October 24, 2020

The 10 most popular ransomware in 2019


2019 was a year of ransomware attacks on enterprises. Every day, governments, companies, and organizations around the world are hit by ransomware. Ransomware has become the biggest threat to network security, and the cybercriminals behind it are among the most harmful cybercriminal organizations in the world. Ransomware is the most popular and hottest malware on underground hacker forums. Let's take a look: what were the 10 most popular ransomware in 2019?

PGA ransomware

  1. STOP ransomware
    STOP ransomware first appeared around February 2018 and has been active worldwide since August 2018. It mainly spreads by being bundled with cracked software, adware packages, and similar downloads; KMS activation tools and even bundled antivirus software have been used to distribute it. So far this ransomware has more than 160 variants. Emsisoft has released a decryption tool that can decrypt more than 140 of those variants.
  2. GandCrab ransomware
    The GandCrab ransomware was first observed infecting Korean companies in January 2018. It then expanded rapidly worldwide, with U.S. victims appearing in early 2018. At least 8 critical infrastructure sectors were affected, and GandCrab quickly became the most prevalent ransomware, estimated to hold 50% of the ransomware market by the middle of 2018. Experts estimate that GandCrab infected more than 500,000 victims worldwide and caused more than 300 million US dollars in damages. GandCrab operated on a Ransomware-as-a-Service (RaaS) business model, distributing the malware to affiliates who bought the service in exchange for 40% of the ransom. From January 2018 to June 2019 it reappeared repeatedly in different variant versions; in January 2019 the GandCrab 5.1 variant began to spread around the world. On June 1, 2019, the GandCrab operators announced the closure of their website and claimed to have collected 2 billion U.S. dollars in ransom. Two weeks later, Bitdefender, working with Europol, the Joint Investigation Bureau, and numerous law enforcement agencies in cooperation with the NoMoreRansom organization, released a GandCrab decryption tool covering GandCrab 1.0, 4.0, 5, 5.2 and other versions.
  3. REvil/Sodinokibi ransomware
    Sodinokibi ransomware (also known as REvil) was first discovered in Italy on May 24, 2019, where it was found spreading through RDP attacks. It is regarded as the successor of GandCrab and spread worldwide within a few months. It shares many traits with GandCrab, and security researchers have published a number of reports on the links between the two. Sodinokibi is also distributed and marketed under the Ransomware-as-a-Service (RaaS) model and uses evasion techniques to avoid detection by security software. It spreads mainly through Oracle WebLogic vulnerabilities, Flash use-after-free (UAF) vulnerabilities, phishing emails, exposed RDP ports, and other vulnerabilities.
  4. GlobeImposter ransomware
    GlobeImposter ransomware first appeared in May 2017 and was mainly distributed through phishing emails. In February 2018, samples of the GlobeImposter 2.0 variant broke out in major hospitals in China. Traceability analysis found that the ransomware may have used RDP flaws, social engineering, and similar means to get in. It uses the RSA-2048 encryption algorithm, so the encrypted files cannot be decrypted.
  5. CrySiS/Dharma ransomware
    The CrySiS ransomware, also known as Dharma, first appeared in 2016. After its master key was released in May 2017, earlier samples could be decrypted, and the ransomware disappeared for a while before reappearing almost immediately. Its operators brute-force RDP to get into victim servers, then encrypt files and demand ransom. It encrypts with AES and RSA, so the encrypted files cannot be decrypted. In the past year this ransomware was extremely active, with more than a hundred variants.
  6. Phobos ransomware
    Phobos ransomware was very active in 2019. It first appeared in December 2018, when security researchers discovered a new ransomware whose encrypted files carried the suffix Phobos. It has many similarities to CrySiS (Dharma): it also spreads through RDP brute force, and the two use very similar ransom notes, so they are easily confused. Whether the same hacking group operates both ransomware has not been established; more evidence is needed.
  7. Ryuk ransomware
    The Ryuk ransomware was first discovered in August 2018. It is operated behind the scenes by the Russian hacker gang GrimSpider, a cybercrime group that uses Ryuk to target large enterprises and organizations. Security researchers found that Ryuk is mainly spread in combination with other malware such as the Emotet or TrickBot banking Trojans through network attacks. Emotet and TrickBot are themselves mainly used to steal victims' online banking credentials.
  8. Maze ransomware
    Maze ransomware, also known as ChaCha ransomware, was first discovered by Malwarebytes security researchers in May 2019. It is distributed mainly through the Fallout and Spelevo exploit kits and through fake sites that disguise it as a legitimate cryptocurrency exchange application. Recently, Proofpoint security researchers found that a new hacker group, TA2101, launched spam campaigns against Germany, Italy, and the United States to spread Maze ransomware.
  9. Buran ransomware
    Buran ransomware first appeared in May 2019. It is a new ransomware spread under the RaaS model and sold on a well-known Russian forum. Where other RaaS-based ransomware (such as GandCrab) takes a 30% cut, the Buran author takes only 25% of the income generated by infections. Security researchers believe Buran is a variant of the Jumper and VegaLocker ransomware. Buran was previously spread via the RIG Exploit Kit, which exploited CVE-2018-8174, a relatively serious vulnerability in Internet Explorer.
  10. MegaCortex ransomware
    MegaCortex ransomware was first discovered on VirusTotal in January 2019, when someone uploaded a malicious sample there. The British cybersecurity company Sophos released an analysis report on MegaCortex in May, noting that the earlier version resembled the previous year's very prevalent SamSam ransomware: both used BAT scripts, both required a password parameter, and their loading methods were similar, but for now there is not much evidence that the two are related. After the January upload, the number of MegaCortex samples monitored by Sophos kept increasing, and the company performed a detailed analysis. The ransomware is reported to have attacked multiple industries in Europe and North America and demanded high ransom payments; corporate networks in the United States, Canada, the Netherlands, Ireland, Italy, and France have been affected. In August 2019 a MegaCortex V2.0 was found with a redesigned loading process: it executes automatically without the operator having to supply a password, because the author hard-coded the password into the binary. The author also added anti-analysis measures and functionality to block and kill various security products and services, work that in the previous version had been done by manually running a batch script on each victim host.
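Several of the families above (CrySiS/Dharma, Phobos, Sodinokibi) are described as getting in through RDP brute force. The following is an added detection example, not code from the article: it scans constructed Windows Security events (IDs 4625/4624, logon type 10) in a simplified CSV form for a burst of failed RDP logons from one source and for a successful logon that follows such a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from a real host):
# timestamp,event_id,logon_type,user,src_ip
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = """\
2019-11-02T01:00:01,4625,10,administrator,203.0.113.7
2019-11-02T01:00:03,4625,10,admin,203.0.113.7
2019-11-02T01:00:04,4625,10,backup,203.0.113.7
2019-11-02T01:00:06,4625,10,sqladmin,203.0.113.7
2019-11-02T01:00:09,4625,10,administrator,203.0.113.7
2019-11-02T01:00:15,4624,10,administrator,203.0.113.7
2019-11-02T01:10:00,4625,10,jdoe,198.51.100.4
2019-11-02T01:30:00,4624,10,jdoe,198.51.100.4
"""

def parse_events(text):
    """Parse the simplified CSV lines into (time, event_id, logon_type, user, ip)."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts in order of detection.

    ('burst', ip, count): once per IP, when failed RDP logons from that IP
    reach `threshold` inside `window`.
    ('success_after_burst', ip, user): a successful RDP logon from an IP
    that already produced a burst, the pattern of a brute force that worked.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent RDP failures
    flagged, alerts = set(), []
    for ts, eid, ltype, user, ip in events:
        if ltype != 10:            # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, len(q)))
        elif eid == 4624 and ip in flagged:
            alerts.append(("success_after_burst", ip, user))
    return alerts
```

A single failure from 198.51.100.4 followed by a success stays silent, while five failures in nine seconds from 203.0.113.7 and the logon right after them produce the two alerts.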