ITB - IT Solutions for the next generation

Ransomware – The not so Good, The Bad and The Ugly

17th December 2018

Ransomware is not a new phenomenon. The first strain, the AIDS Trojan, was written by Joseph Popp back in 1989. It was shipped on 5¼” floppy disks and distributed (via post) as AIDS education software. Stranger still, the World Wide Web did not yet exist; it was proposed that same year.

It has though now entered the mainstream in a big way.

Those who work in IT Security have been aware of Ransomware and its destructive nature for some time. However, when WannaCry brought down networks across the globe, the world sat up and took notice.

Whilst other types of Malware have a variety of end goals, Ransomware has only one: monetisation. It achieves this either by denying access to a computer or device (Locker Ransomware) or by denying access to files and data, usually by encrypting them (Crypto Ransomware).

Despite WannaCry grabbing the headlines, there are many more strains out there, some more dangerous than others and each with its own set of characteristics.

ITB partner McAfee regularly publishes its top 10 security threats, and Ransomware appears on the current list no less than three times.


In terms of notoriety, second only to WannaCry is the SamSam ransomware. Although first seen in 2016, it is still doing the rounds today and makes McAfee’s top 10. SamSam is fairly indiscriminate in who it targets, although there appear to have been more victims in healthcare than in other sectors.

It gets in through internet-exposed RDP services with weak or brute-forced credentials and through vulnerable JBoss application servers. Where SamSam differs from most Ransomware is that it doesn’t target the end user with a malicious email or download. Its operators break into exposed servers, then move laterally across the network and deploy the encryptor to as many machines as they can reach.
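The RDP brute forcing described above is visible in the Windows Security log long before any file is encrypted, so it is worth detecting. The Python script below is an added example written for this post (it is not ITB’s or McAfee’s code) and runs over a constructed, simplified export of Security events; the one-line field layout, the threshold of 10 failures in 5 minutes and the IP addresses are all assumptions made for the illustration.

```python
"""Flag RDP password-guessing bursts in Windows Security log records.

Added example for this post, not ITB's or McAfee's tooling. It runs over a
constructed, simplified export in which each line carries: timestamp,
event ID, logon type, account name, source IP. That layout is an
assumption for the example; a real export (Event Viewer, Sysmon, a SIEM)
needs its own parser. Event ID 4625 is a failed logon, 4624 a successful
one, and logon type 10 (RemoteInteractive) is what an RDP session produces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not from a real incident). One source works
# through a list of usernames against an exposed RDP service and finally
# gets in; a second source is a legitimate user who mistypes a password.
SAMPLE_EVENTS = """\
2018-12-10T02:14:01 4625 10 administrator 203.0.113.42
2018-12-10T02:14:03 4625 10 admin 203.0.113.42
2018-12-10T02:14:04 4625 10 backup 203.0.113.42
2018-12-10T02:14:06 4625 10 scanner 203.0.113.42
2018-12-10T02:14:07 4625 10 test 203.0.113.42
2018-12-10T02:14:09 4625 10 administrator 203.0.113.42
2018-12-10T02:14:11 4625 10 jsmith 203.0.113.42
2018-12-10T02:14:12 4625 10 support 203.0.113.42
2018-12-10T02:14:14 4625 10 sa 203.0.113.42
2018-12-10T02:14:15 4625 10 helpdesk 203.0.113.42
2018-12-10T02:14:40 4624 10 helpdesk 203.0.113.42
2018-12-10T08:02:11 4625 10 jsmith 198.51.100.7
2018-12-10T08:02:25 4624 10 jsmith 198.51.100.7
2018-12-10T09:30:00 4625 2 jsmith 192.0.2.10
"""

RDP_LOGON_TYPE = "10"
THRESHOLD = 10                  # failures from one IP ...
WINDOW = timedelta(minutes=5)   # ... inside this window count as brute force


def parse_events(text):
    """Turn the simplified export into (timestamp, event_id, logon_type, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, logon_type, account, ip = line.split()
            events.append((datetime.fromisoformat(ts), event_id, logon_type, account, ip))
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return (flagged, suspicious_logons).

    flagged maps each source IP that produced `threshold` failed RDP logons
    within `window` to the sorted list of account names it tried.
    suspicious_logons lists (timestamp, account, ip) for every successful
    RDP logon from an already-flagged IP: the point at which guessing has
    most likely turned into a foothold on the network.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> every account name it has tried
    flagged = set()
    suspicious = []
    for ts, event_id, logon_type, account, ip in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue              # console, network and service logons are out of scope here
        if event_id == "4625":
            window_hits = recent[ip]
            window_hits.append(ts)
            accounts[ip].add(account)
            while ts - window_hits[0] > window:
                window_hits.popleft()   # slide the window forward
            if len(window_hits) >= threshold:
                flagged.add(ip)
        elif event_id == "4624" and ip in flagged:
            suspicious.append((ts, account, ip))
    return {ip: sorted(accounts[ip]) for ip in flagged}, suspicious


if __name__ == "__main__":
    flagged, suspicious = detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))
    for ip, tried in flagged.items():
        print(f"brute force from {ip}: {len(tried)} accounts tried")
    for ts, account, ip in suspicious:
        print(f"successful RDP logon as {account} from {ip} at {ts} after brute force")
```

To use it on real data, replace SAMPLE_EVENTS with a parser for your own export. The threshold is deliberately conservative: a single mistyped password, like the one from 198.51.100.7, never fires, while a successful logon from a source that has already been flagged is the alert worth waking someone for.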

The most infamous victim is the City of Atlanta. Other notable victims include Allscripts, a medical software provider, and at least one US hospital. Again, this goes to show that the attackers don’t care who is affected; they only care about what they can extort.

According to Sophos, the operators of SamSam have taken almost £5 million (around $6 million) in ransom payments since it first appeared.

Fake Globe

The Fake Globe Ransomware is an offshoot of the older Globe Ransomware, built to look like it. There are at least three further variants – Globe Imposter, OX4444 and GUST. This strain appends a new extension to each file it encrypts. It has been delivered through the Fallout and RIG exploit kits.

Fake Globe is the second of the three Ransomware entries on McAfee’s Threat Landscape list because of how widespread it is, rather than because any single infection is especially damaging. An infection is also often a sign of wider compromise, since the same exploit-kit traffic that drops it also delivers adware and information stealers.

Fake Globe encrypts the victim’s files, appends its extension to each one and leaves a ransom note in the affected folders. Where it differs from some other strains is in how you pay: rather than sending you to a payment portal, the note simply gives an email address, and you have to contact the attackers to be told the price and receive the decryption key.


There are, though, decryption tools that can recover files encrypted by some Fake Globe variants without paying. We will point you in that direction a little later. Bear in mind that a decryptor only recovers your files; the infection itself still has to be removed and the way it got in closed off.

STOP Ransomware

STOP Ransomware is the third strain that has made it onto McAfee’s Threat Landscape list. First appearing in late 2017, it has morphed into several variants throughout 2018.

It is distributed in several ways: spam emails, hacked websites, exploits and brute-force attacks.

It uses a combination of AES and RSA to encrypt files, appending an extension such as .STOP or .SUSPENDED and, more recently, .puma or .pumax, amongst others, to each one. Because the key used on your files is itself protected with the attackers’ RSA public key, the files cannot be recovered from the infected machine alone unless the authors made an implementation mistake or the keys are later recovered. If you are hit with this infection you will likely be asked to pay $600 to get your files back.
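Because STOP appends its extension after the original one and leaves the encrypted bytes looking like random data, both are cheap to check for on a file share. The script below is an added example for this post, not ITB’s or McAfee’s tooling; it builds its own constructed sample tree in a temporary directory, and the extension lists, the entropy threshold and the file names are assumptions made for the illustration.

```python
"""Scan a directory tree for two signs of crypto-ransomware activity.

Added example for this post, not ITB's or McAfee's tooling. It checks for
(1) files carrying one of the extensions the post lists for STOP (.STOP,
.SUSPENDED, .puma, .pumax), which STOP appends after the original
extension, so 'report.docx.puma' is the typical result; and (2) files
whose extension says plain text but whose content is close to random
(Shannon entropy near 8 bits per byte), which is what encrypted data looks
like and ordinary documents do not. The sample tree is constructed by the
example itself; it is not data from any real incident.
"""
import math
import os
import random
import tempfile
from collections import Counter

RANSOM_EXTENSIONS = {".stop", ".suspended", ".puma", ".pumax"}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".ini", ".xml", ".json"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; English text scores roughly 4 to 5
MIN_SIZE = 256            # fewer bytes than this give an unreliable estimate
SAMPLE_BYTES = 65536      # read at most this much of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root):
    """Return {'renamed': [...], 'high_entropy': [...]} with paths relative to root."""
    findings = {"renamed": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                findings["renamed"].append(rel)
            elif ext in TEXT_EXTENSIONS:
                with open(path, "rb") as fh:
                    data = fh.read(SAMPLE_BYTES)
                # Only text-like extensions are entropy-checked: compressed media
                # (.jpg, .zip, .docx) is high-entropy by nature and would false-positive.
                if len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
                    findings["high_entropy"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


def build_sample_tree(root):
    """Write a constructed sample tree under root (example data only)."""
    rng = random.Random(2018)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    samples = {
        "docs/report.docx.puma": noise,      # STOP-style rename: original extension kept
        "docs/budget.xlsx.STOP": noise,
        "notes/readme.txt": b"Quarterly figures attached, see sheet 2.\n" * 100,
        "notes/secrets.txt": noise,          # encrypted in place but never renamed
        "images/photo.jpg": noise,           # legitimately high-entropy, must not be flagged
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point scan_tree at a real share instead of the temporary directory to use it. The entropy check is deliberately limited to text-like extensions: compressed formats such as .jpg, .zip and .docx are close to random by design and would otherwise swamp the result with false positives, which is why photo.jpg in the sample is left alone while secrets.txt is flagged.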

The Aftermath

It’s important to remember that if you are hit by Ransomware you can still recover your files from backup, provided you have been backing up regularly and the backups were not reachable from the infected machine (Ransomware will happily encrypt a mapped backup drive too). It may be tempting to pay the attacker to restore your data, but this should only be a last resort.

If you do decide to pay, there are two things you need to be aware of.

  1. There is no guarantee you will get your files back, or that the decryptor you are given will work properly
  2. The attackers will add you to a ‘suckers list’ of victims known to pay, making a repeat attack more likely

In our previous post about the future of motoring, the Connected Car, we touched on how hackers are moving from threats to data to threats to life. With cars today more connected than ever, protection against this threat is paramount; a car infected with Ransomware could cause all manner of problems.

Ransomware Decryptor

Earlier in this post we mentioned that there are tools available to help recover files encrypted by Ransomware.

The No More Ransom project is a collaboration between a number of organisations, including founding partners Europol, McAfee and the Dutch National Police (Politie). It provides free decryption tools for some of the most common strains, including Annabelle, GandCrab, MacRansom and EncrypTile, amongst others.

Both the decryption tools and the list of partners involved are available on the No More Ransom website (nomoreransom.org).