Top 10 Ransomware and Malware

Ransomware | LewisR | July 9, 2019

  • Bad Rabbit follows the wider-reaching WannaCry and NotPetya strains of malicious code and has infected organizations primarily in Russia and Eastern Europe. Disguised as an Adobe Flash installer, Bad Rabbit spreads via ‘drive-by download’ on compromised websites. If a person clicks on the malicious installer, their computer locks. The ransom note demands around $280 in Bitcoin and gives a 40-hour deadline for payments to be made.

  • Cerber is an example of evolved ransomware technology. It is distributed as ransomware-as-a-service (RaaS), which is an “affiliate program” of sorts for cybercriminals. Anyone can buy it and unleash it in exchange for 40 per cent of the profits. Targeting cloud-based Office 365 users and using an elaborate phishing campaign, Cerber has impacted millions of users worldwide, except in post-Soviet countries. Typically, the victim receives an email with an infected Microsoft Office document attached. Once opened, the ransomware may run silently in the background during the encryption phase and give the user no indication of infection. After the encryption is complete, users will find ransom notes in encrypted folders and often as a desktop background. At its peak in early 2017, Cerber accounted for 26% of all ransomware infections. Cerber uses strong RSA encryption, and currently there are no free decryptors available.

  • Dharma is a cryptovirus that marks encrypted files with a contact email address and a random combination of letters. It first struck in 2016 and new versions are released regularly. Dharma uses AES-256 to encrypt files while simultaneously deleting shadow copies. The latest variants of 2019 use the file extensions .gif, .AUF, .USA, .xwx, .best, and .heets. The proliferation of new Dharma variants indicates a broader distribution of the ransomware to new groups of hackers.

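As an added example (not code from the original post), the following Python triage script scans a file listing for the Dharma marker described above. It assumes the widely reported Dharma/CrySiS naming convention of `<name>.id-<8 hex>.[<contact email>].<extension>` (an assumption, not stated in the post) and only counts the 2019 extensions listed above, so a plain `.gif` image without the id and email marker is not reported as encrypted.

```python
import re
from collections import Counter
from pathlib import Path

# Variant extensions the post lists for the 2019 Dharma builds.
DHARMA_EXTENSIONS = {"gif", "auf", "usa", "xwx", "best", "heets"}

# Assumed Dharma/CrySiS naming convention (an assumption, not from the post):
#   <original name>.id-<8 hex>.[<contact email>].<variant extension>
# Matching the whole marker keeps ordinary .gif images from being flagged.
DHARMA_MARKER = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\[\]\s]+@[^\[\]\s]+)\]\.(?P<ext>[A-Za-z]+)$"
)

def parse_dharma_name(filename):
    """Return the marker fields if filename looks Dharma-encrypted, else None."""
    m = DHARMA_MARKER.match(filename)
    if not m or m.group("ext").lower() not in DHARMA_EXTENSIONS:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id").upper(),
        "contact": m.group("contact").lower(),
        "ext": m.group("ext").lower(),
    }

def summarise(filenames):
    """Triage a listing: how many files are marked, by which contact and id."""
    names = list(filenames)
    hits = [h for h in map(parse_dharma_name, names) if h]
    return {
        "total_files": len(names),
        "encrypted_files": len(hits),
        "contacts": Counter(h["contact"] for h in hits),
        "victim_ids": Counter(h["victim_id"] for h in hits),
    }

def scan_tree(root):
    """Run summarise() over every regular file below root (read-only walk)."""
    return summarise(p.name for p in Path(root).rglob("*") if p.is_file())

# Constructed sample listing (not real victim data) for a stand-alone run.
SAMPLE_NAMES = [
    "budget.xlsx.id-4B2A1C9F.[restore@example.invalid].heets",
    "photo.jpg.id-4B2A1C9F.[restore@example.invalid].best",
    "notes.txt.id-4B2A1C9F.[restore@example.invalid].gif",
    "logo.gif",  # ordinary image: same extension, no marker, not flagged
    "FILES ENCRYPTED.txt",  # ransom note, not an encrypted file
]
```

Calling `summarise(SAMPLE_NAMES)` reports 3 of 5 files encrypted, all tied to one victim id and one contact address; `scan_tree("/path/to/share")` applies the same check to a real directory without modifying anything.
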
  • GandCrab, considered to be the most popular multi-million dollar ransomware of 2018, is one of the few widely deployed ransomware campaigns. The GandCrab team relies heavily on Microsoft Office macros, VBScript, and PowerShell to avoid detection and uses a ransomware-as-a-service (RaaS) model to maximize delivery while primarily focusing on consumer phishing emails. Ransom demands can range from $500 to $600.

  • Jigsaw was named after a horror movie character and is a particularly sadistic form of ransomware. It not only encrypts users’ files but also progressively deletes them. That means victims need to react quickly: they have only 24 hours to pay the ransom of 150 USD. If they miss that deadline, the ransomware begins deleting files every hour and increases the number of files deleted each time. Any funny business, including shutting down the computer, causes Jigsaw to delete up to 1,000 of the victim’s files.

  • Katyusha is an encryption ransomware Trojan that was first observed in October 2018. It encrypts files, appending the extension “.katyusha”, and demands 0.5 BTC within three days. Katyusha threatens to release the data for public download if the ransom is not paid. The malware package contains the EternalBlue and DoublePulsar exploits, which are used to spread over the network. It also deletes shadow copies from the system. Katyusha is commonly delivered to victims via malicious email attachments. Currently, there are no tools capable of cracking Katyusha’s encryption and restoring data free of charge.

  • LockerGoga has, since the beginning of 2019, hit several industrial and manufacturing firms, causing significant harm. After an initial infection at the French engineering consulting firm Altran, it disrupted Norsk Hydro and two major US-based chemical companies. LockerGoga is a newer, targeted, and more destructive type of ransomware. Interestingly, it appears to have both ransomware and wiper capabilities. Later versions of LockerGoga forcibly log victims off the infected device, which often means victims never see the ransom message or the instructions on how to recover files. That is a very different approach from typical ransomware, which merely encrypts some files on a machine but otherwise leaves it running.

  • PewCrypt shows that not every ransomware is created for financial gain. Some ransomware authors have other goals in mind, like the author of PewCrypt. This ransomware made a lot of noise at the beginning of 2019, and it was created with one goal: the hacker only wants victims to subscribe to the popular YouTuber PewDiePie (the most subscribed-to creator on the platform for over five years) and help him reach 100m subscribers before the Indian Bollywood channel T-Series. The competition between them has been a talking point on the internet for several months and, for some reason, PewDiePie fans seem to believe that making and releasing ransomware is a proper and acceptable method of supporting their idol. PewDiePie has made numerous videos publicly stating that he does not agree with using malicious tactics to keep him at the top. PewCrypt is typically distributed by spam email campaigns and websites that host malware or display malicious advertisements. It is written in Java and uses 256-bit AES encryption. However, after some time the author released a decryption tool for everybody to use for free.

  • Ryuk is part of a fairly new ransomware family, which made its debut in August 2018 and has since produced $3.7 million in bitcoin, spread across 52 payments. Common ransomware is usually distributed via massive spam campaigns and exploit kits, but Ryuk is used specifically in targeted attacks. It mainly focuses on big targets, such as enterprises that can pay a lot of money to recover their files. Ryuk uses robust algorithms such as RSA-4096 and AES-256 to encrypt files and demands ransoms ranging from 15 to 50 bitcoins. When Ryuk first appeared in late 2018, many researchers assumed it was tied to North Korea, as Ryuk shares much of its code base with the Hermes ransomware. However, further research determined that the Ryuk authors are most likely located in Russia and built Ryuk using (most likely stolen) Hermes code.

  • SamSam is a ransomware strain used most commonly in targeted ransomware attacks. SamSam has attacked a wide range of industries in the US, mainly critical infrastructure such as hospitals, healthcare companies, and city municipalities. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms. Last year, a SamSam attack crippled the city of Atlanta for days and cost taxpayers close to $17 million. Unlike most ransomware campaigns, which rely on phishing techniques for delivery, SamSam uses Remote Desktop Protocol (RDP) to infect victims’ networks with minimal detection. The calling card of this ransomware is renaming all infected files to “I’m sorry.” The SamSam group made over $6 million in ransom payments, often demanding over $50,000 in bitcoin, and caused over $30 million in losses to victims.

TOP 10 Malware

  • Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  • Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
  • Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.
  • Trickbot is a modular banking trojan that is known to be dropped by Emotet as well as spread via malspam campaigns. Trickbot is also known to download the IcedID banking Trojan.
  • WannaCry is a ransomware cryptoworm that uses the EternalBlue exploit to spread via SMB protocol. WannaCry has a “killswitch” domain, which stops the encryption process.
  • ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
  • CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.
  • NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  • Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network. In December 2018, Emotet was observed using a new module that exfiltrates email content.
  • Qakbot is financial malware designed to target governments and businesses for financial fraud and known for its wormability on a network. Qakbot installs a keylogger to steal user credentials. It monitors network traffic, specifically traffic to online banking websites and can piggyback on a user’s active banking session by intercepting authentication tokens. It is currently being dropped by Emotet.

Ransomware and malware are preventable!

Even though there are ways to recover encrypted files with a decryptor in some cases, there is no silver bullet that can treat every existing variant of ransomware, and new variants are being created all the time. The best way to handle ransomware and malware is prevention: follow healthy security practices, and partner with a business that is willing to detect and respond to threats in real time and can educate your company in the process.


Get out of jail free: decryptor tools for ransomware are available below:

Decryptor: Trend Micro Ransomware File Decryptor Tool

Decryptor: Rakhni decryptor by Kaspersky Lab is able to decrypt files with the .dharma extension.
