
Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Ransomware

Ransomware Description
Phobos - Ransomware The ransomware uses AES encryption and adds various extensions to infected files. The malware was discovered in late 2017 with new variants being discovered throughout 2019. The victim is required to email the threat actor at one of many email addresses for the decryption key.
Scarab - Ransomware The ransomware uses AES encryption and adds various extensions to infected files. In November 2017 it was discovered that the Necurs botnet was used to spread the malicious software. Multiple variants of the ransomware continue to appear on the threat landscape.
Stop - Ransomware The ransomware, also known as Djvu, used AES encryption and added one of more than 100 different extensions to infected files. The malicious software was discovered at the end of 2017 with new variants appearing on the threat landscape throughout 2018 and 2019. The ransom note for some variants purports to give the victim a 50% discount if the threat actor is contacted via email within 72 hours. The threat is no longer active, and a decryption tool has been released for those who are affected.
Ryuk - Ransomware The ransomware uses AES and RSA encryption and demands between 15 and 50 Bitcoin for the decryption key. The malicious software kills hundreds of processes and services and encrypts both local and network drives. The attacks are reported to be targeted at organizations that are capable of paying the large ransom demanded. Variants found in mid-2019 will not infect the system if the computer's IP address or computer name is part of a blacklist.
Sodinokibi - Ransomware The ransomware appends a random extension to encrypted files and purports to double the price of the ransom if not paid on time. The malware is actively being distributed in the wild through Managed Service Providers, by taking advantage of server flaws, through spam campaigns, and through exploit kits.
Maze - Ransomware The ransomware uses RSA-2048 and ChaCha20 encryption and requires the victim to contact the threat actor by email for the decryption key. The threat actors behind the malware are known to have attacked multiple sectors including government and manufacturing and threaten to release the company's data if the ransom is not paid.
Nemty - Ransomware The ransomware drops a ransom note labeled "NEMTY-random characters-DECRYPT.txt" and requires the victim to open the threat actor's .onion site for instructions on how to obtain the decryption key. A decryption tool has been released for victims who are infected by the malicious software.
Snake - Ransomware The ransomware uses AES-256 and RSA-2048 encryption and requires the victim to email the threat actor for the decryption key. Snake uses a high level of obfuscation and is written in the Golang programming language. The malware kills many processes including those related to SCADA and ICS systems, VMs, and various network and remote administration tools.
Ako - Ransomware The ransomware, also known as MedusaReborn, appends a random extension to infected files. The malware uses AES encryption and either deletes or encrypts backups and shadow copies. Ako scans the local network and encrypts any network shares that are discovered.
5ss5c - Ransomware The ransomware demands 1 Bitcoin for the decryption key and appends ".5ss5c" to encrypted files. The malware, also known as 5ss5cCrypt, shares similar code with the Satan ransomware.