TYPES OF RANSOMWARE
Phobos (from the Greek φοβος, fear) is ransomware that started infecting computers in late 2018. It is related to the Dharma (CrySis) strain, with which it shares part of its code and which caused a great deal of damage between 2017 and 2018.
Phobos abuses the RDP protocol, putting millions of corporate servers and workstations at risk. With the proliferation of cloud services, many companies have Windows servers reachable from the public Internet, and these are potential targets.
Sodinokibi is a ransomware family that targets Windows systems. It encrypts important files and demands a ransom to decrypt them.
Attackers spread Sodinokibi through brute-force attacks, server exploits, malicious links, or phishing. After exploiting a vulnerability, and often bypassing antivirus software, Sodinokibi downloads a .zip file containing the ransomware, which then moves through the infected network and encrypts files, adding a random extension to each of them.
Dharma is extremely dangerous ransomware. It encrypts all files located on local drives and on shared network directories, and it deletes all shadow copies so that users cannot restore them. No mechanism has been found that would allow this malicious code to propagate to other devices on its own.
The malware behaves like a “Trojan-ransomware”: human intervention is required to activate its malicious code, so it has to be executed manually.
Ryuk is a type of ransomware used in targeted attacks, where the perpetrators make sure that essential files are encrypted so that they can demand a ransom that can amount to hundreds of thousands of dollars.
It can identify and encrypt local drives and network resources, and it deletes shadow copies on the device and disables Windows System Restore for users, making data recovery nearly impossible.
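Both Dharma and Ryuk, as described above, remove shadow copies and disable System Restore before encrypting, and that preparation step is one of the most reliable things a defender can detect. The following is an added example, not code from the original page or from any vendor: it parses a constructed set of Windows process-creation events (the pipe-separated format and the host and path values are assumptions made for the example), flags command lines that delete shadow copies or disable recovery, and then correlates them so that a single parent process tripping several of these rules within a short window is raised as a ransomware-style incident rather than a lone administrative command.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of process-creation events (assumed format, not real logs):
# timestamp | host | parent image | command line
SAMPLE_EVENTS = """\
2023-01-01T10:00:01 | WS01 | C:\\Windows\\explorer.exe | "C:\\Program Files\\App\\app.exe" --update
2023-01-01T10:02:14 | WS01 | C:\\Users\\u\\invoice.exe | vssadmin.exe Delete Shadows /All /Quiet
2023-01-01T10:02:15 | WS01 | C:\\Users\\u\\invoice.exe | wmic.exe shadowcopy delete
2023-01-01T10:02:16 | WS01 | C:\\Users\\u\\invoice.exe | bcdedit.exe /set {default} recoveryenabled No
2023-01-01T10:30:00 | SRV01 | C:\\Windows\\System32\\cmd.exe | vssadmin.exe list shadows
"""


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    cmdline: str


@dataclass
class Alert:
    rule: str
    event: Event


@dataclass
class Incident:
    host: str
    parent: str
    rules: list


# Detection rules: each matches a command line that removes or disables a
# Windows recovery mechanism (shadow copies, boot-time recovery). Case-insensitive,
# so "Delete Shadows" and "delete shadows" both match; "list shadows" does not.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]


def parse_events(text):
    """Parse the pipe-separated event lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmdline = [p.strip() for p in line.split(" | ", 3)]
        events.append(Event(datetime.fromisoformat(ts), host, parent, cmdline))
    return events


def match_rules(events):
    """Return one Alert per (event, rule) pair whose command line matches."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev.cmdline):
                alerts.append(Alert(name, ev))
    return alerts


def correlate(alerts, window=timedelta(seconds=60), min_rules=2):
    """Group alerts by (host, parent process) and raise an Incident when one
    parent trips at least min_rules distinct rules inside the time window.
    That sequence is typical of ransomware preparing to encrypt, while an
    administrator usually runs one such command in isolation."""
    by_parent = {}
    for a in alerts:
        by_parent.setdefault((a.event.host, a.event.parent), []).append(a)
    incidents = []
    for (host, parent), group in by_parent.items():
        group.sort(key=lambda a: a.event.ts)
        first, last = group[0].event.ts, group[-1].event.ts
        rules = sorted({a.rule for a in group})
        if len(rules) >= min_rules and last - first <= window:
            incidents.append(Incident(host, parent, rules))
    return incidents


if __name__ == "__main__":
    alerts = match_rules(parse_events(SAMPLE_EVENTS))
    for a in alerts:
        print(f"ALERT {a.rule}: {a.event.host} {a.event.parent} -> {a.event.cmdline}")
    for inc in correlate(alerts):
        print(f"INCIDENT on {inc.host}: {inc.parent} triggered {', '.join(inc.rules)}")
```

On the sample above the three commands launched by invoice.exe on WS01 produce three alerts and one incident, while the `vssadmin list shadows` run from cmd.exe on SRV01 produces nothing. In production the same correlation should consume events from an EDR or Sysmon feed, and the parent-process key can be replaced by process GUID or user session, but the idea stays the same: score the sequence, not the single command.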
Conti is relatively recent ransomware used to attack large corporate or government networks precisely, quickly, and effectively. It is designed to be operated remotely by a human rather than to run autonomously. Its operators break into a network and move laterally until they obtain domain and administrator credentials, eventually locking and encrypting the entire hard drive of the attacked user.
GlobeImposter is ransomware that first appeared in 2017 and uses various attack vectors to deliver its payload. In one of them, potential victims receive a blank email with an anonymous malicious zip file attached; the aim is for a curious victim to open the attachment, which contains the payload. GlobeImposter can also install itself during an application installation process, so victims who skip or do not read the installation steps inadvertently install the payload. After successfully infecting the computer, the malware downloads the rest of its payload from the Internet. Windows hibernation modes are then disabled to prevent the computer from going into standby. The malware copies itself to all available admin shares and writes automatic-reboot information and key variables to the Windows registry.
STOP is an insidious new type of ransomware distributed through sites that promote fake software cracks or free programs, which are in fact adware packages that install it.
Some reported cracks carrying this ransomware include those for KMSpico, Cubase, Photoshop, and antivirus software.
STOP ransomware, like the others, encrypts the files on your hard disk, adding a .stop extension to them and issuing a ransom note.
GandCrab ransomware is malware that encrypts victims’ files and demands ransom payments to restore access to their data. GandCrab targets PCs running Microsoft Windows.
After the infection, the attackers place ransom notes on the victim’s computer that direct them to a site on the Dark Web where, upon payment of the ransom, the victim can supposedly recover their files.