Ransomware has consistently been in the spotlight since attacks first began emerging a few years ago. Now that new and powerful samples like WannaCry are being used to infiltrate large-scale organizations, ransomware continues to grab headlines.
According to Trend Micro, one of the latest ransomware attacks involving the fearsome sample WannaCry took place in mid-August, when LG Electronics was infected. Due to the breach to the company's service centers, service kiosks had to be shut down to prevent the ransomware from infecting other systems in the business.
This instance, like many in the news lately, demonstrates the threat that ransomware can pose to businesses in any industry. The first step toward protection is awareness, including education about the latest threats. In today's ransomware update, we'll take a look at some of the newest attack styles being used today, as well as the best ways your organization can guard against ransomware.
New Locky variants discovered
Locky is a formidable ransomware sample, typically categorized in the same league as WannaCry. In late August, Trend Micro researchers discovered new variants of this sample, adding to the growing RANSOM_LOCKY family.
The variants are connected to several ransomware campaigns, backed by more than 11,600 unique IP addresses within over 130 countries. In a single day, the campaigns were responsible for more than 62,000 spammed messages, which include a malicious, attached Word document, .pdf file or image file. Once opened, the sample encourages victims to enable certain capabilities that allow the ransomware to prevent detection by some onboard security solutions. Victims are then asked to pay 1 bitcoin, or about $2,200 to $4,200 for the return of their encrypted files.
Currently, there are several Locky variants being used, including at least three versions popping up in recent weeks. In this way, Locky continues to be a top threat when it comes to ransomware infections.
"Even with payment, hackers will only decrypt half of the infected hardware systems."
SAMSAM demands increasingly costly ransom
SAMSAM, a sample that first emerged in April, appears to have been updated with new capabilities lately. According to Trend Micro, hackers now have more visibility over the infection than ever before and are tailoring their ransom demands according to the number of affected systems.
Alongside heightened reports of SAMSAM distribution, security researchers also discovered changes in ransom demands. SAMSAM requests 1.7 bitcoin, or approximately $7,267 if one machine is infected, and the ransom increases to 6 bitcoin, or more than $25,000 if more than one system is affected – and even with payment, hackers will only decrypt half of the infected hardware systems. SAMSAM demands 12 bitcoin, or $51,000, to decrypt all maliciously encrypted machines.
This case demonstrates the strong motivation behind ransomware infections. Cybercriminals are known to make considerable profit, especially with a sample like SAMSAM that demands such a considerably high ransom.
Defray targets specific industries
While every organization can be a victim of ransomware, certain samples, like the recently discovered Defray, focus on specific verticals. Trend Micro reported that Defray appears to favor victims in the health care, education, manufacturing and technology spaces, leveraging advanced phishing emails to support infection. Victims are asked to pay $5,000 for decryption, and are urged to use either email or BitMessage to communicate with hackers and organize payment.
Businesses in these industries should be particularly aware of Defray, and ensure that IT and security admins make efforts to educate employees about phishing emails and other suspicious activity.
CRYPSHED leans on the legitimacy of Amazon
One of the latest ransomware advancements centers around CRYPSHED and its new variant that disguises itself as an Amazon confirmation email. Hackers have been leveraging increasingly sophisticated messages to encourage victims to open and launch infections, and this new CRYPSHED variant falls perfectly in step with these practices. The sample's malicious email even includes the "amazon.co.uk" logo in its header, further hoping to trick victims.
Guarding against ransomware
The vast majority of ransomware samples have one thing in common: they leverage a malicious email that typically includes an infected link or attachment to launch the ransomware file within the victim's system. In this way, the best way to guard against infection is to block samples at the web and email gateways within your organizations infrastructure.
Check out this blog to find out more about protection best practices, and contact Trend Micro about advanced security solutions today.