Ransomware scams have become a serious threat to individuals and organizations worldwide. These attacks involve encrypting the victim’s data and demanding a ransom for its release. This article will discuss ten types of ransomware scams, methods for prevention, provide a Q&A section, offer examples, and explain how to report such incidents.
10 Types of Ransomware Scams
CryptoLocker
One of the first widespread ransomware attacks, CryptoLocker used strong encryption and demanded Bitcoin payments for the decryption key.
CryptoLocker is a type of ransomware that first appeared in 2013. It is a particularly virulent strain of ransomware that encrypts the victim’s files and demands payment in exchange for the decryption key. Once the victim’s files are encrypted, they are unable to access them unless they pay the ransom.
CryptoLocker typically spreads through phishing emails that contain malicious attachments or links to infected websites. Once the victim clicks on the attachment or link, the ransomware is downloaded and installed on their computer, and begins to encrypt files.
CryptoLocker uses strong encryption algorithms to encrypt the victim’s files, making it extremely difficult to recover the data without the decryption key. The ransom demanded by CryptoLocker is usually paid in Bitcoin or other cryptocurrencies, which makes it difficult to trace the payment and identify the attacker.
It’s important to note that paying the ransom does not guarantee that the victim’s files will be decrypted. In some cases, the attacker may not provide the decryption key even after receiving the payment, or the decryption key may not work properly. The best way to protect against CryptoLocker and other types of ransomware is to maintain up-to-date backups of your important data and to be vigilant against phishing emails and other forms of malware.
WannaCry
WannaCry is a ransomware cryptoworm that targeted computers running the Microsoft Windows operating system. It encrypts data and demands a ransom payment in the Bitcoin cryptocurrency. The WannaCry ransomware attack was a worldwide cyberattack in May 2017. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack.
WannaCry spread rapidly through organizations that had not patched their Windows systems. It infected over 200,000 computers in over 150 countries. The attack caused widespread disruption, including the closure of schools, hospitals, and businesses.
The WannaCry ransomware attack was a major wake-up call for organizations around the world. It highlighted the importance of patching software vulnerabilities and having a strong cybersecurity posture.
Here are some of the key features of WannaCry:
- It is a ransomware cryptoworm, which means that it can spread automatically without victim participation.
- It uses EternalBlue to exploit vulnerabilities in the Windows operating system.
- It encrypts files on the hard drives of Windows devices so users can’t access them.
- It demands a ransom payment of between $300 to $600 in bitcoin within three days to decrypt the files.
If you think your computer has been infected with WannaCry, there are a few things you can do:
- Do not pay the ransom. There is no guarantee that you will receive the decryption keys even if you pay.
- Back up your files. If you have a recent backup, you can restore your files from the backup.
- Scan your computer with antivirus software. Antivirus software may be able to remove the ransomware from your computer.
- Report the attack to the authorities. This will help them to track down the attackers and bring them to justice.
The WannaCry ransomware attack was a major cyberattack, but it can be prevented. By patching software vulnerabilities and having a strong cybersecurity posture, you can help to protect your organization from ransomware attacks.
Sources
en.wikipedia.org/wiki/WannaCry_ransomware_attack
Petya/NotPetya
Petya and NotPetya are two strains of ransomware that were first discovered in 2016 and 2017, respectively. Both strains are known for their ability to encrypt files on a victim’s computer and demand a ransom payment in order to decrypt them. However, there are some key differences between the two strains.
Petya is a file-encrypting ransomware, while NotPetya is a disk-wiping ransomware. This means that Petya only encrypts the files on a victim’s computer, while NotPetya also overwrites the Master Boot Record (MBR), which is the part of a computer’s hard drive that tells the computer how to boot up. This makes it much more difficult to recover from a NotPetya infection, as the victim’s computer will not be able to boot up at all.
Another key difference between Petya and NotPetya is the way they spread. Petya spreads through a variety of methods, including email attachments, malicious websites, and USB drives. NotPetya, on the other hand, spreads through a vulnerability in the Windows OS called EternalBlue. This vulnerability was originally developed by the NSA, but it was stolen and leaked by a group called The Shadow Brokers in April 2017.
The NotPetya attack was particularly devastating, as it infected computers in over 60 countries and caused billions of dollars in damage. The attack targeted a wide range of organizations, including businesses, hospitals, and government agencies.
If you think your computer has been infected with Petya or NotPetya, there are a few things you can do:
- Do not pay the ransom. There is no guarantee that you will receive the decryption keys even if you pay.
- Back up your files. If you have a recent backup, you can restore your files from the backup.
- Scan your computer with antivirus software. Antivirus software may be able to remove the ransomware from your computer.
- Report the attack to the authorities. This will help them to track down the attackers and bring them to justice.
The Petya and NotPetya attacks were major cyberattacks, but they can be prevented. By patching software vulnerabilities and having a strong cybersecurity posture, you can help to protect your organization from ransomware attacks.
Locky
Locky is a ransomware malware that was first discovered in February 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase “Enable macro if data encoding is incorrect,” a social engineering technique.
Once the macros are enabled, Locky encrypts the victim’s files using a combination of RSA-2048 and AES-128 encryption. The encryption keys are generated on the server side, making manual decryption impossible. Locky can encrypt files on all fixed drives, removable drives, network and RAM disk drives.
After the files are encrypted, Locky displays a ransom note that demands a payment in Bitcoin in exchange for the decryption keys. The ransom note typically includes the victim’s name, email address, and a countdown timer. If the ransom is not paid within the specified time period, the decryption keys will be deleted and the victim’s files will be lost permanently.
Locky has been used to attack a wide range of organizations, including businesses, hospitals, and government agencies. The attacks have caused millions of dollars in damage.
There are a few things that you can do to protect yourself from Locky:
- Do not open email attachments from unknown senders.
- Be careful about enabling macros in Microsoft Word documents.
- Keep your software up to date, including your antivirus software.
- Back up your files regularly.
If you think that your computer has been infected with Locky, there are a few things you can do:
- Do not pay the ransom. There is no guarantee that you will receive the decryption keys even if you pay.
- Back up your files. If you have a recent backup, you can restore your files from the backup.
- Scan your computer with antivirus software. Antivirus software may be able to remove the ransomware from your computer.
- Report the attack to the authorities. This will help them to track down the attackers and bring them to justice.
Locky is a serious threat, but it can be prevented. By following these safety tips, you can help to protect yourself from this ransomware.
Sources
Cerber
Cerber is a ransomware-as-a-service (RaaS) malware that was first discovered in March 2016. It is a modular malware, which means that it can be customized to target specific organizations or industries. Cerber is spread through a variety of methods, including email attachments, malicious websites, and USB drives.
Once Cerber is installed on a victim’s computer, it encrypts the victim’s files using a combination of RSA-2048 and AES-128 encryption. The encryption keys are generated on the server side, making manual decryption impossible. Cerber can encrypt files on all fixed drives, removable drives, network and RAM disk drives.
After the files are encrypted, Cerber displays a ransom note that demands a payment in Bitcoin in exchange for the decryption keys. The ransom note typically includes the victim’s name, email address, and a countdown timer. If the ransom is not paid within the specified time period, the decryption keys will be deleted and the victim’s files will be lost permanently.
Cerber has been used to attack a wide range of organizations, including businesses, hospitals, and government agencies. The attacks have caused millions of dollars in damage.
There are a few things that you can do to protect yourself from Cerber:
- Do not open email attachments from unknown senders.
- Be careful about enabling macros in Microsoft Word documents.
- Keep your software up to date, including your antivirus software.
- Back up your files regularly.
If you think that your computer has been infected with Cerber, there are a few things that you can do:
- Do not pay the ransom. There is no guarantee that you will receive the decryption keys even if you pay.
- Back up your files. If you have a recent backup, you can restore your files from the backup.
- Scan your computer with antivirus software. Antivirus software may be able to remove the ransomware from your computer.
- Report the attack to the authorities. This will help them to track down the attackers and bring them to justice.
Cerber is a serious threat, but it can be prevented. By following these safety tips, you can help to protect yourself from this ransomware.
Here are some additional details about Cerber:
- It is a highly sophisticated malware that is constantly being updated.
- It is very difficult to remove from a computer.
- There is no guarantee that paying the ransom will result in the decryption of your files.
If you think that your computer has been infected with Cerber, it is important to contact a professional cybersecurity firm for help.
Ryuk
Ryuk is a type of ransomware that was first discovered in 2018. It is a targeted ransomware, meaning that it is specifically designed to attack large organizations. Ryuk is known for its high ransom demands, which can reach into the hundreds of thousands of dollars.
Ryuk is spread through a variety of methods, including phishing emails, malicious websites, and USB drives. Once it is installed on a victim’s computer, Ryuk encrypts the victim’s files using a strong encryption algorithm. The encryption keys are stored on the attacker’s servers, making it impossible for the victim to decrypt the files without paying the ransom.
After the files are encrypted, Ryuk displays a ransom note that demands a payment in Bitcoin in exchange for the decryption keys. The ransom note typically includes the victim’s name, email address, and a countdown timer. If the ransom is not paid within the specified time period, the decryption keys will be deleted and the victim’s files will be lost permanently.
Ryuk has been used to attack a wide range of organizations, including businesses, hospitals, and government agencies. The attacks have caused millions of dollars in damage.
There are a few things that you can do to protect yourself from Ryuk:
- Do not open email attachments from unknown senders.
- Be careful about enabling macros in Microsoft Word documents.
- Keep your software up to date, including your antivirus software.
- Back up your files regularly.
If you think that your computer has been infected with Ryuk, there are a few things that you can do:
- Do not pay the ransom. There is no guarantee that you will receive the decryption keys even if you pay.
- Back up your files. If you have a recent backup, you can restore your files from the backup.
- Scan your computer with antivirus software. Antivirus software may be able to remove the ransomware from your computer.
- Report the attack to the authorities. This will help them to track down the attackers and bring them to justice.
Ryuk is a serious threat, but it can be prevented. By following these safety tips, you can help to protect yourself from this ransomware.
Here are some additional details about Ryuk:
- It is a highly sophisticated malware that is constantly being updated.
- It is very difficult to remove from a computer.
- There is no guarantee that paying the ransom will result in the decryption of your files.
If you think that your computer has been infected with Ryuk, it is important to contact a professional cybersecurity firm for help.
Sodinokibi/REvil
Sodinokibi/REvil is a ransomware-as-a-service (RaaS) operation that was active from April 2019 to January 2022. It is considered to be one of the most sophisticated and dangerous ransomware families in existence.
REvil ransomware encrypts files on a victim’s computer and demands a ransom payment in exchange for the decryption key. The ransom is typically paid in Bitcoin. REvil ransomware is also known for its aggressive tactics, such as threatening to publish stolen data if the ransom is not paid.
In July 2021, REvil ransomware was responsible for a major attack on Kaseya, a software company that provides IT management services to businesses. The attack affected over 1,500 businesses worldwide, and resulted in the loss of data for many of those businesses.
In January 2022, the Russian Federal Security Service (FSB) announced that they had dismantled the REvil ransomware operation and arrested several of its members. However, it is possible that the REvil ransomware operation will continue under a different name.
Here are some of the key features of Sodinokibi/REvil ransomware:
- It is highly sophisticated and difficult to detect.
- It can encrypt files on a victim’s computer without the victim’s knowledge.
- It demands a ransom payment in exchange for the decryption key.
- It is known for its aggressive tactics, such as threatening to publish stolen data if the ransom is not paid.
If you think that your computer has been infected with Sodinokibi/REvil ransomware, there are a few things you can do:
- Do not pay the ransom. Paying the ransom will only encourage the attackers to continue their criminal activities.
- Back up your data. If you have a recent backup of your data, you can restore it after the ransomware is removed.
- Contact a security professional. A security professional can help you to remove the ransomware and restore your data.
Here are some tips to help you protect your computer from Sodinokibi/REvil ransomware:
- Keep your software up to date. Software updates often include security patches that can help to protect your computer from ransomware attacks.
- Use a firewall and antivirus software. A firewall can help to block unauthorized access to your computer, and antivirus software can help to detect and remove ransomware infections.
- Be careful about what emails you open and what links you click on. Ransomware attackers often use phishing emails to trick people into clicking on malicious links.
- Back up your data regularly. If your computer is infected with ransomware, you can restore your data from a recent backup.
Maze
Maze ransomware is a type of malware that encrypts files on a victim’s computer and demands a ransom payment in exchange for the decryption key. The ransom is typically paid in Bitcoin. Maze ransomware is also known for its aggressive tactics, such as threatening to publish stolen data if the ransom is not paid.
Maze ransomware was first seen in May 2019, and it quickly became one of the most active ransomware families in the world. It has been used to attack a wide range of victims, including businesses, government agencies, and individuals.
Maze ransomware is typically distributed via email phishing or spear phishing attacks. The attacker will send an email that appears to be from a legitimate source, such as a bank or a government agency. The email will contain a malicious attachment or link that, when clicked, will download the Maze ransomware onto the victim’s computer.
Once Maze ransomware is installed on a victim’s computer, it will encrypt all of the files on the computer. The encrypted files will be renamed with a .maze extension. The ransomware will then display a ransom note that demands a ransom payment in exchange for the decryption key.
If the ransom is not paid, the attacker may publish the victim’s stolen data. This could include sensitive financial information, personal data, or intellectual property.
There is no guarantee that paying the ransom will result in the victim receiving the decryption key. In some cases, the attackers have simply taken the money and disappeared.
The best way to protect your computer from Maze ransomware is to keep your software up to date, use a firewall and antivirus software, and be careful about what emails you open and what links you click on. You should also back up your data regularly so that you can restore it if your computer is infected with ransomware.
Here are some additional tips to help you protect your computer from Maze ransomware:
- Be suspicious of any emails that you receive from unknown senders.
- Do not open attachments or click on links in emails from unknown senders.
- Keep your software up to date. Software updates often include security patches that can help to protect your computer from ransomware attacks.
- Use a firewall and antivirus software. A firewall can help to block unauthorized access to your computer, and antivirus software can help to detect and remove ransomware infections.
- Back up your data regularly. If your computer is infected with ransomware, you can restore your data from a recent backup.
If you think that your computer has been infected with Maze ransomware, there are a few things you can do:
- Do not pay the ransom. Paying the ransom will only encourage the attackers to continue their criminal activities.
- Back up your data. If you have a recent backup of your data, you can restore it after the ransomware is removed.
- Contact a security professional. A security professional can help you to remove the ransomware and restore your data.
DoppelPaymer
DoppelPaymer is a type of ransomware that encrypts files on a victim’s computer and demands a ransom payment in exchange for the decryption key. The ransom is typically paid in Bitcoin. DoppelPaymer is also known for its aggressive tactics, such as threatening to publish stolen data if the ransom is not paid.
DoppelPaymer was first seen in April 2019, and it quickly became one of the most active ransomware families in the world. It has been used to attack a wide range of victims, including businesses, government agencies, and individuals.
DoppelPaymer is typically distributed via email phishing or spear phishing attacks. The attacker will send an email that appears to be from a legitimate source, such as a bank or a government agency. The email will contain a malicious attachment or link that, when clicked, will download the DoppelPaymer ransomware onto the victim’s computer.
Once DoppelPaymer is installed on a victim’s computer, it will encrypt all of the files on the computer. The encrypted files will be renamed with a .doppeled extension. The ransomware will then display a ransom note that demands a ransom payment in exchange for the decryption key.
If the ransom is not paid, the attacker may publish the victim’s stolen data. This could include sensitive financial information, personal data, or intellectual property.
There is no guarantee that paying the ransom will result in the victim receiving the decryption key. In some cases, the attackers have simply taken the money and disappeared.
The best way to protect your computer from DoppelPaymer is to keep your software up to date, use a firewall and antivirus software, and be careful about what emails you open and what links you click on. You should also back up your data regularly so that you can restore it if your computer is infected with ransomware.
Here are some additional tips to help you protect your computer from DoppelPaymer:
- Be suspicious of any emails that you receive from unknown senders.
- Do not open attachments or click on links in emails from unknown senders.
- Keep your software up to date. Software updates often include security patches that can help to protect your computer from ransomware attacks.
- Use a firewall and antivirus software. A firewall can help to block unauthorized access to your computer, and antivirus software can help to detect and remove ransomware infections.
- Back up your data regularly. If your computer is infected with ransomware, you can restore your data from a recent backup.
If you think that your computer has been infected with DoppelPaymer, there are a few things you can do:
- Do not pay the ransom. Paying the ransom will only encourage the attackers to continue their criminal activities.
- Back up your data. If you have a recent backup of your data, you can restore it after the ransomware is removed.
- Contact a security professional. A security professional can help you to remove the ransomware and restore your data.
Egregor
Egregor is a type of ransomware that was first seen in September 2020. It is a variant of the Sekhmet ransomware family, and it is known for its aggressive tactics, such as threatening to publish stolen data if the ransom is not paid.
Egregor is typically distributed via email phishing or spear phishing attacks. The attacker will send an email that appears to be from a legitimate source, such as a bank or a government agency. The email will contain a malicious attachment or link that, when clicked, will download the Egregor ransomware onto the victim’s computer.
Once Egregor is installed on a victim’s computer, it will encrypt all of the files on the computer. The encrypted files will be renamed with a .egregor extension. The ransomware will then display a ransom note that demands a ransom payment in exchange for the decryption key.
If the ransom is not paid, the attacker may publish the victim’s stolen data. This could include sensitive financial information, personal data, or intellectual property.
There is no guarantee that paying the ransom will result in the victim receiving the decryption key. In some cases, the attackers have simply taken the money and disappeared.
The best way to protect your computer from Egregor is to keep your software up to date, use a firewall and antivirus software, and be careful about what emails you open and what links you click on. You should also back up your data regularly so that you can restore it if your computer is infected with ransomware.
Here are some additional tips to help you protect your computer from Egregor:
- Be suspicious of any emails that you receive from unknown senders.
- Do not open attachments or click on links in emails from unknown senders.
- Keep your software up to date. Software updates often include security patches that can help to protect your computer from ransomware attacks.
- Use a firewall and antivirus software. A firewall can help to block unauthorized access to your computer, and antivirus software can help to detect and remove ransomware infections.
- Back up your data regularly. If your computer is infected with ransomware, you can restore your data from a recent backup.
If you think that your computer has been infected with Egregor, there are a few things you can do:
- Do not pay the ransom. Paying the ransom will only encourage the attackers to continue their criminal activities.
- Back up your data. If you have a recent backup of your data, you can restore it after the ransomware is removed.
- Contact a security professional. A security professional can help you to remove the ransomware and restore your data.
The name Egregor comes from the occult world and is defined as “a group effort to conjure up a magical spirit.” It can also refer to a psychic connection between members of a group. The word is also sometimes spelled as egregore.
Egregor ransomware is a serious threat, and it is important to take steps to protect your computer from it. By following the tips above, you can help to keep your computer safe from this and other types of ransomware.
Prevention
To protect yourself from ransomware scams:
- Keep your operating system and software up to date with the latest security patches.
- Install a reputable antivirus software and keep it updated.
- Use strong, unique passwords and enable multi-factor authentication wherever possible.
- Regularly back up your data to an external storage device or cloud service.
- Be cautious when opening email attachments or clicking on links from unknown sources.
- Educate yourself and your employees about the risks of phishing and social engineering.
- Limit access to sensitive data and use the principle of least privilege.
- Implement network segmentation to limit the spread of malware.
- Regularly audit and monitor your network for signs of intrusion.
- Develop an incident response plan to handle ransomware and other cybersecurity threats.
Common Signs Of a Ransomware Attack?
Here are some common signs of a ransomware attack:
- Unusual file extensions: Ransomware often encrypts the victim’s files and adds a new extension to the filenames, indicating that they have been encrypted. For example, “.encrypted”, “.locked” or “.crypt”.
- Unusual pop-up messages: Ransomware may display pop-up messages claiming that the victim’s files have been encrypted and demanding payment in exchange for the decryption key.
- Unresponsive system or programs: Ransomware may slow down the victim’s computer or cause programs to become unresponsive due to the heavy processing required for encryption.
- Missing or renamed files: Ransomware may delete or rename files as part of its encryption process, leaving the victim unable to access their data.
- Suspicious network activity: Ransomware may communicate with a command-and-control server to send information about the victim’s computer or to receive instructions from the attacker.
- Large numbers of files being encrypted: Ransomware often targets many files in a short amount of time, so if you notice that a large number of files have been encrypted or changed recently, it could be a sign of ransomware.
It’s important to note that some ransomware strains are designed to operate quietly in the background, so not all ransomware attacks may exhibit these signs. If you suspect that your computer may be infected with ransomware, it’s important to seek help from a cybersecurity professional as soon as possible.
Q&A
- What is ransomware?
Ransomware is a type of malicious software that encrypts data on a victim’s computer or network and demands a ransom for the decryption key. - How does ransomware spread?
Ransomware spreads through phishing emails, malicious attachments, exploit kits, and other infection vectors. - What is the average ransom demand?
Ransom demands vary but often range from hundreds to thousands of dollars for individuals and tens of thousands to millions for organizations. - Should I pay the ransom?
Law enforcement and cybersecurity experts generally advise against paying ransoms, as it encourages future attacks and there’s no guarantee you’ll recover your data. - What happens if I don’t pay the ransom?
If you don’t pay the ransom, you risk losing access to your encrypted data permanently. - Can ransomware be removed?
While ransomware can often be removed, this doesn’t guarantee the recovery of encrypted data. - How can I recover my data without paying the ransom?
Regular backups are the best way to recover your data without paying the ransom. In some cases, free decryption tools may be available. - What industries are most targeted by ransomware?
Healthcare, education, government, and financial sectors are among the most targeted industries due to their sensitive data and potential for disruption. - What is a ransomware-as-a-service (RaaS)?
RaaS is a business model where criminals provide ransomware tools and infrastructure to other criminals for a fee or a share of the profits. - Can ransomware spread to other devices on a network?
Yes, ransomware can often spread laterally across a network, encrypting data on multiple devices.
Examples
- Colonial Pipeline attack (2021): The DarkSide ransomware group targeted the largest fuel pipeline in the United States, causing widespread disruption and a temporary shutdown.
- Garmin (2020): The navigation technology company suffered a WastedLocker ransomware attack that led to service outages and a reported $10 million ransom payment.
- City of Atlanta (2018): The SamSam ransomware attack on the City of Atlanta resulted in a massive disruption of city services, costing millions of dollars in recovery efforts.
- NHS (2017): The WannaCry ransomware attack affected the UK’s National Health Service, causing the cancellation of thousands of appointments and surgeries.
- Travelex (2020): The foreign exchange company Travelex fell victim to a Sodinokibi/REvil ransomware attack, resulting in a month-long outage and a reported $2.3 million ransom payment.
Reporting Ransomware Scams
If you or your organization are a victim of a ransomware attack, it’s essential to report the incident to the appropriate authorities. In the United States, you should contact your local FBI field office or the Cybersecurity and Infrastructure Security Agency (CISA). In the UK, report ransomware incidents to the National Cyber Security Centre (NCSC) and Action Fraud. In other countries, contact your local law enforcement or cybersecurity agency.
In addition to reporting the incident to the authorities, consider sharing information about the attack with relevant industry groups or information sharing and analysis centers (ISACs) to help others mitigate similar threats.
Remember, ransomware scams are a growing problem, but by staying informed, taking proactive measures, and working together, we can reduce the impact of these malicious attacks.