Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Ransomware

Ransomware: Description
Dharma - Ransomware: The ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016, and the threat actors behind it continue to release new variants that are not decryptable.
Phobos - Ransomware: The ransomware uses AES encryption and adds various extensions to infected files. The malware was discovered in late 2017, with new variants discovered throughout early 2019. The victim is required to email the threat actor at one of many email addresses for the decryption key.
Ryuk - Ransomware: The ransomware uses AES and RSA encryption and demands between 15 and 50 Bitcoin for the decryption key. The malware kills hundreds of processes and services and encrypts not only local drives but also network drives. The attacks are reported to target organizations capable of paying the large ransom demanded.
Sodinokibi - Ransomware: The ransomware appends a random extension to encrypted files and reportedly doubles the ransom if it is not paid on time. The malware is actively distributed in the wild through Managed Service Providers, exploitation of server flaws, spam campaigns, and exploit kits.
Maze - Ransomware: The ransomware uses RSA-2048 and ChaCha20 encryption and requires the victim to contact the threat actor by email for the decryption key. The threat actors behind the malware are known to have attacked multiple sectors, including government and manufacturing, and threaten to release the company's data if the ransom is not paid.
SunCrypt - Ransomware: The ransomware shares an IP address with Maze ransomware and uses an obfuscated PowerShell script to install the malicious software. SunCrypt appends a hexadecimal hash to encrypted files and drops a ransom note stating that the victim's data was not only encrypted but also exfiltrated, and will be published or sold if the ransom is not paid.
Mailto - Ransomware: The ransomware, also known as Netwalker, targets enterprise networks and encrypts all Microsoft Windows systems found. The malware was detected in August 2019, with new variants discovered throughout the year and into 2020. The ransomware appends a random extension to infected files and uses Salsa20 encryption. It added a new defense evasion technique, reflective DLL loading, to inject a DLL from memory.
Conti - Ransomware: A new ransomware family known as Conti was discovered using multiple techniques to find files to attack and to carry out the encryption process. The malware uses multiple threads to encrypt files faster than other ransomware families and contains command-line options to scan for local files as well as remote files over SMB shares. Conti also uses the Windows Restart Manager to free up files that are open in other applications. The ransomware uses AES-256 encryption and r...
Thanos - Ransomware: Thanos ransomware was first discovered in February 2020, advertised on underground forums as a customizable piece of ransomware with different builds and settings. Being available on the market means that Thanos could be used by different threat actors. Thanos has been detected in multiple attacks against state-sponsored organizations in the Middle East and North Africa.
Egregor - Ransomware: Egregor ransomware exfiltrates sensitive information before encrypting files and gives the victim three days to contact the threat actor before the stolen data is posted online. The malicious software is a variant of the Sekhmet ransomware family and uses multiple techniques to bypass defensive measures, including obfuscation, software packing, and sandbox evasion. The ransom note reports that the actor is willing to provide security recommendations to help the victim avoid being breached again.