The new breed of ransomware viruses


Ransomware has been devastating businesses for a long time, but no more so than in the last couple of years. The global WannaCry attack that hit the NHS in May 2017 finally brought the insidious malware into mainstream headlines, shortly followed by another worldwide attack – Petya/NotPetya. Compared to 2016 and 2017, this year has been somewhat quiet on the ransomware front.

This doesn’t mean that ransomware is dead, however. In fact, the forms that we’ve seen this calendar year suggest hackers have been busy creating more effective and deceptive strains than we’ve ever seen before.

Check out our infographic to find out everything you need to know about ransomware.

Customisable KeyPass ransomware

The recently-discovered KeyPass ransomware has been described as significantly more sophisticated than its predecessors. With success in 20 countries and counting, KeyPass looks simple at first, but is customisable. By using the ‘manual’ option, hackers can change a number of encryption parameters including the encryption key, ransom message and the encrypted file extension. But the most destructive feature is that it can allow astute cyber-criminals to take control of an infected system.

KeyPass enters a system by posing as a fake software installer, which downloads the ransomware onto the user’s system. Whilst it doesn’t look like KeyPass has reached the UK yet, its success across the globe means we should take this advanced threat seriously.

One standout ransomware variant that has made its way to England, with 8% of businesses affected by this strain based here, is SamSam.

SamSam, the six-million dollar ransomware

SamSam has so far received over $1 million in ransom payments in 2018 alone, with close to $6 million overall since 2016. The reason this strain stands out is because no two attacks are the same, and with each attack the strain grows in sophistication. SamSam activates itself at the most inopportune moments (not that there’s a ‘good’ time to be infected with ransomware!), usually in the middle of the night when most system admins will be asleep. Additionally, SamSam goes beyond the traditional encryption of files and images and also encrypts the system configuration and data files required to run applications. This means those using file backup only won’t be able to restore their systems easily.

Hackers utilising SamSam use brute force attacks to crack weak passwords on Windows RDP (Remote Desktop Protocol) accounts in order to infiltrate the business network. Once inside, the hacker uses an arsenal of sophisticated hacking tools, including credential harvesting tools, to escalate to admin privileges; this can take days at a time. You can’t accuse SamSam hackers of not being dedicated to the cause. The good news, if you could call it that, is that SamSam doesn’t spread automatically but rather needs to be commanded to do so.
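The RDP brute-force stage described above leaves a very recognisable trail in the Windows Security log: a burst of failed logons (event 4625, logon type 10 for RemoteInteractive/RDP) from one source address, sometimes followed by a successful logon (4624) from the same address. The script below is an added example written for this post, not code from Sophos, Datto or any SamSam analysis; it runs a sliding-window detector over a handful of constructed, simplified event records (the field names and the IP addresses are made up for illustration) and raises an alert when a source exceeds a failure threshold, plus a higher-severity alert if that source then logs on successfully.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields are a simplified view of the
# Windows Security log: 4625 = failed logon, 4624 = successful logon,
# logon_type 10 = RemoteInteractive (RDP). Addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2018-09-12T02:14:03", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2018-09-12T02:14:41", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2018-09-12T02:15:10", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.45"},
    {"time": "2018-09-12T02:15:55", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.45"},
    {"time": "2018-09-12T02:16:30", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.45"},
    {"time": "2018-09-12T02:17:02", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.45"},
    {"time": "2018-09-12T02:18:20", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.45"},
    # A different source with only two failures: below threshold, no alert.
    {"time": "2018-09-12T02:16:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.7"},
    {"time": "2018-09-12T02:16:05", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.7"},
    # A console logon (type 2): not RDP, ignored by this detector.
    {"time": "2018-09-12T02:17:30", "event_id": 4624, "logon_type": 2, "user": "jsmith", "src": "10.0.0.5"},
]

FAIL_THRESHOLD = 5           # failures from one source within the window before alerting
WINDOW = timedelta(minutes=5)
RDP_LOGON_TYPE = 10


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for RDP brute-force patterns in `events`.

    Two alert types are produced:
      - rdp_bruteforce:          >= threshold failed RDP logons from one source inside `window`
      - success_after_bruteforce: a successful RDP logon from a source already flagged
    Each source is flagged at most once per run so a long burst does not spam alerts.
    """
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures (oldest first)
    flagged = set()

    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(e["time"])
        src = e["src"]

        if e["event_id"] == 4625:
            q = failures[src]
            q.append(ts)
            # Drop failures that have fallen outside the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_bruteforce", "src": src,
                               "failures": len(q), "at": e["time"]})

        elif e["event_id"] == 4624 and src in flagged:
            # A success after a flagged burst suggests a password was guessed:
            # treat as a likely compromise, not just noise.
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": e["user"], "at": e["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic would sit behind a SIEM query or a PowerShell `Get-WinEvent` filter rather than a hand-built list; the point is that a threshold on failed type-10 logons per source, combined with the "success after burst" rule, catches the overnight pattern the post describes well before any encryption starts. Pair it with account lockout, network-level authentication and keeping RDP off the public internet so the brute force never gets a foothold in the first place.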

These new ransomware variants show that, while 2018 may have been quiet in terms of attacks, we could soon see an increase in attacks (and the sophistication of those attacks) that will rival 2016 and 2017.

How can you prevent KeyPass and SamSam ransomware?

The use of brute force password attacks in SamSam variants highlights the importance of using strong, unique passwords. However, it’s concerning that many big businesses still use the outdated password policies that dictate passwords need complex characters like symbols, capital letters and numbers. Whilst there’s no harm in applying those rules to your passwords, the key factor is the length. Pa55w0rd will be infinitely easier to crack than, say, witbeyondmeasureisamansgreatesttreasure (thanks for the wise words, Dumbledore). You’ll notice there are no complex characters in this password, but it’s near impossible to crack. Find out more about creating truly strong passwords in our Senior Technical Specialist Grant Campbell’s blog.
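To make the length-versus-complexity point concrete, here is an added example (written for this post, not a tool from Sophos or the blog's author) that scores the two passwords above. It does two things a sensible checker should do: it normalises common letter-for-number substitutions and looks the result up in a wordlist (so "Pa55w0rd" is caught as just "password" in disguise), and it estimates the brute-force keyspace in bits from length and character classes. The wordlist and the dictionary-size figure used for the passphrase estimate are constructed assumptions for illustration.

```python
import math
import string

# Constructed mini wordlist standing in for a real cracking dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "football"}

# Typical letter-for-symbol substitutions a cracker's rules undo in one pass.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lowercase and undo leetspeak so 'Pa55w0rd' becomes 'password'."""
    return password.lower().translate(LEET_MAP)


def is_common(password: str, wordlist=COMMON_WORDS) -> bool:
    """True if the password is a wordlist entry once substitutions are undone."""
    return normalise(password) in wordlist


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Keyspace in bits if an attacker had to try every string of this
    length over this character set, i.e. length * log2(charset)."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Fairer estimate for a passphrase: attacker tries word combinations,
    not characters, so the keyspace is word_count * log2(dictionary_size)."""
    return word_count * math.log2(dictionary_size)


def assess(password: str) -> dict:
    """Combine the checks: a wordlist hit overrides any entropy figure."""
    return {
        "password": password,
        "common": is_common(password),
        "charset": charset_size(password),
        "bits": round(brute_force_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in ("Pa55w0rd", "witbeyondmeasureisamansgreatesttreasure"):
        print(assess(pw))
    # 8 words drawn from an assumed 20,000-word dictionary:
    print(round(passphrase_bits(8, 20_000), 1), "bits as a word-based passphrase")
```

Running it shows why the post's advice holds: "Pa55w0rd" uses three character classes and scores about 47.6 bits on paper, yet it is a wordlist hit and falls to a rules-based guess almost immediately. The 39-character lowercase passphrase scores about 183 bits as a character keyspace, and even under the less flattering word-based model (eight words from a 20,000-word dictionary, roughly 114 bits) it is still far stronger than the short "complex" one. Length, not symbol-soup, is what moves the number.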

KeyPass highlights the need to be vigilant when downloading and installing files, programmes and software. When downloading software from the internet, it’s important to ensure you’re on a legitimate website – for example, if you’re downloading a video editor, make sure you’re on the brand’s official site. These threats could also be email-borne and are also prolific on social media. For email-borne threats, you could use a tool like Phish Threat to simulate attacks on your employees. Not only can you gauge their level of scrutiny when it comes to suspicious emails, you can also train those who fall victim.

SamSam’s sophisticated encryption means a simple file backup just isn’t enough. That’s why we’d recommend a hybrid disaster recovery and backup solution like Datto. You can recover physical machines and servers immediately with its instant virtualisation. We’ve been awarded Datto’s EMEA Partner of the Year 2018, so why not talk to us about how Datto can protect you from the ever-increasing cyber-threat landscape?

Sophos also offers a specific anti-ransomware solution, Intercept X, which uses machine learning to adapt to these ever-evolving threats. You can also read Sophos’ whitepaper on SamSam, which the business has spent a long time studying and defending against.

Even with the newer, more dangerous variants of ransomware emerging, our advice remains the same:

  1. Use strong passwords and use unique ones for each of your systems
  2. Be vigilant and educated about how hackers can infiltrate your systems – email-borne threats are particularly prevalent
  3. Use a disaster recovery and backup solution that can also restore servers and machines
  4. Implement a multi-layered cyber-security strategy, with particular attention to anti-ransomware solutions