The History of Ransomware

Logethica
Jun 24, 2016
Surprisingly long history

Ransomware has been the most pervasive cyber threat since 2005. According to publicly available information, ransomware infections have outnumbered data breaches 7,694 to 6,013 over the past 11 years.

Over the years there have been two distinct varieties of ransomware which remain consistent: crypto and locker based. Crypto-ransomware refers to variants that actually encrypt files, folders, hard drives, etc., whereas locker-ransomware only locks users out of their devices, and is most often seen in Android-based ransomware.

New-age ransomware involves a combination of advanced distribution efforts, such as pre-built infrastructures used to easily and widely distribute new strains, as well as advanced development techniques, such as using crypters to ensure reverse-engineering is extremely difficult. Additionally, the use of offline encryption methods is becoming popular, in which ransomware takes advantage of legitimate system features such as Microsoft’s CryptoAPI, eliminating the need for Command and Control (C2) communications.

Terrance DeJesus of Solutionary's Security Engineering and Research Team (SERT) takes a look back at the highlights and the evolution of ransomware throughout the years...

The very first ransomware virus, the AIDS Trojan, was created by Harvard-trained Joseph L. Popp in 1989. 20,000 infected diskettes were distributed to the World Health Organization’s international AIDS conference attendees. The Trojan’s main weapon was symmetric cryptography. It didn’t take long for decryption tools to recover the file names, but this effort set in motion almost three decades of ransomware attacks.

Almost two decades (17 years) after the first ransomware malware was distributed, another strain was released. Unfortunately, this new strain was much more difficult to remove and used RSA encryption for the first time in ransomware history. The Archiveus Trojan encrypted everything in the “My Documents” directory on a system and required users to make purchases from specific websites to obtain the password to decrypt the files. Archiveus was also the first known ransomware variant to use asymmetric encryption.

Jump five years and mainstream anonymous payment services make it much easier for hackers using ransomware to collect money from their victims without revealing their identity. Product-related ransomware Trojans began to go mainstream that same year. A Trojan ransomware that mimicked a user’s Windows Product Activation notice informed users that their system's Windows installation had to be re-activated due to fraud. A fake online activation option was offered but was ultimately a dead end for the users trying to resolve their issue, requiring users to call an international number. The malware claimed that this call would be free, but the call was actually routed through a rogue operator who placed the call on hold, causing the user to incur large international long-distance charges to go along with their ransomware infection.

A major ransomware Trojan known as Reveton began to spread throughout Europe. Based on the Citadel Trojan, the piece of ransomware claimed the computer under attack had been used for illegal activities and that in order to unlock the system the user would be required to pay a fine using a voucher from an anonymous prepaid cash service. In some strains, the computer screen displayed footage from the computer’s webcam to give the illusion that the ‘criminal’ was being recorded. Shortly after this incident, there was a flurry of “police-based” ransomware including Urausy and Tohfy.

Researchers discovered new variants of Reveton in the United States, claiming to require the payment of a $200 fine to the FBI using a MoneyPak card.

September 2013 was a pivotal moment in ransomware history as CryptoLocker was born. CryptoLocker was the first cryptographic malware spread by downloads from a compromised website and/or sent to business professionals in the form of email attachments made to look like customer complaints. CryptoLocker infections spread rapidly because threat actors leveraged the already existing GameOver Zeus botnet infrastructure. Operation Tovar in 2014 put a halt to the GameOver Zeus Trojan and CryptoLocker campaigns by targeting the peer-to-peer infrastructure used for distribution and support.

CryptoLocker uses AES-256 to encrypt files with specific extensions, then uses a 2048-bit RSA key generated by the command-and-control (C2) server to encrypt the AES-256 key. C2 servers were established on Tor networks. This made decryption difficult as attackers kept the RSA public key on their C2 servers. Hackers using CryptoLocker would threaten to delete the private key if payment was not received within three days.

In 2014, CryptoDefense, a ransomware that used Tor and Bitcoin for anonymity and 2048-bit RSA encryption, was released. CryptoDefense used Windows’ built-in encryption CryptoAPIs, and the private key was stored in plain text on the infected computer - a flaw that was unfortunately not immediately discovered.

The same creators of CryptoDefense shortly rolled out an improved version dubbed CryptoWall. Unlike CryptoDefense, CryptoWall doesn’t store the encryption key where the user can get to it. CryptoWall became a widespread issue as it used the aggressive Cutwail email spam campaign, which mainly targeted the United States. CryptoWall has also been delivered via exploit kits such as Angler, and was found to be the final payload downloaded during Upatre campaigns. CryptoWall has had several active campaigns, all conducted by the same threat actor, who tracked them by unique IDs. CryptoWall showed an advancement in malware development because of its ability to establish persistence by adding additional registry keys and copying itself to startup folders. In 2015, the Cyber Threat Alliance published a report on a globally spread CryptoWall campaign that netted roughly $325 million. This CryptoWall campaign required an expansive infrastructure containing over four tiers to operate.

Sypeng can be considered the first Android-based ransomware that locked the screen of victims with an FBI penalty warning message. Sypeng was delivered via fake Adobe Flash updates in SMS messages. MoneyPaks worth $200 were expected for payment.

Koler ransomware was extremely similar to Sypeng in that it used fake “police” penalties and demanded MoneyPaks for ransom. Koler can be considered the first “Lockerworm” in that it contained self-propagating techniques in which it would send customized messages to everyone in a phone’s contact list, pointing them to a specific URL to be downloaded again, then locking them out of their systems.

Unlike other variants of its past, CTB-Locker communicated directly with the C2 server in Tor, versus having a multi-tiered infrastructure made up of proxies, botnets, multiple Bitcoin wallets, etc. It was also one of the first ransomware variants to begin deleting Shadow Volume Copies on Windows machines. In 2016, CTB-Locker was updated to specifically target websites.

SimplLocker was also discovered in 2014. It was considered to be the first “crypto-based” ransomware for Android mobile devices in that it encrypted files and folders versus simply locking the user out of their phone.

An aggressive Android ransomware strain started to spread across America in September of last year. Security researchers at ESET discovered the first real example of malware capable of resetting the PIN of your phone to permanently lock you out of your own device. Dubbed LockerPin, the ransomware changes the infected device's lock screen PIN code and leaves victims with a locked mobile screen. LockerPin then demanded $500 to unlock the device.

Ransomware-as-a-Service (RaaS) started in 2015. These services typically included user-friendly ransomware kits which could be purchased on underground markets. Typically selling for $1,000 to $3,000, buyers shared roughly a 10 percent to 20 percent cut of their profits with the seller. Tox is often considered the first and most widely distributed RaaS toolkit/ransomware.

TeslaCrypt appeared in 2015 as well and would go on to be a persistent threat as developers made roughly four versions. It was first distributed via Angler exploit kits and grew to be distributed by others. TeslaCrypt used AES-256 to encrypt files, then RSA-4096 to encrypt the AES private key. C2 domains within Tor were used for payment and distribution efforts. Included in its infrastructure were multiple tiers, including proxy servers. TeslaCrypt itself was highly advanced, containing functions which allowed resiliency and persistence on victim machines. In 2016, TeslaCrypt authors gave up their master decryption key to ESET.

LowLevel04 ransomware was discovered in 2015, targeting Remote Desktop and Terminal Services. Unlike other ransomware campaigns, attacks were done manually by attackers, who remoted into servers and mapped out internal systems and drives before manually distributing the ransomware. In this case, attackers were observed deleting application, security and system logs.

Chimera ransomware was discovered towards the end of 2015. Considered to be the first “doxing” ransomware of its kind, Chimera threatened to publish sensitive or private files online to the public. Chimera used Bitmessage’s P2P protocol for communication to C2s. It turned out these C2s were just Bitmessage nodes.

Ransom32 was discovered and considered to be the first ransomware written in JavaScript. The malware itself was extremely large compared to others, coming in at 22MB. It used NW.js, which allowed it to process and execute actions similar to other ransomware written in C++ or Delphi. Ransom32 was considered a game changer because it could theoretically work on multiple platforms such as Linux, Mac OSX, and Windows.

7ev3n ransomware has become publicly known in the past few months. At 13 bitcoins, it probably demands the highest ransom yet. 7ev3n ransomware not only performed the typical encryption-then-ransom demands, but also trashed Windows systems as well. The malware developers seemed to be heavily focused on ensuring 7ev3n had the capabilities to destroy any possible way of recovering encrypted files. 7ev3n-HONE$T was released shortly after, lowering the ransom demand and adding some efficient functionalities.

During 2016, the malware authors of EDA2 and Hidden Tear publicly released the source code on GitHub, claiming that doing so was for research purposes. Those who discovered it quickly copied the code and made custom changes, causing a huge spike in random variants to appear.

The infamous Locky ransomware was discovered in 2016 as well. Locky quickly began to spread via aggressive phishing campaigns and by leveraging the Dridex infrastructure, which was already spread globally. Locky also made headlines for infecting multiple hospitals based in Kentucky, California, Kansas and foreign regions. Threat actors quickly discovered that infecting systems tied to necessary facilities within healthcare paid off, as multiple hospitals quickly paid the ransoms, thus starting a trend of phishing emails that led to ransomware downloads in the healthcare industry.

SamSam or SAMAS ransomware was observed being distributed specifically to vulnerable JBoss servers. At first, threat actors performed reconnaissance against JBoss servers using a tool known as JexBoss, before exploiting vulnerabilities and installing SamSam. Unlike others, SamSam included a channel so attackers could communicate in real time directly with their victims via a .onion website.

The first official Mac OSX-based ransomware, KeRanger, was discovered in 2016, delivered via a Transmission BitTorrent client for OSX. The ransomware was signed with a Mac development certificate, allowing it to bypass Apple’s Gatekeeper security software.

Petya became popular in 2016 as it was being delivered via Dropbox and overwrote the Master Boot Record (MBR) of infected machines, then encrypted the physical drive itself. It also used a fake CHKDSK prompt while encrypting the drive. If the payment of $431 was not received within seven days, the payment doubled. Petya was updated to include a second payload, which turned out to be the Mischa ransomware variant, which did not encrypt the hard drive.

Maktub was discovered as well in 2016, proving to researchers that ransomware developers were attempting to create extremely advanced variants. Maktub was the first of its kind to use a crypter, which is software used to hide or encrypt the source code of malware. Instead of using C2s for retrieving and storing encryption keys, Maktub performed the encryption offline using Windows CryptoAPI.

The Jigsaw ransomware became the first of its kind in which the ransom note contained the popular Jigsaw character from the movie series SAW. It also threatened to delete a file every 60 minutes if the $150 ransom was not paid. Additionally, if a victim attempted to stop the process or restart their machine, it then deleted 1,000 files.

As of the end of May 2016, CryptXXX is the latest ransomware variant being heavily distributed. Researchers suggest that it is connected to the Reveton ransomware variant because of similar footprints during the infection period. CryptXXX is spread via multiple exploit kits, primarily Angler, and is typically observed after Bedep infections. Included functionalities are, but are not limited to, anti-sandbox detection, mouse activity monitoring capabilities, custom C2 communication protocols and payment through Tor.

Microsoft released an article detailing a new ransomware variant named ZCryptor. Besides functionalities adapted from its predecessors, such as encrypting files, adding registry keys for persistence and so forth, ZCryptor can be considered one of the very first “cryptoworms”. Distributed through spam email, ZCryptor has self-propagating techniques to infect external devices and other systems on the network, encrypting every machine and shared drive as well.

What is the future of ransomware?...
Go to the link at the top of the page to find out what is predicted.

Fellow MT Members...
What software do you trust your protection from ransomware to?
Have you had (or know someone who has had) any encounters with the above ransomware (or others)?..
..If yes, then was it by accident or through testing?..
 

Der.Reisende
Dec 27, 2014
Great share, thank you :)

I use both HMP.A (shut down for Malware HUB participation) and Emsisoft Internet Security for protection.
I encountered TeslaCrypt (the one with .mp3 extension) when playing (within SD protected environment) with both ZAM and HMP.A. Both were able to detect, but not to stop encryption at that time somehow.
Since that time, Qihoo 360 TS and now EIS 11 were able to stop every sample (note I had one Locky sample malfunctioning (so not encrypting) lately when Qihoo 360 TS HIPS were not working for some reason).
 

Logethica
Jun 24, 2016
You are welcome @Der.Reisende ...and thank you for the interesting reply :)
 

DardiM
May 14, 2016
Thanks for the share :)

17 years between the first and second ransomware :eek:
It has become so lucrative since then that it's growing and growing ... in a few years (exponential?)
(At least a physical object explodes at the end ... but ransomware...)
 

Logethica
Jun 24, 2016
Thanks @DardiM :) ...and to think, we were both just babies when it first started ;)
 

DardiM
May 14, 2016
No, because there was an error in my birthday when I registered (I don't even remember having entered this info) :) I'm 44 years old (May 29, 1972).
So the way it has evolved in a few years makes me wonder what the future of malware, and of security, will be :rolleyes:

To answer your questions from your thread:

I first trust myself => I never run any unknown/new file on my PC before the steps below ;)

- I use KTS and cloud-based scanners

If the file isn't seen as malware:
=> I like to analyse it myself to see what it does, with Shadow Defender activated (with several monitoring tools, or by editing it if the file is a script).

If the file is seen as malware:
=> same as above, lol

I saw some of the ransomware you have cited, but never got infected or saw a person around me infected. I use a free e-mail account specially to receive new malware waves :) (not my personal one, of course :p )
 
Last edited:

Logethica

Level 13
Thread author
Verified
Top Poster
Well-known
Jun 24, 2016
636
No, because there was an error in my birthday when I registered (I don't even remember having entered this info) :) I'm 44 years old (May 29, 1972)
Now I know when to get the cake and candles ready ;)

Thank you for that information. I am interested in MT members' experiences such as yours...
I am glad that you have not been infected :)
 
Last edited:

Logethica

Level 13
Thread author
Verified
Top Poster
Well-known
Jun 24, 2016
636
Ransomware threat on the rise as 'almost 40% of businesses attacked'

Security firm Malwarebytes surveyed 500 companies in four countries and found one-third of victims lost revenue as a result of an attack

Ransomware is fast becoming a ubiquitous security threat, with nearly 40% of all businesses experiencing an attack in the past year, according to research from computer security firm Malwarebytes. The figure is even worse in Britain, where 54% of surveyed businesses had been targeted with such an attack.

The group surveyed IT heads at over 500 companies in four countries, and found that more than one-third of the ransomware victims lost revenue as a result of the attack.

Although not new, ransomware has rapidly risen in popularity as a method of attacking businesses and other large organisations. The term refers to a number of versions of malicious software which take control of a target's computer and then encrypt all the data on it, rendering it inaccessible. The software's developers then demand a payment, typically in a digital currency such as bitcoin, in exchange for handing over the encryption keys.

The ransom demanded can be huge: one-fifth of British companies who had been hit by ransomware reported being charged more than $10,000 to unlock their files, and 3% of the demands were in excess of $50,000.

But just as many are low figures, with one-fifth coming in at under $500, which goes some way to explaining why so many businesses pay up. Malwarebytes’ research suggests that over half the businesses hit by ransomware in the UK will eventually pay, but the figure varies wildly internationally: 97% of American businesses didn’t pay the ransom, while 75% of Canadian ones did. The researchers suggest that in Britain, “infections tend to be more widespread … than they are in other nations, and ransomware had much more of an impact on the ability of UK-based organisations in terms of their loss of revenue resulting from the attacks.”

The difference may also be down to the response of police. American law enforcement organisations have been outspoken against victims paying ransoms to retrieve their data. The FBI’s cyber division assistant director, James Trainor, said “Paying a ransom doesn’t guarantee an organisation that it will get its data back—we’ve seen cases where organisations never got a decryption key after having paid the ransom.

“Paying a ransom not only emboldens current cyber criminals to target more organisations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organisation might inadvertently be funding other illicit activity associated with criminals.”...

Continue reading this article at the link at the top of this post.
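The article above describes the crypto-ransomware pattern: files are overwritten with ciphertext en masse, so from a defender's view the observable is a sudden burst of large, near-random writes. The script below is an added illustration, not code from the article, Malwarebytes or this thread: it scores each write by Shannon entropy and raises an alert only when several high-entropy writes land inside a short window, which keeps an ordinary compressed photo or archive from tripping it on its own. The event stream, the `.locked` file names and all thresholds are constructed for the demo.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import List

# Tunables for the toy detector (constructed values, not from any product).
HIGH_ENTROPY_BITS = 7.5   # ciphertext/random data approaches 8.0 bits per byte
MIN_SIZE = 512            # tiny files give unreliable entropy estimates
BURST_THRESHOLD = 5       # suspicious writes needed inside one window
WINDOW_SECONDS = 10.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    ts: float       # seconds since monitor start
    path: str
    content: bytes


def looks_encrypted(ev: WriteEvent) -> bool:
    """Heuristic: large and near-uniform. Compressed media also trips this,
    which is why a single hit is never an alert by itself."""
    return len(ev.content) >= MIN_SIZE and shannon_entropy(ev.content) >= HIGH_ENTROPY_BITS


def detect_burst(events: List[WriteEvent]) -> List[WriteEvent]:
    """Slide a time window over the suspicious writes and return the first
    window that reaches BURST_THRESHOLD, or [] when no burst occurs."""
    suspicious = sorted((e for e in events if looks_encrypted(e)), key=lambda e: e.ts)
    start = 0
    for end in range(len(suspicious)):
        while suspicious[end].ts - suspicious[start].ts > WINDOW_SECONDS:
            start += 1
        if end - start + 1 >= BURST_THRESHOLD:
            return suspicious[start:end + 1]
    return []


def _pseudo_ciphertext(seed: int, size: int) -> bytes:
    """Deterministic stand-in for encrypted output (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


PLAINTEXT = b"Quarterly revenue summary, see attached spreadsheet for details.\n" * 20

# Constructed event stream: normal edits and one compressed photo (isolated,
# so no alert), then a burst of high-entropy overwrites with renamed files.
SAMPLE_EVENTS = [
    WriteEvent(0.0, "docs/report.txt", PLAINTEXT),
    WriteEvent(2.5, "docs/notes.txt", PLAINTEXT[:700]),
    WriteEvent(4.0, "docs/photo.jpg", _pseudo_ciphertext(1, 4096)),
] + [
    WriteEvent(100.0 + i * 0.3, f"docs/file{i}.docx.locked", _pseudo_ciphertext(10 + i, 2048))
    for i in range(8)
]


def run_demo() -> int:
    """Print the alerting window and return how many writes it contains."""
    burst = detect_burst(SAMPLE_EVENTS)
    for e in burst:
        print(f"t={e.ts:6.1f}s  {e.path}  entropy={shannon_entropy(e.content):.2f}")
    return len(burst)


if __name__ == "__main__":
    print("suspicious writes in first alerting window:", run_demo())
```

Entropy alone is a weak signal because JPEGs, ZIPs and already-encrypted archives are all near 8 bits per byte; the burst window is what turns it into something actionable, and in a real deployment the same logic would be fed from file-system auditing rather than an in-memory list.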
 

Logethica

Level 13
Thread author
Verified
Top Poster
Well-known
Jun 24, 2016
636
88 Percent of All Ransomware Targets the Healthcare Sector

The education sector comes second at 6 percent, according to a recent report.

According to the Solutionary SERT Quarterly Threat Report for Q2 2016, companies in the healthcare industry were hit by the vast majority of ransomware in the second quarter of this year, accounting for 88 percent of all ransomware detections. Other affected industries included education (6 percent) and finance (4 percent).

The report also notes that Cryptowall ransomware accounted for almost 94 percent of all detections in Q2 2016 -- other leading ransomware variants included Locky and Cerber. Ransomware detections decreased between January and February 2016, but increased by an average of 11 percent per month from March through May.

"Healthcare has been a target for ransomware campaigns because the industry has often paid ransom to retrieve vital customer data quickly," Solutionary SERT director of research Rob Kraus said in a statement. "Furthermore, healthcare organizations use an abundance of systems and devices that are crucial pivot points for an attacker, and they can even be victims of ransomware themselves."

Continue reading this article at the link at the top of this post.

MT members: I will post all future "Ransomware Related" articles on THIS thread.
I do not see the logic in creating dozens of new threads all about ransomware.
 
Last edited:
