Let’s learn 12 Ransomware Examples with this article. Ransomware attacks can wreak havoc across every sector – from hospitals to city government entities – so understanding the various types, targets, and motivations behind ransomware attacks is critical for increasing security against this threat.
Ransomware is an increasingly prevalent threat that encrypts files and blocks access until a payment, usually in Bitcoin, is received. This type of attack can have serious repercussions for businesses, healthcare facilities and homes alike.
Home users are vulnerable to ransomware attacks because they often don’t invest in cybersecurity solutions or maintain up-to-date systems, lack backups and are willing to pay ransom to recover their data.
12 Ransomware Examples
Crypto ransomware encrypts files on computers and network drives, requiring payment in exchange for decryption keys. Some variants even utilize worm-like techniques to spread to connected systems.
1. Cryptolocker
Cryptolocker ransomware uses an asymmetric encryption method with both public and private keys – the latter belonging to cybercriminals who send their victims messages demanding payment by a certain deadline or their files will be permanently lost. It works through file encryption followed by display of a screen demanding a fee in order to decrypt them.
Spread via email attachments, phishing attacks and botnet infiltration, Gameover ZeuS enacted malware that scanned local and network drives looking for file types to encrypt. In addition, personal documents and pictures were searched for during activation.
If the malware found a match, it would create a ZIP archive with an EXE extension and random alphanumeric filename, and install this executable executable into their system folder. Otherwise, it downloaded a file from its C&C server instead. According to NCA reports, Cryptolocker central servers used by Cryptolocker to activate its malware have been shut down, giving victims two weeks’ window in which to recover their data from them.
2. DarkSide
DarkSide ransomware utilizes various time-tested techniques to achieve its goals. Threat actors behind this ransomware family rely on Tor as an anonymising network; files to encrypt are chosen based on file directories or names; they encrypt with base64 encryption methods or embed strings within code to avoid detection.
Once the hackers gained entry to their target environment through exploiting RDP weaknesses and other software vulnerabilities, they started taking data. Once in, they used this data for double extortion purposes: by threatening to publish victims’ personal details on Darkside Leaks website.
Mandiant’s analysis revealed that DarkSide operates as ransomware-as-a-service (RaaS), with profits shared among both owners and affiliates who deploy the malware into organizations.
3. BitPaymer
Like its predecessors, BitPaymer encrypts files on victim devices or networks and then demands payment in exchange for decryption keys. Depending on its variant, it may also display a lock screen warning them they must pay up or risk losing key information or having to shut down their business.
The latest variant of this malware family employs sophisticated obfuscation techniques that enable it to evade detection and analysis, using encrypted strings and string hashes as well as dynamic API resolution to avoid static tools analysis.
BitPaymer goes beyond simply obfuscation by bypassing User Account Control (UAC) settings, elevating its privileges, and wiping shadow copies from compromised systems – functions which make recovering from ransomware attacks much harder.
Researchers have connected BitPaymer, Emotet, Ursnif and Dridex through similarities in internal data structures as well as how these ransomware programs decrypt payloads. Attackers usually target large companies located in wealthy regions or countries for larger payoffs for any stolen data they obtain from those companies.
4. DoppelPaymer
DoppelPaymer ransomware family is a ransomware family that attacks critical industries such as healthcare, schools and law enforcement. First spotted in 2019 but continuing attacks through 2021; disrupting emergency services at community college campuses and city police departments throughout the US.
DoppelPaymer attacks typically arrive via emails with attachments or links to malicious websites that host the malware that infiltrates computers and encrypts files on victims’ PCs, then demands payment in Bitcoin to restore access to this data.
DoppelPaymer authors attempted to prevent reverse engineering attempts with its inclusion of CRC32 checksums of blacklisted processes/services; however, experts have discovered ways around these checksums.
DoppelPaymer ransomware is linked to Russian criminal organization Evil Corp, which was sanctioned by the Treasury earlier this year. According to Europol, DoppelPaymer demands over $43 million from victims since it first appeared in 2020; unlike most ransomware families, however, DoppelPaymer doesn’t automatically restore files after paying its requested sum.
6. MedusaLocker
Like other ransomware attacks, this specific threat employs multiple TTPs and IOCs to avoid detection. These methods include network awareness to gain entry to online backup systems and shared data storage locations (ICMP and SMB). Once on a host, this malware automatically starts running at regular intervals to encrypt new files as they come.
MedusaLocker also attempts to bypass any security solutions that might impede its encryption process by terminating a list of processes identified as belonging to antivirus, database and other utility programs. Furthermore, this ransomware uses built-in Windows tools to delete shadow copies and system backups to further limit victims’ recovery options.
Once victims are infiltrated by hackers, a ransom note is left on their system with instructions on how to reach out and contact the threat actor in order to pay for a decryption key. Ransom amounts vary between victims; once reaching out they must wait for an email response in order to acquire this key.
7. NetWalker
NetWalker ransomware was discovered in September 2019, and harvests data from compromised environments before encrypting those files, before displaying a ransom note demanding payment for decrypting stolen files.
NetWalker attackers employ obfuscated loaders, post-exploit tools and Living-off-the-Land (LOTL) tactics to explore target environments and gather as much data as possible from them. Common utilities and trojanized applications like Mimikatz, PowerShell tools such as AnyDesk and NLBrute may also be deployed to gain privileged access.
In most instances, cybercriminal groups gain unauthorised entry to victim networks days or weeks before sending ransom demands and using NetWalker ransomware to spread from workstation to workstation.
The group responsible for this ransomware also advertises on dark market Russian forums in order to recruit affiliates who will help spread it further. They prefer those with prior cybercrime experience and access into corporate networks. Prevention procedures such as patching, secure Wi-Fi networks, multifactor authentication systems and using up-to-date antivirus software can reduce the impact of attacks like these.
8. NotPetya
In June 2017 was NotPetya, a virus known as ransomware which struck global organisations and caused massive disruption and file deletion. NotPetya taught us a valuable lesson about ransomware attacks: not all are the same; NotPetya differed significantly as it initially wiped your files before demanding payment from you; making it “wiperware”, rather than ransomware; many speculated this attack might have been carried out as part of Russian government attacks against Ukraine.
Petya spread through email attachments disguised as job applications that contained executable files or links to Dropbox files. EternalBlue was also employed, although not as effectively, to spread within networks, utilising remote access vulnerabilities and credential theft techniques to move laterally within them. One key distinction between Petya and NotPetya was their encryption methods – Petya only encrypted Master File Table data while NotPetya encrypted everything allowing faster movement between systems; cybersecurity experts at Kaspersky Lab coined this variant NotPetya; thus sticking with it’s moniker even today.
9. Petya
Petya made headlines around the world in 2017 following an attack that struck businesses across Ukraine. The malware spreads via emails containing PDFs which serve as Trojan horses; once inside a host system it overwrites the MBR and encrypts files before demanding payment in Bitcoin to decrypt them.
This malware also reboots hosts, showing what appears to be the Windows CHKDSK screen in response to system crashes, before prompting victims to pay a ransom fee.
NotPetya stands out because its payment mechanism, consisting of an ineffective identifying number, was ineffective to the point that experts believed attackers couldn’t unlock data files.
10. REvil
REvil/Sodinokibi is a ransomware-as-a-service (RaaS) threat which targets various industries and organizations, spreading through spear phishing attacks or via malware such as Qakbot or IcedID.
REvil has been linked with GandCrab, which recently saw its authors retire, sharing characteristics such as country whitelists, language translations, and URL generation. Furthermore, Coveware notes that REvil attackers may engage in double extortion tactics by threatening to publish stolen data from victims who don’t pay their ransom demands.
Cyberattacks like REvil can have disastrous repercussions, making cybersecurity an absolute requirement of every business. You can bolster your defenses by implementing suitable security controls and offering employees security awareness training – giving your team the protection it needs from even the worst cyberattacks.
11. SamSam
SamSam ransomware targets organizations from various sectors including healthcare and public service. It encrypts data files and applications, making recovery through partial backups difficult and time consuming.
Attackers use various tools to gain entry to networks and plant ransomware executables, including leaked NSA exploit EternalBlue. Furthermore, attackers use RDP brute force attacks and administrative privileges gained via RDP brute force to gain lateral proliferation as well as administrative privileges that allow them to disable anti-virus protection, bypass two-factor authentication measures and wipe or encrypt backups.
SamSam first came into prominence with its attack against Atlanta and subsequent indictment of two Iranian hackers, leading to widespread disruption for various organisations. It’s best known for targeting large networks in healthcare and demanding payment in bitcoin in order to decrypt data – usually using compromised JBOSS systems or stolen credentials bought on underground forums as entryways into attacks.
12. WannaCry
WannaCry ransomware spread via traditional malware delivery vectors such as malicious emails, credential compromise and botnets; however, WannaCry took an unconventional route by employing EternalBlue exploit developed by the National Security Agency and later leaked by hackers known as The Shadow Brokers.
At launch, the malware begins its search for files to encrypt, selecting those with certain extensions such as Microsoft Office files and MP3 and MKV videos to render unusable. Furthermore, it attempts to access a hard-coded URL containing an “off switch” which stops its attack process.
At its height in May 2017, WannaCry had an enormous global reach, impacting businesses and individuals from 150 nations. The cryptovirus encrypted data before demanding payment in cryptocurrency which is much harder to track than electronic money transfers or checks.