Top 11 Ransomware Attacks in 2020-2021
Orhan Sari
Ransomware attacks 2020-2021 – Cybersecurity researchers have recently shown that ransomware attacks doubled in number. In the first quarter of the 2020 financial year, ransomware attacks increased dramatically because of the home-office working that the COVID-19 pandemic brought along. The main reason given for this increase is the lack of cybersecurity measures during this period of home-office working.
Compared to previous years, the rate of increase in 2020 is the highest, owing to the chaos created by cybercriminals. Attackers carried out one attack after another to infiltrate companies and steal their data.
Furthermore, many ransomware families have refined their techniques for stealing sensitive data from sectors such as banking, financial services, government services, insurance and manufacturing.
Ransomware attacks are a great danger to organisations of all sizes all over the world. This type of attack gives attackers access to the organisation's network. Sensitive or financial data is then made inaccessible to the organisation by means of encryption. Cybercriminals demand a ransom from the organisation for the encrypted data; meanwhile, they also profit from the data by selling it on cybercrime forums. So, what are the top ransomware attacks threatening organisations in 2020 and 2021?
Top 11 Ransomware Attacks 2020-2021
1- REvil Ransomware
REvil is file-encrypting malware that, once it has infiltrated a system, encrypts all the files and demands money from the victim. In the ransom demand, the criminals force victims to pay in bitcoin. If the victim does not pay the ransom within a specific period, the ransom doubles.
It has been discovered that the data leak at the law firm Grubman Shire Meiselas & Sacks was caused by REvil ransomware. Attackers stole data belonging to famous clients and shared it on the dark web.
According to reports, the personal information of Drake, Robert De Niro, Rod Stewart, Elton John, Mariah Carey and many other stars may have been obtained through this ransomware attack. In addition, screenshots of computer files such as Madonna's tour contract, and files belonging to Bruce Springsteen, Bette Midler and Barbra Streisand, were also leaked. This ransomware is first in our ransomware attacks 2020-2021 list.
2- Sodinokibi Ransomware
Also known as Sodin, Sodinokibi ransomware is a variant of REvil. It spread in September 2019 by exploiting a zero-day vulnerability in Oracle WebLogic servers. Later, after the vulnerability was fixed, it continued to spread through software installers, through exposed remote desktop servers and other backdoor vulnerabilities, and through the tooling that deploys this ransomware. This ransomware is second in our ransomware attacks 2020-2021 list.
Deeper analysis showed that this ransomware is closely related to GandCrab: the two share similar code. In the same period, use of GandCrab was decreasing while use of Sodinokibi was increasing. This led analysts to conclude that the two ransomware families are strongly related.
When activated on the target, Sodinokibi ransomware, thanks to its configurable structure, can do the following:
- Escalate privileges by exploiting the CVE-2018-8453 weakness.
- Prevent resource conflicts by terminating blacklisted processes.
- Delete files that are on the blacklist.
- Encrypt removable or network drives that have not been whitelisted.
- Send system data about the target to the attacker.
3- Nemty Ransomware
Nemty ransomware is third in our ransomware attacks 2020-2021 list. Unlike other ransomware, Nemty operates as a ransomware service. When it first appeared, it was frequently advertised on Russian pirate forums. It was active from summer 2019 to summer 2020.
While the RaaS (Ransomware as a Service) was actively operating, its customers could access a portal that let them build a custom version of Nemty ransomware. They could then distribute these versions in whatever way they preferred.
Phishing emails played a major part in spreading this malware. When the owner of a computer infected by Nemty paid the ransom, 30% of the payment went to the Nemty developers and the rest to the customers.
A few months ago, the Nemty developers announced that they would no longer operate as a ransomware service provider but would work privately. They also stressed that files would never be recovered if the clients did not pay them within a week.
4- Nephilim Ransomware
When it first appeared, cybersecurity researchers found that Nephilim's source code is very similar to Nemty's. Not only the code but also the design and behaviour were the same. Both threaten the victim with publishing sensitive data if the ransom demanded is not paid.
Nephilim's victims have usually been large organisations and companies. In December, attackers planned to attack government organisations and companies using a weakness they discovered in Citrix Gateway devices. They also managed to encrypt victims' data by exploiting remote desktop and VPN vulnerabilities.
The ransom note stresses that the data have been encrypted with a military-grade algorithm and that sensitive data have been stolen. To prove they hold the key, the Nephilim attackers ask the victim for two encrypted files, decrypt them and send them back, so that the victim is convinced they are the only ones who can decrypt the files.
5- NetWalker Ransomware
Also known as Mailto, NetWalker is one of the latest ransomware variants. Government agencies, healthcare organisations, corporations and remote employees are targeted by attackers using NetWalker.
NetWalker uses the victim's network to encrypt all Windows devices. It uses a configuration that includes the ransom note and file names.
According to cybersecurity researchers, NetWalker uses two different attack methods: A) coronavirus-themed phishing emails and B) executable files that spread through networks. NetWalker is one of the most destructive malicious software in the ransomware attacks 2020-2021 list.
6- DoppelPaymer Ransomware
DoppelPaymer ransomware and its variants first appeared in April 2019 and claimed their first victims in June 2019. The first variant, which appeared with the intention of testing, was not malicious.
So far, 8 different variants have been discovered; there are 3 confirmed victims, and the cybercriminals have earned 142 bitcoins. Allowing for fluctuations in the exchange rate between the US dollar and bitcoin, that is about 1,200,000 dollars.
DoppelPaymer leaves a note for its victims after encrypting their files. The note follows a similar pattern to the note left by BitPaymer in 2018. It includes not only the ransom amount but also a keyword, a URL and DATA that can be accessed through TOR.
The DoppelPaymer payment portal is almost identical to BitPaymer's. In the portal, one can see the ransom amount, a countdown and the bitcoin wallet address.
7- Ryuk Ransomware
Ryuk is one of the most active ransomware families; it blocks access to the system or device until the ransom is paid.
Ryuk relies on other malware to infect the targeted system, gaining access through malware such as TrickBot and through Remote Desktop Services. For each file, it uses unique, military-grade algorithms such as RSA and AES.
Large companies and government agencies are Ryuk's usual targets. For instance, US-based EMCOR, a Fortune 500 company, is a recent Ryuk victim, and some of its IT systems were taken offline.
8- Maze Ransomware
Previously known as 'ChaCha ransomware', Maze is among the most dangerous malware for organisations worldwide; it was discovered by Jerome Segura on May 29th 2019. The group behind it launched its attacks using the Fallout and Spelevo exploit kits.
This ransomware is infamous for publicly publishing sensitive data that it has stolen using various methods. Maze encrypts all files and demands a ransom for recovery.
At the same time, it threatens to publish the data if the ransom demands are not met. Cognizant, allegedly Canon, Xerox and some healthcare organisations are among the most recent Maze victims. Maze is also one of the most destructive malicious software in the ransomware attacks 2020-2021 list.
9- CLOP Ransomware
Attackers have been found using CLOP ransomware against companies and organisations around the world. Recently, cybercriminals using CLOP stole sensitive data from several organisations, encrypted it and demanded a ransom.
The attackers used phishing to steal the sensitive data and transfer it to their own servers. CLOP appends the ".clop" extension to every file it encrypts and creates a "ClopReadMe.txt" file. This ransomware uses the RSA algorithm to encrypt data, and the generated keys are kept on a remote server controlled by the attackers.
If ransom negotiations fail, the ransomware publishes the data on a dark web leak site called 'CL0P ^ _- LEAKS'. Moreover, updated and recent versions of CLOP can disable local security software such as Windows Defender and Microsoft Security Essentials, and they try to widen their range of attack. This ransomware can also infect the system with a trojan horse or other malware.
10- Tycoon Ransomware
Tycoon is a recently discovered ransomware family. Many organisations in the education and software sectors have suffered from this malware. It is written in Java.
This malware, compiled in ImageJ, is considered out of the ordinary because it was added to a trojanized version of the Java Runtime Environment. It is also the first time a customised, malicious JRE build has used Java's JIMAGE format.
Since it was identified six months ago, Tycoon has shown an aggressive approach, although the number of victims has been limited. Its attackers are known to use various techniques to remain hidden.
After infecting the system, Tycoon denies administrator access and then launches further attacks on the file servers and the domain controller. Weak passwords are a great advantage for Tycoon.
11- Sekhmet Ransomware
Sekhmet ransomware first appeared in June 2020. It encrypts files and demands money to decrypt them. The extensions of infected files are changed at random, for example ".HrUSsw", ".WNgh" or ".NdWfEr". After a successful attack, every file is left with a ransom note, "RECOVER-FILES.txt".
The note in RECOVER-FILES.txt says that the victim's company network has been attacked and that sensitive data has been stolen and encrypted. The cybercriminals demand that victims contact them within 3 days; otherwise, the data will be published online.
To encrypt files, Sekhmet uses a combination of the RSA-2048 and ChaCha encryption algorithms. To decrypt, you need the decryption key, but this key is kept on a server belonging to the cybercriminals.
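The CLOP and Sekhmet entries above both name on-disk artifacts a defender can watch for: the ".clop" extension and "ClopReadMe.txt" note for CLOP, and the "RECOVER-FILES.txt" note with randomised mixed-case extensions for Sekhmet. The following is an added example of detection logic over a constructed file-event log; it is not code from the article or from Keepnet. The event tuples, host names and the rename-burst threshold of 5 are assumptions made for the demo.

```python
"""Flag the ransomware file-system artifacts named in the article: CLOP's ".clop"
extension and "ClopReadMe.txt" note, Sekhmet's "RECOVER-FILES.txt" note and its
randomised extensions (".HrUSsw", ".WNgh", ".NdWfEr"). Example code added to this
page; it is not Keepnet's code. The event log is constructed for the demo and the
burst threshold is an assumed value."""
from collections import Counter, defaultdict
import re

RANSOM_NOTES = {"clopreadme.txt", "recover-files.txt"}   # note names from the article
KNOWN_EXTENSIONS = {".clop"}                              # CLOP's extension, per the article
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".pptx", ".zip"}
RENAME_BURST = 5  # assumed: 5+ renames to odd extensions from one host is suspicious


def ext_of(name):
    """Final extension of a file name, keeping its case ("" if none)."""
    m = re.search(r"(\.[^./\\]+)$", name)
    return m.group(1) if m else ""


def looks_random(ext):
    """Sekhmet-style extension: 4-8 letters after the dot, in mixed case."""
    body = ext[1:]
    return 4 <= len(body) <= 8 and body.isalpha() and not body.islower() and not body.isupper()


def scan_events(events):
    """events: iterable of (host, action, path) tuples.
    Returns a list of (host, indicator, detail) findings in detection order:
    note and known-extension hits first, then per-host rename bursts."""
    findings = []
    odd_renames = defaultdict(Counter)  # host -> Counter of odd extensions seen
    for host, action, path in events:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = ext_of(name)
        if name.lower() in RANSOM_NOTES:
            findings.append((host, "ransom_note", path))
        elif ext.lower() in KNOWN_EXTENSIONS:
            findings.append((host, "known_ransomware_extension", path))
        elif action == "rename" and ext.lower() not in COMMON_EXTENSIONS and looks_random(ext):
            odd_renames[host][ext] += 1
    for host, exts in odd_renames.items():
        total = sum(exts.values())
        if total >= RENAME_BURST:
            findings.append((host, "rename_burst", f"{total} renames to {sorted(exts)}"))
    return findings


SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    ("ws-07", "create", r"C:\Users\ali\Documents\ClopReadMe.txt"),
    ("ws-07", "rename", r"C:\Users\ali\Documents\budget.xlsx.clop"),
    ("srv-fs", "rename", r"D:\share\q1.docx.HrUSsw"),
    ("srv-fs", "rename", r"D:\share\q2.docx.WNgh"),
    ("ws-03", "rename", r"C:\Users\ece\report-final.pdf"),   # benign rename
    ("srv-fs", "rename", r"D:\share\plan.pptx.NdWfEr"),
    ("srv-fs", "rename", r"D:\share\team.jpg.HrUSsw"),
    ("srv-fs", "create", r"D:\share\RECOVER-FILES.txt"),
    ("srv-fs", "rename", r"D:\share\notes.txt.WNgh"),
    ("ws-03", "create", r"C:\Users\ece\notes.txt"),          # benign create
]

if __name__ == "__main__":
    for host, indicator, detail in scan_events(SAMPLE_EVENTS):
        print(f"{host:7} {indicator:27} {detail}")
```

The note-name and ".clop" checks are exact matches and fire on a single event; the rename-burst rule is the generic fallback for families like Sekhmet that pick a fresh extension per victim, so it only fires once one host has renamed several files to unfamiliar mixed-case extensions.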
1- Keep your anti-virus software updated.
2- Use attack-detection technologies and monitor them.
Intrusion detection systems watch for suspicious network traffic; when it is detected, they send alerts that indicate a breach. Monitor these tools and use tools that analyse security gaps.
3- Use email filtering and content-scanning tools.
These tools are the easiest way to prevent users from clicking malicious code and ransomware links. They stop ransomware before the emails reach users' inboxes.
These tools also scan suspicious emails that are already in mailboxes, analyse them and report on them. They can also be integrated with other analysis engines, which makes them an advanced technology tool.
5- Have a recovery plan
This plan is an organised, written strategy that outlines how to continue operating after an incident. However, a written plan by itself is not enough and should always be tested.
6- Have an Efficient Backup Procedure
Have at least 3 copies of your data. Store them on 2 different platforms, such as the cloud, and keep one copy off-site to protect your data against natural disasters.
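Items 5 and 6 together say that backups must follow the 3 copies / 2 platforms / 1 off-site rule and that the recovery plan must actually be tested. The example below is added here and is not Keepnet's code: it evaluates a backup inventory against that rule and then verifies a restore by comparing SHA-256 hashes of the original and restored files. The inventory, the platform labels and the two sample files are constructed for the demo; a real restore test would point `verify_restore` at a directory recovered from backup media.

```python
"""Check a backup inventory against the 3-2-1 rule from the article and verify a
restored copy against the original before relying on it. Added example, not the
article's or Keepnet's code; the inventory and files below are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str
    platform: str   # constructed platform names, e.g. "nas", "cloud", "tape"
    offsite: bool


def check_3_2_1(copies):
    """Return the list of rule violations; an empty list means the policy is met."""
    problems = []
    if len(copies) < 3:
        problems.append(f"{len(copies)} copies found, need at least 3")
    if len({c.platform for c in copies}) < 2:
        problems.append("all copies on one platform, need 2")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems


def sha256_file(path):
    """Stream the file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(original_dir, restored_dir):
    """Compare every file under original_dir with its restored counterpart.
    Returns (ok, sorted list of relative paths that are missing or differ)."""
    mismatches = []
    for root, _, files in os.walk(original_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, original_dir)
            dst = os.path.join(restored_dir, rel)
            if not os.path.exists(dst) or sha256_file(src) != sha256_file(dst):
                mismatches.append(rel)
    return (not mismatches, sorted(mismatches))


def demo():
    """Constructed run: a compliant inventory, then a restore in which one file
    was corrupted on purpose so the hash check has something to catch.
    Returns (policy_problems, restore_ok, mismatched_files)."""
    copies = [
        BackupCopy("nas-daily", "nas", offsite=False),
        BackupCopy("cloud-weekly", "cloud", offsite=True),
        BackupCopy("tape-monthly", "tape", offsite=True),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        orig = os.path.join(tmp, "orig")
        rest = os.path.join(tmp, "restored")
        os.makedirs(orig)
        os.makedirs(rest)
        for name, data in (("a.txt", b"alpha"), ("b.txt", b"bravo")):
            for d in (orig, rest):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        with open(os.path.join(rest, "b.txt"), "wb") as f:
            f.write(b"BROKEN")  # simulated bad restore of one file
        ok, bad = verify_restore(orig, rest)
    return check_3_2_1(copies), ok, bad


if __name__ == "__main__":
    problems, ok, bad = demo()
    print("policy:", "OK" if not problems else problems)
    print("restore:", "OK" if ok else f"FAILED for {bad}")
```

Run it periodically as part of the recovery-plan test rather than once: a backup that passes the inventory check but fails the restore comparison is exactly the case the article warns about when it says a written plan is not enough.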
7- Do not pay the ransom
Security specialists and law enforcement officials state that paying ransoms funds cybercrime and attracts further crime. Instead of paying the criminals, restore your systems from your backups.
8- Train Your Employees Against Ransomware Attacks Through Security Awareness Training
Regular cybersecurity awareness training is a must to stop ransomware attacks. Users must be trained so that they become better at distinguishing fake emails from legitimate ones.
9- Use Phishing Attack Simulations
Using such simulations is one way to train your users against phishing attacks. Simulated phishing attacks are important for raising phishing awareness. By using phishing simulator tools, you can make sure your employees are prepared for ransomware attacks.
10- What Should You Do During A Ransomware Attack?
- If you are the victim of a ransomware attack, you can use cloud backup software to get your files back quickly without paying the ransom. Cloud backup software is the best defence against ransomware.
- If you are attacked by ransomware as a cloud backup user, there are 4 steps to follow:
  - Stop all file-sharing activity on your device as soon as you notice a ransomware infection.
  - Assess the malware and the damage it has caused. If needed, locate the encrypted files with the help of antivirus software.
  - Clean all infected files.
  - Recover the infected files from your cloud backup.
11- Protect your organization against ransomware attacks with Keepnet!
By continually training your organisation's employees with Cyber Security Awareness Training, you reduce the risk of attacks such as malware, information disclosure and ransomware delivered by e-mail, and you protect your organisation through trained employees. By teaching your employees how to recognise suspicious e-mails and fake web pages, you raise their cyber security awareness against phishing attacks.
With our Cyber Security Awareness Training module, you can provide your employees with HTML5 training presentations in Turkish and English, animated training videos in Turkish and English, posters, screensavers, cyber security newsletters, tips and Ninjio animated training videos: rich training material for your employees' cyber security. You can run awareness campaigns and get automatic reports.
Keepnet Labs also has phishing test software, the Phishing Simulation Module, which offers more than 750 phishing campaign templates in 8 languages including English, German and French. By customising phishing campaigns for your organisation and then sending these real-world campaigns to your employees, you can measure their awareness of phishing emails; the module also teaches your users what phishing emails look like and what to check on fake websites for phishing protection. You can review the results of the automatic phishing campaign in the report and watch live statistics such as how many people opened the phishing email, clicked the link or entered their information.