Since the start of the global COVID-19 pandemic, cybersecurity researchers have shown that ransomware attacks have doubled over the past year. This in-part is due to more people working from home. With more people working from home, it creates an absence of cybersecurity measures that are not being followed. As organizations scramble to adapt, cyber criminals are taking advantage of this opportunity to exploit people’s fears and confusion to reach their goal.

Most ransomware follow a similar pattern.

1. The malware used to execute the attack is delivered via an online communication platform. Usually, it will come in the form of a malicious link or attachment that a user clicks on in order to install it unknowingly on the user’s system.
2. Once the malware makes it to the victim’s system, it will gain access to your files and start to encrypt them.
3. A message will usually pop up on the victim’s screen notifying them that their files have been encrypted and that they are required to pay a ransom in order to get them back.

With the above being said, here are the top 5 ransomware your organization should be looking out for.

1. REvil Ransomware

REvil is a relatively new ransomware that has been taking the world by storm recently. Some of its recent targets have been celebrities, the media, and entertainment lawyers specifically. Like most ransomware, REvil is a file-blocking virus that encrypts the victim’s files and spits out a message to inform the victim that a ransom needs to be paid in order to get their files back. What’s more, is that if the ransom isn’t paid in the allocated amount of time that the message states, the ransom will get doubled.

Additionally, the cyber criminals responsible for deploying this ransomware added an auction feature to a dark web website that allows other cyber criminals to bid on the information that’s been stolen. So not only can the criminals make off with the ransom but they could continue to auction it off to make even more money.

2. Ryuk Ransomware

Ryuk has been around for a few years and still remains to be one of the most active ransomwares out there. Like most other ransomware, Ryuk will infect the system, encrypt the system files and then display a ransom note instructing the victim to pay a ransom. The professionals that operate these attacks go by the name WIZARD SPIDER and share a common methodology of “Big Game Hunting”. This means that they only target large corporate enterprises that would be able to give them a large ransom payment. Ryuk uses a banking trojan known as TrickBot to harvest personal information such as banking information, account credentials, and any other personal identifiable information.

Fortunately, if you’re business is on the smaller to medium scale you shouldn’t have to worry about Ryuk wreaking havoc on your network.

3. Maze Ransomware

Maze ransomware is one of the most destructive ransomware attacks in 2020-2021 and is one of the most challenging ransomware organizations are facing today. The reason it’s so destructive is that before encrypting all of an organization’s files, they first steal them. After they steal the files, they threaten to publicize every file if the ransom isn’t paid on time. Even if a company does regular back ups (which they should) and refuses to pay the ransom, these cyber criminals will post everything online anyway.

According to Cisco Talos Incident Response engagements, the average life cycle of Maze would look something like this:

• Day 0 – 6 Initial Compromise. Administrative accounts get compromised
• Day 7 – 13 Additional Active Reconnaissance, data is typically stolen and upload to a file server
• Day 14 – 21 Maze ransomware starts to spread, taking down the network. This is when victims become aware.

4. DoppelPaymer Ransomware

What’s interesting about DoppelPaymer is that it originally had no intentions to be malicious and was to only be used for testing purposes. Unfortunately, 8 different variations (so far) of the ransomware have been discovered and attackers are using it to target organizations in critical industries.

What’s more is this ransomware uses command-line parameters in order to execute its routines. However, it’s been discovered that there are multiple parameters that can be entered thus giving different samples for researchers. This in-turn, makes it very challenging for security researchers to isolate the malware and reverse engineer it because it keeps changing.

5. Tycoon Ransomware

Tycoon is a relatively new ransomware type that mainly targets the education and software industries. What makes Tycoon unique is that it doesn’t act like any ordinary ransomware. The ransomware gets added to a trojanized version of the Java Runtime Environment. Not too much is known about this ransomware as the attackers use a multitude of techniques in order to stay hidden. What we do know, however, is that their victims have been limited

Once Tycoon is on the target system it starts by denying access to all administration accounts which then launches more attacks on file servers and domain controllers. Tycoon also really takes advantage of weak passwords which makes it especially important for these industries to have strong password polices.

Protect Yourself!

There are multiple ways your organization can prevent these types of attacks from occurring on the network. By following these tips, you can better strengthen the security posture of your organization:

• Keep your anti-virus software up to date. Most anti-virus manufacturers are constantly updating their malware database to prevent any new threats
• Implement an IDS/IPS on your network to react quicker to potential breaches
• Ensure you are doing proper and frequent backups of your data incase the breach does happen
• Never pay the ransom! It’s said that when you pay the ransom it funds the cyber criminals to do future crimes
• Educate yourself and employees on the threats of ransomware and what forms it can present itself in.