New ransomware virus treatment. Kaspersky Lab about the WannaCry ransomware. How to stop the spread of a virus online


For decades, cybercriminals have successfully exploited flaws and vulnerabilities on the World Wide Web. In recent years, however, there has been a clear increase in the number of attacks as well as in their severity: attackers are becoming more dangerous, and malware is spreading at a rate never seen before.

Introduction

We're talking about ransomware, which took an incredible leap in 2017, causing damage to thousands of organizations around the world. For example, in Australia, ransomware attacks such as WannaCry and NotPetya even caused concern at the government level.

Summing up the “successes” of ransomware malware this year, we will look at the 10 most dangerous ones that caused the greatest damage to organizations. Let's hope that next year we will learn our lessons and prevent this type of problem from entering our networks.

NotPetya

The attack of this ransomware began with the Ukrainian accounting program M.E.Doc, which had replaced 1C after 1C was banned in Ukraine. In just a few days, NotPetya infected hundreds of thousands of computers in more than 100 countries. This malware is a variant of the older Petya ransomware; the only difference is that the NotPetya attacks used the same exploit as the WannaCry attacks.

As NotPetya spread, it affected several organizations in Australia, such as the Cadbury chocolate factory in Tasmania, which had to temporarily shut down its entire IT system. The ransomware also managed to infiltrate the world's largest container ship, owned by Maersk, which reportedly lost up to $300 million in revenue.

WannaCry

This ransomware, terrible in its scale, practically took over the entire world. Its attacks used the infamous EternalBlue exploit, which targets a vulnerability in Microsoft's Server Message Block (SMB) protocol.

WannaCry infected victims in 150 countries and more than 200,000 machines on the first day alone. We have already published about this sensational malware.

Locky

Locky was the most popular ransomware in 2016, but continued to operate in 2017. New variants of Locky, dubbed Diablo and Lukitus, emerged this year using the same attack vector (phishing) to launch exploits.

Locky was behind the email fraud scandal at Australia Post. According to the Australian Competition and Consumer Commission, citizens lost more than $80,000 to this scam.

CrySis

This instance was distinguished by its masterful use of the Remote Desktop Protocol (RDP). RDP is one of the most popular methods for distributing ransomware because it allows cybercriminals to compromise machines that control entire organizations.

CrySis victims were forced to pay between $455 and $1,022 to recover their files.

Nemucod

Nemucod is distributed using a phishing email that looks like an invoice for transportation services. This ransomware downloads malicious files stored on hacked websites.

In terms of the use of phishing emails, Nemucod is second only to Locky.

Jaff

Jaff is similar to Locky and uses similar techniques. This ransomware is not notable for its original methods of spreading or encrypting files, but on the contrary, it combines the most successful practices.

The attackers behind it demanded up to $3,700 for access to encrypted files.

Spora

To spread this type of ransomware, cybercriminals hack legitimate websites and add JavaScript code to them. Users who land on such a site see a pop-up warning prompting them to update the Chrome browser in order to continue browsing the site. After downloading the so-called Chrome Font Pack, users became infected with Spora.

Cerber

One of the many attack vectors that Cerber uses is called RaaS (Ransomware-as-a-Service). According to this scheme, attackers offer to pay for the distribution of the Trojan, promising a percentage of the money received. Thanks to this “service,” cybercriminals send out ransomware and then provide other attackers with the tools to distribute it.

Cryptomix

This is one of the few ransomware that does not have a specific type of payment portal available within the dark web. Affected users must wait for the cybercriminals to email them instructions.

Users from 29 countries were victims of Cryptomix; they were forced to pay up to $3,000.

Jigsaw

Another piece of malware on the list that began its activity in 2016. Jigsaw inserts an image of the clown from the Saw film series into spam emails. As soon as the user clicks on the image, the ransomware not only encrypts the files but also deletes them if the user is too late in paying the $150 ransom.

Conclusions

As we see, modern threats are using increasingly sophisticated exploits against well-protected networks. While increased awareness among employees can help manage the impact of infections, businesses need to go beyond basic cybersecurity standards to protect themselves. Defending against today's threats requires proactive approaches that leverage real-time analytics powered by a learning engine that includes understanding threat behavior and context.

Kaspersky Lab about the WannaCry ransomware

Kaspersky Lab specialists analyzed information about infections with a ransomware program called “WannaCry” that companies around the world encountered on May 12

Kaspersky Lab specialists analyzed information about infections with a ransomware program called “WannaCry” that companies around the world encountered on May 12. As the analysis showed, the attack occurred through the well-known network vulnerability Microsoft Security Bulletin MS17-010. Then a rootkit was installed on the infected system, using which the attackers launched an encryption program.

All Kaspersky Lab solutions detect the malware used in this attack with the following verdicts:

  • Trojan-Ransom.Win32.Scatter.uf
  • Trojan-Ransom.Win32.Scatter.tr
  • Trojan-Ransom.Win32.Fury.fr
  • Trojan-Ransom.Win32.Gen.djd
  • Trojan-Ransom.Win32.Wanna.b
  • Trojan-Ransom.Win32.Wanna.c
  • Trojan-Ransom.Win32.Wanna.d
  • Trojan-Ransom.Win32.Wanna.f
  • Trojan-Ransom.Win32.Zapchast.i
  • Trojan.Win64.EquationDrug.gen
  • Trojan.Win32.Generic (to detect this malware, the System Monitoring component must be enabled)

To decrypt the data, the attackers demand a ransom of $600 in Bitcoin cryptocurrency. At the moment, Kaspersky Lab has recorded about 45,000 attack attempts in 74 countries around the world. The largest number of infection attempts has been observed in Russia.

If your files are encrypted, you should absolutely not use decryption tools offered on the Internet or received in emails. The files are encrypted with a strong encryption algorithm and cannot be decrypted, and the utilities you download can cause even more harm to both your computer and computers throughout the organization, since they are potentially malicious and may be intended to start a new wave of the epidemic.

If you discover that your computer has been infected, you should turn it off and contact the information security department for further instructions.

  • Install the official patch from Microsoft, which closes the vulnerability used in the attack (in particular, updates are already available for Windows XP and Windows 2003);
  • Make sure that security solutions are enabled on all network nodes;
  • If you are using a Kaspersky Lab security solution, make sure that its version includes the “System Monitoring” component and it is enabled;
  • Run the task of scanning critical areas in the Kaspersky Lab security solution to detect possible infection as early as possible (otherwise detection will occur automatically within 24 hours);
  • After detecting Trojan.Win64.EquationDrug.gen, reboot the system;
  • In the future, to prevent such incidents, use threat reporting services to promptly receive data on the most dangerous targeted attacks and possible infections.

More detailed information about the “WannaCry” attacks can be found in the Kaspersky Lab report.

Modern technologies allow hackers to constantly improve their methods of defrauding ordinary users. As a rule, malicious software that penetrates the computer is used for these purposes. Encryption viruses are considered especially dangerous. The threat is that the virus spreads very quickly, encrypting files (the user simply cannot open a single document). And while infecting a machine is quite simple, decrypting the data afterwards is much more difficult.

What to do if a virus has encrypted files on your computer

Anyone can be attacked by ransomware; even users who have powerful anti-virus software are not immune. File-encrypting Trojans come in many code variants, some of which may be beyond the capabilities of an antivirus. Hackers even manage to attack large companies in the same way when those companies have not taken care of the necessary protection of their information. So, having picked up a ransomware program online, you need to take a number of measures.

The main signs of infection are slow computer operation and changes in document names (can be seen on the desktop).

  1. Restart your computer to stop encryption. When turning on, do not confirm the launch of unknown programs.
  2. Run your antivirus if it has not been attacked by ransomware.
  3. In some cases, shadow copies will help to restore information. To find them, open the “Properties” of the encrypted document. This method works with data encrypted by the Vault ransomware (the .vault extension), about which there is information on the portal.
  4. Download the latest version of a utility for combating ransomware viruses. The most effective ones are offered by Kaspersky Lab.

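Step 3 above checks for shadow copies by hand through the “Properties” dialog. The following PowerShell script, added here as an example and not part of the original article, does the same check for the volume that holds an encrypted file, lists the snapshots that survive, mounts the newest one as a read-only folder and looks for the pre-encryption copy. The file path and the `.xtbl` suffix are constructed placeholders; run it in an elevated session.

```powershell
# Added example (not from the original article): list Volume Shadow Copies
# for the volume holding an encrypted file and look for a previous version.
# $EncryptedFile is a constructed placeholder; run as Administrator.
param([string]$EncryptedFile = 'C:\Users\Public\Documents\report.docx.xtbl')

$driveLetter = [System.IO.Path]::GetPathRoot($EncryptedFile).TrimEnd('\')   # e.g. "C:"
$volume = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $driveLetter }
if (-not $volume) { throw "Volume for $driveLetter not found" }

# Win32_ShadowCopy.VolumeName is the volume GUID path (\\?\Volume{...}\),
# which matches Win32_Volume.DeviceID for the same volume.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies remain for $driveLetter - the ransomware may have deleted them."
    return
}

$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Expose the newest snapshot as a folder via a directory symlink so it can be
# browsed and copied from like any other path. mklink needs the trailing backslash.
$newest = $shadows[0]
$mount = 'C:\shadow_restore'
if (-not (Test-Path $mount)) {
    cmd /c mklink /d $mount "$($newest.DeviceObject)\" | Out-Null
}

# The pre-encryption name is the encrypted path minus the appended extension
# (here ".xtbl"); adjust this for the variant you are dealing with.
$relative  = $EncryptedFile.Substring($driveLetter.Length + 1)
$original  = [System.IO.Path]::ChangeExtension($relative, $null)   # strips ".xtbl"
$candidate = Join-Path $mount $original
if (Test-Path $candidate) {
    Write-Host "Previous version found: $candidate (copy it out before cleaning the system)"
} else {
    Write-Host "No copy of $original in snapshot $($newest.ID)"
}
```

When finished, remove the link with `cmd /c rmdir C:\shadow_restore`; this deletes only the link, not the snapshot.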
Ransomware viruses in 2016: examples

When fighting any virus attack, it is important to understand that the code changes very often, and antivirus protection has to catch up with each new version. Of course, security programs need some time until the developer updates the databases. We have selected the most dangerous encryption viruses of recent times.

Ishtar Ransomware

Ishtar is a ransomware that extorts money from the user. The virus was noticed in the fall of 2016, infecting a huge number of computers belonging to users from Russia and a number of other countries. It is distributed via email messages that carry attachments (installers, documents, etc.). Files encrypted by the Ishtar encryptor are given the prefix “ISHTAR” in their names. The process creates a text document that indicates where to go to obtain the password. The attackers demand from 3,000 to 15,000 rubles for it.

The danger of the Ishtar virus is that today there is no decryptor that would help users. Antivirus software companies need time to analyze all of the code. For now you can only copy important information (if it is of particular value) to a separate medium and wait for the release of a utility capable of decrypting the documents. It is recommended to reinstall the operating system.

Neitrino

The Neitrino encryptor appeared on the Internet in 2015. The attack principle is similar to other viruses of this category. It changes the names of folders and files by adding "Neitrino" or "Neutrino". The virus is difficult to decrypt; not all antivirus companies undertake this, citing very complex code. Some users may benefit from restoring a shadow copy. To do this, right-click on the encrypted document, go to “Properties”, open the “Previous Versions” tab and click “Restore”. It would also be a good idea to use a free utility from Kaspersky Lab.

Wallet or .wallet

The Wallet encryption virus appeared at the end of 2016. During the infection process, it changes the names of files to “Name..wallet” or something similar. Like most ransomware viruses, it enters the system through attachments in emails sent by attackers. Since the threat appeared very recently, antivirus programs do not notice it. After encryption, it creates a document in which the fraudster indicates the email address for communication. Currently, antivirus software developers are working to decipher the code of the ransomware virus [email protected]. Users who have been attacked can only wait. If the data is important, it is recommended to save it to external storage and clean the system.

Enigma

The Enigma ransomware virus began infecting the computers of Russian users at the end of April 2016. It uses the AES-RSA encryption model, which is found in most ransomware viruses today. The virus penetrates the computer using a script that the user runs by opening files from a suspicious email. There is still no universal means to combat the Enigma ransomware. Users with an antivirus license can ask for help on the developer's official website. A small “loophole” was also found: Windows UAC. If the user clicks “No” in the window that appears during the infection process, they will subsequently be able to restore information using shadow copies.

Granit

A new ransomware virus, Granit, appeared on the Internet in the fall of 2016. Infection occurs according to the following scenario: the user launches the installer, which infects and encrypts all data on the PC as well as on connected drives. Fighting the virus is difficult. To remove it you can use special utilities from Kaspersky, but the code has not yet been decrypted. Restoring previous versions of the data may help. A specialist with extensive experience can also help, but the service is expensive.

Tyson

Tyson was spotted recently. It is an extension of the already known ransomware no_more_ransom, which you can learn about on our website. It reaches personal computers via email. Many corporate PCs have been attacked. The virus creates a text document with instructions for unlocking, offering to pay a “ransom”. The Tyson ransomware appeared recently, so there is no unlocking key yet. The only way to recover information is to restore previous versions, if they have not been deleted by the virus. You can, of course, take the risk of transferring money to the account specified by the attackers, but there is no guarantee that you will receive the password.

Spora

At the beginning of 2017, a number of users became victims of the new Spora ransomware. In terms of its operating principle it is not very different from its counterparts, but it boasts a more professional design: the instructions for obtaining a password are better written, and the website looks more polished. The Spora ransomware virus was written in C and uses a combination of RSA and AES to encrypt the victim’s data. As a rule, computers on which the 1C accounting program was actively used were attacked. The virus, disguised as a simple invoice in .pdf format, induces company employees to launch it. No treatment has been found yet.

1C.Drop.1

This 1C encryption virus appeared in the summer of 2016, disrupting the work of many accounting departments. It was designed specifically for computers that use 1C software. Once on the PC via a file in an email, it prompts the owner to update the program. Whichever button the user presses, the virus begins encrypting files. Dr.Web specialists are working on decryption tools, but no solution has been found yet. This is due to the complex code, which may have several modifications. The only protection against 1C.Drop.1 is user vigilance and regular archiving of important documents.

da_vinci_code

A new ransomware with an unusual name. The virus appeared in the spring of 2016. It differs from its predecessors in its improved code and strong encryption mode. da_vinci_code infects the computer through an executable application (usually attached to an email) that the user launches themselves. da_vinci_code copies its body to the system directory and the registry, ensuring automatic launch when Windows starts. Each victim's computer is assigned a unique ID (used when obtaining a password). It is almost impossible to decrypt the data. You can pay money to the attackers, but no one guarantees that you will receive the password.

[email protected] / [email protected]

Two email addresses that often accompanied ransomware viruses in 2016. They serve to connect the victim with the attacker. These addresses were attached to the most varied types of viruses: da_vinci_code, no_more_ransom and so on. It is highly recommended not to contact the scammers or transfer money to them. In most cases users are left without passwords, and paying only shows the attackers that their ransomware works and generates income.

Breaking Bad

It appeared at the beginning of 2015, but actively spread only a year later. The infection principle is identical to other ransomware: installing a file from an email, then encrypting data. Conventional antivirus programs, as a rule, do not notice the Breaking Bad virus. Some variants cannot bypass Windows UAC, leaving the user with the option to restore previous versions of documents. No company developing anti-virus software has yet presented a decryptor.

XTBL

A very common ransomware that has caused trouble for many users. Once on the PC, the virus changes file extensions to .xtbl in a matter of minutes. A document is created in which the attacker extorts cash. Some varieties of the XTBL virus fail to destroy the files needed to restore the system, which allows you to get important documents back. The virus itself can be removed by many programs, but decrypting the documents is very difficult. If you own a licensed antivirus, contact technical support and attach samples of the infected data.

Kukaracha

The Kukaracha ransomware was discovered in December 2016. The virus with the curious name encrypts user files using the RSA-2048 algorithm, which is highly resistant to attack. Kaspersky antivirus labeled it as Trojan-Ransom.Win32.Scatter.lb. Kukaracha can be removed from the computer so that other documents are not infected. However, files that are already encrypted are currently almost impossible to decrypt (a very strong algorithm).

How does a ransomware virus work?

There are a huge number of ransomware, but they all work on a similar principle.

  1. Getting onto the personal computer. Typically this happens through a file attached to an email; the installation is initiated by the user, who opens the document.
  2. File infection. Almost all types of files are encrypted (depending on the virus). A text document is created that contains contacts for communicating with the attackers.
  3. That is all. The user cannot access any document.
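The renaming described for the variants above (the .xtbl and .wallet extensions, the ISHTAR prefix, "Neitrino"/"Neutrino" in file names) is the visible trace of step 2, and the earliest rename marks when encryption began. The PowerShell script below, an added example and not code from the article, walks a folder tree for those patterns and reports them; the indicator table and the sample files it creates under `%TEMP%` are constructed for the demonstration.

```powershell
# Added example (not from the original article): scan a folder tree for the
# file-renaming patterns described in the article and report when they began.
# The indicator list and the sample tree are constructed for this demonstration.
$Indicators = @{
    'XTBL'     = { param($n) $n -like '*.xtbl' }        # extension appended to every file
    'Wallet'   = { param($n) $n -like '*.wallet' }      # "Name..wallet"
    'Ishtar'   = { param($n) $n -like 'ISHTAR*' }       # prefix added to the file name
    'Neitrino' = { param($n) $n -match 'Ne[iu]trino' }  # "Neitrino" or "Neutrino" in the name
}

function Find-RansomwareRenames {
    param([Parameter(Mandatory)][string]$Root)
    $hits = @(
        foreach ($f in Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue) {
            foreach ($name in $Indicators.Keys) {
                if (& $Indicators[$name] $f.Name) {
                    [pscustomobject]@{ Indicator = $name; LastWrite = $f.LastWriteTime; Path = $f.FullName }
                    break   # one label per file is enough
                }
            }
        }
    )
    return ,$hits
}

# --- constructed sample tree so the script runs offline; point $Root at a real share to use it ---
$Root = Join-Path $env:TEMP 'ransom_scan_demo'
New-Item -ItemType Directory -Path $Root -Force | Out-Null
'report.docx.xtbl', 'budget.xlsx..wallet', 'ISHTAR-photo.jpg', 'notes.txt.Neutrino', 'clean.txt' |
    ForEach-Object { New-Item -ItemType File -Path (Join-Path $Root $_) -Force | Out-Null }

$hits = Find-RansomwareRenames -Root $Root
if ($hits.Count -eq 0) { Write-Host "No rename indicators under $Root"; return }

$hits | Sort-Object LastWrite | Format-Table Indicator, LastWrite, Path -AutoSize
$hits | Group-Object Indicator | ForEach-Object { "{0,-9} {1,5} file(s)" -f $_.Name, $_.Count }

# The earliest LastWrite among the hits approximates the start of encryption:
# the timestamp to look for in logs and to compare against shadow-copy creation times.
$first = ($hits | Sort-Object LastWrite | Select-Object -First 1).LastWrite
Write-Host "Earliest renamed file: $first"
```

On the constructed tree the scan reports four hits (one per indicator) and leaves `clean.txt` unlisted; on a real share, run it read-only from an uninfected machine.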

Countermeasures from popular laboratories

The widespread use of ransomware, which is recognized as the most dangerous threat to user data, has become an impetus for many antivirus laboratories. Every popular company provides its users with programs that help them fight ransomware. In addition, many of them help with document decryption and system protection.

Kaspersky and ransomware viruses

One of the most famous anti-virus laboratories in Russia and the world today offers the most effective tools for combating ransomware viruses. The first barrier against a ransomware virus is Kaspersky Endpoint Security 10 with the latest updates. The antivirus simply will not allow the threat to enter your computer (although it may not stop new versions). To decrypt information, the developer offers several free utilities: XoristDecryptor, RakhniDecryptor and Ransomware Decryptor. They help find the virus and recover the password.

Dr. Web and ransomware

This laboratory recommends using its antivirus program, whose main feature is file backup. The storage holding the copies of documents is also protected from unauthorized access by intruders. Owners of a licensed Dr. Web product can request help from technical support. True, even experienced specialists cannot always counter this type of threat.

ESET Nod 32 and ransomware

This company did not stand aside either, providing its users with good protection against viruses entering their computers. In addition, the laboratory recently released a free utility with current databases, the ESET Crysis Decryptor. The developers say that it will help in the fight against even the newest ransomware.

A wave of a new encryption virus, WannaCry (other names Wana Decrypt0r, Wana Decryptor, WanaCrypt0r), has swept across the world, which encrypts documents on a computer and extorts 300-600 USD for decoding them. How can you tell if your computer is infected? What should you do to avoid becoming a victim? And what to do to recover?

After installing the updates, you will need to reboot your computer.

How to recover from the Wana Decrypt0r ransomware virus?

When the antivirus utility detects a virus, it will either remove it immediately or ask you whether to treat it. Answer that it should.

How to recover files encrypted by Wana Decryptor?

We can’t say anything reassuring at the moment. No file decryption tool has yet been created. For now, all that remains is to wait until the decryptor is developed.

According to Brian Krebs, a computer security expert, at the moment the criminals have received only 26,000 USD, that is, only about 58 people agreed to pay the ransom to the extortionists. No one knows whether they restored their documents.

How to stop the spread of a virus online?

In the case of WannaCry, the solution may be to block port 445 on the firewall, the port through which the infection occurs.
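One way to apply that block on a Windows host with the built-in firewall, as an added example that is not part of the original article: the script creates an inbound rule for TCP 445, then reads the rule and its port filter back to confirm what is actually enforced. The rule name is chosen here and is not a standard one; run it in an elevated session.

```powershell
# Added example (not from the original article): block inbound TCP 445 (SMB)
# with Windows Firewall as a stop-gap while the MS17-010 patch is rolled out,
# and verify the rule. $RuleName is an arbitrary name chosen for this example.
$RuleName = 'Block inbound SMB 445 (WannaCry stop-gap)'

function Get-Smb445Rule {
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

# Create the rule once; re-running the script must not add duplicates.
if (-not (Get-Smb445Rule)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any -Enabled True | Out-Null
}

# Verify: the rule exists, is enabled, blocks, and its port filter really says 445/TCP.
$rule = Get-Smb445Rule
$port = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Rule     = $rule.DisplayName
    Enabled  = $rule.Enabled
    Action   = $rule.Action
    Protocol = $port.Protocol
    Port     = $port.LocalPort
}

# The SMB server will normally still be listening on 445; the rule drops inbound
# connections to it, so a listener here is expected and not a sign of failure.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Caveat: this also blocks legitimate file and printer sharing to this host.
# Narrow it with -RemoteAddress (for example to untrusted subnets only), and
# remove it once the patch is installed:
#   Remove-NetFirewallRule -DisplayName $RuleName
```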
