Ransomware is malware that aims to “hijack” a victim’s data and demand a payment in return for it.
Many cyberattacks around the world use this method to manipulate users. Payment for the release of the data, or even of the whole computer, is usually demanded in bitcoins, and on top of that the cybercriminals set a deadline: the affected person must pay within it or the information will be deleted with no way to recover it.
The first cases were reported in Russia; it has since spread quickly and has not been easy to eradicate, since it evolves with each attack and multiple variants manifest themselves in each victim.
Among the most widespread attacks, the ones considered most dangerous are listed below:
- CryptoLocker
CryptoLocker uses social engineering techniques so that it is the user himself who runs it. Specifically, the victim receives an email, pretending to come from a logistics company, with a password-protected ZIP attached.
When the user opens the ZIP with the password given in the email, he believes it contains a PDF file, and opening that fake PDF is what runs the Trojan. CryptoLocker takes advantage of Windows’ default policy of hiding known file extensions, so the user is tricked “thanks” to this Windows feature.
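The hidden-extension trick can be checked mechanically before an attachment is opened. The following Python is an added example, not code from the original article: it imitates how Explorer renders a file name when “Hide extensions for known file types” is on, and flags names whose real extension is executable while the displayed name looks like a document. The extension lists and the sample attachment names are constructed for the example.

```python
import os

# Extensions that execute when double-clicked on Windows (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user reads as a harmless document or picture (constructed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Constructed attachment names, as they might arrive inside the ZIP described above.
SAMPLE_ATTACHMENTS = ["invoice.pdf.exe", "report.pdf", "setup.exe", "photo.jpg.scr", "notes.txt"]


def displayed_name(filename, hide_known_extensions=True):
    """Approximate the name Explorer shows for a file.

    With the default "Hide extensions for known file types" setting, the last
    extension of a registered type is dropped, so "invoice.pdf.exe" is shown as
    "invoice.pdf". With the setting off, the full name is shown.
    """
    if not hide_known_extensions:
        return filename
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:  # treat both sets as registered types
        return stem
    return filename


def is_extension_masquerade(filename):
    """True when the real extension is executable but the displayed name ends in a
    document extension: the CryptoLocker-style "fake PDF"."""
    real_ext = os.path.splitext(filename)[1].lower()
    if real_ext not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return shown_ext in DOCUMENT_EXTS


def flag_attachments(names):
    """Return the attachment names that would look like documents but run as code."""
    return [n for n in names if is_extension_masquerade(n)]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = "MASQUERADE" if is_extension_masquerade(name) else "ok"
        print(f"shown as {displayed_name(name):<14} real name {name:<16} {verdict}")
```

On a workstation the setting itself can be switched off so the full name is always shown: the `HideFileExt` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` set to `0` makes Explorer display every extension, which removes the trick this family relies on.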
- TeslaCrypt
This Trojan is characterized by infecting computer gamers. Most TeslaCrypt infections have occurred in the United States, Germany and Spain, followed by Italy, France and the United Kingdom.
TeslaCrypt encrypts your files and demands a ransom (USD 500). Among other kinds of targeted files, it goes after typical game files: saved games, user profiles and recorded games, among others.
- SimpleLocker
SimpleLocker is a mobile Trojan that encrypts files on the SD card of affected devices.
Once it has infected the Android device, this malware scans the SD card for certain file types, encrypts them, and displays an on-screen message demanding a ransom to decrypt the files.
- Cerber
As far as is known, Cerber is run as an affiliate scheme: other cybercriminals are given access to it and allowed to distribute the virus whenever they want. The original Cerber developers take part of the profit and let the affiliates keep the rest. Care is needed, since cybercriminals mainly spread this virus via spam email, so it is best not to open any suspicious mail from unknown senders.
Security experts indicate that its operation is more or less similar to that of other threats. The first thing users see is a file named 0000-SORRY-FOR-FILES.html that appears on the desktop. Opening it in a web browser shows the instructions to follow to decrypt the information.
This is where what we might consider “new” begins. To access the payment process and obtain the unlock code, the user must install Tor Browser. The amount to be paid is 0.7 Bitcoin for one affected PC, or 3 for all affected PCs.
- WannaCry
Experts have observed that the WannaCry ransomware behaves like a worm and uses two attack tools found in the leaked arsenal of the U.S. National Security Agency (ETERNALBLUE and DOUBLEPULSAR). They have also found evidence linking the ransomware outbreak to the North Korean group Lazarus.
In 2014 this group, which uses bitcoins in its operations, wiped nearly a terabyte of data from Sony Pictures’ database. It also created a malicious “backdoor” in 2015 and was involved in the $81 million cyberattack on the Bangladesh Central Bank in 2016.
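Worm-like spread over SMB leaves a characteristic trace in connection logs: a single host opening port 445 connections to many distinct hosts within a short window. The following Python is an added example, not from the original article or any vendor tool; it runs a sliding-window fan-out check over constructed connection-log lines. The log format, addresses, window and threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed connection log (not real traffic): one line per TCP connection.

    Host 10.0.0.5 behaves like a worm, reaching 15 distinct hosts on port 445 in
    under 30 seconds; host 10.0.0.9 is a normal client talking to one file server
    and one external web site (203.0.113.10 is a documentation address).
    """
    lines = []
    base = datetime(2017, 5, 12, 10, 0, 0)
    for i in range(15):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=10.0.0.{11 + i} dport=445 proto=tcp")
    for i in range(5):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp")
    lines.append(f"{base.isoformat()} src=10.0.0.9 dst=203.0.113.10 dport=443 proto=tcp")
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp becomes a datetime."""
    ts_str, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {"ts": datetime.fromisoformat(ts_str), "src": kv["src"],
            "dst": kv["dst"], "dport": int(kv["dport"])}


def find_smb_fanout(lines, window_seconds=60, min_targets=10, port=445):
    """Return {src: distinct_targets} for every source that attempted connections to
    at least `min_targets` distinct hosts on `port` inside some `window_seconds` window."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["dport"] == port:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological order for the sliding window
        left, best = 0, 0
        for right in range(len(events)):
            # shrink the window from the left until it spans at most window_seconds
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG).items():
        print(f"possible SMB worm activity: {src} reached {n} hosts on 445/tcp within 60s")
```

The same sliding-window count works for any port a worm scans; the threshold should be tuned against the site’s normal fan-out (backup servers and vulnerability scanners legitimately touch many hosts on 445 and need an allow-list).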
- Petya and NotPetya
This ransomware works very differently from other ransomware: unlike traditional ransomware, it does not encrypt the files on a target system one by one.
Instead, NotPetya reboots the victims’ computers and encrypts the hard disk’s master file table (MFT), which holds the file names, sizes and locations on the physical disk, rendering the master boot record (MBR) unusable and blocking access to the entire system.
NotPetya replaces the computer’s MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot. This ransomware family uses a strong encryption algorithm.
- Bad Rabbit
Companies specializing in cybersecurity solutions point out that the attack spreads through a fake Adobe Flash update. It then proceeds in the same way as its predecessors Petya and WannaCry: a message on screen warns users that their computer is infected and that they must pay up to $281 (0.05 bitcoins) for the computer or the encrypted data to be recovered. A countdown timer warns that once that period has elapsed, the ransom price will increase.
- Ryuk
Unlike common ransomware, distributed via massive spam campaigns, Ryuk is used exclusively for targeted attacks. In fact, its encryption scheme is intentionally designed for small-scale operations, so it only infects crucial resources of each target network, and its distribution is carried out manually by the attackers.
This means extensive network mapping, hacking and credential collection are required before each operation. Its alleged attribution to the Lazarus Group may imply that the attackers already have a lot of experience in such operations, as demonstrated in the 2014 cyberattack on Sony Pictures.
- GandCrab 5.0.4
GandCrab 5.0.4 is a ransomware first seen in early October 2018, a variant of the infamous GandCrab virus. After infiltration, it encrypts data using the RSA and Salsa20 encryption algorithms, appends a random extension (for example, .GHMFJ) to each affected personal file and drops a payment note. The note is fetched from a C2 server controlled by the hackers, to make sure the victims know what has happened and what they should do next. To regain access to their personal data, users are asked to pay in Bitcoin or Dash and then contact the hackers via the email address provided. GandCrab 5.0.4 also replaces the desktop wallpaper with one that looks like a short pay note. This variant of the virus is spread with the help of the Fallout exploit kit, as well as various other distribution methods.
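The random-extension behaviour described for GandCrab is visible in file-system telemetry as one process renaming many personal documents to the same unrecognised extension in bulk. The following Python is an added example, not from the original article: it runs that heuristic over constructed rename events, using the .GHMFJ extension mentioned above as the appended suffix. The allow-lists, paths, process names and threshold are assumptions for the example.

```python
import os
from collections import Counter, defaultdict

# Extensions a workstation legitimately writes (constructed allow-list, not exhaustive).
KNOWN_EXTS = {".pdf", ".docx", ".xlsx", ".jpg", ".png", ".txt", ".zip", ".tmp", ".bak", ".log"}
# Extensions of the personal files ransomware typically goes after (constructed).
USER_DOC_EXTS = {".pdf", ".docx", ".xlsx", ".jpg", ".png", ".txt"}


def build_sample_events():
    """Constructed file-rename events as (process, old_path, new_path). Not real telemetry.

    'unknown.exe' appends the random extension .GHMFJ to twelve documents; the other
    processes rename files for ordinary reasons (editing, backup, Word temp files).
    """
    events = [
        ("explorer.exe", r"C:\Users\ana\Desktop\draft.txt", r"C:\Users\ana\Desktop\draft-final.txt"),
        ("backup.exe", r"C:\Users\ana\Documents\q3.xlsx", r"C:\Users\ana\Documents\q3.xlsx.bak"),
        ("winword.exe", r"C:\Users\ana\Documents\~WRL0001.tmp", r"C:\Users\ana\Documents\memo.docx"),
    ]
    docs = [f"photo{i}.jpg" for i in range(6)] + [f"report{i}.docx" for i in range(6)]
    for name in docs:
        path = r"C:\Users\ana\Documents" + "\\" + name
        events.append(("unknown.exe", path, path + ".GHMFJ"))
    return events


SAMPLE_EVENTS = build_sample_events()


def rename_burst_alerts(events, min_files=10):
    """Flag processes that renamed at least `min_files` personal documents to one
    extension outside the allow-list, the pattern a random-extension ransomware
    produces. Returns {process: (extension, count)}."""
    per_proc = defaultdict(Counter)
    for proc, old_path, new_path in events:
        old_ext = os.path.splitext(old_path)[1].lower()
        new_ext = os.path.splitext(new_path)[1]
        if old_ext not in USER_DOC_EXTS:
            continue  # only count renames that touch personal documents
        if not new_ext or new_ext.lower() in KNOWN_EXTS:
            continue  # ordinary renames end in a recognised extension
        per_proc[proc][new_ext] += 1

    alerts = {}
    for proc, counter in per_proc.items():
        ext, n = counter.most_common(1)[0]  # the extension this process used most
        if n >= min_files:
            alerts[proc] = (ext, n)
    return alerts


if __name__ == "__main__":
    for proc, (ext, n) in rename_burst_alerts(SAMPLE_EVENTS).items():
        print(f"possible ransomware: {proc} renamed {n} documents to {ext}")
```

Because the check keys on the original extension and the unfamiliar new one rather than on a fixed suffix, it also catches families that replace the extension instead of appending one; a low threshold combined with a very short time window is what keeps the alert early enough to matter.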