
Ransomware Examples

Looking for ransomware examples? This post covers major ransomware attacks, their tactics, how ransomware has evolved, and how these attacks are handled. Discover essential tips on staying safe.

Quick Facts

  • Ransomware has come a long way from the 1980s to today and keeps getting more advanced, from the AIDS Trojan to WannaCry and DarkSide targeting critical infrastructure and big companies.
  • Recent ransomware delivery methods are phishing emails, RDP exploitation and supply chain attacks, so you need strong security and employee awareness training to mitigate the risks.
  • Preventing and recovering from ransomware attacks requires strategic practices like regular backups, endpoint protection, employee training and following a structured recovery process including isolating infected systems, notifying authorities and restoring from verified clean backups.

Old Ransomware

Ransomware has been around since the late 1980s and has been getting more advanced ever since. Old ransomware like the AIDS Trojan, GPCode and Archievus set the stage for modern cybercriminals. These early attacks were basic by today’s standards but showed the capability to disrupt and extort victims on a large scale. Each ransomware variant since then has introduced new propagation methods, encryption techniques and features like data theft and bug bounty programs, making the threat more severe over time.

[Image: Old Notorious Ransomware Groups]

AIDS Trojan

The AIDS Trojan, created by Joseph Popp in 1989, is considered the first known ransomware attack. Popp, a Harvard-educated biologist, distributed 20,000 floppy disks carrying the malware to attendees of the World Health Organization’s AIDS conference. The ransomware replaced a system file, hid directories and encrypted file names on the hard drive, making the computer unusable unless a ransom was paid. Victims were told to send $189 to a P.O. box in Panama to get the decryption key.

This first ransomware attack showed how malware could disrupt systems and extort money from victims. Although basic, the AIDS Trojan set the stage for future ransomware variants and showed how attackers could exploit software vulnerabilities for profit.

It was a precursor to the more advanced ransomware attacks of the following decades and shows how far ransomware has evolved since.

GPCode

GPCode ransomware appeared in 2004 and was another big milestone in ransomware history. This malware spread via email and targeted users through attachments and links. Unlike the AIDS Trojan, GPCode asked for smaller ransoms, so it reached a wider range of victims.

This showed the trend of using email as a delivery mechanism for ransomware and that trend continues.

Archievus

In 2006, Archievus ransomware emerged and targeted Windows systems with a more advanced approach. This ransomware used 1,024-bit RSA encryption to lock files on the infected system, making it much harder to decrypt without the right key. Victims were told to go to an online store to buy the decryption password, another sign of the evolving tactics of cybercriminals.

Archievus was the first sign of ransomware getting more advanced and the trend would continue.

Ransomware Attacks of the 2010s

The 2010s saw several big ransomware attacks that caused massive disruption and financial loss. These attacks, including NotPetya, CryptoLocker and WannaCry, showed the capability of ransomware to affect organizations and individuals globally. Each of them highlighted a different aspect of ransomware evolution, from delivery to impact.

Over the decade, how ransomware attacks have evolved includes the potential impact of government intervention and the increasing average discount

[Image: Ransomware attacks of 2010s]

CryptoLocker

CryptoLocker was active from September 2013 to late May 2014 and was one of the first big ransomware attacks to combine locker and crypto ransomware. This advanced malware spread via infected email attachments and the Gameover ZeuS botnet, targeting victims with malicious links and attachments. Once installed, CryptoLocker encrypted files on the victim’s computer and demanded a ransom payment in Bitcoin or via a prepaid cash voucher by a specified deadline.

CryptoLocker’s financial impact was massive, earning $27 million in its first two months. This was a big milestone in ransomware evolution and showed how combining different types of ransomware could maximize extortion. CryptoLocker’s success would pave the way for future ransomware variants and the ransomware threat landscape would continue to grow.

WannaCry

The WannaCry ransomware attack in 2017 was a global cyber attack that exploited the EternalBlue vulnerability (CVE-2017-0144) in the Server Message Block (SMB) protocol. This vulnerability was in outdated versions of Microsoft Windows operating systems and allowed the ransomware to spread across networks, affecting many sectors in 150 countries. The attack demanded a ransom of $300 to $600 to be paid in Bitcoin and caused $4 billion in damages worldwide.

WannaCry showed the importance of keeping systems up to date and patched to prevent ransomware attacks. It also showed the capability of ransomware to affect critical infrastructure, as seen in the widespread disruption it caused. WannaCry is one of the best-known ransomware attacks and is often mentioned alongside other big attacks like NotPetya and CryptoLocker.

NotPetya

NotPetya was first detected in 2017 and was the first ransomware that aimed to destroy data rather than collect ransom money. Unlike other ransomware that encrypts files for ransom, NotPetya would render files unrecoverable making it more destructive.

The attack was stealthy and caused heavy damage to the affected systems, showing that ransomware can be used in cyber warfare.

Recent Ransomware Attacks

In recent years we have seen big ransomware attacks on large organizations and critical infrastructure. Attacks surged by over 70% from 2022 to 2023. These attacks, including those by DarkSide, REvil and LockBit 3.0, have shown that ransomware gangs are getting more sophisticated and ambitious. By going after high-value targets they cause financial and operational disruption, and organizations need strong security measures in response.

How ransomware attacks are being handled has evolved, with increased government intervention and a rising average discount on ransomware payments

DarkSide

DarkSide is a ransomware group that targets big organizations and operates under a Ransomware-as-a-Service (RaaS) model, providing its ransomware to affiliates who carry out the attacks. In May 2021, DarkSide was behind the Colonial Pipeline attack, which caused widespread fuel supply disruption across the US. They demanded almost $5 million USD in cryptocurrency, which was paid to regain access to the systems.

This incident exposed the vulnerabilities in critical infrastructure and the damage ransomware can do.

REvil

REvil, also known as Sodinokibi, is known for big attacks and double extortion. The group has attacked many large victims including Acer, JBS USA and Kaseya.

By encrypting files and threatening to release stolen data, REvil has extracted large ransoms from its victims and shown how the tactics ransomware gangs use to deliver ransomware keep evolving.

LockBit 3.0

LockBit 3.0 was the biggest locker ransomware group in 2022 and is known for fast encryption and innovative tactics. In 2021 and 2022, LockBit was the most prolific gang targeting Australia. They introduced a bug bounty program, paying ethical hackers to find vulnerabilities in their ransomware code.

This approach made their malware more effective and showed the increasing sophistication of ransomware.

Ransomware Delivery Methods

Ransomware delivery methods have evolved over the years and are adapting to the advancements in technology and security. Some of the common delivery methods are:

  • Scare tactics and locking mechanisms
  • Sophisticated phishing emails
  • Remote Desktop Protocol (RDP) exploitation
  • Supply chain attacks

Attackers have been refining their methods to maximize the impact and reach of their ransomware attacks.

Phishing Emails

Phishing emails are still the primary delivery mechanism for ransomware, exploiting the ease of sending email and the effectiveness of social engineering. These emails are disguised as official corporate communication, commercial notifications or cloud service alerts and trick the recipient into opening malicious attachments or clicking on harmful links. Mass-mailed downloads or links in phishing emails can bypass anti-spam filters and are a very effective way to distribute ransomware.

Spear phishing is a more targeted approach in which attackers go after specific individuals within an organization with personalized and believable emails. This increases the chances of successful infiltration, as the recipient is more likely to trust and act on the seemingly legitimate communication. Notable ransomware like Ryuk and Spora has used phishing emails to gain initial access to the victim's network, showing the persistent threat of this delivery method.
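The indicators the two paragraphs above describe (a sender that does not match where replies or bounces go, an attachment type that can run code, and a link whose visible URL differs from its real target) can be checked mechanically before a message reaches a user. The following is an added example, not code from the original post or from Recorded Future; the sample email, the domains in it and the list of risky extensions are constructed, and the registrable-domain check is a naive two-label approximation rather than a public-suffix lookup.

```python
"""Triage one raw email for common phishing indicators (defender-side check)."""
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types commonly abused to deliver loaders. Assumption: adjust the
# set to match your own mail-filtering policy.
RISKY_EXTENSIONS = {".js", ".vbs", ".hta", ".iso", ".lnk", ".scr", ".exe", ".docm", ".xlsm"}

# Constructed sample message; every address and host in it is made up.
SAMPLE_EMAIL = """\
From: "Acme Billing" <billing@acme-corp.example>
Return-Path: <bounce@mail-delivery.example>
Reply-To: payments@acme-corp-invoices.example
To: jdoe@victim.example
Subject: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review <a href="http://acme-corp.example.evil-cdn.example/login">https://portal.acme-corp.example/invoice</a></p>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.js"
Content-Disposition: attachment; filename="Invoice_4471.js"
Content-Transfer-Encoding: base64

dmFyIGE9MTs=
--b1--
"""


def site_of(host):
    """Naive registrable-domain approximation: the last two DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else ""


def domain_of_address(header_value):
    address = parseaddr(str(header_value or ""))[1]
    return address.rpartition("@")[2].lower()


def analyze_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_site = site_of(domain_of_address(msg["From"]))

    # 1. Envelope sender or Reply-To pointing somewhere other than the claimed sender
    for header in ("Return-Path", "Reply-To"):
        if msg[header] and site_of(domain_of_address(msg[header])) != from_site:
            findings.append({"check": header.lower().replace("-", "_") + "_mismatch",
                             "detail": str(msg[header])})

    # 2. Attachments whose extension runs code or hides a payload (ISO, LNK)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            findings.append({"check": "risky_attachment", "detail": name})

    # 3. Links whose visible URL differs from where the href actually points
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        anchors = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html.get_content(), re.I | re.S)
        for href, inner in anchors:
            shown = re.sub(r"<[^>]+>", "", inner).strip()
            if "://" in shown or shown.startswith("www."):
                shown_url = shown if "://" in shown else "http://" + shown
                if site_of(urlparse(shown_url).hostname) != site_of(urlparse(href).hostname):
                    findings.append({"check": "link_mismatch", "detail": f"{shown} -> {href}"})

    verdict = "suspicious" if len(findings) >= 2 else "clean"
    return {"findings": findings, "verdict": verdict}


def triage_sample():
    return analyze_message(SAMPLE_EMAIL)


if __name__ == "__main__":
    result = triage_sample()
    print(result["verdict"])
    for finding in result["findings"]:
        print(f"  {finding['check']}: {finding['detail']}")
```

A Return-Path on a different domain is normal for mail sent through a bulk-mail provider, which is why the verdict requires two independent findings rather than one; in production this sort of check sits beside SPF, DKIM and DMARC results rather than replacing them.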

Remote Desktop Protocol (RDP)

Some ransomware attacks exploit unauthorized access to Remote Desktop Protocol (RDP) to get into the network. By brute-forcing RDP credentials, attackers can take control of target systems and deploy ransomware. This is especially concerning for organizations with poorly secured RDP services, as it lets attackers bypass traditional perimeter security and directly infect critical systems.
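Credential brute-forcing against RDP leaves a clear trail in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (event ID 4624) from the same address. The following detection is an added example and not code from the original post or from Recorded Future; it assumes the events have been exported to a pipe-separated text format, and the sample lines and IP addresses are constructed.

```python
"""Flag RDP password guessing from Windows Security log events (defender-side)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"       # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"      # Windows Security event: an account was successfully logged on
REMOTE_INTERACTIVE = "10"   # Logon Type 10 = RemoteInteractive, i.e. RDP

# Constructed sample export, one event per line, in an assumed pipe-separated
# format: timestamp|event_id|logon_type|target_account|source_ip
SAMPLE_LOG = """\
2024-03-01T02:00:01|4625|10|administrator|203.0.113.7
2024-03-01T02:00:09|4625|10|admin|203.0.113.7
2024-03-01T02:00:15|4625|10|backup|203.0.113.7
2024-03-01T02:00:22|4625|3|svc_sql|203.0.113.7
2024-03-01T02:00:30|4625|10|jsmith|198.51.100.4
2024-03-01T02:00:41|4625|10|root|203.0.113.7
2024-03-01T02:00:50|4625|10|user|203.0.113.7
2024-03-01T02:01:02|4625|10|jsmith|198.51.100.4
2024-03-01T02:01:10|4625|10|jsmith|203.0.113.7
2024-03-01T02:02:00|4624|10|jsmith|203.0.113.7
"""


def parse_event(line):
    ts, event_id, logon_type, account, src_ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "account": account, "src_ip": src_ip}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert on sources with at least `threshold` RDP failures inside `window`,
    and raise a higher-severity alert if such a source later logs on successfully."""
    recent_failures = defaultdict(deque)   # src_ip -> failure timestamps within the window
    flagged = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] != REMOTE_INTERACTIVE:
            continue                        # only RDP logons are of interest here
        ip = ev["src_ip"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()                 # slide the window forward
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "type": "rdp_bruteforce",
                               "src_ip": ip, "failures": len(q), "ts": ev["ts"].isoformat()})
        elif ev["event_id"] == SUCCESS_LOGON and ip in flagged:
            # A success after a guessing burst is the signal that matters most
            alerts.append({"severity": "high", "type": "rdp_success_after_bruteforce",
                           "src_ip": ip, "account": ev["account"], "ts": ev["ts"].isoformat()})
    return alerts


def run_sample():
    return detect_rdp_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The logon-type filter matters: the network logon (type 3) from the same address in the sample is ignored so the rule stays specific to RDP. Note that this detection is a backstop; the primary mitigation is not exposing RDP to the internet at all and requiring MFA or a VPN in front of it.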

Supply Chain Attacks

Supply chain attacks involve compromising software providers to get into multiple organizations through legitimate software updates. By targeting software vendors, attackers can propagate ransomware to many organizations whenever updates are released. This was seen in the Kaseya and SolarWinds attacks and shows the reach of supply chain attacks in spreading ransomware.

Ransomware Tactics

Ransomware gangs have developed many ways to maximize the impact of their attacks and pressure victims to pay the ransom. These include double extortion, triple extortion and hybrid cryptography, each adding layers to the victim’s decision-making process. A key element in these attacks is the delivery of an effective ransom note, which is the trigger for the victim to act.

Each of these tactics is covered below.

Double Extortion

Double extortion ransomware encrypts files and threatens to release stolen data if the ransom is not paid. The attacker both encrypts the victim’s data and exfiltrates it, then publishes the stolen information if the ransom is not paid. Double extortion has grown: at least 15 ransomware families were using this technique by 2020. REvil popularized the method by publicizing its victims and leaking stolen data to increase pressure.

The DarkSide ransomware group is another example of a cyber criminal organization using double extortion. During their attacks, they demand payment for file decryption and for not releasing exfiltrated sensitive data. This dual approach adds to the urgency and complexity of the ransom demand and makes it harder for the victim to ignore or mitigate the threat without significant consequences.

Triple Extortion

Triple extortion ransomware adds another layer of pressure by threatening the primary victim’s customers or partners with data exposure or service disruption. For example, AvosLocker ransomware uses Distributed Denial of Service (DDoS) attacks as part of its triple extortion strategy, threatening to disrupt services if the ransom is not paid. This affects not only the immediate victim but also other connected entities and increases the chances of ransom payment.

Hybrid Cryptography

Hybrid cryptography in ransomware combines multiple encryption algorithms to make decryption without paying the ransom harder. By layering encryption techniques, ransomware makes conventional recovery harder and pushes the victim to pay the ransom to regain access to their files.

This is another example of how ransomware developers are getting more technical.

Ransomware as a Service (RaaS) Groups

Ransomware as a Service (RaaS) has changed the ransomware landscape by allowing cybercriminals to rent ransomware for their own campaigns. This model has democratized access to ransomware tools and even those with limited technical skills can launch sophisticated attacks.

Examples of RaaS are GandCrab, Dharma and MedusaLocker, all of which contributed to the surge of ransomware attacks worldwide.

GandCrab

GandCrab ransomware:

  • Launched in January 2018
  • Most active ransomware from 2018 to 2019
  • Retired on June 1, 2019
  • The FBI released decryption keys in July 2019 so victims could recover their encrypted files without paying the ransom.

GandCrab’s success proved the RaaS model can spread ransomware globally.

Dharma

Dharma ransomware, also known as Crysis, operates under a RaaS model and is marketed and sold by multiple independent threat actors. It is updated frequently with new variants and is a persistent threat across all industries.

Dharma’s indiscriminate targeting and continuous updates show the challenges in fighting RaaS-based ransomware.

MedusaLocker

MedusaLocker:

  • First appeared in the wild in early October 2019
  • Adds to the growing list of RaaS offerings
  • Encrypts files and demands ransom for the decryption key
  • Uses advanced techniques to evade detection and maximize impact

MedusaLocker’s arrival shows the ongoing innovation in the ransomware-as-a-service market.

Business Impact

The business impact of ransomware comes as financial loss, data breaches and brand damage. Beyond the initial ransom payment, companies face additional costs for detection, response and recovery.

Knowing these impacts, businesses can develop strategies to protect against ransomware.

Financial Losses and Ransom Demand

Ransomware payments reached $1.1 billion in 2023, up from $567 million in 2022. These financial losses are on top of the costs of detection and response which can be huge.

For example, the average cost of a ransomware attack including detection and response was $5.13 million in 2023. The financial hit to businesses proves that investing in cybersecurity is key to preventing ransomware.

Data Breach

Ransomware attacks result in data breaches, exposing sensitive information and causing financial and reputational damage. In 2023, data breach complaints to the FBI increased by 33% and resulted in $534.4 million in losses. These breaches can lead to lawsuits and class-action suits and add to the financial burden of affected companies.

Brand Damage

Ransomware attacks get massive media attention and get immediate negative publicity that can damage a company’s reputation. Publicized ransomware attacks make customers and stakeholders lose trust in the affected company’s ability to protect sensitive data.

The damage to a business’s reputation can be long term so it’s crucial for organizations to respond transparently and quickly to ransomware attacks.

Preventing Ransomware

Preventing ransomware requires a multi-layered approach: regular backups, endpoint protection and employee training. Implementing these best practices reduces an organization’s exposure to ransomware and improves its overall cybersecurity.

Regular Backups

Regular backups are key to mitigating ransomware risks. Organizations should back up their most critical data at least once a day, following the 3-2-1 backup rule: keep three copies of data on two different storage types, with one copy offline. This way data can be restored quickly in case of a ransomware attack, minimizing downtime and financial loss.

Allan Liska says that:

for years and years, we as the security community have been beating it in people's heads

And it has finally started to sink in, with more and more people making sure they back up data and files to protect against ransomware.

Endpoint Protection

Deploying endpoint security solutions is key to detecting and blocking ransomware. Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) tools monitor and manage security for all remote devices, providing antivirus, data encryption, data loss prevention and intrusion detection.

These controls protect critical infrastructure and reduce the risk of ransomware infection.

Employee Training

Security awareness training helps employees recognize suspicious emails or attachments and follow safe web browsing practices. Basic cybersecurity knowledge among employees reduces the risk of ransomware by preventing common mistakes.

Regular training and phishing simulations can help reinforce these best practices.

Use a Threat Intelligence Solution Built for Ransomware Mitigation

Enhance your cybersecurity strategy with Recorded Future's Ransomware Mitigation Solution. This ransomware mitigation solution combines advanced threat intelligence with real-time data to help organizations proactively identify and neutralize ransomware threats swiftly.

By integrating threat intelligence into your security tools, you can protect critical data, minimize downtime, and reduce financial losses. It complements existing measures like regular backups, endpoint protection, and employee training, providing a comprehensive defense against ransomware.

Ransomware Recovery Steps

Recovering from a ransomware attack requires a step by step approach to minimize damage and get back to normal. Key steps are to isolate infected systems, notify authorities and restore from clean backups.

Following these steps will allow organizations to recover from ransomware attacks and minimize the overall impact.

Isolate Systems with Ransomware Infection

Immediately disconnect infected devices from all network connections (wired, wireless and mobile) to prevent the ransomware from spreading. If multiple systems are affected, taking the network offline at the switch level can help contain the infection and limit further damage.

Isolating affected systems is the first step in any ransomware recovery plan.

Notify Authorities

Report the ransomware incident to the following authorities:

  • Local police
  • Relevant cybersecurity agencies such as CISA
  • FBI Internet Crime Complaint Center (IC3)
  • US Secret Service

These authorities can provide guidance and support during the recovery process.

Notify the authorities according to your cyber incident response plan to engage all internal and external teams.

Restore from Backups

Before restoring from backups, make sure the backup is free from malware to avoid re-infection. Reconnect systems and restore data from offline, encrypted backups in order of priority of critical services. Only clean systems should be added to the new VLAN created for recovery, again to avoid re-infection.

These steps make the recovery process smoother.
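Two of the practices on this page, the 3-2-1 backup rule under Regular Backups and the "verify the backup is clean before restoring" step above, can both be made into checks that run before an incident rather than during one. The following is an added example, not code from the original post or from Recorded Future. It assumes a small catalog that records, for each copy of a backup set, its media type, whether it is offline, and its file contents, plus a manifest of SHA-256 hashes taken when the backup was made; all files, hashes and the incident scenario are constructed.

```python
"""Check a backup set against the 3-2-1 rule and verify a copy before restoring from it."""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" file contents captured when the backup was taken
GOOD_FILES = {
    "payroll.db": b"payroll records v1",
    "config.yaml": b"db_host: 10.0.0.5\n",
}

# Manifest of expected hashes. In practice store it apart from the data (or sign it)
# so an intruder who reaches the backup cannot rewrite the manifest to match.
MANIFEST = {name: sha256(data) for name, data in GOOD_FILES.items()}

# Constructed catalog of where the copies live: media type and whether offline
CATALOG = [
    {"name": "primary-nas", "media": "disk", "offline": False, "files": dict(GOOD_FILES)},
    {"name": "object-store", "media": "object-storage", "offline": False, "files": dict(GOOD_FILES)},
    {"name": "tape-vault", "media": "tape", "offline": True, "files": dict(GOOD_FILES)},
]


def check_321(catalog):
    """Return a list of 3-2-1 rule violations; an empty list means compliant."""
    problems = []
    if len(catalog) < 3:
        problems.append(f"only {len(catalog)} copies, need 3")
    if len({c["media"] for c in catalog}) < 2:
        problems.append("all copies on one media type, need 2")
    if not any(c["offline"] for c in catalog):
        problems.append("no offline copy")
    return problems


def verify_copy(copy, manifest):
    """Compare one copy's files with the manifest; returns (ok, issues)."""
    issues = []
    for name, expected in manifest.items():
        if name not in copy["files"]:
            issues.append(f"missing: {name}")
        elif sha256(copy["files"][name]) != expected:
            issues.append(f"hash mismatch: {name}")
    for name in sorted(set(copy["files"]) - set(manifest)):
        issues.append(f"unexpected file: {name}")   # e.g. renamed data or a dropped note
    return (not issues, issues)


def pick_restore_source(catalog, manifest):
    """Prefer offline copies, and return the first one that verifies clean."""
    for copy in sorted(catalog, key=lambda c: not c["offline"]):
        ok, _ = verify_copy(copy, manifest)
        if ok:
            return copy["name"]
    return None


def simulate_incident():
    """Constructed scenario: the online NAS copy was reached by the intruder and its
    files overwritten and renamed, with a note dropped; the tape copy is untouched."""
    catalog = [dict(c, files=dict(c["files"])) for c in CATALOG]
    catalog[0]["files"] = {
        "payroll.db.locked": b"\x00\x01 unreadable",
        "config.yaml.locked": b"\x00\x01 unreadable",
        "README_RESTORE.txt": b"your files are encrypted",
    }
    return {
        "rule_violations": check_321(catalog),
        "nas_check": verify_copy(catalog[0], MANIFEST),
        "restore_from": pick_restore_source(catalog, MANIFEST),
    }


if __name__ == "__main__":
    outcome = simulate_incident()
    print("3-2-1 violations:", outcome["rule_violations"] or "none")
    print("primary-nas verification:", outcome["nas_check"])
    print("restore from:", outcome["restore_from"])
```

Hash verification tells you the copy is the one you made, not that it is malware-free: a backup taken after the intruder's initial access can faithfully preserve their tooling, which is why the restore step above also calls for scanning the backup and bringing only clean systems onto the recovery VLAN.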

Ransomware Future

As ransomware evolves, future attacks will be more sophisticated and more targeted, and governments will intervene more. Understanding these trends helps organizations anticipate and prepare for potential ransomware threats and stay ahead of cyber attackers.

Additionally, how ransomware attacks are expected to evolve includes the potential impact of government intervention and the increasing average discount on ransomware payments.

Increased Sophistication

Ransomware is becoming more sophisticated with the use of artificial intelligence (AI) tools. AI tools may allow ransomware to encrypt more effectively, making traditional decryption harder, and to better identify high-value targets, making attacks more profitable.

This sophistication requires advanced security.

Targeted Attacks

Ransomware campaigns will focus more on critical sectors like healthcare, finance and government entities because of their high-value data. The industrial sector is still a top target because of the large amount of sensitive data it stores. These targeted attacks emphasize the need for robust security and incident response plans tailored to the specific needs of these high-risk sectors.

Government Intervention

Increased law enforcement action against ransomware is a good step forward. Governments are starting to work together internationally to form coalitions to disrupt ransomware networks and trace cryptocurrency payments. This collective effort is key to fight global ransomware and protect critical infrastructure.

Summary

Ransomware has gone from a simple encryption tool to a sophisticated threat that can take down entire organizations. CryptoLocker, WannaCry and NotPetya are examples of the devastating impact of ransomware. Recent high profile attacks show the ongoing threat. Knowing how ransomware is delivered and the techniques used (double and triple extortion) is key to developing prevention and recovery strategies.

As ransomware evolves, organizations must be always on and proactive in their security. Regular backups, comprehensive endpoint protection and employee training are the foundation of a robust defense against ransomware.

Book a demo today with Recorded Future and see how our Ransomware Mitigation Solutions can strengthen the security of your organization.
