What is ransomware?
Ransomware is a type of computer virus (or malware) that takes advantage of a computer’s security vulnerabilities to restrict access to a computer system. Some forms of ransomware encrypt files on the system's hard drive whilst others lock the system and display a message designed to lure the victim into paying a ransom in exchange for a decrypt tool and private key. Typically, the ransomware then demands a ransom be paid (usually in Bitcoins) with an offer to decrypt the data or restore the system to its previous working state. Put simply, ransomware is a sophisticated form of computer extortion and is a global epidemic.
Common Types of Ransomware
Ransomware comes in many forms and is constantly evolving and adapting to take advantage of the latest security vulnerabilities. Some of the more common recent strains are Locky, Cerber, CryptoLocker, DMA Locker, Dharma, Troldesh, XTBL, Globe and CTB Locker. Most ransomware takes the form of a Trojan virus spread through an infected attachment in spam email (usually targeting Microsoft Windows).
The following provides more information on the common types of Ransomware currently in circulation:
Ransomware Name: Locky
Variants: Locky, Zepto, Thor, Odin, Osiris, ZZZZZ, Aesir ransomware
Description: Locky is particularly aggressive and targets a very large number of file types on both local and mapped drives. Locky renames file name (to be unrecognisable) and changes file extension to the variant name (e.g. .aesir). Locky is primarily distributed by scattergun approach via attachments within spam email (usually in the form of a Trojan virus lurking in a Macro within a Microsoft Office document, often masquerading as an invoice or urgent advice notice). Once data is encrypted, a ransom note is usually placed within encrypted folders asking for payment in bitcoins in exchange for a Locky decrypt tool.
Distribution: Locky ransomware (and its variants) is primarily distributed via Trojan spam email attachments.
Ransomware Name: Cerber
Variants: 5 known versions, named sequentially from Cerber 1 to Cerber 5.
Description: This Cerber ransomware variant encrypts files with the RSA or AES ciphers. Cerber typically adds four randomly generated A-Z 0-9 characters (eg. .c34f) as a file extension to the encrypted files and asks a ransom payoff in exchange for a Cerber decrypt tool. Older versions change the file extension to .cerber. As with many of the other ransomware listed here, most Cerber ransomware strains delete all Windows shadow copies and turn off Windows Startup Repair. They can also target external USB drives (often infecting data backup stores).
Distribution: Spam Emails, Email Attachments, File Sharing Networks, Malicious Executable in Torrent Trackers.
Ransomware Name: DMA Locker
Variants: 5 known versions, named sequentially from DMA Locker 1 to DMA Locker 5.
Description: DMA is very aggressive and attacks a large number of file types and apps (including Microsoft Exchange and SQL Server). Normally identifiable from a red splash screen (with padlock image) appearing on desktop requesting a ransom payoff in exchange for a DMA Locker decrypt tool and decryption key file. Encrypted files will be locked and may open single line of text identifying DMA virus type. File names may have appended IDs but usually remain intact. File extensions remain intact across variants.
Distribution: Direct Hack via RDP vulnerability, Trojan spam email attachment and malicious website URLs.
Ransomware Name: CrySiS
Variants: Dharma, XTBL, .Wallet
Description: First detected in February 2016, CrySiS ransomware is capable of encrypting 185 different file types and targets both local and network drives. CriSiS usually changes the victim’s desktop wallpaper to a notice and ransom demand. Encrypted data is usually appended with .crisis extension and file names may be renamed (sometimes with a contact email address of the hacker). The XTBL variant usually renames file extensions to ‘.XTBL’. A ransom note usually accompanies requesting a pay out to purchase a CrySiS decrypt tool or XTBL ransomware decryption software. Email addresses tend use @india.com, @aol.com or @mail.ru domains. If your files fail to open and have an email address inserted into the filename and/or extension appended, please get in touch and we can advise if decryption is possible.
Distribution: Crysis is mainly distributed via RDP attack spam emails.
Ransomware Name: CryptXXX
Variants: CryptXXX, CryptXXX 2.0, CryptXXX 3.0, Troldesh, CryptoWall, CryptoWall 2.0, CryptoWall 3.0
Description: Renames files with extension .crypt or .crypz (version 3). Encrypts and renames large number of files on local and network mapped drives rendering them unable to be opened. A ransom note usually accompanies requesting a pay out to purchase a CryptXXX decrypt tool and key or Crypt XXX decryption software. Sometimes CryptXXX is referred to as Microsoft Decryptor (or decrypter). CryptXXX is derived from CryptoWall and a decrypt tool and master key is publically available for some CrytpoWall ransomware strains, please contact us for further advice.
Distribution: CryptXXX is primarily distributed via Trojan spam email attachments.
Ransomware Name: CryptoLocker (aka Crypto Locker, Crypt0L0cker)
Variants: PCLock, PCLock 2, Crypt Locker, Crypto Lock, Torrent Locker and many ‘copycat’ crypto variants.
Description: CryptoLocker is a ransomware Trojan that targets computers running Microsoft Windows and was first noticed back in September 2013. Although the original CryptoLocker is now considered ‘extinct’, many copycat forms now exist.
Distribution: CryptXXX (and other variants) is primarily distributed via Trojan spam email attachments and fake downloads.
Ransomware Name: Globe
Variants: Globe2, Globe3, BlackBlock, Kyra, x3m, ‘copycat’ Globe variants
Description: The Globe virus can affect approximately 995 types of files. The virus is fairly aggressive as it may also corrupt the files located in Program Files or local drives. In addition, the virus seems to behave quite aggressively as it encrypts more and more files after each system reboot. Globe malware deletes all shadow copies and turns off Windows Startup Repair. Files are typically renamed and can include a contact email address (e.g. email@example.com).
Distribution: Globe and is variants are primarily distributed via RDP attack and trojan email attachments.
Ransomware Name: Troldesh
Variants: Encoder.858, Shade ransomware
Description: The original version of Troldesh appended ‘.xbtl’ or ‘.cbtl’ to encrypted files. Troldesh ransomware, is an extremely aggressive crypto ransomware that and typically requests payment of a ransom in exchange for a Troldesh ransomware decryption software and decryption key. Files are typically renamed and can include a contact email address (e.g. firstname.lastname@example.org). Email may alos use @india.com, @aol.com or @mail.ru domains. If your files fail to open and have an email address inserted into the filename and/or extension appended, please get in touch and we can advise if decryption is possible.Distribution: Troldesh and is variants are primarily distributed via spam emails and fake downloads.
Ransomware Name: CTB Locker
Variants: CTB-Locker, various re-releases
Description: CTB Locker encrypts documents with .ctbl files extension. It attacks common file types and typically places a ransom demand (with unique decryption key) requesting payment in exchange for ransomware decryption software and private decrypt key.
Distribution: CTB Locker is primarily distributed via Trojan email attachments and fake downloads.
Ransomware Name: Dharma
Variants: CrySiS, .Wallet, .XTBL, ARROW, ARENA, CESAR, JAVA, BIP, COMBO
Description: Dharma ransomware attacks key folders, encrypts files, adds an email address to each filename and changes the extension (e.g. to .bip or .combo or .arrow or random alphanumeric characters). Email addresses tend use @india.com, @aol.com or @mail.ru domains. If your files fail to open and have an email address inserted into the filename and/or extension appended, please get in touch and we can advise if decryption is possible.
Distribution: Dharma ransomware is primarily distributed via RDP hack or trojan email attachments.
Whatever type of ransomware virus or malware you are experiencing, the team at RM Data Recovery can provide knowledgeable, friendly and honest decrypt advice. For a free evaluation, please click the button below and complete the simple form: