Ransomware - the new biggest cyber threat?


Despite being one of the biggest threats to organisations, there isn’t a lot of information about the different types of ransomware, or about how to identify and differentiate between them. We’re going to explain three different types of ransomware, one of which was active as recently as June 2021, and which category of ransomware each falls into.

WannaCry – still active as of 18th June 2021

This ransomware is true to its name: it really does make people want to cry. WannaCry uses the EternalBlue exploit (the underlying vulnerability is now commonly referred to by its patch identifier, MS17-010, after Microsoft released the fix) against Microsoft’s SMBv1 protocol. This sounds very technical, but essentially the protocol provides shared access to files, printers and ports, allowing Windows machines to talk to other Windows machines. SMBv1 can still be found installed by default in some versions of Windows 10, meaning this exploit is alive and well. Make sure your operating system is up to date, as Microsoft have released a lot of patches to resolve this issue.

WannaCry has an extremely interesting feature: a built-in kill switch. Two researchers in the UK working for a Los Angeles-based cybersecurity firm found that registering a certain domain massively reduced WannaCry’s ability to spread. The URL for the domain was hard-coded (embedded) in the source code. When first infecting a new machine, the WannaCry program looks for the URL. If the domain has been registered, it shuts itself off: the ransomware may still run, but it doesn’t hold anything for ransom. If the domain is unregistered, the program proceeds to finish installation and the ransom note appears.

At its peak, WannaCry used this vulnerability to crypto-lock files across thousands of computers internationally. A crypto-lock means that in order to get their files back, the victims have to pay a ransom in cryptocurrency, e.g. Bitcoin. In this case, victims were told to pay 300 dollars’ worth of Bitcoin. If it wasn’t paid, the demand doubled to $600 worth. After 3 days, if the ransom still wasn’t paid, files and data would be deleted. WannaCry has cost an estimated $4 billion globally.

Ryuk – still active as of 3rd March 2021

Ryuk has been around for quite a few years now, but shows no signs of slowing down. It is distributed by TrickBot, a Trojan used to steal or capture banking credentials. TrickBot is deployed through phishing emails or Emotet (another banking Trojan).

Once in the system, Ryuk leaves a ransom note with detailed instructions on how to recover the crypto-locked files. This note typically contains an email address to contact the hacker, as well as a Bitcoin wallet. However, recent Ryuk samples no longer include the Bitcoin wallet straight away, which means the victim has to reach out to the email address in order to get the wallet, and hopefully their files. That was the old Ryuk; the new version is a lot more sinister. The newer versions of Ryuk contain a worm-like infection. But what does this mean? The creators of Ryuk used scheduled tasks in Windows 10 to replicate copies of itself across a network. Scheduled tasks allow a user to schedule launches of programs or scripts at selected times. This is possibly the worst feature the creators could have added, as it massively decreases the time it takes to infect a whole network.
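From the defender’s side, the scheduled-task spreading described above leaves a trail in the Windows Security log. The following Python script is an added example, not code from the original post or from any Ryuk sample: it scans constructed, one-line-per-event log entries for task creation (Event ID 4698, the real Windows "A scheduled task was created" event) and flags any task name that appears on several distinct hosts within a few minutes, which is the fan-out pattern of a worm pushing the same task across a network. Hostnames, users, task names and paths in the sample are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log lines (Event ID 4698, "A scheduled task was
# created"), flattened to one event per line. Hosts, users, task names and
# paths are invented for this example.
SAMPLE_EVENTS = """\
2021-03-03T09:58:02Z host=WS-01 event=4698 user=CORP\\jsmith task=\\Adobe\\AcrobatUpdate command=C:\\Program Files\\Adobe\\update.exe
2021-03-03T10:01:10Z host=WS-07 event=4698 user=CORP\\admin task=\\SvcUpdate command=C:\\Users\\Public\\rep.exe
2021-03-03T10:01:12Z host=WS-12 event=4698 user=CORP\\admin task=\\SvcUpdate command=C:\\Users\\Public\\rep.exe
2021-03-03T10:01:15Z host=FS-02 event=4698 user=CORP\\admin task=\\SvcUpdate command=C:\\Users\\Public\\rep.exe
2021-03-03T10:01:19Z host=DC-01 event=4698 user=CORP\\admin task=\\SvcUpdate command=C:\\Users\\Public\\rep.exe
2021-03-03T14:30:00Z host=WS-03 event=4698 user=CORP\\bjones task=\\Backup command=C:\\Tools\\backup.exe
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=4698 "
                      r"user=(?P<user>\S+) task=(?P<task>\S+) command=(?P<cmd>.+)$")

def parse_events(text):
    """Parse the flattened log lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def find_task_bursts(events, min_hosts=3, window=timedelta(minutes=5)):
    """Map task name -> sorted hosts for any task created on at least
    min_hosts distinct hosts inside a sliding time window."""
    by_task = defaultdict(list)
    for e in events:
        by_task[e["task"]].append(e)
    bursts = {}
    for task, evs in by_task.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until it covers at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                bursts[task] = sorted(hosts)
    return bursts
```

On the sample, only the task pushed to four machines within nine seconds is reported; a legitimate one-off task on a single host is not.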


The two previous types of ransomware are crypto-ransomware: the files/data are encrypted and may be unlocked by paying the ransom. Our last example is a locker/wiper, and one of the best known in the cyber industry - NotPetya.

NotPetya – unknown if still active

This was perhaps the most fascinating to research. NotPetya appeared shortly after WannaCry, and the effects were just as devastating. NotPetya is a locker/wiper, meaning that not only is this malware able to lock the user out of the machine, but it can also wipe the data completely. Similarly to WannaCry, NotPetya uses the EternalBlue exploit. It also uses accounting software commonly used in Ukraine called Medoc, as well as another MS17-010 exploit called EternalRomance. In short, EternalRomance runs a remote code execution attack, which means a hacker can run code with system-level privileges on a server.

There are a couple of key features in NotPetya that make it so dangerous. First, NotPetya runs Mischa. Mischa was part of the original Petya ransomware; it encrypts and permanently damages individual files, leaving them beyond repair. Next, it reboots the operating system and then encrypts the Master File Table (MFT). The MFT is a database of all files, and includes details such as size, time and date.

After encrypting the MFT, NotPetya makes the Master Boot Record (MBR) completely unusable. The MBR provides the information needed to load the operating system, along with the partition layout of a storage device, e.g. a hard drive. The MBR is then overwritten with a ransom note, leaving the operating system unbootable.
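To make the MBR part concrete from the defender’s side, here is an added Python example (not from the original post or any NotPetya analysis): it builds a constructed, well-formed MBR, decodes its partition table, and compares sector 0 against a known-good SHA-256 baseline, so a wiped or ransom-note-overwritten MBR like the one described shows up as a finding. Reading the real sector 0 from disk is left to the operator; the offsets used (boot code at 0, partition table at 446, 0x55AA signature at 510) are the standard MBR layout.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of every valid MBR
TABLE_OFFSET = 446             # four 16-byte partition entries follow the boot code
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sectors

def build_sample_mbr():
    """Construct a minimal well-formed MBR for this example: a stub boot
    code area, one bootable NTFS partition entry, and the boot signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x00" * 443          # constructed filler
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x02\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2097152)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE

def parse_partitions(mbr):
    """Decode the partition table into dicts, skipping empty entries."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts

def baseline_of(mbr):
    """SHA-256 of sector 0, recorded while the machine is known-good."""
    return hashlib.sha256(mbr).hexdigest()

def check_mbr(mbr, baseline_sha256):
    """Return findings; an empty list means sector 0 still matches the
    baseline and still looks like something the firmware can boot."""
    if len(mbr) != MBR_SIZE:
        return ["wrong size"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature missing")
    if not any(p["bootable"] for p in parse_partitions(mbr)):
        findings.append("no bootable partition")
    if baseline_of(mbr) != baseline_sha256:
        findings.append("boot code or partition table changed since baseline")
    return findings
```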

However, while NotPetya does display a ransom note, it isn’t all it seems. It looks exactly like ransomware, acts like locker ransomware, and even has a Bitcoin wallet. But this wallet was hard-coded just like the URL in WannaCry, so the wallet wasn’t easily found. It’s clear financial gain wasn’t the motive for this attack; some say (this is only alleged) that it was a state-sponsored cyberattack by Russia.
