January 19, 2017
Ransomware has been the most prevalent cyber threat since 2005. However, recent events have proven that the threat is increasing significantly in both frequency and complexity – so much so that 2016 has been designated ‘the year of ransomware.’ In fact, according to ISTR’s Special Report on Ransomware and Business, “ransomware has quickly emerged as one of the most dangerous cyber threats facing both organizations and consumers, with global losses now likely running to hundreds of millions of dollars.” Attacks have become so sophisticated that even the FBI advises companies to just pay the ransom – a demand that has more than doubled since the end of 2015.
Further, the number of new ransomware families continues to increase and evolve, with strains now appearing and retiring every month, making it even more difficult for organizations to combat ransomware threats. For example, according to Symantec, TeslaCrypt was one of the most widespread ransomware variants in late 2015 and early 2016, only to cease operations last May.
In December, we projected that the ransomware problem would get worse in 2017. With 7 out of 10 malicious phishing and spear-phishing emails now carrying ransomware, ransomware protection is as challenging as ever. To help organizations stay up to date on current threats, we’ve outlined some of the most prevalent ransomware families of the moment:
- LOCKY: First detected in February 2016, Locky spreads through spam, typically as an email message, though it has recently been spreading via social media as well. Once a machine is infected, Locky scrambles and renames all important files with the extension .locky, with the attacker holding the decryption key for ransom. Its most famous victim to date has been Hollywood Presbyterian Medical Center, which shut down its IT systems in an attempt to remove the ransomware, delaying patient care in the process; the hospital was unable to remove the malware and ultimately paid the ransom. Last year we wrote about stopping a Locky attack targeting an Israeli defense company.
- CERBER: Cerber emerged in early March 2016 and, though a newer strain, has already made a significant impact, having recently been named one of the most lucrative ransomware-as-a-service (RaaS) platforms in the world. The ransom demand ranges from $513 to $1,026, and the malware is sophisticated enough to read the ransom note aloud to the victim.
- HDDCRYPTOR: This variant rewrites a computer’s Master Boot Record (MBR) and locks users out of their systems. First detected in September 2016, it was responsible for the attack on the San Francisco Municipal Transport Agency that demanded $70,000.
- PETYA AND MISCHA: This package combines two different approaches to encryption. Similar to HDDCryptor, Petya encrypts the Master File Table (MFT) and the MBR; where Petya is not successful, the Mischa variant is deployed and encrypts files individually. In addition, Petya and Mischa can work offline. The package was deployed as a RaaS program last July, with distributors paid based on how much money they can extort from their victims.
- CRYPTXXX: Discovered in April 2016, the new and improved CryptXXX extorted more than $45,000 in less than three weeks. Though researchers from Kaspersky Labs released a free tool to decrypt victims’ data without paying the ransom, the attackers have since updated the malware with much success.
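As an added illustration (not IRONSCALES code or any of the families’ own code), here is a small Python detector for the file-system symptom Locky leaves behind: a user’s files being renamed to the .locky extension in a burst. The event line format, the threshold and window, and the sample events are all constructed assumptions; only the .locky extension comes from the text above.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_EXTENSIONS = {".locky"}   # extension named in the text; extend per environment
THRESHOLD = 5                     # assumed tuning: renames within WINDOW that raise an alert
WINDOW = timedelta(seconds=60)

# Constructed sample of file-system rename events (not real telemetry), one per line:
# "<ISO timestamp> <user> <old path> <new path>"
SAMPLE_EVENTS = """\
2017-01-19T09:00:01 alice /home/alice/docs/budget.xlsx /home/alice/docs/A1B2C3D4E5F60001.locky
2017-01-19T09:00:02 alice /home/alice/docs/plan.docx /home/alice/docs/A1B2C3D4E5F60002.locky
2017-01-19T09:00:02 alice /home/alice/docs/notes.txt /home/alice/docs/A1B2C3D4E5F60003.locky
2017-01-19T09:00:03 alice /home/alice/docs/q4.pptx /home/alice/docs/A1B2C3D4E5F60004.locky
2017-01-19T09:00:04 alice /home/alice/docs/invoice.pdf /home/alice/docs/A1B2C3D4E5F60005.locky
2017-01-19T09:00:10 bob /home/bob/draft.txt /home/bob/final.txt
2017-01-19T09:05:00 carol /home/carol/old.locky /home/carol/old.locky.bak
2017-01-19T09:30:00 bob /home/bob/a.doc /home/bob/x.locky
"""

def parse_event(line):
    """Split one event line into (timestamp, user, old_path, new_path)."""
    ts, user, old, new = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, old, new

def detect_rename_bursts(events_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: count} for each user whose renames *to* a watched
    extension reach `threshold` within a sliding `window`.  Only the new
    path's extension is checked, so backing up an already-encrypted
    file (carol) or a single rename (bob) does not trigger an alert."""
    recent = defaultdict(deque)   # user -> timestamps of suspicious renames
    alerts = {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, user, _old, new = parse_event(line)
        if os.path.splitext(new)[1].lower() not in WATCHED_EXTENSIONS:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = len(q)        # report once per user, at first crossing
    return alerts

if __name__ == "__main__":
    print(detect_rename_bursts(SAMPLE_EVENTS))   # {'alice': 5}
```

In practice the events would come from an EDR agent or file-audit log rather than an inline string, and the alert would feed a response step such as isolating the host.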
While the prevalence of particular ransomware variants ebbs and flows, one thing is for certain – if you have email security that can prevent phishing and spear phishing, then you can prevent ransomware. Recognizing the ever-increasing ransomware threat in phishing attacks, IRONSCALES built a patent-pending, automatic email phishing response solution to analyze and remediate incoming threats in real time. With on-premises and cloud-based automatic server-side remediation, IRONSCALES can help remove ransomware emails even when a user is offline or not logged in. Our newest product, Federation, anonymously shares phishing attack intelligence with enterprises and organizations worldwide, enabling them to proactively defend their network gateways and endpoints from increasingly frequent and sophisticated phishing attacks.