Ransomware has been around since the early 1990s. Infection numbers across the globe peaked in 2017, but it remains a severe threat. Ransomware and other cyber-crimes are costing UK businesses billions of pounds annually. First, the ransomware infects a network through an email phishing scheme, an executable file, or a website. The malware then encrypts data, leaving the victim locked out and unable to access their files until they make a ransom payment. Following this, the attackers send the decryption keys to the victim, allowing them to recover their data, provided that the keys are not fake.
2016 and 2017 marked a high point in ransomware history. Two notorious ransomware attacks, WannaCry and NotPetya, infected hundreds of thousands of computer systems. The devastating attacks closed down hospitals, radio stations, and other businesses. Since then, attacks have continued, but recent trends show that attackers are now carefully targeting victims with specific vulnerabilities. The following are some examples of recent ransomware attacks.
Several months after an attack on healthcare facilities in January 2018, SamSam attacked the Colorado Department of Transportation (CDOT), shutting down 2000 computer systems and forcing employees to conduct business on personal devices. Since then, SamSam has morphed into several malicious variants and has repeatedly attacked CDOT in 2018.
In one instance, just after CDOT had cleaned 20% of its computers following an attack, SamSam changed into another variant and reinfected the cleaned systems, staying one step ahead of anti-malware tools. While CDOT has paid no ransoms, SamSam has forced the agency to take many systems offline while it recovers data, resorting to handling duties on personal devices or with old-fashioned pen and paper.
The City of Atlanta suffered a similar SamSam attack in 2018, which shut down systems and demanded a $55,000 ransom. The attackers removed the payment portal, and the City of Atlanta did not pay the ransom. However, the city allocated over two million dollars to restore backup files, clean systems, and take measures to avoid future attacks.
A common feature of ransomware is its development origin in rogue states or criminal organizations. Ryuk is believed to have evolved from a North Korean ransomware called Hermes, which was then modified by a Russian hacker group. One particularly nasty aspect of Ryuk is that it disables the Windows restore function, eliminating that popular avenue of system data recovery.
Ryuk began attacking agencies and businesses in 2018, targeting newspapers and one water utility in North Carolina. The affected newspapers had to issue reduced content to maintain paid circulation. Cleaned systems became reinfected with the malware when the server restarted, forcing repeated reboot attempts to restore operations.
Ransomware continues to evolve, even as new protection tools are developed. In its most successful form, ransomware can morph into new variants that are able to thwart even the best security measures. Some businesses simply can't afford downtime and pay ransoms in the hope of recovering the data needed to keep their businesses open. As ransomware continues to gain popularity with criminal hackers and the malware itself grows more sophisticated, both businesses and private individuals need to be aware of, and vigilant about, the risks they may encounter every time they access the internet.