The Most Malicious Ransomwares Demanding Crypto to Watch Out For


As interconnectivity turns the world into a global village, cyberattacks are expectedly on the rise. According to reports, the tail end of last year saw a spike in the average amount of payments made to ransomware attackers, as several organizations were forced to pay millions of dollars to have their files released by malware attackers.

Apart from the fact that the current pandemic has left many individuals and corporations vulnerable to attacks, the notion that cryptocurrencies are an anonymous and untraceable payment method has led many ransomware attackers to demand payment in Bitcoin (BTC) and other altcoins. 

Just recently, a report published on June 23 by cybersecurity firm Fox-IT revealed a malware group named Evil Corp that has been on a rampage with new ransomware that demands its victims to pay a million dollars in Bitcoin.

The report also reveals that groups such as Evil Corp create ransomware that targets database services, cloud environments and file servers intending to disable or disrupt backup applications of a company’s infrastructure. On June 28, cybersecurity firm Symantec reported blocking a ransomware attack by Evil Corp that targeted about 30 United States firms demanding Bitcoin in payment.

These attempted attacks are just the most recent examples of the escalating threat of ransomware attacks. Below are some of the most malicious ransomware demanding payment in crypto.


WastedLocker is the latest ransomware created by Evil Corp, a group that has been active since 2007 and is regarded as one of the most lethal cybercrime teams. After the indictment of two alleged members of the group, Igor Turashev and Maksim Yakubets, in connection to the Bugat/Dridex and Zeus banking trojans, Evil Corp reportedly reduced its activity.

However, researchers now believe that as of May 2020, the group has resumed attacks once again, with the WastedLocker malware as its latest creation. The malware has been named “WastedLocker” due to the filename created by the malware, which adds an abbreviation of the victim’s name to the word “wasted.”

By disabling and disrupting backup applications, database services and cloud environments, WastedLocker prevents its victims’ ability to recover their files for a longer period of time, even if there is an offline backup setup. In cases where a company lacks offline backup systems, recovery can be prevented indefinitely. 

Researchers, however, note that unlike other ransomware operators that leak victim’s information, Evil Corp has not threatened to publish victims’ information in order to avoid attracting public attention to itself.


DoppelPaymer is ransomware designed to encrypt the files of its target, preventing them from accessing files and subsequently encouraging the victim to pay a ransom to decrypt the files. Used by an eCrime group called INDRIK SPIDER, the DoppelPaymer malware is a form of BitPaymer ransomware and was first discovered in 2019 by CrowdStrike software endpoint protection company. 

Recently, the ransomware was used in an attack against the City of Torrance in California. More than 200 GB of data was stolen, with the attackers demanding 100 Bitcoin in ransom. 

Other reports reveal that the same malware was used to attack the city of Alabama state’s information technology system. The attackers threatened to publish citizens’ private data online unless they are paid $300,000 in Bitcoin. The attack came after warnings from a cybersecurity firm based in Wisconsin. A cybersecurity specialist analyzing the case mentioned that the attack that had brought down the city’s email system was made possible through the username of a computer belonging to the city’s manager of information systems.

Data from Chainalysis shows that the DoppelPaymer malware is responsible for one of the largest payouts, one of only two to reach the $100,000 mark.


According to a report by cybersecurity provider Check Point, the Dridex malware entered the top-10 list of malware for the first time in March 2020 after an initial appearance in 2011. The malware, also known as Bugat and Cridex, specializes in stealing bank credentials using a system of macros on Microsoft Word. 

However, new variants of the malware go beyond Microsoft Word and now target the entire Windows platform. Researchers note that the malware can be lucrative for criminals thanks to its sophistication, and is now being used as a ransomware downloader.

Even though last year saw the takedown of a botnet linked to Dridex, experts believe that such successes are often short-lived, as other crime groups can pick up the malware and use it for other attacks. However, the ongoing global pandemic has further escalated the use of malware such as Dridex, easily executed through email phishing attacks, as more people are required to stay and work from home.


Another malware that has resurfaced as a result of the coronavirus pandemic is the Ryuk Ransomware, which is known for targeting hospitals. On March 27, a spokesman of a British-based IT security firm confirmed that despite the global pandemic, Ryuk ransomware is still being used to target hospitals. Like most cyberattacks, the Ryuk malware is distributed via spam emails or geo-based download functions.

The Ryuk malware is a variant of Hermes, which is linked to the SWIFT attack in October 2017. It is believed that the attackers who have been using Ryuk since August have pulled in over 700 Bitcoin across 52 transactions. 


As the ransomware landscape continues to be overcrowded by novel malicious solutions, cybercriminal groups such as the REvil (Sodinokibi) ransomware gang have seemingly evolved with the times with increased sophistication of their operation. The REvil gang operates as a RaaS (Ransomware-as-a-Service) and creates malware strains that it sells to other criminal groups. 

A report by security team KPN reveals that the REvil malware has infected more than 150,000 unique computers across the globe. Yet these infections only emerged from a sample of 148 strains of the REvil ransomware. Each strain of the REvil ransomware is deployed according to the infrastructure of the company’s network to increase chances of infection.

Recently, the notorious REvil ransomware gang launched an auction to sell off stolen data from companies unable to pay the ransom with prices starting at $50,000 payable in Monero (XMR). Out of privacy concerns, the REvil gang switched from demanding payment in Bitcoin to Monero, a privacy-centric cryptocurrency.

As one of the most active and aggressive ransomware operators, the REvil gang is primarily targeting corporations, encrypting their files and asking for astronomical fees averaging about $260,000.


On May 27, Microsoft’s security team revealed in a series of tweets information regarding a new ransomware called “Pony Final,” which uses brute force to get access to its target network infrastructure to deploy ransomware.

Unlike most malware that use phishing links and emails to trick the user into launching the payload, PonyFinal is distributed using a combination of a Java Runtime Environment and MSI files that deliver malware with a payloader that is activated manually by the attacker. Like Ryuk, PonyFinal is mainly being used to attack healthcare institutions amid the COVID-19 crisis.

Declining payouts

Despite the overall increase in the number of cyberattacks, experts believe there is a decrease in the number of successful attacks, since for most corporations, ransomware attacks amid a global pandemic are proving to be a final stroke, leaving them unable to pay the ransom. 

This is evident in a report published by malware lab Emsisoft on April 21, revealing a significant drop in the number of successful ransomware attacks in the U.S. Likewise, a Chainalysis report published in April found a significant decrease in ransomware payments since the coronavirus pandemic intensified in the U.S. and Europe. 

So it seems that despite the growing number of attacks, victims are not paying the ransoms, leaving criminal groups like REvil with no other option but to auction out the stolen data. It is also likely that a call for employees to work from home has paradoxically posed a new challenge for hackers. While speaking to Cointelegraph, Emsisoft’s threat analyst Brett Callow stated:

“It’s very obvious to ransomware attackers that they’ve got a potentially valuable target when they hit a corporate endpoint. It may however be less obvious when they hit a personal device that an employee is using while working remotely, and which is only connected to corporate resources on an intermittent basis.”