Ransom and Ransomware revisited


In Here to Stay, you read that this kind of malware is the worst of the worst. You remember that ransomware is malicious software that seizes control of a victim’s data or device and issues an ultimatum: pay the perpetrator or suffer the consequences. According to the 2023 IBM Security X-Force Threat Intelligence Index, ransomware accounted for 17 percent of all incidents recorded in 2022. Early ransomware simply demanded payment in exchange for the decryption key needed to regain access to the encrypted data or the affected device. Organizations could blunt the financial impact of such attacks, and often avoid paying at all, by maintaining regular or continuous backups and practising restoring from them. In recent years, however, ransomware has undergone a sinister transformation, with double-extortion and triple-extortion tactics that significantly raise the stakes. Double extortion adds the threat of stealing the victim’s data before encrypting it and publishing it online if the ransom is not paid, so a good backup no longer neutralizes the attacker’s leverage. Triple extortion goes further, using the stolen data to pressure or directly target the victim’s customers and business partners. Even organizations that safeguard their data diligently, and that previously had no reason to consider paying, now face that choice. We are now going to take a historical look at five of the biggest attacks carried out by this menace.


NotPetya – an estimated $10 billion in damages


In June 2017 the ExPetr outbreak, better known as NotPetya, swept across the world, unleashing disruption on an unprecedented scale. Unlike conventional ransomware, NotPetya was not built to extort money; its objective was destruction. It was seeded through a trojanized software update for M.E.Doc, a tax accounting package used widely in Ukraine, which makes it an early and very costly example of a software supply-chain attack. Although aimed at Ukraine, it proved far too potent to be confined within those borders. It soon became apparent that NotPetya was a wolf in sheep’s clothing: a destructive wiper masquerading as ransomware. Its ransom note asked for $300 in Bitcoin, but the “installation key” it displayed was random data from which no decryption key could be derived, and the contact e-mail address was shut down by its provider within hours, so even victims willing to pay had no way to recover their files. NotPetya targeted Windows systems, exploiting the SMBv1 vulnerability known as EternalBlue, which WannaCry had infamously leveraged just a month earlier. It spread with astonishing speed, overwriting the master boot record (MBR) with its own bootloader and encrypting the NTFS master file table so that affected machines could no longer boot. Once inside a network it used an array of techniques, including a Mimikatz-style credential-theft component combined with PsExec and WMI, to harvest credentials and move laterally; this meant that fully patched machines were still infected whenever a neighbouring host held reusable administrator credentials, a caveat worth remembering when patching is treated as the only control. Prominent global entities such as the shipping giant Maersk and the pharmaceutical titan Merck suffered the most severe blows, with Maersk alone reporting losses of approximately $300 million. The overall financial toll was estimated at $10 billion, solidifying NotPetya’s status as the costliest known cyberattack in history.


WannaCry – an estimated $4 billion in damages


In May 2017 the world was rocked by the WannaCry ransomware outbreak, which reached across 150 countries and left more than 200,000 compromised computers in its wake. Initial estimates of the cost hovered around $4 billion, and some commentators went as far as to claim that potential future losses in the United States alone could surpass $7 trillion. WannaCry’s infamy stemmed from its remarkably effective spreading mechanism and its exploitation of a critical vulnerability. It capitalized on a flaw in Microsoft’s implementation of the SMBv1 protocol, attacked with an exploit known as EternalBlue. That exploit was widely believed to have been developed by the United States National Security Agency (NSA) and was leaked to the world in April 2017 by a shadowy group known as the Shadow Brokers. Microsoft had already fixed the underlying flaw in its MS17-010 security update two months earlier, in March 2017; the machines that fell were those that had not been patched or that ran end-of-life versions of Windows, which is why the outbreak is remembered as much as a patch-management failure as a malware success. Like most ransomware, WannaCry encrypted the files on a victim’s computer, rendering them inaccessible. Once the files were locked, it displayed a notification informing the victim of the encryption and demanding payment in Bitcoin in exchange for the decryption key. The standard demand was $300, doubling to $600 if payment was not made within three days, with a threat to delete the files after a week. After infecting a system, WannaCry behaved as a worm, scanning the local network and the internet for further vulnerable hosts and replicating itself without any user interaction. This allowed it to propagate globally within hours, disrupting healthcare (including the UK’s National Health Service), finance, logistics and transportation networks. The outbreak was slowed when a security researcher registered an unregistered domain that the malware checked before running, which turned out to act as a kill switch.


GandCrab – $2 billion in claimed ransom payments


In 2018 GandCrab surfaced as a formidable presence, swiftly becoming one of the most prevalent and financially rewarding ransomware families. What set it apart was its Ransomware-as-a-Service (RaaS) model: the malware was licensed to affiliates who ran their own campaigns and handed a cut of the proceeds to GandCrab’s developers, a division of labour that most major ransomware operations have copied since. It was distributed mainly through phishing emails and exploit kits, notably GrandSoft and RIG. Once on a victim’s system, GandCrab encrypted files and demanded payment, initially in the Dash cryptocurrency and later also in Bitcoin, as the only means of decrypting them. Its operators announced their retirement in mid-2019, claiming the operation had collected more than $2 billion in ransom payments; free decryptors released through the No More Ransom project allowed many victims to recover their files without paying.


Locky – an estimated $1 billion


Locky, most active from 2016 to 2018, stands out as one of the most prolific ransomware strains, spread through enormous phishing campaigns sent from the Necurs botnet. It arrived as deceptive emails carrying a malicious Word document attachment (and, later, JavaScript and other script attachments inside zip archives). When an unwitting user opened the document and enabled macros, the macro downloaded and launched the ransomware payload. Locky encrypted a wide range of data file formats, renaming each file to an opaque identifier with a .locky extension, and demanded payment in Bitcoin for decryption. Particularly damaging was its ability to encrypt files on mapped and unmapped network shares, so a single infected workstation could take down a whole department’s shared drives. Locky used a hybrid scheme: each file was encrypted with a symmetric AES key, and that key was in turn encrypted with an RSA-2048 public key whose private half never left the operators’ servers, so the victim’s files stayed inaccessible until the ransom, typically 0.5 to 1 Bitcoin, was paid.
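The hybrid RSA-plus-AES construction described above, as an added example that is neither Locky’s code nor code from this page: it generates an “attacker” RSA key pair, encrypts a constructed sample file with a fresh AES-256-GCM key, wraps that key under the attacker’s public key, and then shows that an unrelated private key cannot unwrap it while the attacker’s key can. The function names, the use of GCM, the 2048-bit key size and the lockedFile layout are assumptions for illustration (Locky itself used AES-128 and RSA-2048 with its own file format).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// lockedFile is an assumed, illustrative layout; Locky's real file format
// is not reproduced here. Without the attacker's RSA private key the
// wrappedKey cannot be opened, so the ciphertext is unrecoverable.
type lockedFile struct {
	wrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the attacker's public key
	nonce      []byte // AES-GCM nonce, unique per file
	ciphertext []byte // encrypted file body with the GCM authentication tag appended
}

// encryptFile is the ransomware side: a fresh random AES-256 key per file,
// the file body sealed with AES-GCM, and the key wrapped with RSA-OAEP.
// The private key is never present on the victim machine.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*lockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &lockedFile{wrappedKey: wrapped, nonce: nonce, ciphertext: ciphertext}, nil
}

// decryptFile is what the operators' decryptor does once the ransom is
// paid: unwrap the file key with the private key, then open the body.
func decryptFile(priv *rsa.PrivateKey, lf *lockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.nonce, lf.ciphertext, nil)
}

// RoundTrip encrypts plaintext under an "attacker" key pair and tries to
// recover it first with an unrelated key pair and then with the attacker's
// own. It returns the recovered bytes, the error from the wrong-key attempt
// (expected to be non-nil), and any unexpected failure.
func RoundTrip(plaintext []byte) (recovered []byte, wrongKeyErr error, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	bystander, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	lf, err := encryptFile(&attacker.PublicKey, plaintext)
	if err != nil {
		return nil, nil, err
	}
	if len(plaintext) > 0 && bytes.Contains(lf.ciphertext, plaintext) {
		return nil, nil, errors.New("plaintext visible in ciphertext")
	}
	_, wrongKeyErr = decryptFile(bystander, lf) // OAEP padding check fails
	recovered, err = decryptFile(attacker, lf)
	return recovered, wrongKeyErr, err
}

func main() {
	// Constructed sample "file" contents; not real victim data.
	sample := []byte("Q3 payroll export, constructed sample for this example")
	recovered, wrongKeyErr, err := RoundTrip(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrong private key rejected: %v\n", wrongKeyErr != nil)
	fmt.Printf("attacker key recovers file: %v\n", bytes.Equal(recovered, sample))
}
```

The point to take from the example is the asymmetry: everything needed to encrypt (the public key) ships inside the malware, while everything needed to decrypt (the private key) stays with the operators, so no amount of reverse engineering the sample on the victim side yields the file keys. Backups, or a leak of the operators’ private key, are the only routes back.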


REvil – $70 million ransom demand


REvil, also known as Sodinokibi, emerged as a prominent ransomware group in 2019, but its most disruptive campaigns unfolded in 2020 and 2021. Its tactics were refined over time, but the main ways in were exploiting software vulnerabilities, tricking users into running the ransomware via phishing emails, and abusing weak or exposed Remote Desktop Protocol (RDP) services. Once inside a network, REvil moved laterally, escalated privileges to obtain administrative control, and then deployed the ransomware to encrypt files across the compromised systems. Its hallmark was double extortion: before encrypting anything, the group exfiltrated sensitive data from the target network; after encryption it demanded a ransom for the decryption key, and if the victim hesitated or refused it threatened to publish the stolen data on its “Happy Blog” leak site. One of the most infamous incidents attributed to REvil was the Kaseya VSA supply-chain attack of July 2021. REvil exploited a zero-day vulnerability in the on-premises Kaseya VSA server, a remote monitoring and management tool used by managed service providers, and abused the product’s own software-deployment feature to push ransomware to those providers’ customers, affecting up to 1,500 businesses worldwide; the group demanded $70 million for a universal decryptor. Another notable attack hit JBS, the world’s largest meat processing company, in May 2021. REvil reportedly gained its foothold through a spear-phishing campaign and ultimately coerced JBS into paying $11 million to forestall the disclosure of sensitive data.


I’ve worked in the professional IT support industry for more than 20 years, having witnessed first-hand the exponential rise in cybercrime. I also know what we need to do to protect ourselves from bad actors. You don’t need to fret about falling prey to hackers through a phishing or ransomware attack. I’m here to help you get your cybersecurity and cyber hygiene into shape. Contact me today and let me show you how.


