CLOUD ADOPTION DURING THE COVID-19 PANDEMIC
July 14, 2020

RANSOMWARE STRAINS THAT PLAGUED 2019

When you understand ransomware and the strains that impacted organizations like yours in 2019, you can better prepare for the rest of 2020 and beyond.

What is Ransomware?

A ransomware attack occurs when a cybercriminal locks, or kidnaps, your files and holds them hostage until you pay them the requested amount of money or bitcoin. Ransomware attacks are different from typical cyberattacks because they don’t steal credentials or private information. Instead, these criminals focus on isolating essential data with the threat to destroy them unless financial demands are met.

Ransomware malicious code can be hidden anywhere from email links or attachments to applications or websites. They appear harmless on the surface, but the attack ensues when the user clicks on the link or launches the app. Victims may not even know they are the subject of a ransomware attack until they realize that specific files or applications are locked. Victims will likely receive a popup message informing them to pay a certain amount within a time limit to regain access to their files or be destroyed.

Ransomware Affects More Than Individuals

While individuals are easy targets for ransomware attacks, cybercriminals go after businesses as well. The critical difference is in the way they are executed. For individuals, ransomware campaigns are typically part of a larger scam where malware is sent to hundreds or even thousands of people in hopes that a few will click through and run the malware.

For businesses, however, ransomware attacks are often more targeted and intentional. Cybercriminals will look for specific holes to deliver the malware and request a more substantial amount of money depending on the company’s size. Medical facilities have been the most notable victims of ransomware, as attackers can shut down access to critical patient information that doctors and nurses need to provide adequate care. This makes these types of businesses more likely to pay the monetary demands.

Whether you are a business or an individual, it’s essential to understand what happened last year so you can be aware of the various strains of ransomware and take proactive steps to protect yourself, your employees, and your business.

The Largest Strains in 2019

Understanding the strains that impacted 2019 can deliver insights to help learn how and where they strike. This can help us know how to overcome them ultimately. Without further ado, here are the top ransomware strains of 2019.

Syrk

Fortnite has taken the world by storm, and many gamers try to get an edge on the competition by employing “hacks” to get them further in the game. This ransomware is aimed directly at these greedy gamers, posing as a way to cheat the system. But players end up getting more than they bargained for because when they try to download the cheat pack, they download malware that immediately begins encrypting their files and adding the ‘.Syrk’ extension. Anti-malware software is, unfortunately, bad at dealing with this type of attack.

GlobeImposter 2.0

In early 2019, GlobeImposter 2.0 accounted for about 6.5% of all ransomware strains detected, with the most notable victim being A2 Hosting. This attack infected and encrypted their Windows hosting servers, and their hosted systems were down for over a week to contain the outbreak. This ransomware attack comes in a few different forms – from an email with a malicious zip file attachment to a free add-on to an application download.

GandCrab

GandCrab is behind millions of malware infections worldwide and takes in millions of dollars each week with their ransomware ploys. This ransomware targets individuals and businesses running on Microsoft Windows and encrypts victims’ files while demanding ransom payments to regain access. This cyberthreat remains at the forefront of Ransomware-as-a-Service (RaaS), which, similar to Software-as-a-Service (SaaS), is a subscription-based model.

RobbinHood

RobbinHood is a sinister type of ransomware that targets individual machines and uses a kernel driver to shut down over 200 different Windows services. The cybercriminals behind these targeted attacks then demand tens of thousands of dollars to unlock the encrypted services and files. This type of attack successfully secured payouts from the cities of Baltimore, Maryland, and Greenville, North Carolina, in 2019.

Buran

Buran is a new version of Ransomware-as-a-Service (RaaS) that was first detected in May 2019. It is unique because it speaks an outdated programming language, leveraging code written in Object Pascal in Delphi IDE. This code was used over 20 years ago in Latin America and the former Soviet Union. It continues to evolve to avoid detection – this latest strain uses the RIG Exploit Kit, which merges web technologies like Flash and VB Script to complicate the attack.

Sodinokibi

Sodinokibi ransomware is also known as REvil or Sodin and exploits an Oracle WebLogic vulnerability to access machines. This type of malware grants elevated user rights so that any restricted files or connected resources become targets. This type of attack can even wipe out all backup folders during the encryption process to force the victims into making the ransom payments.

Ryuk

Ryuk, like many other crypto-ransomware strains we’ve covered, uses encryption to block access to systems, devices, and files. Ryuk often makes its way into a machine via another malware, notably TrickBot, or via Remote Desktop Services. In 2019, this strain crippled ASCO, a Belgian airplane parts maker, causing production to stop for weeks, costing the company their reputation, lost productivity, and a large sum of money to restore the encrypted systems.

Nemty

The strain of Nemty that emerged in 2019 shares qualities with both Buran and GandCrab ransomware strains, but this type of malware originated from a fake PayPal website. With only a few months under its belt, this ransomware racked up thousands of dollars in ransom payments because the secure encryption process uses the overkill 8092-bit RSA key.

Unidentified Louisiana Attack

Yes, there are ransomware strains that have not been identified yet. In 2019 ransomware hit the state of Louisiana’s public school systems that caused the governor to declare an official emergency so that technology and law-enforcement agencies could respond. It’s speculated that this could have been attributed to Ryuk ransomware but just goes to show that no organization, even our public school systems, are safe.

Unidentified Riviera Beach Attack

A ransomware attack targeting the city of Riviera Beach, Florida, cost the city over $1.5 million ($600,000 they paid in ransom plus $900,000 investing in new hardware to seal the security gaps to prevent this type of attack from happening in the future). Attacks like these prove just how profitable the ransomware business can be, further encouraging cybercriminals to continue executing new attacks on unsuspecting companies and individuals.

How to Spot Ransomware

Now that you understand a little more about the different ransomware attacks that businesses and individuals fell victim to in 2019, it’s time to learn how to spot a ransomware attack. The most common ransomware attack vehicle is through email – whether it’s an infected link or attachment. These emails can be carefully crafted and difficult to discern, so it’s essential to pay careful attention to each email that you receive because an email could look entirely professional (that’s how they get you).

First, always check the email sender. Is it a trusted source? If it’s someone you don’t know, it’s still best to exercise caution. Avoid clicking on any links or attachments from sources that you do not know and trust. If an attachment asks you to enable macros, this is a big red flag. Ransomware is commonly spread this way, so double-check the sender before opening. We even encourage you to go as far as to verify the sender’s email address. Some cybercriminals sneakily put a trusted name in the “from” section of the email, but the actual email address maybe something completely different.

Check out the image below to learn about other common ways ransomware can infect you and your employees’ machines.

Key takeaway: Understanding what happened in 2019 can help you prepare for 2020 and beyond

Now that we’ve shared more information about ransomware and the types of attacks that plagued 2019, you are armed with the knowledge to proactively identify ransomware attacks and prevent them before they even happen. Be sure to share this with all your employees, so they don’t inadvertently expose your company’s private data. Here are some tips you can use for your future cybersecurity approach, specifically when it comes to ransomware.

Preventing a ransomware attack means that you need to be diligent about what you are clicking and downloading on your computer or mobile device. Follow the recommendations below to keep you from becoming a victim of a ransomware attack, and don’t forget to educate your employees on these guidelines.

  • Double-check every email you receive and look carefully when clicking a link or opening an attachment. It may seem like an authentic email, but if a bank asks you to click a link to their website, it’s safer to visit their website in your browser and log in that way. If you receive an email that you weren’t expecting, look closely at the return address to ensure there aren’t any misspelled words. All it takes is one click to jeopardize all your files.
  • Be careful when downloading software or applications. Be sure you are using reputable sources and even read the reviews to make sure it’s the right program. Sometimes, companies might try and pose as an application that looks real when it is an imitation. Always use caution and triple check anything you are adding to your machine.
  • Always run the latest version of your computer or mobile device’s operating system. This way, you still have the latest security updates and patches that may detect malicious code before it reaches your machine.
  • Consistently back up your files so that you have them stored in a location other than your computer. This way, your locked files will not cause panic due to lost memories or work. Instead, you let those files go and refer to the data you backed up. Use an external hard drive or flash drive to save the copies, so you never need to worry.

If you suffer a ransomware attack, the FBI recommends that you do not pay the criminals. The criminals could determine that you are easy prey and ask for more money before unlocking your files. You should report the crime with the Internet Crime Complaint Center (IC3) immediately.

If you have further questions about ransomware or need additional training for your business, contact the security and IT experts at Level4 IT today.

About Us

Level4 IT is a Computer and IT Management company located in Schaumburg, IL. We provide Cloud-IT Services, Computer Management, Server Management, Internet & Cyber Security, Data Backups, Cloud Services, and Technical Support for Small & Midsize Companies.

Our focus is to help businesses stay safe on the internet while providing ongoing Technical Management, Consulting, and Support. We help our clients stay ahead of the competition.

Contact us at 888-831-6412 or email us at info@level4it.com.