Ransomware attacks are the bane of most IT professionals' existence. Experts caution that ransomware attacks will likely get qualitatively worse this year as criminals become more organized and targeted with their attacks. With so many potential points of risk and entry for nefarious cybercriminals, it can be a daunting task to consistently stay on top of the latest threats (and what to do when you’re presented with one!). Let’s take a look at five of the most dangerous ransomware attacks and what you can do to protect your business.
First discovered in 2019, Maze Ransomware is infamous for publishing sensitive information in a public forum using a variety of methods. Maze encrypts all files and demands a ransom to recover the files, threatening to release the information to the public should the company fail to pay. And, as some large enterprise organizations found out first-hand, these are not empty threats.
In a recent statement, the Maze ransomware group claimed to be “shutting their doors,” a claim many experts caution should be taken with a grain of salt. In fact, Maze has been known to serve as ransomware-for-hire to other groups. One ransomware expert and analyst has been quoted as saying “It’s certainly possible that the group feels they have made enough money to be able to close shop and sail off into the sunset. However, it’s also possible — and probably more likely — that they’ve decided to rebrand.”
REvil (also known as Sodinokibi) is a virus that enables cybercriminals to block and encrypt files. After the victim’s system is infected, the cybercriminals will send a message to the company, requesting a ransom in bitcoin. If the company does not pay the ransom in time, the ransom demand is doubled.
The group responsible for REvil ransomware recently posted an announcement on the dark web to recruit new members. The core REvil team is made up of highly skilled developers who build the ransomware. Affiliate members then act as sherpas for the ransomware, infecting devices and compromising enterprise organizations. As a reward, “developers receive 20-30% cut of the proceeds of any successful ransomware attack, while affiliates receive a 70-80% payout.” It’s obvious this team is motivated and willing to sweeten the deal for cybercriminals interested in joining their group.
In simpler times, the name Ryuk was associated with a fictional character in a Japanese comic book. Today, however, Ryuk has built a much darker reputation as dangerous ransomware, responsible for a third of all ransomware attacks. Ryuk ransomware not only encrypts network drives and resources, but it also deletes shadow copies on the endpoint. “This means the attackers can then disable Windows System Restore for users, making it impossible to recover from an attack without external backups or rollback technology.”
The group behind Ryuk ransomware targets high-profile organizations to increase the likelihood of ransom payment. According to a 2020 report, Ryuk generated approximately $61 million from these attacks between February 2018 and October 2019.
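Because shadow-copy deletion is one of the few hard signals an endpoint gives before encryption begins, it is worth alerting on. The following Python example, added here and not taken from the original article or any vendor tool, scans constructed process-creation log lines for the command lines commonly used to destroy Volume Shadow Copies or disable Windows recovery, and flags hosts where several of them fire together; the log format, rule names and sample entries are assumptions made for the example.

```python
import re
from dataclasses import dataclass
# Command lines commonly used to destroy Volume Shadow Copies or disable Windows
# recovery on an endpoint. Rule names are hypothetical labels for this example.
SHADOW_COPY_PATTERNS = {
    "vssadmin_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_norecovery": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
}
# Constructed process-creation log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
LINE_RE = re.compile(r"^\S+\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

@dataclass
class Alert:
    host: str
    user: str
    rule: str
    command: str

def detect_shadow_copy_deletion(lines):
    """Return one Alert per log line whose command line matches a shadow-copy rule."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a process-creation line in the expected format
        cmd = m.group("cmd")
        for rule, pattern in SHADOW_COPY_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append(Alert(m.group("host"), m.group("user"), rule, cmd))
                break  # one alert per line is enough
    return alerts

def hosts_with_multiple_techniques(alerts):
    """Hosts where two or more distinct rules fired: a much stronger signal than one hit."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return {host for host, rules in rules_by_host.items() if len(rules) >= 2}

# Constructed sample log: one workstation runs the full destructive sequence; the
# backup account on SRV-01 only lists shadow copies and must not raise an alert.
SAMPLE_LOG = [
    "2020-10-12T03:14:09Z host=WS-042 user=CORP\\jdoe cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2020-10-12T03:14:10Z host=WS-042 user=CORP\\jdoe cmd=vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "2020-10-12T03:14:11Z host=WS-042 user=CORP\\jdoe cmd=wmic.exe shadowcopy delete",
    "2020-10-12T03:14:12Z host=WS-042 user=CORP\\jdoe cmd=bcdedit.exe /set {default} recoveryenabled No",
    "2020-10-12T03:15:00Z host=SRV-01 user=CORP\\backupsvc cmd=vssadmin.exe list shadows",
]
```

A single `vssadmin` hit can be a legitimate administrator; the same host firing three or four rules within seconds is the pattern to page on.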
Known to target higher education, software companies, and small and midsize businesses, Tycoon ransomware is a multiplatform Java ransomware that targets Windows and Linux systems. Cybercriminals gain access to a company’s system using a remote desktop protocol (RDP) jump server. Weak or compromised passwords provide the perfect opportunity for these criminals.
Using an image file, the attackers deploy malware in the form of a Trojanized Java Runtime Environment (JRE) build. This enables the group to maintain a persistent back door entry into the company network, enabling the criminals to spread the ransomware across the system and hold data hostage until a ransom is paid.
Netwalker (also known as Mailto) is a relatively new player on the ransomware circuit. With healthcare organizations, remote workers, enterprise organizations, and others reporting attacks from Netwalker in 2020, this is certainly ransomware to keep on the radar. Netwalker typically gains entry into a company’s network via phishing emails or encrypted files.
After an individual engages with a malicious email or file, Netwalker then uses an embedded configuration to encrypt all Windows devices connected to the device used at entry.
According to a report published by the HHS Cybersecurity Program, these cyberattacks have increased during the pandemic, with the majority of attacks directed toward the healthcare sector. Other industries targeted by this group include manufacturing, education, business management solutions, and more.
Strengthening security protocols and staff training is paramount. Even the most dangerous ransomware attacks will be rendered useless without a weak point in your security to take advantage of. Start by revamping password security measures. Require employees to update their passwords at regular intervals, and put in place specific criteria to ensure strong passwords are used. Educate staff members about the importance of strong passwords and the threat to the individual and the company should a cyberattack occur. The more clearly you can paint the picture of the threat, the better staff members will be able to understand and comply.
Beyond increasing password security and network access controls, there may still come a time when your organization falls victim to a ransomware attack. When that happens, your organization will need to make a critical decision -- to pay or not to pay. "As long as extortion payments continue to be made and cybercriminals continue to profit from these schemes, targeted ransomware attacks that enlist the pay-or-get-breached method will likely continue well into and beyond 2021," says Kacey Clark, a threat researcher at Digital Shadows. At the end of the day, you won’t be able to stop cyberattacks from happening, but you can have an action plan in place to respond. In a world of remote work and increased risks, taking a proactive approach to security is a must.