Recently, 22 Texas cities were hit by what appeared to be a coordinated ransomware attack. The attacks have been attributed to Sodinokibi, currently the most prominent ransomware family. Sodinokibi, also known as REvil, was also behind a recent attack that affected hundreds of dental practices.
Cryptoviral malware, better known as ransomware, locks your screen or encrypts your files, then withholds access until a payment is made.
Despite malware like Sodinokibi making more headlines than ever, the volume of ransomware attacks has actually dropped sharply in recent years. Unfortunately, newer ransomware attacks are tailored for specific victims and target them directly, leading to more success on a percentage basis. For example, Baltimore was recently paralyzed for several weeks by a directed ransomware attack that cost the city more than $18 million.
In fact, a recent Malwarebytes report found that ransomware targeted directly at specific businesses increased by a whopping 500% between 2018 and 2019.
This means that endpoint security solutions and data backup systems have never been more important. Surprisingly, a recent GetApp survey found that only 69% of respondents report the use of a data backup system as part of their company’s IT security program. Clearly, too many businesses are not taking threats like ransomware seriously enough.
5 infamous ransomware examples
To better understand ransomware’s history and why all businesses should take the scheme seriously, we’ll explore some of the most infamous ransomware examples.
Brain virus – 1986
Way back in 1986, two brothers were frustrated with computer users who were installing pirated copies of software they had written. To exact their revenge, they created a boot-sector virus known as Brain, which displayed menacing messages such as “Welcome to the Dungeon”, “Beware of VIRUS”, and “Contact us for vaccination”, along with their names, address, and phone numbers.
The brothers were surprised by the outrage that followed, claiming the virus was simply intended as a way of expressing their disappointment with software counterfeiters. Brain wasn’t the first virus—that honor goes to 1971’s Creeper—but it is considered by many to be the first ransomware example, even though it neither encrypted any data nor demanded payment.
However, some argue that 1989’s “AIDS” trojan (also known as PC Cyborg) was the original ransomware example because it was the first to actually scramble a victim’s data: it encrypted file names, hid directories, and demanded a payment of $189 mailed to a P.O. box in Panama. This of course depends on how you define ransomware. Comment below if you have strong feelings one way or the other.
In 2011, IT security company F-Secure released a short documentary about the Brain virus.
CryptoLocker – 2013
In late 2013, CryptoLocker rapidly became one of the internet’s most pervasive threats, infecting an estimated 250,000 machines during the last quarter of 2013. The malware was distributed by a vast botnet named Gameover Zeus.
In May 2014, the U.S. Department of Justice led an international coalition to pull the plug on the Gameover Zeus botnet and CryptoLocker, but not before the two had caused more than $100 million in losses, according to the Department’s own estimate.
Botnet is a portmanteau combining the words robot and network. Botnets are networks of computing devices (e.g., desktop computers, mobile phones, IoT devices) that have typically been infected by malware and act as zombies at the command of an operator. Botnets combine the distributed computing power of their zombified machines to launch a variety of ploys such as DDoS attacks, cryptojacking, and ransomware.
WannaCry – 2017
In May 2017, WannaCry spread like wildfire and hit computers in 150 countries within days of its first infection. WannaCry opened a new era of ransomware: it was the first major strain to use EternalBlue, an exploit for a flaw in Windows SMBv1 that had been developed by the National Security Agency and leaked by the Shadow Brokers a month earlier, and which let the self-replicating worm move between vulnerable Windows machines with no user interaction at all. Microsoft had patched the flaw (MS17-010) in March 2017, two months before the outbreak, so every machine WannaCry reached was one that had not applied a patch that was already available.
But the overwhelming speed of the WannaCry outbreak was only part of the story; the malware affected major businesses all over the world, including Spain’s Telefónica, and even caused parts of the UK’s National Health Service (NHS) to cancel appointments and turn away patients.
For these reasons WannaCry is perhaps the most well-known ransomware attack on record. In fact, a Google Trends chart for the term “ransomware” shows a single sharp spike in May 2017: the media frenzy surrounding WannaCry.
Incredibly, the fallout would have been much worse were it not for the discovery of a hidden kill switch buried in the malware’s code.
While examining WannaCry, security researcher (and reformed hacker) Marcus Hutchins noticed that the malware tried to reach a long, nonsensical domain name before doing anything else. Having verified that the domain was unregistered, he bought it for about $10 and pointed it at a sinkhole server. From then on, each new infection found the domain live and exited before encrypting anything or spreading further; the unregistered domain had apparently been built into the malware as a kill switch. The switch was not a cure, though: machines that were already encrypted stayed encrypted, and hosts that could not reach the domain directly (for example, those behind an authenticating web proxy) were not protected, because the malware treated a failed request the same as an unregistered domain.
Earlier this year, Hutchins, known online as MalwareTech, pleaded guilty to hacking charges stemming from the Kronos banking trojan he had been involved in developing many years earlier. Following overwhelming support from journalists and the cyber-security community, the judge sentenced Hutchins to time served.
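The kill-switch behaviour described above, modelled as an added example (it is not code from the article or from the malware, and it carries no payload): the gate halts when the kill-switch domain answers and proceeds otherwise, which is why sinkholing the domain stopped the outbreak and why a host whose only web path is an authenticating proxy is not protected. The domain name, addresses and DNS log lines are constructed placeholders; the second function shows the defender’s follow-up, picking out of DNS logs the hosts that reached the sinkhole, since those machines are infected and unpatched even though the payload never ran.

```python
"""Kill-switch gate of the kind found in WannaCry, modelled without any payload.

Added illustration, not code from the original article or the malware. The real
sample issued an HTTP request to a long gibberish domain before doing anything
else and exited if the request succeeded. Sinkholing the domain made that request
succeed on every machine with direct internet access. Networks that only reach the
web through an authenticating proxy cannot complete the request, so the gate fails
open there. Domain name, host addresses and log lines below are constructed.
"""
from typing import Callable, List

# Placeholder standing in for the real kill-switch domain (assumption).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"


def gate(probe: Callable[[str], bool], domain: str = KILL_SWITCH_DOMAIN) -> str:
    """Return "halt" when the kill-switch domain answers, else "proceed".

    Any failure to complete the request is treated as "domain inactive", which is
    exactly why the switch fails open on proxy-only networks.
    """
    try:
        answered = probe(domain)
    except OSError:
        answered = False
    return "halt" if answered else "proceed"


# Three network conditions, each as a probe standing in for the HTTP request.
def unregistered(domain: str) -> bool:
    return False            # before 12 May 2017: nobody owned the domain


def sinkholed(domain: str) -> bool:
    return True             # after registration: the sinkhole answers every request


def proxy_only(domain: str) -> bool:
    raise OSError("direct egress blocked; proxy requires authentication")


def outcome_by_network() -> dict:
    """Gate result under each constructed network condition."""
    return {
        "unregistered": gate(unregistered),
        "sinkholed": gate(sinkholed),
        "proxy_only_sinkholed": gate(proxy_only),
    }


# Defender side: the sinkhole only stops the payload. A host that reached the
# domain is still infected and still unpatched; DNS logs show which hosts those are.
SAMPLE_DNS_LOG = [  # constructed: "<timestamp> <client> query <type> <name>"
    "2017-05-12T15:03:11Z 10.0.4.17 query A killswitch-placeholder.invalid",
    "2017-05-12T15:03:14Z 10.0.4.17 query A update.example.com",
    "2017-05-12T15:04:02Z 10.0.7.3 query A killswitch-placeholder.invalid",
    "2017-05-12T15:05:40Z 10.0.4.17 query A killswitch-placeholder.invalid",
]


def hosts_that_hit_kill_switch(log_lines: List[str], domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Distinct client addresses that queried the kill-switch domain, in first-seen order."""
    seen: List[str] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "query" and parts[4] == domain and parts[1] not in seen:
            seen.append(parts[1])
    return seen


if __name__ == "__main__":
    print(outcome_by_network())
    print(hosts_that_hit_kill_switch(SAMPLE_DNS_LOG))
```

The point of the third probe is the one most often missed: the gate does not check "is the domain registered", it checks "did my request succeed", and on a network that blocks direct egress those two questions have different answers.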
NotPetya – 2017
Petya ransomware arrived in 2016 as a fairly straightforward scheme, although its encryption method was unusual: instead of encrypting individual files, it overwrote the master boot record and encrypted the NTFS master file table, leaving the whole disk unreadable.
In contrast, NotPetya, which appeared in June 2017, was an especially powerful example of ransomware. It used the EternalBlue exploit just as WannaCry had earlier in the year, but added a credential-stealing component derived from Mimikatz, which let it spread to machines that had already been patched against MS17-010.
It did this by harvesting Windows credentials from the memory of each infected machine and reusing them, through legitimate administration tools such as PsExec and WMI, to log in to other machines on the network where the same credentials worked. A patched host is no defense if an administrator has logged on to an unpatched one with a password that also opens the patched machine.
NotPetya is generally understood to have been a Russian cyberattack aimed at Ukrainian companies (its initial vector was a poisoned update of the Ukrainian accounting package M.E.Doc), but businesses all over the world were caught in the crossfire. Early estimates put the total cost at $1.2 billion; a later White House assessment put it at around $10 billion. In practice it was a wiper dressed as ransomware: the “installation key” shown in its ransom note was random data, so paying could not have recovered anything.
The hardest hit was Danish shipping company Maersk. NotPetya crippled the shipping giant’s entire network and halted operations at dozens of port terminals around the world. In the end, Maersk reported losses approaching $300 million.
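The credential-reuse spread described above, as an added defender’s model rather than NotPetya’s own code: each host holds a set of credentials in memory and a set of credentials that grant admin access to it; an infected host dumps its memory and any other host that accepts one of the stolen credentials is infected next, patched or not. Host names, account names and the example network are constructed. The three scenarios show why the page’s point matters: a shared local administrator password hands over every machine, per-host passwords plus tiered accounts contain the spread to the workstations, and a single domain admin logon on a workstation undoes the containment.

```python
"""Credential-reuse propagation of the kind NotPetya used, as a defender's model.

Added illustration, not NotPetya's code. Each host has credentials sitting in
memory (logged-on users, service accounts, the local administrator) and a set of
credentials that grant administrative access to it. An infected host dumps what
is in its memory and tries it everywhere; any host that accepts one of the stolen
credentials is infected next, regardless of patch level. Host names, account
names and the layout of the example network are all constructed.
"""
from collections import deque
from typing import Dict, Set

Creds = Dict[str, Set[str]]


def propagate(cached: Creds, admin_on: Creds, patient_zero: str) -> Set[str]:
    """Return every host reachable from patient_zero by credential reuse alone.

    cached[host]   credentials recoverable from that host's memory once infected
    admin_on[host] credentials that grant remote admin (PsExec/WMI style) there
    """
    infected = {patient_zero}
    loot: Set[str] = set()
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        loot |= cached[host]                      # dump memory of the newly infected host
        for target, accepted in admin_on.items():
            if target not in infected and loot & accepted:
                infected.add(target)              # a stolen credential opens this machine
                queue.append(target)
    return infected


HOSTS = ["ws01", "ws02", "ws03", "fs01", "dc01"]
USERS = {"ws01": "alice", "ws02": "bob", "ws03": "carol",
         "fs01": "svc_backup", "dc01": "domainadmin"}


def shared_local_admin() -> Set[str]:
    """Every machine built from the same image with the same local admin password."""
    admin_on = {h: {"localadmin:shared"} for h in HOSTS}
    cached = {h: {"localadmin:shared", USERS[h]} for h in HOSTS}
    return propagate(cached, admin_on, "ws01")


def unique_local_admin(domain_admin_on_workstation: bool) -> Set[str]:
    """Per-host local admin passwords (LAPS style) and a tiered helpdesk account.

    With domain_admin_on_workstation=True a domain admin has logged on to ws03
    interactively, the tiering violation that hands over the whole domain.
    """
    admin_on = {
        "ws01": {"localadmin:ws01", "helpdesk"},
        "ws02": {"localadmin:ws02", "helpdesk"},
        "ws03": {"localadmin:ws03", "helpdesk"},
        "fs01": {"localadmin:fs01", "domainadmin"},
        "dc01": {"domainadmin"},
    }
    cached = {
        "ws01": {"localadmin:ws01", "alice", "helpdesk"},   # helpdesk fixed alice's PC today
        "ws02": {"localadmin:ws02", "bob"},
        "ws03": {"localadmin:ws03", "carol"},
        "fs01": {"localadmin:fs01", "svc_backup"},
        "dc01": {"domainadmin"},
    }
    if domain_admin_on_workstation:
        cached["ws03"].add("domainadmin")
    return propagate(cached, admin_on, "ws01")


if __name__ == "__main__":
    print("shared local admin      :", sorted(shared_local_admin()))
    print("unique, tiered          :", sorted(unique_local_admin(False)))
    print("unique, tiering violated:", sorted(unique_local_admin(True)))
```

Note that `propagate` never consults a patch level: in this model EternalBlue is irrelevant, which is exactly the page’s point about NotPetya reaching patched machines. The helpdesk account still lets one infected workstation take the others, so even the contained case argues for separate helpdesk credentials per tier and for not leaving them cached on endpoints.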
GandCrab – 2018
GandCrab ransomware emerged in January 2018 and dominated the ransomware market until its developers announced their retirement in June 2019, claiming more than $2 billion in ransom payments.
GandCrab’s operators gained most of their illicit proceeds through a ransomware-as-a-service (RaaS) model: affiliate criminals broke in and deployed the malware, and the operators took a cut of each ransom (reportedly 30 to 40 percent) and passed the rest to the affiliate. In other words, GandCrab was a fully realized cybercrime franchise operation.
GandCrab thrived by continually releasing new and improved versions of the malware, staying a step ahead of security researchers and the free decryption tools they published; several versions were eventually broken, with decryptors released through Bitdefender and the No More Ransom project.
Recently, researchers have begun to suspect, based on overlaps in the code, that GandCrab’s supposedly retired operators are behind the new king of ransomware, Sodinokibi.
Recommended reading: Why Ransomware Encrypted Baltimore’s Systems and How It Could Have Been Prevented
Sodinokibi and strategies going forward
We’ve covered a handful of the most infamous ransomware examples, but countless others don’t make the headlines or go unreported.
Sodinokibi’s reign has likely just begun. It is a dynamic threat whose operators do not rely on phishing alone: its first observed deployments in April 2019 exploited a deserialization flaw in Oracle WebLogic servers (CVE-2019-2725), and since then it has been installed in numerous ways, including via compromised WordPress sites that overlay bogus answer boxes on Q&A pages and install the malware when clicked. Sodinokibi’s operators have also broken into managed service providers (MSPs) and used the remote-management tools those providers run on customer machines to push the malware to every endpoint at once.
Ransomware creates downtime that no business can afford, and smaller companies with fewer resources might not bounce back at all after an attack by something as aggressive as Sodinokibi. Some examples, such as GermanWiper, overwrite your files with zeros before demanding a ransom, leaving no chance of recovery without a backup the attacker could not reach.
The best strategy is to keep your software patched (WannaCry and NotPetya both spread through a flaw Microsoft had fixed months earlier), adopt an endpoint security platform, and, most importantly, develop a solid data backup strategy: keep at least one copy offline or otherwise unreachable with the credentials an attacker could harvest from your network, and test restores regularly, because a backup the malware can encrypt, or one that has never been restored, is no backup at all.
The data security survey referenced in this article was conducted by GetApp in June 2019 using Amazon Mechanical Turk among 714 respondents who reported full-time employment in the United States.