Ransomware Examples: Most Famous Ransomware Attacks

Ransomware Attack Examples

From the AIDS Trojan, distributed on floppy disks, to the audacious Petya, we will cover the technical and operational characteristics of these ransomware strains. But first, let us cover essential ransomware concepts needed to understand the examples:

Encryption:

Encryption is the process of converting data into a coded form that you can only decipher with a unique decryption key. Ransomware uses strong encryption algorithms to lock files and make them unreadable. Hackers typically ask for payments to be made in anonymous cryptocurrencies such as Bitcoin or Monero, which are difficult to trace. The attackers may not release your files or provide you with the decryption keys if you pay the ransom. Therefore, the best course of action is to report the incident to law enforcement and seek assistance from cybersecurity professionals who may be able to help with recovery options.

• Exploitation: Ransomware often exploits vulnerabilities in software or operating systems to gain unauthorized access. Cyber attacks can be launched through phishing emails, exploit kits, malicious attachments and other methods. Ransomware also often takes advantage of vulnerabilities in outdated software or uses social engineering to trick users into executing the payload.
• Propagation: Once ransomware infects a system, it can spread within a network or to other connected devices. Some ransomware types have worm-like capabilities that allow them to autonomously move through vulnerable systems without requiring user interaction.
• Ransomware as a Service: Given the widespread adoption of Software as a Service, it is no surprise that the concept has made its way into the realm of malware. Ransomware as Service (RaaS), is a model in which cybercriminals create and distribute ransomware, then pass it on to others, known as partners or affiliates, who will conduct the actual attack. The creators of ransomware act as service providers in this model. They offer the malware and infrastructure to others, for a fee, or a percentage of profits. WannaCry
• WannaCry, released in May 2017, was one of the most widespread and damaging ransomware attacks. It was also known as WannaCrypt and Wanna Decryptor. This encrypting virus targeted computers running outdated versions of Windows. The attack was global, affecting 200,000 computers in 150 countries. It caused billions of dollars worth of damage. Some of the hardest-hit victims included government agencies and large corporations.WannaCry had the exceptional ability to spread without victim participation by leveraging the
• EternalBlue vulnerability. The United States National Security Agency discovered the exploit, but did not disclose it to Microsoft and the public. Many criticized this action because a patch could have been developed before WannaCry appeared if they had uncovered the vulnerability.

BitPaymer

BitPaymer emerged in August 2017 as a virus that encrypts a wide range of stored files and appends the “.locked” extension to their filenames, immediately rendering the compromised data unusable. It specifically, using email-related methods and exploiting vulnerabilities in remote desktop protocol.

BitPaymer creates a separate text file for each encrypted file, exemplified by the generation of a “sample.jpg.readme_txt” file corresponding to the original “sample.jpg” file. These text files contain messages that inform victims about the encryption and urge them to contact BitPaymer’s developers to obtain decryption instructions.Healthcare is one of the sectors most vulnerable to ransomware attacks. To learn why, read our article on ransomware in healthcare.3. DoppelPaymer

Most experts believe that DoppelPaymer is based on BitPaymer due to similarities in code, ransom notes, and payment portals. However, DoppelPaymer surpasses BitPaymer’s encryption rate and employs more sophisticated network infiltration techniques.

Once downloaded, it installs additional malware onto the victim’s system. It uses a tool named Process Hacker, which disables security, backup, database, and email server software. This prevents access and hinders defenses during encryption. Since its inception in 2019, DoppelPaymer’s attacks have continued throughout 2020. Europol reported on March 6, 2023 that the German and Ukrainian Police have targeted medical institutions although it’s unclear if the individuals apprehended were the group founders. Hive

First appearing in June 2021, Hive is an affiliate-based Ransomware-as-a-Service platform. They successfully attacked Microsoft Exchange Servers in April 2022 by exploiting a vulnerability known as ProxyShell. To further intimidate the victims, Hive sent a plain text ransom note threatening to publish the victim’s information on a TOR site named ‘HiveLeaks.’ Unless they met the attacker’s demand. The United States Department of Justice seized the back-end servers of the group on January 26, 2023. Petya

In its early iterations, Petya disguised its payload as a PDF file, propagating through email attachments using various infection vectors like spear phishing emails and compromised websites.

In April 2016, an anonymous programmer published a free decryptor on the code-sharing platform Github, ending Petya’s reign of terror. He claimed that he had created the tool in order to help his father-in law decrypt his Petya locked computer. NotPetya

NotPetya, also known as Petya 2.0, ExPetr, or Nyetya, was a highly destructive ransomware attack that first emerged in June 2017 and caused over. While it initially seemed like a variant of Petya, it was more sophisticated malware that exploited the EternalBlue vulnerability. dismantled a ransomware group using DoppelPaymerNotPetya employed multiple propagation techniques, including stolen credentials and the Windows Management Instrumentation Command-line (WMIC). NotPetya’s primary goal was to destroy data and infrastructure, not make money like traditional ransomware. It encrypted the master boot records (MBR) as well as the file tables upon infection. This rendered the system unusable. The ransom demand was made in Bitcoin. But even if victims paid the ransom, decryption and data recovery were impossible.

Cybersecurity experts believe that NotPetya was a state-sponsored attack aimed at destabilizing Ukraine, as most of the initial infections occurred in that region.

REvil

REvil, also known as Sodinokibi, is a Ransomware-as-a-Service operation originating in Russia. The ransomware code used by REvil is strikingly similar to the code used DarkSide. This suggests a possible association between these hacking group. Both groups use ransom notes that have a similar format and use identical codes to verify their victim’s geographical location to avoid targeting former Soviet Union countries. REvil initially demanded a $1001010 ransom, but later increased it to $100 million. REvil’s strategy included leaking several schematics and drawings of MacBook components to their dark web leak website. However, none of these documents were related to any new or unreleased Apple product. The Russian Federal Security Service arrested 14 of the group’s members and confiscated twenty luxury cars, computers, $426 million, $600,000. and 500,000 Euros. The group has reappeared, however, three months after its arrest, and, according to all reports, is still active.shut down Hive’s operations8. DarkSide

DarkSide is a Ransomware-as-a-Service group that emerged in July 2020, most likely in Russia. They became famous for their alleged participation in the. DarkSide, unlike some other hacking groups that have been responsible for major cyberattacks in the past, is probably not state-sponsored. DarkSide ransomware checks system language settings to avoid targets in former Soviet republics and Syria. Subsequently, DarkSide ransomware checks system language settings to avoid targets in former Soviet republics and Syria.

Interestingly, DarkSide presents itself as apolitical and avoids targeting certain sectors like hospitals, schools, non-profits, and governments, instead focusing on large corporations capable of paying hefty ransoms. The U.S. Department of State is offering a $1000 bounty for information on the identity or location of this hacker group. Following the gas pipeline attack, President Joe Biden indicated that the U.S. would intensify efforts to disrupt DarkSide’s operations.

On May 14, 2021, DarkSide announced the shutdown of its operations and the closure of its affiliate program, claiming pressure from the U.S. Cybersecurity experts caution that this might be a ploy to deflect scrutiny and resume activities under a different name, as it is common for cybercriminal networks to shut down, revive, and rebrand.

SimpleLocker

With basic design and functionalities, Simple Locker, which appeared in 2015, marked the beginning of Android-based ransomware.$10 billion of damageIt used a Trojan downloader to infect and encrypt files stored on a mobile device’s SD card or internal storage, infecting an estimated 150,000 devices as of late 2016. Simple Locker, once infected, displayed a ransom note on the device screen demanding payment for the decryption keys. TeslaCrypt

TeslaCrypt was a prominent ransomware family that first emerged in early 2015. TeslaCrypt was notable for its focus on files saved from World of Warcraft and other games such as Minecraft, Call of Duty and World of Tanks. This method appealed emotionally to the gamers, which increased the likelihood that they would comply with the ransom demand. Cryptolocker

Cryptolocker is a strain that gained infamy in 2013, successfully extracting around from its victims. It used a trojan to target computers running Microsoft Windows, and spread via the Gameover ZeuS Botnet. Cryptolocker used RSA public-key encryption to encrypt files on both local and network drives. The decryption keys were stored only on the malware control servers. Although removing CryptoLocker itself was straightforward, the encrypted files remained inaccessible, as researchers deemed breaking the encryption would be impossible.

In late May 2014, an international law enforcement collaboration successfully dismantled the Gameover ZeuS botnet responsible for distributing Cryptolocker. A security firm that was involved in the operation obtained the CryptoLocker private key database. These keys were then used to create an online tool which allowed the affected individuals to retrieve their files without having to pay the ransom.

Dharma

Dharma, which is closely related to Phobos and shares much of its code with it, is likely an evolution from the Crysis family of ransomware. This similarity makes it difficult even for anti-malware systems to differentiate between them, especially considering the many variants.$50 millionIntroduced in December 2018, Dharma serves as a Ransomware-as-a-Service platform, catering to individuals or groups who lack advanced programming skills.

Targeting Windows-operated computers, Dharma primarily exploits the Remote Desktop Protocol (RDP) as its primary method of attack. The attackers use the Internet to find computers that are using RDP (commonly on TCP Port 3389) and then launch brute force password attempts to gain access to the systems. AIDS Trojan

In 1990, the AIDS Trojan (also known as the PC Cyborg) became the first ransomware. The AIDS Trojan was created by biologist Joseph Popp who distributed approximately 20,000 diskettes labeled as “AIDS Information – Introductory diskettes” at the World Health Organization AIDS Conference. The virus activates after 90 computer boot-ups. It hides directories, encrypts or locks file names in the C drive. Despite its initial impact, the AIDS Trojan’s encryption was relatively simple to overcome as decryption tools quickly became available.

1GandCrab Colonial Pipeline cyberattack

GandCrab, first appearing in January 2018, was a widespread and sophisticated Ransomware-as-a-Service operation. GandCrab’s rapid evolution and ability to bypass security made it particularly dangerous.

Its creators regularly released new versions with improved encryption techniques and anti-detection capabilities, making it challenging for security researchers to keep up. GandCrab’s ransomware campaign came to an end in June 2019 when its operators announced their cease-fire and provided decryption key for most of the victims. Reveton

The Reveton virus strain was first discovered in 2012. It gained attention for its aggressive, intimidating tactics. Namely, Reveton locks the victim’s screen and displays a fake message from law enforcement agencies claiming they have evidence of illegal activities.reward of up to $10 millionOften known as a “Police Trojan,” the deceptive message accuses the victim of various crimes, such as distributing copyrighted material or engaging in child pornography, and demands the payment of a fine to unlock the computer. The ransom note also included official logos and used language that created a sense of urgency and fear, coercing the victim into paying the ransom.

Reveton is one of the best examples of hackers leveraging social engineering to create a sense of credibility. Ransomware can also display the IP address of the computer and the webcam image, giving the impression that the activity is being recorded and monitored. Maze

Maze was first discovered in 2019. Its double-extortion technique gained it a lot of attention. Criminals encrypted files and exfiltrated data while threatening victims to release the data if they did not pay. The information provided by the victim allowed Maze operators contact them more effectively. They would send a ransom email or note, requesting a large ransom for the decryption keys and a promise to not disclose the stolen data.

MedusaLocker

Named after the mythical creature with snakes for hair, MedusaLocker originated in 2019 and mostly relied on vulnerabilities in Remote Desktop Protocol to access victims’ networks. In January 2020, a variant called Ako emerged, featuring enhancements such as integrating a Tor hidden service.

This update also enabled them to adopt a Ransomware-as-a-Service model, streamlining their malicious activities. Recent observations indicate that MedusaLocker always divides ransom payments between its affiliates, who get 55-60 percent, and developers, who claim the remainder. Bad Rabbit

Bad Rabbit is a ransomware that was first discovered in October 2017. It targeted several organizations, mostly in Russia and Ukraine. Bad Rabbit’s resemblance with the Petya and NotPetya ransomware strains was notable, both for its code and lateral movement. This connection led to speculation that Bad Rabbit may have been a variant or inspired by the same threat actors.

Unlike traditional ransomware that spreads through phishing emails, Bad Rabbit disguises itself as an Adobe Flash installer and incorporates ransomware into websites by embedding JavaScript within the HTML code. This allows ransomware activation when users visit compromised sites. In most cases, the owners of the compromised sites hosting the Bad Rabbit Ransomware do not know that it is present on their website.

Bad Rabbit became famous for. The attacks were carried out on a variety of systems, such as the payment network for the Kyiv Metro system and the flight schedules in Odesa Airport. In October 2018, the United Kingdom claimed the incidents were Russian military cyber-attacks.

NetWalker

NetWalker is a highly sophisticated variant that gained prominence in 2019 and continues to pose a significant threat worldwide. It is distinguished by its double-extortion tactics, which are also used in the notorious Maze gang. NetWalker posted a sample file on the darkweb as proof that the breach had occurred. They then give the victims an ultimatum – pay the ransom or suffer a more extensive data breach.$3 millionIn March 2020, NetWalker underwent a significant transformation, adopting a Ransomware-as-a-Service model that facilitated rapid expansion. The criminal affiliates involved in the operation receive a substantial percentage of each ransom payment, providing them with a strong incentive to quickly propagate the ransomware far and wide, leading to its proliferation.

A leaked recruitment post has revealed that NetWalker is expanding its focus beyond the ubiquitous spear phishing attack vector. The ransomware will now target Remote Desktop Protocols that are exposed on the internet, which could increase its reach. Troldesh

Troldesh, also known as Shade or Encoder.858, is a ransomware strain created in Russia in 2014. The encryptor uses the “.xtbl extension” to encrypt files. Troldesh is spread initially through spam emails. Troldesh creators, unlike many ransomware attacks that prefer to remain anonymous and avoid direct communication with their victims, provide an email to contact them directly. The attackers will demand ransom via email and provide their preferred payment method. Ryuk

Ryuk is a ransomware that was first seen in late-2018. It’s most likely a variant of Hermes, an older ransomware. Ryuk targets large companies that can pay substantial amounts of money. The U.S. Department of Health and Human Services reports that Ryuk’s attacks resulted in

in ransom payments during 2018-2019, making it one of the most dangerous and successful strains in history.

Early in 2021, a emerged, exhibiting worm-like characteristics that enable it to self-propagate and infect other devices within the local network it infiltrates.

SamSam

A unique aspect of SamSam is that it remains covert and undetected for extended periods following the initial infection, acting as a spy within the compromised system. The attackers use Remote Desktop Protocol to gain persistent access to the victim’s network and then employ brute-force attacks or stolen credentials. Detecting RDP intrusions is difficult since the malware enters through an authorized access point.

Despite the linked to the operation of SamSam and the last reported attack being in 2018, we should not consider it inactive. There is no decryption software available publicly and there’s no proof that SamSam has been completely terminated. It is therefore prudent to consider this strain still active.

Locky

Appearing in early 2016, Locky is one of the most prolific and successful ransomware families to date. The ransomware spread mainly through email phishing, which tricked unsuspecting victims into opening malicious documents, usually Microsoft Office documents. These attachments, once opened, downloaded and executed malicious payloads on the victim’s PC. In order to entice recipients to enable macros, emails would often include misleading instructions. For example, they might claim that the document contained valuable information and that macros were required to display it properly. Locky ransomware remains a threat even though its impact is less than it was in 2016 and 2017. Over time, cybersecurity researchers and law enforcement agencies have also disrupted Locky’s operations and associated infrastructure, leading to a decline in distribution.

Following email security best practices, such as strong spam filters and disabling macros in attachments, can minimize the risk of falling victim to Locky ransomware.

Jigsaw

Named for the character in the horror film “Saw”, the Jigsaw variant was released in 2016 and received attention for its unique behaviors. It deletes files at intervals of an hour, creating a psychological pressure on the victim to pay the ransom. Moreover, if the target attempts to terminate the ransomware or remove it from the system, Jigsaw threatens to delete a large number of files as punishment.

Jigsaw also displays a menacing interface on the victim’s screen, featuring pictures and audio clips from the “Saw” movie and a countdown timer. The ransom note informs victims about the encryption, and requests a Bitcoin ransom within a certain time frame. Failure to meet the deadline permanently deletes an increasing number of files.

Although it struck fear into people worldwide, it turned out that Jigsaw, written in .NET, had a fatal weakness. Experts analyzed its code to quickly develop decryption techniques, removing the need to pay a ransom. Jigsaw has been known to resurface, causing network administrators anxiety. ZCryptor

Emerging in 2016, ZCryptor became known for its ability to self-propagate rapidly across networks, demonstrating worm-like behavior. This capability posed a significant threat and was a relatively unique feature.

ZCryptor employs a clever technique to infect computers by dropping an autorun.inf file on removable drives. The autorun.inf triggers malware execution when users plug in removable drives to other computers. This facilitates its spread. It is no longer as dangerous as it once was. It does not restrict .exe files, allowing modern malware removal tools to eliminate it efficiently – a faster solution than manual removal.

Discover effective strategies and practical tips to safeguard your digital assets in our comprehensive article on how to prevent ransomware.

How Puyka Can Help You Against Ransomware

We can equip you with the tools and expertise to mitigate ransomware risks and ensure the continuity and security of your valuable data.

Here is a range of comprehensive solutions to bolster your defense against ransomware:

Veeam Backups

Our Veeam Backups add an extra layer of protection against ransomware, guaranteeing the integrity of your data and eliminating the need for ransom payments. This secure platform enables quick restoration and seamless operations in the face of data loss or system failure and minimizes downtime in your IT environment. significantly disrupting critical networks in Bulgaria, Japan, Russia, Turkey, and UkraineDisaster Recovery

We offer reliable and affordable disaster recovery solutions to swiftly restore your IT environment in the face of unexpected events. Data Security Cloud is a cloud infrastructure platform that we built from the ground-up with malware protection as a priority. Developed in partnership with Intel and VMware, this robust solution implements multiple layers of security, making it ideal for healthcare providers seeking HIPAA-compliant servers.

Discover the latest ransomware statistics in our comprehensive article that sheds light on the impact these growing threats have on individuals and organizations worldwide.

Conclusion

As we conclude our exploration of ransomware examples, one thing remains as a certainty: the threat landscape will keep changing and likely grow more dangerous. Criminals will continue to adapt their strategies and exploit vulnerabilities as they look for new and innovative ways to extort money. To win the battle against malware, it is up to us to be vigilant and keep one step ahead.

Technology will play a crucial role, with advancements in artificial intelligence and behavioral analytics offering new avenues for detection and prevention. Cyber security awareness and training are also important to equip people with the necessary knowledge to recognize and respond to threats. We must learn from the past, share information, and collectively build up our defenses to create a more resilient future.