Ransomware Top 10 list of 2016



Ransomware attacks on corporate organizations were very common in 2016. Some ransomware attacked the critical infrastructure of organizations, and the attacks panicked the entire corporate world. Hundreds of ransomware families came into the limelight after they attacked many organizations. Some of the most dangerous ransomware of 2016 are as follows:




Cryptowall ransomware didn’t make any headlines in 2016. Cryptowall was first detected way back in 2014. Many companies in India were attacked by this ransomware. Cyber security companies have carried out a series of network penetration tests and web-based security tests to nullify the attack.




Researchers at Cisco Talos identified SamSam as one of the first instances of a cryptoworm. Unlike traditional ransomware, which spread primarily via phishing scams and exploit kit attacks, cryptoworms are believed to be the next generation of crypto-malware in that they mimic a computer worm’s userless distribution methods. SamSam exhibited this level of self-propagation in a March 2016 campaign when its developers partnered it with JexBoss, a tool for scanning and exploiting vulnerable JBoss application servers. That pairing allowed SamSam to scan for a weak server, establish an initial network foothold, and move laterally to other vulnerable machines while encrypting data along the way.




Jigsaw is ransomware that gives the victim 24 hours to pay a ransom of 150 USD. If the victim fails to pay the fee, Jigsaw deletes files every hour. If the victim turns off the computer, Jigsaw deletes 1000 of the victim’s files. The ransomware carries out this scheme for 72 hours, at which point it deletes every remaining file that comes with one of its 240 targeted file extensions.




Most ransomware samples come with a standard ransom note that they display to all their victims. Not CryLocker. This malware locks a victim out of their computer and demands they pay 45 USD in 24 hours. To heap on the pressure, CryLocker customizes its ransom note with the user’s name, birthday, location, IP address, system details, Skype account details, Facebook account details, LinkedIn account details, and other data it harvests from the infected computer. The ransomware then threatens to publish all that information online unless the victim pays up.




HDDCryptor is a nasty family of ransomware. It’s capable of enumerating existing mounted drives and encrypting all files as well as finding and accessing previously connected drives and disconnected network paths. In addition, the crypto-malware uses disk-level encryption to encrypt and overwrite an infected computer’s Master Boot Record (MBR) with a new bootloader, which causes a ransom message to display instead of the login screen upon boot up.


Researchers first detected HDDCryptor in September 2016. Two months later, the ransomware made headlines when it infected 2,000 systems at the San Francisco Municipal Transport Agency (SFMTA), or “Muni,” and demanded 100 Bitcoins (approximately 70,000 USD) in ransom. Fortunately, the attack did not affect SFMTA’s rail and bus service, and the public agency said it would use its working backups to restore access to its systems.




After months of tracking TeslaCrypt across spam campaigns and exploit kit attacks, security researchers at the Slovakian IT security firm ESET learned its developers intended to abandon the ransomware. The researchers contacted the developers and requested the master decryption key. In response, TeslaCrypt’s authors published the key, which ESET used to make a free decryption utility. Victims of the ransomware can now use this tool to regain access to their files.




Researchers detected the first sample of Locky in February 2016. Shortly thereafter, it made a name for itself when it infected the computer systems at Hollywood Presbyterian Medical Center in southern California. Officials chose to temporarily shut down the hospital’s IT system while they worked to remove the ransomware, a decision which caused several departments to close and patients to be diverted elsewhere. But without working data backups, the executives at Hollywood Presbyterian ultimately decided to pay the ransom of 40 Bitcoin (70,000 USD).


In the months that followed, Locky went through at least seven different iterations: “.zepto,” “.odin,” “.shit,” “.thor,” “.aesir,” “.zzzzz,” and “.osiris.” It also leveraged unique distribution channels like SVG images in Facebook Messenger and fake Flash Player update websites.
