Friday, 12 June 2020

Most Dangerous Ransomware in the World | Of All Time

What is ransomware?

Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent by postal mail. Today, ransomware authors demand that payment be sent via cryptocurrency or credit card.

How does a computer become infected with Ransomware?

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloads. A drive-by download occurs when a user unknowingly visits a compromised website and malware is downloaded and installed without the user's knowledge.

Crypto-ransomware, the variants that encrypt files, spreads through the same methods and has also been spread through social media, such as web-based instant messaging applications. Additionally, newer infection methods have been observed: for example, vulnerable web servers have been exploited as an entry point into an organization's network.

Some examples of the most dangerous ransomware families are listed below.

1. WannaCry

WannaCry is a ransomware worm that spread rapidly across a large number of computer networks in May 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them inaccessible to the user, then demands a ransom payment in bitcoin to decrypt them.

A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain's National Health Service; it spread by itself using EternalBlue, an exploit for a Windows SMBv1 vulnerability that Microsoft had already patched as MS17-010 in March 2017 and that is widely believed to have been developed by the United States National Security Agency before being leaked by the Shadow Brokers; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government. Hosts that were unpatched two months after the fix was released, with SMB reachable from the network, were what allowed it to spread as far as it did.

2. Bad Rabbit

Bad Rabbit first appeared in October 2017, targeting organizations in Russia, Ukraine and the U.S. with an attack that is essentially a new and improved NotPetya. Ukrainian authorities attributed Bad Rabbit to BlackEnergy, the threat group they also believe was behind NotPetya, and many security experts believe that group operates in the interest of, and under the direction of, the Russian government. The attack did not last long, suggesting that the operators shut it down themselves.

The attack started via files served from compromised Russian media websites, using the common social engineering trick of posing as an Adobe Flash installer. The ransomware demands a payment of 0.05 bitcoin (about $275 at the time), giving victims 40 hours to pay before the ransom increases.

3. TeslaCrypt

TeslaCrypt is a type of ransomware first detected in February 2015. It originally affected computer gamers, since it mostly encrypted game-related files such as saves, custom maps, recorded gameplay and player profiles. Later versions, however, targeted a much wider range of file types, including JPEG images and Word and PDF documents.

TeslaCrypt encrypts the user's files and displays a message demanding a $500 ransom in bitcoin for the key needed to decrypt them. Its behaviour is very similar to CryptoLocker's, since both are file-encrypting ransomware, but the two were developed independently and do not share code.

In May 2016, the creators of TeslaCrypt released the master decryption key to the public, shutting down their ransom business; a free decryptor built on that key is available. However, copies of the malware still circulate on the internet.

4. Cerber

Cerber is ransomware-as-a-service (RaaS): the developer licenses Cerber to attackers over the internet and splits the ransom with them. In exchange for a 40% cut of the ransom paid to the developer, anyone can sign up as a Cerber affiliate and distribute as much Cerber as they like. Most ransomware at the time did not use this service model; typically an attacker would adapt and deliver the ransomware themselves and keep all of the money. By setting Cerber up as RaaS, the developer and the affiliates can mount more attacks with less work each.

Cerber is an example of evolved ransomware technology. The author offloads the work of finding targets and infecting systems to a partner in exchange for a cut of the profit; the partner gets a highly functional piece of software they are free to distribute, and bitcoin keeps the payments pseudonymous and difficult to trace.

5. Peet

Peet is malicious software classified as ransomware and is a member of the Djvu (also known as STOP/Djvu) family. Like most programs of this type, Peet encrypts victims' files and keeps them inaccessible unless they are recovered with decryption software and a key, which victims are required to buy from the cybercriminals behind Peet. Peet appends the ".peet" extension to the filename of each encrypted file, so "1.jpg" becomes "1.jpg.peet". Instructions on how to decrypt files and pay the ransom are provided in a "_readme.txt" text file, which is dropped in every folder that contains encrypted data.

Peet encrypts all files (photos, databases, documents, and so on) with a strong encryption algorithm. The "_readme.txt" ransom note states that the only way to recover the files is with a decryption tool and unique key purchased from Peet's developers. The regular price is $980, but victims who make contact within 72 hours of encryption are supposedly offered a 50% discount (reducing it to $490). One caveat worth knowing: Djvu variants fall back to a hard-coded offline key when they cannot reach their server, and files encrypted with that offline key can often be recovered with Emsisoft's free STOP/Djvu decryptor; files encrypted with a per-victim online key cannot be decrypted without the criminals' private key.


6. Simplelocker

SimpleLocker is a ransomware infection of Android devices. Like other ransomware, it is used to take over a device, encrypt the victim's files and demand payment of a ransom in exchange for access to the encrypted files. SimpleLocker changes the extensions of encrypted files and drops text files containing instructions on how to pay the ransom.

SimpleLocker, also detected as Andr/Slocker-A, is a Tor-enabled mobile ransomware that targets Android and spreads through a trojan downloader masquerading as a legitimate application. Once installed, it scans the device's storage for various file types and encrypts them with AES, changing their extensions to .enc. It also collects information such as the IMEI number, device model and manufacturer and sends it to a command-and-control (C2) server. Newer versions access the device camera and display a picture of the victim to frighten them into paying the ransom.

Files encrypted by SimpleLocker cannot be recovered without the decryption key, which is why users should always keep backups of their files so that they can restore them. Early variants used an AES key hard-coded in the app, which is why a free decryptor was possible for them; later variants moved to a per-device key. Payment of the SimpleLocker ransom is usually carried out using Tor and bitcoin for anonymity.
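The Peet and SimpleLocker descriptions above both come down to the same on-disk indicators: a known extension appended to every encrypted file and a ransom note dropped where the damage is. As an added example (not code from the original page and not from any of the malware's authors), the following Python script turns those indicators into a triage scan that a responder could run on a mounted volume: it walks a directory tree, lists ransom notes, lists files carrying a known appended extension, and checks whether each such file actually looks encrypted by measuring its byte entropy. The extension and note names come from the text; the sample directory tree, the 7.5 bits-per-byte threshold and the function names are assumptions made for this demonstration.

```python
"""Triage scan for Djvu/Peet- and SimpleLocker-style artifacts (added example)."""
import math
import os
import tempfile
from collections import Counter

# Indicators taken from the text: Peet appends ".peet" and drops "_readme.txt"
# in every folder it encrypts; SimpleLocker renames encrypted files to ".enc".
RANSOM_EXTENSIONS = {".peet", ".enc"}
RANSOM_NOTE_NAMES = {"_readme.txt"}
ENTROPY_THRESHOLD = 7.5   # assumption: well-encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_bytes: int = 65536) -> dict:
    """Report ransom notes, suspicious files and affected folders under root.

    Only the first sample_bytes of each candidate are read, so the scan stays
    cheap on large volumes; an encrypted file is high-entropy from byte zero.
    """
    notes, suspicious, affected = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                notes.append(path)
                affected.add(dirpath)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                ent = shannon_entropy(head)
                suspicious.append({"path": path, "entropy": round(ent, 2),
                                   "looks_encrypted": ent >= ENTROPY_THRESHOLD})
                affected.add(dirpath)
    return {"notes": notes, "suspicious": suspicious,
            "affected_folders": sorted(affected)}


def build_sample_tree() -> str:
    """Construct a throwaway tree that mimics a Peet infection (sample data only)."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # "1.jpg" -> "1.jpg.peet": random bytes stand in for the ciphertext
    with open(os.path.join(docs, "1.jpg.peet"), "wb") as fh:
        fh.write(os.urandom(4096))
    # a renamed file whose body is still plaintext: flagged by name, not by entropy
    with open(os.path.join(docs, "notes.txt.peet"), "wb") as fh:
        fh.write(b"hello hello hello " * 200)
    # an untouched file outside the encrypted folder
    with open(os.path.join(root, "readme.md"), "wb") as fh:
        fh.write(b"# project\n")
    # the note Peet leaves in each encrypted folder (wording paraphrased)
    with open(os.path.join(docs, "_readme.txt"), "w") as fh:
        fh.write("ATTENTION! Your files are encrypted. Price is $980 ...\n")
    return root


if __name__ == "__main__":
    for key, value in scan_tree(build_sample_tree()).items():
        print(key, value)
```

The entropy check matters in practice: a file that merely carries the extension but is still readable (an interrupted run, or a decoy) gets reported with `looks_encrypted` set to false, so the affected-folder list tells you where the note landed while the per-file flags tell you what actually needs restoring from backup.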

7. LockerGoga

LockerGoga was used in targeted attacks on industrial and manufacturing companies in early 2019, most publicly against Norsk Hydro. The LockerGoga binary does not use any security evasion or obfuscation; it goes only as far as encoding the RSA public key that is used in its later stages for file encryption. One may speculate that the attackers were already fully aware of the target companies' security measures and were therefore confident that their malware would not be intercepted even without obfuscation.

Another interesting fact is that the malware uses the open-source Boost libraries for its filesystem access and inter-process communication, and Crypto++ (Cryptopp) for file encryption. One advantage of using these libraries is easier development, since the developers only need to call wrapper functions instead of individual native APIs to achieve the same goal.

Because the code works at a higher level of abstraction, statically and dynamically analysing the binary without source code is more complicated than reading a straight sequence of Windows API calls. However, since Boost and Crypto++ are not standard system libraries, they must be statically linked and their functions physically included in the final binary, which results in a larger file size than usual.
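The design point in the LockerGoga description above, that the binary needs to carry only an RSA public key, is the standard hybrid scheme behind every crypto-ransomware on this page, and it is the reason the SimpleLocker section can state that files cannot be recovered without the attacker's key. As an added example (not LockerGoga's own code, and not Crypto++), the following Python models that scheme end to end: each file gets a fresh random symmetric key, the file is encrypted with it, and the file key is wrapped under the public key that ships in the binary, so only the holder of the private key can unwrap it. The primitives are deliberately toy stand-ins and labelled as such: textbook RSA with 512-bit keys and no OAEP padding in place of Crypto++'s RSA, and a SHA-256 counter-mode keystream in place of AES; the function names and the sample document are assumptions for the demonstration.

```python
"""Hybrid file encryption with an embedded RSA public key (added example)."""
import hashlib
import os
import random
from math import gcd

_rng = random.SystemRandom()   # OS entropy for the demo key generation


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (demo quality, not a production routine)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). The binary embeds (n, e); the attacker keeps d."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for AES: XOR data with SHA-256(key||nonce||counter)
    blocks. Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(plaintext: bytes, public_key) -> dict:
    """Malware side: fresh 256-bit file key, encrypt, wrap the key under (n, e)."""
    n, e = public_key
    file_key, nonce = os.urandom(32), os.urandom(16)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # textbook RSA; m < n holds
    return {"nonce": nonce, "wrapped_key": wrapped,
            "ciphertext": keystream_xor(file_key, nonce, plaintext)}


def decrypt_file(blob: dict, private_key) -> bytes:
    """Attacker side: only d recovers the file key, and only then the file."""
    n, d = private_key
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(32, "big")
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


def demo() -> bool:
    """Round-trip a constructed document; True if the scheme behaves as described."""
    public_key, private_key = generate_rsa_keypair()
    document = b"constructed sample document, not real victim data\n" * 10
    blob = encrypt_file(document, public_key)
    # The victim's disk holds blob plus (n, e) from the binary. Without d,
    # recovering file_key means breaking RSA, which is the extortion lever.
    return blob["ciphertext"] != document and decrypt_file(blob, private_key) == document


if __name__ == "__main__":
    print("round trip ok:", demo())
```

Two consequences for defenders follow directly from the model. Carving the public key out of the binary, as LockerGoga makes easy by leaving it unobfuscated, identifies the campaign but does not help decrypt anything. Recovery without paying depends on the operator getting the scheme wrong, as happened with the hard-coded key in early SimpleLocker and the offline-key fallback in Djvu, or on the private key being released, as TeslaCrypt's was.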

Final Words

Today's ransomware threats can inflict damage that goes well beyond extortion. With so much at stake, organizations must adopt a proactive rather than a reactive mentality. Coupled with thorough business continuity planning, including offline backups that are regularly tested for restore, a security strategy that emphasizes prevention (prompt patching, as WannaCry showed) and early detection is the way forward in ransomware protection. If recent history has taught us anything, it is that waiting for ransomware to strike can lead to irreparable damage.

Free Decryptors for some Ransomware