ARN

CSO's guide to the worst and most notable ransomware attacks

The ransomware gangs and malware listed here have victimised millions of companies and caused billions of dollars in costs

Ransomware has a long history, dating back to the late 1980s. Today, it’s generating billions of dollars in revenue for the criminal groups behind it. Victims incur recovery costs even if they pay the ransom.

Sophos reports that the average cost of a ransomware attack in 2020 was nearly $1.5 million for victim organisations that paid ransoms and about $732,000 for those that didn’t.

Given the financial benefit to attackers, it’s no surprise that ransomware gangs and malware have proliferated. The number of ransomware threat actors—those capable of developing and delivering code—is likely in the hundreds. That’s not including so-called “affiliates” who buy ransomware-as-a-service (RaaS) offerings from some of these threat actors.

Below is a list of key ransomware malware and groups, selected for inclusion based on their impact or innovative features. It isn't, and isn't intended to be, an exhaustive list. And while some of these ransomware groups are no longer active, that’s no guarantee they won’t reappear bigger and badder someday, as is too often the case.


Cerber

History: Cerber is an RaaS platform that first appeared in 2016, netting attackers $200,000 in July of that year.

How it works: Cerber took advantage of a Microsoft vulnerability to infect networks. It functions similarly to other ransomware threats. It encrypts files with AES-256 algorithm and targets dozens of file types, including documents, pictures, audio files, videos, archives and backups. It can also scan for and encrypt available network shares even if they are not mapped to a drive letter in the computer. Cerber then drops three files on the victim's desktop that contain the ransom demand and instructions on how to pay it.

Targeted victims: As an RaaS platform, Cerber is a threat to anyone.

Attribution: Cerber's creators sell the platform on a private Russian-language forum.


Conti

History: First appearing in May 2020, the Conti RaaS platform is considered the successor to the Ryuk ransomware. As of January 2021, Conti is believed to have infected over 150 organisations and earned millions of dollars for its criminal developers and their affiliates. At least three new versions have been found since its inception.

How it works: The Conti gang uses the double threat of withholding the decryption key and selling or leaking sensitive data of its victims. In fact, it runs a website, Conti News, where it lists its victims and publishes stolen data. Once the malware infects a system, it spends time moving laterally to gain access to more sensitive systems. Conti is known to encrypt files quickly through its use of multithreading.

Targeted victims: As a RaaS operation, Conti is a threat to anyone, although the latest round of infections in January 2021 seemed to target government organisations.

Attribution: Conti is the work of a single gang whose members remain unidentified.


CryptoLocker

History: First discovered in 2013 attack, CryptoLocker launched the modern ransomware age and infected up to 500,000 Windows machines at its height. It is also known as TorrentLocker. In July 2014, the US Department of Justice declared it had “neutralised” CryptoLocker.

How it works: CryptoLocker is a Trojan that searches infected computers for files to encrypt, including any internal or network-connected storage devices. It typically is delivered through phishing emails with file attachments that contain malicious links. A downloader is activated once the file is opened, infecting the computer.

Targeted victims: CryptoLocker did not seem to target any specific entity.

Attribution: CryptoLocker was created by members of the criminal gang that developed Gameover Zeus, a banking Trojan.


CryptoWall

History: CryptoWall, also known as CryptoBit or CryptoDefense, first appeared in 2014 and became popular after the original CryptoLocker shut down. It has gone through several revisions.

How it works: CryptoWall is distributed via spam or exploit kits. Its developers appear to avoid sophisticated in favour of a simple but effective classic ransomware approach. In its first six months of operation, it infected 625,000 computers.

Targeted victims: This ransomware has victimised tens of thousands of organisations of all types worldwide but avoids Russian-speaking countries.

Attribution: The CryptoWall developer is likely a criminal gang operating from a Russian-speaking country. CryptoWall 3.0 detects if it is running on a computer in Belarus, Ukraine, Russia, Kazakhstan, Armenia or Serbia then uninstalls itself.


CTB-Locker

History: First reported in 2014, CTB-Locker is another RaaS offering known for its high infection rate. In 2016, a new version of CTB-Locker targeted web servers.

How it works: Affiliates pay a monthly fee to the CTB-Locker developers for access to the hosted ransomware code. The ransomware uses elliptic curve cryptography to encrypt data. It is also known for its multi-lingual capabilities, which increases the global pool of potential victims.

Targeted victims: Given its RaaS model, CTB-Locker is a threat to any organisation, but tier 1 countries in Western Europe, North America and Australia are most commonly targeted, especially if they were known to have paid ransom fees in the past.


DoppelPaymer

History: DoppelPaymer first appeared in June 2019 and is still active and dangerous. The US FBI's Cyber Division issued a warning about it in December 2020. In September 2020, it was used in the first ransomware that resulted in a death when a a victimised German hospital was forced to send a patient to another facility.

How it works: The gang behind DoppelPaymer uses the unusual tactic of calling victims, using spoofed US-based phone numbers, to demand a ransom payment, which is typically around 50 bitcoins, or about $600,000 when it first appeared. They claimed to be from North Korea, and made the double threat of leaking or selling the stolen data. In some cases, they took it a step further by threatening employees at victimised companies with harm.

DoppelPaymer appears to be based on the BitPaymer ransomware, although it has some key differences such as using threaded file encryption for a better encryption rate. Also unlike BitPaymer, DoppelPaymer uses a tool called Process Hacker to terminate security, email server, backup and database processes and services to weaken defences and avoid disrupting the encryption process.

Targeted victims: DoppelPaymer targets critical industries in healthcare, emergency services and education.

Attribution: Unclear, but some reports suggest that an offshoot of the group behind the Dridex Trojan, known as TA505, is responsible for DoppelPaymer.


Egregor

History: Egregor appeared in September 2020 and is growing rapidly. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal.”

How it works: Egregor follows the “double extortion” trend of both encrypting data and threatening to leak sensitive information if the ransom is not paid. Its codebase is relatively sophisticated and able to avoid detection by using obfuscation and anti-analysis techniques.

Targeted victims: As of late November, Egregor victimised at least 71 organisations across 19 industries worldwide.

Attribution: Egregor’s rise coincides with the Maze ransomware gang shutting down its operations. Maze group affiliates appear to have moved on to Egregor. It is a variant of the Sekhmet ransomware family and is associated with the Qakbot malware.


FONIX

History: FONIX is an RaaS offering that was first discovered in July 2020. It quickly went through a number of code revisions, but abruptly shut down in January 2021. The FONIX gang then released its master decryption key.

How it works: The FONIX gang advertised its services on cybercrime forums and the dark web. Purchasers of FONIX would send the gang an email address and password. The gang then sends the customised ransomware payload to the buyer. The FONIX gang takes a 25 per cent cut of any ransom fees paid.

Targeted victims: Since FONIX is RAAS, anyone could be a victim.

Attribution: An unknown cybercriminal gang


GandCrab

History: GandCrab might be the most lucrative RaaS ever. Its developers claim more than $2 billion in victim payouts as of July 2019. GandCrab was first identified in January 2018.

How it works: GandCrab is an affiliate ransomware program for cybercriminals who pay its developers a portion of the ransom fees they collect. The malware is typically delivered through malicious Microsoft Office documents sent via phishing emails. Variations of GandCrab have exploited vulnerabilities in software such as Atlassian’s Confluence. In that case, the attackers use the flaw to inject a rogue template that enables remote code execution.

Targeted victims: GandCrab has infected systems globally across multiple industries, though it is designed to avoid systems in Russian-speaking regions.

Attribution: GandCrab has been tied to Russian national Igor Prokopenko.


GoldenEye

History: Appearing in 2016, GoldenEye appears to be based on the Petya ransomware.

How it works: GoldenEye was initially spread through a campaign targeting human resources departments with fake cover letters and resumes. Once its payload infects a computer, it executes a macro that encrypts files on the computer, adding a random eight-character extension at the end of each file. The ransomware then modifies the computer’s hard drive master boot record with a custom boot loader. 

Targeted victims: GoldenEye first targeted German-speaking users in its phishing emails.

Attribution: Unknown


Jigsaw

History: Jigsaw first appeared in 2016, but researchers released a decryption tool shortly after its discovery.

How it works: The most notable aspect of Jigsaw is that it encrypts some files, demands a ransom, and then progressively deletes files until the ransom is paid. It deletes a file per hour for 72 hours. At that point, it deletes all remaining files.

Targeted victims: Jigsaw appears not to have target any group of victims.

Attribution: Unknown

Read more on the next page...

Page Break

KeRanger

History: KeRanger, discovered in 2016, is believed to be the first operational ransomware designed to attack Mac OS X applications.

How it works: KeRanger was distributed through a legitimate but compromised BitTorrent client that was able to evade detection as it had a valid certificate.

Targeted victims: Mac users

Attribution: Unknown


Leatherlocker

History: Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Google removed the apps from its store shortly after discovery.

How it works: Victims download what appears to be a legitimate app. The app then asks for permissions that grant the malware access needed to execute. Rather than encrypt files, it locks the device home screen to prevent access to data.

Targeted victims: Android users who download the infected apps.

Attribution: An unknown cybercriminal group.


LockerGoga

History: LockerGoga appeared in 2019 in an attack targeting industrial companies. Although the attackers asked for a ransom, LockerGoga seemed intentially designed to make paying a ransom difficult. This led some researcher to believe its intent was disruption rather than financial gain.

How it works: LockerGoga used a phishing campaign with malicious document attachments to infect systems. The payload were signed with valid certificates, which allowed them to bypass security.

Targeted victims: LockerGoga victimised European manufacturing companies, most notably Norsk Hydro where it caused a global IT shut-down.

Attribution: Some researchers say LockerGoga was likely the work of a nation-state.


Locky

History: Locky first began spreading in 2016 and used an attack mode similar to the banking malware Dridex. Locky has inspired a number of variants including Osiris and Diablo6.

How it works: Victims are usually sent an email with a Microsoft Word document purporting to be an invoice. That invoice contains malicious macro. Microsoft disables macros by default due to the security dangers. If macros are enabled, the document runs the macro, which downloads Locky. Dridex uses the same technique to steal account credentials.

Targeted victims: Early Locky attacks targeted hospitals, but subsequent campaigns were broad and untargeted.

Attribution: It's suspected that the cybercriminal group behind Locky is affiliated to one of those behind Dridex due to similarities between the two.


Maze 

History: Maze is a relatively new ransomware group, discovered in May 2019. It is known for releasing stolen data to the public if the victim does not pay to decrypt it. The Maze group announced in September 2020 that it was closing its operations.

How it works: Maze attackers typically gain entry to networks remotely using valid credentials that might be guessed, default, or gained through phishing campaigns. The malware then scans the network using open-source tools to discover vulnerabilities and learn about the network. It then moves laterally throughout the network looking for more credentials that can be used for privilege escalation. Once it finds domain admin credentials, it can access and encrypt anything on the network.

Targeted victims: Maze operates on a global scale across all industries.

Attribution: The people behind Maze are believed to be multiple criminal groups that share their specialties rather than a singular gang.


Netwalker

History: Active since 2019, Netwalker is another ransomware operation that uses the double threat of withholding decryption keys and selling or leaking stolen data. In late January 2021, however, the US Department of Justice announced a global action that disrupted the Netwalker operation. It's too early to know how long-lasting that disruption will be.

How it works: From a technical standpoint, Netwalker is relatively ordinary ransomware. It gains a foothold using phishing emails, encrypts and exfiltrates data, and sends a ransom demand. It's the second threat of exposing sensitive data that makes it more dangerous. It is known to have released stolen data by putting it in a password-protected fold on the dark web and then releasing the key publicly.

Targeted victims: Netwalker targets primarily healthcare and educational institutions.

Attribution: The Circus Spider gang is believed to have created Netwalker.


NotPetya 

History: First appearing in 2016, NotPetya is actually data destroying malware, called a wiper, that masquerades as ransomware.

How it works: The NotPetya virus superficially resembles Petya in that it encrypts files and requests a ransom in Bitcoin. Petya requires the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya can spread without human intervention.

The original infection vector appears to be via a backdoor planted in M.E.Doc, an accounting software package that's used by almost every company Ukraine. Having infected computers from Medoc’s servers, NotPetya used a variety of techniques to spread to other computers, including EternalBlue and EternalRomance. It can also take advantage of Mimikatz to find network administration credentials in the infected machine's memory, and then use the Windows PsExec and WMIC tools to remotely access and infect other computers on the local network.

Targeted victims: The attack primarily focused on Ukraine.

Attribution: The Sandworm group within Russia's GRU is believed to be responsible for NotPetya.


Petya

History: The name derives from a satellite that was part of the sinister plot in the 1995 James Bond film GoldenEye. A Twitter account suspected of belonging to the malware's author used a picture of actor Alan Cumming, who played the villain, as its avatar. The initial version of the Petya malware began to spread in March 2016.

How it works: Petya arrives on the victim's computer attached to an email purporting to be a job applicant's resume. It's a package with two files: a stock image of young man and an executable file, often with "PDF" somewhere in the file name. When the victim clicks on that file, a Windows User Access Control warning tells them that the executable is going to make changes to your computer. The malware loads once the victim accepts the change and then denies access by attacking low-level structures on the storage media.

Targeted victims: Any Windows system is a potential target, but Ukraine was hardest hit by the attack.

Attribution: Unknown


Purelocker

History: The PureLocker RaaS platform, discovered in 2019, targets enterprise production servers running Linux or Windows. It is written in the PureBasic language, hence its name.

How it works: PureLocker relies on the more_eggs backdoor malware to gain access rather than phishing attempts. Attackers target machines that have already been compromised and they understand. PureLocker then analyses the machines and selectively encrypts data.

Targeted victims: Researchers believe that only a few criminal gangs can afford to pay for PureLocker, to its use is limited to high-value targets.

Attribution: The malware-as-a-service (MaaS) provider behind the more_eggs backdoor is likely responsible for PureLocker.


RobbinHood 

History: RobbinHood is another ransomware variant that uses EternalBlue. It brought the city of Baltimore, Maryland, to its knees in 2019.

How it works: The most unique feature about RobbinHood is in how its payload bypasses endpoint security. It has five parts: an executable that kills processes and files of security products, code to deploy a signed third-party driver and a malicious unsigned kernel driver, an outdated Authenticode-signed driver that has a vulnerability, a malicious driver to kill processes and delete files from the kernel space, and a text file with a list of applications to kill and delete.

The outdated, signed driver has a known bug that the malware uses to avoid detection and then install its own unsigned driver on Windows 7, Windows 8 and Windows 10.

Targeted victims: Local governments such as the cities of Baltimore and Greenville, North Carolina, seem to be hardest hit by RobbinHood.

Attribution: An unidentified criminal group

Read more on the next page...

Page Break

Ryuk 

History: Ryuk first appeared in August 2018 but is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017.

How it works: It is often used in combination with other malware like TrickBot. The Ryuk gang is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

The Ryuk attackers demand high ransom payments from their victims, typically between 15 and 50 Bitcoins (roughly $100,000 to $500,000), although higher payments have reportedly been paid.

Targeted victims: Businesses, hospitals and government organisations—often those must vulnerable—are the most common Ryuk victims.

Attribution: First attributed to the North Korean Lazarus Group, which used Hermes in an attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, Ryuk is now believed to be the creation of a Russian-speaking cybercriminal group that obtained access to Hermes. The Ryuk gang, sometimes called Wizard Spider or Grim Spider, also operates TrickBot. Some researchers believe that Ryuk could be the creation of the original Hermes author or authors operating under the handle CryptoTech.


SamSam

History: SamSam has been around since 2015 and targeted primarily healthcare organisations and ramped up significantly in the following years.

How it works: SamSam is an RaaS operation whose controllers probe pre-selected targets for weaknesses. It has exploited a range of vulnerabilities in everything from IIS to FTP to RDP. Once inside the system, the attackers escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.

Targeted victims: Hardest hit were US-based healthcare and government organisations including the Colorado Department of Transportation and the City of Atlanta.

Attribution: Initially believed by some to have an Eastern European origin, SamSam mostly targeted US institutions. In late 2018, the US Department of Justice indicted two Iranians that they claim were behind the attacks.


SimpleLocker 

History: SimpleLocker, discovered in 2014, was the first widespread ransomware attack that focused on mobile devices, specifically Android devices.

How it works: SimpleLocker infects devices when the victim downloads a malicious app. The malware then scans the device’s SD card for certain file types and encrypts them. It then displays a screen demanding a ransom and instructions on how to pay.

Targeted victims: Since the ransom note is in Russian and asks for payment in Ukrainian currency, it is assumed that the attackers originally targeted that region.

Attribution: SimpleLocker is believed to have been written by the same hackers who developed other Russian malware such as SlemBunk and GM Bot.


Sodinokibi/REvil

History: Sodinokibi, also known as REvil, is another RaaS platform that first emerged in April 2019. Apparently related to GandCrab, it also has code that prevents it from executing in Russia and several adjacent countries, as well as Syria. It was responsible for shutting down more than 22 small Texas towns, and on New Year’s Eve 2019 it took down the UK currency exchange service Travelex.

How it works: Sodinokibi propagates in several ways, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN. It targets Microsoft Windows systems and encrypts all files except configuration files. Victims then receive a double threat if they don’t pay the ransom: They won’t get their data back and their sensitive data will be sold or published on underground forums.

Targeted victims: Sodinokibi has infected many different organisations globally outside the regions it excludes.

Attribution: Sodinokibi rose to prominence after GandCrab shut down. An alleged member of the group, using the handle Unknown, confirmed that the ransomware was built on top of an older codebase that the group acquired.


TeslaCrypt

History: TeslaCrypt is a Windows ransomware Trojan first detected in 2015 that targets players of computer games. Several newer versions appeared in quick succession, but the developers shut down operations in May 2016 and released the master decryption key.

How it works: Once it infects a computer, typically after a victim visits a hacked website that runs an exploit kit, TeslaCrypt looks for and encrypts gaming files such as game saves, recorded replays and user profiles. It then demands a $500 fee in Bitcoin to decrypt the files.

Targeted victims: Computer gamers

Attribution: Unknown


Thanos

History: The Thanos RaaS is relatively new, discovered in late 2019. It is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.

How it works: Advertised in underground forums and other closed channels, Thanos is a customised tool that its affiliates use to create ransomware payloads. Many of the features it offers are designed to evade detection. The Thanos developers have released multiple versions, adding capabilities such as disabling third-party backup, removal of Windows Defender signature files, and features to make forensics more difficult for response teams.

Targeted victims: As an RaaS platform, Thanos can victimise any organisation.

Attribution: Unknown


Wannacry

History: The WannaCry worm spread through computer networks rapidly in May 2017 thanks to the EternalBlue exploit developed by the US National Security Agency (NSA) and then stolen by hackers. It quickly infected millions of Windows computers.

How it works: WannaCry consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself including: 

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor 

Once launched, WannaCry tries to access a hard-coded URL. If it can't, it proceeds to search for and encrypt files in important formats, ranging from Microsoft Office files to MP3s and MKVs. It then displays a ransom notice demanding Bitcoin to decrypt the files.

Targeted victims: The WannaCry attack affected companies globally, but high-profile enterprises in healthcare, energy, transportation and communications were particularly hard hit.

Attribution: North Korea’s Lazarus Group is believed to be behind WannaCry.


WastedLocker

History: One of the more recent to appear, the WastedLocker ransomware began victimising organisations in May 2020. It is one of the more sophisticated examples of ransomware, and its creators are known for asking high ransom fees.

How it works: The malware uses a JavaScript-based attack framework calle SocGholish that is distributed in ZIP file form via a fake browser update that appear on legitimate but compromised websites. Once activated WastedLocker then downloads and executes PowerShell scripts and a backdoor called Cobalt Strike. The malware then explores the network and deploys "living off the land" tools to steal credentials and gain access to high-value systems. It then encrypts data using a combination of AES and RSA cryptography.

Targeted victims: WastedLocker focuses on high-value targets most likely to pay high ransoms, mainly in North America and Western Europe.

Attribution: A known criminal gang, Evil Corp, is responsible for WastedLocker. The group is also known for operating the Dridex malware and botnet.


WYSIWYE

History: Discovered in 2017, WYSIWYE (What You See Is What You Encrypt) is an RaaS platform that targets Windows systems.

How it works: scans the web for open Remote Desktop Protocol (RDP) servers. It then executes sign-in attempts using default or weak credentials to access systems and spread across the network. Criminals who purchase WYSIWYE services can choose what types of files to encrypt and whether to delete the original files after encryption.

Targeted victims: WYSIWYE attacks first appeared in Germany, Belgium, Sweden and Spain.

Attribution: Unknown


Zeppelin

History: Zeppelin first appeared in November 2019 and is a descendent of Vega or VegasLocker RaaS offering that victimised accounting firms in Russia and Eastern Europe.

How it works: Zeppelin has more capabilities than its ancestors, especially when it comes to configurability. Zeppelin can be deployed in multiple ways, including as an EXE, a DLL, or a PowerShell loader, but it some of its attacks came via compromised managed security service providers.

Targeted victims: Zeppelin is much more targeted than Vega, which spread somewhat indiscriminately and mostly operated in the Russian-speaking world. Zeppelin is designed to not execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Most of its victims were healthcare and technology companies in North America and Europe.

Attribution: Security experts believe that a new threat actor, likely in Russia, is using Vega's codebase to develop Zeppelin.

Attribution: Unknown