Ransomware – The Most Dangerous Cyber Threat

HISTORY

Between 2005 and 2006, instances of ransomware first appeared in Russia, according to Trend Micro’s data. This ransomware variant compressed specific file types before overwriting the original files. An SMS ransomware threat that instructed customers to call a premium number to pay the ransom was covered by Trend Micro in 2011. Another noteworthy revelation concerned a ransomware variant that corrupts a susceptible device’s Master Boot Record (MBR), preventing the operating system from booting. Infections with ransomware were first exclusive to Russia, but they later extended to other nations in North America and Europe. By March 2012, Trend Micro has seen a steady increase in ransomware attacks in North America and Europe. Instead of the standard ransom letter, this new wave of ransomware presented a notice page (ostensibly from the victim’s local police department).

The ransomware variant known as Reveton, which poses as law enforcement organization, is notorious for displaying a notice page that appears to be from the victim’s neighborhood police department. Reveton variations keep track of the whereabouts of its victims so they may determine which local law enforcement agency is appropriate to users. By encrypting files in addition to locking a machine, CryptoLocker, a new kind of ransomware, appeared in late 2013. In exchange for a decryption key to open the locked data, crypto ransomware asks money from the afflicted customers. Analysis reveals that the virus employs asymmetric key cryptography, namely AES + RSA.

The spam campaign that caused CryptoLocker infections used spammed email with malicious attachments from the TROJ_UPATRE malware family. A new CryptoLocker variant, known as WORM_CRILOCK.A, that can spread through portable devices and does not rely on downloaded software like CRILOCK, appeared at the end of 2013. Database, web, office, video, picture, script, text, and other non-binary files can all be encrypted by CryptoDefense or CryptorBit, another sort of file-encrypting ransomware. To prevent encrypted files from being restored, it also deletes backup files and charges money to obtain the decryption key for the locked files.²

“Ransomware attacks have been on the rise, with a 148% increase in 2020 and an attack happening every 14 seconds. These cyber threats have a global impact, targeting organizations and individuals across the world. The primary motive for ransomware attacks is often economic gain, leading to significant financial losses for businesses and individuals. Ransomware can disrupt technological growth, causing downtime, data loss, and financial damage.

To mitigate and prevent ransomware, organizations and individuals must prioritize cybersecurity measures, such as regular software updates, employee training, and robust backup and recovery strategies. Collaborative efforts between public and private sectors are essential. Governments and regulatory bodies are developing or enhancing regulations to combat ransomware attacks, and compliance with these regulations is becoming more critical for organizations. Backup and recovery strategies, such as regular data backups and incident response plans, are crucial for recovering from ransomware attacks without paying the ransom. Public awareness and education are also essential in the fight against ransomware.” ³

CASE STUDIES

DHARMA 
Using a ransomware-as-a-service (RaaS) business model, the ransomware outbreak known as Dharma has been active since 2016. According to this strategy, the creators provide other criminals a license to use the ransomware or sell them the virus, who then use it to launch actual assaults. Affiliates of the Dharma don’t appear to focus on any industries, but rather cast a wide net.

CrowdStrike has determined that the original Dharma developer made the source code accessible in 2016 but then stopped their operations. Since this threat actor left, Dharma has been adopted and sold by a number of seemingly unrelated parties. Two or more of these performers were active in 2019, and at least one was still going strong in January 2020.⁹

Kaseya
The REvil organization targeted the software business Kaseya on July 2, 2021, inflicting the largest ransomware assault. The hack made Kaseya’s IT management software, causing organizations to unknowingly download a malicious update that infected their machines with ransomware. The victims’ data had been encrypted, and ransom letters informed the victims of this. The message offered to supply decryption software, enabling people to retrieve their files, for $45,000 in 00 in Bitcoin.¹⁰

Covid-19
Data leaks, appointment cancellations, and delays in COVID-19 testing were caused by a ransomware assault that struck Irish hospitals in May 2021. A weakness in a virtual private network that the Health Service Executive managed was exploited by the attackers. The cybercrime organization Wizard Spider from Russia demanded $19,999,000. To preserve records manually until the matter was addressed, the Irish prime minister refused to pay.¹¹

Ryuk
A wire transfer phishing case from mid-2020 brought to light the risk of this type of online fraud, which involves a fictitious invoice and a stolen email account. Businesses lose billions of dollars annually as a result of this kind of fraud. In this specific case, though, the bogus invoice led to a ransomware infestation rather than a fraudulent wire transfer.

An email with a malicious Microsoft Word file attachment was opened by a food and beverage manufacturer employee. The Emotet and Trickbot malware was let loose on the employee’s PC as a result of this activity. These malware infections opened a backdoor for hackers to access the company’s systems and use them to spread the Ryuk ransomware.Even though the business declined to pay the ransom, it nevertheless suffered heavy losses. More than half of the company’s systems were left inoperable for 48 hours, and the company was forced to call in security specialists to get access back.¹²

Hive 
Around 1,500 companies worldwide were the target of the Ransomware as a Service (RaaS) platform Hive in April 2022. A pass-the-hash approach was employed in the assault, which impacted users of Microsoft Exchange Server in a number of industries, including healthcare, financial services, energy, and organisations. It was already possible for the attackers to run malicious malware on the Exchange server since they had installed a backdoor web script. After obtaining the NTLM hash via Mimikatz, they took over via the pass-the-hash method. Before releasing their ransomware payload, Hive carried out reconnaissance and collected data. The Hive backend servers were taken over by the US Department of Justice, which also declared the activities to be shut down. In response to ransomware assaults, Attorney General Garland stressed the need of cybersecurity awareness.¹³

Colonial Pipeline Company
Targeted by the Darkside ransomware group on May 6, 2021, the US’s largest refined oil pipeline is the Colonial Pipeline Company. In addition to causing significant interruptions at petrol stations, the ransomware gang made millions of dollars from the attack. By taking advantage of a hacked password—possibly obtained from the dark web—the fraudsters were able to enter Colonial’s servers. The company’s billing processes were impacted by the theft of about 100 terabytes of data. Some sections of the southern US experienced petrol shortages and panicked gasoline purchases as a result of the strike, which momentarily stopped oil shipments. A state of emergency was proclaimed by the Biden government. To get through the situation, Colonial Pipeline paid a $4.4 million Bitcoin ransom. Daily living was disrupted by the ransomware’s direct impact on petrol pricing and supplies.¹⁴

1. Ransomware. (n.d.). https://www.trendmicro.com/vinfo/us/security/definition/Ransomware
2. Ransomware. (n.d.). https://www.trendmicro.com/vinfo/us/security/definition/Ransomware
3. Carrillo, M. R., & García-Teodoro, P. (2022, August 1). Ransomware: An Interdisciplinary Technical and Legal Approach. Security and Communication Networks; Hindawi Publishing Corporation. https://doi.org/10.1155/2022/2806605
4. INDIA CONST. art, 21
5. INDIA CONST. art, 21
6. Indian Penal Code1860 §463
7. Indian Penal Code1860 §465
8. Indian Penal Code1860 §468
9. 16 Ransomware Examples From Recent Attacks – CrowdStrike. (2023, April 27). crowdstrike.com.  https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-examples/
10. T. (2023, October 4). 18 Examples of Ransomware Attacks. Tessian.
11. T. (2023, October 4). 18 Examples of Ransomware Attacks. Tessian.
12. T. (2023, October 4). 18 Examples of Ransomware Attacks. Tessian.
13. 16 Ransomware Examples From Recent Attacks – CrowdStrike. (2023, April 27). crowdstrike.com. https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-examples/
14. T. (2023, October 4). 18 Examples of Ransomware Attacks. Tessian.