Most Common Forms of Ransomware


Some recent analysis done by the folks at Emsisoft this last year gives us additional data about the evolving state of ransomware threats. They looked at 230,000 submissions between April and September of 2019 and gathered data on the different strains of ransomware. The results show which forms of ransomware are most common and how they typically get in. Knowing the most common threats can help us develop a plan to stay safe.

Stop or DJVU

The number one offender found in Emsisoft’s survey is known as Stop or DJVU. It is frequently distributed through torrent websites where users are downloading content illegally, and it accounts for around 56% of reported ransomware incidents. This strain typically targets individual computers and is not built to spread throughout a network. It asks for a ransom of $490 in bitcoin and threatens that the ransom will double after 72 hours to scare users into paying.


Dharma

For business owners, the most common network-encrypting ransomware is called Dharma. This strain accounts for 12% of all reported ransomware attacks and has been on the rise. Most businesses fall victim to a phishing email where the user clicks on a fraudulent link. This link delivers a payload that gives the hackers access to the network. They can also gain access with weak or leaked RDP credentials. They then move throughout the network, infecting as many devices as they can and encrypting them. Dharma does not have a set ransom. It directs the affected party to contact the hackers to negotiate a ransom. The larger the organization, the larger the ransom they demand. It has infected several major companies such as Altus Baytown Hospital in Texas. It encrypted all the hospital’s patient records.


Phobos

Phobos was the next most common variant of ransomware, with 8.9% of reported cases. The typical point of entry for this threat is open or poorly secured RDP ports. Once access is gained, they infect the network. They then set their ransom price based on the size of the organization. The larger you are, the more money they’re likely to try to extort. Primary targets for Phobos are businesses and public entities.

GlobeImposter 2.0

GlobeImposter accounted for 6.5% of reported ransomware attacks. This strain is built to spread across business networks. It recently infected the Auburn Food Bank and encrypted almost all their computers. They elected to wipe the drives and recover data from a backup, but the recovery cost was significant.


Sodinokibi

Sodinokibi rounds out the top 5 of our ransomware variants. It is also known as REvil and represented 4.5% of attacks. This is a new strain that emerged this year and is being referred to as ransomware-as-a-service. It relies on affiliates to distribute and market the ransomware. It is extremely evasive and uses advanced techniques to avoid detection by security software. This threat can be delivered in several ways: through a vulnerability in Oracle WebLogic, phishing campaigns, and compromised managed service providers. Most of the attacks have been concentrated in Asia to this point. However, it has been making its way to the US and hit the Texas government, demanding a ransom of $2.5 million. They refused to pay the ransom and were forced to recover their data and rebuild from scratch.

Lessons Learned

When protecting against the most common forms of ransomware, backups will save your bacon every time. It makes a lot of sense to keep both a local and an offsite backup of your data. Your local backups should not be connected to the domain if possible, because this is how most ransomware spreads. Be vigilant and monitor your backups for success and failure. Correct failures when they happen to ensure you always have a healthy current backup. You should also test your backups regularly.

Phishing emails are one of the most common ways that ransomware attacks infiltrate your network. Take the time to educate your people on what these attacks look like and how to avoid them. If they have a question about an email that looks suspicious, have them send it to IT to ask. It’s better to be safe. There are also tools you can use, such as KnowBe4, that can help to train your employees on how to avoid these threats.

Open RDP ports are another source of ransomware. We’ve seen it time and time again. Somebody wants easy access to the network from home or somewhere else. Instead of taking the time to research and set up one of the MANY secure remote access solutions available, they simply open a gaping hole in their firewall and leave RDP open to the world. If your organization does this, you will likely get ransomware. It’s foolish and an open invitation to hackers.

Spam filters that can catch those phishing emails are helpful. Proper antivirus that can detect and eradicate ransomware can offer another layer of protection. Common sense security measures such as strong firewalls, gateway antivirus and anti-malware, intrusion prevention services, and network vulnerability scanning may all help to shore up your security stance.
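
The open-RDP advice above can be checked against an export of your firewall's inbound rules. This audit script is an added example, not part of the original article; the rule field names, the sample rules and the list of internal ranges are constructed assumptions, and it flags every matching allow rule without evaluating rule order.

```python
import ipaddress

RDP_PORT = 3389
# Ranges treated as internal (RFC 1918 and IPv6 unique-local); adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample of inbound rules in a hypothetical export format.
SAMPLE_RULES = [
    {"name": "rdp-from-home", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "ports": "3389"},
    {"name": "rdp-via-vpn", "action": "allow", "proto": "tcp", "src": "10.8.0.0/24", "ports": "3389"},
    {"name": "mgmt-range", "action": "allow", "proto": "tcp", "src": "203.0.113.0/24", "ports": "3000-4000"},
    {"name": "web", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "ports": "80,443"},
    {"name": "deny-rdp-v6", "action": "deny", "proto": "tcp", "src": "::/0", "ports": "3389"},
    {"name": "legacy-allow-all", "action": "allow", "proto": "any", "src": "any", "ports": "any"},
]

def port_in_spec(port, spec):
    """True if port is covered by a spec such as '80,443', '3000-4000' or 'any'."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def source_is_external(src):
    """True unless the whole source range sits inside an INTERNAL network."""
    if src.strip().lower() == "any":
        return True
    net = ipaddress.ip_network(src.strip(), strict=False)
    return not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def audit_rdp_exposure(rules, port=RDP_PORT):
    """Return names of allow rules that let external sources reach the RDP port."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] not in ("tcp", "any"):
            continue
        if port_in_spec(port, rule["ports"]) and source_is_external(rule["src"]):
            findings.append(rule["name"])
    return findings

if __name__ == "__main__":
    for name in audit_rdp_exposure(SAMPLE_RULES):
        print(f"RDP reachable from outside via rule: {name}")
```

Port ranges and catch-all rules are checked as well, since a wide range such as `3000-4000` exposes RDP just as a dedicated 3389 rule does.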

Get Help

It’s time that we started taking these very real threats to our businesses seriously and got the proper security and solutions in place.  i.t.NOW is here to help.  With years of experience setting up secure networks and helping our clients meet their compliance needs we can ensure your data is protected.  If you find yourself overwhelmed by network security give us a call.  We’ll do our best to make it easy.