1-Ryuk
Ryuk is a sophisticated ransomware operated by WIZARD SPIDER, a cybercrime group that targets large enterprises for high ransom payments.
Rather than exploiting vulnerabilities or using a spray-and-pray phishing method, Ryuk is spread through spear phishing emails and an Emotet geo-based download function. Once a machine is infected, a ransom note named RyukReadMe.txt is displayed; its template is static apart from the email address and Bitcoin wallet, which change from victim to victim.

The note usually lists one email address at protonmail.com and another at tutanota.com, typically built from the names of obscure actors, directors or Instagram models.
Based on observed transactions to known Ryuk BTC wallets, the ransom demand varies significantly depending on the size and value of the victim's organization.
The Russia-based group has made roughly $3.7 million off 52 known transactions.
2-SimpleLocker
As more users and valuable files migrate to mobile devices, so too do ransomware authors.
Android is particularly popular because of its open ecosystem and because apps on it are actually able to encrypt the user's files.
SimpleLocker was the first Android-based ransomware attack that delivered its payload via a Trojan downloader, which made it harder for countermeasures to catch up.

That said, the overall numbers are still low, at an estimated 150,000 as of late 2016. The good news is that by downloading apps only from the Google Play store, you're much less likely to be infected by ransomware or another type of malware.
3-Troldesh
Troldesh, also known as Encoder.858 and Shade, targets Windows systems and is distributed via the Axpergle and Nuclear exploit kits.
When first discovered in 2015, Troldesh provided an email address for victims to contact the attacker to negotiate the ransom payment.

Newer versions use a payment portal located on the dark web, requiring victims to use Tor to visit the site and submit their payment. It also comes bundled with additional malware named Mexar, which downloads the Teamspy bot for remote access to the victim's computer and requests malicious URLs from its C2 server.
4-GandCrab
First observed in January 2018, GandCrab was an encrypting ransomware that targeted PCs running Microsoft Windows.
Like Cerber, GandCrab does not infect machines in Russia or the former Soviet Union and is run as a Ransomware-as-a-Service (RaaS).

GandCrab splits ransom payments between the affiliate and the GandCrab creator(s) 60/40, or 70/30 for its best affiliates.
Payments are made through a privacy-focused cryptocurrency called Dash, with demands set between $600 and $600,000.
5-SamSam
SamSam emerged in 2016 and targets JBoss servers. It spreads by exploiting known vulnerabilities rather than through social engineering, using Remote Desktop Protocol and brute-force attacks to guess weak passwords.

Notable victims include the town of Farmington in New Mexico, the Colorado Department of Transportation, Davidson County in North Carolina and the infrastructure of Atlanta.
Two Iranians are wanted by the FBI for allegedly launching SamSam, with an estimated $6 million collected through extortion and over $30 million in damages caused.
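The RDP brute-force entry route described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a success (4624) once a weak password is guessed. The following is an added detection example, not code from the original article or from any vendor; the log records are constructed to resemble those fields, and the threshold and window values are assumed tuning parameters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields:
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
# RemoteInteractive (RDP). Hosts, users and times are invented.
SAMPLE_EVENTS = [
    {"time": "2018-03-01T02:00:01", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-03-01T02:00:03", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2018-03-01T02:00:05", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2018-03-01T02:00:08", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-03-01T02:00:11", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "svc_jboss"},
    {"time": "2018-03-01T02:00:14", "event_id": 4625, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2018-03-01T02:00:20", "event_id": 4624, "logon_type": 10,
     "src_ip": "203.0.113.7", "user": "administrator"},
    # A legitimate user mistyping a password twice, then succeeding.
    {"time": "2018-03-01T08:15:00", "event_id": 4625, "logon_type": 10,
     "src_ip": "10.0.0.25", "user": "jsmith"},
    {"time": "2018-03-01T08:15:09", "event_id": 4625, "logon_type": 10,
     "src_ip": "10.0.0.25", "user": "jsmith"},
    {"time": "2018-03-01T08:15:20", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.0.0.25", "user": "jsmith"},
    # A console logon (LogonType 2) is outside the scope of this rule.
    {"time": "2018-03-01T09:00:00", "event_id": 4625, "logon_type": 2,
     "src_ip": "-", "user": "jsmith"},
]

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5              # assumed tuning value, not from the article
WINDOW = timedelta(minutes=10)  # assumed tuning value


def detect_rdp_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src_ip: finding} for sources with `threshold` or more failed
    RDP logons inside a sliding `window`. A finding records the usernames
    tried, the total failures, and whether a successful RDP logon from the
    same source followed the burst (a guessed password, the SamSam case)."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] == RDP_LOGON_TYPE:
            by_src[ev["src_ip"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        recent = []            # failure timestamps still inside the window
        tried_users = set()
        total_failures = 0
        finding = None
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            if ev["event_id"] == 4625:
                total_failures += 1
                tried_users.add(ev["user"])
                recent.append(t)
                recent = [f for f in recent if t - f <= window]
                if len(recent) >= threshold and finding is None:
                    finding = {"users": tried_users, "failed_logons": 0,
                               "success_after": None}
                    findings[src] = finding
            elif ev["event_id"] == 4624 and finding is not None:
                finding["success_after"] = (ev["user"], ev["time"])
        if finding is not None:
            finding["failed_logons"] = total_failures
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_brute_force(SAMPLE_EVENTS).items():
        print(src, f["failed_logons"], "failures, users:", sorted(f["users"]),
              "success after burst:", f["success_after"])
```

A success recorded after the burst is the case to escalate first: an account on that host is now in the attacker's hands. Also note that the sample's legitimate user with two typos stays below the threshold, which is why a window-based count is preferable to alerting on any single 4625.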
6-ZCryptor
ZCryptor is a ransomware crypto worm that encrypts files and self-propagates to other computers and network devices.
The first victim on the network is infected by common techniques, such as an installer masquerading as a popular program or malicious macros in Microsoft Office files. Once inside, the crypto worm copies itself to external drives and flash drives to reach other computers, then starts to encrypt files.

ZCryptor encrypts more than 80 file formats, appending a .zcrypt extension to the name of each encrypted file.
After that, the victim is shown a ransom note informing them that their files have been encrypted. The ransom demand starts at 1.2 Bitcoin and increases to 5 Bitcoin after four days.
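Two of the families above leave simple on-disk indicators: Ryuk drops a note named RyukReadMe.txt, and ZCryptor renames every encrypted file with a .zcrypt extension. The code below is an added example, not from the original article or any product, showing how a defender can match those two indicators in file-system events while also applying a generic heuristic (one process renaming many files to the same new extension within a short window) that catches families whose extension is not yet on the list. The events, process names, paths and the .locked extension are constructed; the threshold and window are assumed values.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the families described above: the Ryuk ransom note
# file name and the extension ZCryptor appends. Matching is case-insensitive.
KNOWN_NOTE_NAMES = {"ryukreadme.txt"}
KNOWN_EXTENSIONS = {".zcrypt"}

# Generic heuristic for families not on the list: one process renaming
# RENAME_THRESHOLD or more files to the same new extension inside WINDOW.
# Both values are assumptions for this example, not figures from the article.
RENAME_THRESHOLD = 10
WINDOW = timedelta(seconds=60)


def constructed_events():
    """Constructed file-system events as (timestamp, process, action, path).
    Process names, paths and the '.locked' extension are invented."""
    base = datetime(2016, 5, 24, 14, 30, 0)
    events = []
    # ZCryptor-style burst: 12 documents renamed with the .zcrypt extension.
    for i in range(12):
        events.append((base + timedelta(seconds=i), "setup_installer.exe", "rename",
                       r"C:\Users\alice\Documents\report%d.docx.zcrypt" % i))
    # A burst using an extension that is NOT on the known list, so only the
    # generic heuristic can catch it.
    for i in range(10):
        events.append((base + timedelta(hours=1, seconds=i), "invoice_macro.exe", "rename",
                       r"C:\Users\alice\Pictures\img%d.jpg.locked" % i))
    # Ryuk-style ransom note dropped on the desktop.
    events.append((base + timedelta(hours=3), "dropper.exe", "create",
                   r"C:\Users\alice\Desktop\RyukReadMe.txt"))
    # Benign: a backup tool renaming a few files to .bak, one per minute.
    for i in range(3):
        events.append((base + timedelta(days=1, minutes=i), "backup.exe", "rename",
                       r"D:\backup\db%d.sql.bak" % i))
    return events


def scan_events(events, rename_threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return a list of (kind, process, detail) alerts, at most one per
    (kind, process, indicator) so a burst does not produce hundreds of rows."""
    alerts, fired = [], set()
    # per process, per new extension: timestamps of renames inside the window
    recent_renames = defaultdict(lambda: defaultdict(list))

    def raise_alert(kind, proc, key, detail):
        if (kind, proc, key) not in fired:
            fired.add((kind, proc, key))
            alerts.append((kind, proc, detail))

    for ts, proc, action, path in sorted(events, key=lambda e: e[0]):
        name = ntpath.basename(path).lower()   # ntpath parses Windows paths on any OS
        ext = ntpath.splitext(name)[1]
        if name in KNOWN_NOTE_NAMES:
            raise_alert("known_ransom_note", proc, name, path)
        if ext in KNOWN_EXTENSIONS:
            raise_alert("known_extension", proc, ext, path)
        if action == "rename" and ext:
            bucket = recent_renames[proc][ext]
            bucket.append(ts)
            bucket[:] = [t for t in bucket if ts - t <= window]
            if len(bucket) >= rename_threshold:
                raise_alert("mass_rename", proc, ext,
                            "%d files renamed to %s within %d s"
                            % (len(bucket), ext, window.total_seconds()))
    return alerts


if __name__ == "__main__":
    for kind, proc, detail in scan_events(constructed_events()):
        print("%-18s %-20s %s" % (kind, proc, detail))
```

The known-indicator matches are cheap and precise but only cover families already seen; the rename-rate heuristic is what gives early warning on a new strain, at the cost of needing a threshold that the slow, legitimate backup job in the sample stays under.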