Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Ransomware

Ransomware Description
Dharma - Ransomware The ransomware is a variant of CrySiS and appends various extensions to the files it encrypts. It has been in operation since 2016, and the threat actors behind it continue to release new variants for which no decryptor is available.
Ryuk - Ransomware The ransomware uses AES and RSA encryption and demands between 15 and 50 Bitcoin for the decryption key. The malicious software kills hundreds of processes and services before encrypting, and it encrypts not only local drives but also network drives. The attacks are reported to be targeted at organizations capable of paying the large ransom demanded.
Maze - Ransomware The ransomware uses RSA-2048 and ChaCha20 encryption and requires the victim to contact the threat actor by email for the decryption key. The threat actors behind the malware are known to have attacked multiple sectors including government and manufacturing and threaten to release the company's data if the ransom is not paid.
Nemty - Ransomware The ransomware drops a ransom note labeled "NEMTY-random characters-DECRYPT.txt" and requires the victim to open the threat actor's .onion site for instructions on how to obtain the decryption key. A decryption tool has been released for victims of the malware.
Ragnar Locker - Ransomware The ransomware performs reconnaissance on the targeted network, exfiltrates sensitive information, and then notifies the victim that the files will be released to the public if the ransom is not paid. The threat actor behind the malware is known to demand hundreds of thousands of dollars and creates a ransom note that includes the company name. The ransomware targets remote management software used by managed service providers and enumerates all running services on the infected host and stops service...
Mailto - Ransomware The ransomware, also known as Netwalker, targets enterprise networks and encrypts every Microsoft Windows system it finds. The malware was first detected in August 2019, with new variants discovered through the rest of that year and into 2020. The ransomware appends a random extension to infected files and uses Salsa20 encryption.
PwndLocker - Ransomware The PwndLocker ransomware was discovered in late 2019, and in addition to encrypting files on infected systems the actor behind the malware also threatens to release the stolen data if the ransom is not paid. The ransom note explains that the decryption fee is determined by the size of the network, the number of employees, and the annual revenue of the company. The note goes on to state that the ransom amount will increase by 100% if payment is not made within two weeks and the decryption key will...
Nefilim - Ransomware The ransomware encrypts files with AES-128 encryption and appends ".NEFILIM" to infected files. The malware shares code with the Nemty ransomware family but instead of using a Tor payment site the malicious software relies on email communication for payment. The threat actor behind Nefilim threatens to release stolen data if the ransom is not paid within seven days.
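The fixed ransom-note name (Nemty), the fixed ".NEFILIM" suffix and the random appended extension (Mailto/Netwalker) described above are the kinds of file-system artefacts an incident responder triages first on a hit share. The Python below is an added example, not code from the dashboard or from any vendor: it runs those three file-name rules over a constructed share listing and also reports any unknown extension that appears on two or more files, which is the mass-rename signature of a random-extension family. The sample paths, the allow-list of common extensions and the random-extension heuristic are all assumptions.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed share listing for the example (not real victim data).
SAMPLE_FILES = [
    "/srv/share/finance/budget.xlsx",
    "/srv/share/finance/budget.xlsx.NEFILIM",
    "/srv/share/finance/NEMTY-a7f3c9d1-DECRYPT.txt",
    "/srv/share/hr/contract.docx.f4b2a",
    "/srv/share/hr/photo.jpg.f4b2a",
    "/srv/share/hr/readme.txt",
    "/srv/share/it/setup.tar.gz",
]

# Assumed allow-list of extensions that legitimately occur on the share.
COMMON_EXT = {"txt", "docx", "xlsx", "pptx", "pdf", "csv", "log",
              "jpg", "png", "zip", "tar", "gz", "exe", "dll"}

# Nemty drops "NEMTY-<random characters>-DECRYPT.txt"; Nefilim appends ".NEFILIM".
NEMTY_NOTE = re.compile(r"^NEMTY-[A-Za-z0-9_]+-DECRYPT\.txt$", re.IGNORECASE)
NEFILIM_SUFFIX = ".nefilim"
# Heuristic (assumption): a short alphanumeric suffix tacked onto a file that
# still carries a normal extension, e.g. "contract.docx.f4b2a".
RANDOM_EXT = re.compile(r"^[a-z0-9]{4,8}$")


def triage(path):
    """Classify one path; returns a label or None when nothing matches."""
    name = PurePosixPath(path).name
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(name).suffixes]
    if NEMTY_NOTE.match(name):
        return "nemty_note"
    if name.lower().endswith(NEFILIM_SUFFIX):
        return "nefilim_encrypted"
    if (len(suffixes) >= 2
            and suffixes[-2] in COMMON_EXT
            and suffixes[-1] not in COMMON_EXT
            and RANDOM_EXT.match(suffixes[-1])):
        return "unknown_appended_extension"
    return None


def summarize(paths):
    """Per-file hits plus any unknown extension seen on two or more files,
    which is the mass-rename pattern of a random-extension family."""
    hits = {p: v for p in paths if (v := triage(p))}
    ext_counts = Counter(
        PurePosixPath(p).suffix.lstrip(".").lower()
        for p, v in hits.items() if v == "unknown_appended_extension")
    mass = {e: n for e, n in ext_counts.items() if n >= 2}
    return {"hits": hits, "mass_rename_extensions": mass}


if __name__ == "__main__":
    report = summarize(SAMPLE_FILES)
    for path, label in report["hits"].items():
        print(f"{label:28} {path}")
    print("mass-rename extensions:", report["mass_rename_extensions"])
```

The fixed-string rules are cheap and precise but only catch families you already know; the mass-rename count is what surfaces a new or renamed family, so keep the extension allow-list tuned to what actually lives on the share or it will fire on legitimate tooling output.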
CoronaVirus - Ransomware A threat actor posing as a distributor of legitimate WiseCleaner software is using a fake website to distribute ransomware labeled CoronaVirus, taking advantage of the current COVID-19 pandemic to lure victims. Users who visit the site are also infected with the Kpot Trojan, which is capable of stealing passwords from various software applications. The ransomware changes the name of encrypted files rather than their extension and demands 0.008 bitcoin for the decryption key.
IQY - Ransomware A new variant of the Paradise ransomware was discovered using weaponized Microsoft Office IQY files attached to spear-phishing emails. The IQY (Internet Query) files used PowerShell to download and run a malicious executable, which checked the victim's language and exited if Russian, Kazakh, Belarusian, Ukrainian, or Tatar was found. The malicious software carries out multiple defense evasions, including disabling Windows Defender, software packing, and obfuscation.
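An IQY file is plain text: the first line names the query type (WEB), the second is a version number, and the third is the URL Excel will fetch and paste into the sheet. The file itself carries no code; what the remote server returns is what drives the PowerShell stage described above, so the URL is the one artefact a mail gateway can vet before Excel ever opens the attachment. The Python below is an added example, not code from the dashboard or from any vendor: it parses the IQY layout and blocks queries that use a cleartext scheme, point at a host outside an allow-list, or point at a raw IP. The sample attachment contents and the trusted-host list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed attachments for the example (not real samples): a benign query
# to an internal server and a suspicious one fetching from an external host.
SAMPLE_ATTACHMENTS = {
    "quarterly.iqy": "WEB\n1\nhttps://intranet.example.local/reports/q1.html\n",
    "invoice.iqy": "WEB\n1\nhttp://203.0.113.10/inv.dat\n",
    "notes.txt": "just text, not a query file\n",
}

# Assumed allow-list of hosts that Excel web queries may legitimately pull from.
TRUSTED_HOSTS = {"intranet.example.local"}
RAW_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_iqy(text):
    """Return the URL from an Excel Internet Query file, or None if the
    text does not follow the WEB / 1 / <url> layout Excel expects."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    return lines[2]


def assess_iqy(name, text):
    """Vet one attachment; None for non-IQY content, else a verdict dict."""
    url = parse_iqy(text)
    if url is None:
        return None
    u = urlparse(url)
    host = u.hostname or ""
    findings = []
    if u.scheme != "https":
        findings.append("cleartext scheme")
    if host not in TRUSTED_HOSTS:
        findings.append(f"untrusted host {host}")
    if RAW_IP.match(host):
        findings.append("raw IP host")
    return {"file": name, "url": url, "findings": findings,
            "verdict": "block" if findings else "allow"}


def scan_attachments(attachments):
    """Apply assess_iqy to every attachment, skipping non-IQY content."""
    return {n: r for n, t in attachments.items() if (r := assess_iqy(n, t))}


if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:16} {verdict['verdict']:6} {verdict['findings']}")
```

Vetting on the URL rather than on the file extension matters because the parser keys on the WEB header, not on the ".iqy" name, so a renamed attachment is still caught; the language check the malware performs is a targeting decision made on the victim's machine and is invisible at this layer.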