Anatomy of a Ransomware Attack – Part 3

March 18, 2017 | Views: 2644



3.1 CryptoLocker

Ransomware has been around in some form for over a decade, but came to prominence in 2013, with the rise of the original CryptoLocker malware. While the original was shut down in 2014, the approach has been widely copied. So much so, in fact, that the word CryptoLocker has become nearly synonymous with ransomware.

3.2 Cerber

Cerber targets cloud-based Office 365 users and is believed to have affected millions of users through an elaborate phishing campaign. This type of malware underscores the growing need for SaaS backup in addition to on-premises backup.

3.3 CryptoWall

CryptoWall first appeared in early 2014, and variants have appeared with a variety of names, including Cryptorbit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0, among others.

3.4 Crysis

Crysis can encrypt files on fixed, removable, and network drives and it uses strong encryption algorithms and a scheme that makes it difficult to crack within a reasonable amount of time.

3.5 CTB-Locker

The criminals behind this strain take a different approach to virus distribution, outsourcing the infection process to partners in exchange for a cut of the profits. This strategy allows the malware to achieve large volumes of infections and generate huge profits for the hackers.

3.6 Jigsaw

Jigsaw encrypts files and then progressively deletes them until the ransom is paid. The ransomware deletes a single file after the first hour, then deletes more and more files per hour until the 72-hour mark, when all remaining files are deleted.

3.7 KeRanger

KeRanger is not widely distributed at this point, but it is worth noting because it is known as the first fully functioning ransomware designed to lock Mac OS X applications.

3.8 LeChiffre

“Le Chiffre”, which comes from the French noun “chiffrement” meaning “encryption”, is the main villain from James Bond’s Casino Royale novel who kidnaps Bond’s love interest to lure him into a trap and steal his money. GREAT name. Unlike other variants, LeChiffre needs to be run manually on the compromised system. Cyber criminals automatically scan networks in search of poorly secured remote desktops, logging into them remotely and manually running an instance of the virus.

3.9 Locky

Locky is typically spread via an email message disguised as an invoice. When opened, the invoice is scrambled, and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption. The spam campaigns spreading Locky are operating on a massive scale. One company reported blocking 5 million emails associated with Locky campaigns over the course of two days.
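Because Locky's delivery hinges on the victim enabling macros in an emailed "invoice", a mail gateway or triage script can flag Office Open XML attachments that carry a VBA project before they reach the inbox. The check below is an added example, not code from the original post; it inspects the zip container for a vbaProject.bin part and for the VBA content type, and the two in-memory sample documents are constructed here purely so the check runs offline.

```python
import io
import zipfile

# Markers of an embedded VBA project in an Office Open XML container
# (docm/xlsm/pptm). Either one alone may be stripped or renamed by an
# attacker, so both are checked.
VBA_PART_SUFFIX = "vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML document in `data` carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Part listing: the compiled macro storage is always a .bin part.
            if any(n.endswith(VBA_PART_SUFFIX) for n in names):
                return True
            # Content types: a macro-enabled document must declare the part.
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in ctypes:
                    return True
    except zipfile.BadZipFile:
        # Not an OOXML container (legacy .doc/OLE2, plain text, or junk):
        # this particular check does not apply.
        return False
    return False


def _build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip in memory (constructed sample
    data, not a real invoice) so the check can be exercised offline."""
    parts = ['<Override PartName="/word/document.xml" '
             'ContentType="application/wordprocessingml.document.main+xml"/>']
    if with_macro:
        parts.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="' + MACRO_CONTENT_TYPE + '"/>')
    ctypes = '<?xml version="1.0"?><Types>' + "".join(parts) + "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder-vba-storage")
    return buf.getvalue()


CLEAN_DOC = _build_sample(with_macro=False)   # benign attachment
MACRO_DOC = _build_sample(with_macro=True)    # macro-laden "invoice"

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("macro", MACRO_DOC)):
        print(f"{label} attachment: macros={has_vba_macros(doc)}")
```

A flagged attachment is a reason to quarantine or sandbox it, not proof of Locky; legitimate macro-enabled documents exist, so the verdict belongs in a policy layer that knows the sender and the business context.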

3.10 TeslaCrypt

TeslaCrypt also uses an AES algorithm to encrypt files. Typically distributed via the Angler exploit kit, this ransomware targets Adobe vulnerabilities. TeslaCrypt installs itself in the Microsoft temp folder. When the time comes for victims to pay up, they are given options for payment: Bitcoin, PaySafeCard and Ukash. And who doesn’t love options?

3.11 TorrentLocker

TorrentLocker isn’t new to the malware scene, but the 2016 version is more destructive than ever. Like the mononucleosis of ransomware, TorrentLocker, in addition to encrypting files, collects email addresses from the victim’s address book to spread the malware beyond the initially infected computer/network.

3.12 ZCryptor

ZCryptor is a self-propagating malware strain that exhibits worm-like behavior, encrypting files and also infecting external drives and flash drives so it can be distributed to other computers.

3.13 Reveton

Reveton was introduced in 2012. This ransomware displays a warning that purports to come from a known law enforcement agency. The warning claims that the victim is guilty of possessing child pornography or has infringed a company’s copyright by downloading unlicensed software.

The hackers present the attack as a legitimate action by a law enforcement agency. To reinforce this, they require the user to pay a “fine” via an anonymous prepaid service such as Ukash. They also display the victim’s IP address on the warning screen to lend credibility to their claims.

