Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/31/2017
11:10 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

10 Scariest Ransomware Attacks of 2017

A look back at WannaCry, NotPetya, Locky, and other destructive ransomware campaigns to infect the world this year.

Who needs a horror movie when you have the 2017 ransomware news cycle? There has been a constant stream of increasingly destructive attacks hitting victims around the world.

Ransomware attacks are getting easier to launch as well. New research from Trustwave shows ransomware is now being distributed through an exploit for Microsoft Dynamic Data Exchange (DDE). Attackers can use Word and Outlook to execute malicious code with DDEAUTO, which allows for automatic code execution that can be abused by threat actors.

Major threat actors have started to toy with this exploit and use the Necurs botnet to distribute massive attacks on email gateways. The Necurs email campaign has an attached Open Office Word document with the malicious DDE exploit code. This code executes a PowerShell script, which downloads another script, which eventually downloads a Locky ransomware file.

The ease of this type of attack, complexity of defending against it, and number of applications infected means the DDE exploit will continue to be used among attackers, Trustwave researchers predict, and more in the near future.

When it comes to ransomware campaigns, "this past year was unlike anything we've ever seen," said David Dufour, vice president of engineering and cybersecurity at Webroot, which recently compiled the most destructive ransomware campaigns to hit so this year.

Locky is one of the nastiest attacks to hit in 2017. What are the others? Let's take a look back:

NotPetya: In June 2017, a fake Ukrainian tax software update spread laterally through infected networks like a worm, using attack vectors Supply Chain ME.doc and the EternalBlue and EternalRomance exploits. NotPetya, a variant of the older Petya attack, charged $300 in ransom from victims in 100+ countries.

WannaCry: The first ransomware to spread via Server Message Block (SMB) exploit was created in March 2017 and attacked in May 2017. WannaCry used the EternalBlue SMB Exploit Kit to infect more than 200,000 machines on day one. Victims spanning 150+ countries were charged $300-$600 in ransom.

Locky: It first appeared in 2016 but continues to be a threat in 2017, with 28+ countries hit in total. Locky arrives as a fake shipping invoice spam email which, once opened, downloads malware and encryption components. Ransom ranges between $400-$800.

Jaff: This May 2017 campaign also hit victims with phishing emails. Like Locky, it contains traits related to other forms of malware. It has demanded $3,700 in ransom from victims in 21+ countries.

Spora: Kicked off the first month of 2017 with a campaign that used a fake font pack update in a browser message. Spora hacks legitimate websites to add JavaScript code, and tells users to update their Chrome browsers to continue viewing the website. Once they download, users are infected. Spora has hit 28+ countries and demands $20-$79 from each victim.

Nemucod: This spam email attack has been around for a while, first appearing with Teslacrypt in 2015 and 2016, and on its own in 2017. It uses phishing emails, like fake shipping invoices, with a zipped attachment containing malicious JavaScript that downloads the malware. It has hit 26+ countries and demands $300 in ransom.

CrySis: Appeared in February 2016 and uses Remote Desktop Protocol (RDP) to remote desktop unsecured machines by brute-forcing passwords. It demands $455-$1,022 in ransom and infected victims in 22+ countries. CrySis is a common way to spread ransomware because hackers can compromise administrators' machines.

Cerber: First hit in March 2016 and uses RDP, spam email, and ransomware-as-a-service (RaaS). Cerber distributes RaaS by packagaing itself and giving cybercriminals the tools to spread as they wish. It demands $300-$600 in ransom and has hit 23+ countries.

CryptoMix: Another March 2016 arrival, CryptoMix spread through RDP and exploit kits like malvertising. It has also been known to hide on flash drives. CryptoMix demands $3,000 in ransom and has infected victims in 29+ countries.

Jigsaw: If you've seen the "Saw" movies, you're familiar with the creepy character after which this spam email attack was named. Jigsaw appeared in April 2016. When users click, it encrypts files and deletes them every hour until the ransom ($20-$200) is paid. It has hit 29+ countries.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36289
PUBLISHED: 2021-05-12
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and fro...
CVE-2021-32606
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
CVE-2021-3504
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
CVE-2021-20309
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
CVE-2021-20310
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...