8 Scariest Ransomware Viruses

The first ransomware infections drew attention in 2013, and they have been steadily on the rise since then. Today, they are one of the most common online threats affecting Internet users and organizations of all sizes. According to the Verizon 2017 Data Breach Investigations Report (DBIR), ransomware was the top malware variety within Crimeware in 2016.

What Is Ransomware and How Does It Work?

Ransomware infection most commonly results in encryption of the data stored in the computer system. However, certain types of ransomware block access to the data without encrypting it or even leak it online for everyone to see. Then, the hackers demand a ransom to return everything to the way it was and give victims their data back. In most cases, the transaction is in bitcoins, wire transfers or premium-rate text messages to protect the anonymity of the attackers and make the payment hard to trace. The ransom amount varies, from $150–$500 for an individual to thousands of dollars for an organization. The worst aspect of ransomware is that a paid ransom does not guarantee that the blocked data will be unlocked by the intruders.

Security experts name four main types of ransomware:

  1. Encrypting ransomware
  2. Non-encrypting ransomware
  3. Leakware
  4. Mobile ransomware

Encrypting ransomware

Encrypting ransomware uses an RSA encryption algorithm, which encrypts victims’ data files or the entire hard drive and then demands a ransom to unlock the encrypted files. Ransomware became prominent in 2013 with a new version called Cryptolocker. The Cryptolocker was the first to demand a ransom to be paid in bitcoins to get the decryption key for the encrypted data.

The newest version of crypto-ransomware is website ransomware, which is a crypto-ransomware type of malware that targets websites. It has a limited influence as it attacks and infects the website files and doesn’t affect databases. After the attack has happened, the files on the server are inaccessible, and the homepage is defaced with a warning that the website has been held hostage.

Check out our step-by-step guide to learn how to get rid of encrypting ransomware, based on a real example.

Non-encrypting ransomware

Non-encrypting ransomware doesn’t encrypt the data files present in the system. Its methods can be different, but the most common types of non-encrypting ransomware are:

  • Ransomware that gets into the user’s computer system, displays porn images and offers to get rid of this display if the user sends a premium-rate text message. After paying the ransom, the user receives a code that can unlock the machine and stop the porn images from being displayed.
  • A ransomware worm that uses the notice of Windows Product Activation to fool computer users. This malware informs users that a system’s Windows installation should be reactivated. However, the link always remains unavailable. The user then calls the helpline number written on the notice, which claims to be free. In fact, the call is made to an international number that gets busy for a long period of time. The result is a huge money loss by the victim of the ransomware.


Leakware is a relatively recent form of ransomware. It can be thought of as the opposite of classical ransomware. Leakware doesn’t lock users out of their data but threatens to publish stolen information online. Generally, the stolen files contain information that could taint the reputation of the victim. Damage to businesses from leakware can be huge. Therefore, victims usually pay the ransom to save the sensitive data and their reputation. Because it is possible to thwart traditional ransomware by keeping backups or formatting the hard drive, hackers have started to prefer leakware more and more. Threatening to release confidential data to the public is better motivation that just encrypting the data. A typical case of Leakware is shown in one of the episodes of the TV series Black Mirror.

Mobile ransomware

Mobile ransomware is a form of malware that affects mobile devices. It locks your device screen or steals sensitive data and then demands a ransom to unlock it or return the stolen data to the user. The attack begins with a download of allegedly innocent content or critical services. After the malware is downloaded onto a device, it will show a fake message accusing the victim of a law violation (for instance, using copyrighted files) before encrypting the files and locking the phone. After the ransom is paid, commonly via Bitcoin, the ransomware will send a code to unlock the phone or decrypt the data.

Most Dangerous Ransomware Infections

 Encouraged by the profitability of ransomware, criminals have taken this threat to the next level by offering ransomware-as-a-service, which enables anyone, regardless of their skill or coding knowledge, to upgrade to an encrypting ransomware business model. This approach was followed by a variety of experiments regarding how ransomware is delivered and how much it demands. Criminals introduce time limits after which files will be deleted (e.g., Jigsaw, Koolova), ransoms that increase over time (e.g., Cerber) and even options to decrypt files for free if the victims become attackers themselves and infect other people (e.g., Popcorn Time).

These are the nine biggest and most dangerous ransomware threats that made headlines in 2016-2017:

#1 – Cerber

Having emerged in late February 2016, Cerber is a ransomware-type malware that encrypts various file types including .jpg, .doc, .raw, .avi, etc. Cerber adds a .cerber extension to each encrypted file. Following successful infiltration, Cerber demands a ransom of $499 in bitcoins to decrypt these files. The payment must fall within the given time frame (seven days), otherwise the ransom amount will double.

Having generated $2.3 million in a year, Cerber is currently one of the top crypto menaces in the world, along with its direct competitor Locky. Cerber is sold mainly on underground Russian forums and deploys the finest Advanced Encryption cryptographic standard. Cerber has spawned four editions with various improvements within the eight months of its operation. Cerber is also offered in the form of ransomware-as-a-service, which allows “affiliates” to distribute the Cerber ransomware in exchange for 40% of each ransom amount paid.

#2 – Locky

Locky ransomware was discovered in February 2016, and since that time, it has been sent to millions of users worldwide, including 30 million Amazon users attacked in May 2016. The ransomware infection is distributed via spam e-mails that contain JavaScript attachments. The malicious .doc files attached to e-mails (which are allegedly an invoice requiring payment) contain scrambled text, which appears to be macros. When users enable macro settings in the Word program, an executable file is downloaded, and the user’s files are encrypted.

Locky also changes all file names to a unique 16-letter and digit combination with an .aesir, .thor.locky.zepto or .odin file extension. Thus, it becomes virtually impossible to identify the original files. To decrypt the files, victims must pay a ransom of approximately $235–$470 in bitcoins.

#3 – KillDisk

KillDisk is a destructive data-wiping malware that has previously been used to sabotage companies by randomly deleting files from the computers. Once in the network, KillDisk targets any drive, local or network, that the user has access to, which means that infecting one user can shut down a number of others. KillDisk is able to target not only Windows systems but also Linux machines, which is something we don’t see every day.

KillDisk is possibly the most expensive type of ransomware to date – it asks for around $247,000 in bitcoins. It is important to note that the Linux variant of KillDisk does not store the encryption key anywhere, so even if you pay an extremely large ransom, the criminals cannot just supply you with the decryption key and bring your files back.

#4 –Petya

Discovered in July 2016, Petya was one of the first types of ransomware virus to gain major success by spreading via a ransomware-as-a-service scheme. Petya targets mostly business users. For example, an HR employee receives an e-mail that contains a Dropbox link, which appears to be a person’s curriculum vitae. In reality, it is an .exe file that contains a self-extracting executable file, which will later infect the system. Apart from encrypting files, Petya locks the function of the full system and replaces the reboot code of the computer with a malicious reboot code; victims are forced to pay a $400 ransom to regain access to their computers.

According to the latest news, Petya now comes in the form of a heavily modified version called PetrWrap. The PetrWrap Trojan carries a sample of the Petya ransomware inside its data section and uses Petya to infect the victim’s machine. PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution, which allows criminals to hide the fact that they are using Petya.

Popcorn Time turns victims into attackers by giving them an option to pay a ransom or to infect two other people

#5 – Popcorn Time

Popcorn Time is a type of crypto-ransomware that combines Ponzi schemes, social activism and blackmail. Initially discovered by MalwareHunterTeam in late 2016, the Popcorn Time ransomware has been designed to give the victims a criminal way of getting a free decryption key for their encrypted files and folders. In fact, Popcorn Time turns victims into attackers by giving them an option to pay a ransom or to infect two other people and have them pay the ransom to get a free decryption key.

The Popcorn Time ransomware appends the .filock extension to the encrypted files and is able to encrypt more than 500 file types using AES-256 encryption. Popcorn Time demands a payment of one bitcoin, which now equals $780.

Koolova’s victim has to read two articles about how to protect data against ransomware before the countdown reaches zero

#6 – Koolova

Koolova is perhaps the strangest thing to pop up. This ransomware claims to restore your files for free (just like Popcorn Time). The only difference is that you don’t have to infect others to get a free decryption key. Instead, the victim has to read two articles about how to protect himself or herself against ransomware attacks: Google’s ”Stay safe while browsing” and Bleeping Computer’s ”Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.”

Once the Koolova ransomware infects a machine, it encrypts the files and then displays a warning screen, where the text instructs the victim to open and read two awareness posts before giving a decryption key. It then displays a screen similar to the Jigsaw Ransomware and tells you that if you are too lazy to read two articles before the countdown reaches zero, it will delete the files, which is not a joke, as Koolova actually does delete the files.

#7 – Spora

Spora is a new ransomware that appeared in January 2017. Its most notable features are a solid encryption routine, the ability to work offline and an extremely sophisticated payment site. Spora is distributed via spam e-mails that pretend to be invoices. E-mails come with ZIP attachments, which contain HTA (HTML Application) files. These files contain double extensions such as PDF.HTA or DOC.HTA. On Windows computers, users only see the first extension and can be easily tricked into opening the malicious files.

Spora does not appear to have weaknesses in its encryption process, and it has a unique pricing model. Full decryption, which includes removal, file restoration and immunity against future versions of ransomware, is approximately $79-$280 in bitcoins. The price varies depending on what option the victims choose: They can choose only one option (either restore files, remove ransomware or receive immunity), or victims can decrypt two files free of charge. Victims have a limited time to pay the ransom, otherwise decryption keys are permanently deleted.

Unlike other ransomware, Spora does not append a file extension at the end of encrypted files. To avoid damaging computers to the point that they are inaccessible to users, Spora only encrypts the following types of files: .xls, .doc, .xlsx, .docx, .rts, .odt, .pdf, .psd, .dwg, .cdr, .cd, .mdb, .lcd, .dbf, .sqlite, .accdb, .jpg, .jpe, .jpeg, .tiff, .zip, .rar, .7z and .backup.

#8 – WannaCry

The latest and probably one of the worst digital disasters to happen in years, WannaCry (also known as WannaCrypt, WannaDecrypt, WCry and WanaCryptOr 2.0) emerged on 12 May, 2017, and has infected over 300,000 computers in 99 countries. The list of organizations affected by this attack includes well-known companies like Renault, LATAM Airlines, Deutsche Bahn, FedEx and UK’s National Health Service, as well as government organizations and departments worldwide (e.g., the Ministry of Internal Affairs of the Russian Federation and the Ministry of Foreign Affairs in Romania).

WannaCry uses ETERNALBLUE exploit, a part of the NSA’s cyber-arsenal published in April 2017 by the hacker group Shadow Brokers. WannaCry takes advantage of the vulnerability in Microsoft’s implementation of the Server Message Block file-sharing protocol to remotely target computers using unpatched or unsupported versions of Windows, and after that, it infects computers connected to the same network. After encrypting the files, WannaCry gives victims 3 days to pay the ransom of $300 in bitcoins; otherwise, the ransom amount will double, and after 7 days, all the data will be deleted.

Scared? Discover best practices to protect your data against ransomware >>.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.