How it works: Egregor follows the “double extortion” pattern of both encrypting data and threatening to leak sensitive data if the ransom isn’t paid. Its codebase is relatively sophisticated and able to avoid detection by using obfuscation and anti-analysis techniques.
Targeted victims: As of late November, Egregor had victimized at least 71 organizations across 19 industries worldwide.
Attribution: Egregor’s rise coincides with the Maze ransomware gang shutting down its operations. Maze group affiliates appear to have moved on to Egregor. It’s a variant of the Sekhmet ransomware family and is associated with the Qakbot malware.
Current status: Egregor emerged shortly after the Maze ransomware group announced its shutdown. The ransomware was most active between September 2020 and early 2021 before being taken down by the FBI and Ukrainian authorities.
FONIX
History: FONIX is an RaaS offering that was first discovered in July 2020. It quickly went through a number of code revisions, but abruptly shut down in January 2021. The FONIX gang then released its master decryption key.
How it works: The FONIX gang advertised its services on cybercrime forums and the dark web. Buyers of FONIX would send the gang an email address and password. The gang then sends the customized ransomware payload to the buyer. The FONIX gang takes a 25% cut of any ransom fees paid.
Targeted victims: Since FONIX is RaaS, anyone could be a victim.
Attribution: An unknown cybercriminal gang
Current status: Never reaching the heights of a major player, FONIX has been defunct since 2021.
GandCrab
History: GandCrab might be the most lucrative RaaS ever. Its developers claimed more than $2 billion in victim payouts as of July 2019. GandCrab was first identified in January 2018.
How it works: GandCrab is an affiliate ransomware program for cybercriminals who pay its developers a portion of the ransom fees they collect. The malware is usually delivered through malicious Microsoft Office documents sent via phishing emails. Variants of GandCrab have exploited vulnerabilities in software such as Atlassian’s Confluence. In that case, the attackers use the flaw to inject a rogue template that enables remote code execution.
Targeted victims: GandCrab has infected systems globally across multiple industries, though it’s designed to avoid systems in Russian-speaking regions.
Attribution: GandCrab has been tied to Russian national Igor Prokopenko.
Current status: GandCrab was a dominant ransomware threat between January 2018 and May 2019. Researchers suspect the group behind it shifted its focus to developing a ransomware strain known as REvil or Sodinokibi. Sodinokibi/REvil remains active.
GoldenEye
History: Appearing in 2016, GoldenEye appears to be based on the Petya ransomware.
How it works: GoldenEye was initially spread through a campaign targeting human resources departments with fake cover letters and resumes. Once its payload infects a computer, it executes a macro that encrypts files on the computer, adding a random 8-character extension to the end of each file. The ransomware then modifies the computer’s hard drive master boot record with a custom boot loader.
Targeted victims: GoldenEye first targeted German-speaking users in its phishing emails.
Attribution: Unknown
Current status: GoldenEye resurfaced in June 2017 with attacks in Ukraine, but appears to be inactive currently.
Grief
History: The Grief ransomware, also known as “Pay or Grief”, is considered the successor of DoppelPaymer and appeared in May 2021. Between May and October, the group claimed to have compromised 41 companies and other organizations, the majority of them in Europe and the U.K. It’s estimated that the group made over $11 million in that timeframe. In late October, the group claimed it had compromised the US National Rifle Association (NRA) and stolen data that it held for ransom.
How it works: Grief is an RaaS operation working with affiliates who perform the intrusions and installation of the ransomware program in exchange for a commission from the ransom payment. The group engages in double extortion by stealing data from compromised organizations and threatening to release it if the victim doesn’t pay. Grief maintains a leak website where it publishes information about the victims, and more recently it has started warning victims that if they contact law enforcement, ransomware negotiators or data recovery specialists, it will wipe the systems it has access to, leaving victims unable to recover their files even if they are willing to pay for the decryption key.
The code differences between DoppelPaymer and Grief are minor. The embedded ProcessHacker binaries, which DoppelPaymer used to terminate various processes, have been removed, and the RC4 key used in the encryption routine has been increased from 40 to 48 bytes. Otherwise, the encryption algorithms remain the same: 2048-bit RSA and 256-bit AES.
Targeted victims: Grief has compromised various manufacturers, pharmacies, food services and hospitality providers, educational institutions, as well as municipalities and at least one government district. The group has not published the identities of all the victims it claims to have made on its leak website.
Attribution: The Grief ransomware is believed to be operated by Evil Corp, a cybercriminal group previously known for operating the Dridex botnet as well as the WastedLocker and DoppelPaymer ransomware operations. Evil Corp is one of the cybercriminal groups on the Department of the Treasury’s sanctions list, and two individuals associated with it are on the FBI’s most wanted list.
Current status: Grief remains active to this day.
Jigsaw
History: Jigsaw first appeared in 2016, but researchers released a decryption tool shortly after its discovery.
How it works: The most notable aspect of Jigsaw is that it encrypts some files, demands a ransom, and then progressively deletes files until the ransom is paid. It deletes one file per hour for 72 hours. At that point, it deletes all remaining files.
Targeted victims: Jigsaw does not appear to have targeted any particular group of victims.
Attribution: Unknown
Current status: Jigsaw is no longer active in its original form, but its source code is openly available, allowing threat actors to modify and adapt the malware.
KeRanger
History: KeRanger, discovered in 2016, is believed to be the first operational ransomware designed to attack Mac OS X applications.
How it works: KeRanger was distributed through a legitimate but compromised BitTorrent client that was able to evade detection because it had a valid certificate.
Targeted victims: Mac users
Attribution: Unknown
Current status: KeRanger is no longer believed to be active.
Leatherlocker
History: Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Google removed the apps from its store shortly after discovery.
How it works: Victims download what appears to be a legitimate app. The app then asks for permissions that grant the malware the access it needs to execute. Rather than encrypt files, it locks the device’s home screen to prevent access to data.
Targeted victims: Android users who download the infected apps.
Attribution: An unknown cybercriminal group.
Current status: Leatherlocker appears not to be active.
LockerGoga
History: LockerGoga appeared in 2019 in an attack targeting industrial companies. Although the attackers asked for a ransom, LockerGoga seemed intentionally designed to make paying a ransom difficult. This led some researchers to believe its intent was disruption rather than financial gain.
How it works: LockerGoga used a phishing campaign with malicious document attachments to infect systems. The payloads were signed with valid certificates, which allowed them to bypass security controls.
Targeted victims: LockerGoga victimized European manufacturing companies, most notably Norsk Hydro, where it caused a global IT shutdown.
Attribution: Some researchers say LockerGoga was likely the work of a nation-state.
Current status: LockerGoga caused severe disruption and financial losses for industrial companies, including an attack on Norsk Hydro in March 2019. Europol’s arrest of suspects behind the LockerGoga, MegaCortex, and Dharma ransomware attacks curtailed the threat.
Locky
History: Locky first began spreading in 2016 and used an attack method similar to the banking malware Dridex. Locky has inspired a number of variants, including Osiris and Diablo6.
How it works: Victims are usually sent an email with a Microsoft Word document purporting to be an invoice. That invoice contains a malicious macro. Microsoft disables macros by default because of the security risks. If macros are enabled, the document runs the macro, which downloads Locky. Dridex uses the same technique to steal account credentials.
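The macro-laden invoice is the delivery mechanism for Locky (and, as the page notes for GandCrab and Dridex, for several other families). A mail gateway or triage script can flag such attachments before a user ever sees the "enable content" prompt: in Office Open XML files (.docm/.docx/.xlsm), a VBA project is stored as a `vbaProject.bin` part inside the ZIP container and declared in `[Content_Types].xml`. The following is an added example, not code from the original article, using only the Python standard library; the sample documents it builds are constructed in memory, and the `build_sample_docx` helper is an assumption for demonstration. Legacy binary `.doc` files use the OLE2 container instead, which this check only recognizes and does not parse.

```python
import io
import zipfile

# OLE2 compound-file magic: legacy binary .doc/.xls use this container.
# Inspecting macros there needs an OLE parser (e.g. oletools); here we only flag it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Where Word, Excel and PowerPoint store a VBA project inside an OOXML zip.
VBA_PART_NAMES = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True when an Office Open XML document carries a VBA project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        lowered = {n.lower() for n in names}
        if any(part in lowered for part in VBA_PART_NAMES):
            return True
        # The part can be stored under a non-default name, but it must still be
        # declared with the vbaProject content type in [Content_Types].xml.
        if "[Content_Types].xml" in names:
            return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Coarse verdict for a mail attachment: macro / ooxml-no-macro / legacy-ole / unknown."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"          # hand off to an OLE-aware scanner
    if has_vba_macros(data):
        # A VBA project behind a .docx name is worth a second look on its own.
        if filename.lower().endswith((".docx", ".xlsx", ".pptx")):
            return "macro-extension-mismatch"
        return "macro"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "ooxml-no-macro"
    return "unknown"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample (assumption, not a real invoice): a minimal OOXML zip,
    optionally carrying a placeholder VBA part and its content-type declaration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" constructed placeholder")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(types) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in [("invoice.docm", build_sample_docx(True)),
                          ("invoice.docx", build_sample_docx(True)),
                          ("invoice.docx", build_sample_docx(False)),
                          ("invoice.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(f"{name}: {classify_attachment(name, payload)}")
```

The check is deliberately structural rather than signature-based: it does not try to judge what the macro does, only that the document can run one, which is enough to quarantine an unsolicited "invoice" for review. Pair it with the "macros disabled by default" control the page mentions; the two together cover both the gateway and the endpoint.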
Targeted victims: Early Locky attacks targeted hospitals, but subsequent campaigns were broad and untargeted.
Attribution: It’s suspected that the cybercriminal group behind Locky is affiliated with one of those behind Dridex, due to similarities between the two.
Current status: Locky was a significant threat between 2016 and 2017 but is no longer active.
Maze
History: Maze is a relatively new ransomware group, discovered in May 2019. It’s known for releasing stolen data to the public if the victim doesn’t pay to decrypt it. The Maze group announced in September 2020 that it was closing its operations.
How it works: Maze attackers usually gain access to networks remotely using valid credentials that may be guessed, default, or obtained through phishing campaigns. The malware then scans the network using open-source tools to discover vulnerabilities and learn about the network. It then moves laterally throughout the network looking for more credentials that can be used for privilege escalation. Once it finds domain admin credentials, it can access and encrypt anything on the network.
Targeted victims: Maze operates on a global scale across all industries.
Attribution: The people behind Maze are believed to be multiple criminal groups that share their specialties rather than a single gang.
Current status: Maze shuttered its operations in 2020.
Mespinoza (a.k.a. PYSA)
History: First identified in 2019, the Mespinoza group has a reputation for being cocky and quirky. According to a report from Palo Alto Networks’ Unit 42, the gang refers to its victims as “partners” and provides advice on convincing management to pay the ransom. Mespinoza uses its own tools with names like MagicSocks and HappyEnd.bat.
How it works: Despite its quirks, Mespinoza is quite disciplined in its approach, according to Unit 42. The gang does its homework on potential victims to target those with the most valuable assets. Then it looks for keywords such as SSN, driver license, or passport in documents to identify the most sensitive files. The attack uses RDP to gain network access and then uses open-source and built-in system tools to move laterally and gather credentials. It installs malware called Gasket to create a backdoor. Gasket has a feature called MagicSocks that creates tunnels for remote access. The gang uses the double extortion approach, which includes a threat of releasing sensitive data if the ransom isn’t paid.
Targeted victims: Mespinoza operates on a global scale and targets large enterprises across many industries. It recently attacked K-12 schools, universities and seminaries in the US and UK.
Attribution: Unknown
Current status: Mespinoza appears to still be active, but its level of activity is much diminished from its 2020-21 peak.
Netwalker
History: Active since 2019, Netwalker is another ransomware operation that uses the double threat of withholding decryption keys and selling or leaking stolen data. In late January 2021, however, the US Department of Justice announced an international action that disrupted the Netwalker operation.
How it works: From a technical standpoint, Netwalker is relatively ordinary ransomware. It gains a foothold using phishing emails, encrypts and exfiltrates data, and sends a ransom demand. It’s the second threat of exposing sensitive data that makes it more dangerous. It’s known to have released stolen data by placing it in a password-protected folder on the dark web and then releasing the key publicly.
Targeted victims: Netwalker targets primarily healthcare and educational institutions.
Attribution: The Circus Spider gang is believed to have created Netwalker.
Current status: Netwalker gained notoriety during the COVID-19 pandemic after attacks targeting healthcare, education, and government organizations. A law enforcement operation in January 2021 disrupted Netwalker’s infrastructure, leading to arrests and seizures of cryptocurrency. A new ransomware variant called Alpha, showing marked technical similarities to Netwalker, surfaced in February 2023.
NotPetya
History: First appearing in 2016, NotPetya is actually data-destroying malware, known as a wiper, that masquerades as ransomware.
How it works: The NotPetya virus superficially resembles Petya in that it encrypts files and requests a ransom in Bitcoin. Petya requires the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya can spread without human intervention. The original infection vector appears to have been a backdoor planted in M.E.Doc, an accounting software package that’s used by almost every company in Ukraine. Having infected computers from M.E.Doc’s servers, NotPetya used a variety of techniques to spread to other computers, including EternalBlue and EternalRomance. It can also take advantage of Mimikatz to find network administration credentials in the infected machine’s memory, and then use the Windows PsExec and WMIC tools to remotely access and infect other computers on the local network.
Targeted victims: The attack primarily focused on Ukraine.
Attribution: The Sandworm group within Russia’s GRU is believed to be responsible for NotPetya.
Current status: After launching the most damaging cyberattack to date, NotPetya appears not to be active.
Petya
History: The name derives from a satellite that was part of the sinister plot in the 1995 James Bond film GoldenEye. A Twitter account suspected of belonging to the malware’s author used a picture of actor Alan Cumming, who played the villain, as its avatar. The initial version of the Petya malware began to spread in March 2016.
How it works: Petya arrives on the victim’s computer attached to an email purporting to be a job applicant’s resume. It’s a package with two files: a stock image of a young man and an executable file, often with “PDF” somewhere in the file name. When the victim clicks on that file, a Windows User Access Control warning tells them that the executable is going to make changes to their computer. The malware loads once the victim accepts the change and then denies access by attacking low-level structures on the storage media.
Targeted victims: Any Windows system is a potential target, but Ukraine was hardest hit by the attack.
Attribution: Unknown
Current status: Most noteworthy for its similarities to the far more damaging NotPetya wiper, Petya is not active currently.
PureLocker
History: The PureLocker RaaS platform, discovered in 2019, targets enterprise production servers running Linux or Windows. It’s written in the PureBasic language, hence its name.
How it works: PureLocker relies on the more_eggs backdoor malware to gain access rather than on phishing attempts. Attackers target machines that have already been compromised and that they understand. PureLocker then analyzes the machines and selectively encrypts data.
Targeted victims: Researchers believe that only a few criminal gangs can afford to pay for PureLocker, so its use is limited to high-value targets.
Attribution: The malware-as-a-service (MaaS) provider behind the more_eggs backdoor is likely responsible for PureLocker.
Current status: Very few reported attacks linked to PureLocker have appeared over the past five years.
RobbinHood
History: RobbinHood is another ransomware variant that uses EternalBlue. It brought the city of Baltimore, Maryland, to its knees in 2019.
How it works: The most distinctive feature of RobbinHood is how its payload bypasses endpoint security. It has five parts: an executable that kills processes and files of security products, code to deploy a signed third-party driver and a malicious unsigned kernel driver, an outdated Authenticode-signed driver that has a vulnerability, a malicious driver to kill processes and delete files from kernel space, and a text file with a list of applications to kill and delete.
The outdated, signed driver has a known bug that the malware uses to avoid detection and then install its own unsigned driver on Windows 7, Windows 8 and Windows 10.
Targeted victims: Local governments such as the cities of Baltimore and Greenville, North Carolina, seem to be hardest hit by RobbinHood.
Attribution: An unidentified criminal group
Current status: RobbinHood gained notoriety in 2019, but little has been seen of the malware in recent years.
Ryuk
History: Ryuk first appeared in August 2018 but is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017.
How it works: It’s often used in combination with other malware like TrickBot. The Ryuk gang is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.
The Ryuk attackers demand high ransom payments from their victims, typically between 15 and 50 Bitcoins (roughly $100,000 to $500,000), although higher payments have reportedly been made.
Targeted victims: Businesses, hospitals and government organizations—often those most vulnerable—are the most common Ryuk victims.
Attribution: First attributed to the North Korean Lazarus Group, which used Hermes in an attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, Ryuk is now believed to be the creation of a Russian-speaking cybercriminal group that obtained access to Hermes. The Ryuk gang, sometimes called Wizard Spider or Grim Spider, also operates TrickBot. Some researchers believe that Ryuk could be the creation of the original Hermes author or authors working under the handle CryptoTech.
Current status: A sophisticated ransomware strain, Ryuk remains active as of February 2025.
SamSam
History: SamSam has been around since 2015, targeted primarily healthcare organizations, and ramped up significantly in the following years.
How it works: SamSam is an RaaS operation whose controllers probe pre-selected targets for weaknesses. It has exploited a range of vulnerabilities in everything from IIS to FTP to RDP. Once inside the system, the attackers escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.
Targeted victims: Hardest hit were US-based healthcare and government organizations, including the Colorado Department of Transportation and the City of Atlanta.
Attribution: Initially believed by some to have an Eastern European origin, SamSam mostly targeted US institutions. In late 2018, the US Department of Justice indicted two Iranians who it claims were behind the attacks.
Current status: SamSam first emerged in December 2015 and remains active as of February 2025.
SimpleLocker
History: SimpleLocker, discovered in 2014, was the first widespread ransomware attack that focused on mobile devices, specifically Android devices.
How it works: SimpleLocker infects devices when the victim downloads a malicious app. The malware then scans the device’s SD card for certain file types and encrypts them. It then displays a screen demanding a ransom, with instructions on how to pay.
Targeted victims: Since the ransom note is in Russian and asks for payment in Ukrainian currency, it’s assumed that the attackers originally targeted that region.
Attribution: SimpleLocker is believed to have been written by the same hackers who developed other Russian malware such as SlemBunk and GM Bot.
Current status: SimpleLocker is not believed to be currently active.
Sodinokibi/REvil
History: Sodinokibi, also known as REvil, is another RaaS platform that first emerged in April 2019. Apparently related to GandCrab, it also has code that prevents it from executing in Russia and several adjacent countries, as well as Syria. It was responsible for shutting down more than 22 small Texas towns, and on New Year’s Eve 2019 it took down the UK currency exchange service Travelex. Most recently, REvil ransomware was used in the attack on meat processing company JBS, temporarily disrupting the meat supply in the US. It was also responsible for the attack on Kaseya, which supplies software to MSPs. Thousands of MSP customers were affected. Shortly after the Kaseya attack, REvil’s websites disappeared from the internet.
How it works: Sodinokibi propagates in several ways, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN. It targets Microsoft Windows systems and encrypts all files except configuration files. Victims then receive a double threat if they don’t pay the ransom: they won’t get their data back, and their sensitive data will be sold or published on underground forums.
Targeted victims: Sodinokibi has infected many different organizations globally outside the regions it excludes.
Attribution: Sodinokibi rose to prominence after GandCrab shut down. An alleged member of the group, using the handle Unknown, confirmed that the ransomware was built on top of an older codebase that the group acquired.
Current status: Sodinokibi/REvil remains active currently.
TeslaCrypt
History: TeslaCrypt is a Windows ransomware Trojan first detected in 2015 that targets players of computer games. Several newer versions appeared in rapid succession, but the developers shut down operations in May 2016 and released the master decryption key.
How it works: Once it infects a computer, usually after a victim visits a hacked website that runs an exploit kit, TeslaCrypt looks for and encrypts gaming files such as game saves, recorded replays and user profiles. It then demands a $500 fee in Bitcoin to decrypt the files.
Targeted victims: Computer gamers
Attribution: Unknown
Current status: No longer active as of May 2016
Thanos
History: The Thanos RaaS is relatively new, discovered in late 2019. It’s the first to use the RIPlace technique, which can bypass most anti-ransomware methods.
How it works: Advertised in underground forums and other closed channels, Thanos is a customized tool that its affiliates use to create ransomware payloads. Many of the features it offers are designed to evade detection. The Thanos developers have released several versions, adding capabilities such as disabling third-party backups, removing Windows Defender signature files, and features to make forensics harder for response teams.
Targeted victims: As an RaaS platform, Thanos can victimize any organization.
Attribution: Unknown
Current status: The Thanos RaaS remains active currently.
WannaCry
History: The WannaCry worm spread through computer networks rapidly in May 2017 thanks to the EternalBlue exploit developed by the US National Security Agency (NSA) and then stolen by hackers. It quickly infected millions of Windows computers.
How it works: WannaCry consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself, including:
- An application that encrypts and decrypts data
- Files containing encryption keys
- A copy of Tor
Once launched, WannaCry tries to access a hard-coded URL. If it can’t, it proceeds to search for and encrypt files in important formats, ranging from Microsoft Office files to MP3s and MKVs. It then displays a ransom notice demanding Bitcoin to decrypt the files.
Targeted victims: The WannaCry attack affected companies globally, but high-profile enterprises in healthcare, energy, transportation and communications were particularly hard hit.
Attribution: North Korea’s Lazarus Group is believed to be behind WannaCry.
Current status: WannaCry’s spread was halted when security researcher Marcus Hutchins accidentally activated a kill switch by registering a domain associated with the malware.
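The hard-coded URL check described above is what the registered domain turned into a kill switch: once the name resolved and the request succeeded, the worm stopped before encrypting. For an incident responder that check has a useful side effect, because every host that looked the domain up had already run the worm, and the resolver's answer hints at whether the kill switch took effect on that host. The following is an added example, not code from the original article: it triages a constructed resolver log against a watchlist of sinkholed names. The domain `killswitch-domain.example` is a placeholder (the real WannaCry domain is not reproduced here), and the log format is assumed.

```python
# Placeholder watchlist: the real sinkholed WannaCry domain is deliberately not used.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed resolver log (assumed format): timestamp, client IP, queried name, response code.
SAMPLE_DNS_LOG = """\
2017-05-12T08:01:10Z 10.1.4.22 www.example.org NOERROR
2017-05-12T08:02:31Z 10.1.4.22 killswitch-domain.example NOERROR
2017-05-12T08:02:32Z 10.1.7.9 killswitch-domain.example NXDOMAIN
2017-05-12T08:02:40Z 10.1.7.9 killswitch-domain.example NXDOMAIN
2017-05-12T08:03:05Z 10.1.9.3 updates.example.net NOERROR
"""

HALTED = "ran-worm-kill-switch-reached-likely-halted"
ENCRYPTED = "ran-worm-kill-switch-unreachable-likely-encrypted"


def triage_kill_switch_lookups(log_text: str, watchlist=KILL_SWITCH_DOMAINS) -> dict:
    """Map each client that queried a watchlisted name to a triage verdict.

    Any lookup at all means the worm executed on that client. A NOERROR answer
    means the name resolved, so the worm's URL check most likely succeeded and it
    exited before encrypting; any other answer means the check could not have
    succeeded, and per the behaviour described above the worm went on to encrypt.
    One failed lookup is enough for the worse verdict to stick.
    """
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        if qname.lower().rstrip(".") not in watchlist:
            continue
        entry = findings.setdefault(client, {"first_seen": ts, "lookups": 0, "verdict": HALTED})
        entry["lookups"] += 1
        if rcode != "NOERROR":
            entry["verdict"] = ENCRYPTED
    return findings


def hosts_to_isolate(findings: dict) -> list:
    """Hosts that ran the worm and probably encrypted files come first in the queue."""
    return sorted(findings, key=lambda h: (findings[h]["verdict"] != ENCRYPTED, h))


if __name__ == "__main__":
    result = triage_kill_switch_lookups(SAMPLE_DNS_LOG)
    for host in hosts_to_isolate(result):
        print(host, result[host])
```

Treat the verdict as a triage hint rather than proof: a resolved name shows only that the lookup succeeded, not that the subsequent HTTP request did, so hosts in the "halted" bucket still ran the worm and still need patching and containment; the bucket only orders the response queue.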
WastedLocker
History: One of the more recent to appear, the WastedLocker ransomware began victimizing organizations in May 2020. It is one of the more sophisticated examples of ransomware, and its creators are known for asking high ransom fees.
How it works: The malware uses a JavaScript-based attack framework called SocGholish that’s distributed in ZIP file form via a fake browser update that appears on legitimate but compromised websites. Once activated, WastedLocker downloads and executes PowerShell scripts and a backdoor called Cobalt Strike. The malware then explores the network and deploys “living off the land” tools to steal credentials and gain access to high-value systems. It then encrypts data using a combination of AES and RSA cryptography.
Targeted victims: WastedLocker focuses on high-value targets most likely to pay high ransoms, primarily in North America and Western Europe.
Attribution: A known criminal gang, Evil Corp, is responsible for WastedLocker. The group is also known for operating the Dridex malware and botnet.
Current status: WastedLocker remains active as of February 2025.
WYSIWYE
History: Discovered in 2017, WYSIWYE (What You See Is What You Encrypt) is an RaaS platform that targets Windows systems.
How it works: WYSIWYE scans the web for open Remote Desktop Protocol (RDP) servers. It then executes sign-in attempts using default or weak credentials to access systems and spread across the network. Criminals who purchase WYSIWYE services can choose what types of files to encrypt and whether to delete the original files after encryption.
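Guessing default or weak credentials against exposed RDP is the entry route for WYSIWYE and, as described earlier on this page, one of the routes Maze used. Each failed guess leaves a Windows Security event 4625 (and a success leaves a 4624) with the source address, target account and logon type, where logon type 10 is a remote interactive, i.e. RDP, session. The following is an added example, not code from the original article, that runs over a constructed, simplified event feed (the format is an assumption; a real pipeline would read these fields from the event log) and flags a source that fails repeatedly inside a short window, distinguishes single-account brute force from password spraying, and notes when a success follows the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed format): timestamp, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = """\
2017-03-01T10:00:01Z 4625 10 203.0.113.7 Administrator
2017-03-01T10:00:03Z 4625 10 203.0.113.7 admin
2017-03-01T10:00:04Z 4625 10 203.0.113.7 backup
2017-03-01T10:00:06Z 4625 10 203.0.113.7 scanner
2017-03-01T10:00:09Z 4625 10 203.0.113.7 administrator
2017-03-01T10:00:12Z 4624 10 203.0.113.7 administrator
2017-03-01T10:05:00Z 4625 10 198.51.100.2 jsmith
2017-03-01T10:20:00Z 4625 10 198.51.100.2 jsmith
2017-03-01T10:21:00Z 4624 2 192.0.2.10 jsmith
"""

RDP_LOGON_TYPE = 10


def parse_events(text: str) -> list:
    """Turn the simplified feed into dicts; accounts are case-folded like Windows does."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, src, user = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(eid), "type": int(ltype), "src": src, "user": user.lower(),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_guessing(text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> dict:
    """Flag sources with >= threshold failed RDP logons inside a sliding window."""
    recent_failures = defaultdict(list)   # src -> timestamps still inside the window
    accounts_tried = defaultdict(set)     # src -> distinct accounts guessed
    findings = {}
    for ev in parse_events(text):
        if ev["type"] != RDP_LOGON_TYPE:
            continue
        if ev["id"] == 4625:
            fails = recent_failures[ev["src"]]
            fails.append(ev["ts"])
            accounts_tried[ev["src"]].add(ev["user"])
            while fails and ev["ts"] - fails[0] > window:   # expire old failures
                fails.pop(0)
            if len(fails) >= threshold and ev["src"] not in findings:
                tried = len(accounts_tried[ev["src"]])
                findings[ev["src"]] = {
                    "first_failure": fails[0],
                    "failures_in_window": len(fails),
                    "accounts": tried,
                    # many accounts from one source reads as spraying; one account as brute force
                    "pattern": "password-spray" if tried >= 3 else "brute-force",
                    "success_after": False,
                }
        elif ev["id"] == 4624 and ev["src"] in findings:
            # A success after a flagged burst is the case to page someone for.
            findings[ev["src"]]["success_after"] = True
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_guessing(SAMPLE_EVENTS).items():
        print(src, info)
```

The slow second source (two failures fifteen minutes apart) stays under the threshold on purpose: the window keeps the rule quiet on ordinary typos while still catching the bursts an automated guesser produces. The `success_after` flag is what turns an alert into an incident, since a valid RDP session from a source that was just guessing is exactly how the page describes these families getting in.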
Targeted victims: WYSIWYE attacks first appeared in Germany, Belgium, Sweden and Spain.
Attribution: Unknown
Current status: WYSIWYE appears to be defunct.
Zeppelin
History: Zeppelin first appeared in November 2019 and is a descendant of the Vega or VegaLocker RaaS offering that victimized accounting firms in Russia and Eastern Europe.
How it works: Zeppelin has more capabilities than its ancestors, especially when it comes to configurability. Zeppelin can be deployed in several ways, including as an EXE, a DLL, or a PowerShell loader, but some of its attacks came via compromised managed security service providers.
Targeted victims: Zeppelin is much more targeted than Vega, which spread somewhat indiscriminately and mostly operated in the Russian-speaking world. Zeppelin is designed not to execute on computers operating in Russia, Ukraine, Belarus, or Kazakhstan. Most of its victims have been healthcare and technology companies in North America and Europe.
Attribution: Security experts believe that a new threat actor, likely in Russia, is using Vega’s codebase to develop Zeppelin.
Current status: Zeppelin remains active as of February 2025.
Editor’s note: This article, originally published on February 16, 2021, has been updated to include more recent information about the listed groups, including their current status.