Blog

The Many Faces of Ransomware

May 24, 2017

If you’ve been following the news, you know that the new ransomware, WannaCry, has crippled organizations and end users across the world. Within several hours, WannaCry infected tens of thousands of computers in more than 99 countries and in 27 languages. This attack was so impactful that Microsoft took the rare step of releasing a patch for previously retired versions of Windows operating systems. Even though the initial WannaCry attack was halted the same day that it launched, stronger variations that lacked the weakness of the original version started springing up within just two days.

The number of ransomware attacks grew exponentially in 2016, and even more growth is expected in 2017. This drastic increase in ransomware attacks is a result of new variants with self-propagation features, which allow them to spread unassisted from system to system (WannaCry had this feature), as well as the availability of inexpensive, customizable tools—such as ransomware as a service (RaaS)—that allow relatively unskilled criminals to get in on the action. But the biggest reason for the increase in these attacks is that they work.

According to NSS Labs’ CAWS cyber threat protection platform, TeslaCrypt was the most prevalent type of ransomware in 2016. Since its developers decommissioned TeslaCrypt, there has been a drastic shift towards Cerber, accounting for 82% of the ransomware captured by CAWS in the first four months of 2017. Locky is another well-known type of ransomware, but many other lesser known flavors of ransomware are beginning to surface, with various themes and operating models. These are a few interesting variations of ransomware that demonstrate the growing creativity of its developers:

  • Spora: This ransomware’s unique ability to operate offline means that the attacker does not need a command-and-control (C&C) server. Spora works by hiding files and folders on a victim machine and replacing them with shortcut links (.LNK) with the same name and icon as the hidden files and folders. When a user clicks on one of these shortcuts, the original file is opened, along with the malware. Another feature of Spora is that it gives the victim the chance to purchase “insurance” against future attacks, when paying the ransom, for an additional fee.
  • Popcorn Time: This ransomware operates along the same lines as old-fashioned chain letters, but it tests the morality of its victims by tempting them with the reward of immunity if they are willing to pass the malware onto others, and if at least two of their victims pay the ransom to the original attacker.
  • Koolova: This ransomware may be the strangest yet and is very “gray hat” in nature. Once the malware is downloaded, text appears on the victim’s machine to inform them that their files have been encrypted. To retrieve the decryption key, the victim must read two of the provided online articles on cybersecurity, describing how to avoid future attacks via unsafe downloads. The ransomware warns that should the victim be “too lazy” to read the articles, it will follow through on its promise to delete all their files.
  • Kirk: One of the more recently discovered versions of ransomware, Kirk follows a Star Trek theme, appending a .kirk extension to encrypted files and referring to its decryptor as “Spock.” This is the first known version of ransomware that demands payment in Monero currency. Although it appears to be a highly sophisticated program developed by skilled programmers, little is known about Kirk since there have been no verified victims.

The vast majority of ransomware attacks are spread by email through malicious links or attachments; however, ransomware can come through several other vectors, including compromised websites, browser exploit kits, infected file downloads, or mobile app downloads. Although most ransomware attacks are opportunistic, there is a growing trend toward targeted attacks against organizations. One of the most popular tactics are emails that appear to be from a company’s human resources department, pertaining to an employee’s pay or benefits that contain an infected link or attachment.

NSS Labs will continue to track these as well as other ransomware variations that develop, so check back on our blog for updates. For real-time validation of how well your existing security controls are holding up against cyberthreats that are active in the wild, including ransomware, check out NSS Labs’ CAWS Cyber Threat Protection Platform.