background during the encryption phase without raising suspicion. After file encryption is complete, the user finds a ransom note in the infected folders and often as the desktop background as well. At its peak in early 2017, Cerber accounted for 26% of all ransomware attacks. To date, several decryptors are available that can help you recover files.


5) SamSam

The ransomware attacks known as SamSam appeared in late 2015 but only grew a few years later, bringing high-profile targets, particularly in the United States, to their knees. SamSam's strength is its organizational model rather than its technical structure. In 2015 and 2016 it exploited JBoss vulnerabilities; then, in 2018, SamSam brute-forced weak passwords or exploited vulnerabilities in RDP, Java-based servers and FTP servers to gain access to the victim's network. The SamSam attacks appear to be manual, so there is someone behind the keyboard attacking the network and making files inaccessible with RSA-2048 encryption. This is a well-researched attack, and the ransom varies depending on the level and volume of the victim's data, as well as its willingness to pay. Analysis of the SamSam group's Bitcoin wallet showed, for example, that on January 13, 2018, at 2:31 am, the American hospital Hancock Health paid a ransom of 4 bitcoins worth around 51,000 euros. Within two hours the hospital's systems were restored.
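Brute-forcing weak RDP passwords, as described for SamSam above, leaves a recognizable trace in the Windows Security log: a run of failed logons (Event ID 4625) with Logon Type 10 (RemoteInteractive) from one source. The detection below is an added example, not code from the article; the flat one-line log format and all sample lines are constructed stand-ins for exported event records.

```python
"""Added example (not from the article): flag source addresses that pile up
failed remote-desktop logons in Windows Security logs, the trace a
password-guessing attempt against RDP leaves behind. The flat log format
and the sample lines are constructed stand-ins for exported event records."""
from collections import defaultdict
import re

# Event ID 4625 = failed logon; Logon Type 10 = RemoteInteractive (RDP).
FAILED_LOGON = "4625"
REMOTE_INTERACTIVE = "10"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Src=(?P<src>\S+) User=(?P<user>\S+)$"
)

# Constructed sample log: one source hammering several accounts, one user
# who mistypes once and then succeeds, and one local (Logon Type 2) failure.
SAMPLE_LOG = """\
2018-01-11T01:02:03 EventID=4625 LogonType=10 Src=198.51.100.7 User=administrator
2018-01-11T01:02:04 EventID=4625 LogonType=10 Src=198.51.100.7 User=admin
2018-01-11T01:02:05 EventID=4625 LogonType=10 Src=198.51.100.7 User=backup
2018-01-11T01:02:06 EventID=4625 LogonType=10 Src=198.51.100.7 User=administrator
2018-01-11T01:02:07 EventID=4625 LogonType=10 Src=198.51.100.7 User=scan
2018-01-11T01:02:08 EventID=4625 LogonType=10 Src=198.51.100.7 User=administrator
2018-01-11T08:15:00 EventID=4625 LogonType=10 Src=192.0.2.44 User=bob
2018-01-11T08:15:20 EventID=4624 LogonType=10 Src=192.0.2.44 User=bob
2018-01-11T08:16:00 EventID=4625 LogonType=2 Src=- User=carol
"""


def failed_remote_logons(log_text):
    """Return {source: [account, ...]} for every failed RDP logon in the log."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        if m["eid"] == FAILED_LOGON and m["lt"] == REMOTE_INTERACTIVE:
            per_source[m["src"]].append(m["user"])
    return per_source


def flag_sources(log_text, min_failures=5):
    """Return sorted (source, failures, distinct_accounts) tuples for sources
    that reach the failure threshold. A high failure count spread over many
    accounts is the password-guessing pattern; one failure followed by a
    success (bob above) is an ordinary typo and stays below the bar."""
    flagged = []
    for src, users in failed_remote_logons(log_text).items():
        if len(users) >= min_failures:
            flagged.append((src, len(users), len(set(users))))
    return sorted(flagged)


if __name__ == "__main__":
    for src, failures, accounts in flag_sources(SAMPLE_LOG):
        print(f"{src}: {failures} failed RDP logons across {accounts} accounts")
```

The threshold and the focus on Logon Type 10 are the tunable parts: on a server that is not supposed to accept RDP from the internet at all, even a single failed remote logon from an external address is worth an alert.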


6) WannaCry

WannaCry is one of the most dangerous ransomware families, as well as one of the largest cyberattacks in history. For the first time, the term ransomware entered public debate and the world press. In May 2017, 200,000 users in around 150 countries fell victim, including large companies, organizations and public institutions. It was the first wave of attacks built on hacking tools leaked from the NSA. WannaCry uses the EternalBlue exploit, which abuses a Microsoft bug in the implementation of the SMB protocol. Although Microsoft had released a security update, many computers had yet to be updated.


WannaCry exploited precisely this gap, spreading aggressively across all devices on the network. One of its most dangerous features is that it installs itself on your computer and encrypts files, adding the .WCRY extension. The ransom demand is the equivalent of $300 in bitcoins if paid within the first 3 days, then doubles to $600. If payment is not made within a week, all files are lost. Today, two years after WannaCry's worldwide spread, an estimated two million computers are still exposed to the attack.
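Both SimpleLocker (.ENC, above) and WannaCry (.WCRY) rename the files they encrypt, and mass renaming to a single unusual extension within seconds is one of the few behaviours a defender can spot on the endpoint before encryption finishes. The following is an added example, not code from the article: it scans file-activity log lines and flags a host whose rename events to those extensions cluster inside a short window. The log format and the sample lines are constructed.

```python
"""Added example (not from the article): flag a host whose file-activity log
shows a burst of renames to the extensions WannaCry (.WCRY) and SimpleLocker
(.ENC) append to encrypted files. Log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions named in the article, compared case-insensitively.
RANSOM_EXTENSIONS = {".enc", ".wcry"}

# Constructed sample log: "<ISO timestamp> <host> <event> <path>".
# ws-07 shows the burst pattern; ws-12 has two isolated renames half an
# hour apart, which should not be enough to raise an alert.
SAMPLE_LOG = r"""
2017-05-12T10:00:01 ws-07 RENAME C:\Users\a\Documents\q1.xlsx.WCRY
2017-05-12T10:00:02 ws-07 RENAME C:\Users\a\Documents\plan.docx.WCRY
2017-05-12T10:00:02 ws-07 RENAME C:\Users\a\Pictures\holiday.jpg.WCRY
2017-05-12T10:00:03 ws-07 RENAME C:\Users\a\Desktop\notes.txt.WCRY
2017-05-12T10:00:03 ws-07 RENAME C:\Users\a\Desktop\budget.pdf.WCRY
2017-05-12T10:00:05 ws-12 WRITE C:\Users\b\Documents\report.docx
2017-05-12T10:00:06 ws-12 RENAME C:\Users\b\Documents\old.bak.enc
2017-05-12T10:30:00 ws-12 RENAME C:\Users\b\Music\song.mp3.ENC
"""


def parse_line(line):
    """Split one log line into (timestamp, host, event, path)."""
    ts, host, event, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, event, path


def suspicious_extension(path):
    """True if the path's last extension is one the ransomware families add."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in RANSOM_EXTENSIONS


def find_burst_hosts(log_text, threshold=5, window=timedelta(seconds=10)):
    """Return {host: max_renames_in_window} for every host that performed at
    least `threshold` renames to a ransomware extension inside any `window`.
    A sliding window over the sorted timestamps finds the densest cluster."""
    rename_times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, path = parse_line(line)
        if event == "RENAME" and suspicious_extension(path):
            rename_times[host].append(ts)

    flagged = {}
    for host, times in rename_times.items():
        times.sort()
        start, densest = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop events that fell out of the window
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            flagged[host] = densest
    return flagged


if __name__ == "__main__":
    for host, count in find_burst_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} ransomware-style renames within 10s")
```

The threshold of five renames in ten seconds is deliberately low for the constructed sample; in production the window and threshold are tuned against the normal rename rate of backup and sync tools, and the extension list is extended with whatever families are current. Because the check runs per host, an isolated hit on a second machine (ws-12) is reported separately rather than inflating the first host's count.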


7) Petya and NotPetya

After WannaCry, NotPetya confirmed the era of ransomware. Petya was a ransomware package dating back to 2016. A few weeks after the WannaCry epidemic, an updated version began to spread which, following the well-known WannaCry, took advantage of the EternalBlue exploit. Because of its evolution over time, it was renamed NotPetya. On June 28, 2017, 80% of infections were recorded in Ukraine, according to ESET data; Germany came second with 9%. NotPetya also spread mainly by email, with an attachment carrying a .doc, .xls, .ppt or .pdf extension. The file opens normally, but unbeknownst to the user a dropper is installed and the actual malware begins to download from the internet. Once the files are encrypted, the PC is rendered unusable and a ransom of $300 worth of bitcoins is demanded. The fundamental difference between Petya and other ransomware like WannaCry is that instead of encrypting each file, it targets the PC's bootloader directly.


8) Bad Rabbit

Bad Rabbit follows in the footsteps of WannaCry and NotPetya. It has affected organizations mainly in Russia and Eastern Europe, disguised as an Adobe Flash installer. It spreads through drive-by downloads from compromised websites, where malicious JavaScript was injected into the HTML code or script files. Once downloaded and installed, the PC is locked. The ransom is $280 in bitcoins, with a 40-hour window to make the payment.


9) Ryuk

Ryuk is a ransomware family that caused a great deal of damage between 2018 and 2019. It is aimed specifically at organizations that can pay a lot and cannot afford downtime. Its victims include American newspapers and the North Carolina water utility dealing with the aftermath of Hurricane Florence. The ransomware uses strong, military-grade algorithms such as RSA-4096 and AES-256. One particularly subtle feature of Ryuk is that it can disable Windows "System Restore" on infected computers, which makes it even harder to recover encrypted data without paying the criminals. Ransom demands were also particularly high, in line with the importance of the victims. Analysts believe that Ryuk's source code is largely derived from Hermes, a product of North Korea's Lazarus group. This does not mean the ransomware is run by the North Korean state: McAfee believes Ryuk was built on code from a Russian-speaking developer, in part because the ransomware does not run on computers whose language is set to Russian, Belarusian or Ukrainian. Here you can find detailed information on removing Ryuk from different Windows operating systems.
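Disabling System Restore and deleting shadow copies, the Ryuk behaviour described above, has to be done through a handful of Windows utilities and cmdlets, so process-creation telemetry is the natural place to catch it. The rule set below is an added example, not code from the article: it runs a few command-line patterns over Sysmon-style process events and reports every recovery-tampering hit. The one-line log format and the sample lines are constructed; the utilities matched (vssadmin, wmic, bcdedit and the Disable-ComputerRestore cmdlet) are real Windows components.

```python
"""Added example (not from the article): detection logic for process-creation
events that tamper with Windows recovery, the behaviour the article attributes
to Ryuk (disabling System Restore). The log format and lines are constructed;
the matched command names are real Windows utilities and cmdlets."""
import re

# Each rule: (name, pattern matched against the full process command line).
# A plain "vssadmin list shadows" run by an administrator must not match.
RECOVERY_TAMPER_RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("system_restore_disabled_powershell",
     re.compile(r"\bdisable-computerrestore\b", re.I)),
]

# Constructed one-line format: "<ts> host=<h> user=<u> cmd=\"<command line>\"".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample: a burst of recovery tampering on srv-02 at 02:14, plus
# two benign commands on a workstation that should produce no hits.
SAMPLE_LOG = r"""
2019-01-03T02:14:00 host=srv-02 user=SYSTEM cmd="vssadmin delete shadows /all /quiet"
2019-01-03T02:14:01 host=srv-02 user=SYSTEM cmd="wmic shadowcopy delete"
2019-01-03T02:14:02 host=srv-02 user=SYSTEM cmd="bcdedit /set {default} recoveryenabled no"
2019-01-03T02:14:03 host=srv-02 user=SYSTEM cmd="powershell.exe -NoProfile -Command Disable-ComputerRestore -Drive C:"
2019-01-03T09:00:00 host=ws-04 user=alice cmd="vssadmin list shadows"
2019-01-03T09:05:00 host=ws-04 user=alice cmd="notepad.exe C:\Users\alice\todo.txt"
"""


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, pattern in RECOVERY_TAMPER_RULES if pattern.search(cmdline)]


def detect_recovery_tampering(log_text):
    """Return (host, user, rule_name) for each process event that matches a
    recovery-tampering rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        for name in match_rules(m["cmd"]):
            hits.append((m["host"], m["user"], name))
    return hits


if __name__ == "__main__":
    for host, user, rule in detect_recovery_tampering(SAMPLE_LOG):
        print(f"ALERT {host} ({user}): {rule}")
```

Several of these hits on one host within a few seconds, as in the srv-02 sample, is the signal to act on immediately: the encryption stage typically follows the moment the backups are gone, so the alert is most useful when it isolates the host rather than just logging.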


10) GandCrab

GandCrab is considered the most widespread multi-billion-dollar ransomware of 2018 and now of 2019. To avoid detection, the cybercriminals behind GandCrab have relied heavily on Microsoft Office macros, VBScript and PowerShell. GandCrab uses a ransomware-as-a-service (RaaS) model to maximize distribution, focusing primarily on email phishing. Ransom demands range from $500 to $600. According to a report from January 2018, GandCrab infected more than 48,000 nodes in one month. Despite all the efforts and successes in data recovery, the threat has not yet been overcome, as the criminal team continually makes changes. As of March 2019, 9 different variants of the ransomware were in circulation. Europol, in collaboration with the Romanian Police, the Attorney General and Bitdefender, hacked into GandCrab's servers to obtain the keys and created a tool that decrypts files for free for malware versions 1.4 to 5.1.


Fewer Attacks, Higher Success Rate

After presenting the most dangerous ransomware of recent years, it is important to note, however, that between 2018 and 2019 there has been a noticeable decline in attacks. The decline is considerable and has some underlying reasons. Ransomware attacks are increasingly tailored to specific targets and run by hand with sophisticated real-time command-and-control tooling, as in the SamSam and Ryuk cases. Targeted attacks hit a very small number of organizations but have a much higher success rate, so a lower number of attacks does not translate into a drop in the attackers' revenue. We must therefore remain vigilant and adopt security measures that can protect us from these increasingly sophisticated threats.

Find the best total security to prevent ransomware attacks and protect your data.