
Ransomware is malicious software that locks users out of their system or data and demands a ransom to restore access. Most often, such programs encrypt files on an infected machine and demand a fee in exchange for the decryption key. Many operators also steal sensitive information from the compromised machine and may even launch DDoS attacks against the affected organization to pressure it into paying.

How to analyze Ransomware with ANY.RUN

Top malware of this type

Rank  Family              Type        Trend changes  Tasks overall
2     Bluesky Ransomware  Ransomware  103            130
3     DarkSide            Ransomware  79             621
4     Phobos              Ransomware  59             1455
5     REvil               Ransomware  44             2867
6     Netwalker           Ransomware  86             472
7     Nemty               Ransomware  82             532
8     Ryuk                Ransomware  71             904
9     Medusa Ransomware   Ransomware  88             433
10    WannaCry            Ransomware  7              28365
11    Dharma              Ransomware  52             1891

(Per-family trend sparkline data omitted.)

    What is Ransomware?

    Ransomware is malware that restricts access to a computer system or its data until a ransom is paid. This can be done in a variety of ways.

    For instance, screen locker ransomware blocks access to the system by overlaying the display with a ransom note window, prompting the user to make a payment to get control over the machine back.

    However, the primary type of ransomware used by attackers nowadays is crypto-ransomware, which specifically uses encryption to hold data hostage. This means that the attacker scrambles the victim's files using a strong encryption algorithm, making them unreadable without the decryption key that can be obtained only after paying a ransom.

    At the same time, some malware employs fake encryption as a scare tactic to pressure victims into paying. For example, STRRAT, a Java-based malware, is known for appending the .crimson extension to victims' files. This "encryption" is purely cosmetic: the file contents are left untouched, and users can restore access simply by removing the added extension.

    Certain strains of wiper malware disguise themselves as ransomware, exploiting victims' desperation for data recovery. These malicious programs permanently destroy files while falsely promising decryption upon ransom payment.
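    The check below is an added example, not ANY.RUN's code, for triaging files that have received a ransomware extension. A crypto-ransomware that encrypts from the first byte destroys the format header and leaves near-random bytes, whereas a rename-only "encryptor" such as the STRRAT .crimson trick leaves the header intact, so the file can be recovered by stripping the extension. The magic-number table, the entropy threshold, the extension names and the sample files are assumptions constructed for the demo. One caveat a practitioner should keep in mind: families that use intermittent or offset-based encryption and skip the first bytes of a file would keep the header and be misclassified as "renamed only", so confirm by opening a recovered file.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from typing import Optional

# Header signatures for a few common formats. Assumed, deliberately small
# table; a real triage script would use a fuller one (e.g. libmagic).
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"MZ": "pe",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_format(head: bytes) -> Optional[str]:
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return None


def classify(path: str, sample_size: int = 4096) -> dict:
    """Inspect only the first bytes: encryption from offset 0 destroys the
    header, a rename-only "encryptor" leaves it intact."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    fmt = identify_format(head)
    ent = shannon_entropy(head)
    if fmt is not None:
        verdict = "renamed_only"   # header survived: content untouched
    elif ent >= 7.5:               # assumed threshold
        verdict = "encrypted"      # no header, near-random bytes
    else:
        verdict = "unknown"        # plain text or a format not in MAGIC
    return {"format": fmt, "entropy": round(ent, 2), "verdict": verdict}


def strip_extension_if_intact(path: str) -> Optional[str]:
    """Recover a renamed file by dropping the added extension. Returns the
    restored path, or None when the content really is encrypted."""
    if classify(path)["verdict"] != "renamed_only":
        return None
    base, _ext = os.path.splitext(path)
    os.rename(path, base)
    return base


def demo() -> dict:
    """Constructed samples: a PDF with .crimson appended (STRRAT-style) and a
    file of pseudo-random bytes standing in for real ciphertext."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "report.pdf.crimson")
        with open(fake, "wb") as f:
            f.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50)
        real = os.path.join(d, "budget.xlsx.lockbit")
        with open(real, "wb") as f:
            # 128 SHA-256 digests = 4096 high-entropy, deterministic bytes
            f.write(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))
        for p in (fake, real):
            results[os.path.basename(p)] = classify(p)
        restored = strip_extension_if_intact(fake)
        results["restored"] = os.path.basename(restored) if restored else None
        results["restored_real"] = strip_extension_if_intact(real)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Running the script reports the .crimson file as a PDF with intact content and restores it to report.pdf, while the .lockbit sample has no recognizable header and an entropy near 8 bits per byte, so it is left alone.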


    What is a ransomware attack?

    A ransomware attack is the process by which cybercriminals infiltrate a computer system or network and deploy malicious software that encrypts or locks critical data, rendering it inaccessible to the owner.

    Ransomware attacks can target individuals, businesses, and organizations of all sizes, causing significant disruption, financial losses, and reputational damage. The attackers often exploit vulnerabilities in software, operating systems, or human behavior.

    While attackers often promise to restore the victim’s access to their system once they pay a fee, there is never a guarantee they will do it. In many cases, attackers simply take the money and disappear. On top of that, paying criminals further encourages them to continue carrying out illicit activities.

    How does ransomware work?

    Although the details vary between malware families, an attack usually begins with system infiltration through means such as phishing emails, malicious links, or software vulnerabilities.

    Once installed on a victim's device, the ransomware most often encrypts the victim's files, making them unreadable. The attacker then displays a message, typically as a text file or a separate window, demanding payment in cryptocurrency or another hard-to-trace payment method.


    The size of the ransom demand varies widely. For instance, WannaCry requested $300 to be paid within 3 days when targeting individuals, while organizations that suffered an extensive network infection had to pay millions of dollars. The criminals behind LostTrust, by contrast, require their victims to pay at least $100,000.

    [Image: a desktop displaying the WannaCry ransom note]

    Let's use the LockBit family to see how a typical ransomware intrusion unfolds:

    • Upon gaining initial access, LockBit is typically run from the command line, where it accepts file or directory parameters for selective encryption. It can also be launched through scheduled tasks or via PowerShell Empire.
    • LockBit uses tools such as Mimikatz to harvest additional credentials, widening its reach. To evade detection it employs various tools to disable security software, while network scanners let it locate Domain Controllers and Active Directory servers from which to deploy the ransomware.
    • The ransomware spreads across the network by self-propagating over SMB connections with the acquired credentials. It also exfiltrates data to cloud storage services such as MEGA. Finally, LockBit encrypts both local and network data with AES and replaces the desktop wallpaper with a ransom note.

    [Image: LockBit 1.0 process graph]

    What does ransomware do to an endpoint device?

    Ransomware deals a serious blow to endpoint devices, causing several major detrimental effects:

    • Data Encryption: It encrypts the user's critical files, making them impossible to open. It does so by applying an encryption algorithm and, typically, changing the files' extensions.
    • System Disruption: It can disrupt normal system operations, causing crashes, performance issues, and data loss.
    • Access Denial: Infected devices may become completely unusable, preventing users from accessing their data or performing essential tasks. Attackers often limit users’ ability to interact with the system to the window with the ransom demands.
    • Data Exfiltration: Ransomware may also steal sensitive data, further compromising privacy and security. In some cases, criminals may publish the information stolen from their victims, especially high-profile organizations, if they refuse to pay. This adds another pressure point and often forces companies to comply with the demands.
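    The encryption and extension-changing behaviour described above is visible in endpoint file telemetry well before the ransom note is read, and it is one of the most reliable things to alert on. The detector below is an added example, not ANY.RUN's or any vendor's code: it runs a sliding-window rule over a constructed, Sysmon-style list of file events and fires when one process renames or creates many files with a single new extension across several directories in a short time. The process names, paths, thresholds, ransom-note name pattern and all events are assumptions constructed for the demo.

```python
import ntpath
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileEvent:
    ts: float    # seconds since start of capture
    pid: int
    image: str   # process image path
    op: str      # "create", "rename" or "write"
    path: str    # resulting file path (Windows-style)


@dataclass
class Alert:
    pid: int
    image: str
    new_ext: str
    files: int
    dirs: int
    ransom_note: Optional[str]
    first_seen: float


# Words ransom-note file names commonly carry (assumed pattern; tune per environment)
NOTE_RE = re.compile(r"(readme|restore|decrypt|recover|how[ _-]?to)", re.I)


def detect_mass_rename(events: List[FileEvent], window: float = 10.0,
                       min_files: int = 20, min_dirs: int = 3) -> List[Alert]:
    """Sliding-window rule: one process that, within `window` seconds, creates
    or renames at least `min_files` files sharing one new extension, spread
    over at least `min_dirs` directories. The directory spread is what
    separates an encryptor walking a user profile from a compiler dumping
    object files into a single build directory."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_pid[e.pid].append(e)
    alerts: List[Alert] = []
    for pid, evs in by_pid.items():
        notes = [e.path for e in evs if NOTE_RE.search(ntpath.basename(e.path))]
        recent: deque = deque()
        for e in evs:
            if e.op not in ("create", "rename") or NOTE_RE.search(ntpath.basename(e.path)):
                continue
            recent.append(e)
            while recent and e.ts - recent[0].ts > window:
                recent.popleft()
            ext, n = Counter(ntpath.splitext(x.path)[1].lower() for x in recent).most_common(1)[0]
            dirs = {ntpath.dirname(x.path) for x in recent
                    if ntpath.splitext(x.path)[1].lower() == ext}
            if ext and n >= min_files and len(dirs) >= min_dirs:
                alerts.append(Alert(pid, evs[0].image, ext, n, len(dirs),
                                    notes[0] if notes else None, recent[0].ts))
                break  # one alert per process is enough
    return alerts


def sample_events() -> List[FileEvent]:
    """Constructed telemetry: Word saving a few documents, a compiler writing
    forty object files into one directory, and an unknown binary renaming
    files across four user folders and dropping a ransom note."""
    ev: List[FileEvent] = []
    word = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
    for i in range(3):
        ev.append(FileEvent(10.0 + i, 4120, word, "write", rf"C:\Users\alice\Documents\memo{i}.docx"))
    cl = r"C:\BuildTools\bin\cl.exe"
    for i in range(40):
        ev.append(FileEvent(50.0 + i * 0.05, 5310, cl, "create", rf"C:\src\proj\obj\file{i}.o"))
    bad = r"C:\Users\Public\update.exe"
    folders = ["Documents", "Pictures", "Desktop", "Downloads"]
    for i in range(32):
        ev.append(FileEvent(100.0 + i * 0.1, 7788, bad, "rename",
                            rf"C:\Users\alice\{folders[i % 4]}\file{i}.xlsx.lockbit"))
    ev.append(FileEvent(103.5, 7788, bad, "create", r"C:\Users\alice\Desktop\Restore-My-Files.txt"))
    return ev


if __name__ == "__main__":
    for alert in detect_mass_rename(sample_events()):
        print(alert)
```

Only the unknown binary triggers an alert, at the twentieth rename and within two seconds of the first one; the compiler writes twice as many files but in one directory, and Word touches only three. In production the same rule would read from Sysmon Event ID 11 or an EDR file-event stream, and the thresholds would be tuned against a baseline of legitimate bulk writers such as backup and sync agents.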

    What are examples of ransomware families?

    In order to track both active and no longer operational ransomware families, use ANY.RUN’s Malware Trends Tracker.

    Here are some of the notable examples of ransomware, according to the service:

    • WannaCry: A self-propagating ransomware that exploits the EternalBlue SMBv1 vulnerability (MS17-010) to infiltrate and spread across vulnerable networks. Since its emergence in 2017, this malware has caused billions of dollars in damages and infected over 200,000 computers globally. As of 2023, the ransomware is no longer active.
    • LockBit: A prominent ransomware strain, operating under the Malware-as-a-Service model, which fuels its widespread adoption. According to some estimates, LockBit is responsible for up to 40% of all ransomware attacks. It targets organizations of all sizes, from large corporations like Royal Mail, where a $80 million ransom was demanded, to smaller businesses.
    • LostTrust: LostTrust is a relatively new ransomware strain that emerged in March 2023. It employs a multi-extortion strategy, not only encrypting data on the victim's system but also exfiltrating sensitive files for additional leverage. The perpetrators then publish the stolen data on a dedicated website, showcasing a growing list of compromised organizations.

    How does ransomware spread?

    Phishing emails serve as the primary weapon of choice for ransomware attackers. These carefully crafted messages, often disguised as legitimate communications from trusted entities like banks or online services, aim to deceive recipients into clicking malicious links or opening infected attachments.

    Once it gains a foothold on one machine, ransomware can also move laterally, spreading across the entire network. Additionally, many malware families are distributed via file-sharing services, where they masquerade as legitimate software.

    Alternatively, ransomware can reach systems through loaders, malware designed solely to deliver other malicious programs.

    How to prevent ransomware attack

    Ransomware is an extremely widespread type of malware, and knowing how to protect against it is essential for every organization that values its security. A comprehensive defense stack consists of multiple solutions, including a malware sandbox that can be employed in different scenarios.

    For instance, infections stemming from phishing emails and websites can be avoided if a sandbox is used to analyze them first. The ANY.RUN malware sandbox lets you quickly determine whether a file or link poses a threat by uploading it to the service. ANY.RUN produces a detailed report with a verdict on the sample's maliciousness and the relevant indicators of compromise (IOCs) that can be used for detection.

    [Image: ANY.RUN report on a WannaCry sample]

    On top of that, the sandbox is fully interactive, meaning you can engage with malicious files and links in a safe cloud virtual machine like you would on a normal computer.


    Related ransomware families

    • Phobos: ransomware that encrypts files with AES, appending a variety of extensions, and demands a ransom; without the attacker's key the encrypted files cannot be recovered.
    • Netwalker: ransomware that encrypts files and demands payment for their return. It uses several sophisticated techniques, such as process hollowing and code obfuscation, and targets corporate victims.
    • Nemty: ransomware with an unusually complex encryption scheme. It encrypts user files and demands money to unlock them again. It may be connected to other well-known ransomware families, but this is not confirmed.
    • Ryuk: ransomware that encrypts victims' files and offers to restore access in exchange for a ransom payment. Operating since 2018, Ryuk has carried out successful targeted attacks on organizations, netting its operators millions of dollars.
    • DarkSide: a ransomware strain involved in high-profile incidents. Its attacks combine data theft with encryption, causing significant damage to victims.
    • LostTrust: ransomware active since March 2023. It is multi-extortion malware: it encrypts data on the compromised system and demands a ransom, but also exfiltrates critical files to the attacker, who publishes the stolen data on a dedicated leak site where dozens of companies are listed as victims.