SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Webroot reveals the 8 most prevalent ransomware variants
Thu, 30th Jun 2016

Ransomware will continue to plague IT decision makers and organisations every single day - in fact there are 390,000 new variants today alone, and traditional antivirus applications are not enough to stop them as they become shapeshifters, changing form with every attack to avoid detection, says Dan Slattery, senior information security analyst at Webroot.

76% of IT decision makers across 10 countries reported security breaches in 2015, while 62% believe they will be victims of a successful attack this year. Slattery believes there are specific ransomware variants that are the most destructive and ubiquitous threats in the security landscape.

CryptoWall 4.0: Commonly distributed by phishing emails, it encrypts a user's files and randomises their names so the victim can no longer tell which file is which. The ransomware demands $700 to restore file access.

CryptXXX: Spread mainly through malvertising and hacked websites that deliver it via exploit kits. Beyond encryption, it can steal financial information from infected devices, particularly if unaware users log in to banking websites while infected. The ransomware demands $500 to restore file access.

DMA Locker: Spread in enterprise environments, often via hacked RDP credentials sold on the black market. It enumerates network shares the compromised user has permissions on, including un-mapped ones, and encrypts the data on them. Although relatively new, its aggressive nature makes it a serious threat.

KeRanger: The first common ransomware to target Macs, originally spread through a trojanised version of the Transmission BitTorrent client that was placed on the project's official website. Three days after being installed, the ransomware activates and encrypts the device.

Locky: Tracks and encrypts multiple files and renames each to a 16-character hexadecimal name of the same form, so users are unable to distinguish between files. It gives users the choice to decrypt a single file for free, demonstrating that the ransomware attackers can unlock files if users pay the fee.
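The uniform hexadecimal renaming described above is itself a detectable signal: a folder in which most files suddenly carry fixed-length hex names and one shared, unfamiliar extension looks nothing like normal user data. The following PowerShell function is an added example for this article, not code from Webroot or the original story; the 16-character length is taken from the text and exposed as a parameter because other families use different lengths, and the sample file list is constructed for the demonstration.

```powershell
# Added example: flag a Locky-style mass-rename burst in a list of file names.
# Assumptions (not from the article): hex length 16, suspicion threshold 50%
# of files and at least five hits, so a single odd file does not trigger it.

function Find-HexRenameBurst {
    param(
        [Parameter(Mandatory)] [string[]] $FileNames,
        [int]    $HexLength = 16,    # length quoted in the article; Locky-style
        [double] $Threshold = 0.5,   # fraction of files that must match
        [int]    $MinHits   = 5      # absolute floor to avoid false positives
    )

    # Basename of exactly $HexLength hex characters followed by one extension.
    $pattern = "^[0-9A-Fa-f]{$HexLength}\.[A-Za-z0-9]+$"
    $hits    = @($FileNames | Where-Object { $_ -match $pattern })

    # Encryptors append one fixed extension, so the hits cluster on it.
    $byExt = $hits |
        Group-Object { [System.IO.Path]::GetExtension($_).ToLowerInvariant() } |
        Sort-Object Count -Descending

    $ratio = if ($FileNames.Count -gt 0) { $hits.Count / $FileNames.Count } else { 0 }

    [pscustomobject]@{
        Total      = $FileNames.Count
        Matching   = $hits.Count
        Ratio      = [math]::Round($ratio, 2)
        TopExt     = if ($byExt) { $byExt[0].Name } else { $null }
        Suspicious = ($ratio -ge $Threshold -and $hits.Count -ge $MinHits)
    }
}

# Constructed sample: a Documents folder part-way through an encryption run.
# Two originals survive; the rest have been renamed to hex + one extension.
$sample = @(
    'Q3-forecast.xlsx',
    'meeting-notes.txt',
    '0A1B2C3D4E5F6071.locky',
    'F00DBABE12345678.locky',
    'DEADBEEF0BADF00D.locky',
    '0123456789ABCDEF.locky',
    'FEDCBA9876543210.locky',
    'C0FFEE00C0FFEE00.locky'
)
Find-HexRenameBurst -FileNames $sample
# Expected: Total 8, Matching 6, Ratio 0.75, TopExt .locky, Suspicious True

# Against a real folder (read-only; adjust the path for your environment):
# Find-HexRenameBurst -FileNames (Get-ChildItem "$env:USERPROFILE\Documents" -File -Recurse).Name
```

Run the real-folder form from a scheduled task or an EDR custom rule and alert when `Suspicious` is true; tune `HexLength` and `Threshold` per family, since the hex length and the appended extension differ between variants.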

PadCrypt: A ransomware with a live chat feature through which the attackers talk to users about decrypting their data once payment is made. Slattery says hackers also use the chat to fool users into believing the infection had some other cause and that they are simply helping to solve the problem.

Ransomware-as-a-Service (RaaS): This puts hacking and crime in the hands of anybody, regardless of experience. RaaS requires no coding knowledge and is sold on the dark web. It is used by less-skilled criminals, while the malware creators take a cut of up to 30% from all successful ransom payouts. Slattery says this is one of the most dangerous developments in the cyber crime market.

TeslaCrypt: Recently stamped out, it was one of the biggest and smartest attackers, evading tools such as CryptoPrevent and custom group policies to avoid detection, and it specifically targeted gamers. The ransomware survived 15 months and was responsible for 11% of successful malware attacks. It expanded from file encryption to locking users out of the entire computer until the ransom was paid.

Webroot recommends:

1.  Deploying trusted, multi-layered endpoint security

2.  Deploying backup and business continuity/disaster recovery systems, and testing that restores actually work

3.  Disabling AutoRun and Office macro features

4.  Creating strong, robust Windows group policies

5.  Educating users about malware threats
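Recommendations 3 and 4 are the ones an administrator can enforce directly. The following PowerShell is an added example for this article, not Webroot's own guidance or tooling: it sets the standard Windows policy values that turn off AutoRun/AutoPlay and the Office Trust Center policy values that stop unsigned macros from running, then reads everything back so the result can be checked. The list of Office versions, the choice of value 3 for VBAWarnings and the set of Office applications are assumptions to adjust for your estate; in a domain these same values would normally be pushed by Group Policy rather than set per machine.

```powershell
# Added example: registry-backed hardening for AutoRun and Office macros.
# Run in an elevated PowerShell session. Assumptions (not from the article):
# Office 2013 (15.0) and 2016 (16.0) are installed; Word, Excel and
# PowerPoint are the macro-capable apps in scope.

# 1. AutoRun/AutoPlay. NoDriveTypeAutoRun is a bitmask of drive types to
#    exclude; 0xFF disables AutoRun on every drive type. NoAutorun=1 stops
#    autorun.inf from being honoured at all.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun'          -Value 1    -Type DWord

# 2. Office macros. VBAWarnings: 1 = enable all, 2 = disable with
#    notification (the default), 3 = disable except digitally signed,
#    4 = disable all without notification. Values under the Policies hive
#    are greyed out in the Trust Center UI, so users cannot re-enable them.
$officeVersions = @('15.0', '16.0')              # assumption
$officeApps     = @('Word', 'Excel', 'PowerPoint') # assumption
$macroSetting   = 3                               # signed macros only

foreach ($ver in $officeVersions) {
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $macroSetting -Type DWord
        if ($ver -eq '16.0') {
            # Office 2016+: block macros in files that carry the
            # Mark-of-the-Web (email attachments, browser downloads),
            # which is exactly how phishing-delivered ransomware arrives.
            Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
        }
    }
}

# 3. Verify. Returns one row per setting with the observed value and a
#    pass/fail flag, so the script can be run again as a compliance check.
function Test-RansomwareHardening {
    $expected = @(
        @{ Path = $explorerPolicy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
        @{ Path = $explorerPolicy; Name = 'NoAutorun';          Value = 1 }
    )
    foreach ($ver in $officeVersions) {
        foreach ($app in $officeApps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $expected += @{ Path = $key; Name = 'VBAWarnings'; Value = $macroSetting }
            if ($ver -eq '16.0') {
                $expected += @{ Path = $key; Name = 'BlockContentExecutionFromInternet'; Value = 1 }
            }
        }
    }
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Path   = $e.Path
            Name   = $e.Name
            Actual = $actual
            Pass   = ($actual -eq $e.Value)
        }
    }
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Because the Office keys live under HKCU, run the macro section in each user's context (a logon script or per-user GPO) rather than once as an administrator; the AutoRun keys under HKLM apply machine-wide. Setting VBAWarnings to 3 rather than 4 keeps internally signed macros working while blocking the unsigned attachments that phishing campaigns send.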