=== Reveton ===
In 2012, a major ransomware Trojan known as Reveton began to spread. Based on the Citadel Trojan (which, itself, is based on the Zeus Trojan), its payload displays a warning purportedly from a law enforcement agency claiming that the computer has been used for illegal activities, such as downloading unlicensed software or child pornography. Due to this behaviour, it is commonly referred to as the "Police Trojan". The warning informs the user that to unlock their system, they would have to pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or paysafecard. To increase the illusion that the computer is being tracked by law enforcement, the screen also displays the computer's IP address, while some versions display footage from a victim's webcam to give the illusion that the user is being recorded. In a statement warning the public about the malware, the Metropolitan Police clarified that they would never lock a computer in such a way as part of an investigation. By August 2012, a new variant of Reveton began to spread in the United States, claiming to require the payment of a $200 fine to the FBI using a MoneyPak card. In February 2013, a Russian citizen was arrested in Dubai by Spanish authorities for his connection to a crime ring that had been using Reveton; ten other individuals were arrested on money laundering charges. In August 2014, Avast Software reported that it had found new variants of Reveton that also distribute password-stealing malware as part of their payload.
=== CryptoLocker ===
Encrypting ransomware reappeared in September 2013 with a Trojan known as CryptoLocker, which generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, and used it to encrypt files matching a whitelist of specific file extensions. The malware threatened to delete the private key if a payment of Bitcoin or a pre-paid cash voucher was not made within 3 days of the infection. Due to the extremely large key size it used, analysts and those affected by the Trojan considered CryptoLocker extremely difficult to repair. Even after the deadline passed, the private key could still be obtained using an online tool, but the price would increase to 10 BTC—which cost approximately US$2300 as of November 2013. CryptoLocker was isolated by the seizure of the Gameover ZeuS botnet as part of Operation Tovar, as officially announced by the U.S. Department of Justice on 2 June 2014. The Department of Justice also publicly issued an indictment against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet. It was estimated that at least US$3 million was extorted with the malware before the shutdown. A notable victim of the Trojans was the Australian Broadcasting Corporation; live programming on its television news channel ABC News 24 was disrupted for half an hour and shifted to Melbourne studios due to a CryptoWall infection on computers at its Sydney studio. Another Trojan in this wave, TorrentLocker, initially contained a design flaw comparable to CryptoDefense; it used the same keystream for every infected computer, making the encryption trivial to overcome. However, this flaw was later fixed. By late November 2014, it was estimated that over 9,000 users had been infected by TorrentLocker in Australia alone, trailing only Turkey with 11,700 infections.
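Why a shared keystream makes the encryption "trivial to overcome", as an added example that is not code from the article or from TorrentLocker itself: a stream cipher XORs a keystream with the plaintext, so one file whose plaintext is known (a standard file header, a document the victim still has a clean copy of) gives back the keystream, which then decrypts the other files. The keystream and the two victim files are constructed here for the demonstration; the functions and their names are this example's own.

```python
"""Keystream reuse: the flaw the text attributes to early TorrentLocker.

Added example; not code from the article or from any malware family it
describes. The keystream and both victim files are constructed.
"""
import os


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR data against a keystream at least as long as the data."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: C XOR P == K wherever P is known.

    Only as many keystream bytes come back as there are known plaintext bytes;
    that prefix decrypts the same prefix of every other file."""
    n = min(len(ciphertext), len(known_plaintext))
    return xor_bytes(ciphertext[:n], known_plaintext[:n])


def decrypt_prefix(ciphertext: bytes, keystream_prefix: bytes) -> bytes:
    """Decrypt as much of another file as the recovered keystream covers."""
    n = min(len(ciphertext), len(keystream_prefix))
    return xor_bytes(ciphertext[:n], keystream_prefix[:n])


def demo() -> dict:
    """Encrypt two constructed files under one shared keystream, then recover
    the second using only the first file's plaintext (no key material)."""
    keystream = os.urandom(256)  # constructed: the one keystream shared by all victims

    # constructed victim files; the defender still has a clean copy of the first one
    known_file = b"%PDF-1.7\n" + b"A" * 119
    secret_file = b"Quarterly figures: revenue 1.2M, cost 0.9M\n" + b"B" * 21

    c_known = xor_bytes(known_file, keystream)
    c_secret = xor_bytes(secret_file, keystream)

    k_prefix = recover_keystream(c_known, known_file)
    recovered = decrypt_prefix(c_secret, k_prefix)
    return {
        "keystream_bytes_recovered": len(k_prefix),
        "keystream_correct": k_prefix == keystream[:len(k_prefix)],
        "secret_recovered": recovered == secret_file,
        "recovered_text": recovered,
    }


if __name__ == "__main__":
    print(demo())
```

The recovery needs no key material at all, only one known plaintext, which is why a single unique keystream per file (a fresh key or nonce for each) is the baseline requirement for any stream-cipher design; the text notes that TorrentLocker later closed this gap.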
=== CryptoWall ===
Another major ransomware Trojan targeting Windows, CryptoWall, first appeared in 2014. One strain of CryptoWall was distributed as part of a malvertising campaign on the Zedo ad network in late September 2014 that targeted several major websites; the ads redirected to rogue websites that used browser plugin exploits to download the payload. A Barracuda Networks researcher also noted that the payload was signed with a digital signature in an effort to appear trustworthy to security software. CryptoWall 3.0 used a payload written in JavaScript as part of an email attachment, which downloads executables disguised as JPG images. To further evade detection, the malware creates new instances of explorer.exe and svchost.exe to communicate with its servers. When encrypting files, the malware also deletes volume shadow copies and installs spyware that steals passwords and Bitcoin wallets. The FBI reported in June 2015 that nearly 1,000 victims had contacted the bureau's Internet Crime Complaint Center to report CryptoWall infections, and estimated losses of at least $18 million. The most recent version, CryptoWall 4.0, enhanced its code to avoid antivirus detection, and encrypts not only the data in files but also the file names.
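The two host-side behaviours described above, deleting volume shadow copies and spawning extra explorer.exe/svchost.exe instances, are both visible in process-creation telemetry. The detector below is an added example, not code from the article or from any vendor: it scans constructed records whose field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage) and alerts on the standard Windows shadow-copy deletion commands (`vssadmin delete shadows`, `wmic shadowcopy delete`; the article does not say which command CryptoWall used) and on svchost.exe/explorer.exe running from an unexpected path or, for svchost.exe, with a parent other than services.exe. The legitimate paths and parent are assumptions about a default Windows install and should be tuned against your own baseline.

```python
"""Behavioural detection for shadow-copy deletion and out-of-place system processes.

Added example, not code from the article or from CryptoWall. Sample events are
constructed; directory and parent expectations are assumptions about a stock
Windows layout.
"""
import json
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# Where these two binaries legitimately live on a default install (assumption).
LEGIT_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}
EXPECTED_SVCHOST_PARENT = "services.exe"  # assumption: normal service-host parent


def deletes_shadow_copies(command_line: str) -> bool:
    """True if the command line matches a known shadow-copy deletion command."""
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def suspicious_system_process(image: str, parent_image: str) -> Optional[str]:
    """Reason string if a svchost/explorer instance is out of place, else None."""
    path = PureWindowsPath(image)
    name = path.name.lower()
    if name not in LEGIT_DIRS:
        return None
    if str(path.parent).lower() not in LEGIT_DIRS[name]:
        return f"{name} running from unexpected path {image}"
    parent_name = PureWindowsPath(parent_image).name.lower()
    if name == "svchost.exe" and parent_name != EXPECTED_SVCHOST_PARENT:
        return f"svchost.exe spawned by {parent_image} instead of {EXPECTED_SVCHOST_PARENT}"
    return None


def scan_events(lines) -> List[Tuple[int, str]]:
    """Return (RecordId, reason) for every JSON event that trips a rule."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        cmd = ev.get("CommandLine", "")
        if deletes_shadow_copies(cmd):
            alerts.append((ev["RecordId"], "shadow copy deletion: " + cmd))
        reason = suspicious_system_process(ev.get("Image", ""), ev.get("ParentImage", ""))
        if reason:
            alerts.append((ev["RecordId"], reason))
    return alerts


# Constructed process-creation records (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    json.dumps({"RecordId": 1, "Image": r"C:\Windows\System32\svchost.exe",
                "ParentImage": r"C:\Windows\System32\services.exe",
                "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"}),
    json.dumps({"RecordId": 2, "Image": r"C:\Windows\System32\vssadmin.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
                "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}),
    json.dumps({"RecordId": 3, "Image": r"C:\Windows\System32\svchost.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
                "CommandLine": r"C:\Windows\System32\svchost.exe"}),
    json.dumps({"RecordId": 4, "Image": r"C:\Windows\explorer.exe",
                "ParentImage": r"C:\Windows\System32\userinit.exe",
                "CommandLine": "explorer.exe"}),
    json.dumps({"RecordId": 5, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\invoice.exe",
                "CommandLine": "wmic shadowcopy delete"}),
]

if __name__ == "__main__":
    for record_id, reason in scan_events(SAMPLE_EVENTS):
        print(record_id, reason)
```

Records 1 and 4 are the benign baseline and produce nothing; records 2 and 5 trip the shadow-copy rule and record 3 trips the parent-process rule. The parent check is a heuristic: some legitimate software does launch svchost.exe directly, so treat it as a lead to correlate with the shadow-copy signal rather than a verdict on its own.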
=== Fusob ===
Fusob is a major family of mobile ransomware. Between April 2015 and March 2016, about 56 percent of the mobile ransomware accounted for was Fusob. Like most other pieces of ransomware, it employs scare tactics to extort a hefty sum from the user. The app acts as if it were a notice from the authorities, demanding that the victim pay a fine of $100 to $200 USD or otherwise face a fictitious criminal charge. Fusob requests iTunes gift cards for payment, unlike most cryptocurrency-centric ransomware. In order to infect devices, Fusob masquerades as a pornographic video player. When it is installed, it first checks the device's system language. If the language is Russian or Eastern European, Fusob remains dormant. Otherwise, it locks the device and demands ransom. About 40% of victims are in Germany, while the United Kingdom accounts for 14.5% of victims and the US for 11.4%. Fusob and Small (another family of ransomware) represented over 93% of mobile ransomware between 2015 and 2016.
=== WannaCry ===
In May 2017, the WannaCry ransomware attack spread through the Internet, using an exploit vector named EternalBlue, which was allegedly leaked from the U.S. National Security Agency. The ransomware attack, unprecedented in scale, infected more than 230,000 computers in over 150 countries, using 20 different languages to demand money from users using Bitcoin cryptocurrency. WannaCry demanded US$300 per computer. The attack affected Telefónica and several other large companies in Spain, as well as parts of the British National Health Service (NHS), where at least 16 hospitals had to turn away patients or cancel scheduled operations, FedEx, Deutsche Bahn, Honda, Renault, as well as the Russian Interior Ministry and Russian telecom MegaFon. The attackers gave their victims a 7-day deadline from the day their computers got infected, after which the encrypted files would be deleted.
=== Petya ===
Petya was first discovered in March 2016; unlike other forms of encrypting ransomware, the malware aimed to infect the master boot record, installing a payload which encrypts the file tables of the NTFS file system the next time that the infected system boots, blocking the system from booting into Windows at all until the ransom is paid. Check Point reported that despite what it believed to be an innovative evolution in ransomware design, it had resulted in relatively fewer infections than other ransomware active around the same time frame. On 27 June 2017, a heavily modified version of Petya was used for a global cyberattack primarily targeting Ukraine (but affecting many countries). This version had been modified to propagate using the same EternalBlue exploit that was used by WannaCry. Due to another design change, it is also unable to actually unlock a system after the ransom is paid; this led to security analysts speculating that the attack was not meant to generate illicit profit, but simply to cause disruption.
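Because Petya's payload only runs once the rewritten master boot record is executed at the next boot, a defender who keeps a hash of the machine's legitimate MBR can detect the rewrite beforehand from a disk image or backup. The checker below is an added example, not code from the article or from any Petya analysis: it parses the classic 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), compares the bootstrap code and partition table against a baseline, and reports what changed. Both MBR images and the helper names are constructed for the example.

```python
"""Master boot record integrity check against a known-good baseline.

Added example, not code from the article. The MBR images are constructed;
the layout constants are the classic DOS-style MBR.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Decode the four classic partition entries into plain dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code area only (the part a bootkit rewrites)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline: bytes) -> List[str]:
    """Compare an MBR image with the baseline; an empty list means no findings."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != boot_code_hash(baseline):
        findings.append("bootstrap code differs from baseline")
    if parse_partition_table(mbr) != parse_partition_table(baseline):
        findings.append("partition table differs from baseline")
    return findings


def make_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, s, t, l, n) for s, t, l, n in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# Constructed baseline: a short bootstrap stub and one bootable NTFS (type 0x07) partition.
BASELINE_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40,
                        [(0x80, 0x07, 2048, 204800)])
# Constructed "infected" image: bootstrap code replaced, partition table left intact.
TAMPERED_MBR = make_mbr(b"\xfa\x31\xc0\x8e\xd8" + b"\xcc" * 100,
                        [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("baseline:", check_mbr(BASELINE_MBR, BASELINE_MBR))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_MBR))
```

On a real system the baseline hash would be recorded at provisioning time and the first sector read from the raw disk device (or from a backup image) by a tool that does not depend on the possibly compromised OS; a bootkit that keeps the partition table intact, as the tampered image here does, still shows up on the bootstrap-code comparison.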
=== Bad Rabbit ===
On 24 October 2017, some users in Russia and Ukraine reported a new ransomware attack, named "Bad Rabbit", which follows a similar pattern to WannaCry and Petya by encrypting the user's file tables and then demanding a Bitcoin payment to decrypt them. ESET believed the ransomware to have been distributed by a bogus update to Adobe Flash software. Among the agencies affected by the ransomware were Interfax, Odesa International Airport, Kyiv Metro, and the Ministry of Infrastructure of Ukraine. As it used corporate network structures to spread, the ransomware was also discovered in other countries, including Turkey, Germany, Poland, Japan, South Korea, and the United States. According to CrowdStrike, Bad Rabbit and NotPetya's dynamic link library (DLL) share 67 percent of the same code, though the only clue to the culprits' identity is the names of characters from the Game of Thrones series embedded within the code. Further, the sites that had been used to spread the bogus Flash update went offline or removed the problematic files within a few days of its discovery, effectively killing off the spread of Bad Rabbit.
=== SamSam ===
In 2016, a new strain of ransomware emerged that was targeting JBoss servers. This strain, named "SamSam", was found to bypass the process of phishing or illicit downloads in favor of exploiting vulnerabilities on weak servers. The malware uses a Remote Desktop Protocol brute-force attack to guess weak passwords until one is broken. The virus has been behind attacks on government and healthcare targets, with notable hacks occurring against the town of Farmington, New Mexico, the Colorado Department of Transportation, Davidson County, North Carolina, and most recently, a ransomware attack on the infrastructure of Atlanta. The two have allegedly made $6 million from extortion and caused over $30 million in damages using the malware.
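An RDP password-guessing campaign of the kind described above leaves a characteristic trail in the Windows Security log: a burst of event 4625 (failed logon) with logon type 10 (RemoteInteractive, the type RDP uses) from one source, occasionally followed by a 4624 (successful logon) from the same source. The detector below is an added example, not code from the article: it counts RDP failures per source inside a sliding window, alerts when the count crosses a threshold, and separately flags a success that arrives while a source is still inside such a burst. The log format, the threshold and the window length are constructed assumptions; real deployments would read the events from the Security channel or a SIEM and tune the numbers to their own traffic.

```python
"""Sliding-window detection of RDP brute-force bursts in logon audit events.

Added example, not code from the article. Event ids 4625/4624 and logon type 10
are Windows Security audit values; the line format, threshold and window are
constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

FAIL_THRESHOLD = 5             # assumption: failures per window that raise an alert
WINDOW = timedelta(minutes=2)  # assumption: sliding window length
RDP_LOGON_TYPE = "10"          # RemoteInteractive

# Constructed audit lines: "<ISO time> <event id> LogonType=<n> Src=<ip> User=<name>"
SAMPLE_LOG = """\
2016-03-01T02:00:01 4625 LogonType=10 Src=203.0.113.7 User=administrator
2016-03-01T02:00:02 4625 LogonType=10 Src=203.0.113.7 User=admin
2016-03-01T02:00:03 4625 LogonType=10 Src=203.0.113.7 User=backup
2016-03-01T02:00:03 4625 LogonType=2 Src=10.0.0.5 User=alice
2016-03-01T02:00:04 4625 LogonType=10 Src=203.0.113.7 User=svc_jboss
2016-03-01T02:00:05 4625 LogonType=10 Src=203.0.113.7 User=test
2016-03-01T02:00:06 4625 LogonType=10 Src=203.0.113.7 User=scanner
2016-03-01T02:00:09 4624 LogonType=10 Src=203.0.113.7 User=scanner
2016-03-01T02:05:00 4625 LogonType=10 Src=198.51.100.9 User=bob
2016-03-01T02:05:30 4624 LogonType=10 Src=198.51.100.9 User=bob
"""


def parse_line(line: str) -> dict:
    """Split one constructed audit line into a dict of its fields."""
    ts, event_id, *kv = line.split()
    rec = {"time": datetime.fromisoformat(ts), "event": event_id}
    rec.update(dict(pair.split("=", 1) for pair in kv))
    return rec


def detect_rdp_bruteforce(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (time, source, description) for bursts and for successes inside a burst."""
    recent = defaultdict(deque)  # source -> timestamps of RDP failures still in the window
    alerted = set()              # sources already reported, to avoid one alert per extra failure
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("LogonType") != RDP_LOGON_TYPE:
            continue  # interactive/network logons are out of scope here
        src, t = rec["Src"], rec["time"]
        window = recent[src]
        while window and t - window[0] > WINDOW:  # expire failures older than the window
            window.popleft()
        stamp = line.split()[0]
        if rec["event"] == "4625":
            window.append(t)
            if len(window) >= FAIL_THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append((stamp, src, f"{len(window)} RDP logon failures within {WINDOW}"))
        elif rec["event"] == "4624" and len(window) >= FAIL_THRESHOLD:
            alerts.append((stamp, src, f"RDP logon success for {rec['User']} after brute-force burst"))
    return alerts


if __name__ == "__main__":
    for stamp, src, what in detect_rdp_bruteforce(SAMPLE_LOG):
        print(stamp, src, what)
```

In the constructed log, 203.0.113.7 crosses the threshold on its fifth failure and its later success is flagged because the burst is still inside the window, while 198.51.100.9 (one failure, then success) is left alone. The success-after-burst alert is the one to route to an on-call responder; the burst alone is the signal to rate-limit or block the source and to check whether the guessed accounts have weak passwords.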
=== DarkSide ===
On May 7, 2021, a cyberattack was executed on the US Colonial Pipeline. The Federal Bureau of Investigation identified DarkSide as the perpetrator of the Colonial Pipeline ransomware attack, perpetrated by malicious code, that led to a voluntary shutdown of the main pipeline supplying 45% of fuel to the East Coast of the United States. The attack was described as the worst cyberattack to date on U.S. critical infrastructure. DarkSide successfully extorted about 75 Bitcoin (almost US$5 million) from Colonial Pipeline. U.S. officials are investigating whether the attack was purely criminal or took place with the involvement of the Russian government or another state sponsor. Following the attack, DarkSide posted a statement claiming that "We are apolitical, we do not participate in geopolitics...Our goal is to make money and not creating problems for society." In May 2021, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert urging the owners and operators of critical infrastructure to take certain steps to reduce their vulnerability to DarkSide ransomware and ransomware in general.
=== Syskey ===
Syskey is a utility that was included with Windows NT-based operating systems to encrypt the user account database, optionally with a password. The tool has sometimes been effectively used as ransomware during technical support scams—where a caller with remote access to the computer may use the tool to lock the user out of their computer with a password known only to them. Syskey was removed from later versions of Windows 10 and Windows Server in 2017, due to being obsolete and "known to be used by hackers as part of ransomware scams".
=== Ransomware-as-a-service ===
Ransomware-as-a-service (RaaS) became a notable method after the Russia-based or Russian-speaking group REvil staged operations against several targets, including the Brazil-based JBS S.A. in May 2021, and the US-based Kaseya Limited in July 2021. After a July 9, 2021 phone call between United States president Joe Biden and Russian president Vladimir Putin, Biden told the press, "I made it very clear to him that the United States expects when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect them to act if we give them enough information to act on who that is." Biden later added that the United States would take the group's servers down if Putin did not. Four days later, REvil websites and other infrastructure vanished from the internet.

== Mitigation ==