The NJCCIC has profiled a total of 181 ransomware variants since June of 2015. 88 of those ransomware variants have known decryption tools or remediation solutions. Detailed profiles on each variant are available below, along with more information and mitigation strategies.
Known RANSOMWARE VARIANTs
The below list is not exhaustive and is meant to provide an overview of the most prevalent ransomware variants impacting US victims. This page is updated regularly with new information. Ransomware variants with an *asterisk appended to its name have known decryption tools or remediation solutions.
What is Ransomware?
Ransomware is a type of malicious software (malware) that attempts to extort money from victims by restricting access to a computer system or files. The most prevalent form of this profit-motivated malware is crypto-ransomware, which encrypts files into encoded messages that can only be decrypted (decoded) with a key held by the malicious actor.
How does ransomware work?
- Ransomware infections occur when a user opens a malicious email attachment, clicks on a malicious link, or visits a website infected with malicious code, known as a drive-by download.
- Once a system is infected, the ransomware contacts a command and control (C2) server to generate an encryption key and begins encrypting files on the victim’s machine.
- The ransomware runs quietly in the background performing in-depth searches of all disk folders, including removable drives and network shares, and encrypts as many files as it can.
- Ransomware may also delete Shadow Volume Copies, destroy restore points, and overwrite free disk space to prevent victims from recovering their files and systems without paying the ransom.
- If a system is powered off as files are being encrypted, some ransomware variants resume where they left off when the system or device is powered on again.
- After files are encrypted, a ransom note is displayed on the screen with instructions on how and where to pay the ransom and the length of time before the hacker or software destroys the decryption key.
- Some recent variants offer victims a ‘second chance’ to pay after the initial timer expires; however, the ‘second chance’ is often at least double the original ransom amount.
- If the victim pays the ransom, the malware is supposed to contact the C2 server for the decryption key and begin decrypting the victim’s files; however, in many cases, the files are never decrypted.
- Some ransomware files can delete themselves in order to avoid detection and analysis by security researchers or law enforcement.
RANSOMWARE Mitigation strategies
For many organizations, preventing ransomware entirely is nearly impossible, however, the impact of a successful infection can be greatly reduced if a robust data backup process is in place. Comprehensive data backups should be scheduled as often as possible and must be kept offline in a separate and secure location. The most effective method to prevent ransomware infections is to conduct regular training and awareness exercises with all employees to ensure users are proficient in safe Internet-browsing techniques and the ability to identify phishing emails. For specific recommendations for data protection, systems management, network management, mobile device management, and post-infection remediation click below:
To counteract ransomware variants that modify the Master Boot Record (MBR) and encrypt the Master File Table (MFT), Cisco Talos has released a Windows disk filter driver called MBRFilter, available on GitHub here.
Cybersecurity company, Cybereason, has released a free application called RansomFree designed to monitor files and folders for changes and stop encryption processes related to over 40 ransomware variants. More information about how RansomFree works can be found on Bleeping Computer. Other ransomware prevention software includes Bitdefender’s Anti-Ransomware Tool and Cryptostalker, which runs on Windows, Linux, and OSX.
CryptoSearch, has been developed by security researcher Michael Gillespie that automates the process for finding files encrypted by ransomware and provides the option of copying or moving the files to a new location. Victims who have been impacted by a variant for which there is currently no free decryption tool available may want to use CryptoSearch to locate and store encrypted files until a later date when a decryption solution may become available.
The NJCCIC makes no claim as to the effectiveness of these tools and users are advised to exercise caution when downloading and installing any software from the internet.
If you or your organization is the victim of a ransomware infection, please contact a Cyber Liaison Officer at firstname.lastname@example.org.