Illusive Blog September 12, 2016

Defend Against These 7 Dangerous Ransomware Families

By The Illusive Networks team

The subject of ransomware no longer needs an introduction. We recently looked ahead to the Advanced Ransomware Threats (ARTs) of the future, but it’s equally important to look at the topic at a lower level to understand the ransomware families that are threatening your organization.
There are many different ransomware families that attackers can use to encrypt valuable files, but these 7 are responsible for the biggest and most recent cyberattacks.

7 of the Most Dangerous Ransomware Families 

At their very cores, all ransomware families operate in a similar fashion—attackers exploit a vulnerability to penetrate their target and use their script of choice to encrypt valuable files in the hopes of collecting a ransom to decrypt them.

However, each individual ransomware family is created with slight variations that make it difficult (or impossible) for businesses to stay ahead of the malware curve.

These 7 families are particularly notable and have proven problematic for higher education, state/local government, hospitals and more:

  1. CryptXXX: The latest version of the popular CryptXXX evades detection by masking itself as a dynamic-link library (DLL) for the CyberLink PowerDVD Cinema software for Windows machines. The ransomware encrypts targeted files using a combination of RSA and RC4 and compromises the Windows Startup folder to open a ransom note every time the machine boots up.
  2. CrypMIC: This family emerged as a copycat of CryptXXX, sharing the same distribution channel (Neutrino exploit kit) and target entry point. However, CrypMIC uses AES-256 encryption to target 901 file types without autostart or persistence. Like CryptXXX, CrypMIC can challenge businesses by encrypting both local and networked drives from a single infected machine.
  3. Cerber: Using a JSON configuration file, attackers can configure the specific file extensions they wish to encrypt with Cerber’s AES encryption. The ransomware installs itself in a machine’s AppData folder, forces machines to boot in Safe Mode, and can encrypt any data found on unmapped Windows shares.
  4. Maktub Locker: Like other ransomware families, Maktub is launched through spam campaigns and encrypts files using randomly generated extensions. Where Maktub is unique is in its ability to compress files. The faster ransomware can encrypt your files, the faster attackers can reap monetary returns. By compressing files as they’re encrypted, Maktub speeds up the process and gets to monetization faster.
  5. TeslaCrypt: TeslaCrypt is designed for mass distribution. It is a commodity malware platform that is sold to groups to distribute through spam campaigns, botnets, and exploit kits. The JavaScript file that contains the malware is especially adept at evading antivirus scanners, so it’s up to individual users to identify phishing campaigns that might put them (and their companies) at risk.
  6. Chimera: While Chimera functions much the same as any other ransomware family (spam campaign delivery and targeted file encryption), it is differentiated by its demands. Chimera uses a blackmail technique called doxing: it doesn’t just threaten to deny access to files until a ransom is paid—it threatens to publish all encrypted documents publicly. This may not be a more dangerous threat to home users, but it is much more threatening to business targets.
  7. CryptFile2: Mass spam campaigns have targeted government agencies and educational institutions with CryptFile2. Rather than employing attachments to launch the malware, these campaigns used malicious links to prompt a Microsoft Word document download which, once the user enabled macros, executed the ransomware payload.

All of these ransomware families have challenged businesses across multiple industries to improve their cybersecurity practices. However, attackers have proven they can create new families at a much faster pace than security researchers can create decryption keys for them.


As Attackers Iterate Ransomware Families, Turn to Attacker-Based Defense

If you look into any of the ransomware families we’ve mentioned, you’ll notice that some of them are currently on their second or third version—or you’ll notice that some of them are merely spinoffs of other popular ransomware scripts. The second researchers create a decryption key to help companies mitigate ransomware damages, attackers tweak the scripts slightly to maintain their leverage.

To keep these iterative ransomware changes from taking your company hostage, you need a more proactive defense that targets ransomware activity as opposed to blocking specific ransomware families.
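As an added illustration of what "targeting ransomware activity" rather than a particular family can look like, the Python below scores file-activity telemetry on behaviour the families above share: many distinct files rewritten or renamed to unfamiliar extensions in a short window, with high-entropy (encrypted or compressed) content, plus a separate check for writes into the Windows Startup folder of the kind the CryptXXX description mentions. This is example code written for this post, not Illusive Networks code or any product's detection logic; the event format, the "known extension" list, the thresholds (20 files in 30 seconds, 7.0 bits/byte), and the sample events are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float          # seconds since an arbitrary epoch (constructed telemetry format)
    pid: int           # process that performed the operation
    op: str            # "write" or "rename"
    path: str          # path after the operation
    data: bytes = b""  # bytes written (empty for renames)


# Extensions this demo treats as ordinary user documents (constructed list, tune per environment).
KNOWN_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}
STARTUP_MARKER = "/start menu/programs/startup/"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8.0, English prose near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def extension(path: str) -> str:
    p = _norm(path)
    dot = p.rfind(".")
    return p[dot:] if dot > p.rfind("/") else ""


def score_processes(events, window=30.0, min_files=20, min_entropy=7.0):
    """Per pid: the largest number of distinct suspicious files touched in any
    `window`-second span, and whether that count reaches `min_files`.
    A file is suspicious if it is renamed to an unknown extension, or if
    high-entropy data is written to a path with an unknown extension."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    verdicts = {}
    for pid, evs in by_pid.items():
        hits = []
        for e in sorted(evs, key=lambda ev: ev.ts):
            if extension(e.path) in KNOWN_EXT:
                continue
            if e.op == "rename" or (e.op == "write" and shannon_entropy(e.data) >= min_entropy):
                hits.append((e.ts, _norm(e.path)))
        best, start = 0, 0
        for end in range(len(hits)):           # sliding window over time-ordered hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        verdicts[pid] = {"max_in_window": best, "flagged": best >= min_files}
    return verdicts


def startup_persistence(events):
    """Writes into a Windows Startup folder, the persistence trick described for CryptXXX."""
    return [(e.pid, e.path) for e in events
            if e.op == "write" and STARTUP_MARKER in _norm(e.path)]


def build_sample_events():
    """Constructed telemetry: one benign process (pid 1001) and one ransomware-like process (pid 4242)."""
    text = b"Quarterly revenue by region, see attached tables. " * 80
    cipher = bytes(range(256)) * 16  # entropy exactly 8.0 bits/byte, stands in for ciphertext
    events = [FileEvent(10.0 + i, 1001, "write", f"C:\\Users\\alice\\Documents\\memo{i}.docx", text)
              for i in range(5)]
    # A backup tool writing one archive: high entropy and unknown extension, but a single file only.
    events.append(FileEvent(20.0, 1001, "write", "C:\\Users\\alice\\Documents\\backup.zip", cipher))
    # Bulk rewrite of a network share with random-looking extensions (constructed, not any real family's format).
    events += [FileEvent(100.0 + 0.2 * i, 4242, "write", f"\\\\fileserver\\finance\\report{i}.xlsx.k7q2x", cipher)
               for i in range(40)]
    # Shortcut dropped in the Startup folder so a ransom note reopens at boot (constructed path).
    events.append(FileEvent(108.5, 4242, "write",
                            "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\note.lnk"))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    for pid, verdict in score_processes(evs).items():
        print(pid, verdict)
    print("startup writes:", startup_persistence(evs))
```

The count threshold is what keeps the benign backup archive from being flagged: a single high-entropy file with an odd extension is normal, forty of them in eight seconds is not. In a real deployment the events would come from a file-system minifilter, auditd, or an EDR agent rather than a constructed list, and the thresholds would be tuned against each environment's baseline.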

Ransoms may be relatively small today, but as ARTs come into play they will increase exponentially. If you want to learn how the illusive networks® Advanced Ransomware Guard™ can help you turn the tables on ransomware attacks, contact us today for a free demo.

