AbleToTrain by Willing & Able

Examples of ransomware attacks

There are thousands of types of ransomware malware. Below are some examples of malware that have had worldwide impact and caused widespread damage. 


WannaCry is an entry-level ransomware with a self-propagating mechanism that allows it to exploit a vulnerability in the Windows SMB protocol and infect other computers. WannaCry is packaged as a dropper, a stand-alone program that extracts encryption / decryption applications, files containing encryption keys, and a Tor communication program. It’s not ambiguous and it’s relatively easy to find and remove. 


Locky is able to encrypt 160 file types, primarily files used by designers, engineers and testers. First released in 2016. It is mainly distributed via exploit kits or phishing. The attacker sends an email prompting the user to open a Microsoft Office Word or Excel file that contains malicious macros, or a ZIP file that installs the malware after extraction. 

Cryptographic Cabinet 

Cryptolocker was released in 2017 and has affected over 500,000 computers. It usually infects your computer via email, file sharing sites, and unprotected downloads. In addition to encrypting files on your local computer, you can also scan mapped network drives and encrypt files with write permissions. A new variant of Crypolocker can bypass older antivirus software and firewalls. 

Not Petya and Petya 

Petya is a ransomware that infects your computer and accesses the Master File Table (MFT) to encrypt your entire hard drive. This makes the entire disk inaccessible even if the actual file is not encrypted. Petya was first seen in 2016 and was distributed via fake application messages that primarily point to  infected files stored in Dropbox. This only affected Windows computers. 

Petya requires you to agree to give the user permission to make administrator-level changes. If the user agrees, a fake system crash screen will be displayed while the computer restarts and starts encrypting the hard drive in the background. Next, a ransom note will be displayed. The original Petya virus was less successful, but a new variant of Kaspersky Labs called NotPetya turned out to be more dangerous. NotPetya is equipped with a propagation mechanism that allows it to propagate without human intervention.

NotPetya originally spread through the backdoor of accounting software widely used in  Ukraine, and later exploited the Windows SMB protocol vulnerabilities Eternal Blue and Eternal Romance. NotPetya encrypts not only MFT, but also other files on disk. While the data is encrypted, the data is irreparably corrupted. The user who pays the ransom cannot actually get the data back. 


Ryuk infects computers via phishing emails or drive-by downloads. Use a dropper to extract the Trojan horse on the victim’s computer and establish a lasting network connection. Attackers can  use Ryuk as the basis for  Advanced Persistent Threat (APT), install additional tools such as keyloggers, and perform privilege escalation and lateral movement. Ryuk is installed on all additional systems that an attacker has access to. The attacker installs Trojan horses on as many computers as possible and then activates Locker ransomware to encrypt  files. In Ryuk attack campaigns, the ransomware aspect is only the final stage.

Grand Club 

Grand Crab was released in 2018. It has been used to launch ransomware-based blackmail attacks that encrypt files on users’ computers, demand ransom, and threaten attackers to reveal victims’ pornographic habits. There are several versions, all targeted for Windows computers. Free decryption features are currently available on most versions of GrandCrab.

How does ransomware work? 

After the device is exposed to malicious code, the ransomware attack proceeds as follows: 

  1. Ransomware can remain dormant on the device until the device is most vulnerable before launching the attack. 
  2. Infection – Ransomware is secretly downloaded and installed on your device. 
  3. Run – Ransomware maps location of the files. Some ransomware attacks also delete or encrypt backup files and folders. 
  4. Encryption – Ransomware performs a key exchange with the command and control server and uses the encryption key to encrypt all files detected during the execution step. It also blocks access to the data.
  5. Notify User – Ransomware adds instruction files detailing the Pay for decryption process and uses these files to display  ransom notes to users. 
  6. Cleanup – Ransomware usually exits and removes itself, leaving only payment instructions. 
  7. Payment – Victims gets additional information on how to pay the required ransom. 
  8. The TOR Hidden Service is often used to encapsulate these communications to avoid detection by network traffic monitors. 
  9. Decryption – After the victim pays the ransom,  the victim may receive a decryption key, usually via the attacker’s Bitcoin address.