CSO's guide to the worst and most notable ransomware attacks

CSO's guide to the worst and most notable ransomware attacks

The ransomware gangs and malware listed here have victimised millions of companies and caused billions of dollars in costs

Credit: Dreamstime


History: KeRanger, discovered in 2016, is believed to be the first operational ransomware designed to attack Mac OS X applications.

How it works: KeRanger was distributed through a legitimate but compromised BitTorrent client that was able to evade detection as it had a valid certificate.

Targeted victims: Mac users

Attribution: Unknown


History: Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Google removed the apps from its store shortly after discovery.

How it works: Victims download what appears to be a legitimate app. The app then asks for permissions that grant the malware access needed to execute. Rather than encrypt files, it locks the device home screen to prevent access to data.

Targeted victims: Android users who download the infected apps.

Attribution: An unknown cybercriminal group.


History: LockerGoga appeared in 2019 in an attack targeting industrial companies. Although the attackers asked for a ransom, LockerGoga seemed intentially designed to make paying a ransom difficult. This led some researcher to believe its intent was disruption rather than financial gain.

How it works: LockerGoga used a phishing campaign with malicious document attachments to infect systems. The payload were signed with valid certificates, which allowed them to bypass security.

Targeted victims: LockerGoga victimised European manufacturing companies, most notably Norsk Hydro where it caused a global IT shut-down.

Attribution: Some researchers say LockerGoga was likely the work of a nation-state.


History: Locky first began spreading in 2016 and used an attack mode similar to the banking malware Dridex. Locky has inspired a number of variants including Osiris and Diablo6.

How it works: Victims are usually sent an email with a Microsoft Word document purporting to be an invoice. That invoice contains malicious macro. Microsoft disables macros by default due to the security dangers. If macros are enabled, the document runs the macro, which downloads Locky. Dridex uses the same technique to steal account credentials.

Targeted victims: Early Locky attacks targeted hospitals, but subsequent campaigns were broad and untargeted.

Attribution: It's suspected that the cybercriminal group behind Locky is affiliated to one of those behind Dridex due to similarities between the two.


History: Maze is a relatively new ransomware group, discovered in May 2019. It is known for releasing stolen data to the public if the victim does not pay to decrypt it. The Maze group announced in September 2020 that it was closing its operations.

How it works: Maze attackers typically gain entry to networks remotely using valid credentials that might be guessed, default, or gained through phishing campaigns. The malware then scans the network using open-source tools to discover vulnerabilities and learn about the network. It then moves laterally throughout the network looking for more credentials that can be used for privilege escalation. Once it finds domain admin credentials, it can access and encrypt anything on the network.

Targeted victims: Maze operates on a global scale across all industries.

Attribution: The people behind Maze are believed to be multiple criminal groups that share their specialties rather than a singular gang.


History: Active since 2019, Netwalker is another ransomware operation that uses the double threat of withholding decryption keys and selling or leaking stolen data. In late January 2021, however, the US Department of Justice announced a global action that disrupted the Netwalker operation. It's too early to know how long-lasting that disruption will be.

How it works: From a technical standpoint, Netwalker is relatively ordinary ransomware. It gains a foothold using phishing emails, encrypts and exfiltrates data, and sends a ransom demand. It's the second threat of exposing sensitive data that makes it more dangerous. It is known to have released stolen data by putting it in a password-protected fold on the dark web and then releasing the key publicly.

Targeted victims: Netwalker targets primarily healthcare and educational institutions.

Attribution: The Circus Spider gang is believed to have created Netwalker.


History: First appearing in 2016, NotPetya is actually data destroying malware, called a wiper, that masquerades as ransomware.

How it works: The NotPetya virus superficially resembles Petya in that it encrypts files and requests a ransom in Bitcoin. Petya requires the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya can spread without human intervention.

The original infection vector appears to be via a backdoor planted in M.E.Doc, an accounting software package that's used by almost every company Ukraine. Having infected computers from Medoc’s servers, NotPetya used a variety of techniques to spread to other computers, including EternalBlue and EternalRomance. It can also take advantage of Mimikatz to find network administration credentials in the infected machine's memory, and then use the Windows PsExec and WMIC tools to remotely access and infect other computers on the local network.

Targeted victims: The attack primarily focused on Ukraine.

Attribution: The Sandworm group within Russia's GRU is believed to be responsible for NotPetya.


History: The name derives from a satellite that was part of the sinister plot in the 1995 James Bond film GoldenEye. A Twitter account suspected of belonging to the malware's author used a picture of actor Alan Cumming, who played the villain, as its avatar. The initial version of the Petya malware began to spread in March 2016.

How it works: Petya arrives on the victim's computer attached to an email purporting to be a job applicant's resume. It's a package with two files: a stock image of young man and an executable file, often with "PDF" somewhere in the file name. When the victim clicks on that file, a Windows User Access Control warning tells them that the executable is going to make changes to your computer. The malware loads once the victim accepts the change and then denies access by attacking low-level structures on the storage media.

Targeted victims: Any Windows system is a potential target, but Ukraine was hardest hit by the attack.

Attribution: Unknown


History: The PureLocker RaaS platform, discovered in 2019, targets enterprise production servers running Linux or Windows. It is written in the PureBasic language, hence its name.

How it works: PureLocker relies on the more_eggs backdoor malware to gain access rather than phishing attempts. Attackers target machines that have already been compromised and they understand. PureLocker then analyses the machines and selectively encrypts data.

Targeted victims: Researchers believe that only a few criminal gangs can afford to pay for PureLocker, to its use is limited to high-value targets.

Attribution: The malware-as-a-service (MaaS) provider behind the more_eggs backdoor is likely responsible for PureLocker.


History: RobbinHood is another ransomware variant that uses EternalBlue. It brought the city of Baltimore, Maryland, to its knees in 2019.

How it works: The most unique feature about RobbinHood is in how its payload bypasses endpoint security. It has five parts: an executable that kills processes and files of security products, code to deploy a signed third-party driver and a malicious unsigned kernel driver, an outdated Authenticode-signed driver that has a vulnerability, a malicious driver to kill processes and delete files from the kernel space, and a text file with a list of applications to kill and delete.

The outdated, signed driver has a known bug that the malware uses to avoid detection and then install its own unsigned driver on Windows 7, Windows 8 and Windows 10.

Targeted victims: Local governments such as the cities of Baltimore and Greenville, North Carolina, seem to be hardest hit by RobbinHood.

Attribution: An unidentified criminal group

Read more on the next page...

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.


ARN Innovation Awards 2022

Innovation Awards is the market-leading awards program for celebrating ecosystem innovation and excellence across the technology sector in Australia.

EDGE 2022

EDGE is the leading technology conference for business leaders in Australia and New Zealand, built on the foundations of collaboration, education and advancement.

Show Comments