How it works: Egregor follows the “double extortion” pattern of both encrypting data and threatening to leak sensitive information if the ransom is not paid. Its codebase is relatively sophisticated and able to avoid detection by using obfuscation and anti-analysis techniques.
Targeted victims: As of late November, Egregor victimized at least 71 organizations across 19 industries worldwide.
Attribution: Egregor’s rise coincides with the Maze ransomware gang shutting down its operations. Maze group affiliates appear to have moved on to Egregor. It is a variant of the Sekhmet ransomware family and is associated with the Qakbot malware.
Current status: Egregor emerged shortly after the Maze ransomware group announced its shutdown. The ransomware was most active between September 2020 and early 2021 before being taken down by the FBI and Ukrainian authorities.
FONIX
History: FONIX is an RaaS offering that was first discovered in July 2020. It quickly went through a number of code revisions, but abruptly shut down in January 2021. The FONIX gang then released its master decryption key.
How it works: The FONIX gang advertised its services on cybercrime forums and the dark web. Buyers of FONIX would send the gang an email address and password. The gang then sent the customized ransomware payload back to the buyer. The FONIX gang took a 25% cut of any ransom fees paid.
Targeted victims: Since FONIX is RaaS, anyone could be a victim.
Attribution: An unknown cybercriminal gang
Current status: Never reaching the heights of a major player, FONIX has been defunct since 2021.
GandCrab
History: GandCrab may be the most successful RaaS ever. Its developers claim more than $2 billion in victim payouts as of July 2019. GandCrab was first identified in January 2018.
How it works: GandCrab is an affiliate ransomware program for cybercriminals who pay its developers a portion of the ransom fees they collect. The malware is typically delivered via malicious Microsoft Office documents sent through phishing emails. Versions of GandCrab have exploited vulnerabilities in software such as Atlassian’s Confluence. In that case, the attackers use the flaw to inject a rogue template that enables remote code execution.
Targeted victims: GandCrab has infected systems globally across multiple industries, though it is designed to avoid systems in Russian-speaking regions.
Attribution: GandCrab has been tied to Russian national Igor Prokopenko.
Current status: GandCrab was a dominant ransomware threat between January 2018 and May 2019. Researchers suspect the group behind it shifted its focus to developing a ransomware strain called REvil or Sodinokibi. Sodinokibi/REvil remains active.
GoldenEye
History: Appearing in 2016, GoldenEye appears to be based on the Petya ransomware.
How it works: GoldenEye was initially spread through a campaign targeting human resources departments with fake cover letters and resumes. Once its payload infects a computer, it executes a macro that encrypts files on the computer, adding a random 8-character extension to the end of each file. The ransomware then modifies the computer’s hard drive master boot record with a custom boot loader.
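The appended random extension described above is the part of an infection a defender can observe from file-system telemetry while it is still in progress: many renames in a short window, each keeping the original name and gaining one eight-character alphanumeric suffix. The following is an added example, not code from the article or from any product; the event format (timestamp, old path, new path), the sample paths and the “k7Qm2xPz” suffix are constructed. The check generalizes to any family that appends a fixed-length random extension, not just GoldenEye.

```python
"""Detect the on-disk footprint this article attributes to GoldenEye: many files
renamed in a short window with a random 8-character extension appended.
Added example, not code from the article or from any vendor; the telemetry
format (timestamp, old path, new path) is an assumption."""
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed rename telemetry as a file-monitoring agent might record it.
# Not real data: the paths, times and the "k7Qm2xPz" suffix are made up.
SAMPLE_EVENTS = [
    # Ordinary user rename: extension unchanged, must not fire.
    ("2024-01-10T09:00:00", "C:/Users/ana/Documents/q3-budget.xlsx",
     "C:/Users/ana/Documents/q3-budget-v2.xlsx"),
    # Legitimate 8-character extension: allow-listed, must not fire.
    ("2024-01-10T09:00:05", "C:/Users/ana/Documents/notes",
     "C:/Users/ana/Documents/notes.markdown"),
    # Six files get the same random suffix within ten seconds.
    ("2024-01-10T09:01:00", "C:/Users/ana/Documents/q3-budget-v2.xlsx",
     "C:/Users/ana/Documents/q3-budget-v2.xlsx.k7Qm2xPz"),
    ("2024-01-10T09:01:02", "C:/Users/ana/Documents/board-deck.pptx",
     "C:/Users/ana/Documents/board-deck.pptx.k7Qm2xPz"),
    ("2024-01-10T09:01:03", "C:/Users/ana/Pictures/IMG_0412.jpg",
     "C:/Users/ana/Pictures/IMG_0412.jpg.k7Qm2xPz"),
    ("2024-01-10T09:01:05", "C:/Users/ana/Desktop/contract.pdf",
     "C:/Users/ana/Desktop/contract.pdf.k7Qm2xPz"),
    ("2024-01-10T09:01:08", "C:/Users/ana/Desktop/payroll.csv",
     "C:/Users/ana/Desktop/payroll.csv.k7Qm2xPz"),
    ("2024-01-10T09:01:09", "C:/Users/ana/Music/track01.mp3",
     "C:/Users/ana/Music/track01.mp3.k7Qm2xPz"),
]

# Rare legitimate 8-letter extensions that would otherwise match the pattern.
KNOWN_8CHAR_EXTENSIONS = {"markdown", "manifest", "settings"}
# "<original name>.<exactly 8 alphanumerics>" at the end of the new path.
APPENDED_EXT = re.compile(r"^(?P<base>.+)\.(?P<ext>[A-Za-z0-9]{8})$")


def appended_random_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the suffix if new_path is exactly old_path plus one new
    8-character alphanumeric extension (the original extension stays
    underneath, as the article describes for GoldenEye), otherwise None."""
    match = APPENDED_EXT.match(new_path)
    if not match or match.group("base") != old_path:
        return None
    ext = match.group("ext")
    return None if ext.lower() in KNOWN_8CHAR_EXTENSIONS else ext


def detect_encryption_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Slide a time window over suspicious renames and raise one alert each
    time `threshold` of them fall inside `window`. Returns a list of alerts."""
    hits = []
    for ts, old_path, new_path in events:
        ext = appended_random_extension(old_path, new_path)
        if ext is not None:
            hits.append((datetime.fromisoformat(ts), new_path, ext))
    hits.sort()

    alerts, start = [], 0
    for end in range(len(hits)):
        # Drop hits that fell out of the window ending at hits[end].
        while hits[end][0] - hits[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            burst = hits[start:end + 1]
            alerts.append({
                "first": burst[0][0].isoformat(),
                "last": burst[-1][0].isoformat(),
                "files": len(burst),
                "extensions": sorted({h[2] for h in burst}),
                "sample_path": burst[0][1],
            })
            start = end + 1  # fresh window so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately low so the constructed sample trips the check; on a real fileserver they should be tuned against a baseline of normal rename activity, and the allow-list extended with any eight-character extensions your environment legitimately produces.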
Targeted victims: GoldenEye first targeted German-speaking users in its phishing emails.
Attribution: Unknown
Current status: GoldenEye resurfaced in June 2017 with attacks in Ukraine, but appears to be inactive today.
Grief
History: The Grief ransomware, also known as “Pay or Grief”, is considered the successor of DoppelPaymer and appeared in May 2021. Between May and October, the group claimed to have compromised 41 companies and other organizations, the majority of them in Europe and the U.K. It is estimated that the group made over $11 million in that time frame. In late October, the group claimed it compromised the US National Rifle Association (NRA) and stole data that it held for ransom.
How it works: Grief is an RaaS operation working with affiliates who perform the intrusions and the installation of the ransomware program in exchange for a commission from the ransom payment. The group engages in double extortion by stealing data from compromised organizations and threatening to release it if the victim does not pay. Grief maintains a leak site where it publishes information about the victims and, more recently, it has started warning victims that if they contact law enforcement, ransomware negotiators or data recovery specialists, it will wipe the systems it has access to, leaving victims unable to recover their files even if they are willing to pay for the decryption key.
The code differences between DoppelPaymer and Grief are minor. The embedded ProcessHacker binaries, which DoppelPaymer used to terminate various processes, have been removed, and the RC4 key used in the encryption routine has been increased from 40 to 48 bytes. Otherwise, the encryption algorithms remain the same: 2048-bit RSA and 256-bit AES.
Targeted victims: Grief has compromised various manufacturers, pharmacies, food services and hospitality providers, educational institutions, as well as municipalities and at least one government district. The group has not revealed the identities of all the victims it claims to have made on its leak site.
Attribution: The Grief ransomware is believed to be operated by Evil Corp, a cybercriminal group previously known for running the Dridex botnet as well as the WastedLocker and DoppelPaymer ransomware operations. Evil Corp is one of the cybercriminal groups on the Department of Treasury’s sanctions list, and two individuals associated with it are on the FBI’s most wanted list.
Current status: Grief remains active to this day.
Jigsaw
History: Jigsaw first appeared in 2016, but researchers released a decryption tool shortly after its discovery.
How it works: The most notable aspect of Jigsaw is that it encrypts some files, demands a ransom, and then progressively deletes files until the ransom is paid. It deletes a file per hour for 72 hours. At that point, it deletes all remaining files.
Targeted victims: Jigsaw does not appear to have targeted any particular group of victims.
Attribution: Unknown
Current status: Jigsaw is no longer active in its original form, but its source code is openly available, allowing threat actors to modify and adapt the malware.
KeRanger
History: KeRanger, discovered in 2016, is believed to be the first operational ransomware designed to attack Mac OS X applications.
How it works: KeRanger was distributed through a legitimate but compromised BitTorrent client that was able to evade detection because it had a valid certificate.
Targeted victims: Mac users
Attribution: Unknown
Current status: KeRanger is no longer believed to be active.
Leatherlocker
History: Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Google removed the apps from its store shortly after discovery.
How it works: Victims download what appears to be a legitimate app. The app then asks for permissions that grant the malware the access it needs to execute. Rather than encrypt files, it locks the device home screen to prevent access to data.
Targeted victims: Android users who download the infected apps.
Attribution: An unknown cybercriminal group.
Current status: Leatherlocker appears no longer to be active.
LockerGoga
History: LockerGoga appeared in 2019 in an attack targeting industrial companies. Although the attackers asked for a ransom, LockerGoga appeared intentionally designed to make paying a ransom difficult. This led some researchers to believe its intent was disruption rather than financial gain.
How it works: LockerGoga used a phishing campaign with malicious document attachments to infect systems. The payloads were signed with valid certificates, which allowed them to bypass security.
Targeted victims: LockerGoga victimized European manufacturing companies, most notably Norsk Hydro, where it caused a global IT shutdown.
Attribution: Some researchers say LockerGoga was likely the work of a nation-state.
Current status: LockerGoga caused severe disruption and financial losses for industrial companies, including an attack on Norsk Hydro in March 2019. Europol’s arrest of suspects behind the LockerGoga, MegaCortex, and Dharma ransomware attacks curtailed the threat.
Locky
History: Locky first began spreading in 2016 and used an attack mode similar to the banking malware Dridex. Locky has inspired a number of variants including Osiris and Diablo6.
How it works: Victims are typically sent an email with a Microsoft Word document purporting to be an invoice. That invoice contains a malicious macro. Microsoft disables macros by default because of the security risks. If macros are enabled, the document runs the macro, which downloads Locky. Dridex uses the same technique to steal account credentials.
Targeted victims: Early Locky attacks targeted hospitals, but subsequent campaigns were broad and untargeted.
Attribution: It is suspected that the cybercriminal group behind Locky is affiliated with the one behind Dridex because of similarities between the two.
Current status: Locky was a significant threat between 2016 and 2017 but is no longer active.
Maze
History: Maze is a relatively new ransomware group, discovered in May 2019. It is known for releasing stolen data to the public if the victim does not pay to decrypt it. The Maze group announced in September 2020 that it was closing its operations.
How it works: Maze attackers typically gain access to networks remotely using valid credentials that may be guessed, default, or obtained through phishing campaigns. The malware then scans the network using open-source tools to discover vulnerabilities and learn about the network. It then moves laterally throughout the network looking for more credentials that can be used for privilege escalation. Once it finds domain admin credentials, it can access and encrypt anything on the network.
Targeted victims: Maze operates on a global scale across all industries.
Attribution: The people behind Maze are believed to be several criminal groups that share their specialties rather than a single gang.
Current status: Maze shuttered its operations in 2020.
Mespinoza (a.k.a. PYSA)
History: First identified in 2019, the Mespinoza group has a reputation for being cocky and quirky. According to a report from Palo Alto Networks’ Unit 42, the gang refers to its victims as “partners” and offers advice on convincing management to pay the ransom. Mespinoza uses its own tools with names like MagicSocks and HappyEnd.bat.
How it works: Despite its quirks, Mespinoza is quite disciplined in its approach, according to Unit 42. The gang does its homework on potential victims to target those with the most valuable assets. It then searches documents for keywords such as SSN, driver license, or passport to identify the most sensitive files. The attack uses RDP to gain network access and then uses open-source and built-in system tools to move laterally and gather credentials. It installs malware called Gasket to create a backdoor. Gasket has a feature called MagicSocks that creates tunnels for remote access. The gang uses the double extortion approach, which includes a threat of releasing sensitive data if the ransom is not paid.
Targeted victims: Mespinoza operates on a global scale and targets large enterprises across many industries. It recently attacked K-12 schools, universities and seminaries in the US and UK.
Attribution: Unknown
Current status: Mespinoza appears to still be active, but its level of activity is much diminished from its 2020-21 peak.
Netwalker
History: Active since 2019, Netwalker is another ransomware operation that uses the double threat of withholding decryption keys and selling or leaking stolen data. In late January 2021, however, the US Department of Justice announced a global action that disrupted the Netwalker operation.
How it works: From a technical standpoint, Netwalker is relatively ordinary ransomware. It gains a foothold using phishing emails, encrypts and exfiltrates data, and sends a ransom demand. It is the second threat of exposing sensitive data that makes it more dangerous. It is known to have released stolen data by putting it in a password-protected folder on the dark web and then releasing the key publicly.
Targeted victims: Netwalker targets primarily healthcare and educational institutions.
Attribution: The Circus Spider gang is believed to have created Netwalker.
Current status: Netwalker gained notoriety during the COVID-19 pandemic after attacks targeting healthcare, education, and government organizations. A law enforcement operation in January 2021 disrupted Netwalker’s infrastructure, leading to arrests and seizures of cryptocurrency. A new ransomware variant called Alpha, showing marked technical similarities to Netwalker, surfaced in February 2023.
NotPetya
History: First appearing in 2016, NotPetya is actually data-destroying malware, known as a wiper, that masquerades as ransomware.
How it works: The NotPetya virus superficially resembles Petya in that it encrypts files and requests a ransom in Bitcoin. Petya requires the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya can spread without human intervention. The original infection vector appears to be a backdoor planted in M.E.Doc, an accounting software package that is used by almost every company in Ukraine. Having infected computers from M.E.Doc’s servers, NotPetya used a variety of techniques to spread to other computers, including EternalBlue and EternalRomance. It can also take advantage of Mimikatz to find network administration credentials in the infected machine’s memory, and then use the Windows PsExec and WMIC tools to remotely access and infect other computers on the local network.
Targeted victims: The attack primarily focused on Ukraine.
Attribution: The Sandworm group within Russia’s GRU is believed to be responsible for NotPetya.
Current status: After launching the most damaging cyber attack to date, NotPetya appears no longer to be active.
Petya
History: The name derives from a satellite that was part of the sinister plot in the 1995 James Bond film GoldenEye. A Twitter account suspected of belonging to the malware’s author used a picture of actor Alan Cumming, who played the villain, as its avatar. The initial version of the Petya malware began to spread in March 2016.
How it works: Petya arrives on the victim’s computer attached to an email purporting to be a job applicant’s resume. It is a package with two files: a stock image of a young man and an executable file, often with “PDF” somewhere in the file name. When the victim clicks on that file, a Windows User Access Control warning tells them that the executable is going to make changes to their computer. The malware loads once the victim accepts the change and then denies access by attacking low-level structures on the storage media.
Targeted victims: Any Windows system is a potential target, but Ukraine was hardest hit by the attack.
Attribution: Unknown
Current status: Most noteworthy for its similarities to the far more damaging NotPetya wiper, Petya is no longer active today.
PureLocker
History: The PureLocker RaaS platform, discovered in 2019, targets enterprise production servers running Linux or Windows. It is written in the PureBasic language, hence its name.
How it works: PureLocker relies on the more_eggs backdoor malware to gain access rather than phishing attempts. Attackers target machines that have already been compromised and that they understand. PureLocker then analyzes the machines and selectively encrypts data.
Targeted victims: Researchers believe that only a few criminal gangs can afford to pay for PureLocker, so its use is limited to high-value targets.
Attribution: The malware-as-a-service (MaaS) provider behind the more_eggs backdoor is likely responsible for PureLocker.
Current status: Very few reported attacks linked to PureLocker have appeared over the last five years.
RobbinHood
History: RobbinHood is another ransomware variant that uses EternalBlue. It brought the city of Baltimore, Maryland, to its knees in 2019.
How it works: The most distinctive feature of RobbinHood is how its payload bypasses endpoint security. It has five parts: an executable that kills processes and files of security products, code to deploy a signed third-party driver and a malicious unsigned kernel driver, an outdated Authenticode-signed driver that has a vulnerability, a malicious driver to kill processes and delete files from kernel space, and a text file with a list of applications to kill and delete.
The outdated, signed driver has a known bug that the malware uses to avoid detection and then install its own unsigned driver on Windows 7, Windows 8 and Windows 10.
Targeted victims: Local governments such as the cities of Baltimore and Greenville, North Carolina, seem to be hardest hit by RobbinHood.
Attribution: An unidentified criminal group
Current status: RobbinHood gained notoriety in 2019, but little has been seen of the malware over recent years.
Ryuk
History: Ryuk first appeared in August 2018 but is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017.
How it works: It is often used in combination with other malware like TrickBot. The Ryuk gang is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.
The Ryuk attackers demand high ransom payments from their victims, typically between 15 and 50 Bitcoins (roughly $100,000 to $500,000), although higher payments have reportedly been paid.
Targeted victims: Businesses, hospitals and government organizations, often those most vulnerable, are the most common Ryuk victims.
Attribution: First attributed to the North Korean Lazarus Group, which used Hermes in an attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, Ryuk is now believed to be the creation of a Russian-speaking cybercriminal group that obtained access to Hermes. The Ryuk gang, sometimes called Wizard Spider or Grim Spider, also operates TrickBot. Some researchers believe that Ryuk could be the creation of the original Hermes author or authors operating under the handle CryptoTech.
Current status: A sophisticated ransomware strain, Ryuk remains active as of February 2025.
SamSam
History: SamSam has been around since 2015, targeted primarily healthcare organizations, and ramped up significantly in the following years.
How it works: SamSam is an RaaS operation whose controllers probe pre-selected targets for weaknesses. It has exploited a range of vulnerabilities in everything from IIS to FTP to RDP. Once inside the system, the attackers escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.
Targeted victims: Hardest hit were US-based healthcare and government organizations including the Colorado Department of Transportation and the City of Atlanta.
Attribution: Initially believed by some to have an Eastern European origin, SamSam largely targeted US institutions. In late 2018, the US Department of Justice indicted two Iranians that it claims were behind the attacks.
Current status: SamSam first emerged in December 2015 and remains active as of February 2025.
SimpleLocker
History: SimpleLocker, discovered in 2014, was the first widespread ransomware attack that focused on mobile devices, specifically Android devices.
How it works: SimpleLocker infects devices when the victim downloads a malicious app. The malware then scans the device’s SD card for certain file types and encrypts them. It then displays a screen demanding a ransom and giving instructions on how to pay.
Targeted victims: Because the ransom note is in Russian and asks for payment in Ukrainian currency, it is assumed that the attackers initially targeted that region.
Attribution: SimpleLocker is believed to have been written by the same hackers who developed other Russian malware such as SlemBunk and GM Bot.
Current status: SimpleLocker is not believed to be currently active.
Sodinokibi/REvil
History: Sodinokibi, also known as REvil, is another RaaS platform that first emerged in April 2019. Apparently related to GandCrab, it also has code that prevents it from executing in Russia and several adjacent countries, as well as Syria. It was responsible for shutting down more than 22 small Texas cities, and on New Year’s Eve 2019 it took down the UK currency exchange service Travelex. More recently, REvil ransomware was used in the attack on meat processing company JBS, briefly disrupting meat supply in the US. It was also responsible for the attack on Kaseya, which supplies software to MSPs. Thousands of MSP customers were affected. Shortly after the Kaseya attack, REvil’s websites disappeared from the internet.
How it works: Sodinokibi propagates in several ways, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN. It targets Microsoft Windows systems and encrypts all files except configuration files. Victims then receive a double threat if they don’t pay the ransom: They won’t get their data back, and their sensitive data will be sold or published on underground forums.
Targeted victims: Sodinokibi has infected many different organizations globally outside the regions it excludes.
Attribution: Sodinokibi rose to prominence after GandCrab shut down. An alleged member of the group, using the handle Unknown, confirmed that the ransomware was built on top of an older codebase that the group acquired.
Current status: Sodinokibi/REvil remains active today.
TeslaCrypt
History: TeslaCrypt is a Windows ransomware Trojan first detected in 2015 that targets players of computer games. Several newer versions appeared in rapid succession, but the developers shut down operations in May 2016 and released the master decryption key.
How it works: Once it infects a computer, typically after a victim visits a hacked website that runs an exploit kit, TeslaCrypt looks for and encrypts gaming files such as game saves, recorded replays and user profiles. It then demands a $500 fee in Bitcoin to decrypt the files.
Targeted victims: Computer gamers
Attribution: Unknown
Current status: No longer active as of May 2016
Thanos
History: The Thanos RaaS is relatively new, discovered in late 2019. It is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.
How it works: Advertised in underground forums and other closed channels, Thanos is a customized tool that its affiliates use to create ransomware payloads. Many of the features it offers are designed to evade detection. The Thanos developers have released several versions, adding capabilities such as disabling third-party backup, removal of Windows Defender signature files, and features to make forensics harder for response teams.
Targeted victims: As an RaaS platform, Thanos can victimize any organization.
Attribution: Unknown
Current status: The Thanos RaaS remains active today.
WannaCry
History: The WannaCry worm spread rapidly through computer networks in May 2017 because of the EternalBlue exploit developed by the US National Security Agency (NSA) and then stolen by hackers. It quickly infected millions of Windows computers.
How it works: WannaCry consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself, including:
- An application that encrypts and decrypts data
- Files containing encryption keys
- A copy of Tor
Once launched, WannaCry tries to access a hard-coded URL. If it can’t, it proceeds to search for and encrypt files in important formats, ranging from Microsoft Office files to MP3s and MKVs. It then displays a ransom notice demanding Bitcoin to decrypt the files.
Targeted victims: The WannaCry attack affected companies globally, but high-profile enterprises in healthcare, energy, transportation and communications were particularly hard hit.
Attribution: North Korea’s Lazarus Group is believed to be behind WannaCry.
Current status: WannaCry’s spread was halted when security researcher Marcus Hutchins accidentally activated a kill switch by registering a domain associated with the malware.
WastedLocker
History: One of the newer to appear, the WastedLocker ransomware began victimizing organizations in May 2020. It is one of the more sophisticated examples of ransomware, and its creators are known for asking high ransom fees.
How it works: The malware uses a JavaScript-based attack framework called SocGholish that is distributed in ZIP file form via a fake browser update that appears on legitimate but compromised websites. Once activated, WastedLocker then downloads and executes PowerShell scripts and a backdoor called Cobalt Strike. The malware then explores the network and deploys “living off the land” tools to steal credentials and gain access to high-value systems. It then encrypts data using a combination of AES and RSA cryptography.
Targeted victims: WastedLocker focuses on high-value targets most likely to pay high ransoms, primarily in North America and Western Europe.
Attribution: A known criminal gang, Evil Corp, is responsible for WastedLocker. The group is also known for running the Dridex malware and botnet.
Current status: WastedLocker remains active as of February 2025.
WYSIWYE
History: Discovered in 2017, WYSIWYE (What You See Is What You Encrypt) is an RaaS platform that targets Windows systems.
How it works: WYSIWYE scans the web for open Remote Desktop Protocol (RDP) servers. It then makes sign-in attempts using default or weak credentials to access systems and spread across the network. Criminals who purchase WYSIWYE services can choose what types of files to encrypt and whether to delete the original files after encryption.
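The access route described here for WYSIWYE, and earlier on this page for Maze and SamSam, is guessing default or weak credentials against exposed RDP, which leaves a recognizable trail in the Windows Security log: a run of failed logons (event 4625) of logon type 10 from one source, then a successful logon (event 4624) of the same type from that source. The following is an added example of that detection, not code from the article or from any product. The event IDs and logon type are real Windows values; the log records, field names, hostnames and addresses are constructed.

```python
"""Flag RDP password guessing followed by a successful logon from the same
source, the initial-access pattern this article describes for WYSIWYE and for
credential-guessing operations such as Maze and SamSam. Added example, not
code from the article or from any product. Event IDs 4625 (failed logon),
4624 (successful logon) and logon type 10 (RemoteInteractive) are real
Windows Security log values; the records and field names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed Security-log records (not real telemetry). Addresses come from
# the RFC 5737 documentation ranges.
SAMPLE_LOGONS = [
    # One source cycles through default account names on a terminal server...
    {"time": "2024-03-02T01:10:00", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45", "host": "TS01"},
    {"time": "2024-03-02T01:10:04", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45", "host": "TS01"},
    {"time": "2024-03-02T01:10:09", "event_id": 4625, "logon_type": 10, "user": "guest", "src_ip": "203.0.113.45", "host": "TS01"},
    {"time": "2024-03-02T01:10:13", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45", "host": "TS01"},
    {"time": "2024-03-02T01:10:20", "event_id": 4625, "logon_type": 10, "user": "support", "src_ip": "203.0.113.45", "host": "TS01"},
    {"time": "2024-03-02T01:10:27", "event_id": 4625, "logon_type": 10, "user": "test", "src_ip": "203.0.113.45", "host": "TS01"},
    # ...and then gets in with a weak password.
    {"time": "2024-03-02T01:10:40", "event_id": 4624, "logon_type": 10, "user": "support", "src_ip": "203.0.113.45", "host": "TS01"},
    # A real user mistypes once, then succeeds: below threshold, no alert.
    {"time": "2024-03-02T08:02:11", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.7", "host": "TS01"},
    {"time": "2024-03-02T08:02:30", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.7", "host": "TS01"},
    # Console logon (type 2): not RDP, ignored.
    {"time": "2024-03-02T08:15:00", "event_id": 4624, "logon_type": 2, "user": "svc_backup", "src_ip": "-", "host": "TS01"},
]


def detect_rdp_guessing(records, window=timedelta(minutes=10), fail_threshold=5):
    """Per source IP, count RDP failures inside a sliding `window`; when they
    reach `fail_threshold` the source is flagged as 'guessing', and a later RDP
    success from the same source upgrades it to 'compromised'. Returns a dict
    keyed by source IP."""
    by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["logon_type"] == RDP_LOGON_TYPE:
            by_src[rec["src_ip"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recent_fails = []  # (time, user) pairs still inside the window
        for rec in recs:
            now = datetime.fromisoformat(rec["time"])
            if rec["event_id"] == FAILED_LOGON:
                recent_fails.append((now, rec["user"]))
                recent_fails = [f for f in recent_fails if now - f[0] <= window]
                if src in alerts:
                    # Already flagged: keep counting attempts and account names.
                    alerts[src]["failures"] += 1
                    alerts[src]["users"].add(rec["user"])
                elif len(recent_fails) >= fail_threshold:
                    alerts[src] = {
                        "severity": "guessing",
                        "host": rec["host"],
                        "first_failure": recent_fails[0][0].isoformat(),
                        "failures": len(recent_fails),
                        "users": {u for _, u in recent_fails},
                    }
            elif rec["event_id"] == SUCCESSFUL_LOGON and src in alerts:
                # Success after a guessing run: treat the account as compromised.
                alerts[src]["severity"] = "compromised"
                alerts[src]["success_user"] = rec["user"]
                alerts[src]["success_time"] = rec["time"]

    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_guessing(SAMPLE_LOGONS).items():
        print(src, alert)
```

A "compromised" result names the account that finally succeeded, which is the one to disable and investigate first; the list of attempted account names is useful for confirming the default-credential pattern the page describes rather than a user locked out of a single account.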
Targeted victims: WYSIWYE attacks first appeared in Germany, Belgium, Sweden and Spain.
Attribution: Unknown
Current status: WYSIWYE appears to be defunct.
Zeppelin
History: Zeppelin first appeared in November 2019 and is a descendant of the Vega or VegaLocker RaaS offering that victimized accounting firms in Russia and Eastern Europe.
How it works: Zeppelin has more capabilities than its ancestors, especially when it comes to configurability. Zeppelin can be deployed in several ways, including as an EXE, a DLL, or a PowerShell loader, but some of its attacks came via compromised managed security service providers.
Targeted victims: Zeppelin is much more targeted than Vega, which spread somewhat indiscriminately and largely operated in the Russian-speaking world. Zeppelin is designed not to execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Most of its victims were healthcare and technology companies in North America and Europe.
Attribution: Security experts believe that a new threat actor, likely in Russia, is using Vega’s codebase to develop Zeppelin.
Current status: Zeppelin remains active as of February 2025.
Editor’s note: This article, originally published on February 16, 2021, has been updated to include newer information about the listed groups, including current status.