Ransomware is widely cited as the biggest cybersecurity threat that we face in the 2020s. From relatively humble origins on a floppy disk, it has evolved into a multibillion-dollar crime industry. Below we will bring you a complete guide to ransomware, including the history and evolution of this type of malware. As you will see, ransomware has evolved from lone wolf actors delivering individual viruses to complex crime organizations that offer RaaS (Ransomware as a Service) toolkits, allowing new strains to be easily developed, while offering a blueprint for carrying out attacks. However, you will also see there is a prevailing narrative that even the most potent and devastating ransomware attacks, such as Petya and WannaCry, are entirely preventable – as long as individuals and organizations take steps to heed warnings, keep systems updated, and use robust anti-ransomware software protection.
AIDs INFO DISK (1989)
Back in 1989, a Belgian working for a medical insurance company loaded a floppy disk onto his computer, thinking it contained information on the AIDs virus. Unknown to him, the disk contained a trojan horse virus, now known as the AIDs Info Disk trojan, widely regarded as the first known case of ransomware. The floppy disk encrypted the names of some files on the drive, demanding payment of $189 to be sent to a PO Box in Panama for the keys. Payment became a moot point, as the files were easily restored within 10 minutes (although it should be noted that some of those who received the ransomware infection panicked and deleted their files). By today’s standards, the Aids Info Disk ransomware is pretty rudimentary. The floppy disk in question had been distributed to around 20,000 attendees at a medical convention, but the damage was relatively minimal. Still, the AIDs Info Disk trojan is notable for being the first attempt at distributing ransomware. Its creator was reportedly Joseph Popp, an American AIDs researcher who distributed the floppy disks containing the malware. Popp was arrested in Amsterdam not long after the ransomware outbreak, but he was deemed mentally unfit for trial, and was later deported back to the United States.
| Official Name | AIDs/AIDs Info Disk |
|---|---|
| Alt Names | PC Cyborg Trojan |
| 1st Outbreak | December 1989 |
| Classification | Trojan |
| OS Impacted | Non-specific |
| Current Status | Inactive |
| Ransom | $189 |
| Infected Files | C Drive |
| Est Infected Devices | 100s |
| How It Works | Floppy Disk |
| Famous Victims | Attendees of WHO AIDS conference |
| Protected by ZoneAlarm | Yes |
Archiveus (2006)
Archiveus came around almost two decades after the AIDs Info Disk. While there were other examples of ransomware in the intervening years, including the Zippo Trojan Horse ransomware (2006) that emerged around the same time as Archiveus, it was only in the 2000s that we saw the tactics start to mature. Indeed, the term ransomware wasn’t in popular usage at the time of Archiveus, which was instead being referred to as an “extortion virus”. Archiveus would appear in the form of a pop-up message on a screen, then swap files on the My Documents section of a Windows computer, encrypting them with a 30-digit password. Victims were prompted to buy drugs from a list of websites in order to decrypt the files. As with the Aids Info Disk, Archiveus was weak and flawed compared to the ransomware of today, but it was notable for its role in defining modern ransomware threats. It was, for example, the first ransomware to use RSA encryption. The British-based IT firm Sophos eventually cracked the Archiveus ransomware code later in 2006.
| Official Name | Archiveus |
|---|---|
| 1st Outbreak | 2006 |
| Classification | Trojan |
| OS Impacted | Windows |
| Current Status | Inactive |
| Protected by ZoneAlarm | Yes |
Trojan Winlock (2011)
Trojan Winlock came about just as ransomware was going mainstream. It is one of the earliest examples of so-called locker ransomware. As the name suggests, locker ransomware is used to lock users out of a device or service, rather than focusing on encrypting files. The use of Winlock represented a paradigm shift in ransomware tactics, particularly in its ability to imitate genuine products. In addition, Trojan Winlock ransomware was notable for one of its main distribution methods – via phishing emails. Often, phishing and ransomware go hand in hand, thus it is advisable to educate yourself on phishing risks and install anti-phishing protection on personal and business devices.
| Official Name | Trojan Winlock |
|---|---|
| Alt Names | Winlock Trojan |
| 1st Outbreak | 2011 |
| Classification | Trojan |
| OS Impacted | Windows |
| Current Status | Not Active |
| Ransom | Varied |
| Protected by ZoneAlarm | Yes |
Reveton (2012)
Reveton is arguably not an example of well-known ransomware, but its importance should not be understated. It is widely cited as the first example of RaaS (Ransomware-as-a-Service), i.e., where criminals sell/lease the ransomware and the controlling infrastructure to other criminals. The cybercriminals behind Reveton were even brazen enough to have something akin to a referral program, encouraging illegal sites (such as certain pornographic websites) to distribute the malware. Reveton is also an example of scareware, as it would impersonate the FBI or other law enforcement agencies in order to spoof victims into paying fines to avoid imprisonment. This gave rise to its monikers, the FBI Virus and Police Trojan. As with many other examples on this list, Reveton evolved, starting off as a more typical malware before becoming ransomware. One of the ingenious aspects of this ransomware was its ability to adapt to different countries, posing as the Metropolitan Police when appearing to UK users, for example. At its height, the gang behind the Reveton ransomware attacks was said to be making $400,000 per month using the tactic. The alleged author of Reveton malware, known as the alias “Paunch”, was arrested in 2013. “Paunch” is said to be behind the infamous Blackhole exploit kit, a for-hire toolkit used to spread Reveton and other viruses.
| Official Name | Reveton |
|---|---|
| Alt Names | FBI Virus, Police Trojan, FBI Ransomware, Win23/Reveton.A |
| 1st Outbreak | 2012 |
| Country of Origin | Russia |
| Classification | Trojan |
| OS Impacted | Windows |
| Current Status | Inactive |
| Ransom | $100/€100 |
Svpeng (2013)
Once cited as the most dangerous mobile malware, Svpeng is the first type of ransomware specifically targeted at Android mobile devices. The key to its success is the targeting of specific sensitive applications, such as banking apps, on an Android smartphone, locking the device and demanding a ransom to open it. Svpen is a multi-purpose malware, able to do everything from track user locations to stealing bank details. Other instances of Svpeng would see victims locked out of their mobile devices and accused of accessing child pornography. It also provided the blueprint of functions and capabilities for many different types of mobile malware and ransomware types to follow.
| Official Name | Svpeng |
|---|---|
| 1st Outbreak | 2013 |
| Classification | Trojan |
| OS Impacted | Android |
CryptoLocker (2013)
CryptoLocker ransomware was used as part of a long-lasting cyberattack from September 2013 to June 2014. CryptoLocker was a trojan that targeted Microsoft Windows computers, with malicious email attachments used as the attack vector. The trojan encrypted certain files on those Windows computers, demanding a ransom (paid in Bitcoin) to decrypt them. CryptoLocker itself was relatively easy to remove from a computer, but the files were almost impossible to decrypt without the private key held by the hackers. CryptoLocker was isolated in May 2014 after authorities managed to take down the Gameover Zeus botnet, which was used to distribute the malware. One of the notable things about CryptoLocker – apart from its longevity and success – was its demand for Bitcoin as a ransom instead of fiat currency. By 2020, almost 60% of ransomware extortion demands asked for payment in cryptocurrency, and 98% of that was Bitcoin.
| Official Name | Cryptolocker |
|---|---|
| 1st Outbreak | Sept 2013 |
| Classification | Trojan |
| OS Impacted | Microsoft Windows |
| Ransom | $300 in Bitcoin |
| Est Money Paid | $27 million |
CryptoWall (2014)
One of the important elements to understand about ransomware strains is that they are often not created in isolation. When one strain is isolated and eradicated, the attackers can simply go back and remodel the strain to make it stronger. Such was the case with CryptoLocker, which had its code remodeled to become CryptoWall. Indeed, CryptoWall itself has been relaunched several times, with the latest version, CryptoWall 4.0, released in 2021. Reports claim that the original version of CryptoWall had made $325 million in ransom by 2015. One of the defining characteristics of CryptoWall is that it detects if it is running on a computer based in a Russian-speaking or former Soviet country. If so, it will uninstall itself. This gives rise to the consensus that the virus is operated from a criminal gang in Russia or neighboring country, with targets mostly based in the West.
| Official Name | CryptoWall |
|---|---|
| 1st Outbreak | 2014 |
| Classification | Trojan |
| OS Impacted | Windows |
| Current Status | Active |
| Ransom | $300 in Bitcoin |
| Est Money Paid | 625,000 |
| Protected by ZoneAlarm | Yes |
CTB Locker (2014)
Throughout this guide to the complete list of ransomware, you will notice that we hint at the fact that mainstream media often conflates and mistakes different types of ransomware. This is not a criticism, as such, as there is much overlap between the different ransomwares. However, CTB Locker is an example of that, with media reports mistakenly stating that it was CryptoLocker. There were similarities, yes, but CTB Locker seems to have been developed by a different gang. CTB Locker was developed to target all versions of Windows 7, 8, Vista, and XP. There were several characteristics of CTB Locker that made it unique, including its use of elliptical curve cryptography and the way it communicated with the Command and Control server directly through TOR (rather than over the internet). The gang behind CBT Locker released several updates for the ransomware over the following years, including a version that targets websites specifically.
| Official Name | CTB Locker |
|---|---|
| Alt Names | Critroni, Curve to Bitcoin Locker |
| 1st Outbreak | July 2014 |
| Classification | Ransomware |
| OS Impacted | Windows |
| Current Status | Inactive |
| Ransom | O.2 Bitcoin ($120 at the time) |
| How It Works | Uses elliptical curve cryptography to encrypt files |
| Protected by ZoneAlarm | Yes |
TeslaCrypt (2015)
Often when it comes to ransomware prevention, it is important to consider who is being targeted rather than how the attack comes about. In the case of TeslaCrypt, criminals took aim at a specific online demographic – gamers. TeslaCrypt targeted around 50 file extensions linked to some of the world’s most popular video games, including Call of Duty, World of Warcraft, and Minecraft. The ransomware would encrypt the game’s files, including personal data and profiles. The tactics of the hackers behind TeslaCrypt were interesting for a number of reasons. First, there was the understanding of the victim, i.e., that gamers would pay ransoms to restore files, even if those files were not deemed as valuable as, say, sensitive business data. Secondly, there was an unusual amount of correspondence between victims and the hacking group, with the latter setting up a private messaging system to offer ‘support’. Often, the hackers would restore one file to prove to the victims that they could do it. Finally, there was difference between the ransom amounts in cash and cryptocurrency. The cash amount of $1,000 was payable in PayPal My Cash Cards, whereas the cryptocurrency was less than half that amount at the time in Bitcoin. This proves the consensus that criminal gangs prefer payment in cryptocurrency as it is harder to trace.
| Official Name | TeslaCrypt |
|---|---|
| Alt Names | Ransom:Win32/Tescrypt |
| 1st Outbreak | February 2015 |
| Classification | Trojan |
| OS Impacted | Windows |
| Current Status | Shutdown |
| Ransom | $1000 or 1.5 Bitcoin (around $415 at the time). |
| Infected Files | Gameplay data from popular online games |
| Protected by ZoneAlarm | Yes |
SamSam (2015)
The SamSam ransomware family is unique in several aspects. It first surfaced in 2015, although its origins are shrouded in mystery. However, it did not start to gain traction until 2018, when the gang behind it began to capitalize on the demand for RaaS (Ransomware as a Service) solutions. Nonetheless, at its height in 2018, SamSam was noted for its bespoke capabilities. It was not sold online (or on the dark web) like other RaaS services. Instead, the gang developed tailored solutions for specific targets. Those targets included the City of Atlanta, which was one of a wave of serious SamSam ransomware attacks in 2018. For users, one of the big problems with SamSam was that it was constantly being updated with new versions. This was a nightmare for the institutions (SamSam targeted healthcare providers and government agencies in the United States) trying to take precautions in the wave of attacks. The Colorado Department of Transport, for example, was hit with two attacks in the space of a fortnight.
| Official Name | SamSam |
|---|---|
| Alt Names | Samas, SamCrypt |
| 1st Outbreak | 2015 |
| Country of Origin | Unknown; Reportedly Eastern Europe or Iran |
| Classification | Ransomware |
| OS Impacted | Windows |
| Ransom | 1-3 Bitcoin per infected system |
| How It Works | Early versions used JBoss exploits. Later, multiple exploit tactics were used. |
| Famous Victims | City of Atlanta |
| Protected by ZoneAlarm | Yes |
Cerber (2016)
2016 was a pivotal year for ransomware for a variety of reasons, including the sheer number of attacks and new ransomware variants. Cerber’s importance was due to being one of the early examples of RaaS (Ransomware as a Service). The tactic of providing ransomware toolkits for hire has ballooned ever since and is, in fact, the most common form of ransomware attack today. Offering its ransomware kit for a reported 40% cut of the ransomware, the gang behind Cerber could make money without doing any of the leg work. So successful was Cerber at its peak in 2017 that it accounted for over a quarter of all global ransomware attacks. At its height, Cerber impacted the United States more than any other country, with almost 85% of Cerber ransomware attacks concentrated in the US. Secondly, Cerber is a good example of evolutionary ransomware, with hackers providing updates to the toolkit regularly. It became less prominent in 2018 as hacker gangs moved on to new RaaS models like Gandcrab (see below).
| Official Name | Cerber Ransomware |
|---|---|
| 1st Outbreak | February 2016 |
| Country of Origin | Russia |
| Classification | RaaS |
| OS Impacted | Windows |
| Current Status | Inactive |
| Ransom | 1.2 Bitcoin |
| How It Works | Computers infected by phishing emails, malicious links, or infected websites |
| Protected by ZoneAlarm | Yes |
KeRanger (2016)
First discovered in March 2016, KeRanger is notable due to its targeting of the Apple Mac Operating System (macOS). Much is made of Apple’s walled-garden approach to security, but iPhones, iPad, and Macs can get viruses. KeRanger is but one example, but there are many more. In April 2023, for example, it was reported that the LockBit strain of ransomware had started targeting Macs for the first time. KeRanger is widely cited as the first instance of Mac-targeted ransomware.
| Official Name | KeRanger |
|---|---|
| Alt Names | OSX.KeRanger.A |
| 1st Outbreak | 2016 |
| Classification | Trojan |
| Ransom | 1 Bitcoin – roughly $400 at the time |
| Est Infected Devices | 7,000 |
Jigsaw (2016)
Originally called BitcoinBlackmailer, Jigsaw ransomware was discovered in April 2016. The Jigsaw name came about due to the puppet from the Saw horror movies being depicted in the ransom demands message. Jigsaw caught the attention of the media due to its tactic of deleting the encrypted files at set intervals (starting with one file, then increasing the rate of deletion) until the ransom was paid. Often, the deletion would begin after one hour. This, coupled with the horror movie scare-tactic, is noted for instilling a sense of panic in victims. Despite its notoriety, Jigsaw wasn’t considered revolutionary ransomware. In fact, not long after it emerged in 2016 security experts were able to release free decryptors that allowed impacted users to decrypt infected files.
| Official Name | Jigsaw |
|---|---|
| Alt Names | BitcoinBlackmailer |
| 1st Outbreak | April 2016 |
| Classification | Ransomware |
| OS Impacted | Windows |
| Current Status | Inactive |
| Ransom | Approx $150 in Bitcoin |
| How It Works | Spreads through malicious attachments in emails |
| Protected by ZoneAlarm | Yes |
ZCryptor (2016)
ZCryptor gained prominence during an explosion of ransomware threats in 2016. It is described as a hybrid malware: part worm and part pure ransomware. The attack was characterized by its time limits in the ransom demands. Initially, those attacked were asked for 1.2 Bitcoin. This would rise to 5 Bitcoin if the demands were not met within four days. After one week, the encrypted files would self-destruct. Another important aspect of ZCryptor is that it self-propagates, allowing the ransomware to spread through networks and computers without the need for an exploit kit.
| Official Name | ZCryptor |
|---|---|
| Alt Names | ZCrypt/WIN 32 |
| 1st Outbreak | June 2016 |
| Classification | Hybrid. Part worm and part ransomware. |
| OS Impacted | Windows |
| Current Status | ACTIVE |
| Ransom | 1.2 Bitcoin (Rising to 5) |
| How It Works | Spread through removable drives, copying itself into external media |
| Protected by ZoneAlarm | Yes |
Petya (2016)
Petya was discovered by researchers at Checkpoint in 2016, who quickly sounded the alarm over this new dangerous type of ransomware. The researchers pointed out that Petya did not have the impressive infection rate of previous malware strains like CryptoLocker, but was all the more dangerous due to its ability to hold an entire hard drive’s content to ransom by encrypting the MFT (Master File Table). Petya, which is now regarded as a family of ransomware (see NotPetya below), marked a sea change in ransomware tactics. It was created via an exploit, EternalBlue, that takes advantage of vulnerabilities in Windows operating systems and was developed by the United States National Security Agency (NSA). The NSA had knowledge of the exploit for several years, not alerting Microsoft to the issue. Later, the exploit was stolen by a hacker group known as The Shadow Brokers, allowing the use of the exploit for Petya (and other ransomware) to propagate. Microsoft patched the vulnerability in March 2017, but it had already ripped tens of thousands of devices. While there were many lessons learned regarding Petya, one of the main takeaways was the importance of software updates, as the devices and systems targeted were not up to date. Microsoft claimed at the time that Windows 7 devices were 3.4 times more likely to be affected by ransomware than Windows 10 devices (the latest version at the time).
| Official Name | Petya |
|---|---|
| Alt Names | GoldenEye Petrwrap |
| 1st Outbreak | March 2016 |
| Classification | Trojan |
| OS Impacted | Windows |
| Ransom | $300-600 in Bitcoin |
NotPetya (2017)
Technically, NotPetya is a variant of the Petya ransomware family. It is something of a special case, with disagreements over whether it should be termed ransomware at all. While it has many ransomware characteristics, the usage of NotPetya in several major cyberattacks in 2017 has a lot in common with a lesser-known class of malware known as wipers. The distinguishing feature between a wiper and ransomware is that the former seeks to delete or destroy the files, data, and hard drives it infects rather than encrypt them and hold the keys for ransom. Some ransoms were demanded during the NotPetya attacks of 2017, which mainly targeted Ukraine but also spread to several Western countries, yet the main focus seemed to be mass destruction. In the aftermath of the attacks, it was found that the encryption used mostly could not be reversed, hence the characterization of NotPetya as a wiper. It’s important to point out that many cybercriminals have no intention of restoring access to files after an attack, even if the ransom is paid. But true ransomware at least affords the criminals an opportunity to give the illusion that they will decrypt the files. NotPetya seemed to be a politically motivated attack with little regard for financial gain. Petya and NotPetya combined were judged to have caused around $10 billion in damage, with some citing it as the most devastating cyberattack in history.
| Official Name | NotPetya |
|---|---|
| 1st Outbreak | June 2017 |
| Country of Origin | Russia |
| Classification | Trojan |
| Ransom | $300-600 in Bitcoin |
| Famous Victims | Ukraine Government, Chernobyl Nuclear Power Plant |
WannaCry (2017)
The WannaCry Ransomware attacks of 2017 were perhaps the most well-known ransomware attacks so far. As with Petya, it used the EternalBlue exploit. However, the sophistication of WannaCry was further enhanced by the use of other exploits. Importantly, unlike Petya, WannaCry was released after Microsoft released the security patch for the exploit, targeting outdated versions of Windows and further underlying the need for organizations to update systems and use robust ransomware protection software. Many of the world’s most important businesses and organizations had not heeded that call. This caused extreme embarssment and even political fallout alongside the financial cost of WannaCry. The attack lasted four days, infecting over 300,000 computers across 150 countries. The United States and UK formally declared that they believed North Korea to be behind the attack. A report by Reuters estimated that damage caused by the WannaCry ransomare attacks in 2017 exceeded $8 billion.
| Official Name | WannaCry |
|---|---|
| 1st Outbreak | May 12th 2017 |
| Country of Origin | North Korea (alleged) |
| Classification | cryptoworm |
| Est Infected Devices | 300,000+ computers |
| Famous Victims | UK National Health Service, FedEx, Boeing, and many others |
Bad Rabbit (2017)
Yet another variant of Petya, Bad Rabbit emerged in the fall of 2017. It did not gain as much mainstream attention from Western media because it was largely concentrated on attacks in Russia, Ukraine, and other parts of Eastern Europe. It follows similar principles to WannaCry and Petya, with researchers finding that Bad Rabbit shares about two-thirds of the latter’s code. However, it does not use the Eternal Blue Exploit. In addition, Bad Rabbit shares the trait with ZCryptor of being able to spread across networks without an exploit kit or user interaction. It is not clear which group was behind the Bad Rabbit attacks of 2017, particularly given many of the targets were based in Russia.
| Official Name | Bad Rabbit |
|---|---|
| 1st Outbreak | October 2017 |
| Country of Origin | Russia |
| OS Impacted | Windows |
| Current Status | Active |
| Ransom | 0.05 Bitcoin |
| How It Works | Spread via a fake Flash update |
| Famous Victims | Interfax (Russian News Agency), Odessa International Airport |
| Protected by ZoneAlarm | Yes |
GandCrab (2018)
GandCrab is arguably the best example of Ransomware as a Service coming of age. In the 18 months from its first detection in January 2018 to July 2019, it is estimated that the gang behind it reaped around $2 billion in ransoms. At this point, we can cite one of the most important shifts in the history of ransomware. With GandGrab, we are no longer talking about singular strains of ransomware. With the RaaS approach offered by GandCrab, criminal gangs have access to a swiss-army knife of ransomware and malware strains, as well as the means to develop them. In terms of media reporting, this poses a problem, as it can lead to erroneous accounts of the type of ransomware used and the criminals behind it. In essence, the group behind GandCrab builds bespoke ransomware for other groups of criminals. Attacks carried out can use a variety of ransomwares built with the GandCrab toolkit, and those attacks may be conducted by those with direct links to GandCrab or affiliate gangs.
| Official Name | GandCrab |
|---|---|
| 1st Outbreak | January 2018 |
| Est Money Paid | $2 billion |
Ryuk (2018)
Ryuk is perhaps the most critical example to study for those who wish to understand the ransomware threat we all face in the 2020s. The reasons for this is both the sophistication of the malware and the tactics used by the gang behind Ryuk. As to the former, Ryuk ransomware is usually partnered with another type of malware, a trojan known as TrickBot. TrickBot then feeds data back to the criminals, potentially alerting them to a valuable target. As such, Ryuk is notable in its targeting of vulnerable organizations, i.e, those who are more likely to pay to encrypt the files or to stop a leak of data on the internet. It is for this reason that Ryuk ransoms are much higher than the norm, sometimes demanding the equivalent of half a million dollars in Bitcoin. Furthermore, Ryuk was cited by Microsoft as an example of a human-operated ransomware attack. What differentiates human-operated attacks from many other ransomware attacks is that they are manual and targeted – they aren’t dependent on the random spreading of the virus across multiple devices.
| Official Name | Ryuk |
|---|---|
| 1st Outbreak | 2018 |
| Ransom | $100,000-$500,000 in Bitcoin |
REvil (2018)
As we are dealing with more contemporary versions of ransomware now, it is important to clarify that there is a growing trend between the nomenclature of the ransomware itself and the gang behind it. Such is the case with REvil, a notorious criminal gang and a type of ransomware – although others are used by the gang. REvil ticks all the boxes for modern ransomware tactics. It is formed as a RaaS group, has a variety of malware in its arsenal, selects high profile targets, and is human-operated ransomware. To give you an indication of how successful REvil was at its height, consider that IBM stated in 2020 that one in four of all cyberattacks were ransomware attacks, and three in every four ransomware attacks had links to REvil. Moreover, taking its lead from Ryuk, some ransom demands seen by IBM on behalf of REvil were said to exceed $40 million. In addition, it is estimated that around one third of REvil’s victims agreed to pay the ransom. Several members of the REvil gang were arrested in 2022, with some speculation that the Russian authorities decided they had enough of their activities. However, offshoots and affiliate gangs are still active.
| Official Name | REvil |
|---|---|
| Alt Names | April 2019 |
| 1st Outbreak | 2018 |
| Ransom | $1500 - $42 million |
DoppelPaymer (2019)
DoppelPaymer is both a criminal group and ranomware family, with the main strain of the latter based on the code of the previously released BitPaymer ransomware. As we have mentioned, ransomware tends to evolve rather than be created from scratch, and normally that means each new version is more effective than the last. For instance, while DoppelPaymer and BitPaymer share similar code, the former uses a more effective threaded file encryption. DoppelPaymer was used in a wide range of attacks in 2020, notably on hospitals, police, and other emergency services (including in the US). Notably, however, there was a September 2020 attack on a German hospital, which invaded 30 servers at the insititution. As a result, a woman with life-threatening injuries had to be sent to a different hospital 20 miles away, eventually dying due to delayed treatment. The incident is considered the first death as a direct result of a cyberattack.
| Official Name | DoppelPaymer |
|---|---|
| Alt Names | BitPaymer |
| 1st Outbreak | June 2019 |
| Ransom | $25,000 to $1.2 million |
| Famous Victims | University Hospital Düsseldorf |
Netwlaker (2019)
In a sense, Netwlaker epitomizes modern ransomware threats. It is both a group (that evolved into a versatile RaaS gang) and a type of ransomware, a common trait in cybercrime in the 2020s. The group’s assuredness is also indicative of contemporary cybercriminals, brazen enough to advertise for recruits to the gang. Another modern trait exemplified by Netwlaker gangs (which sometimes goes under the moniker Circus Spider) is the targeting of healthcare institutions, including hospitals and universities. Netwlaker appeared in the fall of 2019, later adapting tactics to offer Ransomware as a Service. One of its most high-profile attacks was on the UCSF medical institution. Remarkably, an anonymous tip-off allowed the BBC to view the ransomware negotiations between the gang and UCSF in a dark web live chat. Eventually, UCSF representatives agreed to pay $1.14 million to the Netwlaker gang to decrypt the data. Netwlaker is also known for its double extortion tactics, leaking a small portion of the stolen data on the dark web as proof of them having the files and demonstrating that they can decrypt them if the ransom is paid.
| Official Name | Netwlaker |
|---|---|
| Alt Names | Circus Spider Ransomware |
| 1st Outbreak | September 2019 |
| Classification | RaaS |
| OS Impacted | Windows |
| Current Status | Active |
| Ransom | $1 million+ |
| How It Works | Attack via phishing emails. |
| Famous Victims | University of California, San Francisco |
| Protected by ZoneAlarm | Yes |
Conti (2019)
Again, when it comes to Conti, there is an overlap between the ransomware used and the group behind it. Moreover, there is fluidity between the ransomware groups and the ransomware used. For example, Conti might work with another group, such as Cozy Bear, and other groups, such as Wizard Spider, might use Conti ransomware. The overlap of gangs and tactics can sometimes cause confusion in reporting ransomware attacks in the media. One of the interesting – and worrying – characteristics of Conti ransomware is its speed of encryption – it is one of the fastest types of ransomware ever created. It achieves this by deploying 32 simultaneous CPU threads to facilitate the encryption. The Conti Group is considered one of the world’s most dangerous ransomware gangs. The most notable attack came on Ireland HSE (Ireland’s national healthcare network) in 2021, made all the more devastating as it was during the height of the Covid-19 pandemic. It has also been a vocal proponent of Russia’s invasion of Ukraine, threatening to act in retaliation if Russia is hit with cyberattacks. In May 2022, the US government put up a $15 million reward for anyone providing information that could thwart the group.
| Official Name | Conti |
|---|---|
| Alt Names | Wizard Spider |
| 1st Outbreak | December 2019 |
| Country of Origin | Russia |
| Classification | RaaS |
| OS Impacted | Windows |
| Current Status | Active |
| Ransom | Varies; up to $20 million |
| How It Works | Multiple CPU threads,Unique AES-256 encryption |
| Famous Victims | Ireland HSE (Health Service Executive) |
| Protected by ZoneAlarm | Yes |
DarkSide (2020)
DarkSide ransomware, sometimes referred to as Salsa20, is perhaps best know for the Colonial Pipeline attack in 2021. It is, among others, a type of ransomware used by the DarkSide RaaS hacking group. Darkside (the group) frames itself as a more ethical ransomware gang, claiming it won’t attack medical facilities, charitable organizations, and so on. It even claims it has a review procedure to ensure that it approves targets before allowing the leasing of the malware to other criminal gangs. In May 2021, the Darkside group announced that they would cease the RaaS program for Darkside. However, as with many other types of ransomware on this list, Darkside has evolved to create new ransomware variants. Criminal gangs often share ransomware tactics with each other, so even if the Darkside gang is now inactive – or at least claiming to be – the ransomware, its variants, and the blueprints for its success are still out there.
| Official Name | DarkSide |
|---|---|
| Alt Names | Salsa20 |
| 1st Outbreak | August 2020 |
| Country of Origin | Russia (alleged) |
| OS Impacted | Windows/Linux |
| Est Money Paid | $90 million |
Colonial Pipeline (2021)
The Colonial Pipeline Ransomware Attack of 2021 is considered one of the most impactful attacks of the 2020s (so far). It should act as an important case study of ransomware attacks, criminal gangs, and their motives. The attack, which began on May 7th, 2021, was reportedly carried out by DarkSide (see above). It compromised the computer systems managing the highly strategic oil and gas pipeline near Houston, Texas. Emergency declarations were made across 17 states. DarkSide reportedly gained access to the systems via an employee credential leak on the dark web, allowing them to paralyze the oil and gas system that provided energy to almost half of the East Coast. The Colonial Pipeline Company, working alongside the FBI, agreed to pay the ransom in Bitcoin, which was worth around $4.4 million at the time. DarkSide provided the company with an IT tool to restore their systems after the ransom was paid, although the process was cumbersome. Colonial Pipeline went back online five days after the attack. There are several lessons that we can learn from Colonial Pipeline, but perhaps most importantly it is the fact that this massive ransomware attack was caused by the compromising of a single employee password.
| Official Name | Colonial Pipeline |
|---|---|
| Alt Names | DarkSide Ransomware |
| Classification | RaaS |
| OS Impacted | Windows |
| Current Status | Active |
| Ransom | 75 Bitcoin - $4.4 million at the time |
| Est Money Paid | 75 Bitcoin Ransom Paid in Full |
| How It Works | Compromised Password |
| Famous Victims | Colonial Pipeline Company |
| Protected by ZoneAlarm | Yes |
Brenntag (2021)
On the face of it, there is little remarkable about the ransomware attack on Brenntag, a multinational chemicals company headquartered in Germany. The attack was made on the North American division of the company, which is the second-largest supplier of chemicals in the United States. However, what sticks out about the Brenntag ransomware attack is the timing. The ransom (of $4.4 million) was paid on May 11th, 2021. As you might notice, this was directly after the Colonial Pipeline Ransomware Attack. DarkSide was again said to be the perpetrator, although as a RaaS service there was speculation that it was a DarkSide affiliate. Nonetheless, the attack, which saw the DarkSide group obtain 150GB of sensitive data and threaten to leak it if the ransom was not paid, showed that major ransomware attacks could be carried out simultaneously. Reportedly, DarkSide gained access through stolen credentials, although it claims not to know how the credentials were stolen before it purchased them. Again, it is worth stressing that there is a thriving marketplace on the dark web for this kind of data. Businesses of all sizes need to take steps to protect their systems.
| Official Name | Brenntag Ransomware |
|---|---|
| Alt Names | DarkSide, DarkSide Affiliate Ransomware |
| 1st Outbreak | May 2021 |
| Classification | RaaS |
| OS Impacted | Windows |
| Current Status | Active |
| Ransom | $4.4 million |
| Est Money Paid | $4.4 million |
| How It Works | Stolen Credentials |
| Famous Victims | Brenntag Chemical Company North America Division |
| Protected by ZoneAlarm | Yes |
OnyX (2022)
As with Darkside and REvil, Onyx is both a ransomware type and a criminal gang. It emerged in the spring of 2022, using a variety of tactics that have been honed by ransomware gangs over the years. Notaby, it does not encrypt the files per se. It overrides the files with junk, making them impossible to encrypt. Thus, as with the example of NotPetya, Onyx is often considered a wiper malware due to the fact it seems that there is no intent and little ability to decrypt files, even if a ransom is paid. Again, Onyx is characterized by being developed through RaaS principles. In this case, it is a toolkit called Chaos (rebranded as Yashma). A good way to think about Chaos is as a ransomware builder. As we stated earlier, ransomware is not created in a vacuum, and each new variant is usually based on some elements of code of a predecessor. With Chaos/Yashma and other ransomware builders, criminals are given a (relatively) easy-to-use toolkit to develop new strains.
| Official Name | OnyX |
|---|---|
| 1st Outbreak | April 2022 |
| Classification | Trojan |
| Protected by ZoneAlarm | Yes |
Domino (2022)
Domino is a new family of malware, which is reportedly a collaboration between two active hacking groups, an off shoot of the Conti group and FIN7. Both groups have become infamous in contemporary cybersecurity. Conti, for example, was responsible for the Microsoft Exchange hack of 2021. Domino is considered an active or ongoing ransomware threat for 2023. As we have remarked, strains of Domino malware, attack vectors, and those behind the execution of the attacks can change in an instant, given the structure of ransomware services and toolkits for hire in the 2020s. Still, while the tactics evolve, the same rules apply for ransomware protection. Businesses, organizations, and indiviudals should ensure that they are fully educated on the threats, have taken steps to update systems and software, and are using anti-ransomware protection.
| Official Name | Domino |
|---|---|
| 1st Outbreak | October 2022 |
| Current Status | Active – Ongoing Attacks |
| Protected by ZoneAlarm | Yes |
Royal Ransomware (2022)
Royal Ransomware, also known as DEV-0569, is a new form of ransomware, administrated by a crime group that goes under the Royal Ransomware brand. It has already executed numerous cyberattacks in 2023, prompting a joint warning from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in March 2023.
| Official Name | DEV-0569 |
|---|---|
| Alt Names | Royal Ransomware |
| 1st Outbreak | September 2022 |
| Current Status | Active – Ongoing Attacks |
| Ransom | $1 million to $11 million |
| Protected by ZoneAlarm | Yes |
Important Notes on the Text
As touched upon above, the ransomware threat we face in the 2020s is no longer about specific strains of malware. The evolution of RaaS, now notable in toolkits like Chaos, has effectively led to a situation where criminals can develop bespoke ransomware with little difficulty. Criminal groups – Darkside, Conti, etc., - disband and reform, taking the toolkits and the knowledge of what worked in the past, and what didn’t work, with them. Many of those criminal gangs and the ransomware strains mentioned above here, therefore, overlap.