From the emergence of the world's first known ransomware, the "AIDS Trojan", in 1989 to the appearance of the first ransomware in mainland China, "Redplus", in 2006, the world has been suffering from ransomware attacks. In recent years the situation has become more severe: internationally renowned companies have been hit by ransomware one after another, and ransom payments keep setting new records. Ransomware has become the number one threat to global network security. So, what are the main types of ransomware?
File-encrypting ransomware encrypts user files with encryption algorithms such as RSA and AES and demands a ransom for the key. This is currently the dominant type of ransomware, represented by WannaCry, which resurged again this year. Government and military units are attacked most frequently, followed by manufacturing, banking, financial and medical systems.
Data-stealing ransomware usually also encrypts user data with multiple encryption algorithms, but during the extortion process the attackers first identify and steal important user data, then threaten to disclose it in order to force the victim to pay. In March 2021, the well-known computer manufacturer Acer was attacked by the REvil ransomware group. The attackers demanded a ransom of US$50 million (approximately 330 million yuan), otherwise they would disclose the stolen and encrypted data. In May 2021, the FBI said Conti ransomware had attacked 16 U.S. health and emergency services agencies, affecting more than 400 organizations worldwide.
Disk-encrypting ransomware encrypts the system disk's master boot record, volume boot record and similar structures so that the user can no longer access the disk, preventing the device from booting and being used normally, and in some cases encrypting all data on the disk; the attackers then extort a ransom. The Petya ransomware, first discovered in 2016, is a representative example.
Screen-locking ransomware locks the user's device in full screen and displays images and text containing the ransom demand, or fakes a system blue-screen error, so that the user cannot log in and use the device (system components are disabled at the same time); the user is then blackmailed into paying a ransom. This type of attack also exists on mobile devices, for example the Leatherlocker discovered in 2017.
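A defender's view of the file-encrypting type described above: ciphertext produced by AES or RSA has near-maximal byte entropy, which is one of the signals used to spot files that ransomware has already overwritten. The following Python is an added example written for this article, not code from the original page or from any product; the 7.2 bits/byte threshold and the 256-byte minimum size are assumptions chosen for illustration, and the sample files are constructed inline so the scan runs offline.

```python
"""Added example: flag files whose contents look like ciphertext using a
Shannon-entropy heuristic. Not part of the original article."""
import math
import os
import tempfile
from collections import Counter

# Assumed thresholds (not from the article): natural-language text usually sits
# well below ~5 bits/byte, while AES/RSA output approaches the 8-bit maximum.
ENTROPY_THRESHOLD = 7.2
MIN_SIZE = 256  # very small files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    """True when the file is large enough to judge and its entropy is ciphertext-like."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_directory(root: str) -> dict:
    """Walk `root` and return {relative_path: entropy} for every suspicious file."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if looks_encrypted(data):
                flagged[os.path.relpath(path, root)] = round(shannon_entropy(data), 2)
    return flagged


def demo() -> dict:
    """Constructed sample tree: one plain-text report and one file whose contents
    stand in for ciphertext (random bytes), then scan it. Only the second should
    be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "report.txt"), "w") as fh:
            fh.write("Quarterly sales figures, constructed sample text.\n" * 40)
        with open(os.path.join(tmp, "report.txt.locked"), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for AES output
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, entropy in demo().items():
        print(f"{path}: {entropy} bits/byte")
```

Entropy alone is a weak signal on its own: compressed archives, images and already-encrypted backups also score near 8 bits/byte, so in practice this check is paired with other indicators, such as a burst of rewrites across many files, files renamed to an unfamiliar extension, or a canary file that no legitimate process should touch.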
Analysis of ransomware incidents in recent years shows that ransomware has not only evolved from "encrypting data" to "triple extortion" and from "bulk attacks" to "targeted attacks", but has also clearly begun to target specific industries and regions.
The targets of ransomware attacks have shifted from individual users to government and enterprise users, who are better able to pay a ransom and more dependent on their data. For example, colleges and universities were severely infected by WannaCry because security hardening and vulnerability patching had been neglected on a large number of devices. Industries such as energy and medical care, which hold important data and have high business-continuity requirements, have also become "high-value" targets for ransomware. In addition, the risk faced by important government departments and agencies, military units, critical infrastructure and industrial control systems related to people's livelihood is also increasing.
Economic interests are driving an upgrade of the operating model, and an underground ransomware industry chain has begun to form. DopplePaymer, Egregor, Netwalker, REvil/Sodinokibi, DarkSide, Ryuk, and BlackMatter (which first appeared in July this year) have been relatively active in recent years, offering ransomware-as-a-service (RaaS) platforms and posing a high level of threat.
In July 2021, hackers launched a global ransomware attack that hit more than 1000 companies and forced Coop, one of Sweden's largest supermarket chains, to close hundreds of stores. In what appears to be the largest supply chain attack to date, the attackers compromised the IT management software provider Kaseya, once again exposing the growing ransomware-as-a-service (RaaS) pandemic.
Also in July 2021, LockFile exploited the ProxyShell vulnerability in Exchange servers to break into corporate internal networks and attacked at least 10 organizations or companies, mainly in the United States and Asia.
Because data encrypted by ransomware is difficult to recover and the source of the attack is difficult to trace, a ransomware attack brings not only direct losses such as the ransom itself, production stoppages, compensation and fines, and the cost of bringing data back online, but also indirect social losses caused by production stoppages or service interruptions. Take ransom losses as an example: according to Censuswide's research report, a considerable number of companies choose to pay the ransom after a ransomware attack. However,
In March 2021, CNA Financial, one of the largest insurance companies in the United States, was attacked by ransomware from the hacker group Phoenix. About 15,000 devices were encrypted, and large amounts of customer data were at risk of being leaked. After failing to recover the files, CNA Financial began negotiating with the attackers, who initially demanded $60 million. After negotiation, CNA paid the hackers $40 million, setting a record for the highest ransom paid in history.
In May 2021, Colonial Pipeline, the largest pipeline transporter of refined oil products in the United States, was attacked by ransomware from the "Darkside" hacker group, paralyzing the fuel network on the US East Coast. In the same month, 17 eastern US states and Washington, DC, the capital, declared a state of emergency.
In 2021, LockBit was upgraded to version 2.0, which can encrypt data at 373 MB/s; it can steal and encrypt 100 GB of data from an infected device in less than 20 minutes, more than 3 times faster than the encryption speed of ordinary ransomware. In August, the global IT consulting giant Accenture was attacked by the LockBit gang, which claimed to have stolen more than 6 TB of data and demanded a ransom of US$50 million (approximately 320 million yuan).