Ransomware Attacks 2017 (so far)
The danger that ransomware attacks pose to individuals and organisations has long been a concern for cyber and information security professionals. Despite this, public appreciation and understanding of this threat have traditionally been limited. At its most basic, ransomware is malware that encrypts files or locks devices before demanding a ransom payment in return for restored functionality. If a victim chooses not to pay, their files or devices will most probably remain inoperative. Ransomware is not a new phenomenon; the first recorded attack dates back as far as 1989. It is, however, a threat that is gaining prominence as we become increasingly dependent on the data stored on computers and mobile devices. This dependence has been publicly exposed this year by several high-profile attacks, making 2017 the year in which the concept and threat of ransomware truly accelerated into public consciousness.
Most readers will have heard of WannaCry, which affected over 100,000 organisations and individuals worldwide in May. Other established threats such as Cerber and Locky have continued to plague users, generating huge revenue along the way. Ransomware can be a hugely effective financial operation for both cyber-criminals and nation states, and this year several newcomers have attempted to follow in the footsteps of Cerber and Locky. Below, Silobreaker’s Cyber Security & Risk Intelligence team provides a summary of some of the most prominent.
January: Spora Ransomware
First observed in early January, Spora was one of the first ransomware families to emerge in 2017. Its sophisticated nature prompted researchers to suggest that Spora was developed by experienced cybercriminals. Of particular note is its ability to encrypt files whilst offline, alongside an advanced ransom payment site that mirrors a well-known e-commerce site. Spora has proved highly resilient and has multiple distribution channels, including delivery as a payload of the Rig exploit kit. In late June an updated version emerged that includes AV evasion techniques. Researchers view Spora as an up-and-coming threat which may come to rival established malware such as Cerber and Locky.
February: Erebus Ransomware
Erebus was first observed in September 2016, targeting Windows systems via a malvertising campaign. While this first variant was not particularly harmful, it re-emerged in February this year in a significantly altered and far more advanced form. The new variant, which targets Linux systems, has incorporated the ability to bypass User Account Control (UAC), the Windows mechanism that requires authorisation before changes can be made to a device.
The threat posed by Erebus became clear in June, when it hit South Korean web hosting company NAYANA. The devastating attack infected 153 servers and, subsequently, more than 3,400 business websites hosted by the company. Although the precise infection vector is unknown, it is thought that Erebus may have exploited well-known vulnerabilities such as Dirty Cow to achieve infection. In order to mitigate the damage, NAYANA agreed to pay a ransom of $1.01 million to recover their servers, constituting what is thought to be the largest single ransomware payment ever.
May: Jaff Ransomware
Jaff ransomware emerged in May 2017, only days before the WannaCry attack, which led to the malware being somewhat under-reported. However, it deserves to be included in this summary for a multitude of reasons. Its distribution network is well known: it uses the Necurs botnet, which has previously been used to spread Locky ransomware and the Dridex banking trojan. This allowed Jaff to serve as the main payload in several large spam campaigns targeting users in China, India, Russia and Germany. Jaff has also received several upgrades, including efforts to make its ransom note look more professional. However, the threat posed by Jaff was significantly diminished in June, when researchers at Kaspersky developed a decryption key allowing victims to recover their files for free.
May: WannaCry Ransomware
Perhaps the most infamous ransomware incident of all time and certainly the most documented, WannaCry achieved worldwide notoriety after infecting between 200,000 and 300,000 victims in over 150 countries. Amongst its high-profile victims were the UK’s National Health Service, FedEx, Telefonica and Renault.
WannaCry utilised the leaked NSA exploit EternalBlue, which allowed it to spread across networks by targeting the Server Message Block (SMB) protocol, primarily affecting older Windows systems including Windows XP and Windows 8. However, despite its unprecedented reach, WannaCry failed to reap much financial reward. As of July, a bitcoin wallet set up for victims willing to pay the demanded $300 ransom held only $143,000, a comparatively small sum. This has led to speculation that the perpetrator, which some claim is the North Korean-linked Lazarus Group, was more interested in causing disruption than in monetary gain. Despite its notoriety, WannaCry is also a poorly designed piece of malware. It was halted when a British malware researcher registered a domain that caused an anti-analysis feature to kick in and bring an end to its rampage.
June: NotPetya
NotPetya (also referred to as Golden Eye, PetrWrap and ExPetr) burst onto the scene in late June, infecting thousands of individuals and large multinational companies such as WPP, A.P. Moller-Maersk and Cadbury. However, one of the most notable details regarding NotPetya is that it is not actually ransomware at all.
After its emergence in Ukraine, researchers initially believed that NotPetya was a new version of an older ransomware named Petya, or at least modelled heavily on it. It was soon discovered that NotPetya bore a closer resemblance to disk-wiping malware such as Shamoon, which is used for purely destructive purposes. This is based, in part, on the fact that after encrypting a victim’s files the malware does not store a decryption key, meaning that even if a ransom is paid, file recovery is not possible. NotPetya was part of a supply chain compromise that affected Ukrainian accounting software called M.E.Doc. This software pushed out updates containing the malicious payload, which then used EternalBlue to move laterally across networks. The same attack vector was likely used to push other malware, most notably the XData ransomware, which targeted mainly Ukrainian users beginning in early May.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.