The Archiveus Trojan is an early, significant type of ransomware that dates from 2006. It targeted Windows users, and was the first ransomware code to utilize RSA encryption to link files together and encrypt them into a single file. Archiveus was primarily distributed via spam emails and file-sharing sites, although it could infect a system in other ways.
Big-game hunting is the process of targeting high-value data or assets within businesses for ransomware attacks. The attackers choose targets that are sensitive to downtime, knowing that they’ll be more likely to pay a ransom. This is why many ransomware attacks are made against industries like government agencies, educational institutions, healthcare, and manufacturing.
Bitcoin is the most common type of cryptocurrency demanded in a ransomware attack. Although there are other types that are used, Bitcoin is by far the most popular. The rise of Bitcoin usage correlated strongly with the rise of ransomware, given its anonymity and lack of traceability.
BlackMatter was a ransomware gang that appeared in July 2021, but by November of that year, it had apparently gone extinct. It was widely reported that its demise was tied to the high-profile arrests of several of its leaders. Authorities reported that during its brief lifespan, BlackMatter had claimed at least 1,800 victims across eight countries.
Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. It deploys an agent named “Beacon” on the targeted machine, which provides the attacker a strong foothold of attack functionality. Its use exploded among cybercriminals in 2021.
Conti is one of the most famous (and infamous) ransomware gangs currently operating. It’s based out of Russia, and was first noticed in 2020. The Cybersecurity and Infrastructure Security Agency (CISA) reports that Conti has been seen in more than 400 attacks, in both the United States and internationally. It is a very active group, and has its own ransomware-as-a-service offering. It was one of the first gangs to exploit the Log4Shell vulnerability that wreaked havoc on the globe in late 2021.
Crypto ransomware, as the name suggests, encrypts files on a hard drive. Not all ransomware behaves this way, but the vast majority does. The attacker promises to provide a decryption key in return for the paid ransom.
Cryptocurrency is digital currency. Most ransomware demands payment in cryptocurrency, which is popular because it’s nearly impossible to trace. Its rise in usage in the tech industry led to a huge increase in ransomware attacks. The most popular type of cryptocurrency demanded in a ransomware attack is Bitcoin, but there are others as well.
First posted on the Internet in September 2013, CryptoLocker targeted computers running Microsoft Windows, using a Trojan. Due to its widespread nature, it’s been called “The real beginning of the ransomware scourge.” From late 2013 through mid-2014, the threat actor behind CryptoLocker made $27 million from an estimated 234,000 victims around the world.
Data exfiltration, also known as data extrusion, is the unauthorized removal of data from a device. In ransomware scenarios, it’s typically a second way to extort payment from a victim—the ransomware actor will threaten to release the (usually private) data publicly unless the ransom is paid. This is in addition to the ransom demanded to decrypt locked files.
DeadBolt is a new type of ransomware that entered the scene as of January 2022. It’s most famous for attacking QNAP network-attached storage (NAS) devices, of which there are hundreds of thousands on the Internet. The ransom note demands a 0.03 Bitcoin ($1,100 US) payment in return for a decryption key.
Double extortion is another way to get money from a ransomware victim. In addition to a fee to unencrypt encrypted data, an attacker will demand an additional payment or threaten to expose information—often personally identifiable information (PII) like social security numbers or credit card numbers—obtained through the attack.
Encryption is the process of encoding information, and is the primary tool used by ransomware actors to extort victims. Encryption converts plaintext into ciphertext. Once in that state, it can be read only by someone with the ability to return it to its original state, usually with a unique “key” that the ransomware actor offers to the victim in return for a fee, typically in cryptocurrency.
Lapsus$ is a ransomware gang that started gaining notoriety at the end of 2021, with an attack on Brazil’s Ministry of Health. On New Year’s Day 2022 it attacked Portugal’s largest media conglomerate, and in March went after Samsung. In the Samsung attack, it allegedly gained access to a large amount of confidential information.
“Living off the Land” (LotL) means to use what already exists in the victim’s environment for various attacks, including ransomware. It’s simpler, and less likely to be spotted by monitoring and antivirus software, since the attackers are using known, trusted software rather than new tools. LotL attacks are often called “fileless” because they don’t leave artifacts behind.
Locker ransomware infects PCs and locks the user’s files, blocking access to all the computer’s data. In its early days, Locker typically demanded gift cards as its form of payment. It is still very active today, mostly targeting mobile users.
Malware is short for “malicious software.” It's any software that infects computers and causes some kind of damage or opens them up to attack. The software can be in the form of viruses, bugs, and so on. Ransomware is a type of malware.
MDRs are a recent addition to the security vendor landscape, and are often more ransomware-specific in their provided services. They tend to take a more proactive approach than MSSPs, often looking for specific threats, and with a strong focus on endpoint monitoring.
MSSPs have been around for several decades. Traditionally, they offer a comprehensive monitoring and alerting solution, collecting logs from a diverse set of security devices and generating automatic alerts when there is a security event. MSSPs are becoming more heavily involved in ransomware protection for clients, as the threat increases.
Petya and NotPetya were two versions of the same basic ransomware, and hit the world in 2016 and 2017. They are both encrypting types of ransomware, and substantially raised the profile of these types of attacks when they were unleashed. One of NotPetya’s distinguishing features is that it is commonly believed to have originated as a state-sponsored Russian cyberattack. NotPetya is also generally understood to be much more dangerous than Petya.
Phishing is a primary method of initiating ransomware attacks. In a phishing attack, files or links containing malware are sent to users, usually in an email. When the link or attachment is clicked, the ransomware activates. Teaching users how to spot phishing attacks should be a primary objective of organizations.
RaaS is an adaptation of the Software-as-a-Service (SaaS) methodology to ransomware. Like SaaS, RaaS is a subscription-based model that provides ransomware tools in exchange for giving the developer a portion of the proceeds. RaaS has dramatically opened up the field of ransomware.
A ransomware gang is a group of individuals who coordinate to carry out ransomware attacks. They can be loosely affiliated or a well-organized group that operates very much like a normal business, with help desks and branding. Some of the most common ransomware groups as of 2022 include REvil, Conti, and DarkSide.
Ransomware is software used to maliciously block or impede access to a system until a certain sum is paid. Once the financial demands are met, the malicious party will, in theory, release control of the targeted system and give it back to the original owners. Ransomware most often encrypts hard drives, locking access to them, although other types exist and are still used.
REvil is one of the most infamous ransomware gangs active today. It operates a ransomware-as-a-service (RaaS) business model: its malware platform is used by its own hackers for some attacks, while others are conducted by affiliates on a revenue-sharing basis. Numerous high-profile attacks have been attributed to REvil, especially in 2021, although its days may be numbered, as at least some of its major operatives have been arrested by law enforcement in various countries.
Scareware is a type of scam in which users are fooled into thinking there’s something wrong with their computer, and that downloading a piece of software will fix it. It often comes via a pop-up ad with a warning that a computer’s infected, and needs to be cleaned immediately. Instead, a piece of malware is installed. It’s a common way to get victims to download ransomware.
Social engineering involves manipulating people into giving up valuable information like passwords, personally identifiable information (PII) like social security numbers, banking information, and so on. It's a common method of entry to an organization for ransomware threat groups.
A ransomware tabletop exercise is an activity that simulates a full ransomware attack and the organization’s response to it. Its chief goal is to determine the organization’s readiness to withstand and recover from an attack, finding weaknesses in the process that it can shore up or eliminate.
Threat hunting involves proactively searching through logs, endpoints, NetFlow traffic, DNS data, and any other security source for malicious activity on the network that may not be detected by existing security tools. Threat hunting is the first step in a ransomware protection process—it has to be integrated into the regular security workflow.
Time-to-Ransom, or TTR, is the time between initial compromise of the first system and the execution of ransomware. This can be immediate, or much longer, even up to months, depending on what the attackers' goal is. For example, an exploit may be found in a network, and the ransomware gang may sell access to that exploit, and not take any action itself.
Triple extortion is an attempt by a ransomware gang to use stolen data to inform or extort the victim organization’s customers and clients. It’s called “triple extortion” because it’s a third method—following ransom demands for a decryption key and exposing confidential information—for prying a fee from a victim. Triple extortion demands can happen weeks, months, and even years after the original incident.
WannaCry ransomware was launched on May 12, 2017, and quickly spread around the world, infecting as many as 230,000 computers in 150 countries. Believed to have been created by North Korea, the ransomware demanded a payment of $300 in Bitcoin, but no decryption key was available, so the victims who paid (about 1,000 in all) weren't able to recover their files.
A zero-day attack is one for which there is no current patch or fix available. These are the Holy Grail for ransomware actors, as they are essentially unstoppable. Note that the majority of successful attacks that hit systems are those for which fixes and patches have been available for some time, frequently even weeks or months.