Threat Landscape Dashboard

Assessing today's threats and the relationships between them

Top 10 Ransomware

Ransomware: Description

Dharma - Ransomware: The ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016 and the threat actors behind the ransomware continue to release new variants which are not decryptable.
Phobos - Ransomware: The ransomware uses AES encryption and adds various extensions to infected files. The malware was discovered in late 2017 with new variants being discovered throughout early 2019. The victim is required to email the threat actor at one of many email addresses for the decryption key.
Snatch - Ransomware: Snatch ransomware has been identified using brute force tactics over RDP to gain access to Domain Administrator accounts. Once an account is compromised, a reverse shell is set up on a Domain Controller to maintain persistence and allow the encryption of domain-joined machines. Additionally, in an attempt to evade detection, the ransomware reboots the machine into safe mode before encrypting the device.
Maze - Ransomware: The ransomware uses RSA-2048 and ChaCha20 encryption and requires the victim to contact the threat actor by email for the decryption key. The threat actors behind the malware are known to have attacked multiple sectors including government and manufacturing and threaten to release the company's data if the ransom is not paid.
Hakbit - Ransomware: The ransomware was discovered in late 2019 with new variants appearing on the threat landscape into mid-2020. The malicious software, also known as Horse, Abarcy, Corona, and Ravack, uses AES encryption and demands up to 3 Bitcoin for the decryption key. The malware has targeted multiple sectors including pharmaceutical, legal, financial, retail, healthcare, information technology, manufacturing, and insurance. Some variants use GuLoader to drop the ransomware onto systems after users are convin...
Nefilim - Ransomware: The ransomware encrypts files with AES-128 encryption and appends ".NEFILIM" to infected files. The malware shares code with the Nemty ransomware family but instead of using a Tor payment site the malicious software relies on email communication for payment. The threat actor behind Nefilim threatens to release stolen data if the ransom is not paid within seven days.
Conti - Ransomware: A new ransomware family known as Conti was discovered that uses multiple techniques both to locate files to attack and to carry out the encryption process. The malware uses multiple threads to encrypt files at a faster rate compared to other ransomware families and contains command-line options to scan for local files as well as remote files over SMB shares. Conti also uses the Windows Restart Manager to free up files that are open in various applications. The ransomware uses AES-256 encryption and r...
EvilQuest - Ransomware: A new ransomware family was discovered targeting Macintosh users and is packaged inside legitimate software hosted on torrent sites. The malicious software, known as ThiefQuest or EvilQuest, uses a keylogger to steal credentials and other sensitive information, exfiltrates files and cryptocurrency wallet data, and installs a backdoor to stay persistent across reboots. The malware drops a ransom note demanding payment but does not include contact information and only includes a bitcoin address to...
WastedLocker - Ransomware: The Evil Corp eCrime group, also known as Indrik Spider, released a new ransomware family known as WastedLocker which uses AES and RSA encryption. A customized string is appended to encrypted files consisting of the company's name and the word "wasted". A ransom note is dropped next to each infected file and states the victim must contact the threat actor at one of two email addresses. The ransom demand can reach into the millions of dollars. The group behind WastedLocker are known...
Exorcist - Ransomware: The ransomware appends a random extension to infected files and uses AES and RSA encryption. The malware drops a ransom note directing victims to a website instead of providing an email address to gain access to the decryption key. Before encryption the malicious software checks the keyboard layout and exits if it belongs to any country that is part of the Commonwealth of Independent States.