Types of Ransomware


WannaCry

Appeared on May 12, 2017

Within a day it was reported to have infected more than 230,000 computers in over 150 countries. Parts of the United Kingdom’s National Health Service (NHS) were infected, forcing it to run some services on an emergency-only basis during the attack. Spain’s Telefónica, FedEx and Deutsche Bahn were also hit, along with many other companies in countries worldwide. Overall, WannaCry had over 200,000 victims and had infected more than 300,000 computers.

WannaCry propagates using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own offensive work rather than report it to Microsoft.


CryptoLocker

Appeared on September 5, 2013

CryptoLocker is typically propagated as an attachment to a seemingly innocuous email message that appears to have been sent by a legitimate company. A ZIP file attached to the email contains an executable whose filename and icon are disguised as a PDF file, taking advantage of Windows’ default behavior of hiding file extensions to conceal the real .EXE extension. CryptoLocker was also propagated using the Gameover ZeuS Trojan and botnet.


Cerber

Appeared in early 2016

The Cerber ransomware service infected 150,000 devices and extracted $195,000 in ransom payments in July 2016, according to the security company Check Point. The group behind Cerber is estimated to make around $78,000 per month from their illegal activity, which adds up to around $946,000 per year.

Cerber is the world’s biggest ransomware-as-a-service scheme, according to Check Point researchers, who compiled a report on its operations. The ransomware developer appears to recruit affiliates who spread the malware in return for a 60% cut of the profits and an additional 5% for recruiting a new member. The Cerber operation uses a “maze” of thousands of Bitcoin accounts that allow its franchisees to launder the ransom money they receive.


NotPetya

Appeared on June 27, 2017

On 27 June 2017, a major global cyberattack began utilizing a new variant of Petya, now called NotPetya. During the attack, the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline. Several Ukrainian ministries, banks and metro systems were also affected. Researchers estimate that the June attack cost companies $592.5 million. That total includes money lost in quarterly and yearly revenue as well as financial and operational losses brought on by the attack, and the number is expected to grow as companies continue to calculate NotPetya’s fiscal impact.

The “NotPetya” variant used in the 2017 attack spreads with EternalBlue, an exploit that takes advantage of a vulnerability in Windows’ Server Message Block (SMB) protocol. NotPetya’s payload infects the computer’s master boot record (MBR), overwriting the Windows bootloader, and then triggers a restart. On the next startup the payload executes, encrypts the Master File Table of the NTFS file system, and then displays the ransom message demanding a payment in Bitcoin. During this process, text purporting to come from chkdsk, Windows’ file system scanner, is displayed on-screen, suggesting that the hard drive’s sectors are being repaired.


Locky

Appeared in February 2016

When first released, Locky was infecting approximately 90,000 systems per day. It is delivered by an email (allegedly an invoice requiring payment) with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of garbage and includes the phrase “Enable macro if data encoding is incorrect,” a social engineering technique. If the user does enable macros, the macros save and run a binary file that downloads the actual encryption Trojan, which encrypts all files matching particular extensions. After encryption, a message displayed on the user’s desktop instructs them to download the Tor browser and visit a specific criminal-operated website for further information. The website contains instructions that demand a payment of between 0.5 and 1 Bitcoin (one Bitcoin varies in value between 500-1000 Euros via a Bitcoin exchange). Since the criminals possess the private key and control the remote servers, the victims are motivated to pay to decrypt their files.
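The two delivery tricks described above, CryptoLocker’s executable disguised as a PDF inside a ZIP attachment and Locky’s macro-bearing Word document, can both be caught at the mail gateway before anyone double-clicks. The Python below is an added example, not code from the original page or from any vendor; the extension lists are illustrative assumptions, and the ZIP and document skeleton it scans are constructed, harmless samples.

```python
import io
import zipfile

# Extensions Windows runs on double-click, and decoy extensions placed before them
# so that 'Invoice.pdf.exe' shows as 'Invoice.pdf' when Explorer hides extensions.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
# OOXML formats (ZIP containers) that may carry VBA macros, Locky's delivery vector.
OFFICE_EXTS = {".docm", ".docx", ".xlsm", ".xlsx", ".pptm"}

def _exts(name):
    """Lowercase extension chain: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]

def classify_member(name, data):
    """Findings for one attachment or archive member (empty list if clean)."""
    findings, exts = [], _exts(name)
    if exts and exts[-1] in EXECUTABLE_EXTS:
        disguised = len(exts) >= 2 and exts[-2] in DECOY_EXTS
        findings.append("disguised executable" if disguised else "executable")
    if exts and exts[-1] in OFFICE_EXTS and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            if any(n.lower().endswith("vbaproject.bin") for n in doc.namelist()):
                findings.append("contains VBA macros")
    return findings

def scan_attachment(filename, data):
    """Scan one attachment, descending into a ZIP wrapper like CryptoLocker's."""
    report = {}
    if _exts(filename)[-1:] == [".zip"] and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if hits := classify_member(info.filename, z.read(info)):
                    report[filename + ":" + info.filename] = hits
    elif hits := classify_member(filename, data):
        report[filename] = hits
    return report

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in members.items():
            z.writestr(name, payload)
    return buf.getvalue()

# Constructed, harmless samples: a CryptoLocker-style ZIP wrapping a stub named like
# a PDF, and a Locky-style macro document skeleton (no real macro code inside).
SAMPLE_ZIP = make_zip({"Invoice_2013.pdf.exe": b"MZ placeholder"})
SAMPLE_DOCM = make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\xd0\xcf"})
```

Run `scan_attachment("invoice.zip", SAMPLE_ZIP)` to see the disguised member flagged; a plain PDF attachment yields an empty report.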


CryptoWall

Appeared in 2014

CryptoWall is a Trojan that encrypts files on the compromised computer. The threat typically arrives on the affected computer through spam emails, exploit kits hosted through malicious ads or compromised sites, or other malware. Once the Trojan is executed on the compromised computer, it creates a number of registry entries to store the paths of the encrypted files and to run every time the computer restarts. It encrypts files with particular extensions on the computer and creates additional files with instructions on how to obtain the decryption key.
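The registry autostart entries CryptoWall creates, as described above, leave a trace that endpoint telemetry can catch: a value written under a Run or RunOnce key whose command points into a directory an unprivileged process can write to. The Python below is an added example, not the page’s or any vendor’s code; the pipe-delimited records mimic the fields of Sysmon registry SetValue events (EventID 13) and are constructed, as are the paths and value names.

```python
import re

# Autostart keys that CryptoWall-style malware writes to so it runs after every reboot.
RUN_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Locations an unprivileged process can write to; legitimate software normally
# registers a binary under Program Files or the Windows directory instead.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)

# Constructed Sysmon-style registry SetValue records (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Users\\alice\\AppData\\Roaming\\a1b2c3.exe"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\a1b2c3"
    "|Details=C:\\Users\\alice\\AppData\\Roaming\\a1b2c3.exe",
    "EventID=13|Image=C:\\Program Files\\Vendor\\setup.exe"
    "|TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"
    "|Details=\"C:\\Program Files\\Vendor\\agent.exe\" /tray",
    "EventID=13|Image=C:\\Windows\\explorer.exe"
    "|TargetObject=HKCU\\Software\\Classes\\Local Settings\\MuiCache\\x|Details=Notepad",
]

def parse_event(line):
    """Split a 'key=value|key=value' record into a dict (first '=' separates)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def is_suspicious_autostart(event):
    """True when a SetValue event writes a Run/RunOnce value pointing into a user-writable path."""
    if event.get("EventID") != "13":
        return False
    key = event.get("TargetObject", "").rsplit("\\", 1)[0]  # drop the value name
    if not any(key.lower().endswith(k.lower()) for k in RUN_KEYS):
        return False
    return bool(USER_WRITABLE.search(event.get("Details", "")))

def find_persistence(lines):
    """Return (value name, command) pairs for suspicious autostart writes in the log."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_autostart(ev):
            hits.append((ev["TargetObject"].rsplit("\\", 1)[1], ev["Details"]))
    return hits
```

Calling `find_persistence(SAMPLE_EVENTS)` returns only the first record: the vendor agent under Program Files and the MuiCache write are not flagged.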

FBI virus

Also known as the Reveton Trojan, it first appeared in 2012

Once installed on your computer, the FBI virus displays a bogus notification that pretends to be from the Federal Bureau of Investigation and states that your computer has been blocked because it was involved in distributing pornographic material, spam and copyrighted content. The FBI virus locks you out of your computer and applications, so whenever you try to log on to Windows or into Safe Mode with Networking, it displays a screen asking you to pay a non-existent fine in the form of a MoneyPak code. To make the alert seem more authentic, the virus can also access your installed webcam so that the bogus FBI notification shows what is happening in the room. The FBI virus locks the computer and, depending on the user’s current location, displays a localized webpage that covers the entire desktop of the infected computer and demands payment for the supposed possession of illicit material.


First appeared in 2015

This Trojan compromised the PCs of certain groups of gamers, encrypting their files. It asked for about $500 to return the data to its owners. In 2016, the ransomware developers shut down and released a decryption key.


Jigsaw

First appeared in 2016

This ransomware not only encrypts your files but also deletes them if you take too long to make the ransom payment of $150 USD. The Jigsaw ransomware, named after the iconic character that appears in the ransom note, deletes files every hour and each time the infection starts, until you pay the ransom.