CryptoLocker variant affected half a million systems. Malware classified as ransomware became the predominant threat in the digital landscape in recent years, despite a gradual drop in the volume of infections and victims.</p>
<h3>Types of Ransomware</h3>
<p>Ransomware is commonly subdivided into two groups: encrypting or crypto ransomware and screen-locking or locker ransomware. The two groups differ dramatically in how they prevent access to the system and the data on it.</p>
<p><b>Encrypting Ransomware</b></p>
<p>Encrypting ransomware is by far the more common variant. On the most basic level, it uses encryption algorithms to scramble the data inside a victim's files, leaving them inaccessible. The user is then presented with a ransom note, often dropped as a plain text file on the desktop and opened automatically. The ransom note contains the exact payment details the victim is expected to use to ransom their data, as well as the technical details of the exchange. The most common payment method is Bitcoin or another cryptocurrency, as those are virtually impossible to trace.</p>
<p>In the most common case, ransomware uses a strong encryption algorithm: either AES (Advanced Encryption Standard), the U.S. government standard for encryption, or RSA (Rivest, Shamir, Adleman). A combination of the two is also possible. Notorious examples of ransomware using such hybrid encryption are WannaCry, Petya and its follow-up, NotPetya.</p>
<p>Asymmetric encryption uses what is called a 'key pair': two separate alphanumeric strings, one used for encrypting and the other for decrypting the data. The public key is the string that will usually appear in the ransom note. The private key is commonly generated and immediately sent to a server operated by the cybercriminals. The decryption process requires the private key to be matched with its public counterpart stored on the victim's machine.</p>
<p>Over time, encrypting ransomware has tried many ways to store and distribute the key pairs. To remove the need for an active Internet connection at the time of encryption, cybercriminals resorted to a hybrid technique combining server-side and client-side (victim) asymmetric encryption with symmetric encryption. In this method, both the ransomware on the infected system and the server generate their own key pairs. The approach involves encrypting one key with another key, which makes the whole process considerably more complicated and more difficult to reverse-engineer and defeat.</p>
<p>Notorious examples of encrypting ransomware include the CryptoLocker family, <a title="CryptoWall Ransomware Removal Report" href="https://www.enigmasoftware.com/cryptowallransomware-removal/">CryptoWall</a>, <a title="TorrentLocker Ransomware Removal Report" href="https://www.enigmasoftware.com/torrentlockerransomware-removal/">TorrentLocker</a>, as well as the later <a title=".locky File Extension Ransomware Removal Report" href="https://www.enigmasoftware.com/lockyfileextensionransomware-removal/">Locky</a> and <a title="WannaCry Ransomware Removal Report" href="https://www.enigmasoftware.com/wannacryptorransomware-removal/">WannaCry</a> ransomware threats.</p>
<p><b>Screen-Locking Ransomware</b></p>
<p>Locker ransomware is a far less destructive type of ransomware that restricts use of the infected system by locking the screen and displaying an alarming message. In the general case, screen-locking ransomware never bothers with encrypting the victim's files and relies solely on scare tactics and sheer bullying to get its victims to pay the ransom. Common motifs among screen-locker strains are messages claiming that the FBI or the police have found illegal material on the victim's system and that a fine must be paid to avoid prosecution.</p>
<p>Screen lockers tend to scare people into believing that the authorities have discovered either illegal pornographic images on the victim's computer or large amounts of pirated digital media. The on-screen ransom demand is usually also much smaller than the sums crypto-ransomware demands. This is partly because the claims screen lockers make are so outlandish that the payment has to be made impulsively, before the victim has had time to assess the situation.</p>
<p>Obviously, the federal government and the local police will never attempt to get into your home computer and lock it up, no matter how many MP3 files you may have on it. The notion that anyone can buy their way out of possessing illegal adult imagery is equally ludicrous. However, this attack vector relies on scaring the victim enough to make the payment without thinking, acting out of irrational fear. It is just one of several social engineering attacks that cybercriminals resort to.</p>
<p>Because screen-locking ransomware does not encrypt files, more experienced users can remove it manually, clean it with an anti-malware program, or simply move the affected hard drive to another system and clean and salvage the data there.</p>
<p><a href="https://www.enigmasoftware.com/images/2021/ransomwaretimeline_img1.png">Phishing remains a surprisingly effective infection vector even today</a>. The attachments can have nearly any extension and need not be executable files, which allows cybercriminals to use files resembling official documents, such as PDF and Word documents.</p>
<p>Phishing emails might also contain links to malicious files that download and deploy after a single click, which makes them particularly high-risk.</p>
<p><b>Exploit Kits</b></p>
<p>Another effective vector that bad actors use to spread ransomware is exploit kits. Code injected into compromised web pages, redirects to harmful sites and malicious banners are just a few of the components that can work together to deliver a ransomware payload to victims' computers.</p>
<h3>Ransomware Statistics</h3>
<p>Ransomware hit what were arguably all-time peak levels in 2017. In that year, more than half of all malicious payloads worldwide were ransomware. Ransomware also proved to be a surprisingly effective malicious tool: statistics for businesses show that over 70% of the companies targeted by ransomware actually did get infected and consequently suffered losses and disruption of varying degrees. A success rate that high shows that those businesses were, by and large, not prepared to tackle the ransomware threat effectively, a mistake that was likely rectified after the attacks.</p>
<p>Despite the increase in ransomware infections over 2017, phishing emails carrying ransomware payloads were steadily declining. Attacks through the Remote Desktop Protocol (RDP), however, rose dramatically, with over 60% of ransomware infections in 2017 being carried out through RDP.</p>
<p>Cybercriminals were also getting bolder and more confident with their ransom demands. In 2017, the average ransom demanded by ransomware operators had risen to over $1,000, a marked increase over previous years. Of course, that does not mean cybercriminals were more willing to deliver on their part of the supposed bargain. Even though some affected businesses chose to pay the ransom, the criminals never restored their data. It is hard to tell whether this was due to simple incompetence or because restoring the data was never the plan.</p>
<p>Over the following years, ransomware attacks on large corporate entities and government institutions increased dramatically. One very prominent example was the attack on Norsk Hydro, which spent over $50 million in its efforts to recover from the LockerGoga ransomware.</p>
<p>A large number of United States <a title="Massive Worldwide 'WannaCryptor or WanaCrypt0r' Ransomware Attack Hitting Tens of Thousands at Record Pace" href="https://www.enigmasoftware.com/worldwide-wannacry-ransomware-attack-hitting-thousands-record-pace/">government institutions</a>, including municipal networks, were also targeted by ransomware, with varying degrees of success and causing differing degrees of service disruption. The increasing popularity of attacks on institutions and businesses in the US led to the FBI issuing official ransomware prevention and response guidance.</p>
<p>A lot of intriguing and often alarming things took place in the field of ransomware attacks in 2019. Here are a few facts and statistics:</p>
<ul>
<li>Over 500 US school networks were attacked by ransomware.</li>
<li>70 government organizations in the US suffered ransomware attacks.</li>
<li>The majority of small and medium-sized businesses hit by ransomware decided to pay the ransom demanded.</li>
<li>Average ransom demands grew, driven by <a title="Ryuk Ransomware Removal Report" href="https://www.enigmasoftware.com/ryukransomware-removal/">Ryuk campaigns</a> that demanded much more than most previous high-profile ransomware attacks. Ryuk drove the average ransom payment to over $41,000 in late 2019.</li>
<li>Different researchers and studies indicated that between 3% and 17% of paying victims received a working decryption tool and recovered their files.</li>
</ul>
<p>The biggest ransomware payout in 2019 was the $600,000 that Riviera Beach City, Florida <a title="Paradigm Shift for Ransomware - Massive Payouts Coming from City Government Networks" href="https://www.enigmasoftware.com/ransomware-payouts-city-networks-florida-georgia/">chose to pay after a stray click on a phishing link</a> led to what looked like another Ryuk infection. This is not the biggest ransomware payout of all time, though. The top spot is still occupied by a South Korean web hosting company that paid around $1 million back in 2017.</p>
<p>Of course, a lot of big businesses refuse to negotiate with hackers and choose to suffer massive losses rather than pay cybercriminal organizations. Again, <a title="FIN6 Hacker Group Now Using Ryuk and LockerGoga Ransomware" href="https://www.enigmasoftware.com/fin6-hacker-group-using-ryuk-lockergoga-ransomware/">Norsk Hydro, which suffered $50 million in losses over a Ryuk attack</a>, is one very prominent example of a company that decided to roll with the punches and refused to pay.</p>
<p>Ransomware remains a very pertinent threat today and can target both corporations and home users.</p>
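<p>The two artefacts that the Encrypting Ransomware section above describes, scrambled file contents and a plain-text ransom note dropped beside them, are also the cheapest things a responder can check for on a suspect host. The following triage script is an added example written for this page, not code from the original article or from any of the threats it names. It measures the Shannon entropy of each file (well-encrypted bytes approach 8 bits per byte, ordinary documents sit far lower), looks for small text files that combine ransom-note vocabulary, and reports the extension that the flagged files share. The thresholds, term list, file names and sample contents are assumptions constructed for the demo; the <code>.locky</code> extension is borrowed from the Locky family mentioned above purely as an illustrative name.</p>

```python
"""Added example: triage scan for indicators of encrypting ransomware.

Not code from the original page. Thresholds, term list and sample files are
assumptions constructed for this demonstration.
"""
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds: encrypted data is close to 8 bits of entropy per byte,
# while office documents, source code and plain text sit far lower.
HIGH_ENTROPY_BITS = 7.5
MIN_FILE_SIZE = 256  # very small files give unreliable entropy estimates
# Vocabulary ransom notes tend to combine (assumption); at least two must appear.
RANSOM_NOTE_TERMS = ("bitcoin", "decrypt", "private key", "payment")
TEXT_SUFFIXES = (".txt", ".html", ".hta", "")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """True for a small text file that combines at least two ransom-note terms."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore").lower()
    except OSError:
        return False
    if len(text) > 20_000:  # ransom notes are short; skip large text files
        return False
    return sum(term in text for term in RANSOM_NOTE_TERMS) >= 2


def scan_directory(root: Path) -> dict:
    """Walk a tree and report high-entropy files, ransom notes and a verdict."""
    high_entropy, notes = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() in TEXT_SUFFIXES and looks_like_ransom_note(path):
            notes.append(path.name)
            continue
        data = path.read_bytes()
        if len(data) >= MIN_FILE_SIZE and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            high_entropy.append(path.name)
    # Encrypted files that all carry the same appended extension are the
    # "mass rename" signal; report the most common suffix among them.
    suffixes = Counter(Path(name).suffix.lower() for name in high_entropy)
    common_ext = suffixes.most_common(1)[0][0] if suffixes else None
    if high_entropy and notes:
        verdict = "likely encrypting ransomware"
    elif high_entropy or notes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "high_entropy_files": high_entropy,
        "ransom_notes": notes,
        "common_extension": common_ext,
        "verdict": verdict,
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two 'encrypted' files with a bolted-on
    extension, one benign document, one benign text file and a ransom note."""
    scrambled = bytes(range(256)) * 4  # uniform byte distribution -> 8.0 bits
    (root / "budget.xlsx.locky").write_bytes(scrambled)
    (root / "photo.jpg.locky").write_bytes(scrambled)
    (root / "report.docx").write_bytes(b"Quarterly report: revenue rose 4%. " * 40)
    (root / "shopping.txt").write_text("milk, eggs, bread, coffee\n")
    (root / "_HOW_TO_DECRYPT.txt").write_text(
        "Your files were encrypted. To decrypt them, send payment in bitcoin;\n"
        "the private key is stored on our server.\n"
    )


def run_demo() -> dict:
    """Build the constructed sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

<p>Entropy alone is a noisy signal, since compressed archives, images and video already score close to 8 bits per byte, which is why the verdict only becomes "likely encrypting ransomware" when a ransom-note-like file is found as well; in a real deployment the suffix and term lists would be tuned to the environment and the scan run against a known-good baseline of the same tree.</p>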

Ransomware

Most Trending Ransomware in the Last 2 Weeks

<table>
<tr><th>#</th><th>Threat Name</th><th>Severity Level</th><th>Alias(es)</th><th>Detections</th></tr>
<tr><td>1</td><td>Netlock Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>2</td><td>'ponce.lorena@aol.com' Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>3</td><td>Clop Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>4</td><td>CashCat Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>5</td><td>Rever Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>6</td><td>Aamv Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>7</td><td>Lucky Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>8</td><td>'SimpleLocker' Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>9</td><td>'.exx File Extension' Ransomware</td><td>80 % (High)</td><td></td><td>1</td></tr>
<tr><td>10</td><td>BTCamant Ransomware</td><td>80 % (High)</td><td></td><td>3</td></tr>
<tr><td>11</td><td>C0hen Locker Ransomware</td><td>100 % (High)</td><td></td><td>1</td></tr>
<tr><td>12</td><td>Zorab Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>13</td><td>Qdla Ransomware</td><td>100 % (High)</td><td></td><td>3,664</td></tr>
<tr><td>14</td><td>Steriok Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>15</td><td>Errz Ransomware</td><td>100 % (High)</td><td></td><td>6,912</td></tr>
<tr><td>16</td><td>Solidbit Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>17</td><td>Isal Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>18</td><td>CLock.Win32 Ransomware</td><td>100 % (High)</td><td></td><td></td></tr>
<tr><td>19</td><td>Ehiz Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>20</td><td>Ahtw Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>21</td><td>State of Qatar Ministry of Interior Virus</td><td></td><td></td><td></td></tr>
<tr><td>22</td><td>Polizja Biuro Służby Kryminalnej Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>23</td><td>Cryptorbit Ransomware</td><td>10 % (Normal)</td><td></td><td>10</td></tr>
<tr><td>24</td><td>XZZX Ransomware</td><td>80 % (High)</td><td></td><td>14</td></tr>
<tr><td>25</td><td>Rapid 2.0 Ransomware</td><td>20 % (Normal)</td><td></td><td>5</td></tr>
<tr><td>26</td><td>Ghost Ransomware</td><td>100 % (High)</td><td></td><td>329</td></tr>
<tr><td>27</td><td>Delphimorix Ransomware</td><td>100 % (High)</td><td></td><td>3</td></tr>
<tr><td>28</td><td>Pysa Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>29</td><td>Ragnar Locker Ransomware</td><td></td><td></td><td></td></tr>
<tr><td>30</td><td>JackSparrow Ransomware</td><td></td><td></td><td></td></tr>
</table>

Last updated: 2023-07-03