AbleToTrain by Willing & Able

Examples of ransomware attacks

There are thousands of ransomware strains. Below are some that have had worldwide impact and caused widespread damage. 

WannaCry 

WannaCry, first seen in May 2017, is an entry-level ransomware with a self-propagating (worm) component that exploits a vulnerability in the Windows SMB protocol to infect other computers on the network without any user action. It is packaged as a dropper, a self-contained program that extracts the encryption/decryption application, files containing the encryption keys, and a Tor communication program. The code is not obfuscated, so it is relatively easy to detect and remove. 

Locky 

Locky can encrypt over 160 file types, primarily files used by designers, developers, engineers and testers. First released in 2016, it is distributed mainly via exploit kits or phishing: the attacker sends an email urging the user to open a Microsoft Word or Excel attachment that contains malicious macros, or a ZIP file that installs the malware once extracted. 

CryptoLocker 

CryptoLocker first appeared in 2013 and affected over 500,000 computers. It usually infects a computer via email attachments, file-sharing sites and unprotected downloads. In addition to encrypting files on the local computer, it scans mapped network drives and encrypts every file it has write permission to. Newer CryptoLocker variants can evade older antivirus software and firewalls. 

Petya and NotPetya 

Petya is ransomware that infects a computer and encrypts the Master File Table (MFT) of the hard drive. This makes the entire disk inaccessible even though the individual files themselves are not encrypted. Petya was first seen in 2016 and was distributed via fake job application emails linking to an infected file stored in Dropbox. It only affected Windows computers. 

Petya needs the user to approve a prompt granting it permission to make administrator-level changes. If the user agrees, it displays a fake system crash and disk-repair screen while the computer restarts and the MFT is encrypted in the background; a ransom note is then displayed. The original Petya had limited success, but a newer variant, named NotPetya by Kaspersky Lab, proved far more dangerous: it carries a propagation mechanism that lets it spread without human intervention.

NotPetya initially spread through a backdoored update of an accounting software package widely used in Ukraine, and then used the Windows SMB exploits EternalBlue and EternalRomance to move to other machines. NotPetya encrypts not only the MFT but also other files on disk. Although the data is encrypted rather than simply wiped, it is effectively irreparably corrupted: the attackers have no way to recover the per-victim key, so victims who pay the ransom cannot get their data back. 

Ryuk 

Ryuk infects computers via phishing emails or drive-by downloads. It uses a dropper to extract a trojan onto the victim's computer and establish a persistent connection to the attacker's infrastructure. Attackers can use Ryuk as the foothold for an Advanced Persistent Threat (APT): they install additional tools such as keyloggers, escalate privileges and move laterally. Ryuk is then installed on every additional system the attacker gains access to. The attacker plants the trojan on as many computers as possible and only then activates the locker ransomware to encrypt the files; in Ryuk campaigns, the ransomware is just the final stage.

GandCrab 

GandCrab was released in 2018. It has been used in ransomware-based extortion attacks that encrypt files on users' computers, demand a ransom, and threaten to reveal the victims' pornographic habits. There are several versions, all targeting Windows computers. Free decryptors are now available for most GandCrab versions.

How does ransomware work? 

Once a device has been exposed to the malicious code, a ransomware attack typically proceeds as follows: 

  1. Infection – The ransomware is secretly downloaded and installed on the device. It may remain dormant until the device (or the organisation) is at its most vulnerable before launching the attack. 
  2. Execution – The ransomware maps the locations of the files it will target. Some strains also delete or encrypt backup files and folders (including volume shadow copies) so that the victim cannot simply restore. 
  3. Encryption – The ransomware obtains an encryption key, typically by generating a per-victim key and exchanging it with, or encrypting it to a public key from, the command-and-control server. It then encrypts every file found during the execution step and blocks access to the data.
  4. User notification – The ransomware drops instruction files describing the pay-for-decryption process and uses them to display the ransom note to the user. 
  5. Cleanup – The ransomware usually terminates and removes itself, leaving only the payment instructions. 
  6. Payment – The victim receives further instructions on how to pay the ransom. Tor hidden services are commonly used to wrap these communications and avoid detection by network traffic monitoring. 
  7. Decryption – After the victim pays the ransom, usually to a Bitcoin address supplied by the attacker, the victim may (or may not) receive the decryption key.
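The steps above are also the detection surface a defender works with. The following is an added example (not code from the original page or from any of the malware families discussed): a small behavioural detector run over constructed endpoint telemetry. The event format, field names, thresholds, note-filename hints and command-line patterns are assumptions made for this demo, and the sample events are constructed rather than captured from a real incident. It flags backup destruction (step 2), a burst of high-entropy file rewrites (step 3), the same ransom-note filename dropped into several directories (step 4) and a Tor process start (step 6), then calls a process "ransomware" once two distinct stages fire.

```python
"""Behavioural ransomware detector over constructed endpoint telemetry.

Added example, not code from the original page. Event format, field names,
thresholds and indicator strings are assumptions for this demo; the sample
events are constructed, not captured from a real incident.
"""
import hashlib
import math
from collections import Counter, defaultdict

# Command-line fragments that, taken together, indicate backup/recovery destruction.
BACKUP_KILL_PATTERNS = [
    ("vssadmin", "delete shadows"),
    ("wbadmin", "delete catalog"),
    ("bcdedit", "recoveryenabled no"),
    ("wmic", "shadowcopy delete"),
]
# Words commonly found in ransom-note filenames (assumption for the demo).
NOTE_NAME_HINTS = ("decrypt", "readme", "recover", "restore", "how_to")
STAGE_KEYS = ("backup destruction", "mass high-entropy", "ransom note", "tor")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext approaches 8.0, plain text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudorandom_bytes(seed: int, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain), constructed for the demo."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


def detect(events, window=60.0, burst=20, entropy_threshold=7.0):
    """Return {pid: [alert, ...]} for every process that trips at least one stage."""
    alerts = defaultdict(list)
    writes = defaultdict(list)                      # pid -> [(ts, entropy)]
    notes = defaultdict(lambda: defaultdict(set))   # pid -> basename -> {directory}
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["kind"] == "proc":
            cmd = ev["cmd"].lower()
            for parts in BACKUP_KILL_PATTERNS:
                if all(p in cmd for p in parts):
                    alerts[pid].append(f"backup destruction: {ev['cmd']}")
            exe = cmd.split()[0].replace("\\", "/").rsplit("/", 1)[-1]
            if exe in ("tor", "tor.exe"):
                alerts[pid].append(f"tor process started: {ev['cmd']}")
        else:
            directory, base = ev["path"].replace("\\", "/").rsplit("/", 1)
            writes[pid].append((ev["ts"], shannon_entropy(ev["data"])))
            if any(h in base.lower() for h in NOTE_NAME_HINTS):
                notes[pid][base].add(directory)
    # Stage: many high-entropy writes by one process inside a sliding time window.
    for pid, ws in writes.items():
        high = [ts for ts, ent in ws if ent >= entropy_threshold]
        for i, t0 in enumerate(high):
            if sum(1 for t in high[i:] if t - t0 <= window) >= burst:
                alerts[pid].append(f"mass high-entropy rewrite: {burst}+ files within {window:.0f}s")
                break
    # Stage: the same note-like filename dropped into several directories.
    for pid, names in notes.items():
        for base, dirs in names.items():
            if len(dirs) >= 3:
                alerts[pid].append(f"ransom note dropped in {len(dirs)} dirs: {base}")
    return dict(alerts)


def classify(alerts):
    """A pid is 'ransomware' once two or more distinct stages fire, else 'suspicious'."""
    return {
        pid: ("ransomware" if len({k for k in STAGE_KEYS for r in reasons if r.startswith(k)}) >= 2
              else "suspicious")
        for pid, reasons in alerts.items()
    }


# Constructed sample telemetry: pid 4100 is the ransomware, 4200 a Tor helper it
# spawned, 900 an ordinary editor. "data" is the content written to "path".
SAMPLE_EVENTS = [
    {"ts": 0, "kind": "proc", "pid": 4100, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 1, "kind": "proc", "pid": 4100, "cmd": "wbadmin delete catalog -quiet"},
    {"ts": 2, "kind": "proc", "pid": 4100, "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ts": 3, "kind": "proc", "pid": 4200, "cmd": "C:\\Users\\alice\\AppData\\Local\\Temp\\tor.exe"},
    {"ts": 11, "kind": "file", "pid": 900, "path": "C:\\Users\\alice\\Docs\\notes.txt",
     "data": b"meeting notes for monday\n" * 8},
]
for i in range(40):   # 40 documents rewritten as ciphertext-like data within ~4 seconds
    SAMPLE_EVENTS.append({"ts": 5 + i * 0.1, "kind": "file", "pid": 4100,
                          "path": f"C:\\Users\\alice\\Docs\\report{i}.docx.locked",
                          "data": pseudorandom_bytes(i, 4096)})
for d in ("Docs", "Pictures", "Desktop"):
    SAMPLE_EVENTS.append({"ts": 10, "kind": "file", "pid": 4100,
                          "path": f"C:\\Users\\alice\\{d}\\README_DECRYPT.txt",
                          "data": b"Your files are encrypted. Pay to the address below.\n"})

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for pid, verdict in classify(found).items():
        print(pid, verdict)
        for reason in found[pid]:
            print("   ", reason)
```

Two design points matter in practice: the entropy burst is scoped per process and per time window, because a backup or compression job also writes high-entropy data but rarely alongside shadow-copy deletion or note drops, and the verdict requires two independent stages so that a single indicator (a legitimate Tor client, or an administrator cleaning up shadow copies) does not page anyone on its own.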