While ransomware has been around for decades, ransomware attacks are becoming more sophisticated, spreading through phishing emails, spear phishing, email attachments, vulnerability exploits, computer worms and other attack vectors.
As have its methods of payment coercion. Traditionally, ransom payments were demanded via prepaid cash services, Western Union transfers, gift cards or premium rate SMS services. Cybercriminals rely on Bitcoin and other cryptocurrencies to get paid.
In 2018, the FBI's Internet Crime Complaint Center (IC3) received 1,493 ransomware complaints that cost victims over $3.6 million. This does not account for lost business, time, wages, files, equipment or third-party remediation costs.
In many cases, victims don't report ransomware attacks to law enforcement, creating an artificially low ransomware count.
This article provides many ransomware examples from 1989 to the present and discusses the most significant ransomware attacks and their variants.
If you're infected with ransomware, read our guide on how to decrypt ransomware using free tools.
1. AIDS Trojan
One of the first known examples of ransomware was the AIDS Trojan written by evolutionary biologist Dr. Joseph Popp. Popp sent infected floppy diskettes to hundreds of victims under the heading "AIDS Information Introductory Diskette".
The Trojan replaced the AUTOEXEC.BAT file, which would then be used to count the number of times the computer has booted.
Once the boot count reached 90, the ransomware hid directories and encrypted the names of all files on the hard drive (rendering the system unusable).
The victim would then be asked to 'renew the license' and contact PC Cyborg Corporation for payment, which involved sending $189 to a P.O. box in Panama, even though the decryption key could be extracted from the code of the Trojan.
Popp was ultimately declared mentally unfit to stand trial but promised to donate the profits from the ransomware to fund AIDS research.
WannaCry, an encrypting ransomware computer worm, was initially released on 12 May 2017. The ransom demand ranged from $300 to $600 to be paid in the cryptocurrency Bitcoin. WannaCry ransomware is also known as WannaCrypt, WCry, Wana Decrypt0r 2.0, WannaCrypt0r 2.0 and Wanna Decryptor.
It targets computers running outdated versions of the Microsoft Windows operating systems by exploiting the EternalBlue vulnerability in the Server Message Block (SMB) protocol.
This allowed the ransomware to spread without victim participation.
The EternalBlue exploit was discovered, but not disclosed, by the NSA prior to the attack. The NSA has since been criticized for not disclosing the exploit to Microsoft or the public on CVE, which may have allowed it to be patched prior to WannaCry.
Despite quick patching and the discovery of a kill switch domain, WannaCry was able to spread to an estimated 200,000 computers across 150 countries, causing hundreds of millions to billions of dollars in damages.
Much of WannaCry's success was due to poor patching cadence.
Security experts, the United States, United Kingdom, Canada, Japan, New Zealand and Australia have formally asserted North Korea was behind the attack.
CryptoLocker, an encrypting Trojan horse, occured from 5 September 2013 to late May 2014.
The Trojan targeted computers running Microsoft Windows, propagating via infected email attachments and via an existing Gameover ZeuS botnet.
CryptoLocker then displayed a ransom message offering to decrypt the data if a Bitcoin or prepaid cash voucher payment was made by a stated deadline. It employed social engineering to create a sense of urgency, threatening to delete the decryption key if the deadline passed.
If the deadline passed, CryptoLocker would offer to decrypt data via an online service provided by its operators for a significantly higher price in Bitcoin.
As with many types of ransomware, there was no guarantee the payment would release the encrypted content.
While CryptoLocker itself was easily removed, the affected files remained encrypted in a way which was unfeasible to break.
In late May 2014, Operation Tovar took down the Gameover ZeuS botnet which had been used to distributed the ransomware.
During the operation, the database of private keys used by CryptoLocker was obtained and used to build an online tool to recover the files without paying the ransom.
That said, CryptoLocker was a successful cybercrime. It is believed the operators successfully extorted around $3 million.
Petya is a ransomware family first discovered in 2016. Petya infects the computer's master boot record (MBR), overwrites the Windows bootloader and triggers a restart.
Upon startup, the payload encrypts the Master File Table of the NTFS file system and then displays a ransom note demanding payment in Bitcoin. Meanwhile the computer's screen displays text purportedly output from chkdsk, Windows' file system scanner suggesting the hard drive's sectors are being repaired.
The original Petya required the user to grant it administrative privileges. Another variant bundled Petya with a second payload, Mischa, which activated if Petya failed to install.
Mischa is a more conventional ransomware, encrypting user documents and executable files without administrative privileges.
The earliest versions of Petya disguised their payload as a PDF file, spreading through email attachments.
By June 2017, a new variant known as NotPetya was discovered spreading, like WannaCry, through EternalBlue. EternalBlue is an exploit that takes advantage of a vulnerability in the Server Message Block (SMB) protocol.
5. Bad Rabbit
Bad Rabbit was discovered by users in Russia and Ukraine on 24 October 2017. It follows similar patterns to WannaCry and Petya by encrypting the user's file tables, demanding a Bitcoin payment to decrypt them.
Bad Rabbit spread through a bogus update to Adobe Flash and infected Interfax, Odessa International Airport, Kiev Metro and the Ministry of Infrastructure of Ukraine.
Ransomware infections spread to other countries including Turkey, Germany, Poland, Japan, South Korea and the United States by piggybacking corporate network structures.
Experts believe the ransomware is tied to the Petya attack in the Ukraine, due to Bad Rabbit's code having many overlapping and analogical elements to the code of Petya/NotPetya.
Unlike Petya, the ransomware did not use EternalBlue to spread and a simple method to stop the spread was found by 24 October 2017. Further, the sites that had been used to spread the bogus update had gone offline or removed the problematic files within a few days, effectively killing the spread of Bad Rabbit.
TeslaCrypt is a now defunct ransomware trojan spread through the Angler Adobe Flash exploit.
In its early forms, TeslaCrypt searched for 185 file extensions related to 40 different games including Call of Duty, World of Warcraft, Minecraft and World of Tanks and encrypted the files.
These files involved save data, player profiles, custom maps and game mods stored on the victim's hard drive.
Newer variants of TeslaCrypt also encrypted Word, PDF, JPEG and other file extensions, prompting the victim to pay a ransom of $500 in Bitcoin to decrypt the files.
Early variants claimed to use asymmetric encryption, however security researchers found that symmetric encryption was used and developed a decryption tool. This was changed in version 2.0, rendering it impossible to decrypt files affected by TeslaCrypt-2.0.
By November 2015, security researchers had been quietly circulating a new weakness in version 2.0 which was fixed in a new version 3.0 in January 2016.
In May 2016, the developers of TeslaCrypt shut down the ransomware and released the master decryption key, thus bringing an end to the ransomware.
Locky was released in 2016 and spread by email (allegedly an invoice requiring payment) with an infected Microsoft Word document containing malicious macros.
When the user opens the document, it appears to be full of garbage except the phrase "Enable macro if data encoding is incorrect", a form of social engineering.
If the user enables macros, the Word document saves and runs a binary file that downloads the actual encryption Trojan which encrypts all files with a particular extension.
Filenames are then converted to unique 16 character letter and number combinations with the .locky file extension.
Subsequent versions used other file extensions including .zepto, .odin, .aesir, .thor, and .zzzzz. The current version, released in December 2016, utilizes the .osiris extension for encrypted files.
After encryption, a message would be displayed on the user's desktop instructing them to download Tor and visit a dark web website for further information.
The site contained instructions to pay between 0.5 and 1 Bitcoin.
Locky's decryption keys are generated server side, making manual decryption impossible.
Jigsaw is a n encryption ransomware variant created in 2016. It was initially titled 'BitcoinBlackmailer' but later came to be known as Jigsaw due to featuring Billy the Puppet from the Saw film franchise.
It spread through malicious attachments in spam emails.
Once activated Jigsaw encrypts all user files and master boot record (MBR).
Following this, a popup featuring Billy the Puppet appears with a ransom demand in the style of Saw's Jigsaw for Bitcoin in exchange for decrypting files.
The victim has one hour to pay or one file will be deleted. Each hour the ransom is not paid the number of files deleted increases exponentially until the computer is wiped after 72 hours.
Any attempt to reboot the computer or terminate the process results in 1,000 files being deleted.
Jigsaw can be reverse engineered to remove the encryption without paying ransom.
Cerber is an example of evolving ransomware threats. It is distributed as Ransomware-as-a-Service (RaaS), where cybercriminals can use it in exchange for 40 per cent of profits.
Cerber targets cloud-based Office 365 users and using an elaborate phishing campaign to infect anyone outside of post-Soviet countries. If the malware detects your computer is from Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine or Uzbekistan, it will deactivate itself.
Typically, victims receive an email with an infected Microsoft Office document attached. Once opened, the ransomware runs in the background during the encryption phase and doesn't provide any indication of infection.
After the encryption is complete, the user finds ransom notes in encrypted folders and often as their desktop background.
CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early 2014 and other variants have appeared including CryptoBit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0.
The ransomware upon installation encrypts files and scrambles names to make it hard for victims to know which files were affected, system restore points are deleted to remove the option of returning to a previously saved state.
The ransomware demands payment in Bitcoin and uses a command-and-control server to store decryption keys, making local decryption impossible.
Ryuk is a sophisticated ransomware run by WIZARD SPIDER, a cybercrime group, who targets large enterprises for high ransom payments.
Once infected, a ransom note named RyukReadMe.txt is displayed containing a static template except for a changing email address and Bitcoin wallet.
The email addresses usually contain one email at protonmail.com and another at tutanota.com, typically esoteric actors, directors or Instagram models' names are used.
Based on observed transitions to known Ryuk BTC wallets, the ransom demand varies significantly depending on the size and value of the victim's organization.
The Russia-based group has made roughly $3.7 million off 52 known transactions.
As more users and valuable files migrate to mobile devices, so too are ransomware creators.
Android is particularly popular due to its open ecosystem and ability to actually encrypt files.
SimpleLocker was the first Android-based ransomware attack that delivered its payload via a Trojan downloader which made it more difficult for countermeasures to catch up.
That said, the overall numbers are still low at an estimated 150,000 as of late 2016. The good news is by downloading apps from the Google Play store, you're much less likely to be infected by ransomware or another type of malware.
Troldesh, also known as Encoder.858 and Shade, targets Windows systems and is distributed via the Axpergle and Nuclear exploit kits.
When first discovered in 2015, Troldesh provided an email address for victims to contact the attack to negotiate ransom payment.
Newer versions use a payment portal located on the dark web, requiring victims to use Tor to visit the site and submit their payment. It also comes bundled additional malware named Mexar, which downloads the Teamspy bot for remote access to the victim's computer, and requests malicious URLs from its C2 server.
GandCrab was first observed in January 2018, GandCrab was an encrypting ransomware that targeted PCs running Microsoft Windows.
Like Cerber, GandCrab does not infect machines in Russia or the former Soviet Union and is run as a Ransomware-as-a-Service (RaaS).
GandCrab splits ransom payments between the user and the GandCrab creator(s) 60/40 or 70/30 for its best users.
Payments are made through a privacy focused cryptocurrency called Dash, with payments set between $600 and $600,000.
SamSam emerged in 2016 and targets JBoss servers.
Notable victims include the town of Farmington in New Mexico, the Colorado Department of Transportation, Davidson County in North Carolina and the infrastructure of Atlanta.
Two Iranians are wanted by the FBI for allegedly launching SamSam, with estimates of $6 million from extortion and over $30 million in damages caused.
ZCryptor is a ransomware cryptoworm that encrypts files and self-propagates to other computers and network devices.
The first victim on the network is infected by common techniques, masquerading as an installer of a popular program or malicious macros in Microsoft Office files.
Once inside, the cryptoworm infects external drives and flash drives to distribute itself to other computers, then starts to encrypt files.
ZCryptor encrypts more than 80 file formats by adding a .zcrypt extension to the name of the file.
After that, the victim is shown a ransom note informing them their files have been encrypted. The ransom demand starts at 1.2 Bitcoin and increases to 5 Bitcoin after four days.
Reveton uses social engineering, pretending to be the police preventing the user from accessing their computer, claiming the computer has been locked by local law enforcement.
This is commonly referred to as the "Police Trojan", informing users they must pay a fine to unlock their system.
To increase the illusion that the computer is being tracked, the screen displays the computer's IP address and webcam, giving the illusion of the user being recorded.
How UpGuard Can Help Protect Your Organization from Ransomware
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each vendor is rated against 70+ criteria such as presence of SSL and DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing. Each day, our platform scores your vendors with a Security Rating out of 950 and alert you if their score drops.