View All R&D Articles

2017 Ransomware Recap

January 4, 2018

Ransomware became a household name in 2016. As hackers extorted ransoms from hospitals, universities, and other groups in return for files, the public became aware of how vulnerable devices are in this connected age.

Even with the awareness of this threat, companies and individuals couldn’t stop the onslaught of ransomware attacks in 2017. This year has seen a steady drizzle of new ransomware variants punctuated by three large-scale attacks that used hacking tools from our own National Security Agency.

Because of ransomware attacks, two companies estimated their losses in the hundreds of millions of dollars and Britain’s National Health Service diverted ambulances and cancelled operations until they regained control of their computers. In addition to the major attacks, the underground market for smaller-scale operations continued to boom, and open-source ransomware gave hackers a head start. Here’s how the big events of 2017 went down.

st louis public library, exterior at nightSt. Louis Public Library

When staff arrived to work on Thursday, Jan. 19, they were greeted with locked computer screens throughout all branches of the St. Louis Public Library. Hackers had exploited a vulnerability in a library voicemail server and locked 700 staff and public computers. The attackers demanded $34,000 in bitcoin to restore the computers.

The library refused to pay and began furiously working to restore services. Finally, on Jan. 30, they were able to announce that all computers used by the public were fully restored. Enhancements to the library system’s cybersecurity remains an ongoing project.

Microsoft Releases Eternal Blue Patch

On March 14, Microsoft issued a critical security bulletin for a vulnerability in all unsupported versions of Windows. The reason? The NSA had discovered a security flaw in Windows operating systems and added it to the agency’s stockpile of cyber weapons. A group called the Shadow Brokers accessed and leaked this stockpile, giving hackers powerful tools for wreaking havoc.

By installing Microsoft’s patch, users protected themselves from the vulnerability that the NSA discovered (which was known as Eternal Blue). Unfortunately, those who did not patch their operating systems would fall victim to cyber attacks in the coming months when the NSA exploit was paired with ransomware and unleashed.


The first attack that paired ransomware with Eternal Blue was WannaCry. The attack initially occurred in Asia on May 12 and quickly spread to more than 230,000 devices. Infected computers spread the ransomware to other machines on the same network as well as random computers over the internet.

A security researcher discovered a kill switch which stopped the spread, but more than 300,000 computers had already been infected. Companies and organizations affected by the attack include Britain’s National Health Service, FedEx, Honda, Hitachi, Telefónica, and dozens more.

north korea flag wannacry ransomware virusWhile an unprecedented number of machines were infected, the attackers received relatively little money from ransom payments. Just $140,000 in bitcoin was withdrawn from the three accounts associated with the attack.

In the months following the attack, many pointed fingers at North Korea’s cyber unit as the originator of the attacks. Finally, in a Dec. 18 op-ed piece, a Trump adviser officially declared North Korea responsible for the attack.

Petya, NotPetya, Nyetna

Whatever you call it, this attack wreaked havoc and proved that not everyone learned a lesson from the WannaCry attack. NotPetya targeted the same Windows security flaw that Microsoft provided a patch for (and that WannaCry exploited).

Ground zero for this attack was Ukraine, where a popular piece of tax-filing software, MEDoc, spread NotPetya to businesses and government organizations. Soon, NotPetya moved beyond Ukraine’s borders and devastated international businesses, such as advertising company WPP, law firm DLA Piper, shipping giant Maersk, and FedEx. Both Maersk and FedEx estimated their losses from the attack to be around $300 million.

Initially, analysts blamed a ransomware called Petya for the cyber attack. However, security experts make a convincing case that NotPetya is a wiper (meaning the intent was to destroy files, not hold them hostage) and that the attackers could not decrypt a victim’s files even if they wanted to.

So, why would an attacker disguise a wiper as ransomware? Ukraine’s security service (SBU) blames Russia. Since the downfall of the Soviet Union in 1991, the two countries have had periods of tension. In 2014, Ukrainian voters ousted their pro-Russia president Viktor Yanukovych. Shortly after, Russia annexed Crimea, a Ukrainian peninsula, and the international community responded with heavy sanctions against Russia.

This may be more geopolitical history than you wanted to know, but the moral of the story is: cyber wars between nation-states can spill out into the general public. If NotPetya was in fact intended to cripple Ukraine’s infrastructure, then all those thousands of infected computers throughout the rest of the world were simply collateral damage. Welcome to the 21st century.

Bad Rabbit

Bad Rabbit was the ransomware used in the third major international attack of 2017. Compared to the massive disruptions and economic costs of WannaCry and NotPetya, Bad Rabbit was a mere nuisance. But for those affected, including Kiev’s metro system, Odessa’s airport, and Russian media group Interfax, the ransomware caused major disruptions. After its website went down, Interfax took to publishing news stories on Facebook until the site was restored.

Researchers believe the same attackers may be responsible for NotPetya and Bad Rabbit. There are similarities in the codes of NotPetya and Bad Rabbit, and the same web servers were used to distribute the initial software in both cases.

Bad Rabbit did not use the Eternal Blue exploit, though it used a different leaked NSA tool called Eternal Romance. Ukrainian state cyber police claimed that the ransomware attack was used as cover to steal financial information from targeted Ukrainian companies.


If 2016 put ransomware on the map, 2017 established it in the marketplace. Ransomware-as-a-service (RaaS) has existed since at least 2015, but there are now more opportunities than ever for someone with little technical skill to buy ransomware from the dark web. Here’s how it works.

A customer either pays a subscription to or agrees to share a percentage of ransom money with the ransomware developer. The customer can then launch an attack on the targets of his choosing. Slicker RaaS variants have user-friendly dashboards to allow even the most technologically novice to launch cyber attacks.

A report from Carbon Black found a 2,502 percent increase in ransomware for sale on the dark web from 2016 to 2017. The same report discovered 45,000 listings for RaaS products. With that kind of competition, expect the products to become even more sophisticated and user-friendly in the 2018.

Open Source Ransomware

Hidden Tear Ransomware GitHub info

Another cause for the proliferation of ransomware is the posting of open source code. Hidden Tear was the first such ransomware to be posted freely on the internet. The developer, Utju Sen, claimed that he shared it for educational purposes.

Sen built several backdoors into the code so that anyone affected by it could decrypt their files. Unfortunately, hackers have taken his code and closed those backdoors in order to make more functional ransomware. Hackers have since created at least a dozen ransomware families (8lock8, Blocatto, Cryptear, Fakben, GhostCrypt, Globe, Hi Buddy!, Job Crypter, KryptoLocker, MireWare, PokemonGO, and Sanction) based on Hidden Tear.

And Sen’s Hidden Tear isn’t the only example. Others have created open-source ransomware ostensibly to improve ransomware detection and prevention. However, most security professionals have more sophisticated means of understanding and detecting malware. That makes these source codes a head start for criminals and not much more.

Ransomware in the New Year

Several large security companies have released reports with their predictions for the new year, and the message is clear. If you or your business use the internet, ransomware will continue to be a threat.

One firm predicts that the combination of ransomware as a service (like Cerber) and the resurgence of worms will lead to a surge in attacks and infections. Because hackers now have access to a trove of NSA tools, expect to see attacks similar to WannaCry again in 2018.

We can also expect to see more attacks on Mac computers. Keranger was the first ransomware to target a Mac OS, and it did so with limited success. However, Mac users remain a lucrative target for hackers, who likely haven’t given up in their attempts to infect this relatively untapped group.

What You Can Do

Security experts recommend a multi-pronged approach to protecting yourself from ransomware. Most importantly, keeping multiple copies of current backups will ensure that you never have to pay a ransom.

Avoid suspicious attachments and links (and teach everyone who uses your network to do the same) to reduce the chances of downloading malware. Keep all software up to date and rely on reputable antivirus software to give you further protection.

The massive global attacks of 2017 showed that everyone from individual computer users to multi-national corporations are vulnerable. Following the above practices (and ensuring that anyone who uses your computer does too) will protect you from the costly headache of ransomware.