By Thursday, May 6, 2021, most people had heard of ransomware and some had a vague awareness of it as a growing worldwide problem. But by Monday, May 10, most of the world awoke to an understanding of just how destructive and impactful ransomware can be.
You see, May 6 was the day that a relatively low-level ransomware actor, or one of that actor’s affiliates, found an old username and password to a virtual private network (VPN) for a company’s ex-employee. That ransomware actor used those old credentials, which should have been disabled, to gain access to the network of Colonial Pipeline, a company that delivers gasoline to much of the East Coast of the United States. The ransomware actor then exploited their breach to get access to other parts of Colonial Pipeline’s IT network, but not its Operational Technology (OT) network. The OT network is the network actually responsible for controlling the pipelines. Had the ransomware actor gained access to the OT network, they could’ve caused significantly more damage. Instead of a gasoline shortage along the East Coast caused primarily by panic buying, there could’ve been a real shortage of gasoline for weeks or longer. The actor used common tools, used by many ransomware actors, to get administrative access to Colonial Pipeline’s network, eventually taking over the Active Directory servers.
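The initial access described above came from credentials of a departed employee that were never disabled. The following is an added example (not code from the book or from Colonial Pipeline) of the kind of audit a defender would run over a directory export to catch exactly that condition: enabled accounts that belong to separated employees or that have not logged on in a long time, with remote-access group membership raising the severity. The account records and field names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    """One row of a (hypothetical) directory export joined with HR data."""
    username: str
    enabled: bool
    last_logon: Optional[date]        # None means the account never logged on
    separation_date: Optional[date]   # HR record of departure; None = still employed
    remote_access: bool               # member of the group that grants VPN/RDP access


# Constructed sample data, not a real directory.
ACCOUNTS = [
    Account("jdoe",    True,  date(2021, 4, 30), None,              True),
    Account("exuser",  True,  date(2020, 11, 2), date(2020, 12, 15), True),   # left, still enabled
    Account("svc_bk",  True,  date(2021, 5, 1),  None,              False),
    Account("oldtmp",  True,  date(2019, 6, 1),  None,              True),   # dormant, remote access
    Account("retired", False, date(2018, 1, 1),  date(2018, 2, 1),  True),   # correctly disabled
]


def audit_stale_accounts(accounts, today, max_idle_days=90):
    """Return a list of (username, severity, reasons) for enabled accounts that
    should be disabled: separated employees and accounts idle beyond the limit.
    Accounts with remote access are rated high because they are reachable from
    outside the network, which is how the attack in the text began."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        reasons = []
        if acct.separation_date is not None and acct.separation_date <= today:
            reasons.append("separated employee still enabled")
        if acct.last_logon is None or (today - acct.last_logon).days > max_idle_days:
            reasons.append(f"no logon in more than {max_idle_days} days")
        if reasons:
            severity = "high" if acct.remote_access else "medium"
            findings.append((acct.username, severity, reasons))
    return findings


if __name__ == "__main__":
    for username, severity, reasons in audit_stale_accounts(ACCOUNTS, date(2021, 5, 6)):
        print(f"{severity.upper():6} {username}: {'; '.join(reasons)}")
```

The separation-date check is the one that matters most: an account can be freshly used (by the attacker) and still belong to someone who left, so idle time alone is not a sufficient test.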
Once the ransomware actor had control of the Active Directory servers, the actor was able to push the DarkSide ransomware to thousands of machines on Colonial Pipeline’s network, leaving the organization crippled. The news of the ransomware attack didn’t get picked up until Friday evening, and even then, for most people, it just caused a power outage. But by Saturday everyone knew Colonial Pipeline had been hit by ransomware. It was on the front page of The Washington Post, The New York Times, and The Wall Street Journal. The Colonial Pipeline ransomware attack led the news on CNN, FOX, and MSNBC, as well as the nightly news on NBC, ABC, and CBS.
The rapid news cycle, along with the serious gas shortages the following week caused by Colonial Pipeline’s inability to deliver gas, kept the attack in the headlines. Colonial Pipeline finally got much of its network back online by May 12, and gasoline delivery resumed soon thereafter. The May 12 announcement did little to quell the panic buying of gasoline that was occurring all up and down the East Coast.
For many people the Colonial Pipeline ransomware attack was a wakeup call about the dangers of ransomware, but ransomware itself has been around, and disrupting—if not completely devastating—people’s lives, since 1989.
The AIDS Trojan (aka PC Cyborg)
- Created by Dr. Joseph Popp and distributed to 20,000 attendees at the World Health Organization (WHO) AIDS conference
- Released on 5¼” floppies
- Demanded $189 ransom
- Message displayed on a user’s home screen, directing them to a .txt file posted on their desktop. The file contained details of how to pay the ransom and unlock the affected files
- Demanded $200 ransom
- Primarily a Windows-based attack
- Encrypted the MyDocuments directory
- First ransomware to use RSA encryption
- A category of ransomware that hit mobile devices
- Prominent examples: WinLock, Reveton
- First ransomware to demand payment in bitcoin
- Leveraged a Java vulnerability
- Nearly 1,000 victims; estimated losses of at least $18 million
- First widespread ransomware
- As many as 500,000 phishing emails per day were sent out
- Other ransomware made its debut in 2016 as well, including:
- WannaCry attacked an estimated 200,000 computers in 15 countries
- U.S. and U.K. officials claimed North Korea was behind the WannaCry attack
- NotPetya was a variant of Petya that targeted victims in Ukraine, including the National Bank of Ukraine
- U.S. officials estimated damages from the NotPetya ransomware at more than $10 billion
- Colonial Pipeline attack
- Pipeline was shut down for six days
- Colonial paid a $4.4 million bitcoin ransom
Locky ransomware was first reported in 2016 and quickly became one of the most widespread cyberthreats ever seen. At one point, Locky accounted for 6% of all malware observed, across all malware types, and the group behind Locky was sending out as many as 500,000 phishing emails a day in 2016. For context, in 2020 it was estimated that 122 billion phishing messages were sent across 241,000 separate campaigns. That means the average phishing campaign in 2020 sent approximately 500,000 messages the whole year, the same number that Locky was sending in a single day in 2016.
Locky wasn’t alone in making 2016 the year that ransomware groups potentially amassed their first $1 billion USD in extorted ransom payments. Other ransomware such as Cerber, TeslaCrypt, Petya, and Jigsaw were also extremely prevalent.
All of these variants were used in automated ransomware attacks that infected only a single machine. They were generally delivered via a phishing campaign, exploit kit, or malicious banner ad, often on very popular websites. There were so many ransomware variants popping up, all following that same model, that 2016 was repeatedly declared to be “the year of ransomware.”
Samsam Kandi is a rural village in the Northeastern part of Iran, and if security researchers were better at geography, the threat actors behind the SamSam ransomware may have been indicted a whole lot sooner.
SamSam first appeared in 2016, and it was different from the start. It wasn’t delivered via exploit kit or phishing. Instead, SamSam exploited vulnerabilities in JBoss and looked for exposed Remote Desktop Protocol (RDP) servers to launch brute force password attacks to gain access (a technique still used by many ransomware actors today). Unlike contemporary ransomware groups, SamSam didn’t install the ransomware on a single machine. Instead, it used a variety of tools and exploits to spread throughout the victim network once it had access to one host, and to install the ransomware on as many machines as possible.
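The brute-force-against-exposed-RDP technique described above leaves a distinctive trace in Windows Security logs: a burst of failed logons (event 4625) from one source, often cycling through account names, sometimes followed by a success (event 4624) from the same source. The following is an added example (not code from the book or from any vendor) of detection logic run over a constructed, simplified log excerpt; the line format, the sample IPs and the account names are assumptions for the example, and real Security log exports would need their own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt, not a real capture. Fields: timestamp, event ID
# (4625 = failed logon, 4624 = successful logon), logon type (10 = RemoteInteractive,
# i.e. RDP; 3 = Network, which RDP with NLA also produces), source IP, account name.
SAMPLE_LOG = """\
2021-05-06T02:14:01Z 4625 10 203.0.113.9 administrator
2021-05-06T02:14:03Z 4625 10 203.0.113.9 admin
2021-05-06T02:14:05Z 4625 10 203.0.113.9 backup
2021-05-06T02:14:08Z 4625 10 203.0.113.9 jsmith
2021-05-06T02:14:10Z 4625 10 203.0.113.9 jsmith
2021-05-06T02:14:12Z 4625 10 203.0.113.9 jsmith
2021-05-06T02:14:40Z 4624 10 203.0.113.9 jsmith
2021-05-06T02:30:00Z 4625 10 198.51.100.4 jdoe
2021-05-06T02:31:00Z 4624 10 198.51.100.4 jdoe
2021-05-06T09:00:00Z 4624 10 192.0.2.10 jdoe
"""


def parse_events(text):
    """Parse the simplified log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src_ip, user = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src_ip": src_ip,
            "user": user,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          remote_logon_types=(3, 10)):
    """Return {src_ip: finding} for every source that produced at least
    `threshold` failed remote logons inside a sliding time window. If the same
    source then logs on successfully while still inside that window, the
    account is recorded as a likely guessed credential."""
    recent = defaultdict(deque)  # src_ip -> deque of (time, user) for recent failures
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in remote_logon_types:
            continue  # interactive/console logons are out of scope here
        ip = ev["src_ip"]
        q = recent[ip]
        while q and ev["time"] - q[0][0] > window:
            q.popleft()  # forget failures that fell out of the window
        if ev["event_id"] == 4625:
            q.append((ev["time"], ev["user"]))
            if len(q) >= threshold:
                if ip not in findings:
                    findings[ip] = {"failures": len(q), "users": set(),
                                    "success_after_burst": None}
                else:
                    findings[ip]["failures"] += 1
                findings[ip]["users"].update(u for _, u in q)
        elif ev["event_id"] == 4624 and ip in findings and q:
            # success from a source still inside its failure window
            findings[ip]["success_after_burst"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {f['failures']} failures, accounts tried {sorted(f['users'])}, "
              f"success afterwards: {f['success_after_burst']}")
```

The "success after burst" field is the finding worth paging on: a flagged source that never succeeds is noise to be blocked at the edge, while one that succeeds means a credential is now in the attacker's hands and the account should be disabled and the host examined before the lateral movement the text describes begins.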
Over several years SamSam managed to hit several high-profile targets, most notably Hollywood Presbyterian Medical Center in Los Angeles and the city of Atlanta. The ransomware attack against Atlanta took city services offline for weeks and cost as much as $17 million for recovery. During its multiyear run, it’s estimated that SamSam collected almost $6 million in ransom. In November 2018, the Department of Justice issued an indictment for two men in Iran who were believed to be behind SamSam: Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri. Even though they were never turned over to the United States, the indictment was enough to stop SamSam ransomware attacks.
Unfortunately, other ransomware actors started copying the tactics used by SamSam, and “Big Game Hunting” ransomware attacks are now the norm. SamSam made $6 million over two years, but there are now regular news reports of ransomware attackers getting much more than $6 million from a single ransomware attack.
MAZE ransomware was first discovered in May 2019, about the same time as the Baltimore ransomware attack. MAZE started as a typical hands-on-keyboard ransomware group with a RaaS offering. It had some early success, but didn’t stand out in a crowded field of RaaS offerings.
Then, in November 2019, MAZE did something that would take ransomware to the next evolutionary step: It launched a leak site. The site went through several iterations and domains, but the most well-known was mazenews.top. Until this point, most security professionals considered ransomware attacks to be primarily data encryption attacks, not data theft attacks. MAZE changed that perception and codified the idea of double extortion: If victims wouldn’t pay to decrypt their files, maybe they would pay to not have their sensitive files published (or pay to take them down after publication).
The way the MAZE attacks worked, and that double extortion attacks continue to work, is as follows: While ransomware actors are in victim networks conducting reconnaissance prior to deploying the ransomware, they look for interesting files to steal. After the ransomware is deployed, victims are told that files have been stolen as well as encrypted, and the victim has a period of time (usually a week or two) to pay the ransom or the files will be published for all to see.
As with other lucrative ideas, this one was quickly copied by other ransomware actors and expanded upon so that double, triple, and even quadruple extortion is now the norm in ransomware attacks.
That motivation to make as much money as possible needs to be considered when measuring the risk of a ransomware attack. In August 2019 there was a lot of discussion around the potential for Canon DSLR cameras to be vulnerable to a ransomware attack.
The analysis wasn’t incorrect: There was indeed a vulnerability in the Canon DSLR operating systems that could be exploited “over the air” to install ransomware. The question missing in all of the breathless coverage was: Why? Why would a ransomware actor rewrite their ransomware to infect cameras?
Are the pictures on a camera so valuable that a victim would be willing to pay hundreds or thousands of dollars to get them decrypted? And, how would a decryptor on a MicroSD card even work? This type of “lab attack” is valuable for understanding vulnerabilities, but the cost/benefit analysis doesn’t make sense from the ransomware actor’s perspective.
Despite the still-too-common misconception that all hackers are “400-pound losers” who “live in their mom’s basement,” most ransomware groups see themselves as business people performing a valuable service. As with most people, ransomware groups think of themselves as the good guys in their own stories. If an organization falls victim to a ransomware attack, it’s really the organization’s own fault for not securing its network better.
This righteous self-perception repeats itself over and over again. In chats with victims, ransomware actors admonish the victims not to curse at them or call them names. In one chat a ransomware actor even said, “I have been nothing but professional with you, I would appreciate the same level of respect.” A common refrain during these chat-based negotiations is the need for a ransomware actor to “speak to my manager” to see whether a proposed deal from a negotiator is acceptable.
Understand: Just because the ransomware actors adopt the veneer of respectability doesn’t mean they aren’t ruthless scumbags—that’s exactly what they are. But they don’t see themselves that way and victims need to have that mindset when approaching them. (Law enforcement, fortunately, doesn’t need to have the same mindset.)
A great example of ransomware actors thinking of themselves as professionals comes from an interview by Dmitry Smilyanets in The Record with Unknown, the handle that the operator of the REvil ransomware used. Dmitry asks the question, “What makes REvil so special? The code? Affiliates? Media attention?” Unknown’s response, in part:
“I think it’s all of that working together. For example, this interview. It seems like, why would we even need it? On the other hand, better we give it than our competitors. Unusual ideas, new methods, and brand reputation all give good results. As I said, we are creating a new branch of development for extortion. If you look at the competitors, unfortunately, many people simply copy our ideas and what is most surprising—the style of the text of our messages.” - (TheRecord.media)
A ransomware actor worried about brand reputation and referring to other ransomware actors as competitors is absolutely a sign that they think of themselves as professionals, even if the rest of the world knows the truth.
The STOP ransomware family has been continuously active since December 2017. There are more than 300 variants of this particular ransomware family, making it by far the most prolific ransomware family operating today. According to a report from Emsisoft, STOP ransomware accounted for more than 71% of all submissions to the ID Ransomware project or approximately 360,400 attacks—and those are only the submissions to ID Ransomware, so the actual number is much higher.
Given its longevity and proliferation, why doesn’t STOP ransomware make the headlines more often? Quite simply, it’s throwback ransomware. STOP ransomware installs itself only on the victim’s machine and doesn’t spread throughout the network. The ransom demand is also lower, usually between $500 and $1,200, compared to the millions demanded by other ransomware actors. It’s also relatively easy to defeat using traditional security tools, such as up-to-date anti-virus services.
This means that most of STOP’s victims are small businesses, home users, or victims in less developed countries, so the attacks don’t get the attention lavished on the hands-on-keyboard attackers that go after larger targets in so-called “Big Game Hunting” attacks. That doesn’t mean these attacks are any less devastating to the victims than the larger attacks; they’re just not going to make the news.
Conti ransomware first appeared in February 2020, but wasn’t seen extensively in the wild until June 2020. Conti is one of the most prolific hands-on-keyboard ransomware strains, with more than 450 known victims and undoubtedly many more that weren’t publicized. Conti uses the RaaS model and is considered to be a cousin of the Ryuk ransomware, as both are operated by subgroups of the Wizard Spider cybercriminal group.
Some of Conti’s victims include the Health Service Executive (HSE) in Ireland, which is responsible for all healthcare services in that country, the Volkswagen Group, Cambria County in Pennsylvania, Pearson Foods Corp., and Adams County Memorial Hospital. The threat actors behind Conti are known for their ruthlessness. While many ransomware groups swore off going after healthcare facilities during the COVID-19 pandemic (it should be said with very “inconsistent” follow through on that pledge), Conti specifically targeted healthcare organizations in the hopes that the COVID-19 emergency would force victims to pay.
Despite Conti’s reported ruthlessness, there are limits to how much attention even it can withstand. After the attack against HSE crippled healthcare providers throughout Ireland for a week, Conti was forced to hand over the decryption key out of fear of government reprisal. Like many RaaS groups, the persona that Conti projects is one of brashness and boldness; it's “untouchable.” But, as history has repeatedly shown, ransomware organizations are very much touchable when they cross certain lines.
LockBit ransomware first appeared in September 2019 and has been incredibly prolific. In 2020, Emsisoft reported more than 9,600 submissions to ID Ransomware from infected LockBit victims, making it the second-most-prevalent hands-on-keyboard ransomware submitted to the site that year.
Like Conti, LockBit is a RaaS offering with dozens of affiliates, making it hard to catalog how it operates. Some LockBit affiliates use phishing campaigns to gain initial access, while others use exposed RDP servers and still others use exploitation of known vulnerabilities in common VPN or other edge infrastructures, such as SonicWall, Microsoft SharePoint, Microsoft Exchange, and more.
After the disappearance of the REvil ransomware group, LockBit relaunched itself as LockBit 2.0 along with an updated affiliate program, in the hope of attracting ex-affiliates from REvil and other ransomware groups that have been forced to shut down. Some of LockBit’s victims include Yaskawa Electric Corp., Carrier Logistics Inc., Dragon Capital Group, and United Mortgage Corp.