Ransomware is a constantly evolving threat, with new variants emerging regularly. These variants use different techniques to infect systems, encrypt data, and extort victims for a ransom. Here are some of the most common ransomware variants that have caused significant damage to individuals, businesses, and governments worldwide:
1. WannaCry
- First Detected: May 2017
- Type: Cryptoworm
- Notable Characteristics:
- WannaCry spread using EternalBlue, an exploit for a flaw in Windows SMBv1 that Microsoft had patched two months earlier in MS17-010; the exploit was part of an NSA toolset leaked by the Shadow Brokers group.
- It spread rapidly across networks, affecting over 200,000 systems in 150+ countries.
- WannaCry demanded a Bitcoin payment (initially $300, doubling to $600 after three days) to decrypt the files it had encrypted on infected systems.
- Impact:
- Particularly harmful to industries like healthcare (e.g., the UK's NHS), where it disrupted critical operations and patient services.
- Because it spread worm-like over SMB (TCP 445) with no user interaction, unpatched Windows hosts that exposed the port were infected within hours; a researcher's registration of the malware's hard-coded kill-switch domain slowed the outbreak. Applying MS17-010 and disabling SMBv1 are the fixes.
2. Ryuk
- First Detected: 2018
- Type: Human-operated ransomware
- Notable Characteristics:
- Ryuk is known for targeting large organizations and enterprises, gaining access through spear-phishing emails and compromised or brute-forced RDP credentials.
- It often targets organizations that cannot tolerate downtime, such as hospitals and municipal governments, which are therefore more likely to pay.
- Before encrypting, Ryuk deletes Volume Shadow Copies and disables Windows System Restore and boot recovery options so that victims cannot roll files back.
- Impact:
- Ryuk has caused massive financial damage, with ransom demands ranging from hundreds of thousands to millions of dollars.
- It is often used as part of multi-stage attacks, where Trojan malware like Emotet or TrickBot first infiltrates the system to deliver Ryuk.
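The recovery tampering described above (deleting shadow copies, disabling System Restore and recovery options) is one of the last moments before encryption when a ransomware intrusion is still cheap to stop, and the commands involved are noisy in process-creation telemetry. The following is an added example, not code from the original article or from any ransomware analysis: a Python detector that scans process-creation records for commands that destroy Windows recovery mechanisms and rates each host by how many distinct mechanisms were hit. The record fields (`host`, `user`, `command_line`) and the sample events are constructed for the example.

```python
"""Detect ransomware pre-encryption tampering with Windows recovery mechanisms.

Added example: scans process-creation telemetry (Sysmon Event ID 1 or Security
4688 style records) for commands that delete shadow copies, disable recovery and
System Restore, or wipe backup catalogs. Record field names and sample events are
constructed for the example.
"""
from __future__ import annotations

import re

# Each key names the recovery mechanism being removed; each regex is
# case-insensitive and tolerates ".exe" suffixes and extra arguments.
TAMPER_PATTERNS: dict[str, re.Pattern] = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b"
        r"|\bWin32_ShadowCopy\b.*\bDelete\(\)", re.I),
    "shadow_storage_resize": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "recovery_environment_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    # HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 1
    "system_restore_disabled": re.compile(
        r"\bSystemRestore\b.*\bDisableSR\b.*\b1\b", re.I),
}


def classify(command_line: str) -> list[str]:
    """Return the recovery mechanisms a single command line tampers with."""
    return [name for name, rx in TAMPER_PATTERNS.items() if rx.search(command_line)]


def detect(events: list[dict]) -> dict[str, dict]:
    """Group findings per host: {host: {"techniques": set, "commands": list}}.

    Hosts with no findings are omitted.
    """
    findings: dict[str, dict] = {}
    for ev in events:
        hits = classify(ev["command_line"])
        if not hits:
            continue
        entry = findings.setdefault(ev["host"], {"techniques": set(), "commands": []})
        entry["techniques"].update(hits)
        entry["commands"].append((ev["user"], ev["command_line"]))
    return findings


def severity(entry: dict) -> str:
    """Two or more distinct mechanisms on one host is the high-confidence signal:
    legitimate administration rarely removes every way to roll back at once."""
    return "high" if len(entry["techniques"]) >= 2 else "medium"


# Constructed Sysmon Event ID 1-style records (field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\svc_backup",
     "command_line": "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS01", "user": "CORP\\svc_backup",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS01", "user": "CORP\\svc_backup",
     "command_line": "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"},
    # Routine administration: listing, not deleting. Must not match.
    {"host": "WS02", "user": "CORP\\jdoe", "command_line": "vssadmin list shadows"},
    {"host": "WS02", "user": "CORP\\jdoe", "command_line": "bcdedit /enum"},
    {"host": "WS03", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore" '
                     '/v DisableSR /t REG_DWORD /d 1 /f'},
]

if __name__ == "__main__":
    for host, entry in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {severity(entry)} {sorted(entry['techniques'])}")
```

A single `vssadmin list shadows` or `bcdedit /enum` is routine and is not matched; three different recovery mechanisms removed on one host within minutes, as on WS01 above, is the pattern worth paging on.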
3. REvil (Sodinokibi)
- First Detected: 2019
- Type: Ransomware-as-a-Service (RaaS)
- Notable Characteristics:
- REvil is part of the Ransomware-as-a-Service (RaaS) model, where developers sell or lease ransomware to other criminals.
- This ransomware typically encrypts files and threatens to release stolen data publicly if the ransom isn’t paid, increasing the pressure on victims.
- REvil is highly sophisticated and has targeted global corporations, managed service providers (MSPs), and critical infrastructure.
- Impact:
- REvil was behind the July 2021 Kaseya attack, in which a flaw in the Kaseya VSA remote-management product was used to push ransomware through MSPs to roughly 1,500 downstream businesses; the group demanded $70 million for a universal decryptor.
- Known for demanding extremely high ransoms, sometimes in the tens of millions of dollars.
4. LockBit
- First Detected: 2019
- Type: Ransomware-as-a-Service (RaaS)
- Notable Characteristics:
- LockBit operates as RaaS, offering affiliates a percentage of the ransom collected.
- It is designed to encrypt files rapidly and is known for targeting large organizations.
- LockBit uses double extortion tactics, meaning it not only encrypts files but also threatens to publish stolen data.
- Impact:
- LockBit has been linked to several high-profile attacks on healthcare systems, financial institutions, and critical infrastructure.
- LockBit 2.0 emerged in mid-2021 with faster encryption and a bundled exfiltration tool (StealBit), and LockBit 3.0 (LockBit Black) followed in 2022. Law enforcement seized much of the group's infrastructure in February 2024 (Operation Cronos), although affiliates continued to operate under the name.
5. Maze
- First Detected: 2019
- Type: Double extortion ransomware
- Notable Characteristics:
- Maze pioneered the double extortion tactic, where attackers steal data before encrypting it and threaten to release it publicly unless the ransom is paid.
- It gains access through phishing, exploit kits, or exposed RDP connections.
- The Maze team operates like a business, publishing victims' data on a public leak site if the ransom isn't paid.
- Impact:
- Maze has attacked numerous healthcare, legal, and manufacturing companies globally.
- Its operators officially announced that they were shutting down in late 2020, but its methods and infrastructure have inspired successors like Egregor.
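Because double extortion, as practised by REvil and Maze above, exfiltrates data before anything is encrypted, the outbound transfer is often the first observable stage of the attack, and it shows up as a host sending far more to the outside than it normally does. The following is an added example, not code from the original article: Python that compares each internal host's egress to external addresses in an observation window against the same host's egress in a baseline window of equal length, and flags hosts that exceed both a multiplier and an absolute floor, listing destinations never seen in the baseline. The flow records, internal ranges and thresholds are constructed assumptions.

```python
"""Flag hosts whose egress to external addresses jumps far above their baseline.

Added example for the exfiltration stage of double extortion: each internal
host's outbound bytes in an observation window are compared with the same
host's bytes in a baseline window of equal length. Flow records, internal
ranges and thresholds are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

MiB = 2 ** 20
# The organization's own address space; anything outside it is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RATIO_THRESHOLD = 5.0        # window egress must be at least 5x the baseline ...
ABSOLUTE_FLOOR = 500 * MiB   # ... and at least 500 MiB, so idle hosts do not trip on tiny baselines


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_host(flows: list[dict]) -> tuple[dict[str, int], dict[str, set]]:
    """Sum internal->external bytes per source host and record the destinations used."""
    totals: dict[str, int] = defaultdict(int)
    dests: dict[str, set] = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # inbound, transit and internal-only traffic are not egress
        totals[f["src"]] += f["bytes"]
        dests[f["src"]].add(f["dst"])
    return totals, dests


def detect_exfil(baseline_flows: list[dict], window_flows: list[dict]) -> list[dict]:
    """Return one alert per host whose window egress exceeds both thresholds."""
    base_totals, base_dests = egress_by_host(baseline_flows)
    win_totals, win_dests = egress_by_host(window_flows)
    alerts: list[dict] = []
    for host, sent in sorted(win_totals.items()):
        base = base_totals.get(host, 0)
        ratio = sent / base if base else float("inf")  # no baseline egress at all is the worst case
        if sent >= ABSOLUTE_FLOOR and ratio >= RATIO_THRESHOLD:
            alerts.append({
                "host": host,
                "bytes_out": sent,
                "baseline": base,
                "ratio": round(ratio, 1),
                "new_destinations": sorted(win_dests[host] - base_dests.get(host, set())),
            })
    return alerts


def _flow(src: str, dst: str, mib: int) -> dict:
    return {"src": src, "dst": dst, "bytes": mib * MiB}


# Constructed flow summaries. External addresses use RFC 5737 documentation ranges.
BASELINE_FLOWS = [  # a typical window
    _flow("10.0.0.10", "203.0.113.8", 50),      # file server: normal SaaS sync
    _flow("10.0.0.20", "203.0.113.8", 60),
    _flow("10.0.0.30", "203.0.113.8", 10),
    _flow("10.0.0.10", "10.0.0.50", 5000),      # internal backup job, not egress
]
WINDOW_FLOWS = [  # the window under review
    _flow("10.0.0.10", "203.0.113.8", 40),
    _flow("10.0.0.10", "198.51.100.77", 2048),  # 2 GiB to a never-seen external host
    _flow("10.0.0.20", "203.0.113.8", 55),
    _flow("10.0.0.30", "198.51.100.9", 400),    # 40x baseline but under the absolute floor
    _flow("10.0.0.10", "10.0.0.50", 6000),
]

if __name__ == "__main__":
    for a in detect_exfil(BASELINE_FLOWS, WINDOW_FLOWS):
        print(a)
```

The absolute floor matters as much as the ratio: a workstation that normally sends almost nothing will show a huge ratio on a single large e-mail attachment, while the host that actually matters is the file server that quietly pushed 2 GiB to an address it had never contacted before.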
6. Dharma (CrySiS)
- First Detected: 2016
- Type: Ransomware-as-a-Service (RaaS)
- Notable Characteristics:
- Dharma, also known as CrySiS, is another RaaS operation that targets small and medium-sized businesses (SMBs), typically by brute-forcing or buying credentials for internet-exposed RDP services.
- Dharma encrypts files with AES-256, appends the victim ID and the attacker's contact e-mail address to each file name, and demands ransom in Bitcoin.
- The ransomware is distributed through a network of affiliates, similar to other RaaS operations.
- Impact:
- Dharma attacks are typically low-profile but widespread, targeting businesses that rely on RDP.
- It has affected SMBs across industries, leading to significant downtime and business disruption.
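Ryuk and Dharma both arrive through RDP that is exposed to the internet and protected only by a password, so the guessing that precedes the intrusion is visible in Windows Security logs long before any file is encrypted. The following is an added example, not code from the original article: Python that replays logon events (4625 = failure, 4624 = success, logon type 10 = RemoteInteractive, i.e. RDP) through a sliding window per source IP, raises one alert when a source crosses a failure threshold inside the window, and a second, higher-priority alert when a success from that same source follows the burst. The key=value line format and the sample records are constructed for the example; a real pipeline would read the events from the event log or a SIEM.

```python
"""Detect RDP password guessing and a subsequent successful logon.

Added example: replays Windows Security logon events (4625 = failure,
4624 = success; logon type 10 = RemoteInteractive, i.e. RDP) through a
sliding window per source IP. The key=value line format and the sample
records are constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10            # failures from one source inside WINDOW trigger an alert
WINDOW = timedelta(minutes=5)
RDP_LOGON_TYPE = 10


def parse(line: str) -> dict:
    """Parse one 'key=value key=value' record into typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "time": datetime.fromisoformat(fields["time"]),
        "event_id": int(fields["event_id"]),
        "src_ip": fields["src_ip"],
        "user": fields["user"],
        "logon_type": int(fields["logon_type"]),
    }


def detect_rdp_attacks(lines: list[str]) -> list[dict]:
    """Return alerts in time order: 'rdp_brute_force' when a source crosses
    FAIL_THRESHOLD failures inside WINDOW, and 'rdp_success_after_burst' when a
    success from that source arrives while those failures are still in the window."""
    failures: dict[str, deque] = defaultdict(deque)  # src_ip -> failure timestamps in window
    users: dict[str, set] = defaultdict(set)         # src_ip -> accounts tried (spray indicator)
    flagged: set[str] = set()
    alerts: list[dict] = []
    for ev in sorted((parse(line) for line in lines), key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console and service logons are out of scope for this rule
        ip, t = ev["src_ip"], ev["time"]
        q = failures[ip]
        while q and t - q[0] > WINDOW:
            q.popleft()  # expire failures that fell out of the window
        if ev["event_id"] == 4625:
            q.append(t)
            users[ip].add(ev["user"].lower())
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "rdp_brute_force", "src_ip": ip, "time": t,
                               "failures": len(q), "distinct_users": len(users[ip])})
        elif ev["event_id"] == 4624 and len(q) >= FAIL_THRESHOLD:
            # A success while a burst of failures is still in the window: treat as compromise.
            alerts.append({"type": "rdp_success_after_burst", "src_ip": ip, "time": t,
                           "user": ev["user"]})
    return alerts


# Constructed records (RFC 5737 documentation addresses for the external sources).
_T0 = datetime(2024, 3, 1, 2, 15, 0)
_TRIED = ["administrator", "admin", "backup", "scan", "helpdesk",
          "sql", "rdp", "test", "user1", "guest", "Administrator", "ADMIN"]
SAMPLE_LOGS = [
    f"time={(_T0 + timedelta(seconds=3 * i)).isoformat()} event_id=4625 "
    f"src_ip=203.0.113.45 user={u} logon_type=10"
    for i, u in enumerate(_TRIED)
] + [
    f"time={(_T0 + timedelta(seconds=40)).isoformat()} event_id=4624 src_ip=203.0.113.45 user=administrator logon_type=10",
    # A user who mistyped a password twice and then got in: below threshold, no alert.
    f"time={(_T0 + timedelta(seconds=5)).isoformat()} event_id=4625 src_ip=198.51.100.7 user=jdoe logon_type=10",
    f"time={(_T0 + timedelta(seconds=9)).isoformat()} event_id=4625 src_ip=198.51.100.7 user=jdoe logon_type=10",
    f"time={(_T0 + timedelta(seconds=12)).isoformat()} event_id=4624 src_ip=198.51.100.7 user=jdoe logon_type=10",
    # Interactive console logon (type 2) is ignored by the RDP rule.
    f"time={(_T0 + timedelta(seconds=20)).isoformat()} event_id=4624 src_ip=10.0.0.5 user=svc logon_type=2",
]

if __name__ == "__main__":
    for a in detect_rdp_attacks(SAMPLE_LOGS):
        print(a)
```

The `distinct_users` count separates password spraying (many accounts, few attempts each) from brute force against one account; both are worth blocking at the firewall, but the success-after-burst alert is the one that means an intrusion has already begun. The durable fix is the same for every group on this page that uses RDP: do not expose it to the internet, and require MFA on whatever gateway or VPN fronts it.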
7. DarkSide
- First Detected: 2020
- Type: Ransomware-as-a-Service (RaaS)
- Notable Characteristics:
- DarkSide uses RaaS to target organizations, encrypt data, and exfiltrate it for double extortion purposes.
- It was highly selective in choosing targets, claiming to avoid healthcare and government institutions.
- DarkSide is known for offering customer support to victims to help them navigate ransom payments and data recovery.
- Impact:
- DarkSide was responsible for the Colonial Pipeline attack in 2021, which caused widespread fuel shortages across the U.S. East Coast.
- The attackers demanded approximately $4.4 million (75 BTC); the U.S. Department of Justice later recovered about 63.7 BTC of the payment.
8. Conti
- First Detected: 2020
- Type: Double extortion ransomware
- Notable Characteristics:
- Conti uses double extortion to pressure victims into paying ransoms by threatening to release stolen data.
- It is operated by a Russian-speaking group (tracked as Wizard Spider) that is also linked to the TrickBot malware.
- Conti's encryptor is multithreaded and extremely fast, which leaves defenders very little time to stop the attack once encryption begins.
- Impact:
- Conti has attacked healthcare providers, government agencies, and educational institutions.
- The May 2021 attack on Ireland's Health Service Executive (HSE) shut down the national health service's IT systems for weeks; the attackers demanded $20 million, which the HSE refused to pay.
9. Egregor
- First Detected: 2020
- Type: Double extortion ransomware
- Notable Characteristics:
- Egregor is believed to be a successor to Maze after the Maze group claimed to shut down its operations.
- It uses double extortion, combining file encryption with the threat of releasing stolen data.
- Egregor is typically delivered via phishing emails with malicious attachments, or by exploiting exposed remote desktop services.
- Impact:
- Egregor has attacked major retailers, logistics companies, and service providers, including high-profile targets like Ubisoft and Crytek.
- Its rapid rise made it one of the most prolific ransomware strains of late 2020; arrests of affiliates in Ukraine in February 2021 disrupted the operation.
10. Netwalker
- First Detected: 2019
- Type: Ransomware-as-a-Service (RaaS)
- Notable Characteristics:
- Netwalker is another RaaS variant that targets government agencies, corporations, and healthcare providers.
- The operators gained network access by exploiting vulnerabilities in VPN appliances, exposed RDP, and web servers.
- Netwalker also adopted the double extortion tactic, stealing data before encrypting it.
- Impact:
- Netwalker was responsible for numerous high-profile attacks, including one on the University of California, San Francisco (UCSF) in June 2020, which paid about $1.14 million.
- In January 2021 the U.S. Department of Justice, working with Bulgarian authorities, seized Netwalker's dark-web leak site and charged a Canadian affiliate, disrupting the operation.
Conclusion
These ransomware variants have caused significant disruption across multiple industries, and the operations behind them have grown more sophisticated, with affiliate programs and dedicated leak sites. Double extortion, where data is exfiltrated before it is encrypted, has become the norm, so restoring from backup no longer ends the incident. The entry points above repeat from group to group: unpatched internet-facing services, RDP and VPN access protected only by a password, and phishing that drops a loader such as Emotet or TrickBot. Organizations should therefore patch internet-facing systems promptly, require multi-factor authentication (MFA) on every remote-access path, keep offline or immutable backups and test restoring from them, segment networks to limit lateral movement, monitor for recovery tampering and unusual outbound transfers, and train employees to recognize and report phishing.