Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/31/2017
11:10 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

10 Scariest Ransomware Attacks of 2017

A look back at WannaCry, NotPetya, Locky, and other destructive ransomware campaigns to infect the world this year.

Who needs a horror movie when you have the 2017 ransomware news cycle? There has been a constant stream of increasingly destructive attacks hitting victims around the world.

Ransomware attacks are getting easier to launch as well. New research from Trustwave shows ransomware is now being distributed through an exploit for Microsoft Dynamic Data Exchange (DDE). Attackers can use Word and Outlook to execute malicious code with DDEAUTO, which allows for automatic code execution that can be abused by threat actors.

Major threat actors have started to toy with this exploit and use the Necurs botnet to distribute massive attacks on email gateways. The Necurs email campaign has an attached Open Office Word document with the malicious DDE exploit code. This code executes a PowerShell script, which downloads another script, which eventually downloads a Locky ransomware file.

The ease of this type of attack, complexity of defending against it, and number of applications infected means the DDE exploit will continue to be used among attackers, Trustwave researchers predict, and more in the near future.

When it comes to ransomware campaigns, "this past year was unlike anything we've ever seen," said David Dufour, vice president of engineering and cybersecurity at Webroot, which recently compiled the most destructive ransomware campaigns to hit so this year.

Locky is one of the nastiest attacks to hit in 2017. What are the others? Let's take a look back:

NotPetya: In June 2017, a fake Ukrainian tax software update spread laterally through infected networks like a worm, using attack vectors Supply Chain ME.doc and the EternalBlue and EternalRomance exploits. NotPetya, a variant of the older Petya attack, charged $300 in ransom from victims in 100+ countries.

WannaCry: The first ransomware to spread via Server Message Block (SMB) exploit was created in March 2017 and attacked in May 2017. WannaCry used the EternalBlue SMB Exploit Kit to infect more than 200,000 machines on day one. Victims spanning 150+ countries were charged $300-$600 in ransom.

Locky: It first appeared in 2016 but continues to be a threat in 2017, with 28+ countries hit in total. Locky arrives as a fake shipping invoice spam email which, once opened, downloads malware and encryption components. Ransom ranges between $400-$800.

Jaff: This May 2017 campaign also hit victims with phishing emails. Like Locky, it contains traits related to other forms of malware. It has demanded $3,700 in ransom from victims in 21+ countries.

Spora: Kicked off the first month of 2017 with a campaign that used a fake font pack update in a browser message. Spora hacks legitimate websites to add JavaScript code, and tells users to update their Chrome browsers to continue viewing the website. Once they download, users are infected. Spora has hit 28+ countries and demands $20-$79 from each victim.

Nemucod: This spam email attack has been around for a while, first appearing with Teslacrypt in 2015 and 2016, and on its own in 2017. It uses phishing emails, like fake shipping invoices, with a zipped attachment containing malicious JavaScript that downloads the malware. It has hit 26+ countries and demands $300 in ransom.

CrySis: Appeared in February 2016 and uses Remote Desktop Protocol (RDP) to remote desktop unsecured machines by brute-forcing passwords. It demands $455-$1,022 in ransom and infected victims in 22+ countries. CrySis is a common way to spread ransomware because hackers can compromise administrators' machines.

Cerber: First hit in March 2016 and uses RDP, spam email, and ransomware-as-a-service (RaaS). Cerber distributes RaaS by packagaing itself and giving cybercriminals the tools to spread as they wish. It demands $300-$600 in ransom and has hit 23+ countries.

CryptoMix: Another March 2016 arrival, CryptoMix spread through RDP and exploit kits like malvertising. It has also been known to hide on flash drives. CryptoMix demands $3,000 in ransom and has infected victims in 29+ countries.

Jigsaw: If you've seen the "Saw" movies, you're familiar with the creepy character after which this spam email attack was named. Jigsaw appeared in April 2016. When users click, it encrypts files and deletes them every hour until the ransom ($20-$200) is paid. It has hit 29+ countries.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18934
PUBLISHED: 2019-11-19
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.
CVE-2012-6070
PUBLISHED: 2019-11-19
Falconpl before 0.9.6.9-git20120606 misuses the libcurl API which may allow remote attackers to interfere with security checks.
CVE-2012-6071
PUBLISHED: 2019-11-19
nuSOAP before 0.7.3-5 does not properly check the hostname of a cert.
CVE-2012-6135
PUBLISHED: 2019-11-19
RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process.
CVE-2016-10002
PUBLISHED: 2019-11-19
Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.