Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Ransomware

Ransomware Description
Dharma - Ransomware The ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016 and the threat actors behind the ransomware continue to release new variants which are not decryptable.
Phobos - Ransomware The ransomware uses AES encryption and adds various extensions to infected files. The malware was discovered in late 2017 with new variants being discovered throughout early 2019. The victim is required to email the threat actor at one of many email addresses for the decryption key.
Maze - Ransomware The ransomware uses RSA-2048 and ChaCha20 encryption and requires the victim to contact the threat actor by email for the decryption key. The threat actors behind the malware are known to have attacked multiple sectors including government and manufacturing and threaten to release the company's data if the ransom is not paid.
Ragnar Locker - Ransomware The ransomware will perform reconnaissance on the targeted network, exfiltrate sensitive information, and then notify the victim the files will be released to the public if the ransom is not paid. The threat actor behind the malware is known to demand hundreds of thousands of dollars and creates a ransom note that includes the company name. The ransomware targets remote management software used by managed service providers and enumerates all running services on the infected host and stop service...
Mailto - Ransomware The ransomware, also known as Netwalker, targets enterprise networks and encrypts all Microsoft Windows systems found. The malware was detected in August 2019 with new variants discovered throughout the year including into 2020. The ransomware appends a random extension to infected files and uses Salsa20 encryption. The ransomware added a new defense evasion techinque known as reflective DLL loading to inject a DLL from memory.
Nefilim - Ransomware The ransomware encrypts files with AES-128 encryption and appends ".NEFILIM" to infected files. The malware shares code with the Nemty ransomware family but instead of using a Tor payment site the malicious software relies on email communication for payment. The threat actor behind Nefilim threatens to release stolen data if the ransom is not paid within seven days.
Lockbit - Ransomware The Ransomware-as-a-Service (RaaS) hit the threat landscape in September 2019 and was discovered to have breached a company and encrypt the entire network in a few hours. The attacker performed a brute force attack on a web server containing an outdated VPN service. The operation used SMB to perform network reconnaissance and then used the internal Microsoft Remote Access Server to gain access to remote systems. Lockbit attempts to stop multiple services including those belonging to anti-virus, ...
Black Kingdom - Ransomware The ransomware, also known as GAmmAWare or DemonWare, demands up to $10,000.00 for the decryption key and gives the victim a time limit to respond to the ransom demand. In 2020 the malware was discovered taking advantage of a critical flaw in unpatched Pulse Secure VPN software classified under CVE-2019-11510.
Tycoon - Ransomware A new ransomware family known as Tycoon was discovered in late 2019 and continues to evolve into mid-2020. The malware appends various extensions to infected files including thanos, grinch, and redrum and uses RSA and AES encryption. Victims are required to email the threat actor and threatens to delete the encrypted files or increase the ransom amount if not paid within 24 hours. The initial infection vector is over insecure RDP and targets both Microsoft Windows and Linux endpoints.
Avaddo - Ransomware The Avaddon Ransomware-as-a-Service (RaaS) program was discovered being advertised on underground forums in mid-2020. Affiliates are required to follow a set of rules including not distributing the address of the admin panel to third parties and targeting users in the Commonwealth of Independent States (CIS). The malware is distributed through email spam campaigns containing a JavaScript downloader disguised as a JPG photo. Various techniques are used for execution and persistence including Powe...