Ransomware Hall of Inframy

Infraplex in association with Sophos brings you the Ransomware Hall of Infamy, a collective case study of the most controversial and fascinating Ransomware cases in history. Infraplex as a telecommunications provider has embarked on a mission to educate and grow with the modern users of the day, not to only provide quality products and services, but to teach our audience about online safety.

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. This is a collection of the most infamous cases in ransomware history.

Case 1: The AIDS Information Trojan.

The AIDS Trojan, also known as the PC Cyborg virus, was the first ever ransomware virus documented. … The AIDS trojan was created by a biologist Joseph Popp who handed out 20,000 infected disks to attendees of the World Health Organization’s AIDS conference.
“Popp’s malware was delivered in a fairly unorthodox manner, with the internet still being in its infancy. Popp mailed every victim an infected floppy disc, labeled as “AIDS Information Introductory Diskette,” using hijacked mail subscriber lists to the World Health Organization AIDS conference and PC Business World magazine in December 1989.
The software contained a questionnaire about the AIDS virus, disguising itself as a survey. The disc was stamped with a logo for the “PC Cyborg Corporation.”
In reality, the floppy disk would deliver its payload of encryption malware onto the computer, making it one of the earliest pieces of Trojan malware.” -Lessing
(for more on the case study for this case visit https://www.sdxcentral.com/security/definitions/case-study-aids-trojan-ransomware)

Case 2: Cryptolocker

Cryptolocker is a type of ransomware virus that infects your computer and secretly encrypts office documents, images, and other important files. Once the files are infected, you will receive a message, or “ransom note,” explaining you cannot access your files unless you pay a “fine.”

The files become encrypted and not even an antivirus software can help. Once the files are locked, it’s impossible to recover them.

” The most common method of infection is via emails with unknown attachments. Although the attachments often appear to be familiar file types such as *.doc or *.pdf, they in fact contain a double extension — a hidden executable (*.exe).

Once opened, the attachment creates a window and activates a downloader, which infects your computer. Because the program is a Trojan, it cannot self-replicate, meaning it must be downloaded to infect your computer. In addition to malicious email attachments, this malware may also come from websites that prompt you download a plug-in or video player. Typically, you will see nothing wrong with your computer until all files have been encrypted. Then, a warning will pop up indicating that you have been infected and showing a countdown timer until all your data is destroyed.

Many antivirus programs can remove this Trojan, but are unable to decrypt your data. In some cases, users have re-installed the Trojan after removal in order to pay the ransom and unlock their data. ” – Kapersky

Technopedia discusses how malware itself is not difficult to remove, the affected files remain encrypted. At the time of the initial outbreak, users without reliable backups had the choice of paying the ransom — and hoping that those behind the infection were honest enough to actually decrypt the affected files — or simply accepting their data as lost. However, there are now online tools that claim to have the ability to decrypt files that have been encrypted by CryptoLocker.

Case 3: Reveton

The Troj/Reveton-Ransomware family consists of computer infections that lock you out of computer unless you pay a ransom.  It does this by displaying a lock screen when you login to Windows that pretends to be from a law enforcement agency in your country.  For example, if you are in the United States of America the message may be from the FBI and if you are in the United Kingdom the message would pretend to be from the Metropolitan Police Service. In order to access your computer you must submit a MoneyPak voucher, or other payment coupon, to the malware developers and they will then unlock your computer so you can access your Windows desktop again.


The lock screens that will be displayed state that your computer was detected as having broken various laws regarding pornographic material, download copyrighted programs, or the distribution of copyrighted programs.  They will then state that you need to pay a fine or the government will prosecute you and that you may have to pay a fine or will be jailed. In order to pay a fine you will typically need to purchase a MoneyPak voucher and submit the voucher identification number into the lock screen.  It is important to remember that these messages are fake and you have not actually been locked out of your computer by the government.


When infected with a variant of the Troj/Reveton-Ransomware family, your computer wil perform the following behavior:

  • When you login to Windows you will be shown a screenlocker that pretends to be from a government agency. This screenlocker will state that you must pay a fine in order to gain access to your computer.
  • The screen locker will pretend to be from a government agency from the country that corresponds to the geographic region of your computer IP Address. Therefore, if your IP Address is located in the United States you may be shown a message from the FBI, while if you are in Argentina it would be from Police Federal Argentine.

Information provided by Bleeping Computer.

Case 4: Ryuk


The operators of Ryuk ransomware are at it again. After a long period of quiet, we identified a new spam campaign linked to the Ryuk actors—part of a new wave of attacks. And in late September, Sophos’ Managed Threat Response team assisted an organization in mitigating a Ryuk attack—providing insight into how the Ryuk actors’ tools, techniques and practices have evolved. The attack is part of a recent wave of Ryuk incidents tied to recent phishing campaigns.

First spotted in August of 2018, the Ryuk gang gained notoriety in 2019, demanding multi-million-dollar ransoms from companies, hospitals, and local governments. In the process, the operators of the ransomware pulled in over $61 million just in the US, according to figures from the Federal Bureau of Investigation. And that’s just what was reported—other estimates place Ryuk’s take in 2019 in the hundreds of millions of dollars.

Starting around the beginning of the worldwide COVID-19 pandemic, we saw a lull in Ryuk activity. There was speculation that the Ryuk actors had moved on to a rebranded version of the ransomware, called Conti. The campaign and attack we investigated was interesting both because it marked the return of Ryuk with some minor modifications, but also showed an evolution of the tools used to compromise targeted networks and deploy the ransomware.

The attack was also notable because of how quickly the attacks can move from initial compromise to ransomware deployment. Within three and a half hours of a target opening a phishing email attachment, attackers were already conducting network reconnaissance. Within a day, they had gained access to a domain controller, and were in the early stages of an attempt to deploy ransomware.

The attackers were persistent as well. As attempts to launch the attack failed, the Ryuk actors attempted multiple times over the next week to install new malware and ransomware, including renewed phishing attempts to re-establish a foothold. Before the attack had concluded, over 90 servers and other systems were involved in the attack, though ransomware was blocked from full execution.

Information sourced from Sophos.

Case 5: SamSam

As the year 2016 began, a ransomware threat appeared that attacked its victims unlike any previous ransomware attack. SamSam, named after the filename of the earliest sample we uncovered, uses a brutally minimalist, manual approach to target and compromise victims.
The attacker or attackers use a variety of built-in Windows tools to escalate their own privileges, then scan the network for valuable targets. They want credentials whose privileges will let them copy their ransomware payload to every machine – servers, endpoints, or whatever else they can get their hands on.
Once in, the attacker(s) spread a payload laterally across the network; a sleeper cell that lays in wait for instructions to begin encrypting. Ever a predator, the attacker waits until late at night, when the target organization is least well equipped to deal with it, before the final blow is struck. A sneak attack while the target literally sleeps, SamSam encrypts a prioritized list of files and directories first, and then everything else.
Unlike virtually every other ransomware attack, the entire attack process is manual. No badly worded spam email with an attachment is the culprit. The attacker breaks in the old fashioned way: using tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit, and exploits operating system vulnerabilities, though not as many as you’d think. SamSam usually succeeds when the victim chooses a weak, easily guessed password.
In this report, we’ll cover the anatomy of a SamSam attack, and why it isn’t necessarily hard to defend against. We also took a deep dive into the ransomware payload, tracing its evolution from an early beta through its (so far) third major revision, with no sign of a slowdown in sight, and an ever-increasing ransom demand with each subsequent attack. Partnering with the cryptocurrency monitoring firm Neutrino, we traced the money trail and discovered far more victims – and funds – than had been previously reported.

Information provided by Sophos.

Case 6: Satan

Cybercriminals have long used themes like the devil, the occult and what you might rather loosely call “the dark arts” as inspiration for malware names: Dark Avenger, Necropolis, Mydoom, Natas (which is Satan backwards) and SatanBug are just a few examples

But there’s one aspect of the Satan ransomware that isn’t old-school, and that’s what we’re looking at in this article: its business model.

Satan is a ransomware, a malicious software that once opened in a Windows system, encrypts all the files, and demands a ransom for the decryption tools.

But Satan is also an online crimeware service:

As you can see from the welcome screen on Satan’s website, which you access using Tor via a .onion address on the dark web, this ransomware is backed by a cloud service you sign up for.

Satan has brazenly copied the business model of many legitimate online services such as iTunes and eBay: joining up is free, but you pay-as-you-go on a percentage basis when you put business through the site.

The Satan service claims to:

  • Generate a working ransomware sample and let you download it for free.
  • Allow you to set your own price and payment conditions.
  • Collect the ransom on your behalf.
  • Provide a decryption tool to victims who pay up.
  • Pay out 70% of the proceeds via Bitcoin.

The service (we’ll use that word without quotation marks, but you may infer them if you wish) even supports optional two-factor authentication based on a public-private key pair, just like SSH, and a CAPTCHA to make automatic mass signups more difficult:

Once you have a login, you can begin to generate ransomware samples, tailored to your own price point.

Information provided by Sophos.

Case 7: WannaCry

We’re aware of a widespread ransomware attack that is affecting several IT organizations in multiple countries. A new ransomware attack called Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r, and Wana DeCrypt0r) is encrypting files and changing the extensions to .wnry.wcry.wncry, and .wncrypt.  The malware then presents a window to the user with a ransom demand.

The ransomware spreads rapidly, like a worm, by exploiting a Windows vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

The analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers APT EternalBlue Exploit (CC-1353). It uses strong encryption on files such as documents, images, and videos.

There were three key factors that caused this attack to spread so quickly:

  1. The inclusion of code that caused the threat to spread across networks as a worm quickly without needing further user action after the initial infection had taken place.
  2. It exploited a vulnerability that many organizations had not patched against. Patching operating systems is the first line of a security strategy, yet many still struggle to achieve regular updates across their environments.
  3. Organizations are still running Windows XP. Microsoft had discontinued support for Windows XP and not issued a patch for this system, but subsequently issued a patch for Windows XP in light of this attack. Microsoft does support legacy versions of Windows, but at extra cost.

Information provided by Sophos.

Case 8: GP – Code

The GPcode ransomware was released in June 2006 infecting PCs through spear phishing scams.  The GPcode was spread via email attachments that looked to be a job application.

GPcode Ransomware Message

GPcode Ransomware Instructions Example

The first versions of GPcode was easily broken because it wrote the encrypted file to a new location, and deletes the unencrypted file, and this allows an undeletion utility to recover some of the files. This sometimes gives enough information to decrypt other files. Other variants or GPCode ransomware use symmetric encryption, which made key recovery very easy.

How It Works 

Using a 660-Bit RSA public key to encrypt or lock victims files, GPCode ransomware would prevent victims from accessing everything in the MyDocuments directory.  GPCode required victims to pay a fee or ransom and in return a code or key would be delivered to the victims; which they would used to unlock their files.

This version of ransomware is especially nasty because it can leave a backdoor open to other hackers. Furthermore, this gateway allows hackers to access important information such as secure documents, social security number, bank account numbers and credit card information.

In late November 2010, a new version of GPCode was discovered that uses stronger encryption (RSA-1024 and AES-256) and physically overwrites the encrypted file, making recovery nearly impossible.

Information provided by KnowB4.