
Ransomware Attack
Topics covered previously

1. What is a ransomware attack?

2. History of ransomware attacks

3. Types of ransomware attacks


Some Recent Cases of Ransomware Attacks
Fujifilm (June 2021)

• FUJIFILM Corporation confirmed that it suffered a ransomware attack that disrupted its business operations in the late evening of June 1, 2021.
• The company shut down all networks and servers to determine the extent and scale of the attack, and suspended all affected systems in coordination with its various global entities.
• FUJIFILM confirmed that the impact of the unauthorized access was confined to a specific network in Japan.
Intel's Habana Labs (13th December 2020)
• Intel-owned AI processor developer Habana Labs suffered a cyberattack in which data was stolen and leaked by threat actors.
• The Pay2Key ransomware operation leaked data allegedly stolen from Habana Labs during the attack. This data includes Windows domain account information, DNS zone information for the domain, and a file listing from its Gerrit development code review system.
• In addition to the content posted on their data leak site, the Pay2Key operators have leaked business documents and screenshots of source code.
• It is not known what ransom demands are being made, if any, to stop the leaking of data.
• It is believed that this attack was not meant to generate revenue for the threat actors but rather to cause havoc for Israeli interests.
Shirbit (November 2020)

• On Dec. 1, the Israel National Cyber Directorate (INCD) and the Capital Market Authority announced that Shirbit Insurance, an Israeli insurance provider that serves many government employees, was the victim of a vaguely described “data breach event” that they had started investigating on Nov. 30.
• Black Shadow initially demanded 50 Bitcoin in exchange for not publishing the company’s sensitive client information. After Shirbit missed the first payment deadline, the demand rose to 100 BTC and, later, 200 BTC.
• Because Shirbit’s representatives refused to play ball, the hackers have since released not one but three large batches of information via their Telegram channel. The Times of Israel reports that the attackers may have sold at least some of the stolen data to an unknown third party.
Top 5 Ransomware Attacks to Watch Out for in 2021
Maze Ransomware

• Maze is currently the most infamous ransomware threat to enterprises worldwide. It was previously known as “ChaCha ransomware” and was discovered by Jerome Segura on May 29, 2019.
• Maze encrypts all files and demands a ransom to recover them.
• It threatens to release the stolen information on the internet if the victim fails to pay the demanded ransom.
• Large companies that have suffered Maze ransomware attacks include Cognizant, Xerox and, allegedly, Canon.
REvil Ransomware
• REvil is file-encrypting ransomware: after infecting a system it encrypts the victim’s files and leaves a ransom message. The message explains that the victim is required to pay the requested ransom in Bitcoin; if the victim fails to pay in time, the demand is doubled.
• This ransomware operation is also known for targeting A-list celebrities and leaking their data on the dark web.
• According to The Times, a series of screenshots, including a legal document from Madonna’s tour contract and dozens of computer files belonging to celebrities such as Bruce Springsteen, Bette Midler, and Barbra Streisand, were leaked.
Ryuk Ransomware
• Ryuk is one of the most active ransomware families and among the biggest players. It is a type of crypto-ransomware that blocks access to a file, system, or device by using encryption until the ransom is paid.

• It uses either TrickBot or other means, such as Remote Desktop Services, to gain unauthorized access to a system. It uses strong encryption algorithms such as RSA and AES to encrypt files, with a unique key for each executable.

• Ryuk mainly targets large businesses and government agencies that can pay huge ransoms. A US-based Fortune 500 company, EMCOR, is one of the victims of this particular ransomware, which took down some of its IT systems.
Tycoon Ransomware
• Tycoon is a recently discovered ransomware strain written in Java. It has been targeting several organizations in the education and software industries.
• It is considered unusual because it is deployed inside a trojanized version of the Java Runtime Environment.
• Tycoon denies access to the administrator after it infects the system, following an attack on the file servers and domain controller.
• It takes advantage of weak or compromised passwords, a common attack vector for compromising servers with malware.
NetWalker Ransomware
• NetWalker, also known as Mailto, is one of the newest variants in the ransomware family. Various remote workers, enterprises, government agencies and healthcare organizations reported being attacked by NetWalker last year.
• NetWalker compromises the victim’s network and encrypts all the Windows devices connected to it.
• When executed, it uses an embedded configuration that includes ransom notes, file names, and several configuration options.
• According to security researchers, this ransomware spreads in two ways:
  • through a VBS script attached to Coronavirus-themed phishing emails;
  • through executable files that spread across networks.
Ransomware Prevention and Protection

1. Endpoint Protection

Modern endpoint protection platforms provide next-generation antivirus (NGAV), which protects against evasive or obfuscated ransomware, fileless attacks like WannaCry, and zero-day malware whose signature is not yet present in malware databases. They also offer device firewalls and Endpoint Detection and Response (EDR) capabilities, which help security teams detect and block attacks occurring on endpoints in real time.
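One behavioural signal an EDR can act on in real time is a single process writing or renaming many files across many folders within seconds, which is what mass encryption looks like on disk. The script below is an added illustration of that heuristic and is not code from the page or from any EDR product; the telemetry format, the process names, the thresholds and the known-good list are all constructed for the demo.

```python
from collections import defaultdict, namedtuple

# Constructed sample file-activity telemetry (not output of any real EDR):
# "<unix_ts> <pid> <process> <op> <path>", one event per line. winword.exe edits
# one document; upd4te.exe rewrites and renames files across three folders in a
# few seconds, the mass-encryption pattern; backup.exe legitimately writes many
# files too, which is why a known-good list is needed.
SAMPLE_EVENTS = r"""
1000 1010 winword.exe write C:\Users\ann\Documents\budget.docx
1003 1010 winword.exe write C:\Users\ann\Documents\budget.docx
1010 4242 upd4te.exe write C:\Users\ann\Documents\budget.docx
1010 4242 upd4te.exe rename C:\Users\ann\Documents\budget.docx.locked
1011 4242 upd4te.exe write C:\Users\ann\Documents\notes.txt
1011 4242 upd4te.exe rename C:\Users\ann\Documents\notes.txt.locked
1012 4242 upd4te.exe write C:\Users\ann\Pictures\cat.jpg
1012 4242 upd4te.exe rename C:\Users\ann\Pictures\cat.jpg.locked
1013 4242 upd4te.exe write C:\Users\ann\Pictures\dog.jpg
1013 4242 upd4te.exe rename C:\Users\ann\Pictures\dog.jpg.locked
1014 4242 upd4te.exe write C:\Users\ann\Desktop\README.txt
1020 3001 backup.exe write D:\Backups\Documents\budget.docx
1020 3001 backup.exe write D:\Backups\Documents\notes.txt
1021 3001 backup.exe write D:\Backups\Pictures\cat.jpg
1021 3001 backup.exe write D:\Backups\Pictures\dog.jpg
1022 3001 backup.exe write D:\Backups\Desktop\README.txt
"""

Event = namedtuple("Event", "ts pid proc op path")
Alert = namedtuple("Alert", "proc files dirs")

# Thresholds are assumptions for the demo; a real deployment tunes them.
WINDOW_SECONDS = 10   # sliding window length
MIN_FILES = 5         # distinct paths written/renamed inside one window
MIN_DIRS = 2          # distinct directories touched inside that window


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, op, path = line.split(" ", 4)
        events.append(Event(int(ts), int(pid), proc, op, path))
    return events


def parent_dir(path):
    return path.rsplit("\\", 1)[0]


def find_mass_writers(events, window=WINDOW_SECONDS, min_files=MIN_FILES,
                      min_dirs=MIN_DIRS, known_good=frozenset()):
    """Return {pid: Alert} for processes that, in some window of `window`
    seconds, wrote or renamed at least `min_files` distinct paths spread over
    at least `min_dirs` directories. Processes in `known_good` are skipped."""
    by_proc = defaultdict(list)
    for e in events:
        if e.op in ("write", "rename") and e.proc.lower() not in known_good:
            by_proc[(e.pid, e.proc)].append(e)

    alerts = {}
    for (pid, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        peak = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window` seconds
            while evs[end].ts - evs[start].ts > window:
                start += 1
            in_window = evs[start:end + 1]
            files = {e.path for e in in_window}
            dirs = {parent_dir(e.path) for e in in_window}
            if (len(files) >= min_files and len(dirs) >= min_dirs
                    and (peak is None or len(files) > peak.files)):
                peak = Alert(proc, len(files), len(dirs))
        if peak is not None:
            alerts[pid] = peak
    return alerts


if __name__ == "__main__":
    hits = find_mass_writers(parse_events(SAMPLE_EVENTS),
                             known_good=frozenset({"backup.exe"}))
    for pid, a in hits.items():
        print(f"pid {pid} ({a.proc}): {a.files} files in {a.dirs} dirs within "
              f"{WINDOW_SECONDS}s -> candidate for blocking")
```

Run without a known-good list and the backup job trips the same threshold as the encryptor, which is the main false-positive source for this heuristic; real EDR products pair such rate heuristics with process reputation, canary files and content-entropy checks rather than relying on one signal.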

2. Data Backup

Regularly back up data to an external hard drive, using versioning and the 3-2-1 rule (create three backup copies on two different media, with one backup stored in a separate location). If possible, disconnect the hard drive from the device so the backup data cannot be encrypted.

3. Patch Management
Keep the device’s operating system and installed applications up to date, and install security patches. Run vulnerability scans to identify known vulnerabilities and remediate them quickly.
4. Application Whitelisting and Control
Establish device controls that limit the applications installed on the device to a centrally controlled whitelist. Increase browser security settings, disable Adobe Flash and other vulnerable browser plugins, and use web filtering to prevent users from visiting malicious sites.
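The essential property of a centrally controlled whitelist is that the decision is keyed on what a file is, not what it is called or where it sits. The following added example (not the page's or any product's code) shows hash-based allowlisting with the standard library: the central side hashes approved binaries once, the endpoint side compares a candidate's digest against that set. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Central step: hash every approved binary once; distribute the set of digests."""
    return frozenset(sha256_file(p) for p in approved_paths)


def decide(path, allowlist):
    """Endpoint step: a file may run only if its digest is on the list.
    Name and location are ignored on purpose, since both are trivially changed."""
    return "allow" if sha256_file(path) in allowlist else "block"


def demo():
    """Build a throwaway allowlist from one constructed 'binary' and evaluate
    four cases. Returns {case: decision} so the outcome can be checked."""
    with tempfile.TemporaryDirectory() as workdir:
        approved = os.path.join(workdir, "updater.exe")
        with open(approved, "wb") as f:
            f.write(b"CONSTRUCTED-APPROVED-BINARY")        # sample content, not a real program
        allowlist = build_allowlist([approved])

        renamed = os.path.join(workdir, "notes.txt")          # same bytes, different name
        shutil.copyfile(approved, renamed)

        tampered = os.path.join(workdir, "updater-tampered.exe")
        with open(tampered, "wb") as f:
            f.write(b"CONSTRUCTED-APPROVED-BINARY!")         # one extra byte

        impostor_dir = os.path.join(workdir, "Downloads")
        os.mkdir(impostor_dir)
        impostor = os.path.join(impostor_dir, "updater.exe")  # approved name, other bytes
        with open(impostor, "wb") as f:
            f.write(b"CONSTRUCTED-UNKNOWN-BINARY")

        return {
            "approved": decide(approved, allowlist),
            "renamed": decide(renamed, allowlist),
            "tampered": decide(tampered, allowlist),
            "impostor": decide(impostor, allowlist),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The renamed copy is still allowed and the same-named impostor is blocked, which is the point of hashing rather than matching paths. The operational cost is that every legitimate update changes the digest, so the allowlist has to be refreshed from the central side as part of patch management.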

5. Email Protection
Train employees to recognize social engineering emails, and conduct drills to test whether employees are able to identify and avoid phishing. Use spam protection and endpoint protection technology to automatically block suspicious emails, and block malicious links if a user does end up clicking on them.
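Two of the automatic checks a mail gateway applies before a message reaches an inbox are shown below: rejecting attachments of executable or script types (the VBS attachment mentioned under NetWalker is one such case) and flagging links whose visible text names one host while the href points to another. This is an added example using only the Python standard library, not code from the page or from any mail-security product; the blocked-extension list, the addresses, the host 203.0.113.9 and the message contents are constructed for the demo.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that execute code when opened. Constructed starting list, not a
# product setting; the page's NetWalker note is why .vbs is here.
BLOCKED_EXTENSIONS = {"exe", "scr", "vbs", "vbe", "js", "jse", "bat", "cmd",
                      "ps1", "hta", "jar", "lnk"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_like):
    url_like = url_like.strip()
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def screen_message(raw_bytes):
    """Return a list of findings; an empty list means nothing was flagged."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Attachments whose (last) extension is an executable/script type.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")

    # 2. Links whose visible text is a URL on a different host than the href.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _AnchorCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            if re.match(r"^(https?://|www\.)", text, re.I) and _host(text) != _host(href):
                findings.append(f"link text {text!r} actually points to {_host(href)}")
    return findings


def build_sample_message(malicious=True):
    """Constructed test mail. malicious=True carries a mismatched link and a
    .vbs attachment disguised with a double extension; malicious=False is the
    benign equivalent with a matching link and a PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "ann@example.org"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please open the attached invoice.")
    href = "http://203.0.113.9/pay" if malicious else "https://portal.example.com/pay"
    msg.add_alternative(
        f'<p>Pay at <a href="{href}">https://portal.example.com/pay</a></p>',
        subtype="html")
    if malicious:
        msg.add_attachment(b"WScript.Echo 1", maintype="application",
                           subtype="octet-stream", filename="invoice.pdf.vbs")
    else:
        msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label in ("malicious", "clean"):
        print(label, screen_message(build_sample_message(label == "malicious")))
```

Only the last extension is consulted, so `invoice.pdf.vbs` is caught regardless of how the name reads to a user; archives and macro-enabled documents are deliberately outside this example and need their own handling in a real gateway.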

6. Network Defenses
Use a firewall or web application firewall (WAF), Intrusion Prevention / Intrusion Detection
Systems (IPS/IDS), and other controls to prevent ransomware from communicating with
Command & Control centers.
