Other ransomware threats
While WannaCry is the most widespread ransomware outbreak so far, there have been several other nasty attacks over the past year, including some that are still active.
Believed to be a derivative of the original CryptoLocker ransomware, TeslaCrypt uses super-strong, "uncrackable" encryption to lock a user's files. According to Kaspersky's report, it is by far the number-one ransomware family, responsible for 58% of infections. It tends to be spread via phishing and spam emails.
However, there's some great news for anyone infected by it. In a highly unusual move, the creators behind it have shut down their operations and released a free decryption key on the website that was previously used to accept the ransom in Bitcoin. You can use this key to unlock encrypted files, or download the recently updated TeslaDecoder.
CTB-Locker – also known as Onion Ransomware – is, according to Kaspersky Lab, the second-worst ransomware family in existence and responsible for 23.5% of infections. It uses the Tor Project's anonymous network to evade detection and even offers an affiliate programme, which lets anyone spreading it take a cut of the profits. A new variant specifically targets web servers.
CryptoWall is the third most prevalent ransomware family according to Kaspersky, and is typically spread through spam messages. It encrypts files using AES-256 and RSA encryption, which cannot be brute-forced, and it is regularly updated with new features that make it harder to circumvent.
The latest version, CryptoWall 4, renames files as it encrypts them, while another variant encrypts files slowly over several weeks so that backups taken in the meantime also contain encrypted copies, preventing recovery.
CryptoWall may target outdated versions of Flash Player, so make sure you keep Adobe's plugin up to date on your PC.
Arguably the most aggressive type of ransomware, Locky encrypts files across any drive, including Bitcoin wallets, and attacks Windows, Mac OS X and Linux. It spreads through macros in Word documents that purport to be invoices, persuading users to enable editing so that the macro can run. While Kaspersky only ranks it at number seven in its latest report, Locky has been spreading like wildfire and, in March, infected the IT systems of at least one of three US hospitals hit by ransomware.
Malwarebytes and Bitdefender both offer free anti-ransomware tools that can protect against Locky.
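A defender-side check for the macro-laden Word attachments described above, written as an added example rather than code from the original article: it inspects an Office Open XML package for a VBA project (the word/vbaProject.bin part or the macro-enabled content type) and returns a mail-gateway style verdict. The sample packages it builds are constructed stubs, not real documents; the content-type identifiers are the real OOXML ones.

```python
import io
import zipfile

# Real Office Open XML identifiers: a macro-enabled Word file (.docm) declares this
# main-part content type and stores its VBA project in the part word/vbaProject.bin.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"

def build_package(with_macros: bool) -> bytes:
    """Build a constructed, minimal Word package (not a real document) for testing."""
    main_type = MACRO_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
    vba_override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>') if with_macros else ""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr(VBA_PART, b"constructed stub, not real VBA")  # stands in for the OLE VBA blob
    return buf.getvalue()

def has_vba_macros(data: bytes) -> bool:
    """True if the package has a VBA part or declares the macro-enabled content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if VBA_PART in names:
                return True
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass  # not an OOXML zip (e.g. legacy .doc or plain text): nothing to inspect here
    return False

def classify_attachment(filename: str, data: bytes) -> str:
    """Mail-gateway style verdict; flags a .docx name used to disguise a macro file."""
    if not has_vba_macros(data):
        return "allow"
    if filename.lower().endswith(".docx"):
        return "block: macros inside a file presented as a plain .docx"
    return "block: macro-enabled document"
```

Legacy binary .doc files are not zip packages and fall through to "allow" here, so a real gateway needs a separate OLE check for those.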
Dogspectus, a recently detected ransomware, attacks Android phones and is installed via a malicious advert that the victim encounters on the web. It requires no user interaction to install; once the phone is infected, it is locked and a ransom demand displayed, payable not in Bitcoin but in iTunes gift cards. To remove it, you will need to perform a factory reset of your phone; the process varies depending on the device type and the version of Android it is running.
This ransomware mostly targets small companies (primarily in Germany, so far, although it has spread beyond) through fake business offers and job applications. Once it has encrypted the files, it requests a ransom in Bitcoin and, for an extra kicker, threatens to publish the victim's data online if the demand is not met (there's no proof it can do this, however). To add insult to injury, the ransom note also invites Chimera's victims to sign up for its affiliate programme.
At the time of writing, it looks as if Chimera has died out, although a new ransomware threat called Rokku shares similarities with it, suggesting it may come from the same developers.
What sets KeRanger apart from other ransomware is that it targets Apple Macs rather than Windows PCs. It encrypts files on a Mac three days after infecting it and was initially spread via the Transmission BitTorrent client installer for OS X.
Transmission removed the infected files and Apple revoked the certificate that allowed the malware to bypass its Gatekeeper protection, so Mac users should hopefully now be safe from the KeRanger threat, provided they are using the most up-to-date version of the software.
CryptXXX not only demands a fee to unlock encrypted files, but also attempts to copy personal data and steal any Bitcoins stored on the user's hard drive. It targets both local and connected drives and, to avoid detection, waits a short while after infection before going to work.
Kaspersky Lab managed to crack CryptXXX very quickly and released a tool that allowed victims to decrypt their files for free. Unfortunately, the ransomware developers have since updated CryptXXX, rendering the company's decryption tool useless.
Alpha is a new strain of ransomware that uses AES-256 encryption to lock all the files stored on fixed drives.
Oddly, on your system drive (the one with Windows installed), it will only encrypt files on the Desktop and in the My Pictures and Cookies folders. Like Dogspectus, Alpha requests its ransom in iTunes gift cards. A decryptor for Alpha has been developed that you can use to free your files. You can download it here using the password 'false-positive'.
Despite the name, this ransomware has nothing whatsoever to do with BitTorrent and is simply named after a Registry key generated by the earliest versions. TorrentLocker is spread through spam emails and, as well as encrypting files, it attempts to steal email addresses from your system so it can spread. To safeguard your system against TorrentLocker, avoid opening emails from unknown sources, and use an anti-ransomware program.