In the digital age, the threat landscape is constantly evolving, with ransomware attacks becoming a significant concern for organizations worldwide. This article delves into some of the most notable ransomware attacks, shedding light on their impact, the victims involved, and the modus operandi of the cybercriminals behind them.
Unmasking the Ransomware Titans

| Group | Summary |
|---|---|
| WannaCry | Global cyber pandemic. Infected 200,000+ computers. |
| Sodinokibi / REvil | Notorious RaaS. Attacked JBS, Kaseya. High sophistication. |
| SamSam | Targeted high-value organizations. Used brute-force attacks. |
| LockBit | Relentless autonomous attacks. Notable victims: KNVB, Royal Mail. |
| DarkSide | Disrupted Colonial Pipeline, targeted critical infrastructure. |
| Cl0p | Exploited MOVEit vulnerability. Targeted large corporations. |
| BlackCat (ALPHV) | Double extortion techniques. Targeted multiple firms. |
| 8Base | Rapidly emerging threat. Targets various industries. |
| Snatch | Stealthy and sophisticated attacks. Evades detection. |
WannaCry Ransomware: The Global Cyber Pandemic
In May 2017, the world witnessed one of the most widespread ransomware attacks in history – the WannaCry ransomware attack by the Shadow Brokers. This cyber onslaught affected over 200,000 computers across 150 countries, causing damages ranging from hundreds of millions to billions of dollars.
High-profile victims included the UK’s National Health Service, FedEx, and Deutsche Bahn. The WannaCry cryptoworm targeted computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in Bitcoin.
Sodinokibi / REvil: The Puppet Masters of Ransomware
REvil, a ransomware-as-a-service (RaaS) operation, emerged in April 2019. It quickly gained notoriety for its attacks on JBS, the world’s largest meat producer, and Kaseya, a software company serving over 40,000 organizations worldwide.
SamSam Ransomware: The Silent Threat
Active from 2015 to 2018, the SamSam ransomware was a cybercriminal operation that targeted high-value organizations, including hospitals, schools, and cities. The perpetrators often gained access through brute-force attacks on weak passwords, encrypting data on infected systems and demanding a Bitcoin ransom. Notable victims included the City of Atlanta, Colorado Department of Transportation, and Hancock Health.
LockBit Ransomware: The RaaS Market Leader
LockBit, a notorious name in the cybersecurity world, has been making headlines with its relentless and autonomous ransomware attacks. Known victims of LockBit include the Dutch Football Association (KNVB), the British Royal Mail, Deutsche Bank, and the Dutch healthcare provider Joris Zorg.
LockBit operates on a Ransomware-as-a-Service (RaaS) model, providing tools and websites that enable affiliates to infiltrate and extort businesses. According to a study by Arctic Wolf, LockBit is the market leader among RaaS providers. On data leak sites, where victims' stolen data is published, LockBit appears four times as often as its competitor ALPHV/BlackCat.
- Royal Dutch Football Association claimed as LockBit victim
- LockBit ransomware gang claims Royal Mail cyberattack
DarkSide Ransomware: The Colonial Pipeline Attack
In May 2021, the hacker group DarkSide orchestrated a ransomware attack on the Colonial Pipeline, one of the largest fuel pipelines in the United States. The attack led to a six-day shutdown of the pipeline, causing fuel shortages and price increases and highlighting the potential for ransomware attacks to disrupt critical infrastructure.
- DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
- DarkSide Ransomware 101
Cl0p Ransomware and the MOVEit Vulnerability: The Double-Edged Sword
The Cl0p ransomware group exploited a vulnerability in the MOVEit Transfer software to gain access to victims' networks. The group targeted large corporations, encrypting their files and demanding a ransom. If the ransom was not paid, the group threatened to leak the stolen data on its "leak site". High-profile victims included Shell, the University of California, and Stanford University.
- Cl0P Ransomware: TD Ameritrade Hit
- Cl0P Ransomware Strikes Again: Top Companies Under Siege
- Cl0p Ransomware Group: A Threat Profile
- Clop Ransomware Group Claims TomTom
BlackCat (ALPHV) Ransomware
First seen in late 2021, BlackCat, also known as ALPHV, is a ransomware family that has been targeting multiple firms across industries. The operators employ double extortion techniques, which involve not only encrypting the system but also stealing sensitive files from their victims.
- Double Trouble: Estee Lauder Targeted by BlackCat and Cl0p Ransomware
- Gas Producer Sonangol Targeted: The Latest Victim of ALPHV Ransomware
- BlackCat Hackers Target Reddit: A Tale of Data, Ransom, and APIs
New heavy hitters
The 8Base ransomware group, first detected in March 2022, has rapidly emerged as a significant player in the cybercrime landscape. The group maintains a so-called "leak site" where it publishes the data of victims who refuse to pay its ransom demands.
The group has reportedly targeted ClearMedi Healthcare, a comprehensive cancer care provider based in India. The implications of this attack are severe, given the sensitive nature of healthcare data and 8Base’s broad target range, which includes business service providers, financial services, manufacturing, IT, and healthcare.
- ClearMedi Healthcare Targeted by 8base Ransomware Group
- 8Base Ransomware: The Rapidly Emerging Threat
Snatch Ransomware Gang: Striking from the Shadows
The Snatch Ransomware Gang, known for its stealthy and sophisticated cyber attacks, continues to pose a significant threat to organizations worldwide. The group’s unique approach to malware, which involves forcing infected hosts to reboot into Safe Mode, allows it to evade detection and carry out its malicious activities.
In a bold statement shared on their Telegram channel, the Snatch Ransomware Gang claims to have successfully breached the defenses of LiveAction, a company specializing in security solutions for businesses. LiveAction has reportedly suffered a devastating loss of over 280GB of sensitive data.
How To Defend Against Ransomware Attacks
Strengthening Your Cybersecurity: Best Practices
To conclude, the DHS and FBI advise users and administrators to implement the following best practices to bolster their organization’s system security. It’s crucial to review any configuration changes before implementation to prevent unintended consequences.
- Review Network Usage: Audit your network for systems using RDP for remote communication. Disable the service if unnecessary or install available patches. Consult with your technology vendors to ensure patches won’t disrupt system processes.
- Secure Cloud-Based Systems: Ensure that all cloud-based virtual machine instances with public IPs don’t have open RDP ports, particularly port 3389, unless there’s a valid business reason. Any system with an open RDP port should be placed behind a firewall, with users required to use a VPN for access.
- Implement Strong Passwords and Account Lockout Policies: This will help defend against brute force attacks.
- Apply Two-Factor Authentication: Implement this wherever possible.
- Regularly Update Systems and Software: Regular updates can prevent potential security breaches.
- Maintain a Robust Backup Strategy: Regular backups can help recover lost data in case of a ransomware attack.
- Enable and Review Logging: Ensure logging mechanisms capture RDP logins. Keep logs for at least 90 days and review them regularly to detect any intrusion attempts.
- Adhere to Best Practices for Cloud-Based Virtual Machines: When creating these machines, follow the cloud provider’s best practices for remote access.
- Regulate Third-Party Access: Ensure that third parties requiring RDP access comply with internal policies on remote access.
- Minimize Network Exposure: Where possible, disable RDP on critical devices.
- Regulate External-to-Internal RDP Connections: Use secure methods such as VPNs when external access to internal resources is required. Remember, VPNs are only as secure as the connected devices.
- Restrict User Permissions: Limit users’ ability to install and run unwanted software applications.
- Scan and Remove Suspicious Email Attachments: Ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Disable File and Printer Sharing Services: If these services are necessary, use strong passwords or Active Directory authentication.
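The logging advice above (capture RDP logons and review them for intrusion attempts) and the brute-force pattern SamSam relied on can be put into practice with a small review script. The following is an added example, not code from the DHS/FBI guidance or from any product; the log lines are constructed samples in an assumed one-line-per-event layout, and the event IDs follow the Windows Security log (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP).

```python
"""Review RDP logon events for brute-force patterns (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Field layout is assumed:
# timestamp, Windows event ID (4625 = failed logon, 4624 = success),
# LogonType (10 = RemoteInteractive, i.e. RDP), account name, source IP.
SAMPLE_EVENTS = [
    "2024-01-15T02:10:01 4625 LogonType=10 User=administrator Src=203.0.113.45",
    "2024-01-15T02:10:02 4625 LogonType=10 User=admin Src=203.0.113.45",
    "2024-01-15T02:10:03 4625 LogonType=10 User=backup Src=203.0.113.45",
    "2024-01-15T02:10:04 4625 LogonType=10 User=sqlsvc Src=203.0.113.45",
    "2024-01-15T02:10:05 4625 LogonType=10 User=helpdesk Src=203.0.113.45",
    "2024-01-15T02:10:06 4625 LogonType=10 User=backup Src=203.0.113.45",
    "2024-01-15T02:10:30 4624 LogonType=10 User=backup Src=203.0.113.45",
    "2024-01-15T02:11:00 4625 LogonType=3 User=svc Src=203.0.113.99",
    "2024-01-15T02:12:00 4625 LogonType=10 User=jsmith Src=198.51.100.7",
    "2024-01-15T02:12:40 4624 LogonType=10 User=jsmith Src=198.51.100.7",
    "2024-01-15T08:00:00 4624 LogonType=10 User=alice Src=10.0.0.5",
]

def parse_event(line):
    """Split one record into a dict; malformed input raises rather than being skipped."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "logon_type": int(kv["LogonType"]), "user": kv["User"], "src": kv["Src"]}

def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons inside a sliding window.
    A later successful RDP logon from a flagged source is the strongest signal
    (a password was guessed), so the account it used is recorded separately."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)
    alerts = {}
    for e in events:
        if e["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are reviewed here
        src = e["src"]
        if e["id"] == 4625:
            recent_failures[src] = [t for t in recent_failures[src]
                                    if e["ts"] - t <= window] + [e["ts"]]
            if len(recent_failures[src]) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "success_after": None})
                a["failures"] = max(a["failures"], len(recent_failures[src]))
        elif e["id"] == 4624 and src in alerts:
            alerts[src]["success_after"] = e["user"]
    return alerts
```

On the sample data only 203.0.113.45 is flagged: six failures across several accounts followed by a successful logon as `backup`, while the single failed attempt from 198.51.100.7 and the non-RDP (LogonType 3) failure are left alone.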