Ransomware Attacks

Click on a state to see detailed information regarding all attacks in that state.
Only Application Allowlisting can stop Ransomware. There is still time.
Under Cyber Attack? Get Help Now!
How to Prevent Ransomware?
Attacks Since 2016
What is a Ransomware Attack?

What is Ransomware?

Ransomware is a type of malware that locks, or encrypts, what is deemed to be the user's most important data. Then, the cyber criminals hold this data hostage, demanding a ransom payment in order for the user to retrieve access to their files again. Don't let hackers encrypt or steal your data.

Consult with a Ransomware Specialist.

Ransomware Identifiers:

Recover Ransomware Encrypted Files Users are no longer able to access their files
Help fixing Ransomware files. The file extensions have changed
Malware Ransom Screen Alert A ransom note is displayed on the user's screen

Ransomware is Spreading Across the U.S.

There is a rash of ransomware hitting the United States. These attacks will only continue to grow in intensity and frequency. It's not just consumers being attacked. Corporations, small businesses and even government agencies are having their computer files held ransom. Read more about the best Ransomware Protection for Business.

Behind Every Attack is a Failed Antivirus

Ransomware and cyber security have an inverse relationship. The better the security, the less likely the ransomware will be able to execute. Unfortunately, many of today's antivirus solutions are based on out-dated technology, only blocking files that are known to be bad. With cyber criminals creating new strains of malware every day, waiting for a "bad file" classification is not feasible.

The best ransomware protection uses application allowlisting that completely blocks malware from infecting your computer, mobile device or network. Learn more about how PC Matic's patented application allowlisting security solutions can keep you safe from ransomware attacks. PC Matic's Anti-Ransomware Software Solution is the best cyber defense providing comprehensive virus, malware and ransomware protection.

"Ask yourself, will regular antivirus software keep you safe from hackers intruding into your device? Will it stop Cryptowall or Cryptolocker malware?
Will it prevent GoldenEye, Petya, Bad Rabbit, Jigsaw, Locky, Maze or LockBit ransomware?" See the anti-malware comparison chart below to see how well other antivirus software products perform at preventing data breaches and cyber attacks.

This graph shows you how many times each security solution failed, thus allowing ransomware to infiltrate its customers' networks
This information was obtained through the submission of FOIA requests, as well as government contracts. As additional information is received, this graph will be updated.
Computer and Laptop Ransomware Protection

Fight Back Against Ransomware with PC Matic

PC Matic protects all of your devices from modern security threats and cybercrime.

History of Ransomware

Ransomware originated in 1989; however it wasn't until 2008 that the trend began to truly expand. It was then that the hackers were falsifying their identities as the FBI demanding payment for a "fine" for "illegal activities". Unfortunately, the hackers learned how lucrative ransomware could potentially be and has been on the rise since. The last twelve months have shown the most growth in ransomware since origination in 1989.

Ransomware Attacks continue to increase in popularity for two reasons; victims are paying ransoms and advances in technology are making malware attacks easier. Regardless of the type of ransomware, the overall concept remains consistent - extort the user by encrypting their most important data. Another emerging ransom threat is the exfiltration of sensitive data and threatening to release it if a ransom is not paid.

Types of Ransomware

What types of Ransomware Attack are there? There are two main types of ransomware attack, Crypto-Ransomware and Locker-Ransomware.

Crypto-Ransomware Attacks. Crypto-Ransomware encrypts important, critical or sensitive data files on a computer system or network making them unavailable to view or use until a ransom is paid for the decryption key. A deadline for paying the ransom is usually set. Once the ransom demand is met, the victim can obtain the key and decrypt their files. Locky, Cryptolocker, WannaCry, Ryuk, LockBit are examples of this type of attack.

Locker-Ransomware Attacks. Locker-Ransomware locks access to a device, computer system or network until a ransom is paid. Once the ransom demand is met, the victim can regain access to their device or network system. Locker Ransomware is also known as Screen-Locking which locks the user's screen or desktop. Another strain of this type of malware attack is MBR Locking Ransomware (Master Boot Record) or Master File Table (MFT) Locking, which holds a computer, laptop or mobile device hostage by blocking a victim's access to the operating system. In this type of cyber-attack malware infects the master boot record preventing the operating system as well as any antivirus or ransomware tools from loading. Petya and GoldenEye are an examples of locker ransomware.

How to Protect Yourself from Ransomware

Only Application Allowlisting can prevent both types of attack. The best ransomware protection is using a whitelisting anti-ransomware software solution to prevent unauthorized system access and falling victim to cybercriminals.

What are The Latest Ransomware Threats?

Trickbot, Dridex, Qbot (QuakBot), IcedID, FiveHands, Maze, Egregor, Conti, Sodinokibi, DoppelPaymer, Khonsari which targets Windows servers, and NetWalker - are among the most recent ransom variants gaining in popularity. Emerging new threat actors include AvosLocker, Hive Ransomware, and HelloKitty. Emotet is also experiencing a resurgence. Cybersecurity firms suggest these are the most dangerous emerging ransomware threat gangs to watch in 2022.

Karakurt Hacking Group Karakurt is a new cybercriminal gang engaging in data theft and cyber-extortion. The threat group is connected to over 40 cyber-attacks between September 2021 and November 2021 alone.

Ransomware Attacks have increased 65% Year-Over-Year from August 2020 to August 2021 with ransomware gangs Revil and Darkside having been particularly active launching almost 1/3 of the cyber-attacks. Cybercriminals are increasingly exploiting application vulnerabilities to gain access and control of a network's application infrastructure to encrypt sensitive, critical, and valuable data.

Ransomware Group Threat Schemes continue to entice disenfranchised employees to deploy malicious scripts. In additon to Lockbit 2.0, Black Kingdom Ransomware is offering one million dollars, or 40% of a $2.5 million ransom as an enticement to employees who help deploy the ransomware known as DemonWare, either remotely or on premises. Insider cyber-threat schemes against corporations and their networks are expected to increase.

Microsoft Windows Tech Support Scam. Using email messages, hackers trick end-users into calling a fraudulent call center or downloading a malicious PDF file with the moniker BazaLoader which installs a backdoor on their computer for hacking into network systems. The malware gives a hacker hands-on-keyboard control of the victim computer leading to the installation of ransomware.

LockFile Windows Exchange Ransomware. LockFile encrypts Windows domains using the recently disclosed ProxyShell and PetitPotam vulnerabilities using unauthenticated, remote code execution to hack into and encrypt devices. (LockFile exploit by the Conti ransomware operation.)

Karma Ransomware Data Leak Cyber Threat. Karma ransomware data breach threatens to release exfiltrated, encrypted data to journalists and publish the data to their website if the ransom isn't paid.

Triple Threat Extortion Schemes. In addition to the targeted victim, Triple Extortion Ransomware demands payments from a victim's customers, vendors, partners and other third party contacts. Data encrytion, (DDoS) denial of service attacks which prevent systems from responding, and data exfiltration (leakage) are three attack methods used in combination to extort funds. Leakware or Doxware is used by cybercriminals for data exfiltration and blackmail by threatening to publicize confidential data, embarassing information, or images stolen from a victim's computer or network unless ransom is paid.

QuakBot aka PinkSlipBot Banking Trojan QakBot is the creation of the cybercriminal gang Gold Lagoon. QuakBot is a data-stealing malware that is used as a precursor to ransomware attacks. The hacker group Gold Lagoon offers QuakBot as a (MaaS) malware installation-as-a-service that affiliate hackers use to launch ransomware attacks against financial institutions. QuakBot is insidious in that it gains access to a target's system through the Geodo/Emotet botnet, and then uses a variety of tools to cover its tracks and conceal itself in order to steal user credentials. To establish a foothold on a system it replaces the original binary of a legitimate Windows app with an undetectable malicious copy disguising itself in the form of a signed valid app certificate.

Ryuk, a targeted ransomware, is designed to penetrate and encrypt a company's servers in order to disrupt business until the ransom is paid. The focus is on financial extortion by crippling systems and operations rather than to exfiltrate sensitive data. Ryuk is an APT (Advanced Persistent Threat) which specifically targets enterprise that will experience major disruption due to down time. Cyber-gangs use ATPs to implement complex cybersecurity attacks on vulnerable companies, organizations, infrastructure, and government agencies which possess highly critical information and data. As with other strains of malware, cybercriminals launch Ryuk ransomware attacks through phishing emails that contain links to malicious websites or email attachments that contain the viral payload.

PureLocker is designed to penetrate and encrypt large enterprise servers, particularly IBM servers, and to demand a ransom to regain full access to the server and its data. Purelocker is written in PureBasic programming language disguising itself as normal functions making the malicious code especially difficult to detect. More insidiously, after the malicious script executes, it then deletes itself. PureLocker is a Ransomware-as-a-Service (RaaS) similar to REvil (GandCrab & Sodinokibi), Ranzy Locker, Cerber Trojan, and others.

Noberus, also known as BlackCat and ALPHV, is the first ransomware variation written in the Rust programming language. Noberus is a sophisticated ransomware cybercriminals are using to exfiltrate sensitive data which they then use to extort victims into paying their ransom demand. The principal means of deployment is via the legitimate remote access program ConnectWise which allows hackers to access and control devices once they penetrate a network. Noberus is an ATP - Advanced Targeted Persistent threat ransomware which has the ability to gain higher administrative privileges. With higher privileges Noberus can run PowerShell commands to disable Windows Defender, delete shadow copies, add an executable *.exe to the system's antivirus scanning exclusion list, and launch numerous variations to regain network control post-remediation.

Echelon, is a credential-stealing malware with anti-malware-analysis capabilities. Echelon malware is using the encryption Telegram messaging service to target credentials and crypto wallets to steal digital currency funds. BHUNT is a new malicious cryptocurrency Password Stealer malware also targeting digital wallets. These credential stealing threats also include CryptBot, WeSteal, and Redline Stealer which can exfiltrate digital wallet data and content including passwords from a browser or copied to the clipboard. Cryptostealers can also be stealthily downloaded via vulnerable software installers. Crypto-wallets particularly at risk include Bitcoin, Ethereum, Exodus, Electrum, Atomic, Lightcon, and Jaxx.

New macOS Malware includes MacMa (CDDS), ElectroRAT, ElectrumStealer, SilverSparrow, WildPressure, XcodeSpy, XLoader, and ZuRu. Cybercriminals are delivering these new strains of macOS malware via Trojans, malicious ads and spyware applications. The malicious payloads allow intruders to execute commands, steal credentials, download keyloggers, take screenshots, upload and download malicious files.

How Ransomware Infects a System

Malicious Script Infections are typically spread through phishing emails and highly targeted spear-phishing emails that contain malicious PDF, document, image attachments, smishing using fraudulent SMS text message links, or through malicious drive-by downloads. Drive-by download cyber-attacks are conducted via deceptive, unintentional download of malicious code to a computer system or mobile phone. Malicious script downloads occur when visiting a malicious website, clicking on a link, opening an e-mail attachment or clicking on a fraudulent, deceptive pop-up ad. Drive-by infections are one of the most common methods used by hackers to install malware on a device without consent to gain unauthorized access in order to launch a cyber-attack.

Fileless Malware Infection. Fileless malware operates in system memory (RAM Random-Access Memory). Memory code-injection malware techniques involve hiding malicious code in the memory of legitimate programs. Malicious script code executes from within the device's memory without being stored or downloaded directly onto a system's hard drive. These types of cyber-attack are designed to masquerade and "piggyback" on legitimate program scripts by executing their malicious code undetected while the legitimate program continues to run. Fileless malware remains undetected because it is memory-based, not file-based, and therefore has no signature "footprint" for antivirus software to detect.

Windows PowerShell and Server Message Block (SMB) Vulnerability. Fileless cyber-threats, LockBit and other crypto-attacks use PowerShell and SMB to self-propagate with automated scripting processes. Ransomware and Trojans use vulnerabilities in the Windows Server Message Block to gain unauthorized access to a system and infect an entire network. Windows SMB is used for file and printer sharing, and for access to remote services which allows for lateral viral spread through connected systems.

Encoded Mimikatz Binary. Mimikatz is a credential-stealing tool used by cybersecurity professionals to test antivirus software capabilities. Mimikatz is abused by cybercriminals to perform pass the hash, ticket, and cache attacks to steal authentication credentials, dump passwords from memory, gather critical system information and steal certificates. Mimikatz provides hackers with additional lateral attack capabilities across networks.

Zero-Day Attacks. Vulnerable software allows hackers to exploit a security hole before the release of a security patch can be developed to fix the vulnerability.

Living off the Land Attacks (LotL). A type of fileless cyber-attack where hackers use legitimate software programs and system tools to penetrate and attack a system without leaving a trace or artifact. Cyber intruders use software tools such as WMI (Windows Management Instrumentation) to access credentials, bypass system security, and avoid antivirus detection to steal sensitive data and move laterally across a network. Many cybercriminals engaged in Living off the Land attacks use Mimikatz security credential scanner, PowerShell to run malicious scripts and obtain unauthorized privileges, and PsExec a remote command tool to insert malware and gain undetected access.

HTML and Javascript Smuggling HTML5 smuggling attacks enable a threat actor to smuggle maliciously coded script within an HTML email attachment, a DLL (Dynamic-link library) or Javascript on an HTML web page. Hackers use HTML5 software features to bypass content filters to deliver malware payloads to a user's device. The cyberattack tactic deploys obfuscated files, data URLs, JavaScript Blobs and HTML5 download features on Windows, macOS and Linux platforms to penetrate antivirus, web content filters and static file analysis defenses.

Social Engineering Techniques. Phishing, Vishing, Smishing, Whaling, Pretexting (Impersonation), Quid pro Quo, Tailgating, Piggybacking, and Baiting are effective techniques cybercriminals use to deceive, trick, extort, and steal from cyber-victims.

Malicious email spam campaigns can deploy a loader called SquirrelWaffle that enables an attacker to gain a foothold into enterprise networks by inserting malicious payloads containing Qakbot or Cobalt Strike onto infected systems. QakBot comprises several building blocks or attack stages to distribute and activate the malware. A spam email typically contains links, document attachments with macros, or embedded images to deliver the viral payload before cyberciminals start engaging in hacking activities such as data and financial theft, extortion and exfiltration, credential and certificate theft, email exfiltration, lateral movement across the network, and the deployment of Cobalt Strike beacons for Advanced Persistent Threats to activate ransomware.

QakBot E-mail Thread Hijacking. QakBot uses malicious email message insertion with links into email threads to target new victims' machines. Qakbot is quickly evolving to collect system info including user account information, software installed on a system, running services, and permissions from infected computers. This type of system data theft affords hackers an even greater capability of stealthy cyber-surveillance in order to monitor financial operations, launch ransomware, install backdoors, and keystroke loggers while evading detection. Once a foothold is acquired, hackers can infuse password-stealing code, network scans, and connect to email servers to harvest email addresses and send phishing emails to unsuspecting users.

GootLoader Access Malware is a stealth initial access malware. The infection gets an initial foothold onto the target's computer system and proceeds to infect the system with ransomware or other malicious payload.

OT Infrastructure Ransomware Threats. Operational Technology physical assets are now becoming more susceptible to cyber physical attacks due to ransomware attacks involving critical infrastructure and industrial organizations. Cyber incidents and breaches allow hackers to gain access to confidential infrastructure data that can enable a future physical cyber-attack on critical assets. Unlike IT data alone, operational plant, (ICS) Industrial Control System, and process data leaks can impact critical physical processes or personnel which could potentially put lives at risk.

How Hackers Prepare Cyber Attacks

Hacker Reconnaissance. Before initiating a ransomware attack, hackers typically use reconnaissance techniques. This is very similar to spies probing for intelligence regarding vulnerabilities and weaknesses in a system or network's defenses.

How are Ransomware Attackers Paid?

Ransomware Demand Payments are typically paid by anonymous cryptocurrency in Bitcoin, Ethereum, Venmo, Monero, or by wire-transfer through Western Union. The "digital ransom note" is either a file, pop-up window, or text message providing payment instructions. Some cybercriminals may also demand payment in the form of gift cards.

Emerging Threat Landscape 2022

SaaS Security Challenges SaaS applications such as GitHub, Google 360, Microsoft 365, Microsoft Teams, Slack, Salesforce, Zoom, Atlassian, AWS and other Software as a Service app providers face surmounting security risks from threat actors in 2022. Combining Application Allowlisting techniques with strict Application Control is the best way to defend against ransom attacks.

Double-Extortion Ransomware Leak Threats Double Cyber Extortion Ransomware is on the rise. Cybercriminals are more frequently taking the additional step of exfiltrating sensitive, confidential data in order to extort victims of the initial encryption ransom attack. Frequently, even after receiving the ransom payment, hackers will post exfiltrated confidential data on the web so paying cybercriminals doesn't always result in preventing a data leak.

Best Ransomware Attack Protection for 2022

Under Ransom Attack? Get help from PC Matic Anti-Ransomware Solutions. PC Matic is the pioneer in implementing Whitelisting Technology in small business and enterprise organizations, local and federal governments, K-12 schools districts, colleges, universities and educational institutions, hospitals and healthcare facilities, financial institutions, non-profits, critical infrastructure, and industry of all sizes. The main goal of whitelisting is to protect devices, computers, servers, and networks from harmful applications. PC Matic has the best cybersecurity solution for preventing ransomware with Application Allowlisting in on-premises, cloud, dynamic and hybrid computing environments. Read more about Ransomware Cybersecurity

What Should You Do If Infected By Ransomware?

Bitcoin Ransomware Attacks

Do Not Pay the Ransom

Do not pay the ransom. When the ransom is paid, it feeds the ecosystem almost guaranteeing that the attacks will increase in frequency and severity. One of the reasons that you have become infected is because someone before you paid a ransom. Preventing ransomware attacks through better cybersecurity is much better than rewarding hackers and cybercriminals.

Who do I contact for Ransomware Attack Recovery?

Contact the FBI

The FBI is the center point for ransomware infections and they need to understand how many people and organizations are being infected and the impact on our country. Reporting computer hacking or cyber-intrusion incidents helps in the fight against cybercrime.

My computer is infected with a Ransomware.

Get the Sample

Have a computer professional find the sample and give it to your AV vendor. They can add this sample to their blacklist so others can avoid being infected with this strain. Almost all antivirus vendors have sample sharing arrangements, so once you report it, it is their responsibility to disseminate the sample to the other blacklists.

Secure Your Family’s Devices

Millions of families around the world trust PC Matic to protect their home devices.

Business & Government Security

PC Matic Pro provides security and device management for public and private organizations of any size.

All Ransomware Attacks by State