CSO's guide to the worst and most notable ransomware

The ransomware gangs and their malware listed here have victimized millions of companies and caused billions of dollars in costs.

1 2 3 Page 2
Page 2 of 3

How it works: Victims are usually sent an email with a Microsoft Word document purporting to be an invoice. That invoice contains malicious macro. Microsoft disables macros by default due to the security dangers. If macros are enabled, the document runs the macro, which downloads Locky. Dridex uses the same technique to steal account credentials.

Targeted victims: Early Locky attacks targeted hospitals, but subsequent campaigns were broad and untargeted.

Attribution: It's suspected that the cybercriminal group behind Locky is affiliated to one of those behind Dridex due to similarities between the two.


History: Maze is a relatively new ransomware group, discovered in May 2019. It is known for releasing stolen data to the public if the victim does not pay to decrypt it. The Maze group announced in September 2020 that it was closing its operations.

How it works: Maze attackers typically gain entry to networks remotely using valid credentials that might be guessed, default, or gained through phishing campaigns. The malware then scans the network using open-source tools to discover vulnerabilities and learn about the network. It then moves laterally throughout the network looking for more credentials that can be used for privilege escalation. Once it finds domain admin credentials, it can access and encrypt anything on the network.

Targeted victims: Maze operates on a global scale across all industries.

Attribution: The people behind Maze are believed to be multiple criminal groups that share their specialties rather than a singular gang. 

Mespinoza (a.k.a. PYSA)

History: First identified in 2019, the Mespinoza group has a reputation of being cocky and quirky. According to a report from Palo Alto Software's Unit 42, the gang refers to its victims as "partners" and provides advice to convince management to pay the ransom. Mespinoza uses its own tools with names like MagicSocks and HappyEnd.bat.

How it works: Despite its quirks, Mespinoza is quite disciplined in its approach according to Unit 42. The gang does its homework on potential victims to target those with the most valuable assets. Then they look for keywords such as SSN, driver license, or passport in documents to identify the most sensitive files. The attack uses RDP to gain network access and then use open-source and built-in system tools to move laterally and gather credentials. It installs malware called Gasket to create a backdoor. Gasket has a feature called MagicSocks that creates tunnels for remote access. The gang uses the double extortion approach that includes a threat of releasing sensitive data if the ransome is not paid.

Targeted victims: Mespinoza operates on a global scale and targets large enterprises across many industries. It recently attacked K-12 schools, universities and seminaries in the US and UK.

Attribution: Unknown


History: Active since 2019, Netwalker is another ransomware operation that uses the double threat of withholding decryption keys and selling or leaking stolen data. In late January 2021, however, the US Department of Justice announced a global action that disrupted the Netwalker operation. It's too early to know how long-lasting that disruption will be.

How it works: From a technical standpoint, Netwalker is relatively ordinary ransomware. It gains a foothold using phishing emails, encrypts and exfiltrates data, and sends a ransom demand. It's the second threat of exposing sensitive data that makes it more dangerous. It is known to have released stolen data by putting it in a password-protected fold on the dark web and then releasing the key publicly.

Targeted victims: Netwalker targets primarily healthcare and educational institutions.

Attribution: The Circus Spider gang is believed to have created Netwalker.


History: First appearing in 2016, NotPetya is actually data destroying malware, called a wiper, that masquerades as ransomware.

How it works: The NotPetya virus superficially resembles Petya in that it encrypts files and requests a ransom in Bitcoin. Petya requires the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya can spread without human intervention. The original infection vector appears to be via a backdoor planted in M.E.Doc, an accounting software package that's used by almost every company Ukraine. Having infected computers from Medoc’s servers, NotPetya used a variety of techniques to spread to other computers, including EternalBlue and EternalRomance. It can also take advantage of Mimikatz to find network administration credentials in the infected machine's memory, and then use the Windows PsExec and WMIC tools to remotely access and infect other computers on the local network.

Targeted victims: The attack primarily focused on Ukraine.

Attribution: The Sandworm group within Russia's GRU is believed to be responsible for NotPetya.


History: The name derives from a satellite that was part of the sinister plot in the 1995 James Bond film GoldenEye. A Twitter account suspected of belonging to the malware's author used a picture of actor Alan Cumming, who played the villain, as its avatar. The initial version of the Petya malware began to spread in March 2016.

How it works: Petya arrives on the victim's computer attached to an email purporting to be a job applicant's resume. It's a package with two files: a stock image of young man and an executable file, often with "PDF" somewhere in the file name. When the victim clicks on that file, a Windows User Access Control warning tells them that the executable is going to make changes to your computer. The malware loads once the victim accepts the change and then denies access by attacking low-level structures on the storage media.

Targeted victims: Any Windows system is a potential target, but Ukraine was hardest hit by the attack.

Attribution: Unknown


History: The PureLocker RaaS platform, discovered in 2019, targets enterprise production servers running Linux or Windows. It is written in the PureBasic language, hence its name.

How it works: PureLocker relies on the more_eggs backdoor malware to gain access rather than phishing attempts. Attackers target machines that have already been compromised and they understand. PureLocker then analyzes the machines and selectively encrypts data.

Targeted victims: Researchers believe that only a few criminal gangs can afford to pay for PureLocker, to its use is limited to high-value targets.

Attribution: The malware-as-a-service (MaaS) provider behind the more_eggs backdoor is likely responsible for PureLocker.


History: RobbinHood is another ransomware variant that uses EternalBlue. It brought the city of Baltimore, Maryland, to its knees in 2019.

How it works: The most unique feature about RobbinHood is in how its payload bypasses endpoint security. It has five parts: an executable that kills processes and files of security products, code to deploy a signed third-party driver and a malicious unsigned kernel driver, an outdated Authenticode-signed driver that has a vulnerability, a malicious driver to kill processes and delete files from the kernel space, and a text file with a list of applications to kill and delete.

The outdated, signed driver has a known bug that the malware uses to avoid detection and then install its own unsigned driver on Windows 7, Windows 8 and Windows 10.

Targeted victims: Local governments such as the cities of Baltimore and Greenville, North Carolina, seem to be hardest hit by RobbinHood.

Attribution: An unidentified criminal group


History: Ryuk first appeared in August 2018 but is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017.

How it works: It is often used in combination with other malware like TrickBot. The Ryuk gang is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

The Ryuk attackers demand high ransom payments from their victims, typically between 15 and 50 Bitcoins (roughly $100,000 to $500,000), although higher payments have reportedly been paid.

Targeted victims: Businesses, hospitals and government organizations—often those must vulnerable—are the most common Ryuk victims. 

Attribution: First attributed to the North Korean Lazarus Group, which used Hermes in an attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, Ryuk is now believed to be the creation of a Russian-speaking cybercriminal group that obtained access to Hermes. The Ryuk gang, sometimes called Wizard Spider or Grim Spider, also operates TrickBot. Some researchers believe that Ryuk could be the creation of the original Hermes author or authors operating under the handle CryptoTech.


History: SamSam has been around since 2015 and targeted primarily healthcare organizations and ramped up significantly in the following years.

How it works: SamSam is an RaaS operation whose controllers probe pre-selected targets for weaknesses. It has exploited a range of vulnerabilities in everything from IIS to FTP to RDP. Once inside the system, the attackers escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.

Targeted victims: Hardest hit were US-based healthcare and government organizations including the Colorado Department of Transportation and the City of Atlanta.

Attribution: Initially believed by some to have an Eastern European origin, SamSam mostly targeted US institutions. In late 2018, the US Department of Justice indicted two Iranians that they claim were behind the attacks.


History: SimpleLocker, discovered in 2014, was the first widespread ransomware attack that focused on mobile devices, specifically Android devices.

How it works: SimpleLocker infects devices when the victim downloads a malicious app. The malware then scans the device’s SD card for certain file types and encrypts them. It then displays a screen demanding a ransom and instructions on how to pay.

Targeted victims: Since the ransom note is in Russian and asks for payment in Ukrainian currency, it is assumed that the attackers originally targeted that region.

Attribution: SimpleLocker is believed to have been written by the same hackers who developed other Russian malware such as SlemBunk and GM Bot.


History: Sodinokibi, also known as REvil, is another RaaS platform that first emerged in April 2019. Apparently related to GandCrab, it also has code that prevents it from executing in Russia and several adjacent countries, as well as Syria. It was responsible for shutting down more than 22 small Texas towns, and on New Year’s Eve 2019 it took down the UK currency exchange service Travelex. Most recently, REvil ransomware was used in the attack on meat processing company JBS, temporarily disrupting meat supply in the US. It was also responsible for the attack on Kaseya, which supplies software to MSPs. Thousands of MSP customers were affected. Shortly after the Kaseya attack, REvil's websites disappeared from the internet.

How it works: Sodinokibi propagates in several ways, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN. It targets Microsoft Windows systems and encrypts all files except configuration files. Victims then receive a double threat if they don’t pay the ransom: They won’t get their data back and their sensitive data will be sold or published on underground forums.

Targeted victims: Sodinokibi has infected many different organizations globally outside the regions it excludes.

Attribution: Sodinokibi rose to prominence after GandCrab shut down. An alleged member of the group, using the handle Unknown, confirmed that the ransomware was built on top of an older codebase that the group acquired.


History: TeslaCrypt is a Windows ransomware Trojan first detected in 2015 that targets players of computer games. Several newer versions appeared in quick succession, but the developers shut down operations in May 2016 and released the master decryption key.

How it works: Once it infects a computer, typically after a victim visits a hacked website that runs an exploit kit, TeslaCrypt looks for and encrypts gaming files such as game saves, recorded replays and user profiles. It then demands a $500 fee in Bitcoin to decrypt the files.

Targeted victims: Computer gamers

Attribution: Unknown


History: The Thanos RaaS is relatively new, discovered in late 2019. It is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.

How it works: Advertised in underground forums and other closed channels, Thanos is a customized tool that its affiliates use to create ransomware payloads. Many of the features it offers are designed to evade detection. The Thanos developers have released multiple versions, adding capabilities such as disabling third-party backup, removal of Windows Defender signature files, and features to make forensics more difficult for response teams.

Targeted victims: As an RaaS platform, Thanos can victimize any organization.

Attribution: Unknown         


History: The WannaCry worm spread through computer networks rapidly in May 2017 thanks to the EternalBlue exploit developed by the US National Security Agency (NSA) and then stolen by hackers. It quickly infected millions of Windows computers.

How it works: WannaCry consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself including: 

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor 
1 2 3 Page 2
Page 2 of 3
How to choose a SIEM solution: 11 key features and considerations