TABLE OF CONTENTS
History of Ransomware
Types of Ransomware
Ransomware attacks around the world
  How it started?
  Modus Operandi
  How was it stopped?
WHAT IS RANSOMWARE?
Ransomware is a class of malware that locks the victim's system or encrypts the victim's files and data, then demands a payment (the ransom) in exchange for unlocking the system or supplying the decryption key.
01 THE GENESIS OF RANSOMWARE (1989-2006)
In 1989, Joseph L. Popp mailed about 20,000 floppy disks labelled as AIDS information to patients and healthcare organizations worldwide. The disks carried the "AIDS Trojan", which encrypted the names of files on the victim's hard drive and demanded a $189 payment, sent to a post office box in Panama, for the restoration software. Ransomware has therefore existed for more than three decades; what changed later was payment: digital currencies and, eventually, cryptocurrencies gave attackers a convenient and hard-to-trace way to collect. GPCoder (also written PGPCoder), first seen in 2005, was one of the earliest modern examples. Archiveus (2006) was among the first to use asymmetric (RSA) encryption, which made recovery without the attacker's private key impractical; it dropped a ransom note named "how to get your files back.txt" with payment instructions.
02 RANSOMWARE BECAME MORE PREVALENT AS THE INTERNET WAS WIDELY USED (2007-2016)
As internet use became universal between 2007 and 2016, ransomware became far more common. WinLock locked the Windows desktop behind a pornographic image and demanded payment by premium-rate SMS to remove it. Reveton (2012) posed as a law-enforcement notice, accusing the victim of copyright infringement or of sharing pornography and demanding a "fine" of around $200 to avoid prosecution; many users paid to escape the supposed penalty. Ransom demands and pressure tactics evolved through this period to increase the likelihood of payment, and the rapid growth of the internet gave the malware a far larger pool of targets and distribution channels.
03 STATE-SPONSORED WORLDWIDE ATTACKS (2017-2018)
In May 2017 the WannaCry worm infected roughly 200,000 to 300,000 devices across more than 150 countries. Besides encrypting files, it deleted the Volume Shadow Copies on the infected machine so that local restore points could not be used to recover data. NotPetya, released the following month, reused the same EternalBlue SMB exploit as WannaCry. It was aimed at Ukraine as part of that country's ongoing conflict with Russia and caused large-scale data destruction well beyond its intended targets; the U.S. government later estimated the damage at more than $10 billion.
04 THE BIG GAME HUNTING ERA (2019-2021)
Criminal groups shifted to "big game hunting": deliberately targeting large corporations that can afford to pay more, which pushed typical ransom demands from about $13,000 to about $36,000. They added double extortion, threatening to publish or sell the victim's stolen data on darknet leak sites if the ransom was not paid; Maze and Egregor used such data disclosure to pressure businesses into paying. Sodinokibi (REvil), run as ransomware-as-a-service, adopted the same approach. In 2021 DarkSide hit Colonial Pipeline, and REvil affiliates hit Acer and Kaseya; in the Colonial Pipeline case the FBI seized about $2.3 million of the Bitcoin ransom that had been paid.
05 CYBERCRIME HAS BECOME MORE ORGANIZED (2021-PRESENT)
Ransomware-as-a-service (RaaS) has reshaped the criminal market: operators rent out the malware, payment portals and leak sites, so affiliates with little skill of their own can run intrusions and share in the ransom. Improvements in self-propagation, command-and-control communication and data theft have produced more capable families such as LockBit and DarkSide. Initial Access Brokers (IABs) emerged as a distinct threat in 2021: they compromise corporate networks, typically through exposed remote-access services or stolen credentials, and sell that foothold to other groups, which then carry out the ransomware attack. Closing off those entry points removes the back doors the IABs sell and cuts many ransomware operations off from their supply of victims.
TYPES OF RANSOMWARE
SCAREWARE
Deceptive software that uses fear tactics to convince users that their systems are infected with malware, in order to extort money for a fake "cleanup".
ENCRYPTING RANSOMWARE
Malware that encrypts files and data and holds them hostage until a ransom, typically in cryptocurrency, is paid for the decryption key.
MOBILE RANSOMWARE
Malware that encrypts data on smartphones and tablets, or locks the device, and demands payment to decrypt the data or unlock the device.
SCREEN LOCKERS
Applications that lock the victim out of their computer and prevent access to any documents or data. A notice demanding payment to unlock the machine is usually displayed; the files themselves are typically not encrypted.
RANSOMWARE ATTACKS AROUND THE WORLD
WannaCry ransomware attack
NotPetya ransomware attack
Costa Rican ransomware attack
WANNACRY RANSOMWARE
In May 2017 the WannaCry ransomware attack, a global outbreak, hit over 150 nations and some 230,000 computers. The worm encrypted data on the infected PC's hard drive and demanded a Bitcoin ransom to unlock it. It exploited a flaw in Windows file sharing (SMB) to spread on its own, struck prominent organizations, and has been linked to the Lazarus Group, a hacking crew with ties to the North Korean government. The malware infected 65% of ISPs in Latin America, making it one of the largest ransomware attacks in history. Victims ranged from small and medium-sized businesses to large corporations, government and private-sector bodies, railways, hospitals, banks, shopping centres and ministries. The ransomware reached more than 11 countries within a few hours, and by the end of the first day it had been found in 74 countries across thousands of organizations. The damage to police forces, energy companies and ISPs was immense.
HOW IT STARTED?
WannaCry spread through a worm component that exploited a vulnerability in the SMBv1 service of Microsoft Windows, which Microsoft had patched as MS17-010 two months before the outbreak. According to Jenkinson (2022), the group behind WannaCry began in 2009 with crude DDoS attacks on South Korean government systems and was identified by Symantec as the Lazarus Group. The U.S. government concurred with this assessment in Tom Bossert's December 2017 op-ed in the Wall Street Journal. Lazarus has grown steadily more capable, being blamed for the 2014 Sony Pictures breach and for a series of bank heists.
The WannaCry malware is simple in structure and installs itself through a dropper. The dropper carries an archive containing the encryption keys, a copy of Tor (used to reach the payment back end), and the program that encrypts the data and is supposed to decrypt it after payment. When run, it first tries to make an HTTP request to a hard-coded URL. If the request succeeds, the malware exits; only if it fails does it go on to search for files in a long list of common formats (documents, images, archives, databases and so on) and encrypt them, leaving them inaccessible to the user. Once encryption is complete, a ransom note demanding payment in Bitcoin is displayed. The hard-coded domain was unregistered when the worm was released; a researcher registered it within hours, so the request began to succeed and the worm stopped encrypting on newly infected machines that had direct internet access. This is the "kill switch" that halted the outbreak.
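The gate described above, modelled as an added example. This is not WannaCry code and not from the original deck: it reproduces only the decision logic, with a placeholder string standing in for the real hard-coded domain, so that the effect of registering ("sinkholing") the domain can be traced. It also models one caveat a responder had to know about: the worm's request did not use the system proxy, so hosts that could reach the internet only through a proxy still saw the request fail and were encrypted even after the sinkhole was in place. The host names and the fleet are constructed.

```python
# Added illustration of WannaCry's kill-switch gate. NOT WannaCry code: it models
# the decision the worm made, with a placeholder domain instead of the real one.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Placeholder for the hard-coded, initially unregistered domain (assumption).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"


@dataclass
class Host:
    name: str
    direct_egress: bool  # False = can reach the internet only through a proxy


@dataclass
class Internet:
    registered: Set[str] = field(default_factory=set)

    def direct_http_get(self, domain: str, host: Host) -> bool:
        """Stub for the worm's raw HTTP request. The real request bypassed the
        system proxy, so it succeeds only if the host has direct egress AND the
        domain is registered (resolves and answers)."""
        return host.direct_egress and domain in self.registered


def kill_switch_gate(host: Host, net: Internet) -> str:
    """'exit' if the worm would stand down, 'encrypt' if it would run the payload."""
    if net.direct_http_get(KILL_SWITCH_DOMAIN, host):
        return "exit"      # request succeeded: worm assumes it is being analysed
    return "encrypt"       # request failed: worm proceeds to encrypt files


def simulate(hosts: List[Host], net: Internet) -> Dict[str, str]:
    """Map each host name to the gate's verdict."""
    return {h.name: kill_switch_gate(h, net) for h in hosts}


# Constructed fleet: two hosts with direct egress, one behind a corporate proxy.
FLEET = [
    Host("workstation-1", direct_egress=True),
    Host("workstation-2", direct_egress=True),
    Host("proxied-server", direct_egress=False),
]


def before_sinkhole() -> Dict[str, str]:
    """Domain unregistered: every infected host encrypts."""
    return simulate(FLEET, Internet())


def after_sinkhole() -> Dict[str, str]:
    """Domain registered by a researcher: direct-egress hosts stand down,
    the proxied host still cannot complete the request and is encrypted."""
    net = Internet()
    net.registered.add(KILL_SWITCH_DOMAIN)
    return simulate(FLEET, net)


if __name__ == "__main__":
    print("before sinkhole:", before_sinkhole())
    print("after sinkhole: ", after_sinkhole())
```

The proxied host is the practical lesson: the sinkhole only protected machines whose direct outbound HTTP worked, so patching and network isolation were still required.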
REMOVING WANNACRY
1 Isolate infected systems
2 Install the most recent patches
3 Implement security measures
1 Isolate infected systems. Quickly isolating infected systems is essential to limit the spread and impact of WannaCry: because it is a worm, every infected machine scans for and attacks other hosts over SMB (TCP port 445). The steps are to monitor network activity for that scanning, cut infected hosts off from the network and the internet, disable remote access tools, patch the exploited vulnerability, run antivirus or anti-malware software to remove the malware, and restore affected files from clean backups. To prevent recurrence, reinforce security procedures among users: strong passwords, caution with phishing emails, and frequent software updates.
2 Install the most recent patches. Identify the software or operating system that needs patching, then obtain the update from the vendor's official website or update service rather than from a third party. Find the patch that corresponds to your version and edition (for WannaCry this is Microsoft's MS17-010 security update for the SMBv1 flaw), download it and follow the installation instructions. Confirm the installation by checking the version number or the list of installed updates against the vendor's release notes. Repeat for every remaining system that requires the patch. Checking for updates regularly and applying fixes promptly is essential to keep systems secure and operating.
3 Implement security measures. Effective practices include applying security patches promptly, keeping antivirus and anti-malware software current, deploying network controls such as firewalls and intrusion detection systems (and blocking SMB at the network perimeter), enforcing strict email security, and taking regular data backups. Keep at least one backup copy offline or otherwise out of reach of an infected host, since ransomware deletes or encrypts any backup it can write to, and test the restore procedure frequently to make sure it works as intended. Make updates automatic and continual. Finally, train staff to recognize suspicious emails, avoid clicking unexpected links, and never open attachments from unknown sources.
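Testing a backup is more than checking that the files are present: a backup taken after the infection began may already contain encrypted copies. The following added example (not from the original deck) shows two checks a restore test can run: a SHA-256 manifest recorded at backup time, which catches any file that has changed or gone missing, and a Shannon-entropy check that flags files whose contents look like ciphertext. The 7.2 bits-per-byte threshold and the sample files are assumptions constructed for the demo; no real backup is read.

```python
# Added example: verify a backup against a manifest and flag files that look
# encrypted. Not from the original slides; thresholds and sample data are assumed.
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed cut-off: text and office documents sit well below; ciphertext is ~8.0.
ENTROPY_THRESHOLD = 7.2


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, ~8.0 for random/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root, taken at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current contents of root against the manifest.
    'missing': listed in manifest but gone; 'modified': hash mismatch;
    'suspicious': content entropy above threshold (looks encrypted); 'ok': intact."""
    report = {"missing": [], "modified": [], "suspicious": [], "ok": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        changed = sha256_file(p) != expected
        if changed:
            report["modified"].append(rel)
        if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
            report["suspicious"].append(rel)
        elif not changed:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: manifest a clean backup, then simulate a ransomware run
    that overwrites one file with ciphertext and deletes another, and verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("Quarterly figures: revenue up 4%, costs flat.\n" * 40)
        (root / "docs" / "notes.txt").write_text("meeting notes " * 100)
        (root / "config.ini").write_text("[db]\nhost=localhost\nport=5432\n")
        manifest = build_manifest(root)

        # Deterministic pseudo-random bytes stand in for ciphertext (constructed).
        fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        (root / "docs" / "report.txt").write_bytes(fake_ciphertext)
        (root / "docs" / "notes.txt").unlink()

        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In a real restore test the manifest itself must live outside the backup set (and ideally be signed), otherwise the same ransomware that encrypted the files can rewrite the hashes.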
HOW IT STARTED?
NotPetya struck in June 2017. At Maersk, one of the world's largest shipping companies, the attack announced itself when staff began to panic and gather at the help desk with their laptops. According to Greenberg (2018), their screens showed either a fake "Repairing file system on C:" message or a notice that their files had been encrypted, followed by a demand for $300 worth of Bitcoin to decrypt the system. One IT officer, interrupted while working on his machine, looked up to see every machine around him rebooting or flickering at the same time. People at Maersk headquarters realized a full-scale crisis was under way, and staff began pulling machines off the network to stop the infection from spreading.
According to Greenberg (2018), the outbreak began at Linkos Group, a small software company in Kiev, Ukraine, that makes the M.E.Doc tax-accounting software used across Ukrainian business. A Russian hacking group known as Sandworm hijacked the company's update server, which gave them a backdoor into the thousands of Ukrainian computers that fetched updates from it. Through that backdoor they pushed one of the most destructive pieces of code in the history of computing: it spread automatically and rapidly inside a network, making it one of the fastest-propagating malware samples ever seen.
MODUS OPERANDI
NotPetya's authors combined two tools to drive its spread. The first was EternalBlue, an exploit for a Windows SMB vulnerability developed by the United States National Security Agency and available to the attackers because it had been leaked in a disastrous breach of the agency's tools. The second was Mimikatz, a tool originally released to demonstrate that Windows kept users' passwords in memory and that they could be pulled out of it. Microsoft shipped an update that addressed this credential caching, but out-of-date systems were still exposed. Combining the two, the malware exploited unpatched machines with EternalBlue, harvested passwords from memory with Mimikatz, and then used those credentials to log on to other machines, including fully patched ones, through legitimate Windows administration tools. The ransomware was notorious because, although it displayed a message promising decryption once the ransom was paid, the ransom could not actually be paid: the contact email address was shut down by its provider, and the "installation key" shown to victims was random data, so no decryption was possible. NotPetya was purely destructive and destroyed the victim's data irreversibly.
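Both worms leave the same two footprints on the network: one host suddenly talking SMB (TCP 445) to many neighbours, which is the EternalBlue scanning described above and the activity the "monitor network activity" step of the WannaCry response is meant to catch, and, in NotPetya's case, one set of harvested credentials authenticating from a single source to many machines in quick succession. The following added example, which is not from the original deck and is not code from either malware, runs a shared "fan-out" detector over constructed sample logs: a firewall/flow log in a simple key=value format, and Windows Security events in the same format (event 4624 with LogonType 3, a network logon). The log format, field names, thresholds and time windows are assumptions chosen for the demo; real deployments would map them to their own log schema.

```python
# Added detection example (not from the original slides, not malware code):
# flag "fan-out" behaviour over constructed logs. Log format and thresholds are assumed.
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Hashable, Iterable, List, Tuple


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """'<ISO timestamp> k=v k=v ...' -> (datetime, {k: v}). Assumed log format."""
    ts_str, _, rest = line.partition(" ")
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return datetime.fromisoformat(ts_str), kv


def fanout_alerts(records: Iterable[Tuple[datetime, Hashable, str]],
                  threshold: int, window: timedelta) -> Dict[Hashable, int]:
    """records: (timestamp, key, target). For each key, slide a time window over its
    events and count distinct targets; return {key: peak_distinct_targets} for keys
    that reach `threshold` distinct targets inside any single window."""
    by_key: Dict[Hashable, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, key, target in records:
        by_key[key].append((ts, target))
    alerts: Dict[Hashable, int] = {}
    for key, items in by_key.items():
        items.sort()
        win: deque = deque()
        live = Counter()
        peak = 0
        for ts, target in items:
            win.append((ts, target))
            live[target] += 1
            while ts - win[0][0] > window:          # expire events outside the window
                _, old = win.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def smb_sweep_alerts(lines, threshold=10, window=timedelta(seconds=60)):
    """Sources that reach `threshold` distinct destinations on TCP 445 within `window`."""
    records = []
    for line in lines:
        ts, kv = parse_line(line)
        if kv.get("dport") == "445":
            records.append((ts, kv["src"], kv["dst"]))
    return fanout_alerts(records, threshold, window)


def credential_fanout_alerts(lines, threshold=5, window=timedelta(seconds=120)):
    """(account, source IP) pairs whose network logons (4624 / LogonType 3) hit
    `threshold` distinct computers within `window`: credential reuse for lateral movement."""
    records = []
    for line in lines:
        ts, kv = parse_line(line)
        if kv.get("EventID") == "4624" and kv.get("LogonType") == "3":
            records.append((ts, (kv["TargetUserName"], kv["IpAddress"]), kv["Computer"]))
    return fanout_alerts(records, threshold, window)


def constructed_flow_log() -> List[str]:
    """Constructed sample: one benign client, one host sweeping 21 neighbours on 445."""
    base = datetime(2017, 6, 27, 10, 15, 0)
    lines = [f"{(base + timedelta(seconds=20 * i)).isoformat()} src=10.0.0.7 dst=10.0.0.2 dport=445 proto=tcp"
             for i in range(3)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} src=10.0.0.5 dst=10.0.0.{10 + i} dport=445 proto=tcp"
              for i in range(21)]
    lines.append(f"{base.isoformat()} src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp")  # must not count
    return lines


def constructed_security_log() -> List[str]:
    """Constructed sample: a normal user plus a service account reused against 8 hosts in 30 s."""
    base = datetime(2017, 6, 27, 10, 16, 0)
    lines = [f"{base.isoformat()} EventID=4624 LogonType=2 TargetUserName=jsmith IpAddress=- Computer=WS-07"]
    lines += [f"{(base + timedelta(seconds=5 * i)).isoformat()} EventID=4624 LogonType=3 TargetUserName=jsmith IpAddress=10.0.0.7 Computer={h}"
              for i, h in enumerate(["FS-01", "PRINT-01"])]
    lines += [f"{(base + timedelta(seconds=4 * i)).isoformat()} EventID=4624 LogonType=3 TargetUserName=svc_deploy IpAddress=10.0.0.5 Computer=HOST-{i + 1:02d}"
              for i in range(8)]
    return lines


if __name__ == "__main__":
    print("SMB sweep:", smb_sweep_alerts(constructed_flow_log()))
    print("Credential fan-out:", credential_fanout_alerts(constructed_security_log()))
```

The thresholds are deliberately the tunable part: a backup or monitoring account legitimately logs on to many hosts, so in practice the second detector is paired with an allow-list of such accounts rather than lowered further.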
NotPetya bore some resemblance to WannaCry: according to Hern (2017), it was built on the same leaked exploit as the WannaCry ransomware. It was also odd in that it was not built for monetary gain; even victims willing to pay the specified amount found their files irreversibly destroyed. That gave specialists a new reading of why the attack happened. Russia and Ukraine had been trading digital blows for years, and this attack, powerful and fast-spreading, quickly became a worldwide phenomenon. According to Schouwenberg (2019), it is generally believed that NotPetya was the work of Russia's military intelligence agency. After the attack, most affected companies were left with their entire Windows infrastructure wiped out.
MEASURES TAKEN TO STOP THE ATTACK
1 Disconnect
2 Up-to-date
3 Strong firewalls
Because NotPetya spread through a vulnerability in Microsoft Windows, the remedy was the Windows patch for that flaw (MS17-010), which Microsoft had in fact released in March 2017, three months before the attack; organizations that had not yet applied it hurried to do so. Those affected also disconnected infected machines from the network and the internet to stop further spreading, and blocked SMB traffic at their firewalls. Files damaged by the malware could not be recovered.
HOW IT STARTED?
In April 2022, government institutions of Costa Rica were besieged by the ransomware group Conti. According to Nast (2022), the attack crippled many of the country's essential services: customs processing for international trade and tax collection stopped, and medical appointments had to be rescheduled, costing the country millions of dollars. The government declared a national emergency over the damage. Conti initially demanded a ransom of $10 million, which the Costa Rican government declined; the group then attacked further ministries and raised the demand to $20 million. This too was refused, and the government struggled for weeks to bring all its systems back online. Staff in the affected government offices were forced to fall back on pen and paper.
AFFECTED MINISTRIES
Ministry of Finance
The Administrative Board of the Electrical Service of the province of Cartago (Jasec)
The Ministry of Science, Innovation, Technology and Telecommunications
The Ministry of Labor and Social Security (MTSS)
The National Meteorological Institute (IMN)
The Interuniversity Headquarters of Alajuela
The Social Development and Family Allowances Fund (FODESAF)
Costa Rican Social Security Fund (CCSS)
MODUS OPERANDI
According to Feeley and Hartley (2019), Conti's ransomware uses techniques that only a few other variants have shown so far. It is operated remotely by the attackers, is one of the fastest-encrypting ransomware families (it encrypts many files in parallel), and gives the operator fine control over which files are encrypted and in what order. The intrusion into the Costa Rican government began at the Ministry of Finance; the attackers reached its systems through phishing and watering-hole attacks and expanded from there to other institutions.
MEASURES TAKEN TO STOP THE ATTACK
1 Assistance from the US
2 Up-to-date
3 Strong firewalls
The Costa Rican government declared a national emergency, and the United States provided technical assistance to evict the attackers from the affected systems. The Conti group subsequently shut down the sites it used for ransom negotiation and took its data-leak sites offline. Some sources even say that the attackers had inside help from within the government.
COURSE REFLECTION
1 Explored the concept of the Internet of Things (IoT) and its applications in various industries.
2 Explored communication protocols and networking concepts essential for connecting IoT devices and facilitating data exchange.
3 Engaged with industry professionals invited by the professor to share their expertise and insights on various emerging technologies.
4 Had the opportunity to interact directly with AR and VR technology, gaining practical experience through games like Pokemon Go.
5 The interactive sessions and hands-on activities helped deepen understanding of emerging technologies beyond theoretical knowledge.
REFERENCES
Feeley, B., & Hartley, B. (2019, February 15). "Sin"-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER sharing the same web. CrowdStrike. https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
Greenberg, A. (2018, August 22). The untold story of NotPetya, the most devastating cyberattack in history. WIRED. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Hassan, N. A. (2019). Ransomware overview. In Ransomware Revealed (pp. 3-28). https://doi.org/10.1007/978-1-4842-4255-1_1
Hern, A. (2017, December 30). WannaCry, Petya, NotPetya: How ransomware hit the big time in 2017. The Guardian. https://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomware
Jenkinson, A. (2022). CNA ransomware attack and cyber insurance. In Ransomware and Cybercrime (pp. 29-37). https://doi.org/10.1201/9781003278214-5
Kiru, M. U., & Jantan, A. (2020). Ransomware evolution: Solving ransomware attack challenges. In The Evolution of Business in the Cyber Age (pp. 193-229). https://doi.org/10.1201/9780429276484-9
Nast, C. (2022). Conti's attack against Costa Rica sparks a new ransomware era. Wired UK. https://www.wired.co.uk/article/costa-rica-ransomware-conti
Paraschiva, I. (2019). WannaCry ransomware attack from Romanian police perspective. International Journal of Information Security and Cybercrime, 8(1), 65-72. https://doi.org/10.19107/ijisc.2019.01.09
Schouwenberg, R. (2019). NotPetya ushered in a new era of malware. Vice. https://www.vice.com/en/article/7x5vnz/notpetya-ushered-in-a-new-era-of-malware