Common Windows-based cryptographic ransomware families

Ransomware

In the ever-growing landscape of cyber threats, ransomware stands out as a malicious actor. These digital extortionists lock down your valuable files, rendering them inaccessible until a ransom is paid. While ransomware can target any operating system due to its widespread use, Windows has been a frequent battleground for these digital bandits. This guide delves into some of the most notorious Windows-based ransomware families.

Reveton (2012)

Reveton is a classic example of early screen locker ransomware. While some variants also encrypted files, their primary function was to lock users out of their desktops and demand a ransom to regain access. Distributed through malicious websites, Reveton would often display frightening messages or images, pressuring users into paying. Its emergence highlighted the growing threat of ransomware and the need for robust security practices.

Cryptolocker (2013)

Cryptolocker marked a turning point in ransomware by introducing widespread file encryption. Distributed via websites and emails, Cryptolocker used a strong AES-256 symmetric encryption algorithm to scramble victims’ files. Communication with the command and control (C&C) server for ransom demands and potential decryption keys relied on the anonymity of onion routing. Cryptolocker’s success, unfortunately, paved the way for a wave of more sophisticated ransomware attacks.

CryptoWall (2014)

CryptoWall represented a more insidious approach to ransomware. This variant didn’t rely solely on user interaction with malicious websites. Instead, it employed social engineering tactics to infiltrate systems and embed itself into registry keys or startup folders, ensuring persistence across reboots. CryptoWall utilized a robust 2048-bit RSA asymmetric encryption, making decryption impossible without the private key. This tactic and a focus on high-value targets made CryptoWall a significant moneymaker for its creators.

TeslaCrypt (2015)

TeslaCrypt was a Trojan horse ransomware that relied on deception to gain a foothold on victim machines. Often disguised as legitimate software, TeslaCrypt would spread through strong distribution networks. Once installed, it targeted gaming files, a niche approach likely chosen due to the sentimental value such data holds for gamers. While TeslaCrypt employed less robust symmetric encryption for smaller files, it effectively disrupted user access and demanded a ransom.

Chimera (2015)

Chimera employed phishing tactics to lure victims into downloading malicious payloads. Once installed, it used symmetric encryption to lock down local and mapped network drives, potentially causing widespread disruption within organizations. Chimera added another layer of intimidation by threatening to release stolen data (doxing) if the ransom wasn’t paid. This tactic, known as double extortion, has become increasingly common in ransomware attacks.

SamSam (2016)

Unlike many ransomware strains that relied on widespread distribution, SamSam focused on targeted attacks. Cybercriminals gained remote access through Remote Desktop Protocol (RDP) vulnerabilities and escalated privileges to encrypt files. This approach minimized the risk of detection but maximized the impact on targeted businesses. SamSam used a robust RSA-2048 asymmetric encryption algorithm, making decryption extremely difficult without the private key held by the attackers.

Locky (2016)

Locky became prominent through email campaigns containing malicious Microsoft Word documents with embedded macros. If enabled by the user, these macros would download and execute the Locky payload. The ransomware targeted specific file types that were considered valuable, encrypting them with RSA-2048 for the encryption key and AES-128 for the actual data. This two-pronged approach made decryption a complex task for victims.

Petya (2016) & NotPetya (2017)

Petya and its close relative NotPetya were particularly destructive ransomware strains. Petya leveraged a cloud-based distribution method, allowing it to infect many systems rapidly. Worse yet, it possessed worm-like capabilities, spreading laterally across networks to further amplify the damage. Petya targeted the Master Boot Record (MBR) on infected systems, effectively rendering them inoperable. NotPetya differed slightly in its distribution method, exploiting a vulnerability in the Windows SMB protocol. Both Petya and NotPetya caused significant disruption and financial losses, highlighting the potential for ransomware to transcend data encryption and cripple entire systems.

GoldenEye (2016)

Inspired by Petya, GoldenEye adopted a similar worm-like behavior and targeted executable files (.exe) on infected systems. Distributed through malicious Excel files with embedded macros, GoldenEye relied on AES encryption to lock down critical files. Interestingly, GoldenEye was offered as part of a Ransomware-as-a-Service (RaaS) model, allowing other cybercriminals to leverage its capabilities for their attacks.

Zcryptor (2016)

Zcryptor exhibited worm-like behavior, spreading through spam emails containing infected attachments or malicious macros. Once installed, it targeted local and shared drives and USB storage devices, encrypting a wide range of file formats. This broad approach aimed to maximize the impact on victims, pressuring them to pay the ransom to regain access to their data.
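Locky's targeting of specific valuable file types and Zcryptor's sweep across local, shared and USB drives share an observable footprint: within a short window, many files are rewritten with ciphertext-like contents and typically renamed with an extra extension. The script below is an added example, not code from the original article or from either family. It runs a simple detector over constructed file-change events: it measures the Shannon entropy of a file before and after a write, treats a jump from plaintext-like to ciphertext-like entropy combined with an extension change as an encryption indicator, and raises an alert only when enough such writes cluster in time. The `.locked` extension and the thresholds are placeholders chosen for this example.

```python
"""Detect mass-encryption behaviour from file-change events.

Added example (not from the original article). Events are constructed inline;
on a real host they would come from a file-system monitor or EDR telemetry.
"""
import math
import os
import random
from collections import Counter
from dataclasses import dataclass

HIGH_ENTROPY = 7.5  # bits per byte; AES output over a few KB sits near 8.0, plain text near 4-5


@dataclass
class FileEvent:
    path: str        # path before the write
    new_path: str    # path after the write (differs if the file was renamed)
    before: bytes    # contents before the write
    after: bytes     # contents after the write
    timestamp: float # seconds


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_event(event):
    """Return the set of encryption indicators present on one file write."""
    indicators = set()
    before_h, after_h = shannon_entropy(event.before), shannon_entropy(event.after)
    # Caveat: docx, zip and jpg are compressed and already high-entropy at rest,
    # so the signal is the jump from low to high, not high entropy by itself.
    if before_h < HIGH_ENTROPY <= after_h:
        indicators.add("entropy_jump")
    old_ext = os.path.splitext(event.path)[1].lower()
    new_ext = os.path.splitext(event.new_path)[1].lower()
    if event.new_path != event.path and new_ext != old_ext and after_h >= HIGH_ENTROPY:
        indicators.add("ransom_extension")
    return indicators


def detect_mass_encryption(events, window_seconds=10.0, min_files=5):
    """Return the paths in the first window holding >= min_files encryption-like writes, else []."""
    flagged = sorted((e for e in events if score_event(e)), key=lambda e: e.timestamp)
    for i in range(len(flagged)):
        j = i
        while j + 1 < len(flagged) and flagged[j + 1].timestamp - flagged[i].timestamp <= window_seconds:
            j += 1
        if j - i + 1 >= min_files:
            return [e.path for e in flagged[i:j + 1]]
    return []


# Constructed sample data: deterministic "ciphertext" and a plaintext report.
_rng = random.Random(1)


def fake_ciphertext(n):
    """Uniformly random bytes standing in for AES output (constructed, seeded)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"Quarterly report: revenue grew 4% on the back of new contracts.\n" * 64

SAMPLE_EVENTS = [
    # Six text files rewritten as ciphertext and renamed within 2.5 seconds.
    FileEvent(f"C:\\Users\\alice\\Documents\\report{i}.txt",
              f"C:\\Users\\alice\\Documents\\report{i}.txt.locked",
              PLAINTEXT, fake_ciphertext(4096), 100.0 + 0.5 * i)
    for i in range(6)
]
# A photo edited in place: high entropy before and after, no rename, so not an indicator.
SAMPLE_EVENTS.append(FileEvent("C:\\Users\\alice\\Pictures\\holiday.jpg",
                               "C:\\Users\\alice\\Pictures\\holiday.jpg",
                               fake_ciphertext(4096), fake_ciphertext(4096), 105.0))

if __name__ == "__main__":
    hit = detect_mass_encryption(SAMPLE_EVENTS)
    print("ALERT: mass encryption across", len(hit), "files" if hit else "no alert")
```

The burst threshold is what keeps this usable: a single high-entropy write is routine (archives, images, encrypted containers), but dozens of low-to-high entropy rewrites with extension changes inside a few seconds is the signature the families above leave on disk, and it is the point at which isolating the host limits the damage to mapped and shared drives.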

REvil (2019)

REvil gained notoriety for specifically targeting managed service providers (MSPs), companies that manage IT infrastructure for other businesses. This tactic allowed REvil to access a vast network of potential victims through a single entry point. REvil pioneered using a stream cipher encryption algorithm (RC4) for attacks. While considered weaker than some alternatives, RC4 offered advantages in terms of speed. Furthermore, REvil adopted the double extortion tactic, threatening to encrypt and leak stolen data if the ransom wasn’t paid. This approach significantly increased pressure on victims and highlighted the evolving sophistication of ransomware attackers.

Bad Rabbit (2020)

Bad Rabbit employed drive-by download attacks, leveraging compromised websites to infect unsuspecting users. Once downloaded, the ransomware targeted specific regions and used a combination of AES-128 and RSA-2048 encryption to lock down user files. Despite its regional focus, Bad Rabbit disrupted various sectors, showcasing the potential for geographically targeted ransomware attacks.

DarkSide (2020)

DarkSide operated as a cybercriminal gang offering RaaS (Ransomware-as-a-Service). Their ransomware spread across networks after gaining an initial foothold, potentially affecting entire organizations. DarkSide relied on the widely used RSA encryption for data and targeted large corporations, aiming to maximize the ransom payout. They also incorporated data exfiltration into their tactics, stealing information before encryption and threatening to release it if the ransom wasn’t met. This double extortion approach became a hallmark of many ransomware operations.

Conti (2017)

Conti evolved from another notorious ransomware strain, Ryuk. Targeting large organizations, Conti focused on disrupting critical operations and extracting significant ransoms. Their tactics involved encryption and data theft, applying double extortion pressure on victims. Conti employed various distribution methods, including phishing emails, exploited vulnerabilities, and RDP attacks. Their adaptability and focus on high-impact targets made Conti a significant threat to businesses worldwide.

Maze (2019)

Maze distinguished itself through its targeted approach and focus on data exfiltration. Attackers infiltrated victim networks, often through social engineering techniques, and stole sensitive data before encrypting it. The threat of leaked information and data encryption significantly increased pressure on victims to pay the ransom. Maze’s success, unfortunately, validated the effectiveness of double extortion tactics and fueled the rise of similar ransomware operations.

Zeoticus (2021)

Zeoticus presented a unique twist on ransomware by operating offline. This meant it didn’t rely on internet connectivity for communication or control, potentially evading detection by traditional security measures. Zeoticus also exhibited regional avoidance, seemingly targeting specific locations. Furthermore, it employed a hybrid encryption approach, combining different algorithms to potentially complicate decryption efforts. Zeoticus’ unique features highlighted the ongoing evolution of ransomware and the need for adaptable security solutions.