Ransomware attacks are arguably the most malicious of all cyberattacks, whether the victim is an organization or an individual. In this blog, we'll learn about some of the ransomware strains seen recently. We'll examine how they differ in their approach and how they affect their victims. The strains we'll cover are JigSaw, VirLocker, Conti, Onyx, and Black Cat.
These five strains have caused grievous damage to victims and differ in the way they attack, but ultimately all demand a ransom. Cybersecurity professionals should be aware of these ransomware strains and the ways to defend against them.
The name JigSaw is inspired by the popular horror movie "Saw." It even uses the image of Billy, the puppet from the movie, in the threatening extortion notice it displays to victims. The JigSaw ransomware strain first appeared in 2016; since then, various variants of the strain have evolved. Its basic objective is the same as any other ransomware: to encrypt the victim's data and demand a ransom. Most ransomware only threatens to delete data or block access if the ransom is not paid; JigSaw was the first of its kind to actually delete the data when the ransom was not paid within the stipulated time. The strain uses the AES encryption algorithm to encrypt files, and renames them with file extensions like .fun, .game, .btc, .YOLO, and .data. Once a system is infected, a threatening notice is displayed on the victim's screen, along with a countdown timer. The strain starts deleting files once the stipulated time passes without payment, and the rate of deletion increases exponentially the longer the payment is delayed. Decryption tools are available, but it is critical to act fast, since data is erased as time passes. The ransom is usually demanded in Bitcoin.
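As an added example (not code from the original post), here is a small Python detector that flags a burst of renames to the JigSaw-associated extensions listed above in file-system audit events. The event format and the sample lines are constructed assumptions; the burst threshold exists because extensions like .data and .game also occur legitimately.

```python
import re
from datetime import datetime, timedelta

# Extensions the post associates with JigSaw renames. ".data" and ".game" also
# occur legitimately, so one hit is not an alert; a burst of them is.
JIGSAW_EXTENSIONS = {".fun", ".game", ".btc", ".yolo", ".data"}

# Constructed sample audit events (not real telemetry): "<ISO time> <action> <path>"
SAMPLE_EVENTS = """
2024-05-01T10:00:01 RENAME C:\\Users\\alice\\Documents\\budget.xlsx.fun
2024-05-01T10:00:02 RENAME C:\\Users\\alice\\Documents\\notes.docx.fun
2024-05-01T10:00:02 RENAME C:\\Users\\alice\\Pictures\\holiday.jpg.btc
2024-05-01T10:00:03 WRITE  C:\\Users\\alice\\Documents\\report.pdf
2024-05-01T10:00:04 RENAME C:\\Users\\alice\\Documents\\plan.pptx.YOLO
2024-05-01T10:30:00 RENAME C:\\Users\\bob\\saves\\level1.game
""".strip().splitlines()

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")

def parse_event(line):
    """Return (timestamp, action, path), or None for an unparsable line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2).upper(), m.group(3)

def has_jigsaw_extension(path):
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in JIGSAW_EXTENSIONS

def detect_rename_burst(lines, window=timedelta(seconds=60), threshold=3):
    """Return the paths of the largest cluster of suspicious renames that fall
    within `window` of each other, or [] if no cluster reaches `threshold`."""
    hits = sorted((ev[0], ev[2]) for ev in map(parse_event, lines)
                  if ev and ev[1] == "RENAME" and has_jigsaw_extension(ev[2]))
    best, start = [], 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:  # shrink window from the left
            start += 1
        cluster = [path for _, path in hits[start:end + 1]]
        if len(cluster) >= threshold and len(cluster) > len(best):
            best = cluster
    return best

if __name__ == "__main__":
    for path in detect_rename_burst(SAMPLE_EVENTS):
        print("suspicious rename:", path)
```

On the sample data, the four renames in alice's profile within a few seconds form the alert, while bob's lone .game save file half an hour later is ignored.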
The VirLocker ransomware strain, also known as VirLock or Vir Ransom, was first identified in 2014. However, it became prominent in 2016 when researchers found that variants of this strain were capable of spreading through cloud storage and collaboration apps. The strain not only attacks the system and encrypts all files, but also converts the files into polymorphic file infectors. An infector behaves like a virus and infects other, non-infected files. VirLocker is the world's first self-replicating polymorphic ransomware. This strain usually infects some of the most common file types, like doc, pdf, ppt, jpg, png, mp3, and zip. Unlike most regular ransomware attacks, where the ransom is demanded directly, VirLocker disguises itself as an anti-piracy warning from regulatory bodies and claims that pirated software has been detected on the victim's computer. It then threatens them with legal consequences if they don't pay the ransom. Several standalone cleaners and removal tools are available for this ransomware strain. Although the overall number of victims of this ransomware might be smaller compared to other strains, its parasitic nature still makes it dangerous.
The Conti ransomware strain was first identified in early 2020 and is believed to be operated by a Russian group. It targeted large corporations as well as influential individuals. Attacks were mostly concentrated in the US. Common attack vectors include phishing or spam emails, weak Remote Desktop Protocol (RDP) credentials, and software and hardware vulnerabilities. This variant operates on a ransomware-as-a-service (RaaS) model, which makes it more dangerous, as the speed of the attack and the subsequent encryption is high. Conti intrusions are mostly human operated (as opposed to automatic propagation) and follow the double extortion strategy, in which highly skilled attackers take time to discover sensitive data, and not only steal and encrypt it but also threaten victims that their data will be published if the ransom is not paid. A group known as Wizard Spider of Saint Petersburg, Russia, is behind Conti. There are about 180 publicly known victims of this ransomware. No decryption tools are available yet, nor is there software available for detection. Some of the affected companies are JVCKenwood, Ireland's Health Service, and Volkswagen Group.
Security researchers at Malware Hunter have reported that Onyx is a new variant of the Chaos ransomware. It was first seen in April 2022. The Onyx strain operates on a double extortion strategy, where attackers not only steal data but also threaten to publish it if the demanded ransom is not paid. Onyx has taken threat and destruction to a new level by overwriting victims' files with junk data instead of encrypting them. This means that victims' data is essentially destroyed and cannot be decrypted and retrieved. Initially it was believed that the strain attacks files of size 200MB and higher. In reality, the strain attacks files larger than 2MB, causing far more files to be affected.
The Black Cat ransomware strain, a.k.a. ALPHV ransomware, is a sophisticated ransomware-as-a-service (RaaS) strain that has attacked more than 60 organizations from November 2021 to April 2022. This strain was developed in the Rust programming language, which makes it easier for attackers to execute. The Black Cat creators provide access to their malicious code to franchisees, and in return the parent organization receives a percentage of the ransom. The franchisee's job is to establish a connection with the corporate IT environment, compromise Active Directory users, and bypass security systems. The tools used for this attack are the Cyrtor and Fendr utilities. A large South American oil and gas organization fell victim to this strain in 2022. The Black Cat attackers usually demand ransom in Bitcoin or Monero.
These five ransomware strains differ in their modus operandi. They all mostly try to steal and encrypt data, and demand a ransom. We should also acknowledge that the new business model, RaaS, has made it easier for attackers by providing the infrastructure and services. Any organization with an IT environment should invest in cybersecurity tools proactively and secure its networks and operations, as "prevention is better than cure" at any time. But in case an attack does happen, the organization should also be able to track it quickly, investigate the root cause, and take remedial action; investing in a SIEM solution helps here. Our SIEM solution, ManageEngine Log360, helps prevent attacks by alerting when unusual events or activities are detected and by initiating automatic remediation processes. To fully evaluate how Log360 can help your organization defend against cyberattacks, sign up for a personalized demo.