A look back at the world's top ten ransomware attacks of the past six years: no bottom line, every move calculated

Since WannaCry swept the world in 2017, ransomware attacks have continued to evolve and have gradually become industrialized. Their scale, impact and destructive effects have expanded further, seriously affecting key sectors such as global manufacturing, finance, energy, healthcare and government organizations. In some cases attackers have hijacked critical infrastructure and demanded high ransoms, which can even affect the normal operation of a country.

According to the 2022 Mid-Year Cyber Threat Report, 236.1 million ransomware attacks were recorded worldwide from January to June 2022 alone. Another report states that 80% of cyber security leaders consider ransomware a significant threat to public safety, and predicts that ransomware damages will grow from $325 million in 2015 to $265 billion in 2031.

All signs point to the fact that ransomware attacks are intensifying, and individuals, businesses and organizations may become the next victim at any time. At the same time, as enterprises advance their digital transformation, supply chain security risks are becoming increasingly serious, ransomware attacks continue to evolve, multiple extortion has become the norm, and ransomware attacks continue to threaten industrial security.

To better understand the technical evolution and development trend of ransomware attacks, and to gain insight into the motives and strategies of cybercriminals, this article takes stock of the world's top ten ransomware incidents of the past six years. The aim is to provide a useful reference for enterprises building a whole-process ransomware protection system: preventive protection before an incident, continuous monitoring during it, and rapid response and security hardening afterwards.

01 WannaCry sweeps the world - ransomware attracts global attention for the first time

In May 2017, the WannaCry ransomware attack swept the world. At least 150 countries and regions, 300,000 users and more than 100,000 computers were attacked and infected, causing losses of more than 8 billion US dollars and affecting finance, energy, healthcare and many other industries.

Some Windows users in China were infected, and campus network users were the first to suffer: large amounts of laboratory data and graduation projects were locked and encrypted. Application systems and database files of some large enterprises could not operate normally after being encrypted, which had a huge impact. From that point on, ransomware attacks officially entered the public eye and attracted global attention.

02 NotPetya takes aim at infrastructure - one of the most destructive ransomware attacks in history

In June 2017, NotPetya was used to launch a large-scale outbreak targeting Ukrainian infrastructure. In Kiev alone, 4 hospitals, 6 power companies, 2 airports and more than 22 Ukrainian banks were hit; the ATM and card payment systems of the retail and transportation industries, as well as nearly every federal agency, were affected.

Originating from an update to the local accounting software package Medoc, the malicious attack reached worldwide. The attackers combined the EternalBlue exploit with the Mimikatz credential-harvesting tool into a deadly combination, quickly sweeping through ports, factories, offices and other facilities in more than 60 countries and regions across Europe, America, Russia, Poland, France, Italy, the United Kingdom, Germany and the United States. According to White House statistics, NotPetya caused more than $10 billion in losses to the global economy, making it one of the most extensive and destructive international cyber attacks in history.

03 Bad Rabbit's disguised raid - the first alarm for data security protection

In October 2017, the new ransomware Bad Rabbit raided Eastern Europe, affecting organizations in Russia, Ukraine, Bulgaria, Turkey, Japan and other countries, and sounding the alarm for corporate data security protection. Bad Rabbit tricks users into downloading and running it by disguising itself as an Adobe Flash Player installer; after infection, it uses weak passwords to attack other machines on the LAN. According to statistics, more than 200 institutions and enterprises around the world were attacked, and some Ukrainian and Russian companies and infrastructure, including the Kiev Metro, Odessa Airport and Interfax, were seriously affected.

04 GandCrab hunts large enterprises - one of the most active ransomware families

In January 2018, the GandCrab ransomware family appeared for the first time. It was distributed to affiliates through the dark-web RaaS model, delivered mainly by email, and used RSA+AES encryption, so that encrypted files could not be restored. GandCrab was the first ransomware to demand ransom in Dash (DASH), and it was also one of the most active families of 2018. It spread in many ways, including weak-password brute forcing, phishing emails, drive-by downloads from compromised web pages and watering-hole attacks; it was updated quickly, with 5 major versions and several minor versions within one year; it was widespread, affecting dozens of countries and regions such as Romania, Brazil and India, with more than 1.5 million users infected worldwide; and its criminal profits were so high that they accumulated to as much as 2 billion US dollars since its launch.

05 SamSam's expensive blow - a record-high recovery cost

In March 2018, the SamSam ransomware disrupted several online services of the city of Atlanta. Many internal and customer-facing applications could not be used normally because of server downtime, including applications used by residents to pay bills or access court-related information, resulting in millions of dollars in damages. In addition, the cost of Atlanta's ransomware recovery was reported to be as high as $17 million, making it one of the costliest attacks on any local government in the US in 2018.

06 Demant hit hard - one of the attacks with the highest cyber insurance payouts

In September 2019, Demant, one of the world's largest hearing aid manufacturers, suffered a ransomware attack. Although the company limited further spread by shutting down IT systems at multiple sites and business units, key business processes across the value chain were still affected, including research and development, production and distribution. The cumulative impact of these outages was expected to cost the company nearly $100 million for all of 2019, an amount that would have been higher had the company not expected to receive $14.6 million in cyber insurance claims. It is one of the most costly cybersecurity incidents since the NotPetya outbreak.

07 DoppelPaymer's double extortion - the most widely adopted multiple extortion method

In March 2020, Visser Precision, a parts supplier to industry giants such as Tesla, Boeing, Lockheed Martin and SpaceX, was attacked by the DoppelPaymer ransomware. The company's military equipment data, billing and payment data, supplier information and related confidentiality agreements, and some legal documents were stolen and encrypted, and a ransom was demanded. Visser Precision chose not to pay, which eventually led to the stolen content being made public. Clearly, the double extortion strategy of the MegaCortex operators, stealing data first and then demanding a ransom, greatly inspired the DoppelPaymer operators.

08 Darkside hits the global industrial chain - one of the most serious cyber attacks on US critical infrastructure

In May 2021, Colonial Pipeline, the largest oil and gas pipeline operator in the United States, was attacked by the Darkside ransomware, with a huge knock-on effect on the global industrial chain. The attackers stole important data files and hijacked the company's fuel pipeline transportation management system, which directly led to the shutdown of critical fuel supply pipelines in the eastern coastal states and put great pressure on fuel supply in 17 states along the US east coast. It was the worst cyber attack on critical US infrastructure to date.

09 Conti's indiscriminate attack - the first time a national government declared a state of emergency

In 2022, several terabytes of data and more than 800 servers of Costa Rica's National Treasury were affected, and the digital tax service and customs control IT systems were paralyzed, affecting not only government services but also the private sector engaged in import and export. In addition, another wave of HIVE-related attacks directly affected the general population by taking the country's healthcare system offline. This series of attacks against the Costa Rican government clearly demonstrates the devastating consequences ransomware can have on government organizations, and may usher in a new era of ransomware.

10 HardBit turns to the insurer - the strangest extortion method so far

In February 2023, the operators of HardBit ransomware version 2.0 changed their extortion approach: instead of extorting victims directly, they sought to obtain the ransom from the victim's insurance company, asking victims to provide their policy details so that the "optimal" ransom amount could be set, maximizing the attackers' financial gain while having the insurer cover the entire ransom.

Ransomware attacks are everywhere. They are crypto kidnappers, data thieves and cunning scammers after your money and data. Over the past six years, ransomware has advanced like a hurricane: its targets have extended from individuals to enterprises and even governments, and its methods have moved from ransom for decryption keys to double extortion to extortion from insurance companies. At the same time, reports indicate that the ransomware threat continues to rise, and new attack methods such as the combination of ransomware with supply chain vulnerabilities have emerged.

Through this continuous evolution, ransomware has become a "data disease" that cannot be prevented by any single measure; many ransomware protection technologies must be applied together to improve a company's ransomware protection capabilities. This also drives security practitioners in all industries to keep improving their technology and skills and to find suitable solutions for high-efficiency, high-quality, high-level security prevention and control. That is, security vendors need to advance the research and development of more effective ransomware prevention and control products, and enterprises need to build a solid defense-in-depth baseline from the source, build endogenous immunity, and achieve immunity to ransomware through "booster shots" in their ransomware prevention and control plans.

Faced with the severe and complex ransomware situation, Tencent Security has developed a set of solutions based on years of practical experience and the technical advantages it has accumulated in the field of zero trust security.

Zero trust technology can hide business resources from Internet exposure, thereby reducing the risk of malware penetration. Tencent Zero Trust iOA combines the accumulated experience of traditional endpoint security in ransomware protection and integrates it into the zero trust security system, reducing the probability of intrusion, closing attack entry points, blocking encryption behavior and backing up important documents, toward the goal of ransomware protection that is controllable, preventable, monitorable and recoverable.

WAAP can effectively protect against vulnerability exploitation, shifting from "passive" to "active" to reduce the risk of ransomware attacks. Tencent Security WAF provides bot protection and active defense against various automated tools; it can effectively protect against vulnerability scanning and zero-day vulnerability probing, and prevent attackers from exploiting application vulnerabilities to launch ransomware attacks. In addition, for email phishing, the most common entry point in ransomware attacks, Tencent Security NDR can observe the traffic of each stage of a ransomware attack on the network side, break down and analyze the attack process, and fully map the scope of a ransomware infection within the intranet. At present, Tencent Security NDR supports the detection of more than 1,000 ransomware variants and more than 500 types of ransomware-related files, covering all popular ransomware families, and provides one-click blocking of risky assets from connecting to the attacker's C&C server.

Ransomware attacks are inherently complex network security problems, and the fight against them is long-term, continuous work. Tencent Security will continue to draw on more than 20 years of accumulated security practice to help enterprises build a security "dome" over the entire process of enterprise operation and every link of the industrial chain, constructing a deep, full-process protection system to prevent ransomware attacks reasonably and efficiently.

Source: blog.csdn.net/qcloud_security/article/details/130647188