The worst and most notable ransomware: A quick guide for security pros

The ransomware gangs and their malware listed here have victimized millions of companies and caused billions of dollars in costs.

[Image: a masked criminal ransoms data for payment. Credit: Mikkel William / Getty Images]

Ransomware has a long history, dating back to the late 1980s. Today, it’s generating billions of dollars in revenue for the criminal groups behind it. Victims incur recovery costs even if they pay the ransom. Sophos reports that the average cost of a ransomware attack in 2020 was nearly $1.5 million for victim organizations that paid ransoms and about $732,000 for those that didn’t.

Given the financial benefit to attackers, it’s no surprise that ransomware gangs and malware have proliferated. The number of ransomware threat actors—those capable of developing and delivering code—is likely in the hundreds. That’s not including so-called “affiliates” who buy ransomware-as-a-service (RaaS) offerings from some of these threat actors.

Below is a list of key ransomware malware and groups, selected for inclusion based on their impact or innovative features. It isn't, and isn't intended to be, an exhaustive list. While some of these ransomware groups are no longer active, that’s no guarantee they won’t reappear bigger and badder someday, as is too often the case.

Cerber

History: Cerber is an RaaS platform that first appeared in 2016, netting attackers $200,000 in July of that year.

How it works: Cerber took advantage of a Microsoft vulnerability to infect networks. It functions similarly to other ransomware threats. It encrypts files with the AES-256 algorithm and targets dozens of file types, including documents, pictures, audio files, videos, archives and backups. It can also scan for and encrypt available network shares even if they are not mapped to a drive letter on the computer. Cerber then drops three files on the victim's desktop that contain the ransom demand and instructions on how to pay it.

Targeted victims: As an RaaS platform, Cerber is a threat to anyone.

Attribution: Cerber's creators sell the platform on a private Russian-language forum.

Conti

History: First appearing in May 2020, the Conti RaaS platform is considered the successor to the Ryuk ransomware. As of January 2021, Conti is believed to have infected over 150 organizations and earned millions of dollars for its criminal developers and their affiliates. At least three new versions have been found since its inception.

How it works: Conti uses the double threat of withholding the decryption key and selling or leaking sensitive data of its victims. In fact, it runs a website, Conti News, where it lists its victims and publishes stolen data. Once the malware infects a system, it spends time moving laterally to gain access to more sensitive systems. Conti is known to encrypt files quickly through its use of multithreading.

Targeted victims: As a RaaS operation, Conti is a threat to anyone, although a round of infections in January 2021 seemed to target government organizations. The Wizard Spider group is believed to have used Conti in its ransomware attack on Ireland's national health service and at least 16 US-based healthcare and emergency networks.

Attribution: Conti is the work of a single gang whose members remain unidentified.

CryptoLocker

History: First discovered in a 2013 attack, CryptoLocker launched the modern ransomware age and infected up to 500,000 Windows machines at its height. It is also known as TorrentLocker. In July 2014, the US Department of Justice declared it had “neutralized” CryptoLocker.

How it works: CryptoLocker is a Trojan that searches infected computers for files to encrypt, including any internal or network-connected storage devices. It typically is delivered through phishing emails with file attachments that contain malicious links. A downloader is activated once the file is opened, infecting the computer.

Targeted victims: CryptoLocker did not seem to target any specific entity.

Attribution: CryptoLocker was created by members of the criminal gang that developed Gameover Zeus, a banking Trojan.

CryptoWall

History: CryptoWall, also known as CryptoBit or CryptoDefense, first appeared in 2014 and became popular after the original CryptoLocker shut down. It has gone through several revisions.

How it works: CryptoWall is distributed via spam or exploit kits. Its developers appear to avoid sophisticated techniques in favor of a simple but effective classic ransomware approach. In its first six months of operation, it infected 625,000 computers.

Targeted victims: This ransomware has victimized tens of thousands of organizations of all types worldwide but avoids Russian-speaking countries.

Attribution: The CryptoWall developer is likely a criminal gang operating from a Russian-speaking country. CryptoWall 3.0 detects whether it is running on a computer in Belarus, Ukraine, Russia, Kazakhstan, Armenia or Serbia and, if so, uninstalls itself.

CTB-Locker

History: First reported in 2014, CTB-Locker is another RaaS offering known for its high infection rate. In 2016, a new version of CTB-Locker targeted web servers.

How it works: Affiliates pay a monthly fee to the CTB-Locker developers for access to the hosted ransomware code. The ransomware uses elliptic curve cryptography to encrypt data. It is also known for its multi-lingual capabilities, which increase the global pool of potential victims.

Targeted victims: Given its RaaS model, CTB-Locker is a threat to any organization, but tier 1 countries in Western Europe, North America and Australia are most commonly targeted, especially if they were known to have paid ransom fees in the past.

DarkSide

History: In operation since at least August 2020, DarkSide jumped into the public spotlight in May 2021 with the ransomware attack that crippled Colonial Pipeline.

How it works: DarkSide works on the RaaS model through an affiliate program. It uses the double-extortion threat of data encryption and data theft. It is typically deployed using manual hacking techniques.

DarkSide's operators seem media savvy. They run a website where reporters can register to receive advance information about breaches and other non-public information, and they promise fast replies to any media questions.

Targeted victims: The group behind DarkSide claims that it doesn't attack medical facilities, COVID vaccine research and distribution companies, funeral services, non-profit organizations, educational institutions, or government organizations. After the Colonial Pipeline attack, the group issued a statement saying it would review its affiliates' potential victims before they launched attacks.

Attribution: The DarkSide group is believed to operate from Russia, and its members are likely former affiliates of the REvil group.

DoppelPaymer

History: DoppelPaymer first appeared in June 2019 and is still active and dangerous. The US FBI's Cyber Division issued a warning about it in December 2020. In September 2020, it was used in the first ransomware attack that resulted in a death, when a victimized German hospital was forced to send a patient to another facility.

How it works: The gang behind DoppelPaymer uses the unusual tactic of calling victims, using spoofed US-based phone numbers, to demand a ransom payment, which is typically around 50 bitcoins, or about $600,000 when it first appeared. They claimed to be from North Korea, and made the double threat of leaking or selling the stolen data. In some cases, they took it a step further by threatening employees at victimized companies with harm.

DoppelPaymer appears to be based on the BitPaymer ransomware, although it has some key differences such as using threaded file encryption for a better encryption rate. Also unlike BitPaymer, DoppelPaymer uses a tool called Process Hacker to terminate security, email server, backup and database processes and services to weaken defenses and avoid disrupting the encryption process.
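Killing security, mail, backup and database processes in bulk before encryption is itself a signal defenders can alert on. The block below is an added example, not code from the article or from any product: a small Python heuristic run over constructed process-termination log lines that flags an actor process which terminates several watched processes in one short burst. The pipe-delimited log format, the process names on the watchlist, the 60-second window and the threshold of three distinct targets are all assumptions chosen for illustration.

```python
"""Flag a process that kills several security, mail, backup or database
processes in a short burst, the behaviour the article attributes to
DoppelPaymer's use of Process Hacker.

Added example, not code from the article or from any vendor tool. The log
format, process names, window and threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Processes (lower-case image names) that should rarely be terminated in bulk,
# tagged with an assumed category for the alert summary.
WATCHLIST: Dict[str, str] = {
    "msmpeng.exe": "security",
    "msexchangeis.exe": "mail",
    "veeamagent.exe": "backup",
    "sqlservr.exe": "database",
    "oracle.exe": "database",
    "mysqld.exe": "database",
}

WINDOW = timedelta(seconds=60)  # burst window (assumption)
THRESHOLD = 3                   # distinct watched targets that trigger an alert

# Constructed sample feed: "timestamp | actor image | action | target image".
SAMPLE_LOG = """\
2021-03-01T02:14:03Z | C:\\Windows\\explorer.exe | terminate | notepad.exe
2021-03-01T02:15:10Z | C:\\Users\\svc\\AppData\\Local\\Temp\\ph.exe | terminate | MsMpEng.exe
2021-03-01T02:15:11Z | C:\\Users\\svc\\AppData\\Local\\Temp\\ph.exe | terminate | sqlservr.exe
2021-03-01T02:15:11Z | C:\\Users\\svc\\AppData\\Local\\Temp\\ph.exe | terminate | sqlservr.exe
2021-03-01T02:15:12Z | C:\\Users\\svc\\AppData\\Local\\Temp\\ph.exe | terminate | MSExchangeIS.exe
2021-03-01T02:15:13Z | C:\\Users\\svc\\AppData\\Local\\Temp\\ph.exe | terminate | VeeamAgent.exe
2021-03-01T02:15:14Z | C:\\Users\\svc\\AppData\\Local\\Temp\\ph.exe | terminate | oracle.exe
2021-03-01T02:40:00Z | C:\\Windows\\System32\\taskmgr.exe | terminate | chrome.exe
2021-03-01T03:05:00Z | C:\\Windows\\System32\\services.exe | stop | MsMpEng.exe
2021-03-01T09:00:00Z | C:\\Windows\\System32\\taskmgr.exe | terminate | mysqld.exe
2021-03-01T11:00:00Z | C:\\Windows\\System32\\taskmgr.exe | terminate | oracle.exe
"""


def parse_line(line: str) -> dict:
    """Split one pipe-delimited record into typed fields."""
    ts, actor, action, target = (field.strip() for field in line.split("|"))
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "actor": actor,
        "action": action.lower(),
        "target": target.lower(),
    }


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_mass_termination(events: List[dict], window: timedelta = WINDOW,
                            threshold: int = THRESHOLD) -> List[dict]:
    """Return one alert per actor whose densest burst terminates at least
    `threshold` distinct watched processes within `window`. Repeated kills
    of the same target count once, so a service crash-looping under a
    legitimate supervisor does not inflate the score."""
    by_actor: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["action"] == "terminate" and ev["target"] in WATCHLIST:
            by_actor[ev["actor"]].append(ev)

    alerts: List[dict] = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best: List[dict] = []
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            if len({e["target"] for e in burst}) > len({e["target"] for e in best}):
                best = burst
        targets = sorted({e["target"] for e in best})
        if len(targets) >= threshold:
            alerts.append({
                "actor": actor,
                "first_seen": best[0]["ts"],
                "last_seen": best[-1]["ts"],
                "targets": targets,
                "categories": sorted({WATCHLIST[t] for t in targets}),
            })
    return alerts


def scan_sample() -> List[dict]:
    """Run the detector over the constructed feed."""
    return detect_mass_termination(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"ALERT {alert['actor']} killed {len(alert['targets'])} watched "
              f"processes ({', '.join(alert['categories'])}) between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

On the sample feed only the temporary-directory binary trips the rule: it kills five distinct watched processes in four seconds, while the two database kills from Task Manager hours apart and the service stop via services.exe stay below the bar. In production the watchlist would be built from the organisation's own EDR, mail, backup and database image names, and the actor path and signing status of the killing process would be added to the alert context.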

Targeted victims: DoppelPaymer targets critical industries in healthcare, emergency services and education.

Attribution: Unclear, but some reports suggest that an offshoot of the group behind the Dridex Trojan, known as TA505, is responsible for DoppelPaymer.

Egregor

History: Egregor appeared in September 2020 and is growing rapidly. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal.” On February 9, 2021, a joint operation by US, Ukrainian and French authorities arrested a number of Egregor group members and affiliates and took their website offline.

How it works: Egregor follows the “double extortion” trend of both encrypting data and threatening to leak sensitive information if the ransom is not paid. Its codebase is relatively sophisticated and able to avoid detection by using obfuscation and anti-analysis techniques. 

Targeted victims: As of late November, Egregor victimized at least 71 organizations across 19 industries worldwide.

Attribution: Egregor’s rise coincides with the Maze ransomware gang shutting down its operations. Maze group affiliates appear to have moved on to Egregor. It is a variant of the Sekhmet ransomware family and is associated with the Qakbot malware.

FONIX

History: FONIX is an RaaS offering that was first discovered in July 2020. It quickly went through a number of code revisions, but abruptly shut down in January 2021. The FONIX gang then released its master decryption key.

How it works: The FONIX gang advertised its services on cybercrime forums and the dark web. Purchasers of FONIX would send the gang an email address and password, and the gang would then send the customized ransomware payload to the buyer. The FONIX gang took a 25% cut of any ransom fees paid.

Targeted victims: Since FONIX is RaaS, anyone could be a victim.

Attribution: An unknown cybercriminal gang.

GandCrab

History: GandCrab might be the most lucrative RaaS ever. Its developers claim more than $2 billion in victim payouts as of July 2019. GandCrab was first identified in January 2018.

How it works: GandCrab is an affiliate ransomware program for cybercriminals who pay its developers a portion of the ransom fees they collect. The malware is typically delivered through malicious Microsoft Office documents sent via phishing emails. Variations of GandCrab have exploited vulnerabilities in software such as Atlassian’s Confluence. In that case, the attackers use the flaw to inject a rogue template that enables remote code execution.

Targeted victims: GandCrab has infected systems globally across multiple industries, though it is designed to avoid systems in Russian-speaking regions.

Attribution: GandCrab has been tied to Russian national Igor Prokopenko.

GoldenEye

History: First seen in 2016, GoldenEye appears to be based on the Petya ransomware.

How it works: GoldenEye was initially spread through a campaign targeting human resources departments with fake cover letters and resumes. Once its payload infects a computer, it executes a macro that encrypts files on the computer, adding a random 8-character extension to the end of each file name. The ransomware then overwrites the computer’s hard drive master boot record with a custom boot loader.

Targeted victims: GoldenEye first targeted German-speaking users in its phishing emails.

Attribution: Unknown.

Grief

History: The Grief ransomware, also known as "Pay or Grief", is considered the successor of DoppelPaymer and appeared in May 2021. Between May and October, the group claimed to have compromised 41 companies and other organizations, the majority of them in Europe and the U.K. It's estimated that the group made over $11 million in that time frame. In late October, the group claimed it compromised the US National Rifle Association (NRA) and stole data that it held for ransom.

How it works: Grief is an RaaS operation working with affiliates who perform the intrusions and installation of the ransomware program in exchange for a commission from the ransom payment. The group engages in double extortion by stealing data from compromised organizations and threatening to release it if the victim doesn't pay. Grief maintains a leak site where it publishes information about the victims and more recently, it has started warning victims that if they contact law enforcement, ransomware negotiators or data recovery specialists, they will wipe the systems they have access to, leaving victims unable to recover their files even if they're willing to pay for the decryption key.

The code differences between DoppelPaymer and Grief are minor. The embedded ProcessHacker binaries, which DoppelPaymer used to terminate various processes, have been removed and the RC4 key used in the encryption routine has been increased from 40 to 48 bytes. Otherwise, the encryption algorithms remain the same: 2048-bit RSA and 256-bit AES.

Targeted victims: Grief has compromised various manufacturers, pharmacies, food services and hospitality providers, educational institutions, as well as municipalities and at least one government district. The group has not published on its leak site the identities of all the victims it claims to have made.

Attribution: The Grief ransomware is believed to be operated by Evil Corp, a cybercriminal group previously known for running the Dridex botnet as well as the WastedLocker and DoppelPaymer ransomware operations. Evil Corp is one of the cybercriminal groups on the Department of Treasury's sanctions list and two individuals associated with it are on the FBI's most wanted list.

Jigsaw

History: Jigsaw first appeared in 2016, but researchers released a decryption tool shortly after its discovery.

Page 1 of 3