Security research firm Malwarebytes had, in August, revealed that Mac and Android devices were hit by more ransomware attacks in the first half of this year compared to all of 2016, thereby signifying how this attack vector has become a weapon a choice for cyber criminals.
A number of ransomware attacks, either sponsored or motivated, have targeted the UK’s businesses, universities, hospitals, government departments and citizens.
Despite several advancements in device security and encryption patterns, today’s hackers are able to breach IT systems at universities, healthcare organisations, businesses, and government departments with increasing regularity, thereby giving rise to questions on whether the country is equipped enough to deter or defeat ransomware attacks in the future.
Here are the top ten ransomware attacks that caused great havoc in the digital world and resulted in shutting down of operations in many organisations across the UK until their solutions were found. Some of these continue to pose a major threat to citizens and businesses alike.
Even though it was probably the most destructive ransomware attack on UK’s organisations in history, WannaCry resulted in increased awareness of the threat among the citizenry and forced business leaders and the government to sit up and take notice of the fact that their cyber security practices were nowhere close to perfect.
Originating in April this year, the WannaCry ransomware disrupted operations at a large number off organisations in the UK, particularly those associated with the NHS. As per a recent report released by the National Audit Office, the ransomware impacted 81 out of 236 NHS trusts across England as well as 603 primary care and other NHS organisations, including 595 GP practices. As many as 19,000 appointments were also cancelled as a result of the attack.
Between 15 May and mid-September, NHS England identified a further 92 organisations, including 21 trusts, that were hit by the ransomware attack. 32 of the 37 NHS trusts that were effectively infected and locked out of devices were located in the North NHS Region and the Midlands & East NHS region.
Following close on the heels of WannaCry, the NotPetya ransomware affected operations at global firms like Danish shipping company Maersk, TNT, Russian oil giant Rosneft, British advertising agency WPP, Deutsche Post in Germany, French glass-manufacturer Saint-Gobain, aircraft manufacturer Antonov, US pharmaceutical giant Merck as well as its subsidiary Merck Sharp & Dohme (MSD) in the UK. It had, reportedly, also taken down Ukraine’s state power distributor and Kiev’s main airport.
Unlike WannaCry, NotPetya featured two layers of encryption, thus preventing the victim’s computers from being booted up in a live OS environment and retrieving stored information or samples. The ransomware also forcefully crashed computers to trigger reboots that rendered such computers unusable until the $300 ransom was paid.
Bad Rabbit ransomware
Originating in October this year, Bad Rabbit turned out to be among the most destructive ransomware attacks in history, disrupting several organisations in Russia, Ukraine, Turkey, and Germany.
First detected by Kaspersky Lab, Bad Rabbit wasn’t an exploit-driven attack but was, instead, a drive-by one, infecting websites with fake Adobe Flash installers. Once a user downloaded the installer and ran it manually, he/she got infected by the ransomware which proceeded to encrypt files stored on the computer.
Significantly, Bad Rabbit wasn’t discovered by most antivirus software until their makers started rolling out new software updates, thereby enabling the malware to spread its wings quickly and decisively. The ransomware also exploited various flaws in traditional endpoint security solutions to disrupt IT systems at a number of organisations.
Discovered last week by researchers at security firm Forcepoint Security Labs, the new Scarab ransomware is a potent file-encrypting ransomware distributed by hackers using the Necurs botnet. Hackers behind the operation certainly wanted to make a lot of money, for Forcepoint researchers observed the presence of the ransomware in as many as 12.5 million e-mails sent out to Internet users across the world.
The Necurs botnet, which was used to spread the ransomware, is well known to security researchers as a distributor of ransomware and has been used by various hackers since 2015. In the same year, the botnet was, after the Kelihos Trojan, the second-most frequently used attack weapon to disrupt or to hack into UK businesses.
Between October and December 2015, cyber-attacks using the Necurs botnet grew 30 times and hackers often used a destructive cocktail of Necurs and Bedep, another Trojan, to attack businesses. As such, the return of the Necurs botnet posed a major threat to businesses as well as government organisations.
Back in September, security research firm Barracuda observed as many as 27 million phishing e-mails that contained a new and destructive ransomware. According to researchers, the ransomware was designed to take control over systems and demand ransom from affected users but the hackers behind it had no intention of keeping their world after receiving money from their victims.
This was because the ransomware came with a single identifier which was being sent to all victims. This meant that even after a victim paid a ransom, there was no way the hackers could identify the victim’s system to send back decryption keys.
What made the ransomware very dangerous was that like WannaCry, it was being sent to millions of users across the globe in the form of emails. In these emails, the sender either listed himself as ‘Herbalife’ or a copier file delivery eg. ‘firstname.lastname@example.org’.
Sent from several countries including Vietnam, India, Columbia, Turkey and Greece, the new ransomware featured various abilities including the ability to encrypt files, download executables from a remote location, ability to use cryptography API, modify Windows initialisation files, deleting samples after the execution and ability to retrieve system default language identifier.