Laptop with Ransomware message popping out of the screen

Top 10 ransomware strains affecting organisations in 2019

Hackers continue to push ransomware attacks worldwide

Showing no signs of slowing down, anti-malware firm Emsisoft and ransomware data repository ID Ransomware have received no less than 230,000 submissions of ransomware strains between April 1 and September 30 2019.

Below are the top 10 most-reported ransomware strains so far in 2019.

What are the 10 most prevalent ransomware strains?

1. STOP (DJVU) – 56%, The undisputed champion of ransomware

Attacking home users by embedding in unsecured files found on torrent and file sharing websites, such as key generators and software cracks, STOP outnumbers the rest of the contenders by a magnitude of almost five.

Over 76,000 submissions to ID Ransomware alone, more than 56% of submissions to the site make STOP, also known as DJVU the most prevalent ransomware strain of 2019.

It encrypts files with Salsa20 encryption, then demands $490 worth of Bitcoins from the victim. If the promise of decryptor software and private decryption keys are not enough to coerce the victims into paying, the threat of doubling the ransom to $980 after 72 hours leverages urgency and increases its effectiveness.

Dozens of STOP variants exist and free decryptor software can help victims with older strains. Unfortunately, the newest versions cannot be decrypted by said software and still pose a significant threat.

2. Dharma – 12%

At just over one fifth the prevalence of the STOP ransomware, Dharma, a member of the .cezar family holds the number two spot on the list.

Beginning life in 2016, Dharma (a Buddhist term signifying “cosmic law and order”) has seen many variants and use cases in 2019, especially the latter half, is seeing a spike in its activity. This is suggested to be down to malicious actors becoming more efficient at using multiple attack vectors, including malicious email attachments, virus-laden installers or compromised RDP login information.

Rather than asking for an arbitrary figure to undo its encryption, Dharma instructs victims to manually negotiate the ransom with the attackers via email. Naturally, larger organisations find they are hit with tougher negotiations and more costly settlements.

3. Phobos – 8.9%

Closely resembling Dharma in its makeup, Phobos is closely following in its popularity.

Taking its name from the Greek God of fear, Phobos came into life in early 2019.

It spreads principally through the exploitation of open or poorly secured RDP ports. Similar again to Dharma, Phobos chooses not to ask for specific amounts but relies on opening negotiations with its victims via email. Unfortunately, there have been many cases of the ransom being paid without decryption ever resulting, poor show, even for hackers.

4. GlobeImposter 2.0 – 6.5%

Don’t confuse GlobeImposter 2.0 with Globe or its original version GlobeImposter. Accounting for 6.5 of all ransomware reports during Q2 and Q3 of 2019, it uses AES-256 cryptography to encrypt its victim’s files and demands a ransom ranging from one to ten Bitcoins.

Even after Bitcoin’s sharp decline through September and October, the higher ransoms still see a sterling value topping £50,000.

Visualised – the most reported ransomware

pie chart of top 10 most successful ransomware strains
10 most reported ransomware strains Credit: Emsisoft

5. Sodinokibi / REvil – 4.5%

First discovered in April 2019, and often referred to as Sodin or REvil, this ransomware strain began its destructive path in Asia before spreading fast to European servers and environments.

REvil follows the RaaS (Ransomware as a Service) model, relying on affiliates to distribute and market the malicious software. It is believed to come from the minds of the developers behind GandCrab, a strain that has found itself on most prevalent ransomware lists since its first discovery in January 2018.

Extremely evasive, Sodin uses advanced techniques to avoid detection from security software. Its main attack methods are via a vulnerability in Oracle WebLogic, phishing email campaigns, and compromised managed service providers (MSPs).

6. GandCrab – 3.6%

No list like this would be complete without this strain rearing its ugly head.

Since it was first discovered in January of 2018, GandCrab is thought to have infected over half a million computers, according to Europol.

Accounting for 3.6% of submissions, and another RaaS proponent, is distributed primarily through phishing emails. Once activated, it encrypts all the victim’s files and demands an arbitrary ransom, payable in Dash cryptocurrency.

The success of the GandCrab strain was, and still is, felt worldwide with a report in May 2019 stating the creators of the ransomware have earned over $2 billion in extortion since its creation.

7. Magniber – 3.3%

An incredibly resilient strain of ransomware, Magniber has surfaced repeatedly in various guises since its original discovery in 2013. Six years later it still holds a 3.3% market capitalisation, impressive.

Distributed via the Magnitude exploit kit, this strain primarily targets South Korean victims and uses AES encryption to lock files in an ever-increasingly complex way.

Global epidemic – countries affected most by ransomware

pie chart of countries that have been most badly affected by ransomware
Top 10 countries most affected by ransomware Credit: Emsisoft

8. Scarab – 2.0%

First spotted in June 2017, this variant uses AES-256 and RSA-2048 encryption algorithms to lock files on its victim’s computer.

Many of Scarab’s campaigns focus on distributing the group’s custom malware (Trojan.Scieron and Trojan.Scieron.B) through emails with malicious attachments. These files contain exploits that take advantage of older vulnerabilities that are already patched by vendors. If the attackers successfully compromise the victims’ computers, then they use a basic back door threat called Trojan.Scieron to drop Trojan.Scieron.B onto the computer.

Symantec Official Blog

9. Rapid – 1.8%

Both 9th and 10th place are taken by Trojan horses in this list.

Rapid arrived on the scene in March 2018. Removing Windows shadow copies, stopping all database processes and halting many vital services it then encrypts almost all files on the victim’s computer.

It then displays the following text:

Rapid Ransomware recovery text

Opting for negotiation rather than arbitrary sum, Rapid is still a potent cyber threat.

10. Troldesh – 1.4%

Rounding off our list is another Trojan horse accounting for 1.4% of submitted ransomware strains.

First seen in 2014, Troldesh is primarily spread through malicious email attachments in phishing emails. The files are often in .zip format with a title to incite urgency in the victim, demanding they open it immediately. Once extracted and run, the Javascript within the zip downloads the payload which encrypts any files with specific extensions, well, we say specific, the list is not overly discerning (.1cd, .3ds, .3fr, .3g2, .3gp, .7z, .accda, .accdb, .accdc, .accde, .accdt, .accdw, .adb, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .anim, .arw, .as, .asa, .asc, .ascx, .asm, .asmx, .asp, .aspx, .asr, .asx, .avi, .avs, .backup, .bak, .bay, .bd, .bin, .bmp, .bz2, .c, .cdr, .cer, .cf, .cfc, .cfm, .cfml, .cfu, .chm, .cin, .class, .clx, .config, .cpp, .cr2, .crt, .crw, .cs, .css, .csv, .cub, .dae, .dat, .db, .dbf, .dbx, .dc3, .dcm, .dcr, .der, .dib, .dic, .dif, .divx, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .dpx, .dqy, .dsn, .dt, .dtd, .dwg, .dwt, .dx, .dxf, .edml, .efd, .elf, .emf, .emz, .epf, .eps, .epsf, .epsp, .erf, .exr, .f4v, .fido, .flm, .flv, .frm, .fxg, .geo, .gif, .grs, .gz, .h, .hdr, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .indd, .ini, .iqy, .j2c, .j2k, .java, .jp2, .jpc, .jpe, .jpeg, , .jpf, .jpg, .jpx, .js, .jsf, .json, .jsp, .kdc, .kmz, .kwm, .lasso, .lbi, .lgf, .lgp, .log, .m1v, .m4a, .m4v, .max, .md, .mda, .mdb, .mde, .mdf, .mdw, .mef, .mft, .mfw, .mht, .mhtml, .mka, .mkidx, .mkv, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mpv, .mrw, .msg, .mxl, .myd, .myi, .nef, .nrw, .obj, .odb, .odc, .odm, .odp, .ods, .oft, .one, .onepkg, .onetoc2, .opt, .oqy, .orf, .p12, .p7b, .p7c, .pam, .pbm, .pct, .pcx, .pdd, .pdf, .pdp, .pef, .pem, .pff, .pfm, .pfx, .pgm, .php, .php3, .php4, .php5, .phtml, .pict, .pl, .pls, .pm, .png, .pnm, .pot, .potm, .potx, .ppa, .ppam, .ppm, .pps, .ppsm, .ppt, .pptm, .pptx, .prn, .ps, .psb, .psd, .pst, .ptx, .pub, .pwm, .pxr, .py, .qt, .r3d, .raf, .rar, .raw, .rdf, .rgbe, .rle, .rqy, .rss, .rtf, .rw2, .rwl, .safe, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql, .sr2, .srf, .srw, .ssi, .st, .stm, .svg, .svgz, .swf, .tab, .tar, .tbb, .tbi, .tbk, .tdi, .tga, .thmx, .tif, .tiff, .tld, .torrent, .tpl, .txt, .u3d, .udl, .uxdc, .vb, .vbs, .vcs, .vda, .vdr, .vdw, .vdx, .vrp, .vsd, .vss, .vst, .vsw, .vsx, .vtm, .vtml, .vtx, .wb2, .wav, .wbm, .wbmp, .wim, .wmf, .wml, .wmv, .wpd, .wps, .x3f, .xl, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xsd, .xsf, .xsl, .xslt, .xsn, .xtp, .xtp2, .xyze, .xz, and .zip)

The encryption method used is AES-256 in CBC mode and once encryption is complete, hundreds of readme#.txt files are distributed around the file system, prompting the victim with instructions of how to contact the hacker and negotiate the terms of their file decryption.

Prevention beats cure…

This global attack epidemic grows in size each day and it is up to us to educate ourselves as best we can to avoid becoming victims.

Security Awareness Training is one of the most cost-effective methods of reducing your organisation’s susceptibility to a ransomware attack.

We at Phishing Tackle believe this should not cost the earth and strongly encourage you to check out our cost-calculator to see truly how affordable we are. The cost of a successful ransomware attack puts a huge number of organisations out of business every year.

Your users are the first and last line of defence, and it’s up to you to make sure they are capable of dealing with such attacks before, not after, they happen.

Recent posts