CSO's guide to the worst and most notable ransomware

The ransomware gangs and their malware listed here have victimized millions of companies and caused billions of dollars in costs.

1 2 Page 2
Page 2 of 2

Targeted victims: Maze operates on a global scale across all industries.

Attribution: The people behind Maze are believed to be multiple criminal groups that share their specialties rather than a singular gang.


History: Active since 2019, Netwalker is another ransomware operation that uses the double threat of withholding decryption keys and selling or leaking stolen data. In late January 2021, however, the US Department of Justice announced a global action that disrupted the Netwalker operation. It's too early to know how long-lasting that disruption will be.

How it works: From a technical standpoint, Netwalker is relatively ordinary ransomware. It gains a foothold using phishing emails, encrypts and exfiltrates data, and sends a ransom demand. It's the second threat of exposing sensitive data that makes it more dangerous. It is known to have released stolen data by putting it in a password-protected fold on the dark web and then releasing the key publicly.

Targeted victims: Netwalker targets primarily healthcare and educational institutions.

Attribution: The Circus Spider gang is believed to have created Netwalker.


History: First appearing in 2016, NotPetya is actually data destroying malware, called a wiper, that masquerades as ransomware.

How it works: The NotPetya virus superficially resembles Petya in that it encrypts files and requests a ransom in Bitcoin. Petya requires the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya can spread without human intervention. The original infection vector appears to be via a backdoor planted in M.E.Doc, an accounting software package that's used by almost every company Ukraine. Having infected computers from Medoc’s servers, NotPetya used a variety of techniques to spread to other computers, including EternalBlue and EternalRomance. It can also take advantage of Mimikatz to find network administration credentials in the infected machine's memory, and then use the Windows PsExec and WMIC tools to remotely access and infect other computers on the local network.

Targeted victims: The attack primarily focused on Ukraine.

Attribution: The Sandworm group within Russia's GRU is believed to be responsible for NotPetya.


History: The name derives from a satellite that was part of the sinister plot in the 1995 James Bond film GoldenEye. A Twitter account suspected of belonging to the malware's author used a picture of actor Alan Cumming, who played the villain, as its avatar. The initial version of the Petya malware began to spread in March 2016.

How it works: Petya arrives on the victim's computer attached to an email purporting to be a job applicant's resume. It's a package with two files: a stock image of young man and an executable file, often with "PDF" somewhere in the file name. When the victim clicks on that file, a Windows User Access Control warning tells them that the executable is going to make changes to your computer. The malware loads once the victim accepts the change and then denies access by attacking low-level structures on the storage media.

Targeted victims: Any Windows system is a potential target, but Ukraine was hardest hit by the attack.

Attribution: Unknown


History: The PureLocker RaaS platform, discovered in 2019, targets enterprise production servers running Linux or Windows. It is written in the PureBasic language, hence its name.

How it works: PureLocker relies on the more_eggs backdoor malware to gain access rather than phishing attempts. Attackers target machines that have already been compromised and they understand. PureLocker then analyzes the machines and selectively encrypts data.

Targeted victims: Researchers believe that only a few criminal gangs can afford to pay for PureLocker, to its use is limited to high-value targets.

Attribution: The malware-as-a-service (MaaS) provider behind the more_eggs backdoor is likely responsible for PureLocker.


History: RobbinHood is another ransomware variant that uses EternalBlue. It brought the city of Baltimore, Maryland, to its knees in 2019.

How it works: The most unique feature about RobbinHood is in how its payload bypasses endpoint security. It has five parts: an executable that kills processes and files of security products, code to deploy a signed third-party driver and a malicious unsigned kernel driver, an outdated Authenticode-signed driver that has a vulnerability, a malicious driver to kill processes and delete files from the kernel space, and a text file with a list of applications to kill and delete.

The outdated, signed driver has a known bug that the malware uses to avoid detection and then install its own unsigned driver on Windows 7, Windows 8 and Windows 10.

Targeted victims: Local governments such as the cities of Baltimore and Greenville, North Carolina, seem to be hardest hit by RobbinHood.

Attribution: An unidentified criminal group


History: Ryuk first appeared in August 2018 but is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017.

How it works: It is often used in combination with other malware like TrickBot. The Ryuk gang is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

The Ryuk attackers demand high ransom payments from their victims, typically between 15 and 50 Bitcoins (roughly $100,000 to $500,000), although higher payments have reportedly been paid.

Targeted victims: Businesses, hospitals and government organizations—often those must vulnerable—are the most common Ryuk victims.

Attribution: First attributed to the North Korean Lazarus Group, which used Hermes in an attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, Ryuk is now believed to be the creation of a Russian-speaking cybercriminal group that obtained access to Hermes. The Ryuk gang, sometimes called Wizard Spider or Grim Spider, also operates TrickBot. Some researchers believe that Ryuk could be the creation of the original Hermes author or authors operating under the handle CryptoTech.


History: SamSam has been around since 2015 and targeted primarily healthcare organizations and ramped up significantly in the following years.

How it works: SamSam is an RaaS operation whose controllers probe pre-selected targets for weaknesses. It has exploited a range of vulnerabilities in everything from IIS to FTP to RDP. Once inside the system, the attackers escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.

Targeted victims: Hardest hit were US-based healthcare and government organizations including the Colorado Department of Transportation and the City of Atlanta.

Attribution: Initially believed by some to have an Eastern European origin, SamSam mostly targeted US institutions. In late 2018, the US Department of Justice indicted two Iranians that they claim were behind the attacks.


History: SimpleLocker, discovered in 2014, was the first widespread ransomware attack that focused on mobile devices, specifically Android devices.

How it works: SimpleLocker infects devices when the victim downloads a malicious app. The malware then scans the device’s SD card for certain file types and encrypts them. It then displays a screen demanding a ransom and instructions on how to pay.

Targeted victims: Since the ransom note is in Russian and asks for payment in Ukrainian currency, it is assumed that the attackers originally targeted that region.

Attribution: SimpleLocker is believed to have been written by the same hackers who developed other Russian malware such as SlemBunk and GM Bot.


History: Sodinokibi, also known as REvil, is another RaaS platform that first emerged in April 2019. Apparently related to GandCrab, it also has code that prevents it from executing in Russia and several adjacent countries, as well as Syria. It was responsible for shutting down more than 22 small Texas towns, and on New Year’s Eve 2019 it took down the UK currency exchange service Travelex.

How it works: Sodinokibi propagates in several ways, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN. It targets Microsoft Windows systems and encrypts all files except configuration files. Victims then receive a double threat if they don’t pay the ransom: They won’t get their data back and their sensitive data will be sold or published on underground forums.

Targeted victims: Sodinokibi has infected many different organizations globally outside the regions it excludes.

Attribution: Sodinokibi rose to prominence after GandCrab shut down. An alleged member of the group, using the handle Unknown, confirmed that the ransomware was built on top of an older codebase that the group acquired.


History: TeslaCrypt is a Windows ransomware Trojan first detected in 2015 that targets players of computer games. Several newer versions appeared in quick succession, but the developers shut down operations in May 2016 and released the master decryption key.

How it works: Once it infects a computer, typically after a victim visits a hacked website that runs an exploit kit, TeslaCrypt looks for and encrypts gaming files such as game saves, recorded replays and user profiles. It then demands a $500 fee in Bitcoin to decrypt the files.

Targeted victims: Computer gamers

Attribution: Unknown


History: The Thanos RaaS is relatively new, discovered in late 2019. It is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.

How it works: Advertised in underground forums and other closed channels, Thanos is a customized tool that its affiliates use to create ransomware payloads. Many of the features it offers are designed to evade detection. The Thanos developers have released multiple versions, adding capabilities such as disabling third-party backup, removal of Windows Defender signature files, and features to make forensics more difficult for response teams.

Targeted victims: As an RaaS platform, Thanos can victimize any organization.

Attribution: Unknown         


History: The WannaCry worm spread through computer networks rapidly in May 2017 thanks to the EternalBlue exploit developed by the US National Security Agency (NSA) and then stolen by hackers. It quickly infected millions of Windows computers.

How it works: WannaCry consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself including: 

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor 

Once launched, WannaCry tries to access a hard-coded URL. If it can't, it proceeds to search for and encrypt files in important formats, ranging from Microsoft Office files to MP3s and MKVs. It then displays a ransom notice demanding Bitcoin to decrypt the files.

Targeted victims: The WannaCry attack affected companies globally, but high-profile enterprises in healthcare, energy, transportation and communications were particularly hard hit.

Attribution: North Korea’s Lazarus Group is believed to be behind WannaCry.


History: One of the more recent to appear, the WastedLocker ransomware began victimizing organizations in May 2020. It is one of the more sophisticated examples of ransomware, and its creators are known for asking high ransom fees.

How it works: The malware uses a JavaScript-based attack framework calle SocGholish that is distributed in ZIP file form via a fake browser update that appear on legitimate but compromised websites. Once activated WastedLocker then downloads and executes PowerShell scripts and a backdoor called Cobalt Strike. The malware then explores the network and deploys "living off the land" tools to steal credentials and gain access to high-value systems. It then encrypts data using a combination of AES and RSA cryptography.

Targeted victims: WastedLocker focuses on high-value targets most likely to pay high ransoms, mainly in North America and Western Europe.

Attribution: A known criminal gang, Evil Corp, is responsible for WastedLocker. The group is also known for operating the Dridex malware and botnet.


History: Discovered in 2017, WYSIWYE (What You See Is What You Encrypt) is an RaaS platform that targets Windows systems.

How it works: scans the web for open Remote Desktop Protocol (RDP) servers. It then executes sign-in attempts using default or weak credentials to access systems and spread across the network. Criminals who purchase WYSIWYE services can choose what types of files to encrypt and whether to delete the original files after encryption.

Targeted victims: WYSIWYE attacks first appeared in Germany, Belgium, Sweden and Spain.

Attribution: Unknown


History: Zeppelin first appeared in November 2019 and is a descendent of Vega or VegasLocker RaaS offering that victimized accounting firms in Russia and Eastern Europe.

How it works: Zeppelin has more capabilities than its ancestors, especially when it comes to configurability. Zeppelin can be deployed in multiple ways, including as an EXE, a DLL, or a PowerShell loader, but it some of its attacks came via compromised managed security service providers.

Targeted victims: Zeppelin is much more targeted than Vega, which spread somewhat indiscriminately and mostly operated in the Russian-speaking world. Zeppelin is designed to not execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Most of its victims were healthcare and technology companies in North America and Europe.

Attribution: Security experts believe that a new threat actor, likely in Russia, is using Vega's codebase to develop Zeppelin.

Attribution: Unknown

Copyright © 2021 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Subscribe today! Get the best in cybersecurity, delivered to your inbox.