Nine of the most serious ransomware families in history
Ransomware is in the news again. The culprit: an attack on a company's intranet that forced it to take the network offline. As a result, the company told its employees to switch off all their computers. The attack has already hijacked several of the company's machines and demands ransoms of up to 300 dollars to release them.
The suspected culprit is Wanna Decryptor (WannaCry), the ransomware to which the infections have so far been attributed. Given the scale of the problem, it seemed a good moment to review the nine most serious ransomware families in history.
AIDS Trojan, the first ransomware
Although this type of malware has been a recurring security problem since 2005, the first of them all dates back to 1989, no less: the AIDS Trojan, created by Joseph L. Popp.
It was distributed on 20,000 infected diskettes (an enormous number for the time) sent to attendees of the World Health Organization's AIDS conferences. Its weapon was symmetric cryptography, applied only to file names rather than their contents, and because the key travelled inside the program itself, working out how to restore the names did not take long. Even so, this pioneer was the kick-off for what is now almost three decades of ransomware.
Reveton, an old acquaintance
In 2006 there was a kind of resurgence of ransomware with Archiveus, which introduced asymmetric encryption as a novelty, encrypted only the My Documents folder, and demanded purchases from certain websites as the ransom. But the first major threat, Reveton, would not arrive until 2012.
This malware appeared all over the world, infecting millions of machines while posing as a warning from each country's law enforcement agencies: yes, the so-called "Police Virus". In 2014 Avast reported that Reveton had evolved and was now also stealing users' passwords.
CryptoLocker, a classic of ransomware
September 2013 is an important month in the history of ransomware: it is when CryptoLocker appeared. It spread through downloads from compromised websites and, in the case of businesses, as an attachment to emails posing as customer complaints.
CryptoLocker infections spread rapidly thanks to the infrastructure of the GameOver Zeus botnet, which the Russian Evgeniy Bogachev used for his cybercrime operation. That botnet used a peer-to-peer (P2P) architecture rather than fixed command-and-control servers, which made it harder to take down.
CryptoLocker encrypts files with specific extensions using AES-256, then encrypts the AES-256 keys with a 2048-bit RSA public key generated on a command-and-control server; the matching private key never leaves the attackers, which is what makes recovery without paying infeasible. CryptoLocker demanded a ransom of 300 dollars or 300 euros, and threatened to delete the user's data if the amount was not paid.
CryptoWall, among the most common
Between April 2014 and the beginning of 2016 CryptoWall, born from the ashes of CryptoLocker, was among the most widely used ransomware families in the world. It took various forms during its period of greatest activity, attacking hundreds of thousands of companies and individuals; by mid-2015 it had raised $18 million in ransoms.
When CryptoWall infected a computer it encrypted files with certain extensions using a 2048-bit RSA key. Once it had encrypted the files it was after, it demanded that the user pay 500 dollars or 500 euros within 48 hours, threatening to double the amount if its demands were not met.
TeslaCrypt, an extinct CryptoWall variant
TeslaCrypt appeared in 2015 and became a persistent threat. Its creators developed four versions, which encrypted files with certain extensions using an AES-256 key that was in turn encrypted with an RSA-4096 key. During 2016 it was among the most widely used ransomware families.
TeslaCrypt was one of the most advanced of its day, with functions that let the malware persist on the victim's machine, among other things. In the end its authors handed their master decryption key to ESET, which used it to release a free decryptor.
Locky, the king of ransomware
When talking about Locky it is hard not to think of it as the king of ransomware, a title it earned in July of last year, when this CryptoLocker-style family was found to be responsible for 69% of infections delivered by spam. The malware went quiet for a while and has recently returned after that period of inactivity.
Phishing campaigns were its favourite infection method, although it is currently also spreading through the Dridex and Necurs botnets. The malware's creators want their creation back in the fight and are trying to raise the odds of compromising targets this way.
As for its attack method, Locky first encrypted certain files with an AES-128 key, which was then itself encrypted with an RSA-2048 key.
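The hybrid scheme that CryptoLocker, TeslaCrypt and Locky share (a symmetric key per file, wrapped under an RSA public key whose private half stays with the attackers), set against the AIDS Trojan's symmetric-only design with the key inside the program, as an added example that is not code from the article or from any of these families. It uses only the Python standard library and is deliberately simplified: the symmetric cipher is an HMAC-SHA256 counter-mode keystream standing in for AES, and the RSA pair is textbook RSA over two fixed, publicly known Mersenne primes with no padding, which is not secure; the names, key sizes and sample plaintext are the example's own. The point is the key management, not the primitives.

```python
"""Key management in two ransomware generations (added example, stdlib only).

Assumptions, all deliberate simplifications:
  * keystream_xor is an HMAC-SHA256 counter-mode stream cipher standing in
    for AES-CTR; it is symmetric, so the same call encrypts and decrypts.
  * The RSA pair is textbook RSA over two fixed Mersenne primes, with no
    padding. That is NOT secure; it only shows the wrap/unwrap structure.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with keystream blocks HMAC-SHA256(key, nonce || counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Textbook RSA over fixed, publicly known primes: fine for a demo, useless for
# real security (a real family generates the pair on its C2 server).
DEMO_P = (1 << 89) - 1
DEMO_Q = (1 << 107) - 1
RSA_E = 65537


@dataclass(frozen=True)
class RsaPublic:
    n: int
    e: int


@dataclass(frozen=True)
class RsaPrivate:
    n: int
    d: int


def make_rsa_keypair() -> Tuple[RsaPublic, RsaPrivate]:
    n = DEMO_P * DEMO_Q
    phi = (DEMO_P - 1) * (DEMO_Q - 1)
    return RsaPublic(n, RSA_E), RsaPrivate(n, pow(RSA_E, -1, phi))


def rsa_wrap(pub: RsaPublic, key: bytes) -> int:
    """Encrypt a short symmetric key under the public key (no padding)."""
    m = int.from_bytes(key, "big")
    if m >= pub.n:
        raise ValueError("key too long for this modulus")
    return pow(m, pub.e, pub.n)


def rsa_unwrap(priv: RsaPrivate, wrapped: int, key_len: int) -> bytes:
    """Recover the symmetric key; only the holder of d can do this."""
    return pow(wrapped, priv.d, priv.n).to_bytes(key_len, "big")


# --- Model 1: AIDS Trojan style, one symmetric key inside the program --------
EMBEDDED_KEY = b"constructed-key-inside-binary"  # ships with the malware
FIXED_NONCE = bytes(8)


def aids_style_encrypt(plaintext: bytes) -> bytes:
    return keystream_xor(EMBEDDED_KEY, FIXED_NONCE, plaintext)


def aids_style_recover(ciphertext: bytes) -> bytes:
    """Anyone who has disassembled the binary has EMBEDDED_KEY: no ransom needed."""
    return keystream_xor(EMBEDDED_KEY, FIXED_NONCE, ciphertext)


# --- Model 2: per-file key wrapped under the attackers' public key -----------
@dataclass(frozen=True)
class EncryptedFile:
    nonce: bytes
    wrapped_key: int  # the only trace of the file key left on the victim's disk
    ciphertext: bytes


def hybrid_encrypt(pub: RsaPublic, plaintext: bytes) -> EncryptedFile:
    file_key = secrets.token_bytes(16)  # fresh key for every file
    nonce = secrets.token_bytes(8)
    ciphertext = keystream_xor(file_key, nonce, plaintext)
    wrapped = rsa_wrap(pub, file_key)
    # file_key goes out of scope here; it is never written to disk.
    return EncryptedFile(nonce, wrapped, ciphertext)


def hybrid_decrypt(priv: RsaPrivate, ef: EncryptedFile) -> bytes:
    """What the attackers' decryptor does once the ransom is paid."""
    file_key = rsa_unwrap(priv, ef.wrapped_key, 16)
    return keystream_xor(file_key, ef.nonce, ef.ciphertext)


if __name__ == "__main__":
    sample = b"constructed sample document contents"
    print("AIDS-style recovery with no help from the attacker:",
          aids_style_recover(aids_style_encrypt(sample)) == sample)
    pub, priv = make_rsa_keypair()
    ef = hybrid_encrypt(pub, sample)
    print("Hybrid: victim's disk holds only the wrapped key", hex(ef.wrapped_key)[:18], "...")
    print("Hybrid recovery with the private key:", hybrid_decrypt(priv, ef) == sample)
```

Run it directly to see both round trips. The thing to notice is that EncryptedFile carries the wrapped key but never the file key, so a full disk image gives an analyst nothing to decrypt with unless the private key is obtained, which is exactly what happened when TeslaCrypt's authors handed theirs over.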
Petya, aimed at your hard drive's boot sector
This malware was among the most common ransomware threats of 2016, and it worked differently: instead of encrypting files with certain extensions, Petya installed itself in the boot sector of the infected machine's hard drive. It targeted companies rather than individual users and reportedly infected 32 million machines last year.
Its main means of spreading was email containing Dropbox links. The link supposedly pointed to an application the employee had to install to do their job. When the executable ran, the ransomware overwrote the master boot record and rebooted the system; on restart, behind a fake disk-check screen, it encrypted the drive's master file table, leaving every file unreachable even though the file contents themselves were never touched.
Jigsaw, “let’s play a game …”
The Jigsaw ransomware was a special case: it displayed the Saw character on screen alongside the ransom note for the infected machine. It also threatened to delete a file every hour until the ransom was paid, and if the victim tried to kill the process or restart the computer, it deleted 1,000 files.
Given the amount demanded (between 20 and 200 dollars) and the way it pressured the user, Bleeping Computer wondered whether this malware was a game for its creators. When a machine was infected, besides showing the character mentioned above, a 60-minute countdown to pay the ransom appeared.
CryptXXX, the evolution of Reveton?
As reported in CSO, CryptXXX could be the evolution of Reveton, since the two share similarities in the infection process. The malware was discovered by Proofpoint researchers and demands a ransom of approximately $1,000 to recover the files on the infected machine.
Bleeping Computer published an extensive list of the files it encrypted, noting that it changes their extensions. For example, a Word document called documento.doc becomes documento.doc.crypt once CryptXXX has dealt with it.