CSO's guide to the worst and most notable ransomware

The ransomware gangs and their malware listed here have victimized millions of companies and caused billions of dollars in costs.

Page 3 of 3

Once launched, WannaCry tries to access a hard-coded URL. If it can't, it proceeds to search for and encrypt files in important formats, ranging from Microsoft Office files to MP3s and MKVs. It then displays a ransom notice demanding Bitcoin to decrypt the files.

Targeted victims: The WannaCry attack affected companies globally, but high-profile enterprises in healthcare, energy, transportation and communications were particularly hard hit.

Attribution: North Korea’s Lazarus Group is believed to be behind WannaCry.


History: One of the more recent to appear, the WastedLocker ransomware began victimizing organizations in May 2020. It is one of the more sophisticated examples of ransomware, and its creators are known for asking high ransom fees.

How it works: The malware uses a JavaScript-based attack framework called SocGholish that is distributed in ZIP file form via a fake browser update that appears on legitimate but compromised websites. Once activated, WastedLocker downloads and executes PowerShell scripts and a backdoor called Cobalt Strike. The malware then explores the network and deploys "living off the land" tools to steal credentials and gain access to high-value systems. It then encrypts data using a combination of AES and RSA cryptography.

Targeted victims: WastedLocker focuses on high-value targets most likely to pay high ransoms, mainly in North America and Western Europe.

Attribution: A known criminal gang, Evil Corp, is responsible for WastedLocker. The group is also known for operating the Dridex malware and botnet.


History: Discovered in 2017, WYSIWYE (What You See Is What You Encrypt) is an RaaS platform that targets Windows systems.

How it works: WYSIWYE scans the web for open Remote Desktop Protocol (RDP) servers. It then executes sign-in attempts using default or weak credentials to access systems and spread across the network. Criminals who purchase WYSIWYE services can choose what types of files to encrypt and whether to delete the original files after encryption.

Targeted victims: WYSIWYE attacks first appeared in Germany, Belgium, Sweden and Spain.

Attribution: Unknown
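
An added illustration, not part of the original article: a defender's check for the sign-in guessing pattern described above, run over constructed, simplified Windows logon events. The field names, threshold, time window and sample addresses are all assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 4625 = failed logon, 4624 = successful logon. LogonType 10 is RDP
# (RemoteInteractive); with NLA enabled, failures are logged as type 3.
RDP_LOGON_TYPES = {3, 10}

def _ev(sec, event_id, ip, user, logon_type=10):
    """Build one constructed, simplified logon event (assumed field names)."""
    return {"time": datetime(2021, 1, 1, 3, 0) + timedelta(seconds=sec),
            "event_id": event_id, "ip": ip, "user": user,
            "logon_type": logon_type}

# Constructed sample: one source guessing common account names and then
# getting in, plus one ordinary user who mistypes a password once.
EVENTS = (
    [_ev(i * 5, 4625, "203.0.113.7", u) for i, u in enumerate(
        ["administrator", "admin", "administrator", "user", "test", "admin"])]
    + [_ev(40, 4624, "203.0.113.7", "admin")]
    + [_ev(10, 4625, "198.51.100.20", "alice"),
       _ev(25, 4624, "198.51.100.20", "alice")]
)

def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed RDP logons inside the window.

    Returns {ip: {"failures", "users", "success_after"}}; success_after is the
    first account that logged on from that IP after it was flagged, which
    marks the case to triage first.
    """
    recent = defaultdict(deque)   # per-IP sliding window of failed logons
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append(ev)
            while ev["time"] - q[0]["time"] > window:
                q.popleft()       # drop failures older than the window
            if len(q) >= threshold:
                hit = flagged.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": None})
                hit["failures"] = max(hit["failures"], len(q))
                hit["users"].update(e["user"] for e in q)
        elif ev["event_id"] == 4624 and ip in flagged:
            if flagged[ip]["success_after"] is None:
                flagged[ip]["success_after"] = ev["user"]
    return flagged

if __name__ == "__main__":
    print(find_rdp_guessing(EVENTS))
```

A flagged source with a non-empty `success_after` is the one to investigate first, since a successful logon after a run of failures suggests a guessed credential.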


History: Zeppelin first appeared in November 2019 and is a descendant of the Vega or VegasLocker RaaS offering that victimized accounting firms in Russia and Eastern Europe.

How it works: Zeppelin has more capabilities than its ancestors, especially when it comes to configurability. Zeppelin can be deployed in multiple ways, including as an EXE, a DLL, or a PowerShell loader, but some of its attacks came via compromised managed security service providers.

Targeted victims: Zeppelin is much more targeted than Vega, which spread somewhat indiscriminately and mostly operated in the Russian-speaking world. Zeppelin is designed to not execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Most of its victims were healthcare and technology companies in North America and Europe.

Attribution: Security experts believe that a new threat actor, likely in Russia, is using Vega's codebase to develop Zeppelin.

Attribution: Unknown

Editor's note: This article, originally published on February 16, 2021, has been updated to include the DarkSide group and a reference to the use of Conti in the Colonial Pipeline attack. It has also been updated with new information on the REvil and Mespinoza groups.

Copyright © 2021 IDG Communications, Inc.
