Dive Brief:
- In the wake of the recent cyberattack on the city of Atlanta, familiarity with the most prominent strains of ransomware, including SamSam, Locky, DMA Locker, Cerber and CrySis, gives cybersecurity professionals a foundation for understanding why an attack is occurring. SamSam, the hacking group reportedly behind Atlanta's ransomware attack, is known for targeting victims with the ability to pay larger ransoms and those "who cannot afford the down time," according to Sujit Raman, associate deputy attorney general in the U.S. Department of Justice, speaking at RSAC in San Francisco Monday.
- Locky functions mostly under the radar but has recently made a blip in association with a botnet. It is known for targeting corporations and government entities, at about 42% and 17% of its attacks respectively, according to Raman.
- Cerber is still an aggressive threat, but its activity has dropped significantly since the December 2017 arrests of two hackers allegedly behind a ransomware attack on the Metropolitan Police Department computers, according to an announcement from the Department of Justice.
Dive Insight:
Last year brought a more nuanced level of sophisticated attacks, freeing attackers from outdated, manual propagation tools.
However, just because hackers left a branded handprint on WannaCry and Nyetya (also known as NotPetya) does not mean companies should know what to expect. Instead, both campaigns should be viewed as "exceptions rather than the rules," said Raman.
WannaCry, for example, was "exposed as unreliable" when simply registering its domain effectively created a kill switch. This shortcoming was most likely overlooked by the North Korean nation-state actors behind the attack.
The reason for this is the unforgiving characteristics behind both attacks. Nyetya, like a lot of other malware campaigns, was designed to "make a lot of noise" while it distracted its victims from something else: encryption and data wiping.
Officials in Atlanta are still recovering from the attack, and time will tell if those behind SamSam are savoring something even more nefarious. Governments only represent about 5% of their targeted victims, but they become easy targets through phishing schemes and weak passwords in public-facing systems.