The biggest ransomware attacks of 2017

Ransomware viruses threatened home computer users and corporations in 2017

5 biggest ransomware attacks of 2017

This year, ransomware developers had their share of fun and profit from the illegal money-making business. Crypto-viruses actively attacked home users' files and caused havoc in medical institutions, schools, infrastructure and whole cities.[1]

We saw new cyber threats emerging and creating chaos in the United States, Europe, and other regions. At the end of the year, we are looking back and sharing the 5 biggest ransomware attacks of 2017. There's no doubt that we will hear about some of these threats in 2018 as well.

WannaCry created worldwide chaos in May

Illustration of WannaCry

The WannaCry ransomware attack was definitely the highlight of the year.[2] Criminals managed to infect more than 230,000 computers in 150 countries within one day of the first attack on 12 May.

Among the victims were parts of the UK's National Health Service (NHS), the Spanish telecommunications company Telefónica, the American courier service FedEx, and many other businesses.

The ransomware targeted unsupported and unpatched Windows versions using the EternalBlue exploit, which takes advantage of a vulnerability in Windows' Server Message Block (SMB) protocol. Only Windows 10 users avoided the attack.
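As an added example (not from the article), the following PowerShell function checks whether a Windows host still has the SMBv1 server that EternalBlue targets enabled, and can disable it. It assumes Windows 8.1 / Server 2012 R2 or later (the SMB cmdlets do not exist on the unsupported versions the article mentions) and an elevated session; the function name and the -Remediate switch are this example's own.

```powershell
# Added example (not from the article): audit whether a Windows host still exposes the
# SMBv1 server protocol that EternalBlue targets, and optionally disable it.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.
# Function and parameter names are this example's own.
function Test-Smb1Exposure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Pass -Remediate to disable SMBv1 instead of only reporting on it.
        [switch]$Remediate
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cfg = Get-SmbServerConfiguration

    # Optional-feature state covers the SMB1 component on Windows 8.1 / 10 clients;
    # on hosts without that feature the call returns nothing and we report 'Unknown'.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    $report = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSCaption         = $os.Caption
        OSVersion         = $os.Version
        Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { [string]$feature.State } else { 'Unknown' }
        Exposed           = [bool]$cfg.EnableSMB1Protocol -or ($feature -and $feature.State -eq 'Enabled')
    }

    if ($report.Exposed -and $Remediate) {
        # Microsoft recommends disabling SMBv1 outright, independent of patch level.
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        if ($feature -and $feature.State -eq 'Enabled' -and
            $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove SMB1Protocol optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    return $report
}

# Report only; add -Remediate (and -WhatIf to preview) to act on the finding.
Test-Smb1Exposure | Format-List
```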

Malware researchers managed to halt WannaCry's distribution by triggering the ransomware's built-in "kill switch" feature. However, new versions and impostors of the ransomware were released that keep threatening computer users all over the world.

Petya/NotPetya caused many problems in Ukraine

Illustration of NotPetya ransom note

In June 2017, the main cybersecurity news was a massive ransomware attack that hit Ukraine, Russia, and other European countries. The malicious program hit banks, airports, law firms, advertising agencies and even power plants.[3]

At first it was thought to be a new variant of the Petya ransomware virus. However, later analysis showed that it is a different cyber threat that reuses only some parts of Petya's source code. Thus, the virus was named NotPetya.[4]

It used the same EternalBlue vulnerability that had brought WannaCry its success. The second outbreak showed that many companies had not paid enough attention to cybersecurity after the first attack.

The biggest damage was done in Ukraine, where the virus attacked Kiev's electric power supplier "Kyivenergo," the Ukrainian power distributor "Ukrenergo" and Chernobyl's radiation monitoring system. Later on, reports of attacks came from the Danish power distributor "Maersk," Spanish "Mondelez" offices, the law firm "DLA Piper," the British advertising group WPP, etc.

BadRabbit hit Ukrainian and Russian organizations

Illustration of BadRabbit ransomware virus

On 24 October, Ukrainian and Russian authorities reported massive ransomware attacks that hit Odessa International Airport, the Kiev metro and Ukraine's Ministry of Infrastructure.[5] However, these two countries were not the only ones affected.

Detected as BadRabbit, the ransomware attacked home and corporate computers in Japan, South Korea, the United States, Turkey, Germany, Poland, and other European countries. Unlike the previous viruses, this one was installed through a drive-by attack.

According to researchers, the malware was spreading as a fake Adobe Flash update via compromised websites. Fortunately, soon after detection the sites were shut down or the malicious files were removed, so BadRabbit's distribution was quickly stopped. But that does not mean its developers are not working on an update that might emerge in 2018.

Cerber reminded us of itself in summer and started using a new monetization method

Illustration of Cerber ransomware

Cerber[6] ransomware was one of the most dangerous viruses of 2016. However, after that successful year, it was not very active in 2017. Its developers released only a few versions of the malware this year, including Help_help_help ransomware, a variant of Red Cerber, and Cerber 6. By comparison, last year they created 5 versions of the malware.

In July 2017, malware researchers reported that Cerber was actively spreading in Asian countries using the Magnitude exploit kit.[7] The virus used targeted attacks and hit South Korea the hardest. The malware used malvertising as its main distribution strategy.

Furthermore, Cerber's developers started using a new monetization method. The ransomware was updated and became capable of stealing Bitcoin wallet files[8] and passwords saved in Internet Explorer, Google Chrome, and Mozilla Firefox.

Locky, the star of 2016, launched massive malspam campaigns

Illustration of new versions of Locky virus

It seems that the developers of Locky did not disappear from cyberspace as everyone was assuming. Last year it was named the most dangerous cyber threat, and it was then almost inactive for half a year.

However, despite the silence in the first part of the year, criminals came back with a few new versions of the ransomware:

  • Diablo6;
  • Lukitus;
  • Ykcol;
  • Asasin.

In August, security researchers reported that criminals launched two malspam campaigns. One of them sent 62,000 malicious emails with the IKARUSdilapidated[9] Locky variant. However, it was a tiny campaign compared with the one held a few weeks later. On August 28, researchers reported that criminals sent 23 million spam emails in 24 hours[10] with a new version of the ransomware called Lukitus.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
