Throughout the past few years the notorious Ransomware type of malware has become one of the worst cyber-threats and, as the time passes, it only seems to be gaining more momentum. 2017 has been a year marked by a number of big Ransomware outbreaks with businesses, schools, hospitals, subway systems and even government bodies as well as millions of users falling prey to different variants of this family of malicious programs. In this article, I will review the most important and momentous examples of Ransomware outbreaks that have occurred throughout the current year as well as elaborate upon the current trends and the potential future of this malware category according to the information provided by security researchers in that field.
What is a Ransomware?
If you are already aware of what this malware category is all about, you can skip to the next paragraph and where I elaborate upon its trends and development throughout 2017.
Nearing the end of 2017, more and more users seem to be getting acquainted (in one way or another) with the Ransomware virus category. Some are lucky enough to simply read an article like this one and safely acquire the information that they might need regarding this form of malware while others, not so fortunate individuals, get a more hands-on experience with Ransomware by actually landing one such noxious program on their computers. If you do not belong to the latter group, consider yourself lucky as this is truly one of the nastiest possible forms of malicious software that you can get your system attacked by, especially if you keep important and valuable data on your hard-drives.
So, what is a Ransomware? The most general description of a program which belongs to this category would be that a Ransomware is any malicious piece of software that seeks to extort money from its victim by demanding a certain ransom payment. In most cases, the virus blocks a certain component/s of the user’s system and keeps it locked until the payment is made. There are couple of separate Ransomware types:
Lockscreen Ransomware – noxious programs that of this type are normally regarded as less advanced in comparison to the other forms of Ransomware. A lockscreen virus normally seeks to display a big banner on the targeted device’s screen hiding everything such as the desktop, programs, folders, etc. behind it thus making the user unable to use their device. The ransom demand is stated within the lockscreen banner along with instructions regarding the payment method. In the past, this type of Ransomware was highly-effective but now there are a lot of guides out there that can easily allow anyone to manually disable such a malware piece. Still, though, lockscreen viruses are still highly popular and widely spread, especially among Android users.
Encryption-based Ransomware – for some time now, this has been the bane of the Internet. Encryption-based Ransomware programs also known as cryptoviruses are truly some of the most devastating and difficult to deal with forms of malware. The general way of functioning of those viruses is as follows: once the malware makes it into the victim’s PC system, it scans the HDD for certain file formats. Once all data that belongs to those file formats is accounted for, the malware goes on to use an advanced encryption process to render the targeted files inaccessible to the user. Once the process has been completed, the malware would generate a pop-up or a notepad message on the computer within which pop-up/message the ransom demand is stated. Additionally, the note also provides the user with details on how to execute the requested payment. The preferred ransom currency is typically BitCoin or some other cryptocurrency which would ensure that the attacker stays anonymous.
Master Boot Record (MRB) encrypting Ransomware – though this isn’t really a separate subcategory of Ransomware, it is worth saying a couple more words about it. MRB-encrypting Ransomware are viruses that not only mess with the files on the infected machine but also modify its Master Boot Record so that it doesn’t allow the computer to boot into Windows. If infected by this sort of malware, the user will not be able to use their PC whatsoever until the malicious program gets taken care of.
Leakware – this is a less common example of Ransomware viruses but for the sake of completeness, I will mention a few words regarding this subcategory. Instead of locking-up the device or encrypting files that are on it, Leakware versions threaten to publish sensitive user-related data online. Obviously, such attacks would only be effective if the victim actually has any sensitive information stored on their device to begin with which is likely why Leakware attacks are not as common.
Ransomware throughout 2017
As I already mentioned in the beginning of this article, 2017 has been an year during which the overall Ransomware threat drastically increased in scale. I won’t be going through each and every single virus released under this category as there are just way too many of them. Therefore, I will limit myself to only the most notable examples of Ransomware outbreaks.
WannaCry (also known as WannaCrypt) virus marked one of the biggest Ransomware outbreaks ever and likely the largest one this year. In a very short amount of time (read couple of days) it managed to distribute itself and infect hundreds of thousands of machines all over the world. Aside from regular users who got infected, other victims of this virus were banks, schools, hospitals, infrastructure systems, airlines, etc. According to some researchers, the scale of this Ransomware outbreak was unprecedented with over 200 000 machines infected throughout 150 countries, the most affected of which were Russia, Ukraine, Taiwan and India. One of the main reasons why this virus was so effective was the way it got distributed – the hackers exploited a vulnerability in Microsoft’s Server Message Block (SMB) protocol which allowed the malware to be distributed without requiring the user to actually make a mistake and somehow download the malware.
The NotPetya outbreak was the second large-scale Ransomware attack this year. This virus works similarly to the infamous Petya Ransomware – it encrypts the Master Boot Record of the PC thus preventing the user from booting into Windows. In just a few days, hundreds of thousands of PC’s got infected over 100 countries. Again, instead of relying on the end user making a mistake and loading the virus on the PC, the hackers behind Petya, too, exploited the SMB protocol vulnerability to deliver the malware.
This is a more recent example of Ransomware that, despite not becoming as widely spread as the previous two examples, still managed to cause serious damage during the time it was “alive”. Similarly to Petya and NotPetya, this malware program, apart from encrypting the user’s personal files, also modifies the MRB, locking the victim out of their computer. Initially, it was reported that this virus was got distributed through fake flash update pop-ups displayed on a number of hacked websites but it was later revealed that it had a secondary method of distribution. The malware was able to spread to other machines connected to the same network as the “patient zero” computer which allowed it to quickly infect a huge number of systems. Again, the BadRabbit Ransowmare had the most effect in countries from Eastern Europe (Ukraine, Russia, Bulgaria, Turkey).
Tendencies and future predictions
Despite security experts’ best efforts, a large portion of modern Ransomware versions are still left without a working solution that would allow the victim to recover from the attack without paying the ransom. In fact, the difficulty that most hackers face isn’t making their viruses so advanced that no one would be able to deal with them but making sure that they get distribute to enough systems.
During the past two years, phishing and spam e-mails were enough to distribute a Ransomware but with the increasing popularity of this particular form of malware, more and more users started to become more aware and vigilant, which decreased the effectiveness of those distribution techniques. Therefore, the cyber criminals seem to have started seeking new alternatives which bypass the need for tricking the user into loading the malware on their PC. The WannaCry and NotPetya outbreaks are clear examples of one way this could happen and the scale and effectiveness of their attacks only shows that this is likely the future for a lot of the newer Ransomware versions. Although Microsoft has taken measures to eliminate the SMB protocol vulnerability that those two viruses exploit, there’s nothing to say that the online criminals won’t come up with some other similar method for spreading their malicious software to more and more victims.
As before, regular users are currently the largest group of Ransomware victims worldwide. However, throughout 2017, the number of businesses and companies targeted by this malware category has increased drastically. Hackers who use Ransomware are starting to turn their sights towards higher-value targets and it seems to be working out pretty well for them. One of the main reasons for that is the insufficient security level that a lot of companies operate under which allows for swift and devastating Ransomware attacks.
Likely as a direct consequence of the previous Ransomware tendency, the average demanded ransom sum has gone up quite substantially. Only during 2016, an over 250% percent increase in the average ransom demand (compared to 2015) was reported by Symantec.
In 2017, only a small percentage of businesses have actually paid the hackers (below 5% according to a survey by Barkley). Out of those who have paid, 1 out of 5 were never given the decryption codes necessary for the unlocking of the encrypted data. This further comes to show just how unreliable making the ransom payment could be. As many experts have said times and times again, it is highly inadvisable to agree to the blackmailers’ terms and send them the money unless there’s no other potential alternative and only if the decryption of the data is highly important.
The future of Ransomware
The tendencies from 2017 with regards to the Ransomware threat are likely to transfer into 2018 as well. The money demands would likely go up with more businesses getting targeted and the distribution methods of Ransomware will probably get more diverse due to the slowly but steadily improving of the users’ technical knowledge and understanding of how to avoid exposing their devices at malware risks. Still, though, nothing is for certain. Probably the most likely prediction that one can make is that Ransomware will be around for quite some time and won’t go away easily.