What Should You Know About Ransomware

BRANDEFENSE
Ransomware
22/09/2022

Last updated on December 12th, 2022 at 04:19 pm

Table of Contents

  • Introduction
      • Categories of Ransomware
      • Ransomware Variants
      • Some Common Vulnerabilities and Associated Ransomware Groups
      • The Most Popular Ransomware
  • Statistics
      • Associated Vulnerabilities of Some Popular Ransomware Groups:
      • Some interesting facts:
  • Tactics to Infect Users
  • Upcoming Threats
  • Should You Pay Ransom?
  • Prevention Methods
  • Conclusion

Introduction

Ransomware attacks are a growing threat, mostly to corporations and less often to individuals. As a result, managers, individuals, security professionals, and hackers are all taking more interest in the topic.

Ransomware is a type of malware that encrypts files or the entire system of an infected machine and demands a ransom to decrypt them. It is an easy way to profit because the attackers demand payment directly; they do not have to exfiltrate sensitive data and sell it to others, which requires more effort.

While ransomware is nothing new, it’s been on the rise in recent years and shows no sign of stopping. So what should you know about ransomware?

Categories of Ransomware

Ransomware uses various ways to infect a machine and encrypt it. It can be categorised as follows.

  • Locker Ransomware: This locks the entire system, so the victim cannot reach any feature after booting it up.
  • Crypto Ransomware: This encrypts the files on the victim's machine, so users cannot reach their data.

These are the two types of ransomware, and a given ransomware family uses just one of them.
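One thing a defender can do with the crypto-ransomware category is look for its side effect: files whose content has become uniform noise, often with a new extension appended. The script below is an added example written for this post, not Brandefense tooling. It measures Shannon entropy over the first bytes of each file and also checks for a known ransomware extension (".cerber" is taken from the Cerber entry later in this post; ".locked" and ".encrypted" are constructed placeholders). The sample tree it scans is constructed in a temporary directory so the script runs offline.

```python
import math
import os
import tempfile
from collections import Counter

# Extensions crypto-ransomware appends to encrypted files. ".cerber" comes from
# this post; ".locked" and ".encrypted" are placeholders, not a curated list.
RANSOM_EXTENSIONS = {".cerber", ".locked", ".encrypted"}

# Formats that are high-entropy by design and must not be flagged on entropy alone.
COMPRESSED_FORMATS = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4"}

# Bits per byte: text and office documents sit well below this, ciphertext near 8.0.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def scan_directory(root: str, sample_bytes: int = 4096) -> dict:
    """Map relative path -> reasons for every file that looks encrypted by ransomware."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)  # a prefix is enough to judge entropy
            entropy = shannon_entropy(head)
            reasons = []
            if ext in RANSOM_EXTENSIONS:
                reasons.append(f"known ransomware extension {ext}")
            if entropy >= ENTROPY_THRESHOLD and ext not in COMPRESSED_FORMATS:
                reasons.append(f"high entropy {entropy:.2f} bits/byte")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def run_demo() -> dict:
    """Build a constructed sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "report.txt": b"quarterly report, all figures in EUR\n" * 120,  # plaintext
            "report.txt.cerber": os.urandom(4096),  # encrypted copy, Cerber's extension
            "data.bin": os.urandom(4096),           # encrypted, extension not in the list
            "photos.zip": os.urandom(4096),         # compressed: high entropy is expected
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(f"{rel}: {'; '.join(reasons)}")
```

The compressed-format allow list is what keeps this from flooding a SOC with alerts on archives and images; in production the same check is usually combined with a rate signal (many files rewritten by one process in a short time) rather than run as a one-off scan.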

Ransomware Variants

  • BadRabbit: This ransomware mainly affected the Russian media sector and demanded 0.05 Bitcoin as ransom. Victims downloaded a malicious Adobe Flash file and ran it manually; the malicious code then ran and encrypted their files.
  • BitPaymer: This ransomware mainly attacked the medical sector and is associated with the Dridex malware.
  • Cerber: This encrypts files and appends the .cerber extension to them. It can encrypt files without an online connection to its C2 servers.
  • CryptoLocker: This targeted Windows machines and encrypted files with an RSA-2048 public key. Decryption requires the matching private key, and the attackers left a note saying that the private key would be deleted if the ransom was not paid.
  • Dharma: This malware spreads over RDP (Remote Desktop Protocol). Attackers search for victims exposing RDP on port 3389 and brute-force their passwords to gain access to the computer, then encrypt it. Phishing is also used to spread the malware.
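The Dharma entry describes password brute-forcing against exposed RDP, which leaves a very recognisable trail in the Windows Security log: a burst of failed logons (event 4625, logon type 10) from one source address, sometimes followed by a success (event 4624). The detector below is an added example written for this post, not Brandefense code. It works over constructed sample lines in a simplified "timestamp key=value" layout that stands in for what a SIEM would produce from EVTX; the IP addresses are documentation ranges and the usernames are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Real Windows Security events (4625 = failed logon,
# 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) carry the
# same fields in EVTX/XML; a SIEM would normalise them to something like this.
SAMPLE_EVENTS = [
    "2022-09-22T10:00:01 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator",
    "2022-09-22T10:00:05 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator",
    "2022-09-22T10:00:09 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin",
    "2022-09-22T10:00:13 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin",
    "2022-09-22T10:00:17 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup",
    "2022-09-22T10:00:21 EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup",
    "2022-09-22T10:00:30 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup",
    "2022-09-22T10:05:00 EventID=4625 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jsmith",
    "2022-09-22T10:20:00 EventID=4625 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jsmith",
    "2022-09-22T10:21:00 EventID=4624 LogonType=10 IpAddress=198.51.100.4 TargetUserName=jsmith",
]


def parse_event(line: str) -> dict:
    """Split one sample line into a dict; the leading timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(pair.split("=", 1) for pair in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_rdp_bruteforce(lines, threshold: int = 5,
                          window: timedelta = timedelta(seconds=60)) -> list:
    """Alert on any source IP with >= threshold RDP logon failures inside one window."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != "10":      # only RDP (RemoteInteractive) logons
            continue
        if e["EventID"] == "4625":
            failures[e["IpAddress"]].append(e["ts"])
        elif e["EventID"] == "4624":
            successes[e["IpAddress"]].append(e["ts"])

    alerts = []
    for ip, times in failures.items():
        # Two-pointer sliding window over sorted timestamps: keep the densest window.
        best, best_first, best_last, j = 0, None, None, 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 > best:
                best, best_first, best_last = i - j + 1, times[j], t
        if best >= threshold:
            alerts.append({
                "ip": ip,
                "failures": best,
                "first": best_first.isoformat(),
                "last": best_last.isoformat(),
                # a success after the burst is the "password guessed" case
                "followed_by_success": any(s >= best_last for s in successes[ip]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Tuning is per environment: a threshold of five failures in a minute is strict for a jump host used by many admins and generous for a server that should never see RDP from the internet. The `followed_by_success` flag is the one worth paging on, since it means the guess worked and the next step described above, encryption, may already be under way.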

Some Common Vulnerabilities and Associated Ransomware Groups

  • CVE-2021-35211 – Clop Ransomware
  • CVE-2021-34527 – Magniber Ransomware
  • CVE-2021-30116 – REvil Ransomware
  • CVE-2020-1472 – Ryuk Ransomware
  • CVE-2019-11539 – Sekhmet, Mailto, Maze, REvil, Black Kingdom Ransomware
  • CVE-2019-11510 – REvil Ransomware
  • CVE-2019-19781 – REvil, Nefilim Ransomware
  • CVE-2019-11634 – Nefilim Ransomware
  • CVE-2018-13379 – Cring, REvil Ransomware
  • CVE-2017-0144 – WannaCry, Petya Ransomware
  • CVE-2016-1019 – Locky Ransomware
  • CVE-2015-1701 – Locky Ransomware

The Most Popular Ransomware

The most well-known ransomware is WannaCry: it infected 7,000 computers in the first hour, reached 110,000 distinct IP addresses in two days, and affected 230,000 computers worldwide. It used the EternalBlue exploit and brought the NHS (National Health Service) in the UK to a standstill. The malware writes itself to a randomly named location under the ProgramData folder as "tasksche.exe", or into the C:\Windows\ folder as "mssecsvc.exe" and "tasksche.exe".

Statistics

Associated Vulnerabilities of Some Popular Ransomware Groups:

  • Conti: CVE-2018-12808, CVE-2018-13379, CVE-2020-0796, CVE-2020-1472, CVE-2021-34473, CVE-2021-34523, CVE-2021-44228, CVE-2020-0609, CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, CVE-2021-26855
  • LockBit: CVE-2021-22986, CVE-2018-13379
  • REvil: CVE-2021-30116, CVE-2019-2725, CVE-2018-13379, CVE-2019-11510, CVE-2018-8453, CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108, CVE-2019-11539, CVE-2019-18935, CVE-2019-19781, CVE-2020-2021, CVE-2020-5902, CVE-2020-1472
  • Maze/Egregor: CVE-2018-8174, CVE-2020-0688, CVE-2018-4878, CVE-2018-15982, CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108

Some interesting facts:

  • 34 TB of data was stolen through ransomware attacks in the first half of 2022.
  • Ransomware attacks cost 20 billion dollars worldwide in 2021.
  • 32% of ransomware victims paid the ransom, but they got back only 65% of their data.
  • The average ransom increased from 6,000 dollars in 2018 to 84,000 dollars in 2019.

Tactics to Infect Users

Exploit kits are tools embedded into a website to which the victim is redirected. An exploit kit tries to exploit a specific vulnerability on the visitor's machine and infect it with ransomware. After infection, the ransomware encrypts files or the whole system and demands a ransom to decrypt them. EternalBlue, the exploit WannaCry used against the SMB vulnerability CVE-2017-0144 listed above, is a common example.

Malicious email attachments and links are the basis of phishing attacks. These campaigns may target employees so that attackers can deliver malware into the company's systems and escalate privileges to encrypt more important files. Therefore, all employees, not only those who work in cyber security, should be informed about these campaigns.

Upcoming Threats

Sometimes ransomware groups invent a new tactic and surprise security professionals. These tactics or methods can stay group-specific or become a new invention that everyone uses. For example, RaaS (Ransomware-as-a-Service) is a particular version of SaaS (Software-as-a-Service) that lets customers control ransomware that has already been deployed. Both the customer and the provider profit from the attack. Payment models vary by RaaS platform: monthly subscription, one-time payment, or profit sharing. RaaS is an especially attractive way to attack for a customer who lacks the knowledge to infect the target, escalate privileges, hide the malware, demand the ransom, and decrypt successfully on their own.

Another threat is encrypting and exfiltrating the victim's data at the same time. This method is called double extortion. It gives attackers a second way to threaten the victim, especially a victim that has backed up its data: if the data is backed up, encryption alone has no leverage and the attack may fail, but if the attacker has exfiltrated data over the network, the victim can still be threatened with its publication or sale. This creates a difficult situation for both the victim and the security professionals.

Modern ransomware attacks do not have to be industrialised as RaaS. They can be tailored to a specific company. Attackers research the company's features (size, revenue, security systems, etc.) and employees (profiles and interests) to conduct a more sophisticated attack. Moreover, security professionals have a harder time after such an attack, since memorised, standard security measures do not apply and specific measures are needed.

A change in payment method also increases the anonymity of the ransomware group. Cryptocurrency does not reveal the attacker's information (especially geographical information), so attackers use it. This makes it hard for security professionals to find and catch the attacker.
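Because double extortion depends on data leaving the network before the encryption starts, the exfiltration phase is where a defender still has a chance to notice. A simple, robust signal is a host whose outbound volume jumps far above its own recent baseline. The script below is an added example written for this post, not Brandefense tooling. It works over constructed daily outbound byte totals per host (hostnames and numbers are illustrative, of the kind a SIEM would sum from NetFlow or proxy logs), compares each later day to the median of a baseline period, and applies an absolute floor so that a developer's large upload does not trigger the same alert as a staged file-server dump.

```python
from collections import defaultdict
from statistics import median

# Constructed daily outbound byte totals per internal host (host, ISO date, bytes).
SAMPLE_FLOWS = [
    ("fileserver-01", "2022-09-12", 2_100_000_000),
    ("fileserver-01", "2022-09-13", 1_900_000_000),
    ("fileserver-01", "2022-09-14", 2_300_000_000),
    ("fileserver-01", "2022-09-15", 2_000_000_000),
    ("fileserver-01", "2022-09-16", 2_200_000_000),
    ("fileserver-01", "2022-09-17", 1_800_000_000),
    ("fileserver-01", "2022-09-18", 2_100_000_000),
    ("fileserver-01", "2022-09-19", 48_000_000_000),  # staged data leaving the network
    ("ws-finance-07", "2022-09-12", 300_000_000),
    ("ws-finance-07", "2022-09-13", 280_000_000),
    ("ws-finance-07", "2022-09-14", 310_000_000),
    ("ws-finance-07", "2022-09-15", 290_000_000),
    ("ws-finance-07", "2022-09-16", 300_000_000),
    ("ws-finance-07", "2022-09-17", 320_000_000),
    ("ws-finance-07", "2022-09-18", 300_000_000),
    ("ws-finance-07", "2022-09-19", 350_000_000),     # normal variation
    ("ws-dev-03", "2022-09-12", 500_000_000),
    ("ws-dev-03", "2022-09-13", 500_000_000),
    ("ws-dev-03", "2022-09-14", 500_000_000),
    ("ws-dev-03", "2022-09-15", 500_000_000),
    ("ws-dev-03", "2022-09-16", 500_000_000),
    ("ws-dev-03", "2022-09-17", 500_000_000),
    ("ws-dev-03", "2022-09-18", 500_000_000),
    ("ws-dev-03", "2022-09-19", 4_000_000_000),       # 8x spike, but a small absolute volume
]


def detect_exfiltration(flows, baseline_days: int = 7, factor: float = 5.0,
                        min_bytes: int = 10_000_000_000) -> list:
    """Flag host-days whose outbound bytes exceed factor x the host's baseline median
    and also exceed an absolute floor (min_bytes)."""
    per_host = defaultdict(list)
    for host, day, bytes_out in flows:
        per_host[host].append((day, bytes_out))

    alerts = []
    for host, rows in per_host.items():
        rows.sort()  # ISO dates sort chronologically as strings
        baseline = median(b for _, b in rows[:baseline_days])
        for day, bytes_out in rows[baseline_days:]:
            if bytes_out >= min_bytes and bytes_out > factor * baseline:
                alerts.append({
                    "host": host,
                    "day": day,
                    "bytes_out": bytes_out,
                    "baseline": baseline,
                    "ratio": round(bytes_out / baseline, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS):
        print(alert)
```

With the defaults only `fileserver-01` is reported (about 23x its baseline); lowering `min_bytes` to 1 GB also surfaces `ws-dev-03`, which shows why the floor is a tuning knob rather than a fixed constant. Attackers who throttle their transfer over many days will slip under a per-day ratio like this one, so in practice it is paired with destination-based checks (new external endpoints, cloud storage domains the host never used before).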

Should You Pay Ransom?

Paying a ransom does not guarantee that you will get your data back. The only pressure on the attacker is reputational: if the victim is a well-known company and the attacker does not return the data after being paid, the group's reliability is damaged and no one will pay the ransoms it demands in future. Nevertheless, paying the ransom creates another risk: you get marked as a payer. Attackers will expect that if you are hacked and someone demands a ransom, you will pay, and that expectation may increase your chance of being attacked again.

Prevention Methods

  • Protect yourself from phishing campaigns. Email in particular is one of the most common ways to deceive users.
  • Periodically scanning your systems for vulnerabilities is crucial, since exploiting vulnerabilities is another way to distribute malware. A vulnerability management service can help with this.
  • Do not forget to keep your software up to date.
  • Back up your data (especially sensitive data) so that if a ransomware attack occurs, you will not have to pay a ransom to get it back and can continue from the backup. Do not forget to update your backups regularly.
  • A threat intelligence service may benefit your company by letting you take measures before a cyber attack happens.
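A backup only removes the need to pay if it is complete, unmodified and recent when you reach for it, and the double-extortion discussion above is a reminder that attackers who get far enough will target the backups too. The script below is an added example written for this post, not Brandefense tooling. It records a SHA-256 manifest at backup time and later verifies the copy for integrity (changed files), completeness (missing files) and freshness (manifest age). The source tree and the tampered backup are constructed in a temporary directory so it runs offline; the file names are made up.

```python
import hashlib
import os
import shutil
import tempfile
import time

MANIFEST_NAME = "MANIFEST.json"
DAY = 86400.0


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Record a digest per file plus the time the backup was taken."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name == MANIFEST_NAME:
                continue
            path = os.path.join(dirpath, name)
            files[os.path.relpath(path, root)] = sha256_file(path)
    return {"created": time.time(), "files": files}


def verify_backup(root: str, manifest: dict, max_age_seconds: float = DAY) -> dict:
    """Check a backup tree against its manifest: integrity, completeness, freshness."""
    missing, modified = [], []
    for rel, digest in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            modified.append(rel)
    stale = (time.time() - manifest["created"]) > max_age_seconds
    return {
        "ok": not (missing or modified or stale),
        "missing": sorted(missing),
        "modified": sorted(modified),
        "stale": stale,
    }


def run_demo() -> dict:
    """Constructed scenario: clean copy, then a tampered copy, then an outdated manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "source"), os.path.join(tmp, "backup")
        os.makedirs(src)
        samples = {"invoices.csv": b"id,amount\n1,100\n", "notes.txt": b"call supplier\n"}
        for name, content in samples.items():
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(content)
        manifest = build_manifest(src)
        shutil.copytree(src, dst)
        clean = verify_backup(dst, manifest)

        # Simulate a backup that ransomware reached: one file overwritten, one deleted.
        with open(os.path.join(dst, "invoices.csv"), "wb") as fh:
            fh.write(b"garbage")
        os.remove(os.path.join(dst, "notes.txt"))
        tampered = verify_backup(dst, manifest)

        # An intact copy whose manifest is three days old is reported as stale.
        old_manifest = dict(manifest, created=manifest["created"] - 3 * DAY)
        stale = verify_backup(src, old_manifest)
        return {"clean": clean, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

The manifest must be stored somewhere the backup host cannot overwrite (an offline or write-once location), otherwise an attacker who encrypts the backup can simply regenerate it. Running the verification on a schedule, and actually restoring a sample from time to time, is what turns "we have backups" into "we will not need to pay".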

Conclusion

Ransomware is a popular and modern way of profiting from a cyber attack, and ransomware attacks increase from year to year. There is no reason to take the risk and say, "this won't happen to me." That is why you need to inform your employees and colleagues about ransomware, keep your systems as secure and vulnerability-free as possible, and take proactive measures like backing up data so that you will not be caught unprepared when a ransomware attack comes your way.
