Famous malware attacks: Difference between revisions

From ICO wiki

Revision as of 00:09, 1 May 2022

Introduction

Malware is malicious software that can enter and remain on a computer and then perform actions without the owner's consent, giving attackers full access to data and systems. Malware initially appeared as a form of cyber vandalism: it was used to alter the computer's background tasks and access personal information. Since then, these methods, adopted by cybercriminals, have come to be used to track information and steal valuable business or personal data.


Petya

Petya is a file-encrypting Trojan first discovered in 2016, according to 2SpyWare, a site launched as a project to help people learn more about cybersecurity issues and malware. It has continued to appear in various variants with several different updates until today. Among its derivatives are PetrWrap, GoldenEye, Mamba virus, Mischa, Diskcoder.D, and Bad Rabbit. Petya has been one of the classic ransomware attacks: the files on victims' computers are encrypted to make them inaccessible, and a ransom is then demanded in exchange for the decryption key. Ransoms are typically demanded in bitcoin or other cryptocurrencies. Its beginnings were similar to WannaCry: the outbreak appeared seemingly out of nowhere and spread rapidly. Unlike WannaCry, however, this malware spread via spam e-mails, and immediately after the computer was restarted it displayed the following message on the screen.

PHOTO WILL BE UPLOADED

Although this screen may look like a system error at first glance, Petya was in fact silently encrypting files in the background of the system. When the user rebooted the system or the file encryption completed, a flashing red skull appeared on the screen together with the prompt "Press any key". After a key was pressed, a new window opened with the ransom note.

PHOTO WILL BE UPLOADED

One of the e-mail domains associated with the perpetrators of the attack was revoked while the outbreak was under way, so victims could no longer send the specific code generated on their computer to obtain the matching decryptor, and data recovery became impossible. The attack was effective above all in Ukraine, and also in countries such as Russia, England, France, Denmark, Iran, Brazil, and Mexico; Spain, the Netherlands, and India also confirmed the attack. Ukraine suffered the most. Petya also hit various public institutions of the country, affecting a wide area including Kyiv Airport, metro systems, power plants, and nuclear power plants, bringing the systems to a standstill and causing many disruptions. MeDoc, a Ukrainian software company, was held responsible for the attack that brought life in Ukraine to a standstill. Although MeDoc denies these allegations, many cybersecurity experts have claimed to have evidence that the firm was the initial source. Public authorities stated that the affected institutions had difficulty carrying out customer service and banking transactions, and most ATMs were observed to be either out of service or displaying Petya's ransom message on their screens.

Considering that the country had also been exposed to similar attacks, this is understood to be a political attack aimed at creating confusion in the country rather than one with a financial purpose. It also became clear that many systems did not have adequate defenses against ransomware. The extent of such attacks has also revealed the widespread inadequacy of cyber security awareness, vulnerability scanning, testing, use of the right security tools, and taking backups. It can also be said that Petya, which aims to render the system unusable rather than merely encrypt its files, seeks a devastating effect rather than money.


SamSam

The most comprehensive research report on the ransomware named SamSam, which was first seen in December 2015 and began to spread in 2016, belongs to the global cyber security company Sophos. According to the report published in April 2018, unlike most well-known ransomware families, which attack indiscriminately, SamSam has been used against selected organizations judged most likely to pay to get their data back, such as hospitals or schools. Instead of spam campaigns, the cybercriminals behind SamSam exploited vulnerabilities to gain access to victims' networks or used brute-force tactics against weak Remote Desktop Protocol (RDP) passwords. This is the main feature that distinguishes SamSam from other ransomware attacks. The process, designed to cause the greatest damage to the IT infrastructure of the chosen victim in the shortest time, relies on a person or group skilled in infiltrating systems, who identifies the weaknesses of the network they have entered and runs the malware there by hand. After potential targets were discovered, the attackers manually deployed the SamSam malware to selected systems using tools such as PSEXEC and batch scripts. The first victim of the attack was Atlanta. The attack caused severe digital blackouts in five of the city's 13 local government units. Its effects were far-reaching: it disrupted the court system, prevented residents from paying their water bills, limited vital communications such as sewer infrastructure requests, and forced the Atlanta Police Department to work with pen and paper instead of computers. The ransom demanded was around $50,000. The press reported that over 2.6 million dollars were spent in the first stage alone to recover from the attack, most of it on emergency response for systems recovery, forensics, and additional staffing.
In addition, the press reported that the city spent a further $650 thousand on a crisis communication center and emergency response consultancy. exceeded the dollar.
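As an added defender-side example (not part of the original wiki page or the Sophos report), the following Python checks a batch of Windows Security/System event records for the SamSam intrusion chain described above: repeated failed RDP logons (event 4625, logon type 10) from one source, a later successful RDP logon (event 4624) from that same source, and a PsExec-style remote service installation (event 7045). The sample events, IP addresses, account names and thresholds are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (ts, event_id, logon_type, src_ip, detail), not real telemetry;
# detail is the account name for 4624/4625 and the installed service name for 7045.
SAMPLE_EVENTS = [
    ("2018-03-21 23:50:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-03-21 23:50:04", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-03-21 23:50:06", 4625, 10, "203.0.113.7", "admin"),
    ("2018-03-21 23:50:09", 4625, 10, "203.0.113.7", "admin"),
    ("2018-03-21 23:50:12", 4625, 10, "203.0.113.7", "backup"),
    ("2018-03-21 23:55:30", 4625, 10, "198.51.100.9", "jsmith"),  # one typo, benign
    ("2018-03-22 00:02:41", 4624, 10, "203.0.113.7", "backup"),   # password guessed
    ("2018-03-22 00:15:10", 7045, None, None, "PSEXESVC"),         # PsExec service install
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> time it first reached `threshold` failed RDP logons
    (event 4625, logon type 10) within a sliding `window`."""
    recent, flagged = defaultdict(deque), {}
    for ts, eid, ltype, ip, _ in sorted(events, key=lambda e: e[0]):
        if eid != 4625 or ltype != 10:
            continue
        t, q = parse_ts(ts), recent[ip]
        q.append(t)
        while t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = t
    return flagged

def bruteforce_then_success(events, flagged):
    """(ip, account, ts) for RDP successes (4624, type 10) from a flagged IP
    at or after the moment it was flagged: the guessing paid off."""
    return [(ip, acct, ts) for ts, eid, ltype, ip, acct in events
            if eid == 4624 and ltype == 10 and ip in flagged and parse_ts(ts) >= flagged[ip]]

def remote_service_installs(events, names=("PSEXESVC",)):
    """Service installs (7045) whose name matches a known remote-execution tool."""
    return [(ts, name) for ts, eid, _, _, name in events
            if eid == 7045 and name.upper() in names]

def triage(events):
    """One verdict dict for the host, combining the three checks."""
    flagged = rdp_bruteforce_sources(events)
    return {"sources": sorted(flagged), "compromised": bruteforce_then_success(events, flagged),
            "remote_exec": remote_service_installs(events)}
```

A non-empty `compromised` list followed by a `remote_exec` hit is the point at which the host should be isolated and the credentials involved reset, before the off-hours encryption stage the report describes.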


Some striking data from this report are as follows:

  • 74 percent of known victims are located in the USA. Canada, the United Kingdom, and the Middle East countries are among the countries most affected by the attack.
  • According to transfers made in Bitcoin, SamSam attackers managed to extort ransoms of up to 64 thousand dollars from individual victims at a time.
  • Following the emergence of SamSam, new versions were developed; each new version used more complex attack methods, and more capable operational security measures were observed so as not to leave traces.
  • SamSam attackers targeted medium to large-sized public sector institutions in the fields of health, education and government (50 percent) and private sector companies (50 percent).
  • The attackers' preparation for the attack is meticulous. SamSam attackers waited for the opportune moment: they issued the encryption commands at midnight, when most users were asleep, or in the early morning hours of the victim's local time zone. In the SamSam case, after the attackers had successfully infected a server, they caused further harm by stealing network maps and credentials. It is appropriate to regard this attack as a professional diamond heist rather than a simple theft, because both the attack method and the critical institutions targeted are the basis for this judgment.