Ransomware has a long history, dating back to the late 1980s. Today, it’s generating billions of dollars in revenue for the criminal groups behind it. Victims incur recovery costs even if they pay the ransom.
Given the financial benefit to attackers, it’s no surprise that ransomware gangs and malware have proliferated. The number of ransomware threat actors—those capable of developing and delivering code—is likely in the hundreds. That’s not including so-called “affiliates” who buy ransomware-as-a-service (RaaS) offerings from some of these threat actors.
Below is a list of key ransomware malware and groups, selected for inclusion based on their impact or innovative features. It isn't, and isn't intended to be, an exhaustive list. And while some of these ransomware groups are no longer active, that’s no guarantee they won’t reappear bigger and badder someday, as is too often the case.
History: Cerber is an RaaS platform that first appeared in 2016, netting attackers $200,000 in July of that year.
How it works: Cerber has been reported to exploit a Microsoft vulnerability to gain a foothold; otherwise it functions much like other ransomware. It encrypts files with the AES-256 algorithm and targets dozens of file types, including documents, pictures, audio files, videos, archives and backups. It also scans for and encrypts reachable network shares, even those not mapped to a drive letter on the infected computer, so leaving a share unmapped offers no protection. Cerber then drops three files on the victim's desktop containing the ransom demand and payment instructions.
Targeted victims: As an RaaS platform, Cerber is a threat to anyone.
Attribution: Cerber's creators sell the platform on a private Russian-language forum.
History: First appearing in May 2020, the Conti RaaS platform is considered the successor to the Ryuk ransomware. As of January 2021, Conti is believed to have infected over 150 organisations and earned millions of dollars for its criminal developers and their affiliates. At least three new versions have been found since its inception.
How it works: The Conti gang uses the double threat of withholding the decryption key and selling or leaking sensitive data of its victims. In fact, it runs a website, Conti News, where it lists its victims and publishes stolen data. Once the malware infects a system, it spends time moving laterally to gain access to more sensitive systems. Conti is known to encrypt files quickly through its use of multithreading.
Targeted victims: As an RaaS operation, Conti is a threat to anyone, although the latest round of infections in January 2021 seemed to target government organisations.
Attribution: Conti is the work of a single gang whose members remain unidentified.
History: First discovered in a 2013 attack, CryptoLocker launched the modern ransomware age and infected up to 500,000 Windows machines at its height. A later family, TorrentLocker, imitated CryptoLocker's name and ransom notes but is separate code. In July 2014, the US Department of Justice declared it had “neutralised” CryptoLocker.
How it works: CryptoLocker is a Trojan that searches the infected computer for files to encrypt, including files on internal drives and network-connected storage. It was typically delivered through phishing emails carrying an attachment, often a ZIP archive holding an executable disguised as a document, or a link to one. Opening the file runs a downloader that fetches and installs the ransomware.
Targeted victims: CryptoLocker did not seem to target any specific entity.
Attribution: CryptoLocker was created by members of the criminal gang that developed Gameover Zeus, a banking Trojan.
History: CryptoWall, also known as CryptoBit or CryptoDefense, first appeared in 2014 and became popular after the original CryptoLocker shut down. It has gone through several revisions.
How it works: CryptoWall is distributed via spam or exploit kits. Its developers appear to avoid sophisticated techniques in favour of a simple but effective classic ransomware approach. In its first six months of operation, it infected 625,000 computers.
Targeted victims: This ransomware has victimised tens of thousands of organisations of all types worldwide but avoids Russian-speaking countries.
Attribution: The CryptoWall developer is likely a criminal gang operating from a Russian-speaking country. CryptoWall 3.0 detects if it is running on a computer in Belarus, Ukraine, Russia, Kazakhstan, Armenia or Serbia then uninstalls itself.
History: First reported in 2014, CTB-Locker is another RaaS offering known for its high infection rate. In 2016, a new version of CTB-Locker targeted web servers.
How it works: Affiliates pay a monthly fee to the CTB-Locker developers for access to the hosted ransomware code. The ransomware uses elliptic curve cryptography to encrypt data. It is also known for its multi-lingual capabilities, which increases the global pool of potential victims.
Targeted victims: Given its RaaS model, CTB-Locker is a threat to any organisation, but tier 1 countries in Western Europe, North America and Australia are most commonly targeted, especially if they were known to have paid ransom fees in the past.
History: DoppelPaymer first appeared in June 2019 and is still active and dangerous. The US FBI's Cyber Division issued a warning about it in December 2020. In September 2020, a DoppelPaymer infection at a German hospital forced staff to divert a patient to another facility; the patient's subsequent death was widely reported as the first linked to a ransomware attack.
How it works: The gang behind DoppelPaymer uses the unusual tactic of calling victims, using spoofed US-based phone numbers, to demand a ransom payment, which is typically around 50 bitcoins, or about $600,000 when it first appeared. They claimed to be from North Korea, and made the double threat of leaking or selling the stolen data. In some cases, they took it a step further by threatening employees at victimised companies with harm.
DoppelPaymer appears to be based on the BitPaymer ransomware, although it has some key differences such as using threaded file encryption for a better encryption rate. Also unlike BitPaymer, DoppelPaymer uses a tool called Process Hacker to terminate security, email server, backup and database processes and services to weaken defences and avoid disrupting the encryption process.
Targeted victims: DoppelPaymer targets critical industries in healthcare, emergency services and education.
Attribution: Unclear, but some reports suggest that an offshoot of the group behind the Dridex Trojan, known as TA505, is responsible for DoppelPaymer.
History: Egregor appeared in September 2020 and is growing rapidly. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal.”
How it works: Egregor follows the “double extortion” trend of both encrypting data and threatening to leak sensitive information if the ransom is not paid. Its codebase is relatively sophisticated and able to avoid detection by using obfuscation and anti-analysis techniques.
Targeted victims: As of late November 2020, Egregor had victimised at least 71 organisations across 19 industries worldwide.
Attribution: Egregor’s rise coincides with the Maze ransomware gang shutting down its operations. Maze group affiliates appear to have moved on to Egregor. It is a variant of the Sekhmet ransomware family and is associated with the Qakbot malware.
History: FONIX is an RaaS offering that was first discovered in July 2020. It quickly went through a number of code revisions, but abruptly shut down in January 2021. The FONIX gang then released its master decryption key.
How it works: The FONIX gang advertised its services on cybercrime forums and the dark web. A purchaser sent the gang an email address and a password, and the gang sent back a ransomware payload customised with them. The FONIX gang took a 25 per cent cut of any ransom fees paid.
Targeted victims: Since FONIX is RaaS, anyone could be a victim.
Attribution: An unknown cybercriminal gang.
History: GandCrab might be the most lucrative RaaS ever. Its developers claim more than $2 billion in victim payouts as of July 2019. GandCrab was first identified in January 2018.
How it works: GandCrab is an affiliate ransomware program for cybercriminals who pay its developers a portion of the ransom fees they collect. The malware is typically delivered through malicious Microsoft Office documents sent via phishing emails. Variations of GandCrab have exploited vulnerabilities in software such as Atlassian’s Confluence. In that case, the attackers use the flaw to inject a rogue template that enables remote code execution.
Targeted victims: GandCrab has infected systems globally across multiple industries, though it is designed to avoid systems in Russian-speaking regions.
Attribution: GandCrab has been tied to Russian national Igor Prokopenko.
How it works: GoldenEye was initially spread through a campaign targeting human resources departments with fake cover letters and resumes. When the victim enables the document's macro, it drops and runs the payload, which encrypts files on the computer and appends a random eight-character extension to each one. The ransomware then overwrites the hard drive's master boot record with a custom boot loader.
Targeted victims: GoldenEye first targeted German-speaking users in its phishing emails.
History: Jigsaw first appeared in 2016, but researchers released a decryption tool shortly after its discovery.
How it works: The most notable aspect of Jigsaw is that it encrypts some files, demands a ransom, and then progressively deletes files until the ransom is paid. It deletes a file per hour for 72 hours. At that point, it deletes all remaining files.
Targeted victims: Jigsaw appears not to have targeted any particular group of victims.
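Three of the families above leave the same kind of trace on disk: Cerber and GoldenEye rewrite files as ciphertext and give them a new extension, and Jigsaw makes files disappear on a timer. The following is an added example, not code from any of these families or from a detection product: it takes a baseline listing of a directory, then reports files that now have an unfamiliar extension and near-random (high-entropy) content, and baseline files that have vanished without a ciphertext replacement. The demo directory, the extension allowlist, the 7.2 bits/byte threshold and the "simulated impact" step (which just writes random bytes, no cipher involved) are all constructed for this illustration.

```python
"""Spot ransomware artefacts in a directory: rewritten-and-renamed files
with high-entropy content, and baseline files that have been deleted.

Added example; not the code of Cerber, GoldenEye or Jigsaw. Everything in
run_demo() is constructed sample data.
"""
import math
import os
import secrets
import tempfile
from collections import Counter
from pathlib import Path

# Extensions whose legitimate contents are already compressed or encrypted
# and so read as high-entropy; treat these as expected, not suspicious.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".bak"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; ciphertext sits close to 8.0
SAMPLE_BYTES = 65536      # only the head of each file is inspected


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root):
    """Relative paths of every regular file under root."""
    return {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}


def scan(root, baseline):
    """Compare the tree against a baseline snapshot and report artefacts."""
    current = snapshot(root)
    encrypted = []
    for rel in sorted(current):
        path = root / rel
        if path.suffix.lower() in KNOWN_EXTENSIONS:
            continue  # allowlisted; a .zip or .jpg is meant to look random
        if shannon_entropy(path.read_bytes()[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
            encrypted.append(rel)

    deleted = []
    for old in sorted(baseline - current):
        # "report.docx" -> "report.docx.1a2b3c4d" is an overwrite, already
        # reported under `encrypted`; only count a true disappearance here.
        if any(new.startswith(old) for new in encrypted):
            continue
        deleted.append(old)
    return {"encrypted": encrypted, "deleted": deleted}


def run_demo():
    """Build a constructed directory, simulate impact, return scan() output."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    (root / "report.docx").write_bytes(b"Q3 revenue by region\n" * 400)  # plaintext stand-in
    (root / "notes.txt").write_bytes(b"meeting notes\n" * 200)
    (root / "photo.jpg").write_bytes(os.urandom(8192))  # legitimately random-looking
    baseline = snapshot(root)

    # Simulated impact (constructed, no real cipher): overwrite one file with
    # random bytes and append a random 8-character extension, then delete
    # another outright.
    victim = root / "report.docx"
    victim.write_bytes(os.urandom(8192))
    victim.rename(victim.with_name(victim.name + "." + secrets.token_hex(4)))
    (root / "notes.txt").unlink()

    return scan(root, baseline)


if __name__ == "__main__":
    print(run_demo())
```

The extension allowlist is what keeps the entropy test honest: archives, images and Office files are already near 8 bits/byte, so entropy alone would flag half a user's home directory. The corresponding blind spot is ransomware that keeps the original extension, which is why production monitors pair this check with canary files and a rename-rate threshold rather than relying on entropy by itself.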