Given the financial benefit to attackers, it’s no surprise that ransomware gangs and malware have proliferated. The number of ransomware threat actors—those capable of developing and delivering code—is likely in the hundreds. That’s not including so-called “affiliates” who buy ransomware-as-a-service (RaaS) offerings from some of these threat actors.
Below is a list of key ransomware malware and groups, selected for inclusion based on their impact or innovative features. It isn’t, and isn’t intended to be, an exhaustive list. While some of these ransomware groups are no longer active, that’s no guarantee they won’t reappear bigger and badder someday, as is too often the case.
History: Cerber is an RaaS platform that first appeared in 2016.
How it works: Cerber took advantage of a Microsoft vulnerability to infect networks. It functions similarly to other ransomware threats. It encrypts files with the AES-256 algorithm and targets dozens of file types, including documents, pictures, audio files, videos, archives and backups. It can also scan for and encrypt available network shares even if they are not mapped to a drive letter on the infected computer. Cerber then drops three files on the victim’s desktop that contain the ransom demand and instructions on how to pay it.
Targeted victims: As an RaaS platform, Cerber is a threat to anyone.
Attribution: Cerber’s creators sell the platform on a private Russian-language forum.
History: First appearing in May 2020, the Conti RaaS platform is considered the successor to the Ryuk ransomware. As of January 2021, Conti is believed to have infected over 150 organizations and earned millions for its criminal developers and their affiliates. At least three new versions have been found since its inception.
How it works: Conti uses the double threat of withholding the decryption key and selling or leaking sensitive data of its victims. In fact, it runs a website, Conti News, where it lists its victims and publishes stolen data. Once the malware infects a system, it spends time moving laterally to gain access to more sensitive systems. Conti is known to encrypt files quickly through its use of multithreading.
Targeted victims: As a RaaS operation, Conti is a threat to anyone, although a round of infections in January 2021 seemed to target government organizations. The Wizard Spider group is believed to have used Conti in its ransomware attack on Ireland’s national health service and at least 16 US-based healthcare and emergency networks.
Attribution: Conti is believed to be the work of a single gang, tracked as Wizard Spider, whose members remain unidentified.
History: First discovered in a 2013 attack, CryptoLocker launched the modern ransomware age and infected up to 500,000 Windows machines at its height. It is not to be confused with TorrentLocker, a separate ransomware family that later borrowed the CryptoLocker name.
How it works: CryptoLocker is a Trojan that searches infected computers for files to encrypt, including any internal or network-connected storage devices. It typically is delivered through phishing emails carrying malicious attachments. Opening the attachment activates a downloader, which installs the Trojan on the computer.
Targeted victims: CryptoLocker did not seem to target any specific entity.
Attribution: CryptoLocker was created by members of the criminal gang that developed Gameover Zeus, a banking Trojan.
History: CryptoWall, also known as CryptoBit or CryptoDefense, first appeared in 2014 and became popular after the original CryptoLocker shut down. It has gone through several revisions.
How it works: CryptoWall is distributed via spam or exploit kits. Its developers appear to avoid sophistication in favor of a simple but effective classic ransomware approach. In its first six months of operation, it infected 625,000 computers.
Targeted victims: This ransomware has victimized tens of thousands of organizations of all types worldwide but avoids Russian-speaking countries.
Attribution: The CryptoWall developer is likely a criminal gang operating from a Russian-speaking country. CryptoWall 3.0 detects whether it is running on a computer in Belarus, Ukraine, Russia, Kazakhstan, Armenia or Serbia and, if so, uninstalls itself.
A Guide To The Worst And Most Notable Ransomware
History: First reported in 2014, CTB-Locker is another RaaS offering known for its high infection rate. In 2016, a new version of CTB-Locker targeted web servers.
How it works: Affiliates pay a monthly fee to the CTB-Locker developers for access to the hosted ransomware code. The ransomware uses elliptic curve cryptography to encrypt data. It is also known for its multi-lingual capabilities, which increases the global pool of potential victims.
Targeted victims: Given its RaaS model, CTB-Locker is a threat to any organization, but tier 1 countries in Western Europe, North America and Australia are most commonly targeted, especially if they were known to have paid ransom fees in the past.
History: In operation since at least August 2020, DarkSide jumped into the public spotlight in May 2021 with the ransomware attack that crippled Colonial Pipeline.
How it works: DarkSide works on the RaaS model through an affiliate program. It uses the double-extortion threat of data encryption and data theft. It is typically deployed using manual hacking techniques.
DarkSide’s operators seem media savvy. They run a website where reporters can register to receive advance notice of breaches and other non-public information, and they promise fast replies to any media questions.
Targeted victims: The group behind DarkSide claims that it doesn’t attack medical facilities, COVID vaccine research and distribution companies, funeral services, non-profit organizations, educational institutions, or government organizations. After the Colonial Pipeline attack, the group issued a statement saying it would review its affiliates’ potential victims before they launched attacks.
Attribution: The DarkSide group is believed to operate from Russia and is likely made up of former affiliates of the REvil group.
History: DoppelPaymer first appeared in June 2019 and is still active and dangerous. In September 2020, it was used in what was widely reported as the first ransomware attack to contribute to a death, when a victimized German hospital was forced to send a patient to another facility.
How it works: The gang behind DoppelPaymer uses the unusual tactic of calling victims, using spoofed US-based phone numbers, to demand a ransom payment, which is typically around 50 bitcoins, or about $600,000 when it first appeared. They claimed to be from North Korea, and made the double threat of leaking or selling the stolen data. In some cases, they took it a step further by threatening employees at victimized companies with harm.
DoppelPaymer appears to be based on the BitPaymer ransomware, although it has some key differences, such as using threaded file encryption to speed up the encryption process. Also unlike BitPaymer, DoppelPaymer uses a tool called Process Hacker to terminate security, email server, backup and database processes and services, both to weaken defenses and to avoid having open file handles disrupt encryption.
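Two of the behaviours described on this page are detectable from ordinary Windows event logs: the sweep of network shares that Cerber performs (above, under Cerber) and the burst of stopped backup, database and security services that precedes DoppelPaymer’s encryption run. The following is an added example written for this article, not code from either ransomware family or from any vendor; it runs a sliding-window detection over constructed log lines in a simplified `timestamp|event_id|key=value` form. The event IDs follow the Windows convention (5140 for a network share access, 7036 for a service state change), but the field layout, service names, window sizes and thresholds are assumptions chosen for illustration and would need tuning to a real collector’s output.

```python
"""Added example: behaviour-based ransomware precursor detection over
constructed Windows event log lines.  Not code from the article or from any
ransomware family it describes; log format, service names and thresholds
are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log.  5140 = network share accessed, 7036 = service
# state change.  Field layout is simplified; real collectors emit more.
SAMPLE_LOG = r"""
2021-05-03T02:14:01|5140|host=WS-17 user=jsmith src=10.0.5.23 share=\\*\Finance
2021-05-03T02:14:02|5140|host=WS-17 user=jsmith src=10.0.5.23 share=\\*\HR
2021-05-03T02:14:02|5140|host=WS-17 user=jsmith src=10.0.5.23 share=\\*\Legal
2021-05-03T02:14:03|5140|host=WS-17 user=jsmith src=10.0.5.23 share=\\*\Backups
2021-05-03T02:14:03|5140|host=WS-17 user=jsmith src=10.0.5.23 share=\\*\Engineering
2021-05-03T02:14:04|5140|host=WS-17 user=jsmith src=10.0.5.23 share=\\*\IT
2021-05-03T02:20:00|5140|host=FS-01 user=asmith src=10.0.5.40 share=\\*\Finance
2021-05-03T02:31:10|7036|host=FS-01 service="Veeam Backup Service" state=stopped
2021-05-03T02:31:11|7036|host=FS-01 service="SQL Server (MSSQLSERVER)" state=stopped
2021-05-03T02:31:11|7036|host=FS-01 service="Windows Defender Antivirus Service" state=stopped
2021-05-03T02:31:12|7036|host=FS-01 service="Microsoft Exchange Transport" state=stopped
2021-05-03T09:00:00|7036|host=FS-01 service="Print Spooler" state=stopped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<eid>\d+)\|(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

# Services a ransomware operator kills before encrypting (assumed list).
SENSITIVE_SERVICE = re.compile(
    r"backup|veeam|acronis|sql|oracle|exchange|defender|antivirus|endpoint|vss",
    re.IGNORECASE)


def parse(log_text):
    """Turn the simplified log text into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not in the expected shape
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "eid": int(m.group("eid")), **fields})
    return events


def burst(events, key_fn, value_fn, window_s, threshold):
    """Sliding-window distinct-count: for each key (a host or source IP),
    count distinct values seen within `window_s` seconds.  Returns a dict of
    key -> sorted distinct values for every key that reached `threshold`."""
    windows = defaultdict(deque)  # key -> deque of (timestamp, value)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, value = key_fn(ev), value_fn(ev)
        if key is None or value is None:
            continue
        q = windows[key]
        q.append((ev["ts"], value))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop events that fell out of the window
        distinct = {v for _, v in q}
        if len(distinct) >= threshold:
            alerts[key] = sorted(distinct)  # latest view of the burst
    return alerts


def share_enumeration_alerts(events, window_s=60, threshold=5):
    """One source address touching many distinct shares in a short window,
    the pattern of a host sweeping shares it never mapped."""
    return burst([e for e in events if e["eid"] == 5140],
                 key_fn=lambda e: e.get("src"), value_fn=lambda e: e.get("share"),
                 window_s=window_s, threshold=threshold)


def service_kill_alerts(events, window_s=120, threshold=3):
    """Several protected services stopping on one host within a short window."""
    def sensitive(e):
        name = e.get("service", "")
        if e.get("state") == "stopped" and SENSITIVE_SERVICE.search(name):
            return name
        return None
    return burst([e for e in events if e["eid"] == 7036],
                 key_fn=lambda e: e.get("host"), value_fn=sensitive,
                 window_s=window_s, threshold=threshold)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, shares in share_enumeration_alerts(evs).items():
        print(f"[share-sweep] {src} touched {len(shares)} shares: {', '.join(shares)}")
    for host, svcs in service_kill_alerts(evs).items():
        print(f"[service-kill] {host} stopped {len(svcs)} protected services: {', '.join(svcs)}")
```

On the constructed sample, the first detector fires once for 10.0.5.23 (six shares in three seconds) and stays quiet for the single access from 10.0.5.40; the second fires for FS-01 because four protected services stop within two seconds, while the Print Spooler stop hours later matches no protected pattern and is ignored. The windowed distinct-count matters more than either list of names: an administrator rebooting a server stops the same services, but not usually four of them a second apart in the middle of the night alongside a share sweep from a workstation.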
Targeted victims: DoppelPaymer targets critical industries in healthcare, emergency services and education.
Attribution: Unclear, but some reports suggest that an offshoot of the group behind the Dridex Trojan, known as TA505, is responsible for DoppelPaymer.
History: Egregor appeared in September 2020 and is growing rapidly. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal.”
How it works: Egregor follows the “double extortion” trend of both encrypting data and threatening to leak sensitive information if the ransom is not paid. Its codebase is relatively sophisticated and able to avoid detection by using obfuscation and anti-analysis techniques.
Targeted victims: As of late November 2020, Egregor had victimized at least 71 organizations across 19 industries worldwide.
Attribution: Egregor’s rise coincides with the Maze ransomware gang shutting down its operations. Maze group affiliates appear to have moved on to Egregor. It is a variant of the Sekhmet ransomware family and is associated with the Qakbot malware.
History: FONIX is an RaaS offering that was first discovered in July 2020. It quickly went through a number of code revisions, but abruptly shut down in January 2021. The FONIX gang then released its master decryption key.
How it works: The FONIX gang advertised its services on cybercrime forums and the dark web. Purchasers of FONIX would send the gang an email address and password, and the gang would then send a customized ransomware payload back to the buyer. The FONIX gang took a 25% cut of any ransom fees paid.
Targeted victims: Since FONIX is RaaS, anyone could be a victim.
Attribution: An unknown cybercriminal gang.
History: GandCrab might be the most lucrative RaaS ever. Its developers claim more than $2 billion in victim payouts as of July 2019. GandCrab was first identified in January 2018.
How it works: GandCrab is an affiliate ransomware program for cybercriminals who pay its developers a portion of the ransom fees they collect. The malware is typically delivered through malicious Microsoft Office documents sent via phishing emails. Variations of GandCrab have exploited vulnerabilities in software such as Atlassian’s Confluence. In that case, the attackers use the flaw to inject a rogue template that enables remote code execution.
Targeted victims: GandCrab has infected systems globally across multiple industries, though it is designed to avoid systems in Russian-speaking regions.
Attribution: GandCrab has been tied to Russian national Igor Prokopenko.