Ransomware families


Ransomware has now developed into a complete business model called ransomware-as-a-service, where cybercriminals license out "off-the-shelf" products. Just like a family, these products share common characteristics that make them recognizable to anti-malware security solutions. In September 2021, an analysis of more than 12.7 million malware detections made by a key antivirus company identified more than 220 ransomware families.

The top 10 families change over time, but some notable ones are:

  • WannaCryptor
  • Stop/DJVU
  • Conti
  • REvil

WannaCryptor

The following key facts are known about WannaCryptor:

  • It targets devices running the Windows operating system.
  • It demands payment via Bitcoin.
  • It relies on vulnerabilities in the system to gain access.
  • It's known as a crypto worm because once it gets inside a system, it can spread by itself to other devices without further user action.
  • In 2017, it was part of a global attack that brought disruption to more than 185,000 devices across 100 countries/regions.
  • It's also known as Wannacrypt, Wanna Decryptor, Wana Decrypt0r 2.0, and WanaCrypt0r 2.0.
  • It's believed to have originated in North Korea.

Stop/DJVU

The following key facts are known about Stop/DJVU:

  • It's introduced to a system either via spam email or by taking advantage of software vulnerabilities.
  • Once introduced, it runs a file that loads the software onto your device to target documents, spreadsheets, images, videos, databases, and other similar data. It then blocks access to the files and demands a ransom.
  • Stop/DJVU is also known as STOP Ransomware, STOP (DJVU), or DJVU virus, and has 374 active variants.
  • It mainly targets Windows operating systems.
  • It's extremely difficult to decrypt files infected with this ransomware.

It isn't known which countries/regions the cybercriminals work from.

Conti

The following key facts are known about Conti:

  • Its main targets are hospitals and healthcare organizations.
  • It targets files vital for the running of the organization, putting lives at risk while the systems are down.
  • The average ransom is $850,000.
  • As well as installing the ransomware, it also installs other malware to steal data.
  • The ransom demanded for stolen data can sometimes be more than the worth of the original data.
  • The virus enters the system via phishing emails with attachments. When an attachment is opened, the virus runs and encrypts the system.

REvil

The following key facts are known about the REvil group:

  • REvil is a group of ransomware hackers also known by the name Sodinokibi.
  • It's understood that most of its members are Russian or from former Soviet Union countries/regions.
  • The ransom demands have been getting increasingly larger as the group becomes more targeted in its approach.
  • The group has announced that the agricultural sector is going to be a major target.
  • It often threatens to auction off data if ransom demands aren't met.
  • REvil operates under the ransomware-as-a-service licensing model.
  • If demands aren't met, the group threatens to post sensitive documents on its website, known as the "Happy Blog".
  • In 2019, the group was linked to 24 local government attacks in Texas.
  • Despite a high-profile announcement that agencies in Russia had shut down the group, there are still reports of attacks using that name.

In 2021, two high-profile attacks by the REvil and DarkSide ransomware families were reported in the media.

Case study 1 – meat processing company

The following outlines the attack:

  • In June 2021, the target was a major US meat packing corporation.
  • The attackers, the REvil group, downloaded malicious code that affected operations in Australia and North America and was described as very sophisticated.
  • The impact on the company involved halting cattle slaughtering in all US plants and suspending food production in Australia and North America.
  • To resolve the situation, the company paid an $11 million Bitcoin ransom, stating that it had done so to protect customers.

The government response:

  • The scale of the attack prompted the United States to act and offer a reward of up to $10 million for any information that would lead to the cybercriminals' arrest.
  • In an act of cooperation, the Russian intelligence bureau arrested the group and seized more than $560,000 of cryptocurrency and more than 20 premium cars bought with the "proceeds of crime".
  • The ransomware did disappear for a while but has since reemerged and is once again a major threat.

Case study 2 – major fuel distribution company

The following outlines the attack:

  • In April 2021, the target was a major oil distribution plant.
  • The attackers, the DarkSide group, downloaded malicious code that affected the company's network on the Eastern Seaboard of the United States.
  • The impact of the attack hit companies and drivers as fuel deliveries were halted, leading to panic buying throughout the affected area.
  • To resolve the situation, the fuel distribution company paid a Bitcoin ransom of $4.4 million, stating that it didn't know the extent of the intrusion or how long it would take to restore operations.

The government response:

US investigators recovered millions in cryptocurrency as they targeted DarkSide, the group responsible for the attack. It was later revealed that DarkSide had been under surveillance for more than a year and that the fuel distribution company was following the investigators' instructions so they could track the ransom payment to a cryptocurrency wallet used by the hackers. Despite this government success, the DarkSide ransomware is still active and affecting other users.