Top Internet-Based Ransomware Attacks
- WannaCry: A ransomware attack that spread rapidly in May 2017, targeting computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
- NotPetya: A destructive ransomware variant that appeared in June 2017. It primarily affected Ukraine and targeted the Windows OS, with encryption rendering machines unusable.
- Ryuk: Known since 2018, Ryuk is a sophisticated ransomware variant targeted towards large organizations, particularly those in the healthcare sector.
- Sodinokibi (REvil): A ransomware-as-a-service (RaaS) operation responsible for numerous high-profile attacks on organizations across various sectors.
- Maze (Ransomware): Known for not only encrypting data but also exfiltrating it, threatening to publicly release the victim's data if the ransom isn't paid.
Impact and Prevention of WannaCry
The WannaCry ransomware attack in May 2017 caused an estimated $4 billion in damages worldwide. It used the EternalBlue exploit, which targets a vulnerability in the Windows SMB protocol, to propagate from machine to machine without user interaction.
To guard against attacks like WannaCry, it is vital to:
- Keep your operating system and all software updated with the latest patches and updates.
- Maintain regular backups of your important data and verify they can be restored successfully.
- Install and maintain reputable antivirus and anti-malware software to detect and block suspicious files.
- Be cautious with email attachments and links from unknown sources.
- Implement network segmentation and a least-privilege model to reduce the exposure of critical systems. Network segmentation divides a network into smaller, isolated parts to improve performance and security; Software Defined Networking (SDN) or separate routers per segment can be used to enforce the boundaries and keep them manageable.
Impact and Prevention of NotPetya
The NotPetya attack caused over $10 billion in damages globally. It propagated much like WannaCry, exploiting the EternalBlue vulnerability, but added further vectors, such as credentials harvested with the Mimikatz tool, to spread laterally within networks.
To protect against attacks like NotPetya, consider implementing the following measures:
- Ensure all systems have the latest security patches applied, especially the update for the SMB vulnerability exploited by EternalBlue.
- Disable the SMBv1 protocol on all machines unless absolutely necessary; it is obsolete and is the protocol version EternalBlue targets.
- Use robust intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor and analyze network traffic for malicious patterns.
- Conduct regular security awareness training to educate employees on recognizing phishing attempts and social engineering tactics.
- Implement strict access controls and least privilege policies to limit the impact of potential lateral movement within the network.
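The SMBv1 item above, as an added audit-and-remediate script for a Windows host (example code, not from the original article). The function names and the `-Remediate` switch are my own; the cmdlets, registry value and service names are Microsoft's documented ones for disabling SMBv1.

```powershell
# Added example: report whether SMBv1 is exposed on this host and, with -Remediate,
# turn it off. Run from an elevated PowerShell session on Windows 8.1 / Server 2012 R2
# or later (needs the SmbShare and DISM modules).
[CmdletBinding()]
param(
    [switch]$Remediate
)

function Get-Smb1Status {
    # SMBv1 can be switched on in three places: the optional feature, the SMB
    # server configuration and the legacy LanmanServer registry value.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $regVal  = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FeatureState      = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        # A missing registry value means the server defaults to SMBv1 enabled.
        RegistrySmb1      = if ($null -eq $regVal) { 'NotSet (defaults to enabled)' } else { $regVal }
        Smb1Exposed       = ($server.EnableSMB1Protocol -eq $true) -or
                            ($feature -and $feature.State -eq 'Enabled')
    }
}

function Disable-Smb1 {
    # Server side: turn SMBv1 off in the SMB server configuration and the registry.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
    # Remove the optional feature (both client and server components).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Client side: stop the SMBv1 redirector (mrxsmb10) from loading.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$before = Get-Smb1Status
$before | Format-List

if ($Remediate -and $before.Smb1Exposed) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot for the change to take full effect.'
    Get-Smb1Status | Format-List
}
```

Run without `-Remediate` first to inventory hosts; the `Smb1Exposed` field is what a fleet-wide report should aggregate before any change is pushed.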
Impact and Prevention of Ryuk (Ransomware)
Ryuk ransomware is estimated to have cost victims over $640 million. It is typically delivered in stages: the TrickBot or Emotet trojans gain initial access, and the ransomware payload is deployed afterwards.
To protect against attacks like Ryuk, the following safety measures are advisable:
- Regularly update all systems and software to patch vulnerabilities that could be exploited by trojans like TrickBot or Emotet.
- Implement comprehensive email filtering to block phishing emails containing malicious attachments or links.
- Conduct frequent data backups and ensure they are offline or stored in a way that is safe from ransomware encryption.
- Exercise caution when granting administrative privileges and adopt the principle of least privilege to reduce risk.
- Enable system-wide logging and monitoring to detect suspicious activities early and react promptly.
Impact and Prevention of Sodinokibi (REvil)
Sodinokibi (REvil) ransomware is estimated to have caused over $2 billion in damages. Its operators are known for sophisticated initial-access techniques, including exploiting vulnerabilities in remote desktop protocols, supply chain attacks, and phishing emails.
To protect against attacks like Sodinokibi, consider the following safeguards:
- Regularly apply security patches, especially focusing on vulnerabilities related to remote access technologies.
- Implement multi-factor authentication (MFA) to strengthen the security of user accounts, particularly for remote access.
- Conduct security training to raise awareness about phishing tactics and ensure employees can identify suspicious communications.
- Restrict access using network segmentation and apply the principle of least privilege to limit the potential damage of a breach.
- Maintain offline data backups to ensure that critical data can be restored without paying ransom in the event of an attack.
Impact and Prevention of Maze (Ransomware)
Maze ransomware is known for not only encrypting data but also exfiltrating it, threatening to publicly release it if the ransom is not paid. The financial cost of Maze is difficult to quantify precisely, but this double extortion technique makes it particularly damaging to organizations, because restoring from backup no longer removes the leverage.
To protect against attacks like Maze, consider implementing the following safety measures:
- Regularly update and patch all software to protect against known vulnerabilities.
- Use encryption to protect sensitive data both at rest and in transit, minimizing the impact of data exfiltration.
- Ensure comprehensive data backup strategies are in place, with backups stored offline or in a secure location not directly accessible from the network.
- Strengthen endpoint security with advanced threat detection and response tools.
- Conduct security awareness training focusing on recognizing phishing attempts and social engineering attacks, as these are common initial attack vectors for ransomware.