The Most Malicious Ransomwares Demanding Crypto to Watch Out For

Published at: July 4, 2020

As interconnectivity turns the world into a global village, cyberattacks are expectedly on the rise. According to reports, the tail end of last year saw a spike in the average amount of payments made to ransomware attackers, as several organizations were forced to pay millions of dollars to have their files released by malware attackers.

Apart from the fact that the current pandemic has left many individuals and corporations vulnerable to attacks, the notion that cryptocurrencies are an anonymous and untraceable payment method has led many ransomware attackers to demand payment in Bitcoin (BTC) and other altcoins. 

Just recently, a report published on June 23 by cybersecurity firm Fox-IT revealed a malware group named Evil Corp that has been on a rampage with new ransomware that demands that its victims pay a million dollars in Bitcoin.

The report also reveals that groups such as Evil Corp create ransomware that targets database services, cloud environments and file servers intending to disable or disrupt backup applications of a company’s infrastructure. On June 28, cybersecurity firm Symantec reported blocking a ransomware attack by Evil Corp that targeted about 30 United States firms demanding Bitcoin in payment.

These attempted attacks are just the most recent examples of the escalating threat of ransomware attacks. Below are some of the most malicious ransomware demanding payment in crypto.

WastedLocker 

WastedLocker is the latest ransomware created by Evil Corp, a group that has been active since 2007 and is regarded as one of the most lethal cybercrime teams. After the indictment of two alleged members of the group, Igor Turashev and Maksim Yakubets, in connection to the Bugat/Dridex and Zeus banking trojans, Evil Corp reportedly reduced its activity.

However, researchers now believe that, as of May 2020, the group has resumed its attacks, with the WastedLocker malware as its latest creation. The malware is named “WastedLocker” after the filename it creates, which appends an abbreviation of the victim’s name to the word “wasted.”

By disabling and disrupting backup applications, database services and cloud environments, WastedLocker prevents its victims from recovering their files for a longer period of time, even where an offline backup is set up. In cases where a company lacks offline backup systems, recovery can be prevented indefinitely.

Researchers note, however, that unlike other ransomware operators that leak victims’ information, Evil Corp has not threatened to publish victims’ data, in order to avoid attracting public attention to itself.

DoppelPaymer 

DoppelPaymer is ransomware designed to encrypt its target’s files, preventing access to them and thereby pressuring the victim to pay a ransom for decryption. Used by an eCrime group called INDRIK SPIDER, the DoppelPaymer malware is a variant of the BitPaymer ransomware and was first identified in 2019 by endpoint protection company CrowdStrike.

Recently, the ransomware was used in an attack against the City of Torrance in California. More than 200 GB of data was stolen, with the attackers demanding 100 Bitcoin in ransom. 

Other reports reveal that the same malware was used to attack the information technology system of a city in the state of Alabama. The attackers threatened to publish citizens’ private data online unless they were paid $300,000 in Bitcoin. The attack came after warnings from a cybersecurity firm based in Wisconsin. A cybersecurity specialist analyzing the case said that the attack, which brought down the city’s email system, was made possible through the username of a computer belonging to the city’s manager of information systems.

Data from Chainalysis shows that the DoppelPaymer malware is responsible for one of the largest payouts, one of only two to reach the $100,000 mark.

Dridex

According to a report by cybersecurity provider Check Point, the Dridex malware entered the top-10 list of malware for the first time in March 2020, after first appearing in 2011. The malware, also known as Bugat and Cridex, specializes in stealing bank credentials using macros in Microsoft Word documents.

However, new variants of the malware go beyond Microsoft Word and now target the entire Windows platform. Researchers note that the malware can be lucrative for criminals thanks to its sophistication, and is now being used as a ransomware downloader.

Even though last year saw the takedown of a botnet linked to Dridex, experts believe that such successes are often short-lived, as other crime groups can pick up the malware and use it for other attacks. However, the ongoing global pandemic has further escalated the use of malware such as Dridex, easily executed through email phishing attacks, as more people are required to stay and work from home.

Ryuk 

Another malware that has resurfaced as a result of the coronavirus pandemic is the Ryuk ransomware, which is known for targeting hospitals. On March 27, a spokesman for a UK-based IT security firm confirmed that despite the global pandemic, Ryuk ransomware is still being used to target hospitals. Like most cyberattacks, Ryuk is distributed via spam emails or geo-based download functions.

The Ryuk malware is a variant of Hermes, which is linked to the SWIFT attack in October 2017. It is believed that the attackers who have been using Ryuk since August have pulled in over 700 Bitcoin across 52 transactions. 

REvil

As the ransomware landscape continues to be overcrowded by novel malicious solutions, cybercriminal groups such as the REvil (Sodinokibi) ransomware gang have seemingly evolved with the times with increased sophistication of their operation. The REvil gang operates as a RaaS (Ransomware-as-a-Service) and creates malware strains that it sells to other criminal groups. 

A report by the security team at KPN reveals that the REvil malware has infected more than 150,000 unique computers across the globe. Yet these infections emerged from a sample of only 148 strains of the REvil ransomware. Each strain is tailored to the infrastructure of the target company’s network to increase the chances of infection.

Recently, the notorious REvil ransomware gang launched an auction to sell off stolen data from companies unable to pay the ransom with prices starting at $50,000 payable in Monero (XMR). Out of privacy concerns, the REvil gang switched from demanding payment in Bitcoin to Monero, a privacy-centric cryptocurrency.

As one of the most active and aggressive ransomware operators, the REvil gang is primarily targeting corporations, encrypting their files and asking for astronomical fees averaging about $260,000.

PonyFinal

On May 27, Microsoft’s security team revealed in a series of tweets information regarding a new ransomware called “Pony Final,” which uses brute force to get access to its target network infrastructure to deploy ransomware.

Unlike most malware, which uses phishing links and emails to trick the user into launching the payload, PonyFinal is distributed using a combination of a Java Runtime Environment and MSI files that deliver the malware with a loader that is activated manually by the attacker. Like Ryuk, PonyFinal is mainly being used to attack healthcare institutions amid the COVID-19 crisis.

Declining payouts

Despite the overall increase in the number of cyberattacks, experts believe there is a decrease in the number of successful attacks, since for many corporations a ransomware attack amid a global pandemic is proving to be the final blow, leaving them unable to pay the ransom.

This is evident in a report published by malware lab Emsisoft on April 21, revealing a significant drop in the number of successful ransomware attacks in the U.S. Likewise, a Chainalysis report published in April found a significant decrease in ransomware payments since the coronavirus pandemic intensified in the U.S. and Europe. 

So it seems that despite the growing number of attacks, victims are not paying the ransoms, leaving criminal groups like REvil with no other option but to auction off the stolen data. It is also likely that the call for employees to work from home has paradoxically posed a new challenge for hackers. Speaking to Cointelegraph, Emsisoft’s threat analyst Brett Callow stated:

“It’s very obvious to ransomware attackers that they’ve got a potentially valuable target when they hit a corporate endpoint. It may however be less obvious when they hit a personal device that an employee is using while working remotely, and which is only connected to corporate resources on an intermittent basis.”
