CSO's guide to the worst and most notable ransomware

The ransomware gangs and their malware listed here have victimized millions of companies and caused billions of dollars in costs.

Ransomware has a long history, dating back to the late 1980s. Today, it’s generating billions of dollars in revenue for the criminal groups behind it. Victims incur recovery costs even if they pay the ransom. Sophos reports that the average cost of a ransomware attack in 2020 was nearly $1.5 million for victim organizations that paid ransoms and about $732,000 for those that didn’t.

Given the financial benefit to attackers, it’s no surprise that ransomware gangs and malware have proliferated. The number of ransomware threat actors—those capable of developing and delivering code—is likely in the hundreds. That’s not including so-called “affiliates” who buy ransomware-as-a-service (RaaS) offerings from some of these threat actors.

Below is a list of key ransomware malware and groups, selected for inclusion based on their impact or innovative features. It isn't, and isn't intended to be, an exhaustive list. While some of these ransomware groups are no longer active, that’s no guarantee they won’t reappear bigger and badder someday, as is too often the case.

Cerber 

History: Cerber is an RaaS platform that first appeared in 2016, netting attackers $200,000 in July of that year.

How it works: Cerber took advantage of a Microsoft vulnerability to infect networks. It functions similarly to other ransomware threats. It encrypts files with AES-256 algorithm and targets dozens of file types, including documents, pictures, audio files, videos, archives and backups. It can also scan for and encrypt available network shares even if they are not mapped to a drive letter in the computer. Cerber then drops three files on the victim's desktop that contain the ransom demand and instructions on how to pay it.

Targeted victims: As an RaaS platform, Cerber is a threat to anyone.

Attribution: Cerber's creators sell the platform on a private Russian-language forum.

Conti

History: First appearing in May 2020, the Conti RaaS platform is considered the successor to the Ryuk ransomware. As of January 2021, Conti is believed to have infected over 150 organizations and earned millions of dollars for its criminal developers and their affiliates. At least three new versions have been found since its inception.

How it works: Conti uses the double threat of withholding the decryption key and selling or leaking sensitive data of its victims. In fact, it runs a website, Conti News, where it lists its victims and publishes stolen data. Once the malware infects a system, it spends time moving laterally to gain access to more sensitive systems. Conti is known to encrypt files quickly through its use of multithreading.

Targeted victims: As a RaaS operation, Conti is a threat to anyone, although a round of infections in January 2021 seemed to target government organizations. The Wizard Spider group is believed to have used Conti in its ransomware attack on Ireland's national health service and at least 16 US-based healthcare and emergency networks.

Attribution: Conti is the work of a single gang whose members remain unidentified.

CryptoLocker

History: First discovered in 2013 attack, CryptoLocker launched the modern ransomware age and infected up to 500,000 Windows machines at its height. It is also known as TorrentLocker. In July 2014, the US Department of Justice declared it had “neutralized” CryptoLocker.

How it works: CryptoLocker is a Trojan that searches infected computers for files to encrypt, including any internal or network-connected storage devices. It typically is delivered through phishing emails with file attachments that contain malicious links. A downloader is activated once the file is opened, infecting the computer.

Targeted victims: CryptoLocker did not seem to target any specific entity.

Attribution: CryptoLocker was created by members of the criminal gang that developed Gameover Zeus, a banking Trojan.

CryptoWall

History: CryptoWall, also known as CryptoBit or CryptoDefense, first appeared in 2014 and became popular after the original CryptoLocker shut down. It has gone through several revisions.

How it works: CryptoWall is distributed via spam or exploit kits. Its developers appear to avoid sophisticated in favor of a simple but effective classic ransomware approach. In its first six months of operation, it infected 625,000 computers.

Targeted victims: This ransomware has victimized tens of thousands of organizations of all types worldwide but avoids Russian-speaking countries.

Attribution: The CryptoWall developer is likely a criminal gang operating from a Russian-speaking country. CryptoWall 3.0 detects if it is running on a computer in Belarus, Ukraine, Russia, Kazakhstan, Armenia or Serbia then uninstalls itself.

CTB-Locker

History: First reported in 2014, CTB-Locker is another RaaS offering known for its high infection rate. In 2016, a new version of CTB-Locker targeted web servers.

How it works: Affiliates pay a monthly fee to the CTB-Locker developers for access to the hosted ransomware code. The ransomware uses elliptic curve cryptography to encrypt data. It is also known for its multi-lingual capabilities, which increases the global pool of potential victims.

Targeted victims: Given its RaaS model, CTB-Locker is a threat to any organization, but tier 1 countries in Western Europe, North America and Australia are most commonly targeted, especially if they were known to have paid ransom fees in the past.

DarkSide

History: In operation since at least August 2020, DarkSide jumped into the public spotlight in May 2021 with the ransomware attack that crippled Colonial Pipeline.

How it works: DarkSide works on the RaaS model through an affiliate program. It uses the double-extortion threat of data encryption and data theft. It is typically deployed using manual hacking techniques.

DarkSide's operators seem media savvy. They run a website where reporters can register to receive advance information about breaches and non-public information and promises fast replies to any media questions. 

Targeted victims: The group behind DarkSide claims that it doesn't attack medical facilities, COVID vaccine research and distribution companies, funeral services, non-profit organizations, educational institutions, or government organizations. After the Colonial Pipeline attack, the group issued a statement saying it would review its affiliates' potential victims before they launced attacks. 

Attribution: The DarkSide group is believed to operate from Russia and likely former affiliates of the REvil group.

DoppelPaymer

History: DoppelPaymer first appeared in June 2019 and is still active and dangerous. The US FBI's Cyber Division issued a warning about it in December 2020. In September 2020, it was used in the first ransomware that resulted in a death when a a victimized German hospital was forced to send a patient to another facility.

How it works: The gang behind DoppelPaymer uses the unusual tactic of calling victims, using spoofed US-based phone numbers, to demand a ransom payment, which is typically around 50 bitcoins, or about $600,000 when it first appeared. They claimed to be from North Korea, and made the double threat of leaking or selling the stolen data. In some cases, they took it a step further by threatening employees at victimized companies with harm.

DoppelPaymer appears to be based on the BitPaymer ransomware, although it has some key differences such as using threaded file encryption for a better encryption rate. Also unlike BitPaymer, DoppelPaymer uses a tool called Process Hacker to terminate security, email server, backup and database processes and services to weaken defenses and avoid disrupting the encryption process.

Targeted victims: DoppelPaymer targets critical industries in healthcare, emergency services and education.

Attribution: Unclear, but some reports suggest that an offshoot of the group behind the Dridex Trojan, known as TA505, is responsible for DoppelPaymer.

Egregor

History: Egregor appeared in September 2020 and is growing rapidly. Its name comes from the occult world and is defined as “the collective energy of a group of people, especially when aligned with a common goal.” On February 9, 2021, a joint operation by US, Ukrainian and French authorities arrested a number of Egregor group members and affiliates and took their website offline.

How it works: Egregor follows the “double extortion” trend of both encrypting data and threatening to leak sensitive information if the ransom is not paid. Its codebase is relatively sophisticated and able to avoid detection by using obfuscation and anti-analysis techniques. 

Targeted victims: As of late November, Egregor victimized at least 71 organizations across 19 industries worldwide.

Attribution: Egregor’s rise coincides with the Maze ransomware gang shutting down its operations. Maze group affiliates appear to have moved on to Egregor. It is a variant of the Sekhmet ransomware family and is associated with the Qakbot malware.

FONIX

History: FONIX is an RaaS offering that was first discovered in July 2020. It quickly went through a number of code revisions, but abruptly shut down in January 2021. The FONIX gang then released its master decryption key.

How it works: The FONIX gang advertised its services on cybercrime forums and the dark web. Purchasers of FONIX would send the gang an email address and password. The gang then sends the customized ransomware payload to the buyer. The FONIX gang takes a 25% cut of any ransom fees paid.

Targeted victims: Since FONIX is RAAS, anyone could be a victim.

Attribution: An unknown cybercriminal gang

GandCrab 

History: GandCrab might be the most lucrative RaaS ever. Its developers claim more than $2 billion in victim payouts as of July 2019. GandCrab was first identified in January 2018.

How it works: GandCrab is an affiliate ransomware program for cybercriminals who pay its developers a portion of the ransom fees they collect. The malware is typically delivered through malicious Microsoft Office documents sent via phishing emails. Variations of GandCrab have exploited vulnerabilities in software such as Atlassian’s Confluence. In that case, the attackers use the flaw to inject a rogue template that enables remote code execution.

Targeted victims: GandCrab has infected systems globally across multiple industries, though it is designed to avoid systems in Russian-speaking regions.

Attribution: GandCrab has been tied to Russian national Igor Prokopenko.

GoldenEye

History: Appearing in 2016, GoldenEye appears to be based on the Petya ransomware.

How it works: GoldenEye was initially spread through a campaign targeting human resources departments with fake cover letters and resumes. Once its payload infects a computer, it executes a macro that encrypts files on the computer, adding a random 8-character extension at the end of each file. The ransomware then modifies the computer’s hard drive master boot record with a custom boot loader. 

Targeted victims: GoldenEye first targeted German-speaking users in its phishing emails.

Attribution: Unknown

Jigsaw

History: Jigsaw first appeared in 2016, but researchers released a decryption tool shortly after its discovery.

How it works: The most notable aspect of Jigsaw is that it encrypts some files, demands a ransom, and then progressively deletes files until the ransom is paid. It deletes a file per hour for 72 hours. At that point, it deletes all remaining files.

Targeted victims: Jigsaw appears not to have target any group of victims.

Attribution: Unknown

KeRanger

History: KeRanger, discovered in 2016, is believed to be the first operational ransomware designed to attack Mac OS X applications.

How it works: KeRanger was distributed through a legitimate but compromised BitTorrent client that was able to evade detection as it had a valid certificate.

Targeted victims: Mac users

Attribution: Unknown

Leatherlocker 

History: Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Google removed the apps from its store shortly after discovery.

How it works: Victims download what appears to be a legitimate app. The app then asks for permissions that grant the malware access needed to execute. Rather than encrypt files, it locks the device home screen to prevent access to data.

Targeted victims: Android users who download the infected apps.

Attribution: An unknown cybercriminal group.

LockerGoga

History: LockerGoga appeared in 2019 in an attack targeting industrial companies. Although the attackers asked for a ransom, LockerGoga seemed intentially designed to make paying a ransom difficult. This led some researcher to believe its intent was disruption rather than financial gain.

How it works: LockerGoga used a phishing campaign with malicious document attachments to infect systems. The payload were signed with valid certificates, which allowed them to bypass security.

Targeted victims: LockerGoga victimized European manufacturing companies, most notably Norsk Hydro where it caused a global IT shut-down.

Attribution: Some researchers say LockerGoga was likely the work of a nation-state.

Locky

History: Locky first began spreading in 2016 and used an attack mode similar to the banking malware Dridex. Locky has inspired a number of variants including Osiris and Diablo6.