The past year was unlike anything we’ve seen ever in terms of ransomware and the technology evolving to deploy it.

The distribution methods and attack methodologies have expanded massively in the last few years alone.WYSIWYE

As ransomware is one of the key cyber-threats of our age it’s now high time for companies of all shapes and sizes to wake up to this threat.

From all objective observation, it appears like no one is immune to the nuisance.

Ransomware attacks are now getting easier to launch as more hardware/firmware and IoT(Internet Of Things) devices connects directly to the internet. There are even ransomeware-as-service providers that can help young hackers get off the ground. Major threat culprits have already started to use botnets to distribute massive attacks on ISPs and email gateways.

Below we are sharing the Top 15 Ransomware attacks of 2017 to help you make better decisions about how to protect your organization as well as your data.



Crysis initiated by hacking into Remote Desktop Services and then manually installing ransomware in over twenty-two countries using brute force password tools. First appearing in February 2016 using Remote Desktop Protocol (RDP). As of May 2017 two hundred master keys were released allowing victims to decrypt their systems.

Ransom: $450 – $1,021


Cerber ransomware first appeared on the scene in March 2016. It distributed ransomware-as-a-service (aka RaaS) by packaging itself and allows non-tech savvy cybercriminals to decrypt it to use it as a tool and get paid from victims while the developers of the malware took a cut of the funds. It has hit more than twenty countries as of this writing. Attack vectors are Remote Desktop Protocol (RDP), RaaS, and spam email. Cerber is estimated to generate over $2.3 million a year and garnered attackers roughly $195,000 in July of 2016.

Ransom: $200 – $700


CryptoMix first arrived in March of 2016 and distributed through the Remote Desktop Protocol (RDP) as well as exploit kits such as malvertising. Also known to hide on flash drives. Cryptomix does not have a payment portal available on the darknet, rather, victims must wait patiently for the email from the cyber swindlers to get the instructions for payment in BTC(Bitcoin). It has hit nearly thirty countries.

Ransom: $2,000


Named after the infamous character from “Saw” movies this ransomware appeared first in April of 2016 as a spam email with an embedded image of the clown from the Saw film. It starts the payload when users click and then encrypts the files and deletes them every hour until ransom is paid.

Ransom: $10 – $300


In Jan of last year Spora appeared with a campaign that used a fake font pack update in a web browser message. Spora is unique in that it hacks legitimate websites (watering hole) and adds JavaScripts which then prompt users to update their Chrome browsers to continue viewing that webpage. They get infected once they download it.

Ransom: $30 – $89


Nemucod ransomware family has been seen since at least 2015 with Teslacrypt. It arrives in the form of a phishing email with an attached zip file containing a malicious JavaScript that downloads the payload. It hit more than 26 countries.

Ransom: $300


Ransomware “Locky” debuted as a fake shipping invoice spam email. Once it was opened, it downloads malware and encrypts all components on the computer in question.  New versions of the ransoware are called “Lukitus” and “DIablo” which have also appeared this year using the same attack vectors.

Ransom: $500 – $900


WannaCry was innovative in that it was the first ransomware of its kind to spread through an SMB exploit in March 2017. It spread to well over a hundred and fifty countries, infecting over 200,000 gadgets in its first day alone. Hackers have apparently only made fifty thousand worth of Bitcoin from those infected 200,000 machines, however.

Ransom: $400 – $900



NotPetya came initially as a fake Ukranian tax software update in June 2017. It then spread through the network like a using an SMB exploit and infected hundreds of thousands of computers in more than a hundred countries in only a few days. This ransomware is a variant of Petya, however it uses the same exploit as in WannaCry ransomware. Attack Vectors used were Supply Chain ME.doc, EthernalRomance Exploit, and EthernalBlue. Hackers have since collected twenty nine payments in aggregate, for a total of 3.15 Bitcoin, or $7,000

Ransom: $320



LeakerLocker was detected by McAfee’s research team back in July of last year. Also known as “Android/Ransom.LeakerLocker.A!Pkg,” they found the ransomware hiding inside of two Android apps: Wallpapers Blur HD & Booster & Cleaner Pro. The ransomware doesn’t encrypt an infected device’s files rather it locks the home screen and then claims to access the device’s email addresses, contacts, text messages, Chrome browser history, as well as calls, pictures, and even device information. It then displays this information in a WebView and demands payment if the victim doesn’t want the data shared with all of their contacts.

Ransom: $55


WYSIWYE was discovered in April of 2017 by a team of Panda Security’s researchers. They nicknamed it, for better or worse, as “What You See Is What You Encrypt (WYSIWYE)”. It comes with a user interface that an attacker/hacker can use to configure preferences including the email address that will appear in the ransom note under the “from” label that is sent to the unsuspecting victim. They can then go after networked computers, enter stealth mode, and target specific files from this user interface as well. It attacks these computers via Remote Desktop Protocol (RDP) brute force attack and then finally deploys WYSIWYE onto the targeted network computer.

12. JAFF

Jaff ransomware appeared in mid-May of last year in the form of spam email. It heavily mimics the tactics seen by Locky ransomware, containing known traits related to other forms of malware. It used Necurs botnet and hit over twenty countries.

Ransom: $3750


Arkansas Oral & Facial Surgery Center suffered an attack at the hands of an unknown ransomware on the 26th of July in 2017. It effected imaging files like X-rays as well as other documents such as email attachments. It then made patient data relating to appointments that occurred three weeks prior to the attack inaccessible.


Reyptson ransomware was detected by a security researcher of Emsisoft back in early July of 2017. After the infection, Reyptson checks to see if Mozillas Thunderbird email client is installed on the computer. If its installed, the ransomware then attempts to read the victim’s email credentials as well as contacts list. It uses those contacts to then conduct a spam distribution campaign from the victim’s computer. Each mail contains a fake invoice doc that contains an executable file responsible for uploading – and thus perpetuating – the ransomware.


In October of last year Kaspersky Lab said that it had received notifications of mass alerts of a new type of ransomware targeting organizations in Russia and the Ukraine. Some of the victims were Russian news media outlets such as Interfax and Fontanka.ru as well as Kiev’s metro system and even an airport in Odessa, Ukraine. ESET researchers claimed the ransomware also hit targets in Poland, the United States, and S. Korea. BadRabbit used “drive-by attacks” to deliver the ransomware dropper, which was seen as a smaller-scale operation.

Ransom: 0.5 Of Bitcoin


Olé Crypto,



Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.