Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Ransomware

Ransomware Description
Dharma - Ransomware The ransomware is a variant of CrySiS and appends various extensions to infected files. The malware has been in operation since 2016, and the threat actors behind it continue to release new variants that are not decryptable.
Maze - Ransomware The ransomware encrypts files with ChaCha20 and protects the file keys with RSA-2048, so the victim must contact the threat actor by email for the decryption key. The threat actors behind the malware are known to have attacked multiple sectors, including government and manufacturing, and threaten to release the victim's data if the ransom is not paid.
Ragnar Locker - Ransomware The ransomware performs reconnaissance on the targeted network, exfiltrates sensitive information, and then notifies the victim that the files will be released to the public if the ransom is not paid. The threat actor behind the malware is known to demand hundreds of thousands of dollars and creates a ransom note that includes the company name. The ransomware targets remote management software used by managed service providers, enumerates all running services on the infected host, and stops service...
Mailto - Ransomware The ransomware, also known as Netwalker, targets enterprise networks and encrypts every Microsoft Windows system it finds. The malware was detected in August 2019, with new variants discovered throughout the year and into 2020. The ransomware appends a random extension to infected files and uses Salsa20 encryption. It added a new defense evasion technique, reflective DLL loading, which maps and executes a DLL directly from memory without writing it to disk.
Nefilim - Ransomware The ransomware encrypts files with AES-128 and appends ".NEFILIM" to infected files. The malware shares code with the Nemty ransomware family but relies on email communication for payment instead of a Tor payment site. The threat actor behind Nefilim threatens to release stolen data if the ransom is not paid within seven days.
ProLock - Ransomware The ransomware was discovered in mid-2020 and is a rebranded version of PwndLocker. The ransom for the decryption key depends on the size of the network and can run from $100,000 to over $600,000. ProLock's initial infection vectors are attacks on public-facing Remote Desktop servers and distribution via the QakBot trojan. The ransomware uses multiple techniques for deployment and lateral movement, including WMI and PowerShell.
Lockbit - Ransomware The Ransomware-as-a-Service (RaaS) hit the threat landscape in September 2019 and was observed breaching a company and encrypting the entire network in a few hours. The attacker brute-forced a web server running an outdated VPN service, used SMB to perform network reconnaissance, and then used the internal Microsoft Remote Access Server to gain access to remote systems. Lockbit attempts to stop multiple services, including those belonging to anti-virus, ...
VCrypt - Ransomware The ransomware uses the 7-Zip command-line application to create a password-protected archive of files and directories and then deletes the original data. The malware appends ".vxcrypt" to the archive and opens a ransom note named help.html with Internet Explorer. VCrypt focuses on infecting French victims and directs the user to a web page for instructions on how to obtain the password for the locked files.
ColdLock - Ransomware Multiple entities in Taiwan were targeted with the ColdLock ransomware, which focuses on encrypting databases and email servers. The malware stops a range of services before encryption, including MariaDB, MSExchangeIS, MSSQL, MySQL, and Oracle. AES in CBC mode is used for encryption, and the malware drops the ransom note in various locations, including %Desktop%, %System Root%, and %User Startup%. ColdLock is fileless and uses a PowerShell script to load the malicious software into memory.
MilkmanVictory - Ransomware The ransomware uses both AES and RSA encryption and appends ".paradox" to infected files. A group of hackers known as CyberWare has taken credit for the malware and apparently targets scam companies that offer fake loans to users. The ransom note dropped by the malicious software offers no way to pay a ransom or recover the encrypted files and reports that the computer has been destroyed.
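Several of the entries above share one pre-encryption step that is easy to alert on: ColdLock, Lockbit and Ragnar Locker stop database, mail, anti-virus or other services so that locked files can be overwritten, and VCrypt stands out for driving 7-Zip with a password switch instead of carrying its own cipher. The following Python detector is an added example, not code from this dashboard or from any vendor. It runs over a constructed, simplified flat log format (timestamp|host|event|detail) standing in for Sysmon process-creation events and Windows System log 7036 service-state messages; the service-name prefixes beyond the five listed in the ColdLock entry, the 120-second window, the threshold of three services and the assumption that VCrypt-style archiving shows up as 7z.exe with a -p switch are all assumptions made for the example.

```python
"""Flag the service-stop burst that precedes encryption in ColdLock,
Lockbit and Ragnar Locker, plus VCrypt-style password-protected 7-Zip
archiving. Added example; not code from the dashboard or any vendor.

Log format is constructed for this example: timestamp|host|event|detail,
where event is 'process_create' (command line in detail) or
'service_state' (System log 7036 message text in detail).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Service-name prefixes whose stop on a server is a pre-encryption signal.
# The first five come from the ColdLock entry; 'windefend' and 'veeam'
# (anti-virus / backup, the kind Lockbit and Ragnar Locker stop) are assumed.
WATCHED_PREFIXES = ("mariadb", "msexchange", "mssql", "mysql", "oracle",
                    "windefend", "veeam")

# net stop X / net1 stop X / sc stop X / Stop-Service [-Name] X
STOP_CMD = re.compile(
    r'\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|stop-service)'
    r'\s+(?:-name\s+)?"?([\w .$-]+)', re.I)
# Event 7036 text: "The MSSQLSERVER service entered the stopped state."
STOPPED_STATE = re.compile(r"The (.+?) service entered the stopped state", re.I)
# 7z.exe invoked with a -p<password> switch (assumed VCrypt-style usage)
SEVEN_ZIP_PW = re.compile(r"7za?\.exe.*\s-p\S*", re.I)

WINDOW = timedelta(seconds=120)   # assumed: stops this close together are one burst
THRESHOLD = 3                     # assumed: distinct watched services per burst


def parse(line):
    ts, host, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, detail


def stopped_service(event, detail):
    """Return the lower-cased name of the service a line stops, or None."""
    if event == "process_create":
        m = STOP_CMD.search(detail)
    elif event == "service_state":
        m = STOPPED_STATE.search(detail)
    else:
        return None
    return m.group(1).strip().lower() if m else None


def is_watched(service):
    return service.startswith(WATCHED_PREFIXES)


def detect(lines):
    """Return alerts as (host, timestamp, finding). finding is a tuple of
    the watched services stopped inside WINDOW, or the string
    '7z-password-archive' for a password-protected 7-Zip run."""
    recent = defaultdict(deque)   # host -> deque of (timestamp, service)
    fired, alerts = set(), []
    for line in lines:
        ts, host, event, detail = parse(line)
        if event == "process_create" and SEVEN_ZIP_PW.search(detail):
            alerts.append((host, ts, "7z-password-archive"))
        svc = stopped_service(event, detail)
        if not svc or not is_watched(svc):
            continue
        q = recent[host]
        q.append((ts, svc))
        while ts - q[0][0] > WINDOW:      # slide the window forward
            q.popleft()
        distinct = tuple(sorted({s for _, s in q}))
        if len(distinct) >= THRESHOLD and host not in fired:
            fired.add(host)               # one alert per host per burst
            alerts.append((host, ts, distinct))
    return alerts


# Constructed sample log, not a real capture.
SAMPLE_LOG = [
    "2020-05-04T02:10:05|db01|process_create|C:\\Windows\\System32\\net.exe stop MSSQLSERVER /y",
    "2020-05-04T02:10:06|db01|service_state|The MSSQLSERVER service entered the stopped state.",
    "2020-05-04T02:10:09|db01|process_create|C:\\Windows\\System32\\net.exe stop MySQL",
    "2020-05-04T02:10:14|db01|process_create|sc.exe stop MSExchangeIS",
    "2020-05-04T02:10:30|db01|service_state|The Print Spooler service entered the stopped state.",
    '2020-05-04T09:00:00|ws07|process_create|"C:\\Program Files\\7-Zip\\7z.exe" a -pSecret123 -sdel C:\\Users\\j\\Docs.vxcrypt C:\\Users\\j\\Docs',
    "2020-05-04T14:00:00|db02|process_create|net stop MSSQLSERVER  (planned maintenance)",
]


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for host, ts, finding in run_sample():
        print(f"{ts} {host}: {finding}")
```

On the sample, db01 trips the burst rule at the third distinct watched service (MSSQLSERVER, MySQL, MSExchangeIS within nine seconds), ws07 is flagged for the password-protected 7-Zip archive, and the lone planned stop on db02 stays quiet. Counting distinct services rather than raw events keeps a single stop that is logged twice (command line plus 7036) from inflating the score.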