Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/31/2017
11:10 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

10 Scariest Ransomware Attacks of 2017

A look back at WannaCry, NotPetya, Locky, and other destructive ransomware campaigns to infect the world this year.

Who needs a horror movie when you have the 2017 ransomware news cycle? There has been a constant stream of increasingly destructive attacks hitting victims around the world.

Ransomware attacks are getting easier to launch as well. New research from Trustwave shows ransomware is now being distributed through an exploit for Microsoft Dynamic Data Exchange (DDE). Attackers can use Word and Outlook to execute malicious code with DDEAUTO, which allows for automatic code execution that can be abused by threat actors.

Major threat actors have started to toy with this exploit and use the Necurs botnet to distribute massive attacks on email gateways. The Necurs email campaign has an attached Open Office Word document with the malicious DDE exploit code. This code executes a PowerShell script, which downloads another script, which eventually downloads a Locky ransomware file.

The ease of this type of attack, complexity of defending against it, and number of applications infected means the DDE exploit will continue to be used among attackers, Trustwave researchers predict, and more in the near future.

When it comes to ransomware campaigns, "this past year was unlike anything we've ever seen," said David Dufour, vice president of engineering and cybersecurity at Webroot, which recently compiled the most destructive ransomware campaigns to hit so this year.

Locky is one of the nastiest attacks to hit in 2017. What are the others? Let's take a look back:

NotPetya: In June 2017, a fake Ukrainian tax software update spread laterally through infected networks like a worm, using attack vectors Supply Chain ME.doc and the EternalBlue and EternalRomance exploits. NotPetya, a variant of the older Petya attack, charged $300 in ransom from victims in 100+ countries.

WannaCry: The first ransomware to spread via Server Message Block (SMB) exploit was created in March 2017 and attacked in May 2017. WannaCry used the EternalBlue SMB Exploit Kit to infect more than 200,000 machines on day one. Victims spanning 150+ countries were charged $300-$600 in ransom.

Locky: It first appeared in 2016 but continues to be a threat in 2017, with 28+ countries hit in total. Locky arrives as a fake shipping invoice spam email which, once opened, downloads malware and encryption components. Ransom ranges between $400-$800.

Jaff: This May 2017 campaign also hit victims with phishing emails. Like Locky, it contains traits related to other forms of malware. It has demanded $3,700 in ransom from victims in 21+ countries.

Spora: Kicked off the first month of 2017 with a campaign that used a fake font pack update in a browser message. Spora hacks legitimate websites to add JavaScript code, and tells users to update their Chrome browsers to continue viewing the website. Once they download, users are infected. Spora has hit 28+ countries and demands $20-$79 from each victim.

Nemucod: This spam email attack has been around for a while, first appearing with Teslacrypt in 2015 and 2016, and on its own in 2017. It uses phishing emails, like fake shipping invoices, with a zipped attachment containing malicious JavaScript that downloads the malware. It has hit 26+ countries and demands $300 in ransom.

CrySis: Appeared in February 2016 and uses Remote Desktop Protocol (RDP) to remote desktop unsecured machines by brute-forcing passwords. It demands $455-$1,022 in ransom and infected victims in 22+ countries. CrySis is a common way to spread ransomware because hackers can compromise administrators' machines.

Cerber: First hit in March 2016 and uses RDP, spam email, and ransomware-as-a-service (RaaS). Cerber distributes RaaS by packagaing itself and giving cybercriminals the tools to spread as they wish. It demands $300-$600 in ransom and has hit 23+ countries.

CryptoMix: Another March 2016 arrival, CryptoMix spread through RDP and exploit kits like malvertising. It has also been known to hide on flash drives. CryptoMix demands $3,000 in ransom and has infected victims in 29+ countries.

Jigsaw: If you've seen the "Saw" movies, you're familiar with the creepy character after which this spam email attack was named. Jigsaw appeared in April 2016. When users click, it encrypts files and deletes them every hour until the ransom ($20-$200) is paid. It has hit 29+ countries.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.