What Is Ransomware?

Ransomware is a type of malicious software used by cyber-criminals to hold data hostage for a ransom, requiring payment before the victim gets the files back. The software usually works by encrypting the data and offering the decryption key only once the ransom has been paid. Since it first appeared, ransomware has grown and evolved rapidly, infecting individual users and companies alike. Statista reports a total of 236.1 million ransomware attacks worldwide during the first half of 2022.

Another report estimates that 71% of companies worldwide were affected by ransomware in 2022 alone, and that 62.9% of the victims paid the ransom. So, let’s delve further into this cyber menace.

Major Ransomware Attacks

Ransomware attackers keep modifying and innovating their tooling, taking advantage of the anonymity and fast-changing nature of most online environments. The following are some of the most notable attacks of recent years.

WannaCry Attack – May 2017

The WannaCry ransomware exploded onto the scene in May 2017. Early reports counted at least 75,000 infected computers across 99 countries, with hospitals and businesses affected, and it eventually hit around 230,000 computers globally. WannaCry targeted computers running Microsoft Windows: it spread on its own as a worm through the EternalBlue exploit of the SMBv1 service, for which Microsoft had released the MS17-010 patch two months earlier, then encrypted essential data and extorted Bitcoin payments for its return. In 2018, WannaCry also hit Taiwan Semiconductor Manufacturing Company, the world’s largest contract chipmaker.

Acer Attack – March 2021

The Taiwanese computer giant Acer was the victim of a ransomware attack in March 2021 in which a US$50 million ransom was demanded, the largest known ransom demand of any victim at that time. The REvil ransomware gang took credit for the breach and, as proof, published images of financial statements and other documents allegedly stolen from the company.

Brenntag Attack – May 2021

The German chemical distributor Brenntag SE reportedly paid a US$4.4 million ransom in Bitcoin to the DarkSide ransomware gang on May 11, 2021 to obtain a decryptor for files encrypted during the attack on the company. The threat actors encrypted devices on the network and claimed to have stolen 150 GB of data, which they backed up by creating a private data-leak page with a description of the data taken and screenshots of files.

Colonial Pipeline Attack – May 2021

At the beginning of May 2021, the Colonial Pipeline Company announced that it had fallen victim to a ransomware attack. The company took its affected IT assets offline and also shut down its main pipeline, which transports around 100 million gallons of fuel every day between Texas and New York. While assisting Colonial Pipeline with its recovery, the FBI confirmed that the DarkSide ransomware gang was responsible for the attack.

Accenture Attack – August 2021

The global IT consultancy giant Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack in August 2021. As reported by Bleeping Computer, the ransomware gang claimed to have stolen six terabytes of data from Accenture’s network and demanded a US$50 million ransom. In September, the company denied the LockBit gang’s claim that it had also stolen credentials belonging to Accenture customers that would enable attacks on their networks.

Ultimate Kronos Group Attack – December 2021

Ultimate Kronos Group, one of the largest human resources companies, disclosed a crippling ransomware attack in December 2021 that affected payroll systems for workers across many industries. According to NBC News, the company said that its cloud-hosted services, including those used by Whole Foods, Honda, and local governments to pay their employees, would be unavailable for several weeks. In a statement, the city of Cleveland warned that sensitive employee information, such as names, addresses, and the last four digits of Social Security numbers, may have been compromised in the attack.

Nvidia Attack - February 2022

Nvidia, the world’s largest semiconductor chip company, was compromised by a cyber-attack in February 2022. The California-based company confirmed that the threat actor had started leaking employee credentials and proprietary information online. The Lapsus$ hacking gang took responsibility for the attack, claimed to have 1 TB of sensitive company data, and demanded a US$1 million ransom plus a percentage of an unspecified fee from Nvidia. In January, Lapsus$ had also claimed credit for the ransomware attack on Impresa, Portugal’s largest media conglomerate.

Costa Rican Attack – April 2022

The Costa Rican president declared a state of emergency after the Conti ransomware attack threw the country into chaos in April 2022. The attack affected healthcare systems in the middle of COVID-19 testing and will likely have lasting effects on the country.

Nikkei Group Asia Attack – May 2022

Lastly, the media giant Nikkei Group’s Singapore-based headquarters was also the victim of a ransomware attack in May 2022. Unauthorized access to its internal servers was noticed and the company discovered a breach, stating that customer data had likely been affected. This followed a 2019 incident in which an employee was given fraudulent instructions to transfer money to a third party through a business email compromise (BEC) scam, costing the organization approximately US$29 million.

Most of these attacks were carried out by groups that use Ransomware-as-a-Service (RaaS) models. These resemble software-as-a-service frameworks: the operators develop and maintain the ransomware together with its payment and leak-site infrastructure, while affiliates pay for access (or hand over a share of each ransom) and take care of breaking into victim networks and deploying the malware.

Ransomware Known to Date

Successful attacks depend on ransomware that keeps evolving, so the rate at which new families appear is worth watching. According to Statista, there were 78 newly discovered ransomware families in 2021, a 39% year-over-year decrease compared to the 127 newly discovered ransomware families detected in 2020.

Year    New ransomware families found
2015    29
2016    247
2017    327
2018    222
2019    95
2020    127
2021    78

Sourced from Statista

The number of new families found fluctuates from year to year depending on a number of factors, including emerging technologies, vulnerabilities in widely used systems, and the cybersecurity practices followed and legislated at the time.

CryptoLocker

CryptoLocker is malware that targets computers running the Microsoft Windows operating system and is typically spread as an email attachment, often as part of a phishing scam. The CryptoLocker ransomware was used to attack the Italian vaccine system in September of this year.

Sangfor Engine Zero, with its multi-stage AI analysis engine, can detect CryptoLocker variants and is available on both the Next Generation Firewall (NGAF) and Endpoint Secure platforms. On the NGAF firewall, Engine Zero detects CryptoLocker malware files that may be embedded in email attachments; on Endpoint Secure it detects and removes CryptoLocker files on the endpoint before they can be activated.

Petya

The Petya ransomware variant was first seen in 2016 and targets Microsoft Windows-based systems. Rather than encrypting individual files, the malware encrypts the disk’s master file table and replaces the master boot record with a ransom note, rendering the computer unusable until the ransom is paid. It later evolved to include direct file encryption as a fallback, and a modified version named NotPetya, which spread worldwide in June 2017, could not restore victims’ data even when they paid, so it is generally treated as a wiper rather than true ransomware. Petya was among the first ransomware variants to be offered as part of a ransomware-as-a-service operation.

Onyx

Onyx is a newer malware based on Conti ransomware and was at first believed to be a potential wiper. According to Bleeping Computer, Onyx encrypts smaller files but overwrites files larger than 2 MB with junk data instead of encrypting them, which means those files cannot be recovered even if a ransom is paid. That destructive behaviour is why cybersecurity specialists are adamant that victims should not pay the ransom demanded.

Hive

The US Cybersecurity and Infrastructure Security Agency (CISA) released a warning about the Hive ransomware, stating that FBI information showed it had victimized over 1,300 companies worldwide and received approximately US$100 million in ransom payments as of November 2022. Hive threat actors gain access to networks by distributing phishing emails with malicious attachments or by logging in with single-factor credentials over remote access protocols such as RDP and VPN.


Sourced from the US Cybersecurity and Infrastructure Security Agency page

Zeppelin

According to the FBI, the Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and operates as Ransomware as a Service (RaaS). Its threat actors request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars. The malware installs itself in a temporary folder named “.zeppelin”, spreads throughout the infected device and then begins encrypting files. Afterward, a note opens in Notepad informing the victim that they have been attacked and that a ransom must be paid for the return of their data.

CISA released another advisory about a ransomware that relies on weaknesses in Remote Desktop Protocol (RDP) deployments to gain access to a network. After encrypting the data, it leaves a ransom note with communication instructions in every folder containing an encrypted file, along with payment details for a specific Bitcoin wallet address.

Ransomware is constantly evolving and finding new ways to infiltrate networks. While it may seem that individuals can do little when big companies are breached, people can implement proper cybersecurity measures on a smaller scale to reduce the chance that they become the next victim of a ransomware attack.

The Sangfor Solution for Ransomware Attacks

Sangfor Technologies is a world-class cybersecurity and cloud computing company that offers comprehensive, advanced anti-ransomware protection and state-of-the-art IT infrastructure.

Ransomware detection and prevention have never been simpler with this integrated solution, which brings together several advanced Sangfor products:

Next-Generation Firewall (NGFW)

Sangfor’s ransomware solution uses an advanced network security firewall for comprehensive and integrated monitoring and protection of your entire network, working together with Endpoint Secure to root out malicious threats.

Cyber Command NDR

Sangfor’s network detection and response solution provides automated responses to threats, using AI and machine learning to help your company isolate, analyze and eliminate potential threats before they can spread through your environment.

Sangfor Endpoint Secure

Sangfor Endpoint Secure is a potent ransomware prevention solution: it plants ransomware honeypot (decoy) files to quickly identify and kill file-encryption processes before major damage is done.
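The decoy-file (honeypot) detection idea above, shown as an added example that is not Sangfor’s Endpoint Secure code and not part of the original page. It plants two decoy files with random content, records their SHA-256 digests, and reports any decoy that is later modified, renamed or deleted; an entropy heuristic covers ordinary files that are not decoys. The decoy names, the 7.5 bits-per-byte threshold, the constructed sample document and the simulated encryptor (a SHA-256 counter keystream, a stand-in for real ransomware) are all assumptions made for this example. A real agent would also hook file-change notifications and terminate the writing process, which this example does not do.

```python
"""Decoy-file ransomware detection, illustrative only (added example, not
Sangfor's code). Decoy names, entropy threshold and the simulated encryptor
are assumptions made for this demonstration."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical decoy names chosen to sort first and last, so a process that
# walks a directory in order touches a decoy before most real files.
DECOY_NAMES = ("000_finance_archive.docx", "zzz_passwords_backup.xlsx")
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption, tune per file type


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, ~4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_decoys(directory: Path) -> dict:
    """Create decoy files with random content; return path -> SHA-256 baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        path = directory / name
        data = os.urandom(4096)
        path.write_bytes(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return decoys that were modified, renamed or deleted since planting."""
    tampered = []
    for path, digest in baseline.items():
        if not path.exists() or hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            tampered.append(path)
    return tampered


def looks_encrypted(path: Path) -> bool:
    """Entropy heuristic for files that are not decoys."""
    return shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for an encryptor: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def simulate_ransomware(directory: Path) -> None:
    """Constructed attacker behaviour: encrypt every file and append '.locked'."""
    key = os.urandom(16)
    for p in sorted(directory.iterdir()):  # list is materialised before renaming
        p.write_bytes(keystream_xor(p.read_bytes(), key))
        p.rename(p.with_name(p.name + ".locked"))


def demo() -> dict:
    """Plant decoys beside a constructed user document, run the simulated
    encryptor, and report what the monitor sees before and after."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        doc = d / "quarterly_report.txt"
        doc.write_bytes(b"Revenue up 4% quarter over quarter. " * 120)  # constructed sample
        baseline = plant_decoys(d)
        before = {"tampered": len(check_decoys(baseline)),
                  "doc_encrypted": looks_encrypted(doc)}
        simulate_ransomware(d)
        after = {"tampered": len(check_decoys(baseline)),
                 "doc_encrypted": looks_encrypted(d / (doc.name + ".locked"))}
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Running the block prints that no decoy is tampered and the document looks like plain text before the simulated attack, and that both decoys are tampered (renamed) and the document’s contents look like ciphertext afterwards. The decoy check is the reliable signal: a tampered decoy has no legitimate explanation, whereas the entropy heuristic can misfire on already-compressed or encrypted user files such as ZIP archives, so it should only corroborate, not trigger on its own.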