The most popular ransomware strains targeting UK businesses

What threats you're likely to face can significantly depend on the region in which you operate

Regardless of the type of industry you're in, the size of your workforce, the products and services you create, or the value of the data you hold, you have one thing in common with every other digital business: You are a target for ransomware.

In 2019 we saw a surge in the number of ransomware attacks against businesses. The UK alone saw a 195% increase in reported incidents, reflected in an estimated 6.4 million ransomware attacks in the first half of 2019, making it the most targeted region in the world after the US. This issue has been compounded further by the rise of ransomware as a service, with a significant proportion of attacks in the UK now being launched using hired malware.


You don't need us to tell you how serious a threat ransomware poses to business, nor how damaging it can be if an attack is successful. However, while the threat itself is easy to recognise, it's not always clear precisely which ransomware is likely to target your business, and given that many hundreds, potentially thousands, of strains exist, deciding on what preventative measures to take can feel a little like guesswork.

The good news is that we now have some idea which ransomware is becoming popular among hackers targeting the UK. Cyber security firm Malwarebytes recently analysed the distribution of malware across the world, including a breakdown of the UK's most popular ransomware families, and presented its findings at London's DTX Europe in October 2019.

As you can see from the charts above, the region in which your business operates is a significant factor in determining what ransomware you are likely to encounter. However, it's also worth pointing out that GandCrab, by far the most popular across all regions, and Cerber were both distributed as ransomware as a service.

Yet this doesn't give the whole picture for UK businesses. In fact, London boroughs feature only twice in the list of the top five most targeted regions in the UK. Manchester, Royal Kensington and Chelsea, Reading, Harrow and Leeds faced the highest number of ransomware attacks between 2018 and 2019, but the types of malware used differed drastically.


As is reflected in the European average, GandCrab made up a significant chunk of the attacks against Manchester businesses and those in the London borough of Royal Kensington and Chelsea. However, there were no GandCrab attacks recorded in Harrow, Reading or Leeds.

What's equally surprising is that a ransomware strain known as BTCWare, which was not featured in the EMEA analysis, made up 80% of the attacks against businesses in Reading.

"Reading is the only one with this big BTCWare section. BTCWare is ransomware that works on RDP (remote desktop protocol, see below), so is basically installed if there is an RDP breach. So the delivery method is very manual. The only thing I can think of is that in Reading there are lots of RDP servers," explained Malwarebytes sales engineer Claudio Tosi.

GandCrab

GandCrab's popularity has made it a best seller in the ransomware space, allowing users with very limited malware knowledge to tailor the scope of their attack and the nature of their intended campaign using an online tool, and then pay for the service on a sliding scale. This effectively removes the risk to the individual and makes it near impossible to identify the true source of an attack.


Spread through phishing emails, this strain attempts to convince users to open an attachment, often containing romantic phrases and references to Valentine's Day or love letters. However, some of the more business-focused GandCrab attacks have even used fake updated emergency exit maps or similar notices that pretend to be of critical importance. These attachments contain malicious JavaScript that is automatically triggered if the file is downloaded.


The script will then start to encrypt every file on a user's system, and those it is connected to. The victim will then be instructed to pay a ransom in order to get their files back.


Cyber security firm Avast suggests the following extensions are often used during GandCrab infections:

.GDCB, .CRAB, .KRAB, .%RandomLetters%

foobar.doc -> foobar.doc.GDCB
document.dat -> document.dat.CRAB
document.xls -> document.xls.KRAB
foobar.bmp -> foobar.bmp.gcnbo

What's unusual about this ransomware is that we know its author is no longer in operation. "A fun fact about GandCrab is that its creator decided six months ago to retire," said Tosi. "They sent out a message to everybody saying 'guys I'm cashing up, I'm retiring, sorry about that, that's it, finished, I'm closing my ransomware as a service'. This guy is informing his customers."

Defending against GandCrab

The best defence is to have a robust security suite in place to prevent the ransomware from triggering if it is accidentally downloaded; most anti-virus software will be able to detect GandCrab.


However, it's also important to be vigilant against the tell-tale signs of GandCrab, especially the distinguishable phishing emails that it favours.

As a result of hacking efforts by Europol last year, certain versions of GandCrab can be decrypted using free online tools, allowing a user to recover their files fairly quickly.

Avast also has a free GandCrab decryptor tool, available here.

Ryuk

A Ryuk ransomware note, courtesy of Checkpoint

Ryuk is a fairly recent entry to the ransomware industry, having emerged just last year. Although it is often spread using spam email campaigns, it's also used to target specific organisations for high payouts.

"Ryuk always for some reason spikes during the holidays," explained Tosi. "So during Christmas time usually we get some presents, well in the UK [in 2018] we got Ryuk. It [then] lay dormant for a few months, and after that it surfaced again on 13 September, which was a Friday. Friday the 13th was the day they chose to start Ryuk again. It's just fantastic."


Researchers have also discovered that the Ryuk strain shares many similarities with the Hermes ransomware, which is believed to have originated from North Korea. However, investigations seem to suggest that the Ryuk variant was a Russian creation.


The file extension of .RYK is often associated with Ryuk infections.

Defending against Ryuk

Robust security software is also highly effective at stopping Ryuk in its tracks.

However, Ryuk uses the extremely robust RSA encryption algorithm and there are currently no free online decryption tools, which makes it near-impossible for users to brute force their way to their files. This means a full system restore using a secure backup is necessary following an attack. 

Rapid

First discovered in early 2018, the Rapid ransomware is unusual in that it will stay hidden on a user's system and encrypt new files as they are created, before later emerging to demand a ransom.

The ransomware has received four updates in its history, which adjusted the extensions given to encrypted files and added new email addresses to allow victims to contact the authors. Ransom notes tend to be short and concise, asking the victim to contact the attacker directly in order to recover their files.


The Rapid ransomware is normally spread through malicious emails that masquerade as official notices. Most recently the authors have used messages claiming to be from the US Inland Revenue Service (IRS), alerting users that they owe back taxes.

The ransomware usually changes file extensions to .rapid as part of the encryption process.

Defending against Rapid

Because the attackers try to imitate professional-looking official emails, mistakes in them are easier to spot: messages are often not tailored to specific countries, and most official organisations will rarely contact users in this manner.

Given the slow nature of the encryption process, it's also possible to stumble upon encrypted files before a user is locked out of their system, during which time anti-malware software can be run to remove the threat.

However, once files are encrypted (even if spotted early), there are currently no decryptor tools available to recover them. Unfortunately, a full system lockout requires a full system wipe and restore to regain access.

Cerber

The Cerber ransomware made up a significant chunk of attacks in Harrow and Leeds (45% and 17% respectively), and retains a healthy presence across the EMEA region.


Alongside GandCrab, it's an example of malware released as ransomware as a service, with its authors taking a 40% cut of any extorted funds.

The ransomware maintains a number of different versions that are all in operation, making it difficult to defend against. It uses elaborate phishing scams, often using infected Microsoft Word documents, to silently infect a user's machine and begin encrypting system files. Once that is complete, it will change the user's desktop wallpaper to a recognisable splash screen (above) to notify victims of an infection, providing instructions for paying the fee to unlock the files.

A Cerber infection is normally associated with files with the extension .cerber or numbered variants like .cerber1, .cerber2 and so on.

Defending against Cerber

As with most other malware strains, having anti-virus software actively running on your machine should prevent Cerber from activating if a download is attempted. However, it's common for Cerber to be bundled into more malicious packages, such as rootkits, that can disable your anti-virus before attempting to run Cerber.


Unfortunately, like Ryuk, Cerber also uses RSA encryption, making it incredibly difficult for users to get their files back in a timely manner.

BTCWare

BTCWare is one of the older ransomware families still operating in the UK, having first been discovered in 2017.

This strain exclusively targets Windows-based systems by brute-forcing weak remote desktop protocol (RDP) passwords and then manually installing a malicious programme. However, the strain has also been known to use spam email campaigns, often with messages that have no subject line or body text and a malicious ZIP file attached.
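Since BTCWare arrives after a successful RDP password-guessing run, the defender's signal is a burst of failed remote-interactive logons from one source, sometimes followed by a success. The following is an added example, not code from the article or from Malwarebytes or Avast; it runs over constructed, simplified log lines rather than real Windows event text, and assumes that event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive) have already been extracted into that simple form.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log lines (not real Windows event text). Event 4625 is a
# failed logon, 4624 a successful one, and logon type 10 (RemoteInteractive) is what
# an RDP session attempt produces.
LOG = """\
2019-09-13T02:14:01 4625 type=10 account=administrator src=203.0.113.7
2019-09-13T02:14:03 4625 type=10 account=admin src=203.0.113.7
2019-09-13T02:14:06 4625 type=10 account=backup src=203.0.113.7
2019-09-13T02:14:09 4625 type=10 account=scanner src=203.0.113.7
2019-09-13T02:14:12 4625 type=10 account=sysadmin src=203.0.113.7
2019-09-13T02:14:15 4624 type=10 account=administrator src=203.0.113.7
2019-09-13T08:30:00 4625 type=10 account=alice src=198.51.100.4
2019-09-13T09:45:00 4625 type=10 account=alice src=198.51.100.4
2019-09-13T09:46:00 4624 type=10 account=alice src=198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+) (\d+) type=(\d+) account=(\S+) src=(\S+)$")

def parse(text):
    """Yield (timestamp, event id, logon type, account, source) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), int(m[2]), int(m[3]), m[4], m[5]

def find_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: details} for sources with >= threshold RDP failures within `window`.
    A later success from the same source is recorded as well, because that is the
    point at which a password-guessing run has found a weak credential."""
    recent = defaultdict(deque)  # src -> sliding window of (timestamp, account)
    alerts = {}
    for ts, event, logon_type, account, src in parse(text):
        if logon_type != 10:
            continue
        if event == 4625:
            q = recent[src]
            q.append((ts, account))
            while ts - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                details = {"first": q[0][0], "accounts": set(), "success": None}
                a = alerts.setdefault(src, details)
                a["accounts"].update(acct for _, acct in q)
        elif event == 4624 and src in alerts:
            alerts[src]["success"] = (ts, account)
    return alerts
```

The two spaced-out failures from 198.51.100.4 fall outside the five-minute window, so the legitimate user's mistyped password is not reported, while the burst from 203.0.113.7 is, together with the account the guessing run eventually succeeded on.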

According to Avast, BTCWare infections will result in the following file extensions:

foobar.docx.[sql772@aol.com].theva
foobar.docx.[no.xop@protonmail.ch].cryptobyte
foobar.bmp.[no.btc@protonmail.ch].cryptowin
foobar.bmp.[no.btcw@protonmail.ch].btcware
foobar.docx.onyon

BTCWare has received a number of updates during its lifetime, but generally speaking the encryption process has remained the same. This includes creating registry entries so that the ransomware can run each time the system is rebooted and providing an email address so the attackers can be contacted.


Defending against BTCWare

As is the case with other strains, robust security suites are capable of spotting and neutralising BTCWare threats before they can activate.


If for whatever reason BTCWare ransomware has infected a system, there have been a variety of free decryptor tools released over the years to help users recover their files almost immediately.

Jigsaw

One of the more recognisable and volatile ransomware strains is the Jigsaw variant. This family is known for adopting the fictional villain "Billy the Puppet" from the Saw film series, a picture of which is included in the ransom note.

The ransomware is also known for its aggressive and menacing approach, demanding payment within a specific time frame, generally 60 minutes, before deleting files one by one. After 72 hours, all encrypted files will be deleted. The strain will also 'punish' users by deleting large chunks of files, usually around 1,000, if the user ignores the demand by trying to reboot their system.

According to Avast, Jigsaw infections will use the following extensions:

.kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush, .uk-dealer@sigaint.org, or .gefickt.
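The extension lists given for GandCrab, Ryuk, Rapid, Cerber, BTCWare and Jigsaw above can be turned into a quick triage check over a file listing, which is what an incident responder does first to work out which family hit a share. This is an added example, not code from the article or from Avast or Malwarebytes; the file names in SAMPLE are constructed, and the random five-letter GandCrab extension is deliberately not matched because it cannot be enumerated.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicator extensions taken from the per-strain lists in the article. GandCrab's
# random five-letter extension (e.g. .gcnbo) cannot be enumerated and is not matched.
JIGSAW_EXTS = [
    ".kkk", ".btc", ".gws", ".j", ".encrypted", ".porno", ".payransom",
    ".pornoransom", ".epic", ".xyz", ".versiegelt", ".payb", ".pays", ".payms",
    ".paymds", ".paymts", ".paymst", ".payrms", ".payrmts", ".paymrts",
    ".paybtcs", ".fun", ".hush", ".gefickt",  # short ones like .xyz will false-positive
]
SUFFIX_FAMILY = {".gdcb": "GandCrab", ".crab": "GandCrab", ".krab": "GandCrab",
                 ".ryk": "Ryuk", ".rapid": "Rapid", ".onyon": "BTCWare"}
SUFFIX_FAMILY.update({ext: "Jigsaw" for ext in JIGSAW_EXTS})
JIGSAW_TAIL = ".uk-dealer@sigaint.org"  # contains dots, so matched as a whole suffix
# BTCWare appends "[contact email].<variant>" after the original name.
BTCWARE_RE = re.compile(r"\.\[[^\]\s]+@[^\]\s]+\]\.(theva|cryptobyte|cryptowin|btcware)$")
CERBER_RE = re.compile(r"\.cerber\d*$")  # .cerber, .cerber1, .cerber2, ...

def classify(path):
    """Return the family a filename's extension points to, or None if it looks clean."""
    name = PureWindowsPath(path).name.lower()
    if BTCWARE_RE.search(name):
        return "BTCWare"
    if CERBER_RE.search(name):
        return "Cerber"
    if name.endswith(JIGSAW_TAIL):
        return "Jigsaw"
    return SUFFIX_FAMILY.get(PureWindowsPath(name).suffix)

def scan(paths):
    """Count hits per family; a hit is a reason to investigate, not proof of infection."""
    hits = [(p, classify(p)) for p in paths if classify(p)]
    return Counter(family for _, family in hits), hits

# Constructed sample listing (not real data), one file per pattern from the article.
SAMPLE = [
    r"C:\Users\alice\Documents\foobar.doc.GDCB",
    r"C:\Users\alice\Documents\document.xls.KRAB",
    r"C:\Finance\q3.xlsx.RYK",
    r"C:\Shares\hr\contract.pdf.rapid",
    r"C:\Shares\hr\photo.jpg.cerber2",
    r"C:\Shares\hr\foobar.docx.[no.btcw@protonmail.ch].btcware",
    r"C:\Shares\hr\foobar.docx.onyon",
    r"C:\Shares\hr\notes.txt.payrmts",
    r"C:\Shares\hr\report.docx",  # clean file, must not be flagged
]
```

A family hit tells you which decryptor page (GandCrab, BTCWare, Jigsaw) or which restore-from-backup path (Ryuk, Rapid, Cerber) applies, which is the practical reason to keep the mapping per family rather than as one flat list.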


The ransomware is generally spread through malicious spam email attachments and has inspired a number of variants, all of which deploy their own characters or images to play games with their victims.

Defending against Jigsaw

Despite the menacing appearance and language employed by the ransomware, Jigsaw is relatively easy to defend against.

Anti-virus software can spot Jigsaw ransomware before it's able to execute, and so this should be installed and maintained on every system.

However, Jigsaw is also one of those variants that have been cracked by security researchers, meaning there are plenty of easily accessible online decryptors available.
