We’re revealing the top 10 nastiest ransomware attacks from the past year. NotPetya came in on our list as the most destructive ransomware attack of 2017, followed closely by WannaCry and Locky in the number two and three spots, respectively. NotPetya took number one because of its intent to damage a country’s infrastructure. Unlike most ransomware attacks, NotPetya’s code wasn’t designed to extort money from its victims, but to destroy everything in its path.
While NotPetya and WannaCry were first uncovered in 2017, the other ransomware attacks on our top 10 list made their debuts last year. These attacks either continued into 2017 or returned with a vengeance.
This top 10 list underscores the reality of our increasingly connected world—cybercriminals will continue to develop new infections and will capitalize on reliable, successful attack methods.
NotPetya
DESCRIPTION
Starting as a fake Ukrainian tax software update, this ransomware is a variant of an older attack dubbed Petya, except this version uses the same exploit behind WannaCry. Once the software update was applied to devices, hackers used the exploits to spread laterally through networks like a worm. The code used to build NotPetya was not designed to extort money from its victims, but rather to destroy everything in its path.
Inception: June 2017
Attack vector: Supply chain (ME.doc) and the Eternal Blue and Eternal Romance exploits
DAMAGE REPORT
The ransom originally asked for about $300 in bitcoin, but the system that collected money from victims for decryption keys quickly disintegrated. NotPetya was designed to do as much damage to Ukrainian infrastructure as possible. Not only did it shut down Ukrainian power plants, banking services, and supermarkets, but NotPetya also infected hundreds of thousands of computers in over 100 countries. Additionally, the ransomware shut down Maersk, the largest shipping container vessel in the world, along with FedEx (causing a reported $300 million in damage).
Destruction Zone: 100+ countries
WannaCry
DESCRIPTION
The attackers behind WannaCry used the NSA 0-day Eternal Blue and Double Pulsar exploits first made available earlier this year by a group called the Shadow Brokers. Initially, the malware propagated via spam emails—including fake invoices, job offers, and other traps—which contained a .zip file that initiated the WannaCry infection. Eternal Blue exploits an older flaw in Server Message Block (SMB) in Microsoft Windows, which can allow remote code execution. This flaw was patched in Microsoft’s March 2017 update cycle, but many organizations had not applied the patch or were using unsupported legacy operating systems like XP.
Inception: First appeared in March 2017 but spread in May 2017
Attack vector: Eternal Blue Server Message Block (SMB) exploit kit
DAMAGE REPORT
WannaCry was the very first ransomware to take the whole world by storm, infecting several hundred thousand people in a single day. Some reports say the damage could be up to $4 billion. Luckily, a security researcher in England managed to discover a kill switch domain, which was all anyone needed to disable it. Further analysis shows that the kill switch domain has received over 10 million different connections since it was made available, suggesting WannaCry could have been even more destructive.
Destruction Zone: 150+ countries
Locky
DESCRIPTION
The most popular ransomware of 2016 is still alive and well in 2017. New variants of Locky—Diablo and Lukitus—surfaced this past August using the same initial phishing email attack vector. The emails contain a zipped attachment with malicious JavaScript that downloads the Locky payload. Most of the emails pose as fake invoices from companies such as Amazon Marketplace and Herbalife. More recently, the ransomware has been spotted using an email distribution campaign with Game of Thrones references in its scripting variables.
Inception: February 2016
Attack vector: Spam Email
DAMAGE REPORT
Crowned the king of spam emails, Locky can reach millions of users per day in campaigns. One of the first organizations hit was the Hollywood Presbyterian Medical Center in Los Angeles. The hospital paid the ransom demand of 40 bitcoins (approximately $17,000 at the time) to regain access to their systems. That’s a huge payday for a single attack. Other individual reports reveal the requested amount is typically around 0.5 to 1 bitcoin ($400 to $800).
Destruction Zone: United States, United Kingdom, Ireland, Australia, New Zealand, Canada, China, Russia, Japan, Italy, Spain, France, Mexico, South Africa, Sweden, Costa Rica, Puerto Rico, Bulgaria, Serbia, Switzerland, Barbados, Turkey, India, Philippines, Malaysia, Saudi Arabia, Brazil, and more
CrySis
DESCRIPTION
This attack is the ultimate form of Remote Desktop Protocol (RDP) compromise. RDP is one of the most common ways to deploy ransomware because cybercriminals can compromise administrator accounts and systems that control entire organizations. As CrySis encrypts a computer, it also removes all of the automatic backups, so users can’t use them to restore files.
Inception: First detected in February 2016; took a few months to spread
Attack vector: Remote Desktop Protocol (RDP)
DAMAGE REPORT
Initially, CrySis demanded between $455 and $1,022 in bitcoin. On three separate occasions, verified decryption keys have been released for CrySis, most recently in May 2017.
Destruction Zone: United States, Canada, France, Australia, Vietnam, Mexico, Italy, Russia, Portugal, Spain, Serbia, Puerto Rico, South Africa, India, China, Turkey, New Zealand, Philippines, Malaysia, Saudi Arabia, Brazil, and more
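The backup removal described for CrySis is, on Windows, normally a matter of deleting Volume Shadow Copies from the command line, which makes it one of the most reliable early warnings that an RDP intrusion has turned into ransomware. The script below is an added example, not code from the post or from Webroot: it runs a handful of shadow-copy-tampering patterns over process-creation events and flags hosts where more than one technique fires. The log format, host names and commands are constructed for the example, and the command patterns are an assumption about how such backups are generally removed, since the post does not say how CrySis does it.

```python
import re
from typing import Dict, List, Set

# Command lines commonly used to destroy Volume Shadow Copies or disable recovery.
# Assumption: the post only says the automatic backups are removed; these are the
# usual ways that is done on Windows, not CrySis-specific indicators from the post.
SHADOW_TAMPER_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin resize shadowstorage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic shadowcopy delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin delete catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit recovery disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
}

# One process-creation event per line (constructed format, loosely modelled on Sysmon event 1).
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>[^"]*)"'
)

# Constructed sample events: one workstation shows a tampering burst, a server shows
# a benign administrative query that must not alert.
SAMPLE_LOG = """\
2017-10-30T01:12:03Z host=WS-07 user=jdoe image=C:\\Windows\\explorer.exe cmd="explorer.exe"
2017-10-30T01:12:40Z host=WS-07 user=jdoe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"
2017-10-30T01:12:41Z host=WS-07 user=jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"
2017-10-30T01:13:02Z host=WS-07 user=jdoe image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
2017-10-30T09:00:00Z host=SRV-01 user=backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe list shadows"
"""


def find_backup_tampering(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per event whose command line matches a tampering pattern."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than crash the detector
        for technique, pattern in SHADOW_TAMPER_PATTERNS.items():
            if pattern.search(m["cmd"]):
                findings.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                                 "technique": technique, "cmd": m["cmd"]})
                break  # one finding per event is enough
    return findings


def hosts_to_isolate(findings: List[Dict[str, str]], min_techniques: int = 2) -> Set[str]:
    """Hosts on which at least `min_techniques` distinct tampering techniques were seen.
    Requiring more than one technique cuts noise from a lone administrative command."""
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["technique"])
    return {host for host, techs in seen.items() if len(techs) >= min_techniques}


if __name__ == "__main__":
    hits = find_backup_tampering(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]}: {h["technique"]} <- {h["cmd"]}')
    print("isolate:", sorted(hosts_to_isolate(hits)))
```

On the sample events the workstation WS-07 produces three findings within a minute while the server's `vssadmin list shadows` produces none, so only WS-07 is returned for isolation. The threshold in `hosts_to_isolate` is the knob to tune: a single `vssadmin delete shadows` from a known backup operator account is routine, a burst of different techniques from an interactive user session is not.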
Nemucod
DESCRIPTION
Arriving via fake shipping invoice emails, Nemucod, once opened, downloads malware and encryption components stored on compromised websites. Nemucod would have been crowned most malicious spam email if Locky hadn’t reignited in August.
Inception: Historically, the hackers behind Nemucod teamed up with Teslacrypt, which was huge in 2015 and 2016; in 2017, they made their own ransomware variant
Attack vector: Spam Email
DAMAGE REPORT
Those infected with Nemucod receive a ransom note demanding $300 in bitcoin in exchange for the safe return of their files.
Destruction Zone: United States, United Kingdom, Ireland, France, Spain, Germany, Greece, Portugal, Poland, Belgium, Netherlands, Norway, Sweden, Japan, India, China, Russia, Turkey, Serbia, Mexico, Australia, New Zealand, Philippines, Malaysia, Saudi Arabia, Brazil, and more
Jaff
DESCRIPTION
Like Locky, new variants of Jaff ransomware continue to be distributed. Jaff leverages phishing emails and bears characteristics associated with other successful malware. While Jaff may not have garnered the level of attention WannaCry received, the techniques used in its distribution put it in an exclusive club, one whose recent membership includes both Dridex and Locky.
Inception: May 2017
Attack vector: Spam Email
DAMAGE REPORT
The initial ransom demand was 2 bitcoins ($3,700).
Destruction Zone: United States, United Kingdom, Australia, Canada, Ireland, France, Spain, Greece, Germany, Portugal, Poland, Belgium, Netherlands, Norway, Sweden, Japan, India, China, Russia, Mexico, New Zealand, and more
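Locky, Nemucod and Jaff all arrive the same way: a spam email carrying a zipped attachment whose script downloads the payload once a user opens it. A mail gateway or triage script can catch most of these lures without executing anything, simply by reading the archive's directory and looking for script extensions and double extensions such as "Invoice.pdf.js". The Python below is an added example, not code from the post or from Webroot; the extension lists are an assumption about a typical gateway blocklist, and the sample archives it builds are constructed for the example.

```python
import io
import zipfile
from typing import List, Optional

# Extensions Windows runs as a script or program on double-click. Assumption: a typical
# mail-gateway blocklist; the post only says the attachments carry malicious JavaScript.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".cmd", ".bat", ".ps1"}
# Document-like extensions a lure borrows to look harmless ("Invoice.pdf.js").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_member(name: str) -> Optional[str]:
    """Return a reason if an archive member looks like a script lure, else None."""
    base = name.lower().rsplit("/", 1)[-1]   # zip entries use forward slashes
    parts = base.split(".")
    if len(parts) < 2:
        return None                           # no extension at all
    ext = "." + parts[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return f"double extension masquerading as {parts[-2]}: {name}"
    return f"executable script in archive: {name}"


def triage_zip_attachment(data: bytes, max_members: int = 50) -> List[str]:
    """List findings for a zip attachment using only its central directory, without extracting."""
    findings: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist()[:max_members]:
                reason = classify_member(info.filename)
                if reason:
                    findings.append(reason)
    except zipfile.BadZipFile:
        # A non-zip blob named .zip is itself worth a look; report it instead of crashing.
        findings.append("attachment is not a valid zip archive")
    return findings


def build_sample_lure() -> bytes:
    """Construct an archive shaped like the fake-invoice lures described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_83744.pdf.js", "// constructed placeholder, not a real downloader\n")
        zf.writestr("README.txt", "constructed benign file\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Construct an archive with only a document inside, which should pass clean."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", "constructed benign document\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("lure", build_sample_lure()), ("benign", build_benign_archive()), ("junk", b"not a zip"))
    for label, blob in samples:
        print(label, triage_zip_attachment(blob) or ["clean"])
```

The check never opens or runs a member, so it is safe to apply to every inbound attachment; it only reads filenames from the archive directory. The `max_members` cap keeps a zip bomb with thousands of entries from tying up the gateway, and a blob that is not a valid zip is reported rather than silently passed.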
Spora
DESCRIPTION
To distribute this ransomware, cybercriminals hack legitimate websites to add JavaScript code. Visitors to the sites receive a pop-up prompt to update their Chrome browser if they want to continue viewing the page. Downloading the "Chrome Font Pack" infects the user’s system. This attack is named after the Russian word for "spore."
Inception: January 2017
Attack vector: Bogus font pack update in a browser message
DAMAGE REPORT
Unique to Spora is a menu of purchases tailored to the particular needs of the victim. Via the well-crafted ransom payment site, victims can restore their first two files (free!); restore additional files ($30); decrypt their files ($79); buy immunity from future Spora infections ($50); and remove all Spora-related files after paying the ransom ($20). Note: the prices reflected are from Spora’s inception.
Destruction Zone: United States, United Kingdom, Canada, France, Italy, Poland, Mexico, Serbia, Turkey, Singapore, Japan, South Africa, Botswana, Netherlands, Niger, Bangladesh, Philippines, Malaysia, Saudi Arabia, Brazil, Portugal, Germany, Ireland, Spain, Hungary, Belarus, Vietnam, Belgium, and more
Cerber
DESCRIPTION
Cerber has effectively utilized multiple attack vectors via RDP and spam emails. However, Cerber also distributes ransomware-as-a-service (RaaS). Through this “service,” cybercriminals package up ransomware and then give other criminals the tools to distribute as they see fit. The author of Cerber takes a 30% cut of the profits.
Inception: March 2016; has been making several reappearances since its debut, most recently this October
Attack vector: Remote Desktop Protocol (RDP), Spam Email, RaaS
DAMAGE REPORT
One of the latest incarnations of Cerber will steal cryptocurrency and passwords from victims, providing an additional means of profit on top of the bitcoin ransom demands (between $300 and $600).
Destruction Zone: United States, United Kingdom, Ireland, Canada, Singapore, South Africa, France, Italy, Japan, Chile, India, Australia, China, Germany, Malaysia, Greece, Sweden, Botswana, Turkey, Hungary, Spain, Norway, Serbia, and more
CryptoMix
DESCRIPTION
CryptoMix is often distributed through RDP, but also through exploit kits delivered by malvertising, in which victims click a malicious ad that leads to a hacked shopping site, which then attacks their device. CryptoMix can also hide on flash drives, so if a user inserts a flash drive from an infected system into another, the infection spreads.
Inception: March 2016
Attack vector: Remote Desktop Protocol (RDP) and Exploit Kit
DAMAGE REPORT
This ransomware is one of the few that doesn’t use a payment portal on the dark web. Instead, users must wait for the cybercriminals to email them instructions, usually demanding a hefty Bitcoin ransom (5 bitcoin, or approximately $3,000).
Destruction Zone: United States, United Kingdom, Ireland, New Zealand, Australia, Canada, Italy, Singapore, Turkey, Serbia, Greece, South Africa, India, Mexico, Chile, Ukraine, China, Germany, Malaysia, Japan, Sweden, Botswana, Spain, Hungary, Portugal, Norway, Iran, Russia, Israel, and more
Jigsaw
DESCRIPTION
Jigsaw ransomware, named for the iconic character from the Saw film franchise, distributes via spam email and deletes a victim’s files every hour and each time the infection process starts until the ransom is paid.
Inception: April 2016
Attack vector: Spam Email
DAMAGE REPORT
Every hour, Jigsaw ransomware deletes victims’ files until they pay the ransom (prices ranging from $20 to $200). After the initial infection, whenever the ransomware is restarted after process termination or a reboot, Jigsaw will delete a thousand files from the victim's computer.
Destruction Zone: United States, United Kingdom, Ireland, Italy, Canada, Australia, New Zealand, Singapore, Serbia, Japan, Turkey, South Africa, Niger, France, Greece, Mexico, India, Chile, Bangladesh, Philippines, Malaysia, Saudi Arabia, Brazil, Botswana, Poland, Netherlands, Russia, Ukraine, and more
To view our Top 10 Nastiest Ransomware infographic, click here.
Not sure how to protect yourself online? Read our safety tips.
About the Author
Sr. Security Analyst
Tyler Moffitt is a Sr. Security Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.
The most effective tool for stopping malware is good user training; Webroot is a close second.
I already dealt with at least 4 of these listed and I hated every one of them. Not fun at all to have to deal with.
Blessed so far not to have to deal with any of these.
Great infograf & thanks for the share Tyler.
A good summary, it shows there is a lot for people to be scared about even when it’s not Halloween.
Thanks for the summary.
Luckily haven’t had to deal with these! But we had to prep for them …
Thank goodness my own clients have been safe.. so far!
Things will only get worse sadly... and all we can do is protect as best we can.
What is ransomware? I think us Webroot users don’t get exposed to this stuff.
Would love to have a copy of the infographic to re-brand and to send out to clients. Awareness is key.
It has been a busy year. I’m glad Webroot is part of our security stack.
Hard to keep up and hope all and future are protected by Webroot!
Luckily none of our agents got touched by these attacks.
Guess we’re lucky; so far only seen the CCleaner malware this year. And phish, oh the phishing ….
Thanks for the summary
Nice! Thanks for the infographic.
Great graphics, really liked the monsters 🙂
I’ve only heard of some of these before, so it’s good to see the names and what they were, to be more aware of what’s going on.
Cerber was one of the worst my MSP business had to deal with.
Users are the first weakness; our mission is to help users not make mistakes, or if they do, to make the damage less.
I couldn’t agree more, Matteo!! Thanks for chiming in.
~JP~
Got to see 3 of them this year. That’s why we’re now Webroot MSP
So far we have not had to fight any of these attacks. Hoping to keep it that way! Check those backups and endpoints for protection!
Education is the best prevention. However, it doesn’t fix poor decision making skills. Webroot does assist here.
Excellent advice, Jeff!
Definitely user training is a great deterrent; however, a layered approach to anti-virus built around Webroot is just as important.
Knock on wood, we haven’t had any of these!
HI
Interesting info but the white-on-black text in little bits was annoying to peruse. More info, less cute please!
Great illustrations of ransomware attacks. Love the style and creativity behind it! A+