Common Ransomware Types

Ransomware is a huge and growing problem for businesses, and organizations of all sizes need to devote considerable resources to preventing infections or recovering their data if they fall victim to a ransomware attack. It’s a problem that shows no signs of going away. That’s because ransomware is easy to produce, difficult to defend against, and a lucrative criminal activity.

What are the most popular types of ransomware now?

While some ransomware variants are very prevalent, the growth of ransomware-as-a-service (RaaS) offerings that allow customization has steeply increased the overall number of possible variations. Some of the most “popular” variants at the time of writing include:
• Dharma/CrySIS and now Phobos, a variant of Dharma
• RYUK
• LockerGoga
• Sodinokibi
• MAZE

The above variants have been seen collaborating with other malware families such as:
• Emotet
• Trickbot
• Dridex

Common Ransomware Types

Some additional common ransomware variants seen historically are listed below. They are constantly being reprogrammed and often copied into different variants to mislead and slow down response:

Bad Rabbit: A strain of ransomware that has infected organizations in Russia and Eastern Europe. Bad Rabbit spreads through a fake Adobe Flash update on compromised websites. When the ransomware infects a machine, users are directed to a payment page demanding a certain bitcoin amount.

Cerber: Cerber targets cloud-based Office 365 users globally, using an elaborate phishing campaign. Typically, the victim receives an email with an infected Microsoft Office document attached. Once opened, Cerber encrypts the files of infected users and demands money in exchange for restoring access to their files.

CryptoLocker: CryptoLocker is ransomware targeting Microsoft Windows devices. The malware selectively encrypts data, making it impossible for users to access files. Once encrypted, data is held ransom by the attacker, who holds the encryption key. The victim must pay a ransom within 72 hours to get files back from CryptoLocker. Regarded as the most prolific type of ransomware, CryptoLocker has since become a blueprint for other types of ransomware attacks.

CryptoWall: CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early 2014, and variants have appeared with a variety of names, including CryptoBit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. Like CryptoLocker, CryptoWall is distributed via spam or via emails with ZIP attachments where the virus is hidden as PDF files. The PDF files often disguise themselves as bills, purchase orders, invoices, etc. When victims open the malicious PDF files, they infect the computer.

CrySIS/Dharma: Dharma is a family of ransomware that has been evolving since 2016. CrySIS ransomware targets Windows systems, and this family primarily targets businesses. It uses several methods of distribution:

  • It’s typically spread via emails containing attachments with a double file extension.
  • CrySIS can also arrive disguised as installation files for legitimate software.
  • CrySIS/Dharma can also be delivered manually in targeted attacks by exploiting leaked or weak RDP credentials.

Once CrySIS has completed its encryption routine, it leaves a ransom note on the desktop for the victim. The ransom demand is 1 Bitcoin or more.
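The double-extension attachments described above can be caught at the mail gateway from the filename alone. The following is an added example, not code from Cytelligence; the extension lists, function names and sample filenames are assumptions constructed for illustration.

```python
import re

# Assumed policy lists (not from the page): final extensions that execute on
# Windows, and "decoy" extensions that make a file look like a document.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
              "vbe", "wsf", "hta", "lnk", "ps1", "msi", "jar"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
         "jpg", "jpeg", "png", "gif", "zip", "csv", "htm", "html"}


def normalize(name: str) -> str:
    """Reduce an attachment name to the form Windows would act on."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # strip any path
    name = re.sub(r"\s+", " ", name)                   # collapse padding runs
    return name.rstrip(" .").lower()                   # trailing dots/spaces are ignored


def double_extension(name: str):
    """Return (decoy_ext, real_ext) when a document-like name is executable."""
    parts = [p.strip() for p in normalize(name).split(".")]
    if len(parts) < 3 or parts[-1] not in EXECUTABLE:
        return None
    # Any earlier dotted component that looks like a document type is a decoy.
    for ext in reversed(parts[1:-1]):
        if ext in DECOY:
            return ext, parts[-1]
    return None


def flag_attachments(names):
    """Return {filename: (decoy_ext, real_ext)} for names worth quarantining."""
    hits = {}
    for n in names:
        verdict = double_extension(n)
        if verdict:
            hits[n] = verdict
    return hits


# Constructed sample attachment names, not taken from a real campaign.
SAMPLES = ["Invoice_2020.pdf.exe", "scan.jpg        .SCR ", "report.v2.pdf",
           "setup.exe", "jquery.min.js", "notes.txt.backup.vbs"]

if __name__ == "__main__":
    for name, (decoy, real) in flag_attachments(SAMPLES).items():
        print(f"QUARANTINE {name!r}: looks like .{decoy}, runs as .{real}")
```

Names with a single executable extension, such as `setup.exe`, are deliberately left to the gateway's ordinary attachment policy; this check only covers the disguise.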

CTB-Locker: The criminals behind CTB-Locker take a different approach to malware distribution. The hackers outsource the infection process to partners in exchange for a cut of the profits. This is a proven strategy for achieving large volumes of malware infections at a faster rate.

GoldenEye: GoldenEye is like the prolific Petya ransomware. Hackers spread GoldenEye ransomware through a massive campaign targeting human resources departments. After the file is downloaded, a macro is launched which encrypts files on the computer. For each file it encrypts, GoldenEye adds a random 8-character extension at the end. The ransomware then also modifies the user’s hard drive MBR (Master Boot Record) with a custom boot loader.

Jigsaw: Named after the character that appears on the ransomware note, Jigsaw encrypts and progressively deletes files until a ransom is paid. Setting a timer, the ransomware deletes a single file after the first hour, then deletes more and more per hour until the 72-hour mark, when all remaining files are deleted.

LockerGoga: The new kid on the block, having just been reported in January 2019, LockerGoga is still a bit of a mystery. From what we’ve seen, LockerGoga behaves much like any other ransomware, encrypting files on an infected machine and displaying a message warning the victim that only the attackers have the key to unlock the files. The only way to get the key is to pay a ransom in Bitcoin.

Locky: Don’t let its cheery name fool you: Locky’s approach is like that of many other types of ransomware. The malware is spread in an email message disguised as an invoice. When opened, the invoice is scrambled, and the victim is instructed to enable macros to read the document.

Petya: Discovered in March 2016, Petya took down several companies globally in June 2017. Unlike some other types of ransomware, Petya encrypts the entire computer system: it overwrites the master boot record, rendering the operating system unbootable.

Spider: A form of ransomware spread via spam emails across Europe. Spider ransomware is hidden in Microsoft Word documents that install the malware on a victim’s computer when downloaded. The Word document, which is disguised as a debt collection notice, contains malicious macros. When these macros are executed, the ransomware begins to download and encrypt the victim’s data. The Spider ransomware is unique in that victims are given a 96-hour deadline to pay. Attackers also attempt to calm victims by assuring them the ransom payment and file recovery process will be “really easy.” Attackers go one step further and provide a link to a video tutorial on how the Spider ransomware payment and file recovery process works.

WannaCry: WannaCry is a widespread ransomware campaign that affected organizations across the globe. The ransomware has hit over 125,000 organizations in over 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue. Still very much active, like its name – you will want to cry if you are infected.

ZCryptor: ZCryptor is a self-propagating malware strain that exhibits worm-like behavior, encrypting files and infecting external drives and flash drives so it can be distributed to other computers.

The Cytelligence Advantage

Today’s ransomware, ransomware programmers and threat actors are innovating at a rapid pace. Going beyond simple file encryption, ransomware increasingly leverages unknown variants and file-less techniques.

At Cytelligence, our team of experts understands the attacker mentality and can help your organization avoid disruption, help you recover with our extended on-site incident experts, minimize possible liabilities and ensure downtime and future costs are kept to a minimum. You need cybersecurity experts who have a track record of dealing with thousands of similar incidents working alongside your team to get you back to business. Contact us today to learn how you can be ready.
