Ransomware is a type of malware that locks you out of your own computer until you pay a ransom. This digital extortion is one of the most serious security threats facing the Internet today. Ransomware not only impacts unsuspecting Internet users, but also business organizations, government institutions and even critical services such as utility, healthcare and emergency facilities.
Ransomware has been around for many years. Yet the prevalence of cryptocurrencies and access to hacking services such as Ransomware as a Service (RaaS) on the Dark Web have made it accessible to more cybercriminals than ever before. In fact, the first documented ransomware attack, the AIDS Trojan of 1989, targeted the healthcare industry.
In this article, we’ll look not only at ransomware, but at ransomware families: one of the ways ransomware spreads to, and attacks, every corner of the digital world.
Ransomware families are a direct relative of the Ransomware as a Service model. As with Cybercrime as a Service, with RaaS you can hire people or software to “handle” ransomware attacks for you.
Within a given family, the operators develop their own ways of gathering intelligence (possibly via spyware) and identifying vulnerabilities before finally delivering the ransomware to the victims. The preparation here is key, as each family has different characteristics (which we’ll describe below).
Though there are countless malware strains in the world, we can group many of them into families. Some report that just three families might account for up to 60% of ransomware attacks globally, though that doesn’t mean they are the most vicious or biting.
The most notable ransomware families rely on data encryption and data deletion to threaten their victims, as losing access to data, or having sensitive business information exposed publicly, causes irreversible damage.
(Read our ransomware introduction for more.)
Modern trends in ransomware attacks are hard to comprehend given our dependence on access to data and connected technologies:
Despite these alarming numbers, a lot of ransomware attacks are hit-and-miss. In fact, 90% of ransomware attacks don’t cause any financial loss to the target machines. So which ransomware family is the most threatening?
Here are some notable examples of ransomware families that share the same attack signatures and code, and have caused significant financial damages to affected users and institutions:
A true showstopper, WannaCry put modern ransomware on the global map. This crypto-ransomware emerged as a global epidemic in the digital world in 2017, affecting over 230,000 machines globally and causing $100 million worth of damages to NHS hospitals in the U.K.
Splunk covered WannaCry in the immediate aftermath. For a peek into what the 2017 drama was like, check out these expert resources:
This 2018 ransomware attack used RSA encryption techniques to compromise vulnerable Windows-based systems. There are currently over 600 variations of this ransomware family, which means it’s absolutely still active. Unfortunately, it’s also not well-known, which means you could be at risk. (Aren’t you glad you’re reading this?)
This notorious Ransomware as a Service was launched in 2020 and spread across 15 countries. The notable 2021 attack caused a complete shutdown of the Colonial Pipeline, a 5,500-mile fuel pipeline on the U.S. East Coast. See how Splunk experts detected and remediated DarkSide.
Initially known to the world as Petya, this ransomware propagated through phishing attacks in early 2016. The next year, NotPetya, a variant of Petya, was also used in the WannaCry attack incidents and was labeled as a “next step in ransomware evolution”.
Learn more about these attacks:
This traditional ransomware family spreads through a Microsoft Word document containing macros; once enabled, the macros install the Locky ransomware, which encrypts stored files and demands a ransom.
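The Locky delivery vector above is a macro-bearing Office document. As an added example (not code from the original post), here is a mail-gateway style check that inspects an OOXML document's contents for an embedded VBA project rather than trusting the file extension; the part names are the standard OOXML locations, while the sample documents, file names and policy strings are constructed for the demo.

```python
import io
import zipfile

# Zip-based (OOXML) Office documents store VBA macro code in these parts.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def contains_vba_macros(document: bytes) -> bool:
    """True if the OOXML document embeds a VBA project, the component a
    macro-based dropper needs. The check looks at the archive contents, so a
    renamed .docm is still caught. Non-zip input (e.g. a legacy binary .doc)
    is reported as False here and should be routed to a separate OLE check."""
    try:
        with zipfile.ZipFile(io.BytesIO(document)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def build_sample_document(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-shaped archive for testing, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def quarantine_decision(filename: str, document: bytes) -> str:
    """Hypothetical gateway policy: hold Office attachments that carry macros."""
    if contains_vba_macros(document):
        return f"QUARANTINE {filename}: embedded VBA project"
    return f"ALLOW {filename}"


if __name__ == "__main__":
    print(quarantine_decision("invoice.docm", build_sample_document(True)))
    print(quarantine_decision("invoice.docx", build_sample_document(False)))
```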
Let’s review the anatomy of a ransomware attack. The following characteristics can be attributed to ransomware:
Ransomware locks the user out of the compromised devices, data and apps. The affected user may see a screen demanding a ransom, with instructions for restoring access. It relies on vulnerabilities in the OS or on the installation of malware that takes control of the machine. The message overlay also disables all other functions that could be used to regain access.
Data encryption employs cryptographic techniques to render the target data and apps unusable. These files are encrypted using a key held only by the adversary. Without the decryption keys, it is not possible to decrypt the affected resources using any conventional computing resources in a reasonable amount of time and at a reasonable cost.
(Read our full cryptographic explainer.)
Last year, our strategic security research team SURGe wanted to know the answer to: “How long do you have before ransomware encrypts your systems?” The answer? Faster than you think. Read the blog or the full research.
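The two points above, that encrypted files are statistically indistinguishable from random bytes and that ransomware encrypts quickly, combine into a usable detection signal: a burst of high-entropy file writes. As an added example that is not from the original post or SURGe's research, the following Python triages a stream of file-write events for such a burst; the event format, paths, timestamps and thresholds are constructed assumptions.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: ciphertext approaches 8 bits/byte, text and most documents sit
    far lower. Caveat: already-compressed formats (zip-based .docx, images,
    archives) are also high entropy, so this only works combined with the burst
    logic below, not as a per-file verdict."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def detect_encryption_burst(events, window=60.0, min_files=20):
    """events: iterable of (timestamp_seconds, path, written_bytes), e.g. from a
    file-audit feed. Returns (alert, peak_count, window_start) where peak_count
    is the largest number of distinct high-entropy files written inside any
    `window`-second span. min_files is a tuning assumption, not a standard."""
    hits = sorted((ts, path) for ts, path, data in events if looks_encrypted(data))
    best, best_start = 0, None
    for i, (start, _) in enumerate(hits):
        paths = {p for ts, p in hits[i:] if ts - start <= window}
        if len(paths) > best:
            best, best_start = len(paths), start
    return best >= min_files, best, best_start


def constructed_sample():
    """Constructed sample, not real telemetry: one plaintext report, then 25
    files rewritten with random bytes (standing in for ciphertext) within 12 s."""
    report = b"Quarterly numbers are attached. Call me with questions.\n" * 20
    events = [(0.0, "/srv/share/report.txt", report)]
    events += [(100.0 + i * 0.5, f"/srv/share/doc{i}.docx.locked", os.urandom(2048))
               for i in range(25)]
    return events


if __name__ == "__main__":
    alert, peak, when = detect_encryption_burst(constructed_sample())
    print(f"alert={alert} peak_files={peak} window_start={when}")
```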
Instead of locking users out of their data, the data is simply removed from the target machines. The data may be restored if the ransom is paid. Adversaries use this tactic to gain the psychological upper hand: deleting some data assets as proof of the damage they can do if the ransom is not paid.
Cybercriminals threaten to expose sensitive information stolen from the affected machines. This information may include:
All ransomware families communicate their demands to the victim. The threatening messages tend to be generic, awaiting a response from the affected victims.
Cybercriminals hide their identity and ransomware transactions by adopting cryptocurrencies as the mode of payment. Bitcoin is commonly used to achieve this goal. Hobbyist hackers also use gift cards and e-vouchers for small ransomware payments.
So how do you protect against ransomware? Ransomware is effective only as long as the compromised machine is your only means of accessing your data. Regularly backing up to different machines, encrypting sensitive data and not falling prey to social engineering attacks render most ransomware attacks ineffective.