The top 10 worst ransomware attacks of 2017, so far

Ransomware variants NotPetya, WannaCry, and Locky are among those that wreaked havoc for businesses worldwide this year.

Ransomware continues to dominate the cybersecurity landscape in 2017, with businesses large and small paying millions of dollars to unlock encrypted files. These attacks appeared in 64% of all malicious emails sent in Q3 and, with major successful campaigns such as NotPetya and WannaCry, show no signs of slowing down, according to a new report from security firm Webroot, released Tuesday.

"This past year was unlike anything we've ever seen," David Dufour, vice president of engineering and cybersecurity at Webroot, said in a press release. "Attacks such as NotPetya and WannaCry were hijacking computers worldwide and spreading new infections through tried-and-true methods. This list is further evidence that cybercriminals will continue to exploit the same vulnerabilities in increasingly malicious ways. Although headlines have helped educate users on the devastating effects of ransomware, businesses and consumers need to follow basic cybersecurity standards to protect themselves."

Here are the top 10 worst ransomware attacks of 2017 so far, according to Webroot:

1. NotPetya

NotPetya started as a fake Ukrainian tax software update, and went on to infect hundreds of thousands of computers in more than 100 countries over the course of just a few days. This ransomware is a variant of Petya, but uses the same exploit behind WannaCry. It hit a number of firms in the US and caused major financial damage: For example, the attack cost pharmaceutical giant Merck more than $300 million in Q3 alone, and is on track to hit that amount again in Q4.

2. WannaCry

WannaCry (also known as WannaCrypt) has been one of the most devastating ransomware attacks in history, affecting several hundred thousand machines and crippling banks, law enforcement agencies, and other infrastructure. It was the first strain of ransomware to use EternalBlue, which exploits a vulnerability in Microsoft's Server Message Block (SMB) protocol.

3. Locky

Locky is currently the top payload in terms of ransomware and across all malware families, according to a report from security firm Proofpoint. While Locky was 2016's most popular ransomware strain, new variants called Diablo and Lukitus also surfaced this year, using the same phishing email attack vector to initiate their exploits.

4. CrySis

CrySis—typically spread by hacking into Remote Desktop Services and manually installing the ransomware—started last year in Australia and New Zealand. RDP is one of the most common ways to deploy ransomware, Webroot noted, because cybercriminals can compromise administrators and machines that control entire organizations. In May, some 200 master keys were released allowing victims to decrypt and unlock their systems, ZDNet reported.

5. Nemucod

The Nemucod ransomware family has been active since at least 2015, and arrives in the form of a phishing email that appears to be a shipping invoice. Then, it downloads malware and encryption components stored on compromised websites.

6. Jaff

Jaff arose in May 2017, and heavily mimics tactics used by Locky. It uses the Necurs botnet to send millions of spam emails to targets globally over just a few hours, and demands victims pay 1.79 Bitcoins—currently more than $6,000.

7. Spora

Spora ransomware is distributed when cybercriminals hack legitimate websites and add JavaScript code, making a pop-up alert appear that prompts users to update their Chrome browsers. Upon infection, the ransomware can steal credentials from victims, making money from both extorting ransoms and potentially selling the stolen information, as ZDNet noted.

8. Cerber

Cerber uses ransomware-as-a-service to allow non-technical cybercriminals to extort payments from victims, with the developers of the malware taking a cut of the money gained.

9. Cryptomix

Cryptomix is one of the few types of ransomware that does not have a payment portal available on the dark web, the report noted. Instead, victims must wait for the cybercriminals who locked their machine to email them instructions for payment in Bitcoin.

10. Jigsaw

Jigsaw, first seen in 2016, embeds an image of the clown from the Saw movies into a spam email. When the user clicks it, the ransomware encrypts their files, but also deletes files if the user takes too long to make the ransom payment of $150, according to Webroot.

About Alison DeNisco Rayome

Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.
