After the shift to crypto-ransomware, the extortion malware has continued to evolve, adding features such as countdown timers, ransom amounts that increase over time, and infection routines that enable it to spread across networks and servers. The latest developments show how threat actors are experimenting with new features, such as offering alternative payment platforms to make ransom payments easier, routines that threaten to cause potentially crippling damage to non-paying victims, or new distribution methods.
Some of the most notable crypto-ransomware families seen in 2016:
LOCKY (RANSOM_LOCKY.A) – Discovered in February 2016, Locky was notable for its distribution methods: it was first seen arriving as a macro in a Word document, and was later spotted being spread via Adobe Flash and Windows kernel exploits. One of the most actively updated ransomware families, Locky is known for deleting shadow copies of files to make local backups useless, and is notorious for being used in multiple high-profile attacks on healthcare facilities.
PETYA (RANSOM_PETYA.D) – First seen in March 2016, PETYA overwrites the affected system’s master boot record (MBR), and is known to be delivered through legitimate cloud storage services such as Dropbox.
CERBER (RANSOM_CERBER.A) – When it was first seen in early March 2016, CERBER was notable for having a ‘voice’ feature that reads out the ransom message. CERBER was also found to have a customizable configuration file that allows distributors to modify its components—a feature common for malware that’s being sold in underground markets. CERBER is also notorious for being used in an attack that potentially exposed millions of Microsoft Office 365 users to the infection.
SAMSAM (RANSOM_CRYPSAM.B) – Discovered in March 2016, SAMSAM is installed after the attackers exploit vulnerabilities on unpatched servers—instead of the usual malicious URLs and spam emails—and uses these servers to compromise other machines.
JIGSAW (RANSOM_JIGSAW.I) – The first JIGSAW variant, seen in April 2016, mixed effective scare tactics with an innovative routine. Featuring imagery from the Saw movie franchise, Jigsaw’s ransom note displays a countdown timer to pressure its victims into paying—with a promise to increase the ransom amount and delete portions of the encrypted files every time the timer runs out. Recent Jigsaw variants also feature a chat support function that allows victims to contact the cybercriminal.
• Avoid opening unverified emails or clicking links embedded in them.
• Back up important files using the 3-2-1 rule—create 3 backup copies on 2 different media with 1 backup in a separate location.
• Regularly update software, programs, and applications to protect against the latest vulnerabilities.