The Complete Ransomware Guide

The Complete Ransomware Guide

Table of Contents


If ransomware defense and recovery isn’t on your infosec shortlist, it’s time to put it there. According to McAfee Labs, in Q1 of 2015, organizations experienced a 165% rise in ransomware, attributing much of its growth because it is hard to detect. 1

Because of its stealthy nature and disastrous effects (i.e., losing your data forever, or worse, having it leaked publicly) ransomware is perceived by many as a sophisticated, hard-to-prevent attack.

However, Northeastern University’s latest ransomware research paper, Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, offers a different perspective. Between 2006 and 2014, this research team analyzed 1,359 ransomware samples and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.”2

In the end, like all challenges, education is key. Defense is not possible without understanding. In this guide, we’ll help you better understand the role that bitcoin plays in ransomware, various types of ransomware, specific variants, and cover a few mitigation methods.

What Bitcoin Has to Do With Ransomware

Bitcoin is digital currency that lets you anonymously buy goods and services. You can send bitcoins digitally using a mobile phone app or computer. It’s as easy as swiping a credit card.

Bitcoins are stored in a digital wallet, which resides in the cloud or on a user’s computer. It’s similar to a bank account, but they’re not insured by the FDIC. Also, bitcoins aren’t tied to any country, subject to regulation, and there are no credit card fees.

Each bitcoin transaction is on a public log. Names of buyers and sellers are anonymous – only their wallet IDs are revealed. And it allows buyers or sellers do business without easily tracing it back to them. As a result, it’s become a popular choice for cybercriminals to choose bitcoin as a form of payment. To evade identification, many bitcoin addresses used by cybercriminals have no more than 6 transactions.3

To make a bitcoin payment, victims are often alerted to download anonymous browsers, such as Tor2web or Torproject, in order to visit a URL hosted on anonymous servers. Tor (The Onion Router) makes it difficult to trace the location of the server or the identity of its operators.

Should You Pay?

In October, at a Cybersecurity Summit, Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program, said, “The ransomware is that good… To be honest, we often advise people just to pay the ransom.”

He explained, “The success of the ransomware ends up benefitting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are good to their word. You do get your access back.”

And if you pay, the FBI stated that most ransomware payments are typically between $200 and $10,0004. But there have been instances where the payment has been much higher. In 2014, the City of Detroit’s files were encrypted and the attackers demanded a ransom of 2,000 bitcoins, worth about $800,000.5  Besides the ransom, there can be additional costs such as mitigation, loss of productivity, legal fees, etc.

There might be times when you’re faced with other considerations. In November 2014, the Tennessee Dickson County Sheriff’s Office paid $622.00 in bitcoin to hackers who encrypted the department’s criminal case files, making them inaccessible to investigators.6 Detective Jeff McCliss said, “It really came down to a choice between losing all of that data – and being unable to provide the vital services that that data would’ve assisted us in providing the community versus spending 600-and-some-odd dollars to retrieve the data.” The department was lucky; it got back access to its files.7

Some security experts disagree with Mr. Bonavolonta’s remarks and urge you not to pay the ransom because there’s no guarantee that you’ll get your files back. Paying perpetuates an ongoing problem and make you a target for more malware.

The Department of Homeland Security also advises victims not to negotiate with the hackers.

Conflicting advice has prompted a debate about whether the FBI is encouraging behavior that will lead to more hacking.

In a November Wall Street Journal interview, FBI spokeswoman Kristen Setera declined to say if FBI officials recommend paying a ransom to hackers, as Mr. Bonavolonta stated.8

When deciding whether or not to pay, know that you should go online to see if a decryption tool exists. If you’re able to find the keys, there’s no reason to pay! Sometimes, when the police and security experts investigate cybercriminal activity, they can potentially obtain decryption keys from malicious servers and share them online, like for CoinVault, TeslaCrypt, or the popular CryptoLocker.

By the way, according to a survey conducted by Interdisciplinary Research Centre in Cyber Security at the University of Kent in February 2014, more than 40 percent of CryptoLocker victims agreed to pay.9  Before the FBI and Justice Department disrupted the CryptoLocker operation, cybercriminals extorted over $30 million in the first 100 days10.

Another reason not to pay is if the ransomware author is a bad programmer. Power Worm, a defective ransomware product, ended up destroying the victim’s data. Don’t pay the ransom if it won’t help you recover your files!

In short, there are no simple answers. Perhaps another way that might help you decide is to understand the type of ransomware you’re dealing with.

Major Ransomware Types

Let’s get started. In Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, researchers identified three major types: encryption, deletion, and locking.


CryptoLocker and CryptoWall have a reputation for being strong encryption ransomware. Encryption is the process of applying an algorithm (also known as ciphers) to data so it is unintelligible to anyone. And to decrypt the data, you’ll need keys. There are two types: symmetric and public.

Symmetric Keys

Advanced Encryption Standard (AES), Rivest Cipher 4 (RC4), and Data Standard Encryption Standard (DES) are examples of a symmetric-key algorithm. With symmetric, the same key is used for both encryption and decryption. It’s only effective when the symmetric key is kept secret by the two parties involved.


Public Keys (Asymmetrical Key)

Rivest, Shamir, & Aldeman use two different keys in their famous RSA algorithm. A public key that everyone has access to, and  a private key that is controlled by the person who you wish to communicate with.


Strength of an Encryption

To understand the strength of the encryption, you have to look at both the type of encryption being used –whether symmetric or public/asymmetric – and the key length.

Two important facts: the longer the key, the stronger the encryption,  and key length is measured in bits.

Breaking an Encryption

For a symmetric algorithm, you’ll need a couple of hours of computer time for something like a 20-bit key or years for a 128-bit key (2128 = 340282366920938463463374607431768211456 possible keys of 128-bits)

For a public key algorithm, a key length of 32-bits would only require 232 combinations.  Even a 512-bit can be easily broken (within a few months), but 2,048-bit is far harder.

Comparing public and symmetric keys can be confusing. Here’s a rough benchmark:  a 350-bit RSA key is roughly considered the same strength to 40-bit RC4, and 512-bit AES.

The wonky reasons for these differences in key-breaking speeds has to do with the fact that in RSA, you have to factor a number—don’t ask!

Ransomware Encryptions

The first ransomware variants used a symmetric-key algorithm and eventually upgraded to public-keys. Today, more advanced ransomware use a combination of symmetric and public.

Most cybercriminals probably wouldn’t use a public key to encrypt large file system because it is much slower than a symmetric key encryption. And taking too long to encrypt files could thwart the ransomware operation before the encryption process is fully completed.

So a better idea is to use symmetric techniques to quickly encode the file data, and asymmetric to encode the key.  In CryptoLocker, for example, AES (symmetric) was used for file encryption, and RSA (public) for AES key encryption.

Another blend you might see in the near future is elliptical curve cryptography (ECC) and RSA. ECC is described as the next generation of public key, in which you can create faster, smaller, and more efficient cryptographic keys. Some researchers say that ECC can yield a level of security with a 164-bit key that other systems require a 1,024-bit key to achieve.11


In this variant, the attackers threaten you by saying that if you attempt to decrypt anything yourself, it would only result in “irrevocable loss of your data.”12 Or if you don’t pay, the files get deleted. Popular examples of deletion include Gpcode and FileCoder

Typically when we delete something, we wipe it off the disk. But in analyzing all the samples, the researchers learned that lots of data remained on disk because attackers were lazy, often choosing the easiest path. However, they’re also very clever. The researchers found that while the NTFS Master File Table indicated that files were deleted, the files were actually still on disk, so recovery is potentially possible.


With locking, attackers create a new login screen or html page that makes it appear as though a law enforcement agency has taken over the computer. They display a warning pertaining to laws such as copyrighted materials or child pornography. Or they might disable other components, typically keyboard shortcuts. Examples include: Winlock and Urausy. It’s a nuisance, but the data is usually still there.

Future Ransomware

The goal of cybercriminals isn’t to create the best and beautiful software, but to get funds as fast as possible, from anyone who is willing to pay. Because ransomware has been so lucrative, the hackers are getting even more creative in their marketing. Lately, we’ve been seeing ransomware-as-a-service, such as Ransom32, where hackers sell their malware to other cybercriminals. Their 30 second pitch is, “Join us! Together, we can make more money!”

What to Do After You’ve Been Infected

Most people don’t realize they’ve been infected until it displays the ransom note, notifying that your files have been encrypted. If you discover that your computer has been infected, shutdown your computer or disconnect from the network.

If you’ve decided against paying the ransom, scan your computer with an anti-virus or anti-malware program and let it remove everything. You can potentially use PowerShell or other tools to identify encrypted files, but with a new ransomware variant popping up every week, there isn’t a one size fits all identification and decryption tool. What most experts recommend is to restore from a backup.

If you’ve decided to pay the ransom. First we empathize and understand what a pain it must have been. Don’t forget to scan your computer with an anti-virus or anti-malware program and let it remove everything. Also review the mitigation methods below!

Mitigation Methods

Monitor File System Activity

After looking at 1,359 ransomware samples, the Northeastern University researchers learned that it is possible to stop a large number of ransomware attacks, even those using deletion and encryption capabilities.

Significant changes occur in the file system (i.e., large number of deletions in the log) when the system is under attack. By closely monitoring the file system logs and configuring your monitoring solution to trigger an alert when this behavior is observed, you can detect the creation, encryption, or deletion of files.

Try User Behavior Analytics

User Behavior Analytics (UBA) has become an essential ransomware prevention measure.

Defending the inside from legitimate users is just not part of the equation for perimeter-based security, and hackers are easily able to go around the perimeter and get inside. They entered through legitimate public ports (email, web, login) and then gain access as users.

Once in, cybercriminals have become clever at implementing a ransomware attack that isn’t spotted by anti-virus software.

In fact, to an IT admin who is just monitoring their system activity, the attackers appear as just another user.

And that’s why you need UBA!

UBA really excels at handling the unknown.  In the background, the UBA engine can baseline each user’s normal activity, and then spot variances and report in real time – in whatever form they reveal themselves.  For instance, an IT admin can configure a rule to, say, spot thousands of “file modify” actions in a short time windows.

Think of UBA as File System Monitoring 2.0.

Create Honeypots

Cybercriminal may avoid encrypting all files and start by encrypting recently accessed files. Create a decoy by creating fake files and folders and monitor regularly.

This is also a good method for organizations that don’t have an automated solution to monitor file access activity. That also means you might be forced to enable file system native auditing. However, it unfortunately taxes your monitored systems. Instead, prioritize sensitive areas and set up a file share honeypot.

A file share honeypot is an accessible file share that contains files that look normal or valuable, but in reality are fake. As no legitimate user activity should be associated with a honeypot file share, any activity observed should be scrutinized carefully. If you’re stuck with manual methods, you’ll need to enable native auditing to record access activity, and create a script to alert you when events are written to the security event log (e.g. using dumpel.exe).

Least Privilege Model

Another approach is to control access to data and work towards achieving a least privilege model.  Your goal is to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups such as “Everyone,” “Authenticated Users,” and “Domain Users” when used on data containers (like folders and SharePoint sites) can expose entire hierarchies to all users in a company.  In addition to being easy targets for theft or misuse, these exposed data sets are very likely to be damaged in a malware attack. On file servers, these folders are known as “open shares”—where  both file system and sharing permissions are accessible via a global access group.

And lastly, a few reminders:

  • Make sure your software is up-to-date so that your security updates are also up-to-date!
  • Beware of Phishing – don’t click on links or open attachments or emails from people you don’t know or companies you don’t do business with.
  • Back up, back up, back up your important files, especially files with sensitive data.
  • And educate!

Click here to see how Varonis solutions can help you prevent ransomware!




Ransomware Variants:

Here are a few ransomware variants you should be aware of (guide first published: December 17, 2015, last updated: April 14, 2016):

CryptoLocker – released in the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.13

  • File types targeted: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.14
  • Encryption algorithm: AES for file encryption, RSA for AES key encryption15
  • Decryption tool available? Yes16
  • How you get infected: an attachment in a phishing message17
  • Will paying decrypt files? Yes, but can take 3-4 hours. It’s been reported that the decryption process may give an error, stating they can’t decrypt a file. However, it will continue to decrypt files. 18
  • Click here for more support

CryptoWall – released at end of April 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.19

  • File types targeted: .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt20
  • Encryption algorithm: RSA for file encryption21
  • Decryption tool Available? Not yet.
  • How you get infected: most typically spread through email as an attachment and from infected websites that pass on the virus22
  • Will paying decrypt files? Yes, but decryption process will take awhile.
  • Click here for more support

OphionLocker – emerged in December 2014. 23

  • How you get infected: believed to spread via online advertising campaigns that fool users into clicking on an area of a website that then takes over their computer.24
  • How they evade detection: uses Tor to disguise the communications between itself and its command-and-control servers.
  • File types targeted: *.3fr, *.accdb, *.arw, *.bay, *.cdr, *. cer, *.cr2, *.crt, *.crw, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.jpe, *.jpg, *.kdc, *.mdb, *.mdf, *.mef, *.mp3, *.mp4, *.mrw, *.nef, *.nrw, *.odb, *.odm, *.odp, *.ods, *.odt, *.orf, *.p12, *.p7b, *.p7c, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rwl, *.srf, *.srw, *.txt, *.wb2, *.wpd, *.wps, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx
  • Decryption tool available? Not yet.
  • Encryption algorithm: ECC
  • Ransom: vary from country to country. Most sites say 1 BTC
  • Click here to see what happens when you’re infected (screenshots)
  • Delete data? does not securely delete your files or remove the shadow volume copies

CTB Locker (Curve-Tor-Bitcoin Locker): Also known as Critroni or Onion. Released in the middle of July 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.25

  • Encryption algorithm: ECC
  • Decryption tool available? Not yet.
  • Ransom amount: 3 BTC (approx. $630)
  • How you get infected: spread via email. When opened, the attached file drops a payload which performs encryption routines on all the computer’s files.
  • Click here and here for more support

VaultCrypt – released around February 2015, it features of this ransomware are its use of Windows batch files and the open source GnuPG privacy software to power a very effective file encryption technique26

  • File types targeted: .cd, .mdb, .1cd, .dbf, .sqlite, .jpg, .zip, .7z, .psd, .dwg, .cdr, .pdf, .rtf, .xls, .doc27
  • Decryption tool available? Not yet.
  • Encryption algorithm: RSA-1024 public and private key pair to encrypt files28
  • Click here and here to for more support

TeslaCrypt – will target all version of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. TeslaCrypt was first released around the end of February 2015.29

  • File types targeted by TeslaCrypt: .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .sc2save, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mcgame, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .001, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .DayZProfile, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .unity3d, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbfv, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
  • Decryption tool available? Yes, check out Cisco’s Talos Teslacrypt tool
  • Encryption Algorithm: AES encryption
  • Click here for more support

Alphacrypt: Looks like TeslaCrypt, Behaves like CryptoWall30

  • File types targeted by alpha crypt: .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
  • Encryption Algorithm: AES encryption
  • Decryption tool available? Not yet.
  • Click here for more support

LowLevel04 – first spotted in October 2015

  • How you get infected: brute force attacks on machines that have Remote Desktop or Terminal Services installed and have weak passwords31
  • File types targeted: .3fr, .dbf, .dcr, .dwg, .doc, .der, .erf, .eps, .jpg, .mp3, .mp4, .mef, .mrw, .mdf, .bay, .bck, .bkp, .bcp, .cdr, .mid, .nef, .nrw, .dat, .dxg, .dng, .pptx, .pptm, .jpe, .kdc, .mdb, .jpeg, .indd, .docx, .docm, .pfx, .raw, .rwl, .opd, .odm, .odc, .orf, .odb, .pdd, .pdf, .pst, .ppt, .rtf, .rw2, .odt, .ods, .pem, .sql, .xls, .xml, .xlk, .wpd, .wav, .wb2, .wps, .x3f, .zip, .xlsb, .arw, .bmp, .cer, .crw, .cr2, .crt, .dxf, .r3d, .srf, .sr2, .srw, .p12, .p7b, .p7c, .ptx, .pef, .png, .psd, .php, .rar, .raf, .xlsx, .xlsm, .exe, .bad, .lpa, .sys, .dll, .msi, .ie5, .ie6, .ie7, .ie8, .ie9, .ini, .inf, .lnk, .scr, .com, .ico, .desklink, .mapimail, .search-ms, .automaticDestinations-ms, .bkup, .database, .backup, .zip
  • Encryption Algorithm: AES32 and RSA-2048 encryption33
  • Ransom amount: ransom demanded is double the ‘normal’ $500, and demands 4 Bitcoin34
  • Decryption tool available? Not yet
  • How to recover files: only way to recover your files is from a backup, by trying Shadow Volume Copies, or by paying the ransom.  It is believed that this ransomware is part of an affiliate based ransomware family that commonly changes the emails associated with the ransom notes.35

Chimera – In November, a new ransomware variant, Chimera In addition to encrypting files and demanding a ransom to release the decryption key, this new malware model involves publishing those files on the Internet, if the ransom remains unpaid.36 However, according to the Anti Botnet Advisory Center, there is no indication to date that anyone’s details have been made public.37

  • File types targeted: .jpg, .jpeg, .vmx, .txt, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .ini, .cdr, .svg, .conf, .cfg, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .cs, .asp, .aspx, .cgi, .h, .cpp, .php, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .js, .jar, .py, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .lnk, .po, .dcu, .pas, .dfm, .directory, .pbk, .yml, .dtd, .rll, .lib, .cert, .p12, .cat, .inf, .mui, .props, .idl, .result, .localstorage, .ost, .default, .json, .db, .sqlite, .log, .bat, .ico, .dll, .exe, .x3f, .srw, .pef, .raf, .orf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .ai, .eps, .pdd, .dng, .dxf, .dwg, .psd, .ps, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .zip, .rar, .gzip, .vmdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi, .ptx, .ape, .aif, .wav, .ram, .ra, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa, .aa3, .amr, .mkv, .dvd, .mts, .qt, .vob, .3ga, .ts, .m4v, .rm, .srt, .aepx, .camproj, .dash, .txt, .doc, .docx, .docm, .odt, .ods, .odp, .odf, .odc, .odm, .odb, .rtf, .xlsm, .xlsb, .xlk, .xls, .xlsx, .pps, .ppt, .pptm, .pptx, .pub, .epub, .pdf
  • Decryption tool available? Not yet
  • Ransom amount: 4 bitcoins ($865) to decrypt the files38
  • Communication method: Chimera uses the Bitmessage peer-to-peer messaging application to communicate between the victim’s computer and the malware developer’s command and control server. This creates a decryption service that is incredibly portable, secure, and difficult, if not impossible, to take down as all the peers in the network are helping to distribute the keys.39
  • Click here and here for more support

Torrentlocker – released around the end of August 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8.40

  • File types targeted: *.wb2, *.psd, *.p7c, *.p7b, *.p12, *.pfx, *.pem, *.crt, *.cer, *.der, *.pl, *.py, *.lua, *.css, *.js, *.asp, *.php, *.incpas, *.asm, *.hpp, *.h, *.cpp, *.c, *.7z, *.zip, *.rar, *.drf, *.blend, *.apj, *.3ds, *.dwg, *.sda, *.ps, *.pat, *.fxg, *.fhd, *.fh, *.dxb, *.drw, *.design, *.ddrw, *.ddoc, *.dcs, *.csl, *.csh, *.cpi, *.cgm, *.cdx, *.cdrw, *.cdr6, *.cdr5, *.cdr4, *.cdr3, *.cdr, *.awg, *.ait, *.ai, *.agd1, *.ycbcra, *.x3f, *.stx, *.st8, *.st7, *.st6, *.st5, *.st4, *.srw, *.srf, *.sr2, *.sd1, *.sd0, *.rwz, *.rwl, *.rw2, *.raw, *.raf, *.ra2, *.ptx, *.pef, *.pcd, *.orf, *.nwb, *.nrw, *.nop, *.nef, *.ndd, *.mrw, *.mos, *.mfw, *.mef, *.mdc, *.kdc, *.kc2, *.iiq, *.gry, *.grey, *.gray, *.fpx, *.fff, *.exf, *.erf, *.dng, *.dcr, *.dc2, *.crw, *.craw, *.cr2, *.cmt, *.cib, *.ce2, *.ce1, *.arw, *.3pr, *.3fr, *.mpg, *.jpeg, *.jpg, *.mdb, *.sqlitedb, *.sqlite3, *.sqlite, *.sql, *.sdf, *.sav, *.sas7bdat, *.s3db, *.rdb, *.psafe3, *.nyf, *.nx2, *.nx1, *.nsh, *.nsg, *.nsf, *.nsd, *.ns4, *.ns3, *.ns2, *.myd, *.kpdx, *.kdbx, *.idx, *.ibz, *.ibd, *.fdb, *.erbsql, *.db3, *.dbf, *.db-journal, *.db, *.cls, *.bdb, *.al, *.adb, *.backupdb, *.bik, *.backup, *.bak, *.bkp, *.moneywell, *.mmw, *.ibank, *.hbk, *.ffd, *.dgc, *.ddd, *.dac, *.cfp, *.cdf, *.bpw, *.bgt, *.acr, *.ac2, *.ab4, *.djvu, *.pdf, *.sxm, *.odf, *.std, *.sxd, *.otg, *.sti, *.sxi, *.otp, *.odg, *.odp, *.stc, *.sxc, *.ots, *.ods, *.sxg, *.stw, *.sxw, *.odm, *.oth, *.ott, *.odt, *.odb, *.csv, *.rtf, *.accdr, *.accdt, *.accde, *.accdb, *.sldm, *.sldx, *.ppsm, *.ppsx, *.ppam, *.potm, *.potx, *.pptm, *.pptx, *.pps, *.pot, *.ppt, *.xlw, *.xll, *.xlam, *.xla, *.xlsb, *.xltm, *.xltx, *.xlsm, *.xlsx, *.xlm, *.xlt, *.xls, *.xml, *.dotm, *.dotx, *.docm, *.docx, *.dot, *.doc, *.txt
  • How do you get infected? Via emails that pretend to be shipping notifications, driving or speeding violations, or other corporate/government correspondence.
  • Ransom amount: starts at around $550 USD – to be paid in bitcoins and goes up after about 3 days
  • Encryption Algorithm:  AES to encrypt the victim’s files and an asymmetric cipher RSA to encrypt the AES key.
  • Decryption tool available? Not yet
  • Click here for more support

Ransom32 – the first ransomware written in Javascript. And even though we’ve only seen Ransom32 in a Windows format, it could easily be packaged to impact Mac and Linux operating systems. It is also being offered as a Ransomware-as-a-Service (RaaS). Located on TOR, anyone can download and distribute his or her own copy of the ransomware. It’s very easy to join as an affiliate of this RaaS – all that’s needed is a bitcoin address.

  • File types targeted: .jpg ,.jpeg ,.raw ,.tif ,.gif ,.png ,.bmp ,.3dm ,.max ,.accdb ,.db ,.dbf ,.mdb ,.pdb ,.sql ,.*sav* ,.*spv* ,.*grle* ,.*mlx* ,.*sv5* ,.*game* ,.*slot* ,.dwg ,.dxf ,.c ,.cpp ,.cs ,.h ,.php ,.asp ,.rb ,.java ,.jar ,.class ,.aaf ,.aep ,.aepx ,.plb ,.prel ,.prproj ,.aet ,.ppj ,.psd ,.indd ,.indl ,.indt ,.indb ,.inx ,.idml ,.pmd ,.xqx ,.xqx ,.ai ,.eps ,.ps ,.svg ,.swf ,.fla ,.as3 ,.as ,.txt ,.doc ,.dot ,.docx ,.docm ,.dotx ,.dotm ,.docb ,.rtf ,.wpd ,.wps ,.msg ,.pdf ,.xls ,.xlt ,.xlm ,.xlsx ,.xlsm ,.xltx ,.xltm ,.xlsb ,.xla ,.xlam ,.xll ,.xlw ,.ppt ,.pot ,.pps ,.pptx ,.pptm ,.potx ,.potm ,.ppam ,.ppsx ,.ppsm ,.sldx ,.sldm ,.wav ,.mp3 ,.aif ,.iff ,.m3u ,.m4u ,.mid ,.mpa ,.wma ,.ra ,.avi ,.mov ,.mp4 ,.3gp ,.mpeg ,.3g2 ,.asf ,.asx ,.flv ,.mpg ,.wmv ,.vob ,.m3u8 ,.csv ,.efx ,.sdf ,.vcf ,.xml ,.ses ,.dat
  • Will paying the ransom decrypt files? Yes. Another interesting and novel feature of Ransom32 is that there is a “proof of life” feature. Before you pay the ransom, the attacker proves to victims that after the ransom is paid, files can be decrypted
  • Click here to learn more


  • How much is the ransom: 13 bitcoins (or approximately $5,000 USD)
  • File types affected: dbf, arw, txt, doc, docm, docx, zip, rar, xlsx, xlsb, xlsm, pdf, jpg, jpe, jpeg, sql, mdf, accdb, mdb, odb, odm, odp, ods41


  • How much is the ransom: half or one bitcoin (or about $400USD)
  • How you get infected: you receive an email, containing an attachment and the document/attachment asks you to enable the macro, and also removes your shadow copies, too.
  • Type of encryption: AES encryption
  • File types affected : .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

Samas Ransomware

  • How much is the ransom: currently testing the market, the hackers are asking a ransom from one bitcoin to 1.7 bitcoins. Or, for a real “bargain,” victimized organizations can buy in bulk, decrypting all of their infected systems at once for 22 bitcoins (approximately $9,160).42
  • Encryption algorithm: RSA-2048 bit encryption43
  • How you get infected: starts with a pen-test attack on your server and searches for potential vulnerable networks to exploit44
  • File types targeted: Samas is an attack that attempts to encrypt an organization’s entire network
  • Click here for more information

Cerber Ransomware

  • How much is the ransom: 1.24 bitcoins or about $500 USD.45
  • Encryption algorithm: uses an AES-256 algorithm46
  • How you get infected: researchers currently aren’t sure how it’s being distributed, but it is offered as a ransomware-as-a-service. Affiliates can join to distribute the ransomware, enabling Cerber authors to earn a commission from each ransom payment.

By the way, it does not attack your computer if you live in one of these countries – Azerbaijan, Armenia, Georgia, Belarus, Kyrgyzstan, Kazahstan, Moldova, Turkmenistan, Tajikistan, Russia, Uzbekistan, Ukraine. Coincidence?47

After your files get encrypted, you’ll get three files notifying you that your own files have been encrypted –  TXT, HTML, and a VBS. These files  convert the  ransom text into an audio message . Yes, like a bad movie, it speaks to you in a monotone, robotic-like voice, “Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!”

  • Click here for more information
  • File types targeted: .contact, .dbx, .doc, .docx, .jnt, .jpg, .mapimail, .msg, .oab, .ods, .pdf, .pps, .ppsm, .ppt, .pptm, .prf, .pst, .rar, .rtf, .txt, .wab, .xls, .xlsx, .xml, .zip, .1cd, .3ds, .3g2, .3gp, .7z, .7zip, .accdb, .aoi, .asf, .asp, .aspx, .asx, .avi, .bak, .cer, .cfg, .class, .config, .css, .csv, .db, .dds, .dwg, .dxf, .flf, .flv, .html, .idx, .js, .key, .kwm, .laccdb, .ldf, .lit, .m3u, .mbx, .md, .mdf, .mid, .mlb, .mov, .mp3, .mp4, .mpg, .obj, .odt, .pages, .php, .psd, .pwm, .rm, .safe, .sav, .save, .sql, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .xlsb, .3dm, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .docm, .dot, .dotm, .dotx, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .max, .mdb, .pcd, .pct, .pl, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .ps, .pspimage, .r3d, .rw2, .sldm, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .xlr, .xlsm, .xlt, .xltm, .xltx, .xlw, .act, .adp, .al, .bkp, .blend, .cdf, .cdx, .cgm, .cr2, .crt, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, .nsh, .odc, .odp, .oil, .pas, .pat, .pef, .pfx, .ptx, .qbb, .qbm, .sas7bdat, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .flvv, .gif, .groups, .hdd, .hpp, .log, .m2ts, .m4p, .mkv, .mpeg, .ndf, .nvram, .ogg, .ost, .pab, .pdb, .pif, .png, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdr, .accdt, .ach, .acr, .adb, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .bank, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .dc2, .dcs, .ddoc, .ddrw, .der, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erbsql, .erf, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibank, .ibd, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .moneywell, .mrw, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pot, .pptx, .psafe3, .py, .qba, .qbr, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .yuv48

Surprise Ransomware 

  • How much is the ransom: range from 0.5 BTC to as much as 25 BTC.49 If it hits an enterprise network consisting of multiple machines, the ransom will be much higher than for a single PC.
  • Encryption algorithm: a mix of RSA-2048 and AES-256 to encrypt files50
  • How you get infected: enters via TeamViewer, a platform with over 1 billion users uses this software for remote computer access, enabling customers to get tech support, set up meetings and interact with partners. 51  It infected users who had TeamViewer v10.0.47484 installed.

Like ransom32, you get a “proof of life” where they decrypt one file for free. Before you pay the ransom, the attacker proves to victims that after the ransom is paid, files can be decrypted.

  • Click here for more information
  • File Types Targeted: .asf, .pdf, .xls, .docx, .xlsx, .mp3, .waw, .jpg, .jpeg, .txt, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt, .pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd, .php, .aac, .ac3, .amf, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .val, .wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum, .rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais, .amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc, .odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx, .dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft, .pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv, .puz, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx, .zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .asp, .indd, .asr, .qbb, .bml, .cer, .cms, .crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, .gam, .grf, .h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr, .sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .w3x, .wtd, .wtf, .ccd, .cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .isz, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .bkf, .ade, .adpb, .dic, .cch, .ctt, .dal, .ddc, .ddcx, .dex, .dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .odf, .odp, .ods, .pab, .pkb, .pkh, .pot, .potx, .pptm, .psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .tcx, .thmx, .txd, .txf, .upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp, .dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc, .pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla, .xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std, .ver, .wpl, .xlm, .yps, .1cd, .bck, .html, .bak, .odt, .pst, .log, .mpg, .mpeg, .odb, .wps, .xlk, .mdb, .dxg, .wpd, .wb2, .dbf, .ai, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .pem, .pfx, .p12, .p7b, .p7c, .jfif, .exif, .rar





















































Get the latest security news in your inbox.