Threatlist: The Top 5 Enterprise-Toppling Ransomware Threats in 2017

Ransomware has long been a concern for enterprises, but it has taken on an ominous new tone in recent months. Sophisticated new programs successfully lock up data at businesses, hospitals and government agencies, introducing a new threat in an already-challenging security environment. Headline-making Trojans like Petya and WannaCry have brought attention to the dangers of ransomware, but they are only two of the many malicious programs circulating in 2017. Here are the top five ransomware threats affecting enterprises in 2017, starting with the most recent:


Petya/NotPetya

One of the most unnerving aspects of this piece of code is that even experts cannot agree on what it is or where it came from. According to Tom’s Guide, it first appeared in a software update from a Ukrainian company called MeDoc and then spread to other enterprises through corporate virtual private networks. Once inside, it attacked central servers and PCs to encrypt master boot records and other files. It also copied usernames and passwords so that it could target additional machines.

Things got even murkier in late June, when Janus Cybercrime Solutions, the author of Petya, claimed that it had nothing to do with the most recent attack and even offered to help restore files on affected machines. As Gizmodo’s Dell Cameron noted, the “NotPetya” virus actually seemed to have elements of multiple types of ransomware. It appeared to be more of a “wiper” than traditional ransomware; that is, it didn’t seem to hold data for ransom as much as it simply wiped out data for good.


WannaCry

WannaCry, aka WannaCrypt, made the rounds in early May but was quickly neutralized by what many experts consider to be a temporary fix. WannaCry leveraged the EternalBlue exploit of the Windows Server Message Block (SMB) protocol, which was itself reportedly stolen from the National Security Agency. This allowed it to spread rapidly from machine to machine once it got inside the enterprise LAN, encrypting files and demanding money to unlock them. Large organizations like Nissan, the British National Health System and the Russian Ministry of Internal Affairs were all affected. Fortunately, the software had a flaw in the form of a built-in kill switch. When the researcher who discovered the kill switch purchased a particular domain and activated it, the attack was halted. But experts say it is only a matter of time before a revised version of the ransomware is released.


Locky

Locky is a pernicious bit of code that emerged in 2016, receded and then re-emerged in a more virulent form earlier this year. Locky arrives as an email attachment that requires the recipient to download a macro to open it. Users who hit the macro link are immediately infected. The virus loads into system memory and encrypts both document and network files. The novelty of Locky is that it is spread through the Necurs botnet, which has become a favorite of cybercriminals waging DDoS attacks, phishing scams and the like but had never been used for malware before Locky.


Cerber

Perhaps the most unsettling development in ransomware is Cerber, which is described as “Ransomware as a Service.” Cerber is available to anyone who wants to use it and split the profits with its creators. Like Locky, it enters a computer through an email attachment. It then renames files with “.cerber” or some other random extension. Interestingly, if the software detects that your computer is located in Russia, Ukraine, Turkmenistan or about a dozen other former Soviet republics, it automatically deactivates itself.
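One way a defender could detect the renaming behaviour described above without relying on a fixed extension list, as an added example that is not part of the original article: it flags any process that gives many files the same new extension within a short window. The event tuple layout, the host and process names, the 60-second window and the threshold of five are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

def _renames(host, proc, ext, n, start, step=1):
    """Build n constructed rename events, `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step)).isoformat(), host, proc,
             rf"C:\Users\a\doc{i}.docx", rf"C:\Users\a\doc{i}{ext}")
            for i in range(n)]

# Constructed sample events: (timestamp, host, process, old path, new path).
SAMPLE_EVENTS = (
    _renames("WS01", "unknown.exe", ".cerber", 6, "2017-07-01T10:00:00")
    + _renames("WS02", "unknown.exe", ".a1b9", 5, "2017-07-01T11:00:00")
    # Slow, spread-out renames by a hypothetical backup tool (should not alert).
    + _renames("WS03", "backup.exe", ".bak", 5, "2017-07-01T12:00:00", step=600)
    # A single manual rename by a user (should not alert).
    + [("2017-07-01T09:00:00", "WS01", "explorer.exe",
        r"C:\Users\a\draft.txt", r"C:\Users\a\draft.md")]
)

def detect_mass_rename(events, window=timedelta(seconds=60), threshold=5):
    """Return sorted (host, process, new_ext, count) alerts for every process
    that changed >= threshold files to the same extension inside `window`."""
    buckets = defaultdict(list)  # (host, process, new_ext) -> timestamps
    for ts, host, proc, old, new in events:
        old_ext = ntpath.splitext(old)[1].lower()
        new_ext = ntpath.splitext(new)[1].lower()
        if new_ext and new_ext != old_ext:  # ignore renames that keep the type
            buckets[(host, proc, new_ext)].append(datetime.fromisoformat(ts))
    alerts = []
    for (host, proc, ext), stamps in buckets.items():
        stamps.sort()
        start = best = 0
        for end in range(len(stamps)):  # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((host, proc, ext, best))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print("ALERT mass rename:", alert)
```

Because the grouping key is the new extension itself, a randomly generated extension is caught the same way as “.cerber”; the window and threshold need tuning against legitimate bulk-rename tools in a real environment.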


CryptoWall

This is an old one that resurfaces time and time again. According to security expert Rich Werk, the latest version, CryptoWall 4.0, subverts Windows’ Shadow Copy features, making it nearly impossible to recover lost files from backup or to even know which files have been lost. The program uses the same email-attachment approach as other attacks, but in this case, there is an extra extension to the normal .pdf or .doc that opens a browser and downloads the malicious code. For previous versions of CryptoWall, government investigators were able to track down the server that held the decryption keys, but that has yet to happen for Version 4.0.

It’s been said that the trouble with giving names to ransomware is that it focuses attention on defeating yesterday’s threats while tomorrow’s are evolving. Undoubtedly, each of these programs will morph into something entirely new… sooner rather than later. That is why enterprises should never become complacent when it comes to security. The longer the digital economy goes without a major attack, the greater the danger becomes.