{
	"id": "15a75566-af4a-4536-bd04-7f22590727d2",
	"created_at": "2026-04-06T00:12:19.26394Z",
	"updated_at": "2026-04-10T13:12:48.407558Z",
	"deleted_at": null,
	"sha1_hash": "f65010f8aea5e13ff75149c4d65309af029c5a7e",
	"title": "Ransomware and Recent Variants | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64148,
	"plain_text": "Ransomware and Recent Variants | CISA\r\nPublished: 2016-09-29 · Archived: 2026-04-05 22:38:39 UTC\r\nSystems Affected\r\nNetworked Systems\r\nOverview\r\nIn early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers\r\nbelonging to individuals and businesses, which included healthcare facilities and hospitals worldwide.\r\nRansomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom\r\nis paid to unlock it.\r\nThe United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident\r\nResponse Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its\r\nmain characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate\r\nagainst ransomware.\r\nWHAT IS RANSOMWARE?\r\nRansomware is a type of malware that infects computer systems, restricting users’ access to the infected systems.\r\nRansomware variants have been observed for several years and often attempt to extort money from victims by\r\ndisplaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the\r\nuser’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The\r\nransom demanded from individuals varies greatly but is frequently $200–$400 and must be paid in virtual\r\ncurrency, such as Bitcoin.\r\nRansomware is often spread through phishing emails that contain malicious attachments or through drive-by\r\ndownloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware\r\nis downloaded and installed without the user’s knowledge.\r\nCrypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been\r\nspread through social media, such as Web-based instant messaging applications. 
Additionally, newer methods of\r\nransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry\r\npoint to gain access into an organization’s network.\r\nWHY IS IT SO EFFECTIVE?\r\nThe authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a\r\nransom, and users’ systems can become infected with additional malware. Ransomware displays intimidating\r\nmessages similar to those below:\r\nhttps://www.us-cert.gov/ncas/alerts/TA16-091A\r\nPage 1 of 4\n\n“Your computer has been infected with a virus. Click here to resolve the issue.”\r\n“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a\r\n$100 fine.”\r\n“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain\r\naccess to your data.”\r\nPROLIFERATION OF VARIANTS\r\nIn 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one\r\nday, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average\r\nransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2\r\nserver. These rough estimates demonstrate how profitable ransomware can be for malicious actors.\r\nThis financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and\r\nlucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants\r\nencrypt not just the files on the infected device, but also the contents of shared or networked drives. 
These variants\r\nare considered destructive because they encrypt users’ and organizations’ files, and render them useless until\r\ncriminals receive a ransom.\r\nIn early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare\r\nfacilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that\r\ninclude malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious\r\nattachments contain macros or JavaScript files to download Ransomware-Locky files.\r\nSamas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in\r\n2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised,\r\nuploaded Ransomware-Samas files were used to infect the organization’s networks.\r\nLINKS TO OTHER TYPES OF MALWARE\r\nSystems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user\r\ntypically becomes infected by opening a malicious attachment from an email. This malicious attachment contains\r\nUpatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus\r\nTrojan that steals banking information and is also used to steal other types of data. Once a system is infected with\r\nGameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected\r\nsystem, and requests that a ransom be paid.\r\nThe close ties between ransomware and other types of malware were demonstrated through the recent botnet\r\ndisruption operation against GameOver Zeus, which also proved effective against CryptoLocker. 
In June 2014, an\r\ninternational law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and\r\nCryptoLocker.\r\nImpact\r\nRansomware not only targets home users; businesses can also become infected with ransomware, leading to\r\nnegative consequences, including\r\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\nPaying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious\r\nactors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does\r\nnot mean the malware infection itself has been removed.\r\nSolution\r\nInfections can be devastating to an individual or organization, and recovery can be a difficult process that may\r\nrequire the services of a reputable data recovery specialist.\r\nUS-CERT recommends that users and administrators take the following preventive measures to protect their\r\ncomputer networks from ransomware infection:\r\nEmploy a data backup and recovery plan for all critical information. Perform and test regular backups to\r\nlimit the impact of data or system loss and to expedite the recovery process. Note that network-connected\r\nbackups can also be affected by ransomware; critical backups should be isolated from the network for\r\noptimum protection.\r\nUse application whitelisting to help prevent malicious software and unapproved programs from running.\r\nApplication whitelisting is one of the best security strategies as it allows only specified programs to run,\r\nwhile blocking all others, including malicious software.\r\nKeep your operating system and software up-to-date with the latest patches. 
Vulnerable applications and\r\noperating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly\r\nreduces the number of exploitable entry points available to an attacker.\r\nMaintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to\r\nexecuting.\r\nRestrict users’ ability (permissions) to install and run unwanted software applications, and apply the\r\nprinciple of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware\r\nfrom running or limit its capability to spread through the network.\r\nAvoid enabling macros from email attachments. If a user opens the attachment and enables macros,\r\nembedded code will execute the malware on the machine. For enterprises or organizations, it may be best\r\nto block email messages with attachments from suspicious sources. For information on safely handling\r\nemail attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the\r\nWeb. See Good Security Habits and Safeguarding Your Data for additional details.\r\nDo not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social\r\nEngineering and Phishing Attacks or the Security Publication on Ransomware for more information.\r\nIndividuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be\r\nreleased. Report instances of fraud to the FBI at the Internet Crime Complaint Center.\r\nReferences\r\nKaspersky Lab, Kaspersky Lab detects mobile Trojan Svpeng: Financial malware with ransomware capabilities\r\nnow targeting U.S.\r\nSophos / Naked Security, What’s next for ransomware? 
CryptoWall picks up where CryptoLocker left off\r\nSymantec, CryptoDefence, the CryptoLocker Imitator, Makes Over $34,000 in One Month\r\nSymantec, Cryptolocker: A Thriving Menace\r\nSymantec, Cryptolocker Q\u0026A: Menace of the Year\r\nSymantec, International Takedown Wounds Gameover Zeus Cybercrime Network\r\nSophos / Naked Security, “Locky” ransomware – what you need to know\r\nMcAfee Labs Threat Advisory: Ransomware-Locky. March 9, 2016\r\nSamSam: The Doctor Will See You, After He Pays The Ransom\r\nRevisions\r\nMarch 31, 2016: Initial publication|May 6, 2016: Clarified guidance on offline backups|July 11, 2016: Added link\r\nto governmental interagency guidance on ransomware\r\nSource: https://www.us-cert.gov/ncas/alerts/TA16-091A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA16-091A"
	],
	"report_names": [
		"TA16-091A"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f65010f8aea5e13ff75149c4d65309af029c5a7e.pdf",
		"text": "https://archive.orkl.eu/f65010f8aea5e13ff75149c4d65309af029c5a7e.txt",
		"img": "https://archive.orkl.eu/f65010f8aea5e13ff75149c4d65309af029c5a7e.jpg"
	}
}