All in the Ransomware Family: Biggest Phishing Threats

Written by Eyal Benishti | Jan 17, 2017

Ransomware has been the most prevalent cyber threat since 2005.

However, recent ransomware events have proven that the threat is increasing significantly in both frequency and complexity – so much so that 2016 has been designated ‘the year of ransomware.’ In fact, according to ISTR’s Special Report on Ransomware and Business, “ransomware has quickly emerged as one of the most dangerous cyber threats facing both organizations and consumers, with global losses now likely running to hundreds of millions of dollars.” Attacks have become so sophisticated that even the FBI advises companies to just pay the ransom – a demand that has more than doubled since the end of 2015.

Further, the number of new ransomware families continues to increase and evolve, with strains now appearing and retiring every month, making it even more difficult for organizations to combat ransomware threats. For example, according to Symantec, TeslaCrypt was one of the most widespread ransomware variants in late 2015 and early 2016, only to cease operations last May.

In December, we projected the ransomware problem to get worse in 2017, with 7 out of 10 malicious phishing and spear-phishing emails now containing ransomware. On May 12, a new strain of ransomware called WannaCrypt / WannaCry / Wcry spread rapidly around the world. UK hospitals such as the NHS were hit hard, as was the telecommunications enterprise Telefonica, which was held at ransom for millions in bitcoin. Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries, making it one of the broadest and most damaging cyberattacks in history.

Ransomware protection is as challenging as ever before.

To help organizations stay up to date on current threats, we’ve outlined some of the most prevalent ransomware families of the moment:

  • WannaCry: The most recent and prolific ransomware to date, WannaCry uses an SMB exploit leaked by the Shadow Brokers last month, as part of a trove of NSA spy tools, to fuel a massive outbreak that has claimed victims all over the world in huge numbers. The ransomware’s name is WCry, but it is also referenced online under various names, such as WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r. The worm self-propagates by taking advantage of a Windows vulnerability for which Microsoft released a security patch in March 2017, but computers and networks that hadn’t updated their systems were still at risk. “Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”
  • LOCKY: First detected in February 2016, Locky spreads through spam, typically through an email message, though it has recently been spreading via social media. Once a machine is infected, Locky scrambles and renames all important files with the extension .locky – with the attacker holding the decryption key for ransom. Its most famous victim to date has been Hollywood Presbyterian Medical Center, which was forced to shut down its IT systems in an attempt to remove the ransomware, delaying patient care; the hospital failed to remove the virus and ultimately paid the ransom. Last year we wrote about stopping a Locky attack targeting an Israeli defense company.
  • CERBER: Cerber emerged in early March 2016 and, though a newer strain, has already made a significant impact: it was recently named one of the most lucrative ransomware-as-a-service (RaaS) platforms in the world. The ransom demand ranges from $513 to $1,026, and it is sophisticated enough to read the ransom note aloud to the victim.
  • HDDCRYPTOR: This variant rewrites a computer’s Master Boot Record (MBR) and locks users out of their systems. First detected in September 2016, the virus was responsible for the attack on the San Francisco Municipal Transport Agency that demanded $70,000.
  • PETYA AND MISCHA: This package combines two different approaches to encryption. Similar to HDDCryptor, Petya encrypts the Master File Table (MFT) and MBR, and the Mischa variant is deployed to encrypt files individually where Petya is not successful. In addition, Petya and Mischa can work offline. The package was deployed as a RaaS program last July, and distributors are paid based on how much money they can extort from their victims.
  • CRYPTXXX: Discovered in April 2016, the new and improved CryptXXX extorted more than $45,000 in less than three weeks. Though researchers from Kaspersky Lab released a free tool to decrypt victims’ data without paying the ransom, hackers have since worked to update the virus to much success.
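
As a defender-side illustration of the Locky behaviour described in the list above (added here as an example, not IRONSCALES code), the following flags any host and user that renames several files to the .locky extension within a short window. The log format, host and user names, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_EXTENSIONS = (".locky",)  # the only extension this page names

# Constructed events, assumed format: "<ISO time> <host> <user> RENAME <old> -> <new>"
SAMPLE_EVENTS = r"""
2017-01-17T09:00:01 ws-014 alice RENAME C:\docs\q4 report.xlsx -> C:\docs\7F3A01.locky
2017-01-17T09:00:03 ws-014 alice RENAME C:\docs\notes.docx -> C:\docs\notes-v2.docx
2017-01-17T09:00:04 ws-014 alice RENAME C:\docs\plan.pdf -> C:\docs\7F3A02.locky
2017-01-17T09:00:09 ws-014 alice RENAME C:\pics\site.jpg -> C:\pics\7F3A03.locky
2017-01-17T09:05:00 ws-020 bob RENAME C:\tmp\a.txt -> C:\tmp\a.locky
2017-01-17T09:10:00 ws-031 carol RENAME C:\x\1.doc -> C:\x\1.LOCKY
2017-01-17T09:20:00 ws-031 carol RENAME C:\x\2.doc -> C:\x\2.locky
2017-01-17T09:30:00 ws-031 carol RENAME C:\x\3.doc -> C:\x\3.locky
garbage line with no structure
""".strip().splitlines()

def parse_event(line):
    """Return (time, host, user, new_path) for a RENAME line, else None."""
    parts = line.split(None, 4)
    if len(parts) != 5 or parts[3] != "RENAME" or " -> " not in parts[4]:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[4].rsplit(" -> ", 1)[1].strip()

def detect_rename_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert once per (host, user) that renames >= threshold files to a
    watched extension inside the window. Events must be in time order."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # malformed or non-rename line
        ts, host, user, new_path = event
        if not new_path.lower().endswith(WATCHED_EXTENSIONS):
            continue
        times = recent[(host, user)]
        times.append(ts)
        while ts - times[0] > window:  # drop renames older than the window
            times.popleft()
        if len(times) >= threshold and (host, user) not in alerted:
            alerted.add((host, user))
            alerts.append({"host": host, "user": user,
                           "first_seen": times[0], "count": len(times)})
    return alerts
```

On the constructed events, `detect_rename_bursts(SAMPLE_EVENTS)` alerts only on the burst from ws-014; the single rename on ws-020 and the slow renames on ws-031 stay below the threshold.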

While the prevalence of certain variants ebbs and flows, one thing is for certain – if you have email security that can prevent phishing and spear phishing, then you can prevent ransomware. Recognizing the ever-increasing ransomware threats in phishing attacks, IRONSCALES built a patent-pending, automatic email phishing response solution to analyze and remediate incoming threats in real time. With on-premise and cloud-based automatic server-side remediation, IRONSCALES can help remove ransomware emails even when a user is offline or not logged in. Our newest product, Federation, anonymously shares phishing attack intelligence with enterprises and organizations worldwide, enabling them to proactively defend their network gateways and endpoints from increasingly frequent and sophisticated phishing attacks.

It’s simple: Stop phishing, significantly reduce ransomware.

Contact us to start your FREE TRIAL TODAY.