PyCL targets Windows OS and is distributed via an EITest Flash-based redirection that leads to the RIG EK. The security researchers who discovered this variant observed that it was distributed for only one day and noted that it does not securely encrypt files, leading them to believe that this was a “test-run” conducted by the malware authors.
CryptON, also known as Nemesis or X3M, targets servers running Windows OS and is distributed and executed manually via Remote Desktop Protocol (RDP) brute force attacks. CryptON does not contain a file extension list so it encrypts any and all file types it finds on the infected server.
Unlock26 targets Windows OS and is distributed through a Ransomware-as-a-Service (RaaS) portal named Dot-Ransomware. The portal contains a basic command-line interface (CLI) builder that helps users create a custom binary to infect victims.
Filecoder.E targets macOS, is written in the Swift programming language, and is distributed via BitTorrent through a file named “Patcher,” masquerading as a software pirating application. Once opened, the torrent contains an application bundle for the victim to install.
Hermes targets Windows OS and its method of distribution is currently unknown. Once a system is infected, Hermes copies itself to C:\Users\Public\Reload.exe, executes, and then launches system_.bat to delete the original installation file.
DynA-Crypt targets Windows OS and its method of distribution is currently unknown. This variant was developed using the Dynamite Malware Creation Kit and contains a number of individual executables and PowerShell scripts used to steal, delete, and encrypt data.
Erebus targets Windows OS and its method of distribution is currently unknown. Once a system is infected, the Erebus installer utilizes a User Account Control (UAC) bypass method to prevent the system from displaying a prompt asking for elevated privileges. It then modifies the Windows registry and changes the .msc file association to launch the Erebus executable.
Ranion targets Windows OS and is distributed through the Ransomware-as-a-Service (RaaS) business model. Although its developer claims that Ranion exists only “for educational purposes,” it is still being sold at a profit as anyone can buy into this distribution network at the cost of 0.95 Bitcoin per year or 0.6 Bitcoin every six months.
Zyka targets Windows OS and its method of distribution is currently unknown. Zyka encrypts files using AES and appends .lock to their names.
Netix, also identified as RANSOM_NETIX.A, targets Windows 7 and Windows 10 and masquerades as applications designed to access hacked Netflix accounts. One of these applications, Netflix Login Generator v1.1.exe, displays a pop-up window with a “Generate Login” button when launched; clicking the button displays what appears to be a username and password combination.
Satan is the name of a variant produced by a ransomware-as-a-service (RaaS) platform that was discovered by security researcher Xylitol. This RaaS platform, accessible only via the dark web, allows users to register an account and create ransomware campaigns.
Sage, a variant of CryLocker, was originally seen in December 2016 targeting Windows OS and being distributed via the RIG exploit kit. One month later, Sage 2.0 was spotted being distributed via spam emails, and researchers concluded that the Sage 2.0 distributor appears to be related to the Cerber, Locky, and Spora ransomware campaigns.
Spora targets Windows OS and is distributed through spam email. It is written in the C programming language and packed using the UPX executable packer. As of January 10, 2017, Spora is only affecting Russian users and masquerading as an invoice from 1C, a Russian accounting software company.
FireCrypt targets Windows OS and is distributed as a ransomware kit. It is built using a command-line application called BleedGreen that permits the creation and modification of settings, as well as the creation of executables that can be disguised as other file types.
KillDisk, originally a malware variant designed to wipe data from hard drives, now includes ransomware capabilities.
Merry X-Mas targets Windows OS and is distributed through spam emails containing a malicious link.
OpenToYou targets Windows OS and its method of distribution is currently unknown.