Ransomware has become one of the most significant cybersecurity threats facing individuals and organizations today. These malicious programs encrypt files on infected devices and demand ransom payments in cryptocurrency from victims to decrypt them. There are many different ransomware families with unique capabilities and targets. Understanding the most prevalent strains can help equip users and network defenders with the knowledge needed to detect potential attacks and recover from infections.
What is ransomware?
Ransomware is a form of malicious software that encrypts data on a device or network, preventing the owner from being able to access files, databases, and other important information. Once installed, ransomware displays a ransom demand, requiring payment within a short timeframe, often in cryptocurrency such as Bitcoin. Upon successful payment, cybercriminals will then provide the victim with a decryption key to unlock access to their information. If victims do not pay in time, the ransom amount increases, files may be deleted, or decryption may become impossible.
Ransomware attacks often leverage social engineering through phishing emails containing malicious attachments or links. These messages trick users into enabling the infection. Ransomware code can also find its way onto systems through unpatched software vulnerabilities or by brute-forcing weak passwords on external-facing ports or services. Once one system is compromised, ransomware can also spread laterally across networks.
Cryptolocker
First observed in 2013, Cryptolocker is often credited as one of the earliest ransomware strains to encrypt files and demand payment. It initially infected victims through malicious email attachments and used RSA public key cryptography paired with the AES algorithm to encrypt files on infected Windows machines. Due to its use of robust cryptography, infected systems often had no way to decrypt files without the private key held by the attackers.
Cryptolocker demanded payments between $300-$600 in Bitcoin within 72 hours. If victims failed to pay in time, the ransom amount increased and eventually the decryption keys would be deleted. It is estimated that Cryptolocker infected over 234,000 machines and extorted around $3 million in ransom payments.
Features
- Encrypts files with RSA-2048 and AES-256
- Demands ransom payment in Bitcoin
- Spreads via infected email attachments
- Targets Windows operating systems
CryptoWall
CryptoWall rose to prominence in 2014 as a major ransomware threat. Like Cryptolocker, it initially relied on infected email attachments to infiltrate systems and encrypt files with RSA-2048 and AES-128 algorithms. However, CryptoWall campaigns later shifted to using exploit kits and compromised sites to distribute the ransomware payload.
CryptoWall demanded ransoms between $200-$500 in Bitcoin and gave victims a limited window to pay. It had backend infrastructure to support multiple Bitcoin wallets and payment/decryption servers. CryptoWall was updated several times between 2014-2016 to add new features and exploits, with total extorted ransom estimated around $325 million.
Features
- Encrypts files with RSA-2048 and AES-128
- Spreads via email, exploit kits, compromised sites
- Backend payment infrastructure to manage ransom
- Targeted Windows operating systems
Locky
Active primarily during 2016-2017, Locky ransomware was known for its rapid spread via malicious Microsoft Office documents, often sent in phishing emails. When victims opened and enabled macros in these boobytrapped attachments, the Locky payload would download and encrypt a wide range of file types on the host Windows computer using AES encryption.
The Locky affiliate program allowed cybercriminals to customize and distribute the ransomware. Like other strains, Locky demanded ransom in Bitcoin, initially at half a Bitcoin (around $250 at the time). Researchers estimate Locky infected over 14 million systems and earned affiliates over $7 million.
Features
- Spreads via macro-enabled Microsoft Office files
- Encrypts files with AES algorithm
- Affiliate program used to widely distribute
- Originally demanded 0.5 BTC ransom
Cerber
Active since 2016, Cerber ransomware is still one of the most prolific strains, using the .cerber file extension on encrypted files. It is primarily distributed via exploit kits on compromised websites. Cerber abuses Windows Scripting engines like JavaScript and VBScript to execute and establish persistence on infected hosts.
The ransom amount demanded by Cerber ranges from $500-$1,000 in Bitcoin, depending on locale and system language. Cerber operators run an affiliate program and cryptocurrency tumblers to process payments while evading authorities. Reportedly, they have earned over $195 million in ransom payments.
Features
- Infects users via compromised sites and exploit kits
- Abuses Windows scripting for execution
- Ransom ranges from $500-$1,000 in Bitcoin
- Uses affiliate program and tumblers
WannaCry
WannaCry was a worldwide ransomware attack that affected hundreds of thousands of systems across 150 countries in May 2017. It exploited a known SMBv1 vulnerability using the EternalBlue exploit leaked from the NSA. WannaCry would scan the Internet for exposed SMB ports then use EternalBlue to gain access and execute the ransomware.
Once infected, WannaCry encrypted files and displayed ransom instructions demanding $300-$600 in Bitcoin. Due to its worm-like capabilities, WannaCry was able to rapidly spread across networks and bring down hospital systems, government agencies, telecom providers, train systems, and other critical infrastructure.
Features
- Used EternalBlue exploit to spread
- Encrypted files on Windows systems
- Demanded $300-$600 ransom in Bitcoin
- Disabled Windows SMB and security services
NotPetya
Pretending to be ransomware, NotPetya’s actual purpose was a destructive cyberattack designed to damage and disrupt systems. It initially infected networks via a trojanized software update using a supply-chain attack. Once executed, it caused an automatic reboot that overwrote the master boot record, encrypting the master file table and crashing the system.
The ransom demand displayed was a cover to masquerade as typical ransomware. Since it irreversibly destroyed data by overwriting the MBR, even if victims paid, files could not be recovered. NotPetya caused over $10 billion in damages across shipping, logistics, food, and pharmaceutical companies.
Features
- Propagated via supply chain software update
- Overwrote and encrypted MBR to destroy data
- Ransom demand used as cover
- Caused over $10 billion in damages
Ryuk
Active since 2018, Ryuk ransomware is specifically designed to target larger enterprises and government organizations. It is often manually installed by attackers who first infiltrate networks using access brokers and extensive reconnaissance. Ryuk avoids consumer systems, focusing on high-value targets that are capable of paying larger ransoms.
Ryuk encrypts files on network shares and storage using the AES-256 algorithm while also disabling Windows services related to backup and recovery. Ransom demands have been between 15-50 Bitcoin (around $100,000-$500,000). Ryuk is typically distributed and operated by experienced cybercrime groups out of Russia.
Features
- Manually installed via access brokers
- Encrypts files with AES-256 algorithm
- Disables Windows backup services
- Demands high ransom amounts in Bitcoin
Conti
Conti first appeared in 2019 and exemplifies the Ransomware-as-a-Service (RaaS) business model, where creators sell or lease ransomware to other attackers. Affiliates pay to use the Conti payload and infrastructure, then distribute and operate campaigns, splitting profits with owners.
Conti heavily utilizes the Tor anonymity network and encrypts files with an AES algorithm. Victims receive a ransom note with demands in Bitcoin to purchase a decryptor. Conti also threatens to leak stolen data. It has been used to attack over 400 US organizations, including Ireland’s healthcare system, resulting in an $800,000 ransom payment.
Features
- RaaS model used to distribute ransomware
- Encrypts files with AES algorithm
- Leverages Tor network to hide activity
- Exfiltrates and threatens to leak data
Maze
Emerging in early 2020, Maze pioneered the “quadruple extortion” ransomware tactics still used by certain strains today. In addition to encrypting data, Maze also exfiltrates sensitive information, threatens to release it publicly, and launches distributed denial-of-service (DDoS) attacks against victim organizations.
Maze uses the ChaCha20 symmetric encryption algorithm and demands ransoms based on the victim’s perceived revenue, ranging from tens to hundreds of thousands of dollars in Bitcoin. The group maintains a public-facing website where they post stolen files and shame victims who refuse to meet their demands.
Features
- Engages in quadruple extortion tactics
- Encrypts data with ChaCha20 algorithm
- Tailors ransom demands to victims
- Publicly leaks stolen data to pressure
REvil
REvil (also known as Sodinokibi) is a prolific RaaS ransomware that compromised many companies through supply-chain attacks, including software company Kaseya in July 2021. Affiliates gain access using purchased credentials or exploits then install REvil manually on systems. It uses several techniques to circumvent security tools and encrypts files with an unknown proprietary algorithm.
In addition to encryption, REvil also exfiltrates data, threatens leaks, and launches DDoS attacks to pressure victims. Ransoms depend on the size of the victim but average between $200,000-$2,000,000 paid in Monero or Bitcoin. REvil raked in over $200 million in ransom payments before it was disrupted by law enforcement.
Features
- Infects via supply-chain and with purchased access
- Custom encryption algorithm
- Employs extortion and DDoS attack
- Demands large ransoms in Monero/Bitcoin
DarkSide
DarkSide is a RaaS affiliate model that emerged in August 2020 and was behind the Colonial Pipeline attack in May 2021 that caused fuel shortages and panic buying across the southeastern US. Its creators sell access to the ransomware payload and backend infrastructure, handling cryptocurrency payments and data leaks.
DarkSide encrypts important Windows system files (to impair recovery) and data with a custom cryptographic algorithm. Affiliates break into networks then execute ransomware on critical systems and exfiltrate data. Ransoms average over $6 million. DarkSide avoids targets in former Soviet states and donates a cut to charity.
Features
- RaaS model with creator/affiliate structure
- Encrypts critical system files
- Exfiltrates data prior to encryption
- Demands multi-million dollar ransoms
Avaddon
Active between summer 2020 and June 2021, Avaddon was an affiliate-based RaaS ransomware known for using triple extortion tactics. Affiliates gained access to targets via phishing, exploits, and credential theft. In addition to encrypting data with an AES algorithm, Avaddon stole sensitive documents and threatened to auction them on its dark web portal if ransom demands were not met.
Avaddon demanded ransoms as high as $5 million from large corporations, paid in Bitcoin. The creators took a 25% cut of all ransom payments. Avaddon compromised at least 29 organizations before the operators apparently shut it down and released decryption keys to victims.
Features
- Infected networks via phishing and exploits
- Stole data and threatened auction if unpaid
- Demanded ransoms up to $5 million in Bitcoin
- Creators took 25% cut of payments
Conclusion
Ransomware remains a constantly evolving threat, with new families and variants emerging regularly even as law enforcement attempts to crack down. There are some commonalities across strains like encryption methods, ransom demands in cryptocurrency, and the use of affiliates, while certain families pioneer more elaborate extortion tactics.
Keeping software updated, securing backups offline, limiting access, and training employees to recognize social engineering can help defend against ransomware. Understanding the TTPs of prominent strains allows organizations to better detect potential infections before they occur and respond if critical systems are impacted. Ransomware shows no signs of slowing, so vigilance and preparation are key.
| Ransomware | Date of First Activity | Encryption Algorithm(s) | Notable Features |
|---|---|---|---|
| Cryptolocker | 2013 | RSA-2048 AES-256 |
Pioneered crypto ransomware |
| CryptoWall | 2014 | RSA-2048 AES-128 |
Refined extortion model |
| Locky | 2016 | AES | Rapid spread via Office docs |
| Cerber | 2016 | AES | First major RaaS variant |
| WannaCry | 2017 | AES-128 | Massive worm-like outbreak |
| NotPetya | 2017 | AES-128 | Wiper malware disguised as ransomware |
| Ryuk | 2018 | AES-256 | Targets large enterprises |
| Conti | 2019 | AES | Major RaaS operation |
| Maze | 2020 | ChaCha20 | Pioneered “quadruple extortion” |
| REvil | 2020 | Proprietary | Supply chain attacks |
| DarkSide | 2020 | Proprietary | Colonial pipeline attack |
| Avaddon | 2020 | AES | Auctioned stolen data |