Abstract
This chapter examines four major ransomware cases, treating the first major ransomware attack, in 2013, as the template from which the influx of attacks since 2016 developed. The individual case studies were chosen for their global impact on organisations and the high-profile media reporting that surrounded the attacks. The case study analysis examined the attack methodology and the outcome of each attack to identify similarities and evolutionary changes from one attack to the next. The analysis also sought to detail the method and sophistication level of each attack, its encryption process and its request for payment. These components provide the foundation for the further understanding of the rising threat posed by ransomware developed in later chapters.
Notes
- 1. Four case studies were deemed an appropriate number to accurately demonstrate the evolution of major ransomware attack profiles over a six-year period.
- 2. In 2018, an FBI investigation into WannaCry identified Marcus Hutchins as MalwareTech. Whilst Hutchins was initially hailed a hero for his role in stopping WannaCry, he was later arrested and has pleaded guilty to developing the Kronos malware, which was used to steal banking credentials (see Winder 2019).
- 3. The term “crown jewels” is a cybersecurity term synonymous with high-value data and systems. The term broadly applies to an organisation’s high-value data, which typically includes intellectual property, customer data and privileged user account information.
References
M. Alazab, Profiling and classifying the behavior of malicious codes. J. Syst. Softw. 100, 91–102 (2015)
R. Anderson, GameOver Zeus botnet disrupted: Collaborative effort among international partners, 7 Nov 2014
M. Anderson, ‘NotPetya’: Latest ransomware is a warning note from the future, IEEE Spectrum (2017). Available online: https://spectrum.ieee.org/tech-talk/computing/it/notpetya-latest-ransomware-is-a-warning-note-from-the-future. Accessed 22 Feb 2019
Australian Tax Office, Scam alerts. (2020). Available online: https://www.ato.gov.au/general/online-services/identity-security/scam-alerts/. Accessed 17 Aug 2020
B. Bechtol, Enabling violence and instability, in North Korean Military Proliferation in the Middle East and Africa, vol. 44, (University Press of Kentucky, 2018)
C. Beek, Necurs Botnet leads the world in sending spam traffic, McAfee Labs. (11 Mar 2018). Available online: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/necurs-botnet-leads-the-world-in-sending-spam-traffic/. Accessed 13 June 2018
A. Berry, J. Homan, R. Eitzman, WannaCry malware profile, FireEye Threat Research (2017). Available online: https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html. Accessed 2 Jan 2019
T. Bossert, Press briefing on the attribution of the WannaCry malware attack to North Korea, 19 Dec 2017
T. Brewster, Google warns ransomware boom scored crooks $2 million a month, Forbes (25 July 2017). Available online: https://www.forbes.com/sites/thomasbrewster/2017/07/25/google-ransomware-multi-million-dollar-business-with-locky-and-cerber/#758974576caf. Accessed 17 Jan 2019
E. Bursztein, K. McRoberts, L. Invernizzi, Tracking desktop ransomware payments, Black Hat, Las Vegas (2017)
S. Chow, Hacked: The Bangladesh Bank Heist, Aljazeera (24 May 2018). Available online: https://www.aljazeera.com/programmes/101east/2018/05/hacked-bangladesh-bank-heist-180523070038069.html. Accessed 13 Nov 2018
C. Cimpanu, M.E.Doc software was backdoored 3 times, servers left without updates since 2013, Bleeping Computer (6 July 2017)
M. Conti, A. Gangwal, S. Ru, On the economic significance of ransomware campaigns: A bitcoin transactions perspective. Comput. Secur. 79, 162–189 (2018)
Department of Homeland Security, Alert (TA17-132A): Indicators associated with WannaCry ransomware (12 May 2017)
P. Ducklin, “Locky” ransomware – what you need to know, Naked Threats (2016). Available online: https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/. Accessed 24 Feb 2019
K. Eichensehr, Three questions on the WannaCry attribution to North Korea, Just Security. (2017). Available online: https://www.justsecurity.org/49889/questions-wannacry-attribution-north-korea/. Accessed 10 June 2018
N. Etaher, G. Weir, M. Alazab, From ZeuS to Zitmo: Trends in banking malware, in IEEE International Conference on Trust, Security and Privacy in Computing and Communications, (Trustcom IEEE, Piscataway, 2015)
Federal Bureau of Investigation, FBI Alert – Identification of ransomware variant called Locky, 11 July 2016
L. Garber, Government officials disrupt two major cyberattack systems. Computer 47(7), 16–21 (2014)
A. Gazet, Comparative analysis of various ransomware virii. J. Comput. Virol. 6(1), 77–90 (2010)
D. Gerstein, WannaCry virus: A lesson in global unpreparedness. Available online: https://www.rand.org/blog/2017/05/wannacry-virus-a-lesson-in-global-unpreparedness.html. Accessed 3 June 2018
A. Greenberg, The untold story of NotPetya, the most devastating cyber attack in history, WIRED. (2018a). Available online: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/. Accessed 23 Jan 2019
A. Greenberg, The WannaCry ransomware hackers made some real amateur mistakes, WIRED (2018b). Available online: https://www.wired.com/2017/05/wannacry-ransomware-hackers-made-real-amateur-mistakes/. Accessed 5 June 2018
A. Ivanov, O. Mamedov, ExPetr/Petya/NotPetya is a wiper, not ransomware. (2017). Available online: https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/. Accessed 14 Dec 2018
K. Jarvis, CryptoLocker ransomware, Threats & Defenses Threat Analysis. (2013). Available online: https://www.secureworks.com/research/cryptolocker-ransomware. Accessed 3 Jan 2019
L. Kessem, The Necurs Botnet: A Pandora’s box of malicious spam, IBM Security Intelligence. (24 Apr 2017). Available online: https://securityintelligence.com/the-necurs-botnet-a-pandoras-box-of-malicious-spam/. Accessed 22 Feb 2019
M. Korolov, Ransomware took in $1 billion in 2016 – improved defenses may not be enough to stem the tide, CSO (5 Jan 2017). Available online: https://www.csoonline.com/article/3154714/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html. Accessed 11 Feb 2019
P. Kruse, Locky spreading through Facebook. (20 Nov 2016). Available online: https://twitter.com/peterkruse/status/800414481545187328. Accessed 2 Mar 2019
E. Lucas, Cyberphobia: Identity, Trust, Security and the Internet (Bloomsbury Publishing, London, 2015)
L. Matthew, Boeing is the latest WannaCry ransomware victim, Forbes. (2018). Available online: https://www.forbes.com/sites/leemathews/2018/03/30/boeing-is-the-latest-wannacry-ransomware-victim/#218e8ea96634. Accessed 1 June 2018
D. Maynor, M. Olney, Y. Younan, The MeDoc connection, Cisco TALOS. Available online: https://blog.talosintelligence.com/2017/07/the-medoc-connection.html. Accessed 22 Feb 2019
A. McLean, WannaCry reportedly hitting speed cameras in Victoria, ZDNet. (2017). Available online: https://www.zdnet.com/article/wannacry-reportedly-hitting-speed-cameras-in-victoria/. Accessed 2 April 2018
A. McNeil, How did the WannaCry ransomworm spread?, Blog.Malwarebytes.com. (30 May 2017). Available online: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/. Accessed 10 June 2018
D. Meyer, WannaCry ransoms suddenly leave attackers, Bitcoin Wallets. (2017). Available online: http://fortune.com/2017/08/03/wannacry-ransom-bitcoin/. Accessed 11 June 2018
M. Molloy, Operation Tovar: The latest attempt to eliminate key botnets, Threat Research. (2014). Available online: https://www.fireeye.com/blog/threat-research/2014/07/operation-tovar-the-latest-attempt-to-eliminate-key-botnets.html. Accessed 13 Dec 2018
National Audit Office, Investigation: WannaCry Cyber Attack and the NHS (National Audit Office, London, 2018)
National Health Service, Statement on reported NHS cyber-attack, 13 May 2017
L.H. Newman, The ransomware meltdown experts warned about is here, WIRED. (2017). Available online: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/. Accessed 6 June 2018
L.H. Newman, The leaked NSA spy tool that hacked the world, WIRED. (2018). Available online: https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/. Accessed 6 June 2018
A. Palisse, H. Le Bouder, J.-L. Lanet, C. Le Guernic, A. Legay, Ransomware and the Legacy Crypto API, in The 11th International Conference on Risks and Security of Internet and Systems, Roscoff, France, 5–7 September 2016 (Springer, 2016)
D. Palmer, Locky ransomware: Why this menace keeps coming back, ZDNet (7 Sept 2017). Available online: https://www.zdnet.com/article/locky-ransomware-why-this-menace-keeps-coming-back/. Accessed 27 Feb 2019
S. Ragan, Malicious images on Facebook lead to Locky ransomware, CSO. (2016). Available online: https://www.csoonline.com/article/3143173/malicious-images-on-facebook-lead-to-locky-ransomware.html. Accessed 14 Feb 2019
O. Ralph, R. Armstrong, Mondelez sues Zurich in test for cyber hack insurance, Financial Times, New York (10–11 Jan 2019)
M. Rivero, Locky ransomware returns to the game with two new flavors. (25 Aug 2017). Available online: https://blog.malwarebytes.com/cybercrime/2017/08/locky-ransomware-returns-to-the-game-with-two-new-flavors/. Accessed 25 Feb 2019
J. Saarinen, Hackers launch massive Locky ransomware campaign, itNews (1 Sept 2017). Available online: https://www.itnews.com.au/news/hackers-launch-massive-locky-ransomware-campaign-472295. Accessed 21 Feb 2019
J. Shea, How is NATO meeting the challenge of cyberspace? PRISM 7(2), 18–29 (2017)
J. Smith, Hospital pays hackers $17,000 in Bitcoins to return computer network, ZDNet (18 Feb 2016). Available online: https://www.zdnet.com/article/hospital-pays-hackers-17000-in-bitcoins-to-return-computer-network/. Accessed 22 Feb 2019
K. Sood, S. Hurley, NotPetya technical analysis – a triple threat: File encryption, MFT encryption, credential theft (29 June 2017). Available online: https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/. Accessed 4 Mar 2019
Symantec, Ransom.WannaCry (2017). Available online: https://www.symantec.com/security-center/writeup/2017-051310-3522-99. Accessed 7 June 2018
A. Taylor, NotPetya Malware Attributed. (16 Feb 2018)
S. Thakkar, Ransomware – Exploring the electronic form of extortion. Int. J. Sci. Res. Dev. 2(10), 123–126 (2014)
G. Troy, Locky ransomware attacks ramp up (28 Apr 2017). Available online: https://blog.appriver.com/2017/08/locky-ransomware-attacks-increase. Accessed 23 Feb 2019
A. Winckles, Here’s how the ransomware attack was stopped – and why it could soon start again, The Conversation. (2017). Available online: https://theconversation.com/heres-how-the-ransomware-attack-was-stopped-and-why-it-could-soon-start-again-77745. Accessed 21 Nov 2018
D. Winder, WannaCry Hero Marcus Hutchins pleads guilty to creating banking malware, Forbes (20 Apr 2019). Available online: https://www.forbes.com/sites/daveywinder/2019/04/20/wannacry-hero-marcus-hutchins-pleads-guilty-to-creating-banking-malware/#13f645a4513e. Accessed 23 June 2019
J. Wolff, You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (The MIT Press, Cambridge, 2018)
© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this chapter
Ryan, M. (2021). Ransomware Case Studies. In: Ransomware Revolution: The Rise of a Prodigious Cyber Threat. Advances in Information Security, vol 85. Springer, Cham. https://doi.org/10.1007/978-3-030-66583-8_5
DOI: https://doi.org/10.1007/978-3-030-66583-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-66582-1
Online ISBN: 978-3-030-66583-8
eBook Packages: Computer Science, Computer Science (R0)
