7 of the Most Notable Ransomware of the Last Decade
by Michelle Krasniak
As we mentioned in a previous post, ransomware attacks have been happening for many years, but they have been getting larger, more frequent, and more expensive to remediate. We have compiled a list of some of the most notable ransomware families to illustrate how long ransomware has been around, how dangerous it can be, and how it keeps evolving as cyber criminals grow more brazen and greedy.
Originally discovered in September 2013, CryptoLocker encrypted files and folders on victims' systems using a Rivest-Shamir-Adleman (RSA) key pair, then used its command-and-control (C&C) server to encrypt data before finally demanding a ransom. Other variants of this ransomware cropped up in Australia the following year, this time breaching users' systems through phishing and payload-delivery mechanisms. The Australian Broadcasting Corporation fell victim to this particular attack.
In 2014, CryptoWall ransomware infiltrated networks in two ways: the first by gaining access through exploited browser plugins and downloading the payload, and the second by hiding the encrypted payload inside an image sent via anonymous email campaigns. Once the image was downloaded, the payload ran the CryptoWall script and infected the computer.
This ransomware is said to have caused around $18 million in damage. A recent, unbreakable version, CryptoWall 4.0, encrypted not only the files but also their file names, which makes recovery even harder.
Accounting for 56 percent of mobile ransomware breaches to date, 2015's Fusob ransomware first encrypted data and then ordered victims to pay a ransom (in the form of iTunes gift cards) after displaying a warning message that accused the user of some made-up activity.
Fusob came packaged as a pornographic video player, so when the user downloaded the app, they also downloaded Fusob's payload in the background. Once installed, Fusob checked whether the device's default language was set to an Eastern European language. If it was, nothing happened. If it wasn't, the ransomware activated and locked the device, demanding payment.
Launched in May 2017, WannaCry had one of the largest reaches to date, with upwards of 400,000 computers infected across 150 countries. WannaCry infiltrated networks using the EternalBlue exploit, which targeted a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. The exploit was originally developed by the U.S. National Security Agency (NSA), which did not alert Microsoft to the vulnerability and held on to it for more than five years before the breach forced the agency to come clean about the issue.
Exploiting vulnerabilities in the Remote Desktop Protocol (RDP) and File Transfer Protocol (FTP), SamSam ransomware cropped up in 2015 but made headlines in 2018 when it infected the city of Atlanta, the Colorado Department of Transportation, and the Port of San Diego, causing major disruptions of service. That same ransomware was used by different bad actors again that year against hospitals, municipalities, and public institutions, causing an estimated loss of $30 million.
Both 2019 and 2020 were dominated by Ryuk, a ransomware spread mainly via phishing emails containing dangerous links and attachments. Prior to recent attacks, Ryuk was the costliest to remediate, with ransom amounts exceeding $300,000 in some cases.
Authorities state that Ryuk's attacks have already caused more than $60 million in damage worldwide, including halting the operations of major newspapers in the United States. More than 100 other companies suffered attacks.
Named after the group that perpetrated the incident, this 2021 ransomware attack targeted Kaseya VSA and managed service providers (MSPs). An authentication bypass vulnerability in the software allowed attackers to infect the Virtual System Administrator (VSA) with a malicious payload and push it to hosts managed by the software. In other words, this attack affected over 1,000 additional organizations because the bad actors targeted a third party those organizations had in common. The hacker group demanded a ransom of $70 million to release the key, making it the most expensive ransomware attack to date. At the time of the attack, Kaseya reported that between 800 and 1,500 organizations were affected.
While any and all organizations are vulnerable to ransomware attacks, what makes this one stand out is that the pool of victims was made up of businesses that weren't themselves direct targets. They were victims because of weaknesses in the cybersecurity posture of a third party they did business with.
All cyber attacks, ransomware included, can be prevented by taking a proactive approach to your cyber risk management. With features like Framework Mapper and its associated threat profiles, you get 360-degree visibility into the cybersecurity postures of your third parties, and you can also use the platform to view your own organization's controls coverage, giving you the opportunity to mitigate vulnerabilities before criminals exploit them.