The Five Families: The Most Wanted Ransomware Groups
March 27, 2018
Last week we presented a webinar on “Emerging Ransomware Threats and How to Protect Your Data”. Here we discussed the latest ransomware threats and trends, as well as strategies organizations can take to strengthen their defenses and stay compliant.
The ransomware ecosystem has evolved continuously over recent years. There are new operational models such as ransomware-as-a-service (RaaS), and cybercriminals are leveraging remote entry vectors like remote desktop protocol (RDP) and JBoss application servers. Ransomware operators are also experimenting with self-propagation techniques to increase the impact of their attacks.
With so many different variants in circulation, it can be hard to make sense of what the most critical ransomware threats are to your organization. Although we shouldn’t discount lesser known or less-popular variants, there are five main ransomware families that are prominent currently.
Locky has been active since early 2016 and has predominantly been delivered using spam emails, although the Nuclear and RIG exploit kits have also been used. This ransomware has been consistently updated, particularly with changes to the way encrypted files are appended, leading media reports to attribute different naming conventions to Locky versions, such as Zepto (named after the .zepto extention). Locky activity increased in December 2017 with the resumption of spam activity by the Necurs botnet, which delivered up to 47 million spam emails per day over the holiday period.
Cerber has been frequently developed and distributed since its inception in February 2016, with at least six different versions of the malware developed. Significantly, Cerber is run using a RaaS model, making it a highly automated operation both for actors using the platform and for servicing ransom payments and distributing decryptors to victims. The ransomware typically uses spam email and drive-by-downloads for delivery and has been associated with the RIG and Magnitude exploit kits. Cerber encrypts victim files with a random four-letter extension. Cerber RaaS customers can alter the specific ransom demands, although average prices for unlocking files fall between $1000 and $2000.
Figure 1: Cerber decryption service homepage
First detected in January 2016, DMA Locker differs from traditional ransomware variants as it does not add a file extension to encrypted files, but instead adds an identifier to the file header. DMA Locker has been delivered through RDP as well as spam emails and the RIG exploit kit. Following a successful infection, the ransomware begins encrypting files if an Internet connection is available. However, if an internet connection is not available, the ransomware installs itself and waits for a connection to be established before encrypting files.
Crysis is distributed via spam emails and the compromised RDP services. Several variants of the ransomware exist to date. The first had decryption keys publicly released, enabling decryption without payment; however, recent variants that encrypt files with .arena, .cobra and .dharma extensions do not currently have publicly available decryption keys. Crysis also has additional capabilities such as harvesting information from the victim machine to send remotely to a command and control server. This included collecting credentials, instant messaging applications, webcam, and browser information.
Active since at least December 2015, SamSam has been used in targeted attacks against high-profile victims and large organizations in the United States, Europe and Asia. These include transport organizations, such as transit authorities, as well as the healthcare and education sectors. Unlike most variants that use phishing emails and exploit kits, SamSam exploits Internet-facing JBoss application servers, then harvests administrator credentials before self-propagating and infecting all the endpoints within a network. Each infected machine is held to ransom, with demands ranging from approximately $4,000 for one machine and $33,000 for all machines within a network. SamSam is believed to be operated by a group known as Gold Lowell.
Figure 2: Overview of the top five ransomware families
Although some ransomware operators have shifted to cryptocurrency mining to make their money, we’d be wrong to assume that ransomware is no longer a threat in 2018. With the above variants still in circulation, and the Colorado Department of Transportation recently experiencing a SamSam ransomware infection on 21 February 2018, it’s clear that the threat from ransomware is a long way away from subsiding.
To that end, there are several measures organizations should employ to ensure they are well-protected in 2018.
- Regularly backup data and verify its integrity. Ensure that backups are remote from the main corporate network and machines they are backing up. Use cloud-based and physical backups.
- As SamSam has relied on vulnerable, external-facing servers, applying relevant patches and updates is recommended.
- A defense in depth strategy can aid mitigation. This includes Segmenting networks, firewalling-off SMB traffic, and restricting access to important data to only those who are required to have it.
- Develop and practice your ransomware playbook so that all members of the organization (operations, IT, security, legal, PR) know their role should the undesirable occur.
Subscribe to our weekly newsletter to get the latest news and research by Digital Shadows.