A look at 2017’s most dangerous ransomware attacks

By Dan Slattery, Senior Information Security Analyst at Webroot

Hackers have tried – and often succeeded – to take advantage of the World Wide Web’s weaknesses and holes for decades. But in recent years, we’ve noticed a clear increase in attacks and their impact, with cyber criminals becoming more virulent, and attacks spreading at a pace never seen before.

Ransomware in particular has reached new highs in 2017, damaging thousands of organisations worldwide. In Australia, attacks such as WannaCry and NotPetya even raised concerns at a political level, with Minister Assisting the Prime Minister for Cyber Security Dan Tehan stating at the time of the attacks that he wasn’t ruling out calling in the military to help tackle the issue.   

According to Webroot’s threat research team, these are the top 10 nastiest ransomware attacks* that impacted organisations worldwide in 2017 (some of which are still active), and from which we should learn lessons.


Starting as a fake Ukrainian tax software update, NotPetya infected hundreds of thousands of computers in more than 100 countries within just a few days. This ransomware is a variant of an older attack dubbed Petya, except this time hackers used the same exploit behind WannaCry.

As it spread, NotPetya affected several organisations in Australia, such as Cadbury’s Tasmanian factory, which had to shut down its entire IT system. It also hit the world’s largest container ship and supply vessel operator, Maersk, which reportedly lost up to $300m in revenue.


As the first strain of ransomware to take the world by storm, WannaCry was also the first to use EternalBlue, which exploits a vulnerability in Microsoft's Server Message Block (SMB) protocol.

WannaCry trapped victims in 150 countries and infected over 200,000 machines in the first day alone.


2016’s most popular ransomware is alive and well in 2017. New variants of Locky, called Diablo and Lukitus, surfaced this year, using the same phishing email attack vector to initiate their exploits.

Locky was behind Australia Post’s email scams scandal, and according to the Australian Competition and Consumer Commission (ACCC), Australians lost more than $80,000 to email parcel scams in 2015.


The king of Remote Desktop Protocol (RDP) compromise started last year in Australia and New Zealand. RDP is one of the most common ways to deploy ransomware, because cybercriminals who compromise an exposed RDP service can take over administrator accounts and the machines that control entire organisations.

Victims of CrySis were forced to pay $455–$1,022 to retrieve their files.
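The two exposures described above, the SMB vulnerability behind WannaCry and NotPetya (EternalBlue targets the legacy SMBv1 dialect) and exposed RDP behind CrySis, can both be audited on a Windows host. The script below is an added example, not code from the article or from Webroot; the function name is hypothetical and it uses only built-in cmdlets and registry values, run from an elevated PowerShell session.

```powershell
# Added example (not from the article or Webroot): audit a host for SMBv1 and for
# RDP that is reachable without Network Level Authentication (NLA).
# Function name Test-RansomwareExposure is hypothetical.
function Test-RansomwareExposure {
    [CmdletBinding()]
    param()
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. SMBv1 server-side. Get-SmbServerConfiguration exists on Windows 8 /
    #    Server 2012 and later; on older hosts the call fails, so flag for review.
    try {
        $smb = Get-SmbServerConfiguration -ErrorAction Stop
        $findings.Add([pscustomobject]@{
            Check  = 'SMBv1 server protocol'
            Value  = $smb.EnableSMB1Protocol
            AtRisk = [bool]$smb.EnableSMB1Protocol
            Fix    = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
        })
    } catch {
        $findings.Add([pscustomobject]@{ Check = 'SMBv1 server protocol'; Value = 'unknown'
                                         AtRisk = $true; Fix = 'Review manually (cmdlet unavailable)' })
    }

    # 2. SMBv1 as an optional Windows feature (Windows 10 / Server 2016 and later).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        $findings.Add([pscustomobject]@{
            Check  = 'SMB1Protocol Windows feature'
            Value  = $feature.State
            AtRisk = ($feature.State -eq 'Enabled')
            Fix    = 'Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
        })
    }

    # 3. RDP: fDenyTSConnections = 0 means RDP is enabled; UserAuthentication = 1
    #    means NLA is required before a session (and a logon screen) is offered.
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
    $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $findings.Add([pscustomobject]@{
        Check  = 'RDP enabled without NLA'
        Value  = "Enabled=$rdpEnabled NLA=$nla"
        AtRisk = ($rdpEnabled -and $nla -ne 1)
        Fix    = 'Require NLA (UserAuthentication=1) or disable RDP; reach RDP only via VPN or a gateway'
    })
    return $findings
}

Test-RansomwareExposure | Format-Table -AutoSize
```

Any row with AtRisk set to True is a host on which either the WannaCry-style SMB exploit or a direct RDP logon attempt still has a surface to work with; the Fix column lists the remediation for that row.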


Arriving in the form of a phishing email that looks like a shipping invoice, Nemucod downloads malware and encryption components that are stored on compromised websites. Nemucod would have been the most malicious phishing email campaign of the year if Locky hadn’t reignited in August.


Similar to Locky, new variants of Jaff ransomware continue to leverage phishing emails and embody characteristics associated with other successful malware.

Criminals have demanded up to $3,700 in order for victims to regain access to encrypted files.


To distribute this ransomware, cybercriminals hack legitimate websites to add JavaScript code. Then, a pop-up alert prompts users to update their Chrome browser to continue viewing the webpage. Once users follow the "Chrome Font Pack" download instructions, they become infected.


One of the multiple distribution methods Cerber uses is RaaS (ransomware-as-a-service). Through this “service,” cybercriminals package up the ransomware and then give other criminals the tools to distribute it however they see fit.


This is one of the few ransomware families that does not operate a payment portal on the dark web. Instead, victims have to wait for the cybercriminals to email them instructions to pay a hefty amount in Bitcoin.

It affected victims in 29 countries, who were forced to pay up to $3,000.


Another carryover from 2016, Jigsaw embeds an image of the clown from the “Saw” movies into a spam email. Once a user clicks on the image, the ransomware not only encrypts files but also deletes them if the user takes too long to make the ransom payment of $150.

As the Australian Cyber Security Centre (ACSC) pointed out in its most recent Threat Report 2017, the current cyber threat landscape is ruled by two distinct trends: on one hand, increasingly sophisticated exploits are being developed and deployed against well-protected networks; on the other hand, many adversaries are compromising networks using publicly known vulnerabilities that have known mitigations.

While increased awareness has helped educate users on the devastating effects of ransomware, businesses need to go beyond the basic cybersecurity standards to protect themselves. Proactive approaches that use real-time, machine learning-based analysis, including an understanding of threat behaviour and context, are necessary for accurate decision making and protection from today’s threats.

*The data surveyed by Webroot includes all devices running Windows operating systems that were infected with ransomware across the globe through September 2017.

About Webroot

Webroot delivers endpoint security, network security, threat intelligence services, and security awareness training to protect businesses and individuals around the globe. Our smarter approach harnesses the power of cloud-based collective threat intelligence derived from millions of real-world devices to stop threats in real time and help secure the connected world.

Our award-winning SecureAnywhere® endpoint solutions, BrightCloud® Threat Intelligence Services, and FlowScape® solution protect millions of devices across businesses, home users, and the Internet of Things. Webroot is trusted and integrated by market-leading companies, including Cisco, F5 Networks, Aruba Networks, Palo Alto Networks, A10 Networks, and more.

Headquartered in Colorado, Webroot operates globally across North America, Europe, and Asia. Discover Smarter Cybersecurity® solutions at