2020 was the year that ransomware officially went mainstream. Once a fairly niche threat, generally deployed against multinational corporations and government contractors, it is now a major source of concern for organizations of all sizes and types.
Our recent Threat Bulletin highlighted the danger of ransomware, particularly to some organizations that have historically lagged behind when it comes to cybersecurity. Ransomware is also becoming a big problem for schools, and attackers have used this type of malware to take aim at city governments as well.
The risks of ransomware come not just from this expanded set of targets, however. The malware that is central to these attacks is also increasing in sophistication. This is abundantly clear in the following roundup of the most dangerous ransomware we saw in 2020:
1. Netwalker Ransomware
Netwalker ransomware was one of the most popular and successful forms of ransomware in 2020. It was seen frequently in the months after COVID-19 appeared and formed a major part of the explosion of phishing campaigns and malware infections that accompanied work-from-home orders.
Netwalker is an evolution of the Mailto ransomware that was first seen at the end of 2019 and is still most often delivered via email phishing campaigns. It has been used to target businesses of all sizes, as well as educational and governmental agencies.
Netwalker has chalked up some notable successes. The malware was used to launch successful attacks against Australian transportation company Toll Group, Michigan State University, and most recently, the University of California San Francisco.
2. Nefilim Ransomware
Nefilim ransomware was responsible for several high-profile attacks in 2020, and was particularly used to target companies that manage critical infrastructure: health, energy, supply chain, and government services. This has been a worrying trend over the past few years, and Nefilim ransomware is one of the tools driving it.
The exact attack pathway used for Nefilim attacks remains poorly understood, but the malware appears to exploit weaknesses in Remote Desktop Protocol (RDP) systems. Two factors help explain the rise of Nefilim in the past year.
One is that there are multiple vulnerabilities in Microsoft’s RDP. Each of these vulnerabilities can be exploited for easy access, with brute force being the most common attack method used by cyber criminals. The second is that RDP systems have seen their number of users increase dramatically over the past year, due to the pandemic.
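To make the brute-force point concrete for defenders, here is an added detection example; it is not from the original article. It flags source addresses that generate a burst of failed RDP logons (Windows Security event 4625) and notes any successful logon (4624) that follows. The simplified comma-separated event format, the sample events, the threshold and the function name are all assumptions made for illustration, and logon type 3 also covers non-RDP network logons.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line: time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is RemoteInteractive
# (RDP); type 3 is a network logon, which is how RDP failures appear when NLA is on.
SAMPLE_EVENTS = """\
2020-07-01T02:00:01,4625,3,203.0.113.50,administrator
2020-07-01T02:00:05,4625,3,203.0.113.50,admin
2020-07-01T02:00:09,4625,3,203.0.113.50,administrator
2020-07-01T02:00:14,4625,3,203.0.113.50,backup
2020-07-01T02:00:20,4625,3,203.0.113.50,backup
2020-07-01T02:00:27,4625,3,203.0.113.50,backup
2020-07-01T02:00:40,4624,10,203.0.113.50,backup
2020-07-01T08:59:10,4625,10,198.51.100.7,jsmith
2020-07-01T08:59:30,4625,10,198.51.100.7,jsmith
2020-07-01T08:59:55,4624,10,198.51.100.7,jsmith
2020-07-01T09:15:00,4625,2,-,jsmith
"""

RDP_LOGON_TYPES = {"3", "10"}

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window."""
    recent = defaultdict(deque)  # source IP -> timestamps of failures still in window
    flagged = {}                 # source IP -> peak failure count and later successes
    for line in lines:
        ts, event_id, logon_type, ip, account = line.strip().split(",")
        if logon_type not in RDP_LOGON_TYPES:
            continue             # console and service logons are out of scope
        when = datetime.fromisoformat(ts)
        if event_id == "4625":
            fails = recent[ip]
            fails.append(when)
            while when - fails[0] > window:
                fails.popleft()  # drop failures that have aged out of the window
            if len(fails) >= threshold:
                entry = flagged.setdefault(ip, {"peak_failures": 0, "success_after": []})
                entry["peak_failures"] = max(entry["peak_failures"], len(fails))
        elif event_id == "4624" and ip in flagged:
            # A success from an address already guessing passwords needs urgent review.
            flagged[ip]["success_after"].append(account)
    return flagged

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()).items():
        print(ip, info)
```

The second address in the sample, a user who mistypes a password twice before logging in, stays below the threshold and is not reported.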
For enterprises, Dynamic Application Security Testing (DAST) can be an effective way to detect this type of malware. This system constantly scans your applications for vulnerabilities while they are being run to detect the threat of ransomware as early as possible.
3. WastedLocker Ransomware
WastedLocker is the latest in a series of ransomware variants used to target large corporations in the U.S. The use of this malware is most commonly attributed to the Evil Corp Gang, one of the largest ransomware operations in the world today.
WastedLocker has been developed from several earlier malware variants. The infamous Zeus banking trojan was developed by the same gang, as was the Locky ransomware that went after homeowners over four years ago.
In 2020, WastedLocker targeted large corporations. Generally, the attacks that have been launched using this malware have been tightly targeted toward specific corporations, all of which are in the U.S.
The most notable of these attacks was on Garmin, a navigation and smartwatch maker, which suffered a worldwide outage in July.
4. Tycoon Ransomware
The increased threat faced by educational and governmental organizations has been the news story of 2020, and the Tycoon ransomware has been at the forefront of this shift. This malware was first observed in the wild back in December 2019, and initially appeared to be a fairly benign, unusual example of a trojanized JRE.
Unfortunately, that was not the case. The malware managed to infect the machines of many workers forced to access their work networks from home, largely due to insufficient security on the VPN tools that staff were provided. Today, most consumer VPN services offer users the option to use either SHA512 authentication hashes or 2048-bit DHE RSA key exchanges, which are among the best encryption standards.
Many of the low-cost VPN apps being used by new remote workers, however, do not meet these encryption standards. This makes them particularly vulnerable to targeted attacks using Tycoon ransomware. As explained in our article on this malware, we were able to help some organizations to recover their data without paying the ransom.
5. Nuke Ransomware
Nuke ransomware is by far the oldest piece of malware on this list, but it is no less dangerous. This malware was first discovered back in 2016 and is generally delivered via an email phishing scam.
Once inside a victim’s machine, Nuke encrypts files using a 256-bit AES key. Once a file is encrypted, its name is changed to a character combination followed by a .nuclear55 extension. The AES key is itself protected by encrypting it asymmetrically with 2048-bit RSA.
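The rename pattern described above gives responders a simple way to scope the damage on a file share. The following is an added example, not code from the original article: it walks a directory tree, counts files carrying the .nuclear55 extension per directory, lists directories that still hold other files, and uses the oldest modification time among renamed files as a rough estimate of when encryption began. The function names and the sample tree are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

NUKE_EXT = ".nuclear55"  # extension named in the article

def scope_nuke_damage(root):
    """Summarise files under root that carry the Nuke extension."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "other": 0})
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(NUKE_EXT):
                per_dir[dirpath]["other"] += 1  # untouched data, or a ransom note
                continue
            per_dir[dirpath]["encrypted"] += 1
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # file vanished or became unreadable mid-scan
            earliest = mtime if earliest is None else min(earliest, mtime)
    hit = {d: c for d, c in per_dir.items() if c["encrypted"]}
    return {
        "total_encrypted": sum(c["encrypted"] for c in hit.values()),
        "by_directory": {os.path.relpath(d, root): c["encrypted"] for d, c in hit.items()},
        # Directories holding both kinds of file: encryption may have been interrupted.
        "mixed": sorted(os.path.relpath(d, root) for d, c in hit.items() if c["other"]),
        # Oldest modification time of a renamed file approximates when encryption began.
        "first_seen": (datetime.fromtimestamp(earliest, timezone.utc).isoformat()
                       if earliest is not None else None),
    }

def build_sample_tree(root):
    """Constructed sample tree; file names are made up for the demo."""
    layout = {"docs": ["a8Fk2.nuclear55", "Qz91x.nuclear55", "notes.txt"],
              "photos": ["Lm3Pp.nuclear55"], "clean": ["report.pdf"]}
    stamp = 1593568800  # 2020-07-01T02:00:00Z, constructed
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for i, name in enumerate(names):
            path = os.path.join(root, sub, name)
            open(path, "w").close()
            os.utime(path, (stamp + i, stamp + i))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scope_nuke_damage(tmp))
```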
Though 2020 was an unusual year for ransomware – with more malware, and increasingly sophisticated attacks, than ever before – it is unlikely to be an exception. Ransomware was on the rise long before 2020, and the way that ransomware has been used in the age of COVID-19 indicates it will become far more common in the coming few years. That’s why it’s important to protect yourself, your data, your staff, and your business today.
BlackBerry has the cybersecurity solutions and consulting services organizations need to transition seamlessly from a reactive to a prevention-first security posture. Read the best practices guide and learn more on ransomware protection and remediation.