Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Ransomware

Ransomware Description
Dharma - Ransomware The ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016, and the threat actors behind the ransomware continue to release new variants that are not decryptable.
WannaCry - Ransomware The ransomware uses exploits leaked by the Shadow Brokers and has infected a large number of computers, including those in the government, telecom, and educational sectors. Encrypted files are denoted by the .WNCRYT extension. The bounty for WannaCry ranges from $300 to $600, but payments may not be uniquely associated with a system.
Fake Globe - Ransomware The ransomware impersonates Globe ransomware and appends various extensions to encrypted files. The ransomware continues to evolve and multiple variants continue to appear in the wild. The malicious software is also known as Globe Imposter, Ox4444, and GUST. Victims are required to email the threat actor for the decryption key to gain access to the encrypted files.
Phobos - Ransomware The ransomware uses AES encryption and adds various extensions to infected files. The malware was discovered in late 2017 with new variants being discovered throughout 2019. The victim is required to email the threat actor at one of many email addresses for the decryption key.
Scarab - Ransomware The ransomware uses AES encryption and adds various extensions to infected files. In November 2017 it was discovered the Necurs botnet was used to spread the malicious software. Multiple variants of the ransomware continue to appear on the threat landscape.
Stop - Ransomware The ransomware uses AES encryption and adds one of more than 20 different extensions to infected files. The malicious software was discovered at the end of 2017 with new variants appearing on the threat landscape throughout 2018 and into 2019. The ransom note for some variants purports to give the victim a 50% discount if the threat actor is contacted via email within 72 hours.
Ryuk - Ransomware The ransomware uses AES and RSA encryption and demands between 15 and 50 Bitcoin for the decryption key. The malicious software kills hundreds of processes and services and encrypts both local and network drives. The attacks are reported to be targeted at organizations that are capable of paying the large ransom demanded. Variants found in mid-2019 will not infect the system if the computer's IP address or computer name is part of a blacklist.
Sodinokibi - Ransomware The ransomware appends a random extension to encrypted files and claims to double the price of the ransom if not paid on time. The malware is actively being distributed in the wild through Managed Service Providers, exploitation of server flaws, spam campaigns, and exploit kits.
ERIS - Ransomware The ransomware appends ".eris" to infected files and uses both Salsa20 and RSA-1024 encryption. Variants of the malware are known to be distributed in drive-by downloads via the RIG exploit kit. Payment instructions are sent to the victim after emailing the threat actor with one encrypted file.
Unnamed Encrypt - Ransomware The ransomware, also known as eCh0raix, appends ".encrypt" to infected files and targets QNAP Network Attached Storage (NAS) devices. The malware is written in the Go programming language and terminates the encryption process if the device is in Belarus, Ukraine, or Russia.