Webroot Threat Research Reveals the Top 10 Nastiest Ransomware Attacks of 2017


BROOMFIELD, Colo., Oct. 31, 2017 /PRNewswire/ — Webroot, a leader in endpoint security, network security, and threat intelligence, revealed the 10 nastiest ransomware attacks to hit within the past year. According to Webroot's threat research team, NotPetya was the most destructive ransomware of 2017, followed closely by WannaCry and Locky. The data surveyed includes all devices running Windows operating systems that were infected with ransomware across the globe through September 2017.

NotPetya, WannaCry Take Top Spots

Two of the most destructive strains of ransomware ever seen exploded in 2017.

  • NotPetya is crowned No. 1 because it was engineered to do damage to a country's infrastructure.
  • NotPetya's code leveraged EternalBlue, the same exploit WannaCry used a month earlier. But NotPetya wasn't designed to extort money from its victims like most ransomware. It was created to destroy everything in its path.
  • WannaCry takes second place on the list because it took the world by storm when it infected hundreds of thousands of users across the globe.

NotPetya and WannaCry attacked in 2017, but other ransomware on the list made their first appearances in 2016. These attacks either carried into 2017 or returned aggressively.

Nastiest Ransomware – The Top 10

  1. NotPetya—Starting as a fake Ukrainian tax software update, NotPetya infected hundreds of thousands of computers in more than 100 countries within just a few days. This ransomware is a variant of an older attack dubbed Petya, except this time the attack uses the same exploit behind WannaCry.
  2. WannaCry—As the first strain of ransomware to take the world by storm, WannaCry was also the first to use EternalBlue, which exploits a vulnerability in Microsoft's Server Message Block (SMB) protocol.
  3. Locky—2016's most popular ransomware is alive and well in 2017. New variants of Locky, called Diablo and Lukitus, surfaced this year, using the same phishing email attack vector to initiate their exploits.
  4. CrySis—The king of Remote Desktop Protocol (RDP) compromise started last year in Australia and New Zealand. RDP is one of the most common ways to deploy ransomware because cybercriminals can compromise administrators and machines that control entire organizations.
  5. Nemucod—Arriving in the form of a phishing email that looks like a shipping invoice, Nemucod downloads malware and encryption components stored on compromised websites. Nemucod would have been the most malicious phishing email if Locky hadn't reignited in August.
  6. Jaff—Similar to Locky, new variants of Jaff ransomware continue to leverage phishing emails and embody characteristics associated with other successful malware.
  7. Spora—To distribute this ransomware, cybercriminals hack legitimate websites to add JavaScript code. Then, a pop-up alert prompts users to update their Chrome internet browsers to continue viewing the webpage. Once users follow the “Chrome Font Pack” download instructions, they become infected.
  8. Cerber—One of the multiple attack vectors Cerber utilizes is called RaaS (ransomware-as-a-service). Through this “service,” cybercriminals package up ransomware and then give other criminals the tools to distribute it however they see fit.
  9. Cryptomix—This ransomware is one of the few that does not have a type of payment portal available on the dark web. Instead, users have to wait for the cybercriminals to email them instructions to pay a hefty amount in Bitcoin.
  10. Jigsaw—Another carryover from 2016, Jigsaw embeds an image of the clown from the “Saw” movies into a spam email. Once a user clicks, the ransomware not only encrypts files, but it also deletes files if a user takes too long to make the ransom payment of $150.

What Managed Service Providers (MSPs) and small- to medium-sized businesses can do to protect devices from ransomware:

  • Purchase and deploy a top-rated security solution. Look for cybersecurity solutions that provide protection from multiple attack vectors, without affecting user experience by slowing devices during scans.
  • Keep your security software up to date. Firmware and patches are how vendors push out important security updates. Keep both devices and operating systems up to date and create a process for patch management.
  • Back up and store sensitive data. Generally, ransomware only has the means to encrypt files stored locally on a user's system. Back up data to a hard, offline location. In the case of equipment failure or ransomware, you can access your backup and get back to business as usual.
  • Implement a strong password naming convention. A strong password policy limits the likelihood of Remote Desktop Protocol (RDP) breaches.

What home users can do to protect computers from ransomware:

  • Use reliable antivirus software. A good solution should protect your data while providing a seamless user experience.
  • Back up your data. Proactively backing up your files can not only save you thousands, it can save your favorite vacation photos, videos of your kids' piano recitals, and sensitive information.
  • Use good judgement. Be extra vigilant about the websites you visit, the URLs you follow, and the applications and mobile apps you use.

Key Quotes:

Aaron Sherrill, Senior Analyst, 451 Research 

Our research shows that ransomware is a top pain point for businesses due to its infectious nature and ability to spread quickly throughout entire systems. Ransomware does not have a bias and oftentimes small- to medium-sized businesses are the most vulnerable due to their lack of resources. SMBs need to be proactive by consulting an MSP or MSSP on how to deploy a solution that will protect their business from these malicious threats.

David Dufour, Vice President of Engineering and Cybersecurity, Webroot 

This past year was unlike anything we've ever seen. Attacks such as NotPetya and WannaCry were hijacking computers worldwide and spreading new infections through tried-and-true methods. This list is further evidence that cybercriminals will continue to exploit the same vulnerabilities in increasingly malicious ways. Although headlines have helped educate users on the devastating effects of ransomware, businesses and consumers need to follow basic cybersecurity standards to protect themselves.

Research Methodology

The figures presented are based on 2017 data collected, tracked and analyzed by the Webroot BrightCloud® Threat Intelligence Platform and threat research team.

About Webroot

Webroot delivers endpoint security, network security, threat intelligence services, and security awareness training to protect businesses and individuals around the globe. Our smarter approach harnesses the power of cloud-based collective threat intelligence derived from millions of real-world devices to stop threats in real time and help secure the connected world. Our award-winning SecureAnywhere® endpoint solutions, BrightCloud® Threat Intelligence Services, and FlowScape® solution protect millions of devices across businesses, home users, and the Internet of Things. Webroot is trusted and integrated by market-leading companies, including Cisco, F5 Networks, Aruba Networks, Palo Alto Networks, A10 Networks, and more. Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity® solutions at www.webroot.com.

