Ransomware and the increasing malware landscape in Iran
Recently we have seen an ever-increasing number of successful ransomware attacks carried out in cyberspace. While attacks often seem to be clustered in time, followed by periods of little to no activity, it would seem we are now in a period of high activity, with hacking groups such as N3tw0rm, BlackShadow and Pay2Key actively engaging in ransomware attacks across the globe. At ICNA we decided to give our readers an overview of some of the history of ransomware and where it is going.
What is Ransomware?
Before I talk about ransomware it is worth taking a moment to explain what malware is. Malware is any software that is intentionally designed to cause damage to a computer system, and globally the damage caused by malware hit $6 trillion in 2020. A wide variety of malware exists, including computer viruses, worms, trojans and spyware. Originally, ransomware was a type of malware that affected files and systems by encrypting important information so that the owner was unable to access it. The attacker would usually then demand payment in bitcoin in exchange for a decryption key. More recently, attackers have also started stealing large amounts of information from victims by covertly entering target systems and copying sensitive information, which they then threaten to leak on the dark web unless payment is made. This form of malware has been a prominent trick since the mid-2000s. Last year alone it was estimated that there were more than 184 million ransomware attacks.
How does it happen?
A system can be infected in a number of ways; however, the most common is through phishing emails that look like they have come from legitimate sources and ask you to download a file. Once downloaded, the file will encrypt the victim's files or give the attacker a backdoor into the victim's system.
The first ransomware attack happened in 1989 in the USA, when a professor distributed 20,000 floppy disks to researchers spanning more than 90 countries. He claimed the disks contained software to help with their research, but what the disks really contained was a program that encrypted their systems after they had turned on their machines 90 times. This attack later became known as the PC Cyborg Trojan.
Modern-day ransomware attackers have turned the extortion of victims into a business model: they offer Ransomware-as-a-Service to groups who do not have the skill to develop their own malware. Names of tools are shared on hacker forums, where some of the more popular ones have generated more than $320 million in revenue.
Who are the Iranian ransomware groups we know of?
Iranian groups such as Pay2Key, N3tw0rm and Black Shadow regularly use ransomware to achieve their goals, while groups such as Darkside are making news around the world with attacks on oil pipelines, and one group even managed to steal the database of the police in the US capital.
Why do they do it?
What are the real motives behind ransomware attacks? Most people believe it is solely for monetary gain, but experts are now saying this is not always the case. NotPetya, a ransomware that destructively targeted Ukrainian computer systems, is believed to have been a state-sponsored attack on a foreign country, carried out not for money but to further a political aim. The attack in 2017 brought down banks, ministries, newspapers and electrical firms inside the country, and although 80% of the affected systems were within Ukraine, due to the interconnected nature of the modern world, computers in 65 other countries were also affected.
Ransomware is on the rise with no sign that it will slow down. However, before you think about a change in career, you should note that as the rate of attacks increases, so do the very real consequences of being caught, consequences that can include lengthy jail time, large fines and indictments.