• +86-135-5029-3426
  • sales@vinchin.com

Vinchin Blog

Vinchin Blog Review of Ransomware incidents in 2019

Review of Ransomware incidents in 2019



What is Ransomware

Ransomware is a new type of computer virus, spreads mainly in the form of emails, program Trojan horses, and webpage hanging horses. The virus is bad in nature and extremely harmful. Once infected, it will cause immeasurable losses to users.

The attacked samples are mainly exe, js, wsf, vbe and other types. After the ransomware file enters the local area, it will automatically run, and the ransomware sample will be deleted at the same time to avoid detection and analysis. Next, the ransomware will use the local Internet access authority to connect to the hacker's C&C server, upload local information and download the encrypted private key and public key, and the file will be encrypted with the AES+RSA4096-bit algorithm. Except for the virus developer, it is almost impossible for anyone else to decrypt it.


After the encryption is completed, the wallpaper will be modified, and a ransom note file will be generated on the desktop and other obvious locations to instruct the user to pay the ransom, that is, the ransom fund must be paid to get the decrypted private key or choose to lose the file. Ransomware mutates very quickly and is immune to conventional antivirus software. 

According to public records, the world's first ransomware prototype was written by Joseph Popp in 1989. The Trojan program entered the system in the form of an "AIDS information boot disk".

The first ransomware in mainland China, the Redplus Ransomware Trojan (Trojan/Win32.Pluder), appeared in 2006. It hid user documents and package files, then popped up a window asking users to pay the ransom to a designated bank account.

Global ransomware incidents in 2019

2019 was the year of the outbreak of ransomware attacks. This year, all parts of the world seem to be "blackmailed". News about different governments, enterprises, and organizations being attacked by ransomware were exposed every day, including medical information. Account credentials, company emails and confidential sensitive data were stolen etc.

Let's take a review of some global ransomware incidents in 2019.

March, Norway

One of the world’s largest aluminum product manufacturers Norsk Hydro was attacked by the ransomware LockerGoga, and their entire global IT system was down, affecting all production systems and office operations. The company was forced to shut down multiple automated production lines, shaking the global aluminum product trading market.

May, China

A certain online car-hailing platform was targeted by hacker ransomware, and the core data of the server was brutally encrypted. The attacker demanded a huge bitcoin ransom, and victim had no choice but to call the police for help.

May, Riviera, Florida, U.S.

After being attacked by ransomware, various municipal work was suspended for several weeks. The municipality held an emergency meeting and decided to pay a ransom of 600,000 US dollars.

June, ASCO, the world's largest supplier of aircraft parts

Its factory in Belgium was attacked by a ransomware virus, the production environment system was paralyzed, about 1,000 workers were forced to stop work, and factories in Germany, Canada and the United States were also forced to shut down.

October, Demand, the world's largest hearing aid manufacturer

Invaded by ransomware, caused direct economic losses of up to 95 million US dollars

October, Pitney Bowes, World-renowned shipping giant

Suffered from ransomware attacks, the attackers encrypted the company’s system data and destroyed its online service system. More than 90% of Global Fortune 500 cooperative companies were affected.

October, M6 Group, The largest commercial television station in France

After being ransacked by ransomware, the company's phone calls, emails, office and management tools were all interrupted, and all employees were forced to "stop work".

Five Ransomware viruses of 2019



GandCrab appeared for the first time in 2018. After 5 iterations, it has spread to dozens of countries and regions including Romania, Brazil, India, and more than 1.5 million users worldwide have been infected. In the eyes of many people, GandCrab ransomware is definitely the most legendary character of 2019.

In June of this year, the GandCrab ransomware team announced with a high profile that in just one and a half years, they had earned more than 2 billion U.S. dollars, with an average annual income of 150 million U.S. dollars per person, so they decided to stop updating this malware and retired. 



Sodinokibi, also known as REvil ransomware, has obvious code overlap with GandCrab. Therefore, many people speculate that some members of GandCrab were reluctant to quit and started Sodinokibi from scratch.

Some variants of Sodinokibi will turn the victim's screen into dark blue and cast a net globally with a ransom ranging from 2500-5000 US dollars. In less than half a year, the ransomware has illegally profited millions of dollars.



When it comes to ransomware in 2019, GlobeImposter must be mentioned. The ransomware is also known as the Zodiac virus because it breaks into computers and encrypted files with the suffix "zodiac +4444". GlobeImposter has gone through eight iterations since its release in May 2017, and the suffix has also changed from "Zodiac" to "Twelve Gods" in Greece.

When talking about the ransomware in 2019, we must mention GlobeImposter. The ransomware virus was also known as the Chinese Zodiac virus, because after it penetrates into the computer, it will encrypt the file with the file suffix of "Zodiac sign+4444” (i.e. .Dragon444, .Pig4444, .Tiger4444, .Snake4444, .Rooster4444, .Rat4444, .Horse4444, .Dog4444, .Monkey4444, .Rabit4444 and .Goat4444) ". GlobeImposter has gone through eight iterations since its launch in May 2017, and the suffix has also changed from "Zodiac sign+4444" to "Twelve Gods in Greece + 666" (i.e. Ares666, Zues666, Aphrodite666 and and Apollon666).

GlobeImposter virus mainly attacks through RDP remote desktop weak password. Last year, the real estate system in 10 cities of Shandong, china was attacked by GlobeImposter. This year, many enterprises, hospitals, and other institutions in China were attacked by GlobeImposter as well.



Stop ransomware, also known as Djvu ransomware, was one of the most active virus families in 2019. Compared with millions and tens of millions of dollars of ransomware, Stop takes the path of making small profits but quick turnover. The decryption ransom requires a ransom of US$980, and you can get a 50% discount by contacting the software author within 72 hours.

The virus mainly uses Trojan horse sites to spread by disguising as software cracking tools or bundling with activated software, and the rate of recruitment among users is extremely high.



Phobos is a very tricky ransomware. It uses RDP brute force cracking + manual placement to spread, and can easily encrypt every file on the victim's PC, turning them all into unopenable “.phobos”.

The Phobos virus may belong to the same organization as the Dharma virus (also known as CrySis), and the virus will self-replicate during operation and add a self-starting item to the registry. If the residual virus body of the system is not cleaned up, it is likely to be Encountered secondary encryption.

Ransomware has become the biggest threat to cybersecurity. Cybercriminals that use ransomware to carry out attacks are also the most harmful cybercriminal organization activities in the world. Ransomware has become the most popular and discussed malware in underground hacker forums.

  • Tag:
  • Security

Interested Blogs More