Investigating the increasing menace of ransomware!

Part 1 - With ransomware like CryptoWall, CryptoLocker & Chimera what’s in store next?

First the good news. In November 2015, Kaspersky announced the ransomware variants Coinvault and Bitcryptor were dead. The alleged authors were arrested and all 14,000 decryption keys were released. But as we mentioned in our blog “Cyber Security Predictions for 2016”, ransomware is an increasing menace. That is because it is a big moneymaker for cybercriminals. The malware uses strong encryption to prevent users from recovering files unless they pay a ransom. Be warned: even if you pay, the attackers may or may not deliver a valid key to unlock your files!

There are many types of ransomware, including (among others) CryptoWall, CryptoLocker, TorrentLocker, Chimera, TeslaCrypt, and CTB-Locker. A new entrant is Ransom32, touted as the first JavaScript ransomware.

Three Notorious Ransomware Groups of 2021


REvil recently attacked the French electronics manufacturer Asteelflash, demanding a ransom of $24 million. REvil not only encrypted data during the attack but also stole large amounts of it as leverage to pressure the company into paying. This double-extortion tactic is the latest trick in the ransomware gangs' playbook: REvil posts the stolen data on a leak site known as “Happy Blog”. One striking characteristic of modern ransomware groups is the scale of their operations, achieved through a collective approach and an affiliate business model in which the ransomware components are delivered ‘as-a-Service’.

REvil demonstrates well the business efficiency and operational capability of ransomware attacks carried out by a collective of individuals working towards the common goal of making a large amount of money. This business-like approach to cybercrime is laid out in an exposé on REvil by CNBC, in which a researcher from Arete Incident Response describes a job advert for a position with the gang; the job was to gain access to networks.


Egregor started out as the Maze ransomware gang. Maze is less a gang than a collection of affiliates using ransomware 'as-a-service' to target specific industry sectors.

Ransomware gangs often like to glamorize what they do by using names associated with mythology and the like. Sophos researchers recently noted the rebranding of Maze as Egregor, which according to Sophos, is a word derived from the Greek word ἑγρήγορος used to describe a ‘group mind’. The Egregor ransomware has been used to target schools, with around 130 schools attacked by the ransomware in 2021.


The DarkSide hacking group was behind the massive Colonial Pipeline ransomware attack. The attack shut down 5,500 miles of pipeline, badly impacting U.S. critical infrastructure. The attackers demanded a ransom of $5 million equivalent in bitcoin. DarkSide is a highly sophisticated hacking group that even runs a press center called “DarkSide Leaks”.

DarkSide is known to go after big targets and use the Ransomware-as-a-Service (RaaS) model. DarkSide and its RaaS affiliates are masters of reconnaissance. They will explore their targets, find out about their revenue, look for vulnerabilities and misconfigurations, and calculate their likelihood of success at extracting a large payout.

DarkSide has said that they will only target large organizations and that affiliates will not go after smaller organizations or those in healthcare and the public sector. The group has even said, on its press center, that it will donate to charity. However, some countries, including the USA, prohibit charities from accepting money obtained illegally.

Paying the ransom fee 

A recent trend is a threat to post user data and photos online unless the ransom is paid. This has been seen most often with Chimera ransomware. Most security analysts think this is simply a scare tactic. Here’s why:

  • Why would a victim pay the ransom if they could retrieve the data online for free? This undermines the purpose of the attack.
  • Exfiltrating user files makes it much easier to trace the source of the attack. A ransomware attacker, like any criminal, does not want to get caught.
  • Attackers want to make a quick buck; an attacker would have to peruse a lot of kitten photos looking for personal information that is marketable.

Ransomware is not just for Windows anymore

In the past ransomware largely affected Windows-based devices. But Linux devices are a tempting target because a large number of servers use Linux. Not only can servers be victims; they can be used to further distribute the malware to other devices. As of November 2015, Malwarebytes reported a new variant of Linux ransomware, bringing the total to four. The new ransomware demands up to $999 for any victim who is not a citizen of Russia and the Commonwealth of Independent States.

In June 2017 the South Korean web hosting company Nayana agreed to pay $1 million in Bitcoin after a ransomware attack hit 153 of its Linux servers. According to the initial announcement, the hacker demanded a ransom of 550 Bitcoins (over $1.6 million) to decrypt the affected files. This is another example of “it doesn't matter what you run”.

Ransom32 makes multiplatform attacks easier

This is the first ransomware written in JavaScript, which makes it easy to develop versions for Windows, Linux and Mac OS X concurrently. Setting up a campaign with Ransom32 is easy: the operator uses the web interface and clicks the “Download client.scr” button. The client.scr download is a 22 MB WinRAR self-extracting archive (ransomware download files are normally no larger than 1 MB). Inside the archive is a packaged NW.js JavaScript application.

CryptoLocker – which one?

This malware first appeared in 2013. In May 2014, a combination of law enforcement agencies and security companies seized a worldwide network of hijacked home computers that was being used to spread CryptoLocker. While the cybercriminals were transmitting their key database for backup, the authorities intercepted it. As a result, all 500,000 victims of CryptoLocker can now recover CryptoLocker-encrypted files without paying a ransom.

Original CryptoLocker continues to claim new victims

An interesting aside: the original CryptoLocker continues to claim new victims. Early in 2015, American Electric Power, the largest power grid operator in the US, was infected when a supervisor opened a personal email on a company laptop. In addition, since November 2015 there is also CryptoLocker Service. This scheme has lowered the expense of a ransomware campaign by charging $50 plus a ten percent commission on each ransom paid, plus a fee for payload customization. Although the developer also calls the software CryptoLocker, he says it is completely different from the older software.


Based on several IT forum conversations, many small and medium-sized businesses experienced mainly CryptoWall and TorrentLocker ransomware attacks in the fall of 2015. TorrentLocker is known for spear phishing from purported delivery services and utilities. In Australia, spear phishes referred to bogus speeding fines sent by the Australian Federal Police. TorrentLocker targets individuals as well as businesses.

CTB Locker

Curve-Tor-Bitcoin (CTB) Locker is spread via a bulk spam campaign instead of spear phishing. Unlike most other ransomware, it does not require an active internet connection before it starts encrypting files. A distinctive feature is its reliance on Elliptic Curve Cryptography (ECC), which requires a significantly smaller key size than RSA encryption. Attackers use the ransomware to recruit CTB Locker “affiliates” from among their victims, accelerating dissemination of the malware.


TeslaCrypt appears to be a derivative of the original CryptoLocker ransomware. It is reported to have had the second-largest number of infections seen across all countries, behind only CryptoWall. Most infections are spread by phishing / spam emails. TeslaCrypt, like many ransomware types, obfuscates its code to evade detection.

In Part 1, we looked at some new wrinkles in the ransomware game and then examined the specifics of Ransom32, CryptoLocker, CTB Locker, and TeslaCrypt.

Part 2. We move on to CryptoWall.


Let’s first look at CryptoWall Version 3, which was thoroughly studied by the Cyber Threat Alliance, and then discuss the changes since then. Here are some highlights:

  • It first surfaced in January 2015, and infects all versions of Windows. North America and Australia experienced the brunt of the attacks.
  • One attack group extorted an estimated $325 million in the US alone in 2015.
  • A CryptoWall 3.0 attack begins with an exploit kit attack, usually Angler, or phishing emails with .scr or .exe attachments. Angler exploits vulnerabilities in HTML, JavaScript, Flash, Silverlight, Java and more. The kit is updated regularly to include new zero-day exploits. Other kits used are Sundown, Magnitude, and Fiesta.
  • CryptoWall 3.0 injects its encrypted payload directly into the memory of the victim’s machine. The payload can include banking Trojans, rootkits, and backdoor Trojans as well as ransomware.
  • It detects virtual machines and disables security products.
  • Backup shadow copies of files are removed on the victim machine and Startup Repair is disabled.
  • CryptoWall communicates with its command and control (C2) server. It often uses a compromised WordPress website to proxy requests to a secondary IP address.
  • Encryption begins. File attributes and time stamp information are modified for each file that is encrypted.
  • The malware removes its own registry keys and uninstalls itself.
  • The TOR URL and unique victim URI are used to generate a contact URL.
  • The victim sees a website ransom page with instructions, the contact URL, and the Bitcoin ransom amount.

CryptoWall Version 4.0 popped up in October 2015. Infection statistics show that Europe, South America, Africa and southern Asia have been hard hit. Both the Nuclear and Angler exploit kits now include CryptoWall, making the attacks easy to launch. In Version 4, the malware alters filenames in addition to file contents. Attacks are even harder to detect, evading many of the newest firewalls. Instead of demanding a ransom, the cybercriminals are trying new angles:

  • The victims are asked to pay for “security software”. As the victim’s files are being encrypted, the victim receives a notice that antivirus programs are “protecting” their data.
  • Attackers may threaten to publish user data online if a ransom is not paid.
  • An especially vicious variant of CryptoWall encrypts files randomly over many weeks. This makes recovery from backups difficult.

Most security experts saw an acceleration in CryptoWall 4.0 attacks in 2016.
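Both the filename changes in Version 4 and the slow, weeks-long encryption described above can be caught by comparing each backup snapshot against the live tree rather than waiting for a ransom note. The script below is an added example, not code from the original article: it diffs two constructed in-memory snapshots (paths and contents are invented), flagging files whose contents turned from ordinary text into high-entropy data, new files carrying a ransom extension (the page names .locky; the set is an assumption to be kept current), and files that vanished in favour of a renamed copy. Run against every backup cycle, a slow-burn campaign shows up while copies taken before the first flagged file are still within retention.

```python
import hashlib
import math
import os
from collections import Counter

# The page names .locky; extend this set from current threat intelligence.
RANSOM_EXTENSIONS = {".locky"}


def shannon_entropy(data):
    """Bits per byte: plain text sits around 4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed, size):
    """Deterministic high-entropy bytes standing in for encrypted file contents.

    Constructed with a SHA-256 chain so the demo needs no cipher or key.
    """
    out = bytearray()
    block = seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


# Constructed snapshots (path -> bytes). BEFORE is the last known-good backup,
# AFTER is the live file system some days later.
BEFORE = {
    "docs/report.docx": b"Quarterly report narrative and figures. " * 25,
    "docs/budget.xlsx": b"2015,Q1,12000\n2015,Q2,13500\n" * 30,
    "photos/cat.jpg": b"\xff\xd8\xff\xe0JFIF stand-in image body " * 30,
    "notes/todo.txt": b"buy milk\ncall bob\n" * 10,
}
AFTER = dict(BEFORE)
AFTER["docs/report.docx"] = pseudo_ciphertext("report", 1000)        # rewritten in place
del AFTER["docs/budget.xlsx"]
AFTER["docs/budget.xlsx.locky"] = pseudo_ciphertext("budget", 900)  # replaced and renamed
AFTER["notes/todo.txt"] = b"buy milk\ncall bob\nfix car\n" * 10      # ordinary user edit


def diff_snapshots(before, after, threshold=7.0):
    """Return (path, reason) findings for a backup snapshot versus the live tree.

    Entropy is compared before/after rather than judged in isolation, so files
    that are legitimately dense (JPEG, ZIP) do not trip the check on their own.
    """
    findings = []
    for path, new_data in after.items():
        if path in before:
            if shannon_entropy(before[path]) < threshold <= shannon_entropy(new_data):
                findings.append((path, "content rewritten as high-entropy data"))
        elif os.path.splitext(path)[1].lower() in RANSOM_EXTENSIONS:
            findings.append((path, "new file carrying a known ransom extension"))
    for path in before.keys() - after.keys():
        renamed = [p for p in after if p.startswith(path + ".")]
        if renamed:
            findings.append((path, f"disappeared; likely renamed to {renamed[0]}"))
        else:
            findings.append((path, "disappeared from live tree"))
    return findings


if __name__ == "__main__":
    for path, reason in diff_snapshots(BEFORE, AFTER):
        print(f"{path}: {reason}")
```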


Chimera appeared in September 2015, and the German anti-botnet advisory centre Botfrei reported a new strain in November. This variant threatens to publish the victim’s data on the Internet unless a £450 ransom is paid. Spear phishing about job applications or offers refers the victim to information on Dropbox, and clicking on the Dropbox link begins the infection. Like CTB Locker, Chimera offers its victims an opportunity to become an “affiliate”, with a 50 percent commission for selling the ransomware as a service. The security community foresees more Chimera infections in the future, especially in English-speaking countries.


The latest headline-grabber (Q2 2016), “Locky”, doesn’t sound very malicious, but to many individuals and companies its effect has been traumatic. This new strain of ransomware is named after the file extension it applies once all your important files have been encrypted: .locky. It attempts to scramble many of the files on all the drives it can find, including removable drives, network shares and mapped drives on Windows, Linux or Mac OS X. As with all ransomware, you can only unscramble them after you have paid up!

Victims are invited to visit the dark web and pay the crooks in bitcoins, after which the decryption key is provided. So far, so similar. The difference here is the way the ransomware is distributed. The main source of infection has been spam email, mostly disguised as invoices. The attachment is a Word document containing that old virus carrier, the macro, which was the virus writers’ go-to method back in the late 1990s. With Locky, the recipient is asked to enable editing within the document, which allows the malware to run, and it has been pretty effective in persuading the innocent reader to click the yellow “Enable Editing” button.

Once the macro runs, it downloads the ransomware, which starts the task of encrypting all your files. Reports suggest that the Locky spam email campaigns are well resourced and distributed on a scale much larger than most. Many email messages had a subject line like “ATTN: Invoice…” or “Tracking documents”. The malware spread quickly, caught out many anti-virus vendors and hit businesses that were lax in ensuring frequent security updates happened.
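Because the Locky chain starts with a macro inside an Office attachment, the cheapest control is at the mail gateway, before a user ever sees the “Enable Editing” prompt. The check below is an added example, not the article's or any vendor's code: it opens an attachment as the OOXML zip container that modern Word and Excel files are, looks for the part in which VBA macros are stored, and returns a verdict. The sample documents are constructed in memory (no real invoice is used), and the sender policy (hold macro-enabled documents from external senders) is an assumed policy for the demo.

```python
import io
import zipfile

# OOXML keeps VBA macros in a part named vbaProject.bin under word/ or xl/.
VBA_PART_SUFFIX = "vbaproject.bin"
# Extensions that Office treats as macro-free; macro storage under one of these
# is a mismatch between container and extension and is held regardless of sender.
MACRO_FREE_EXTENSIONS = (".docx", ".dotx", ".xlsx", ".pptx")


def build_sample_document(with_macro):
    """Constructed minimal OOXML container for the demo (not a real invoice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real macro storage is an OLE compound file; a placeholder suffices here.
            z.writestr("word/vbaProject.bin", b"placeholder VBA storage")
    return buf.getvalue()


def attachment_verdict(filename, data, external_sender=True):
    """Decide what the gateway does with one Office attachment.

    Verdicts: not_ooxml, quarantine_extension_mismatch, quarantine_macro,
    allow_internal_macro, allow.
    """
    name = filename.lower()
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary .doc/.xls are OLE files and need an OLE parser; not handled here.
        return "not_ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        has_macro = any(n.lower().endswith(VBA_PART_SUFFIX) for n in z.namelist())
    if has_macro and name.endswith(MACRO_FREE_EXTENSIONS):
        return "quarantine_extension_mismatch"
    if has_macro and external_sender:
        return "quarantine_macro"
    if has_macro:
        return "allow_internal_macro"
    return "allow"


if __name__ == "__main__":
    print(attachment_verdict("ATTN_Invoice.docm", build_sample_document(True)))
    print(attachment_verdict("invoice.docx", build_sample_document(False)))
```

The check deliberately ignores the subject line and sender name, which the Locky campaigns forged freely; the presence of macro storage in the container is the property the attacker cannot hide without giving up the macro.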

Despite its high profile, ransomware is just another type of malware threatening your corporate data, reputation or bank balance. Despite all the information and warnings about not opening suspicious or unexpected email, cyber criminals are finding more and more successful ways to make their messages appear as legitimate and innocent as possible.

What You Need to Know About WannaCry Ransomware - May 2017

The WannaCry ransomware cyberattack proves that ransomware has now matured from a malicious menace to a global threat. For many people up to now, ransomware has been a foreboding threat limited to poor end user security awareness or to organizations afflicted with poor patching practices and a dearth of enforced security policies. We have written numerous times about the fact that ransomware became a $1 billion industry in 2016. A billion dollars brings a lot of interest and spotlight to something, even something as dangerous as encrypting malware. It also brings a lot of legitimacy to those who create, design, package and deliver it. Having surpassed the billion-dollar mark, ransomware was obviously not going to be a mere flash in the pan. Something big was surely going to happen in 2017, and on Friday afternoon, May 12, 2017, it did, surpassing all expectations.

Affected 150 countries and put more than 200,000 computers out of service

WannaCry delivered a crippling blow across the world, interrupting digital services and operations. It became a debilitating threat on a worldwide basis, reaching 150 countries and putting more than 200,000 computers out of service. Just as breathtaking as ransomware’s exponential growth rate over the past two years, the span and reach of the attack was both astounding and unsettling. Ransomware is traditionally encountered in some haphazard occurrence, such as a user clicking an embedded email link that was sent to him or her arbitrarily. In other cases it is the result of a serendipitous wrong-place, wrong-time event involving a drive-by website visit. In still other cases it is the result of a targeted attack on a single organization or industry; in those cases the ransomware is carefully designed and crafted to serve as a silent chameleon that gets lost in the shuffle.

Friday’s global assault was neither a random occurrence nor carefully targeted. Instead, it was a comprehensive attack driven by a self-replicating worm built on an exploit reportedly stolen from the National Security Agency (NSA) by a hacking organization that calls itself the Shadow Brokers. This self-driven worm knew no bounds, and it seems that no industry was spared.

Some of the victims included:

  • Britain’s National Health Service, where 48 hospitals were disrupted and forced to turn away patients and cancel operations. In addition, 16 organizations connected with the NHS were affected.
  • The Russian Interior Ministry reported 1,000 of its computers had been afflicted.
  • Operations for major corporations such as Nissan, French automaker Renault and FedEx were hampered.
  • Thousands of students were locked out of their theses and final papers at universities across Asia just days before graduation.
  • Throughout Spain, key infrastructure such as telecom, power and natural gas companies was infected.
  • Other countries, such as Germany, whose rail operations were disrupted, also reported ransomware infections.

The attack shows how critically important it is for companies and organizations to keep their computing devices properly patched and to retire machines that have reached end-of-life. The worm exploited a flaw in the Windows operating system that, although patched by Microsoft for current versions such as Windows 10, was left unpatched in outdated releases such as Windows XP and Windows 8. As another sign of the seriousness of this attack, Microsoft released a patch for both of those operating systems to remedy the exploit. Microsoft also released an update for Windows Defender that reports the infection as WannaCrypt.

The potential loot that the hackers may pocket could be as high as $1 billion. Though it appears unlikely that these hackers will make off with that much, the millions that they will most likely bring in will be further inducement for even more attacks on a grand scale such as this.

Petya or ExPetr Ransomware Attack

June 2017 saw a major global cyber-attack using ransomware that employed modified EternalBlue and EternalRomance exploits. Initial findings from Kaspersky suggest that it is not a variant of Petya ransomware, as publicly reported, but new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality. Kaspersky has named it "ExPetr".

This appears to be a complex attack involving several vectors of compromise. We can confirm that modified EternalBlue and EternalRomance exploits, which were used during the WannaCry ransomware attack in May, are used by the criminals for propagation within the corporate network. Kaspersky identifies the threat under the names DangerousObject.Multi.Generic, Trojan-Ransom.Win32.ExPetr.a, Trojan-Ransom.Win32.ExPetr.gen, Trojan.Win32.Generic and Exploit.Win32.Generic.

Specific steps to protect yourself from malware are:

  • Back up data often. At a minimum follow the 3-2-1 rule: keep at least three copies, on two different media, with one copy stored off-site.
  • Some ransomware infects only local drives and mapped network drives, including Dropbox. Company IT services should secure shares by allowing writable access only to the necessary user groups or authenticated users. For Dropbox, Google and iCloud drives, choose to pause syncing whenever possible.
  • IT services should block TOR, since the TOR network and TOR proxy servers are routinely used by most ransomware.
  • Make sure to scrub the malware from all devices on your network before recovering from backup.
  • Be wary of emails, even if they refer to mutual friends or familiar services; you may be the target of spear phishing. Do not click on links in emails before verifying that the website is OK, and do not download email attachments without verifying the source.
  • Keep software up-to-date. This will not protect against zero-day exploits, but it will patch the more recent vulnerabilities in your software.
  • Use multiple antivirus products to increase your chances of nipping an infection in the bud.
  • Install advanced email spam filtering.

Part 3. Should You Pay and Play When Ransomware Hits?

Most of us know that ransomware encrypts data and then demands payment to decrypt it. Attacks reached their highest historical level in April 2016 according to Enigma Software. This represented a 159 percent jump from March. Although this is an unusual surge, ransomware attacks have been increasing between 9 and 20 percent per month for a while now. There are various reasons for the increase:

  • Attackers are taking advantage of the panic caused by the highly publicized attack in February against Hollywood Presbyterian Medical Center. The hospital paid a $17,000 ransom.
  • Higher-level encryption technology such as the 2048-bit version of the RSA cryptographic algorithm has become more widely available.
  • Innovations in handling digital currencies such as Bitcoin have made it even harder to trace transfers.
  • Attackers no longer need to be tech-savvy, since most ransomware is available as packaged exploit kits.

How big a security threat is ransomware?

Public entities are panicking. The U.S. and Canadian governments jointly released a ransomware alert in March. A U.S. Senate Judiciary subcommittee held a hearing in May to explore the issue. Since Hollywood Presbyterian Medical Center is in California, it is not surprising that the state has drafted legislation to establish specific penalties for ransomware.

Fighting Ransomware – some good news

Before you panic, consider that such malware comprises less than 1 percent of total infections. There has also been a determined fight against ransomware. Here are some examples:

  • In November 2015, Kaspersky announced the ransomware variants Coinvault and Bitcryptor were dead. The alleged authors were arrested and all 14,000 decryption keys were released.
  • Recently, a hacker (of the good variety) rendered a Locky ransomware distribution harmless. Instead of demanding money, the distribution warns potential victims not to open strange files.
  • Whitehats tracked CryptoLocker and took down some of the command and control servers. Unfortunately this meant that some victims who had paid the ransom were not able to receive unlock keys.
  • Strangely enough, in May 2016 the developers of TeslaCrypt shut down the ransomware and released the master decryption key.

Paying the ransom is a business decision.

In a recent BitDefender study, half of the ransomware victims said they paid, and two-fifths of the respondents said they would pay if they were ever in that situation. Paying the ransom is not a security decision; it's a business decision. Recovering files from backup takes time and effort and can lead to lost revenue.

Should you pony up the ransom?

If you are a victim, should you pony up the ransom or not? Be warned: even if you pay, the attackers may not deliver a valid key or appropriate unlock code to free your files. According to the FBI, most organizations that pay the ransom do get access to their data. However, there is the recent experience of Kansas Heart Hospital. It was victimized on May 18 and paid, but the attackers demanded more money for the unlock key. The hospital refused to pay again.

However, there is a concern with a Cerber ransomware variant that has been discovered which can potentially “sleep” in the attacked network. At a later date it could be converted into a botnet, launching distributed denial of service (DDoS) attacks against third parties from the compromised network. Would the victims have to pay a ransom again… and again?

Can you trust criminals to unlock your data?

As with any business, it is actually in its best interest to follow through on promises. CryptoWall attackers are known for decrypting the files upon payment. They have even walked victims through the procedure to obtain bitcoins and have given victims deadline extensions to procure the ransom. Then again, other ransomware families have less reliable reputations.

IT Pros vote NO to paying

What does the law enforcement community recommend? The U.S. Federal Bureau of Investigation issued a notice in June about ransomware, advising victims to contact their local FBI field office if their data is held to ransom. But individual FBI agents have cautioned that the Bureau most often cannot decrypt the ransomed data. One agent was quoted: “The easiest thing may be to just pay the ransom.” Some business professionals suggest that paying encourages criminals to attack again and extort a higher ransom. In the same vein, some victims say that they decided to pay the ransom to preclude the attacker from causing more damage in retaliation. There seems to be no firm data supporting these positions.

The IT community in general is against paying. In a survey of the Spiceworks community, an online network of IT professionals, there was near unanimity against paying the ransom. This opinion was held even by members whose networks had been infected. These victims reported that most data was recoverable from backups, although they experienced data loss due to unmonitored and failed backups as well as the loss of between 1 and 24 hours of data since their last backup cycle. We are assuming that the organization has a choice of paying the ransom or not. But if it has no unaffected backups, there is no choice but to pay the ransom.

Give your organization the option - There is much that can be done to mitigate the damage a ransomware attack can create, and even to prevent one. TitanHQ customers are optimally protected: although ransomware gains massive media exposure, we block dangerous malware like WannaCry, Spora and Cryptolocker daily with both SpamTitan anti-spam and our content filtering solution, WebTitan. Ransomware, it seems, has matured, and that maturity brings with it an even greater threat. It’s well worth taking a look at both solutions.

Take a look into how to protect your organisation from Ransomware gangs.

Any comments or questions on this or other articles we'd be delighted to hear from you, contact us at info@titanhq.com
