
Reviews of Top 10 Ransomwares in 2020



Cybersecurity researchers estimate that the number of ransomware attacks doubled in 2020 compared to 2019, which shows that the epidemic affects not only the health of people but also the health of networks. While the growing extortion capability of ransomware keeps threatening the banking, government, insurance and manufacturing industries, the work-from-home trend has also led more people to use low-security private networks as their primary way into work systems, which gives ransomware a bigger opportunity to launch attacks easily.


For corporate and personal IT environments alike, ransomware remains a huge danger. It attacks the victim's network and encrypts critical or sensitive data, which is held in exchange for a ransom. The attackers also sell this data over the Internet to earn extra profit.


As a specialized backup solution vendor, Vinchin lists the 10 most widespread ransomwares of 2020, with tips to help you effectively minimize the risk of ransomware attacks.


NO.1 REvil

REvil is ransomware specialized in data encryption: once it gets the chance to go deep into a system, all data will be encrypted in seconds. Usually, if victims fail to complete the bitcoin payment within the required time limit, the hackers immediately double the ransom.

According to the media, REvil has found ways to leak private information, personal PC screenshots of files and even tour contracts of a number of celebrities, including Drake, Rod Stewart, Elton John, Mariah Carey, Madonna, Bruce Springsteen, Bette Midler and Barbra Streisand.



NO.2 Sodinokibi

Sodinokibi is malware also known as Sodin. It was widely spread through a zero-day bug in Oracle WebLogic during Sep 2019. After the bug was fixed, it continued to deploy attacks through remote desktop servers and bugs in other software installation applications.

Some analysts found that the code of Sodinokibi is similar to that of GandCrab, the most well-known ransomware of 2018, which leads them to suspect a strong relationship between the two ransomwares.



NO.3 Nemty

Unlike other ransomwares, Nemty behaves more like a ransomware service provider. It was often advertised on Russian pirate forum websites and was active from the summer of 2019 to 2020.

While it operated as RaaS (ransomware as a service), its customers could access a portal that allowed them to create a special version of Nemty, which they could later spread in whatever way they liked.

Phishing emails played an active part in the spread of Nemty. When the victim of a Nemty infection pays a ransom, 30% of the payment is transferred to the Nemty developer, while the rest belongs to the customer.

A few months ago, the developers of Nemty announced that they would no longer provide ransomware services and would keep the ransomware for their own use only. They also emphasized that if the customer does not pay within a week, the files they get from the victims will not be saved.


NO.4 Nephilim

When this ransomware first appeared, cybersecurity researchers found its source code to be extremely similar to Nemty's. If victims refuse to pay the ransom, the hackers post their sensitive data in public.

The victims of Nephilim tend to be large organizations and companies. In Nov 2019, hackers planned to attack government bodies and companies through a weakness they found in Citrix Gateway. They also use bugs in remote desktop networks and VPNs to encrypt victims' data.

In the ransom note, the hackers emphasized that the data had been encrypted with military-level algorithms and that the sensitive data was no longer a secret. To prove their claim, the Nephilim hackers decrypted two of the victim's encrypted files, to make them believe that only the hackers can decrypt the files.


NO.5 NetWalker

NetWalker, also known as Mailto, is one of the latest variants of Mailto and one of the most destructive entries on the 2020 ransomware list. Government agencies, medical organizations, enterprises and telecommuters are all NetWalker's targets.

NetWalker uses the victim's network to encrypt all Windows devices. According to the analysis of network security researchers, NetWalker usually attacks through coronavirus-related phishing emails or executable files spread over the network.


NO.6 DoppelPaymer

The DoppelPaymer ransomware and its variants first appeared in April 2019 and targeted the first batch of victims in June. So far, 8 different variants have been discovered.

After encrypting victims' files, DoppelPaymer leaves them a note stating the ransom amount, with a link for paying through TOR. It has been confirmed that the cybercriminals have collected a total of 142 bitcoins, approximately $1.2 million, from 3 victims so far.


NO.7 Ryuk

Ryuk is one of the most active ransomwares. It uses other malware to infect the target system and can also access systems such as EMCOR and Remote Desktop Services. For each file, it uses unique military-grade algorithms such as RSA and AES to prevent victims from accessing the attacked system or equipment until the ransom is paid.

Large companies and government agencies are Ryuk's main targets. EMCOR, a Fortune 500 company headquartered in the United States, was once attacked by this ransomware, which left some of its IT systems unavailable.

NO.8 Maze

The Maze ransomware was previously called ChaCha and was discovered by Jerome Segura on May 29, 2019. Maze launched attacks using attack tools called Fallout and Spelevo to steal sensitive data, encrypt files, and demand ransom from victims.

Maze is the most dangerous virus in the world. If the ransom demand is not met, all private data will be released. It is said that Cognizant, Canon, Xerox and some organizations in the healthcare industry are all victims of Maze ransomware.



NO.9 CLOP

It was discovered that hackers use the CLOP ransomware to attack companies and organizations around the world through phishing, destroying sensitive data and transferring it to their own servers. CLOP adds the ".clop" extension to every encrypted file and also creates a "ClopReadMe" .txt file. The ransomware uses the RSA algorithm to encrypt data, and the generated key is stored on a remote server controlled by the hackers.


If the ransom negotiation fails, the hackers publish all data on a leak website on the dark web called CL0P-LEAKS. In addition, the latest version of CLOP can disable local security products such as Windows Defender and Microsoft Security Essentials, and can also infect the system with Trojan horses or other malware.
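The two file-level indicators named above (the ".clop" extension and the "ClopReadMe" .txt note) are enough to scope which folders of a share were hit before choosing what to restore. The following is an added example, not code from Vinchin or from any CLOP analysis; the function names and the sample folder layout are constructed for illustration, and it assumes ".clop" is appended after the file's original extension.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from the text: ".clop" on encrypted files, a "ClopReadMe" .txt note.
SUFFIX = ".clop"
NOTE = "clopreadme.txt"

def scan_tree(root):
    """Return {relative_dir: {"encrypted", "intact", "note"}} for affected dirs."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        names = [f.lower() for f in files]
        encrypted = sum(n.endswith(SUFFIX) for n in names)
        notes = sum(n == NOTE for n in names)
        if encrypted or notes:
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": encrypted,
                "intact": len(names) - encrypted - notes,
                "note": notes > 0,
            }
    return report

def original_types(root):
    """Count pre-encryption extensions (assumes ".clop" was appended to them)."""
    types = Counter()
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().endswith(SUFFIX):
            types[Path(path.name[: -len(SUFFIX)]).suffix.lower() or "(none)"] += 1
    return types

def build_sample_tree(root):
    """Constructed sample data: a share where two of three folders were hit."""
    layout = {
        "finance": ["q1.xlsx.clop", "q2.xlsx.clop", "ClopReadMe.txt"],
        "hr": ["policy.docx.clop", "handbook.pdf", "ClopReadMe.txt"],
        "public": ["logo.png"],
    }
    for folder, files in layout.items():
        Path(root, folder).mkdir(parents=True)
        for name in files:
            Path(root, folder, name).write_bytes(b"sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
        print(dict(original_types(tmp)))
```

A folder with a note but a non-zero "intact" count was only partly encrypted, which usually means encryption was interrupted there.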


NO.10 Tycoon

Tycoon is a recently discovered type of ransomware. Many education and software companies have suffered its attacks. Tycoon is embedded in a trojanized version of the Java Runtime Environment, and it is the first ransomware to use the Java JIMAGE format to build a customized malicious JRE.

Since being discovered, Tycoon has shown a radical strategy. After infecting the victim's system, Tycoon denies access to the administrator and then launches another attack on the file server and domain controller. Although this ransomware is rather aggressive, weak passwords have always been its weak point.


How can we avoid ransomware attacks effectively?

  1. Use a long, complex login password that combines uppercase and lowercase letters, numbers, and special symbols, and change it regularly.

  2. Fix system bugs promptly, and do not ignore security patches for common services.

  3. Close non-essential services and high-risk ports such as 135, 139, 445 and 3389.

  4. Strictly manage admin access to shared folders, and use cloud collaboration as much as possible when data sharing is needed.

  5. Raise awareness of data security: do not click unfamiliar links, email attachments without credible sources, or files sent by strangers in instant messengers.

  6. Set up a backup plan for unified data center protection, and make sure data backups run on a regular schedule.

  7. Set up a recovery plan. Prepare ransomware response measures in advance and run DR drills regularly.

  8. Use multiple backup plans, including offsite backup, cloud backup and backup copy, to fully secure backed-up data.
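Tip 3 can be checked rather than assumed. The following added example (not part of the original post) parses `netstat -an` output in the Windows layout and reports TCP listeners on the four ports the tip names, skipping loopback-only bindings; the sample output is constructed and the function name is illustrative.

```python
import ipaddress

# Ports named in tip 3, with the Windows service normally behind each.
RISKY_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session",
               445: "SMB", 3389: "Remote Desktop"}

# Constructed sample in the layout printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3389         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:50123     203.0.113.7:445        ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:3389           *:*
"""


def risky_listeners(netstat_text):
    """Return sorted (port, local_address, service) for exposed TCP listeners."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue  # header, UDP, or a connection that is not a listener
        host, _, port = fields[1].rpartition(":")
        if not port.isdigit() or int(port) not in RISKY_PORTS:
            continue
        try:
            loopback = ipaddress.ip_address(host.strip("[]")).is_loopback
        except ValueError:
            loopback = False  # unparsable address: report it rather than hide it
        if not loopback:
            found.add((int(port), host, RISKY_PORTS[int(port)]))
    return sorted(found)


if __name__ == "__main__":
    for port, host, service in risky_listeners(SAMPLE_NETSTAT):
        print(f"{host}:{port} is listening ({service})")
```

An empty result on a workstation means none of the four ports accepts connections from the network; on a file server or domain controller some of them are expected and should be restricted by firewall rules instead.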


According to cybersecurity professionals, a reliable backup and recovery solution is the best weapon against ransomware attacks. Vinchin Backup & Recovery helps users keep all data safe with 0 ransom paid, and only the following 4 steps are required.

  1. Disable all file sharing on all devices as soon as ransomware is detected.

  2. Search for encrypted data to make a quick assessment.

  3. Find the latest available Vinchin restore point.

  4. Run an instant restore from the latest restore point to restart business in seconds.


Learning from various ransomware incidents, we can see that data backup is the best way to deal with ransomware. Back up important business data regularly and in advance, so that if any extortion event occurs, all important data can still be quickly restored to guarantee business continuity without paying any ransom.
