The rundown on ransomware

Learn about current ransomware strains and how they operate

by Alex Cherones

Ransomware is shaping up to be “public enemy number one” in cybersecurity circles – reports of attacks have more than quadrupled since 2015.

Ransomware is a type of malware that either encrypts or quarantines files until a ransom is paid for the files to be restored. Here are some of the current ransomware strains and how they operate.


Named for a character in the “Saw” horror movie franchise, this ransomware variant uses a countdown clock and images from the slasher flicks in its on-screen ransom demand. Usually, a countdown clock is displayed, and the virus will destroy some of the encrypted files every hour that the ransom goes unpaid. Attempts to stop the process or reboot the system result in the deletion of 1,000 files. 


This strain gets its access by exploiting vulnerabilities in servers, like an out-of-date patch, then infects all devices connected to the network. Samsam encrypts data, files, and even backups until the ransom is paid and the files are released.

Maktub Locker

The malicious code in Maktub enters through spam or phishing emails that contain an attachment with a camouflaged virus. If the attachment is opened, a rich text file invades the entire system, locking up all data and systems connected to the network. Reports on Maktub indicate that the malicious emails are sometimes disguised as “terms of service” or “terms of use” updates.

Maktub and Samsam are unique in that they’re both a sort of “one-stop shop” for cyberattacks – while other ransomware can require a downloaded decryption key, Maktub has the tools locally to unlock the hostage files. 


This species of ransomware is delivered as an email attachment that is disguised as a Microsoft Word invoice. If opened, the document looks garbled and requests that users enable macros to make the text legible. Once enabled the malware encrypts all files until the ransom is paid. Locky is known for its countdown screen, which notifies the victims how much time is left to pay the ransom and save their files.



This ransomware strain targets a key Windows system file called the Master Boot Record that helps a PC start up. Peyta overwrites this file, which blocks users from getting into their PC until they pay the requested ransom. 


This strain of ransomware encrypts data across an entire network, as opposed to individual computers. The malicious program scans networks looking for vulnerabilities, then attacks. The malware scrambles data on servers, then finds and deletes the backup files firms use to restore their data. 


This virus strikes by hiding inside of a document generated by Microsoft Word, burying malicious code in attached Word documents that are emailed. When the harmless-looking Word document is opened, the ransomware attack code is launched. It’s considered dangerous because its unique delivery system indicates some “outside the box” thinking by ransomware coders. 

Another growing trend in ransomware is the dwindling use of Bitcoin as the payoff. Cybercriminals have begun requesting gift cards and other pre-paid cards. Since gift cards are relatively easy to track, it is suspected that the cards are resold online.

If your system is attacked by ransomware, the recommended course of action is to contact the authorities – some of the viruses have known decryption keys. In some reported cases, though, law enforcement will inform victims that paying the ransom is the best course of action.