Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Ransomware

Ransomware | Description
Dharma - Ransomware | The ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016, and the threat actors behind it continue to release new variants that are not decryptable.
Matrix - Ransomware | The ransomware appeared on the threat landscape two years ago, with new variants still being discovered in 2019. Recent variants of Matrix append various extensions, including .eman, .itlock, .kok08, and .fastbob. Victims are given 7 days to reach the threat actor by email or Bitmessage, or their decryption key will be deleted.
Scarab - Ransomware | The ransomware uses AES encryption and adds various extensions to infected files. In November 2017 it was discovered that the Necurs botnet was being used to spread the malicious software. Multiple variants of the ransomware continue to appear on the threat landscape.
Stop - Ransomware | The ransomware uses AES encryption and adds one of more than 20 different extensions to infected files. The malicious software was discovered at the end of 2017, with new variants appearing on the threat landscape throughout 2018 and into 2019. The ransom notes for some variants claim to give the victim a 50% discount if the threat actor is contacted via email within 72 hours.
Ryuk - Ransomware | The ransomware uses AES and RSA encryption and demands between 15 and 50 Bitcoin for the decryption key. The malicious software kills hundreds of processes and services and encrypts both local and network drives. The attacks are reported to target organizations that are capable of paying the large ransom demanded.
GandCrab 5 - Ransomware | The ransomware appends random extensions to encrypted files and directs the victim to an HTML file for instructions on how to decrypt infected files. The threat actor demands that the ransom be paid in either Bitcoin or DASH. GandCrab 5 also scans network shares and mapped drives to find files to encrypt. The threat actors behind the ransomware use a variety of infection vectors, including PowerShell, botnets, exploit kits, trojanized programs, spear phishing, and Remote Desktop.
Anatova - Ransomware | The ransomware uses AES encryption and demands 10 Dash for the decryption key. Anatova also checks whether network shares are connected and encrypts the files on those shares too. Newer variants of the malicious software demand 20 Dash to unlock infected files.
LockerGoga - Ransomware | The ransomware, also known as Worker32, uses both AES and RSA encryption and appends ".locked" to infected files. The ransom note dropped by the malware offers to decrypt 2-3 random files for free and requires the victim to contact the threat actor by email. The note goes on to say that the price to decrypt all encrypted files is determined by how fast the victim contacts the ransomware author.
Clop - Ransomware | The ransomware appends ".CLOP" or ".CIOP" to infected files, and some variants claim all encrypted data will be deleted if the ransom is not paid within two weeks. The ransom note states that the malware infects the entire network instead of individual computers.
JNEC - Ransomware | The ransomware demands 0.05 Bitcoin for the decryption key and takes advantage of a remote code execution flaw in WinRAR to infect victims. The malware is written in .NET and creates a startup task to execute at next login.