Ransomware continues to dominate the cybersecurity landscape in 2017, with businesses large and small paying millions of dollars to unlock encrypted files. These attacks appeared in 64% of all malicious emails sent in Q3, and with major successful campaigns such as NotPetya and WannaCry, show no signs of slowing down, according to a new report from security firm Webroot, released Tuesday.
“This past year was unlike anything we’ve ever seen,” David Dufour, vice president of engineering and cybersecurity at Webroot, said in a press release. “Attacks such as NotPetya and WannaCry were hijacking computers worldwide and spreading new infections through tried-and-true methods. This list is further evidence that cybercriminals will continue to exploit the same vulnerabilities in increasingly malicious ways. Although headlines have helped educate users on the devastating effects of ransomware, businesses and consumers need to follow basic cybersecurity standards to protect themselves.”
Here are the top 10 worst ransomware attacks of 2017 so far, according to Webroot:
NotPetya started as a fake Ukranian tax software update, and went on to infect hundreds of thousands of computers in more than 100 countries over the course of just a few days. This ransomware is a variant of Petya, but uses the same exploit behind WannaCry. It hit a number of firms in the US and caused major financial damage: For example, the attack cost pharmaceutical giant Merck more than $300 million in Q3 alone, and is on track to hit that amount again in Q4.
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)
WannaCry (also known as WannaCrypt) has been one of the most devastating ransomware attacks in history, affecting several hundred thousand machines and crippling banks, law enforcement agencies, and other infrastructure. It was the first strain of ransomware to use EternalBlue, which exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol.
Locky is currently the top payload in terms of ransomware and across all malware families, according to a report from security firm Proofpoint. While Locky was 2016’s most popular ransomware strain, new variants called Diablo and Lukitus also surfaced this year, using the same phishing email attack vector to initiate their exploits.
CrySis–typically spread by hacking into Remote Desktop Services and manually installing the ransomware–started last year in Australia and New Zealand. RDP is one of the most common ways to deploy ransomware, Webroot noted, because cybercriminals can compromise administrators and machines that control entire organizations. In May, some 200 master keys were released allowing victims to decrypt and unlock their systems, ZDNet reported.
The Nemucod ransomware family has been active since at least 2015, and arrives in the form of a phishing email that appears to be a shipping invoice. Then, it downloads malware and encryption components stored on compromised websites.
SEE: End user data backup policy (Tech Pro Research)
Jaff arose in May 2017, and heavily mimics tactics used by Locky. It uses the Necurs botnet to send millions of spam emails to targets globally over just a few hours, and demands victims pay 1.79 Bitcoins–currently more than $6,000.
Cerber uses ransomware-as-a-service to allow non-technical cybercriminals to extort payments from victims, with the developers of the malware taking a cut of the money gained.
Cryptomix is one of the few types of ransomware that does not have a type of payment portal available on the dark web, the report noted. Instead, victims must wait for the cybercriminals who locked their machine to email them instructions for payment in Bitcoin.
Jigsaw, first seen in 2016, embeds an image of the clown from the Saw movies into a spam email. When the user clicks it, the ransomware encrypts their files, but also deletes files if the user takes too long to make the ransom payment of $150, according to Webroot.
To learn more about how your business can avoid ransomware attacks like these, click here.