Cybercriminals, and criminals in general, always seek to cover their tracks to avoid prosecution. With that in mind, many hackers have turned to the difficult-to-track world of cryptocurrency in demanding ransom payments. There has been a rise over the past couple of years of ransomware strains that ask exclusively for cryptocurrency. Here are 4 notable examples:
DoppelPaymer ransomware is created to encrypt the files of its victim, blocking them from accessing files and subsequently encouraging the victim to pay a ransom in bitcoin to decrypt the files. It is the preferred infection of the eCrime group INDRIK SPIDER. DoppelPaymer ransomware is an evolved form of BitPaymer ransomware.
It has been known to be deployed against government entities, as the ransomware was used in an attack against the City of Torrance in California where more than 200 GB of data was stolen, and the attackers demanded 100 Bitcoin in ransom. DopplePaymer ransomware was also used in an attack against Alabama’s state information technology system. The hackers threatened to publish citizens’ private data online unless they are paid $300,000 in Bitcoin.
The REvil cybercriminal group operates as a Ransomware-as-a-Service outfit and creates malware strains that it sells to other hacking groups. A report from security firm KPN reveals that REvil malware has infected more than 150,000 computers around the world.
Recently, the REvil ransomware gang initiated an auction to sell off stolen information from companies unable to pay the ransom demand with prices starting at $50,000 payable in Monero cryptocurrency. As a result of privacy concerns, the REvil gang switched from demanding payment in Bitcoin to Monero, a privacy-centric cryptocurrency.
As one of the most prolific ransomware operators, the REvil gang is primarily targeting corporations, encrypting their data and asking for exorbitant fees, which average about $260,000.
Ryuk ransomware has resurfaced as a result of the ongoing coronavirus pandemic and is targeting hospitals. On March 27th of 2020, a spokesman for a British-based IT security firm confirmed that despite the global COVID-19 outbreak, Ryuk ransomware isbeing used to target hospitals. Like most hacking events, Ryuk malware is distributed via spam emails or geo-based download functions.
Ryuk ransomware is a variant of Hermes ransomware, which is linked to the SWIFT attack from October 2017. It is believed that the attackers who have been using Ryuk since August of 2019 have pulled in over 700 Bitcoin across 52 transactions.
According to cybersecurity firm Check Point, Dridex malware entered the top-10 list of malware for the first time in March 2020, after an appearance way back in 2011. The malware, which is also known as Bugat and Cridex, specializes in stealing bank credentials using a system of macros on Microsoft Word.
New variants of the malware go beyond Microsoft Word and now target the entire Windows platform. Researchers have noted that the malware can be lucrative for criminals thanks to its sophistication, and is now being deployed as a ransomware downloader.
Although last year saw the takedown of a botnet linked to Dridex, researchers believe that such successes are often short-lived, as other criminal outfits pick up the malicious code and use it in other attacks. Due to the ongoing global pandemic and people having to work from home, the use of malware such as Dridex, which is easily executed through email spear phishing attacks, has escalated.