Locky and beyond: The biggest Ransomware threats of 2016

Ransomware is nothing new, but it’s a topic that has forced itself upon us with a new vengeance this year; we’ve seen a 3,500% increase in attacks in 2016 alone. Ransomware is a particularly dangerous form of malware which, once it has infected your computer, locks down your files and orders you to pay a ransom in order to get them back – hence the name.

Ransomware usually infiltrates your system via an email attachment in the form of a .zip or .docm file. In the past, cyber criminals would send these files to anyone and everyone in a ‘spray and pray’ attack, and hope that a few technophobes opened it. Now Ransomware is more intelligent and more targeted. Hackers will pose as CEOs or Directors, monitoring their online presence in order to convincingly pose as them. Ransomware emails now might look like a business update from your Chief Executive with a not-so-innocent file attachment. This technique is known as spoofing, and it’s becoming a common practice on the underbelly of the internet. Check out our blog on spoofing.

We’ve spoken at length on the TSG blog about the Locky, Zepto and Odin strains of Ransomware, but there are actually over 120 ‘families’ of Ransomware. Here we take you through some of the other biggest strains of the Ransomware virus in 2016, and how you can prevent them.


Locky

Locky is now a well-known and established family of Ransomware. It’s the third most common malware virus, accounting for 6% of all malware attacks in 2015. Its name derives from the file extension attached to encrypted files: .locky.

Locky is clever in its nature, hiding its malicious code in a .docm file, and telling you to enable macros if the document’s encoding is “incorrect” – which it always is, or at least appears to be. The Wingdings-style text in the document tricks users into thinking that enabling macros will unscramble the text; in fact, the code in the document saves a malicious file to the disk, which acts as a downloader for the final part of the Ransomware programme.

How do I prevent Locky?

First and foremost, don’t open any suspicious email attachments. Many of us in the technology industry know how to spot a dodgy email or attachment – but just because we’re familiar with them, doesn’t mean everyone is. Hackers are now favouring the spoofing technique, posing as employees, CEOs or someone you know and trust. Ask yourself, were you expecting this email? Is that their correct email address? (Often hackers will create an email address that, at a glance, looks like your company domain.) Is the file extension familiar? You should never download .zip or .docm files unless you were expecting them.

In the same vein, never enable macros in a document unless it’s from a trusted source. Hackers rely on the macro-enabled content to execute the Ransomware download. Microsoft disabled macro content by default for this very reason.
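The checks described above (is the sender’s domain a near-copy of yours, is the attachment a .zip or .docm, does the file carry macros) can be automated at the mail gateway. The following is an added example, not code from the original post; `example.com`, the 0.85 similarity threshold and the function names are assumptions, and the sample message is constructed.

```python
import io
import zipfile
from difflib import SequenceMatcher
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXTENSIONS = (".zip", ".docm")  # the attachment types the article warns about
COMPANY_DOMAIN = "example.com"        # assumption: replace with your real mail domain

def has_vba_project(data: bytes) -> bool:
    """A macro-enabled Office file is a ZIP package holding a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            return any(n.lower().endswith("vbaproject.bin") for n in pkg.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes) -> list[str]:
    """Return the reasons, if any, to treat this message as suspicious."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    similarity = SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()
    if domain != COMPANY_DOMAIN and similarity >= 0.85:
        findings.append(f"sender domain {domain} imitates {COMPANY_DOMAIN}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")
        if has_vba_project(part.get_payload(decode=True) or b""):
            findings.append(f"macro project inside: {name}")
    return findings

def build_sample() -> bytes:
    """Constructed test message: spoofed CEO sender plus a harmless fake .docm."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/vbaProject.bin", b"placeholder, not a real macro")
    msg = EmailMessage()
    msg["From"] = "Chief Executive <ceo@examp1e.com>"
    msg.set_content("Please review the attached update.")
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="octet-stream", filename="business_update.docm")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(triage(build_sample())))
```

Because the macro check looks inside the file rather than at its name, it still fires when a macro-enabled document has been renamed to .docx or .doc.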


Petya

Petya ushered in a new, more insidious type of Ransomware that’s harder to eradicate. Instead of just encrypting files one by one, Petya overwrites the Master Boot Record (MBR). The MBR is the information on the hard drive or the hard disk that identifies the operating system (i.e. Windows, macOS) so it can start. By overwriting the MBR, Petya prevents infected devices from booting up. It’s certainly more likely to bring businesses to a halt than simple file encryption. Petya is the first known strain of Ransomware that goes beyond simple file encryption, and could pave the way for more MBR-encrypting Ransomware viruses.

According to Trend Micro, Petya is distributed in emails purporting to be job applications. But rather than attaching a .docm file with malicious macros, Petya emails often contain a link to a shared Dropbox folder containing a self-extracting archive that looks like a candidate application and photo. Once downloaded, the Ransomware is executed and installed. Users then see what has been dubbed the Blue Screen of Death (BSOD) – a critical Windows error that forces the PC to reboot. Users will then see a familiar screen: the check disk operation that is triggered when a computer reboots. But this is a fake screen that distracts from the Ransomware operation that is encrypting the Master File Table (MFT – there’s a lot of acronyms, isn’t there?)

This is essentially a shortcut to encrypting your files. Instead of doing it one-by-one, Petya scrambles the MFT so that it can’t locate your files – much like the MBR that now can’t locate your operating system.

How do I prevent Petya?

Many Ransomware strains are delivered through email attachments, but Petya has brought to light the dangers associated with file-sharing platforms. Be vigilant: if you wouldn’t open a file attachment from an unknown source, don’t click a link – Dropbox or otherwise.

You can also prevent Petya from carrying out stage 2 of its attack – encrypting the MFT – by turning off the ‘automatic restart after a system failure’ option on your computer.

If you’re unlucky enough to be infected with Petya, there is a solution.


Satana

Aptly named after the devil, this Windows-specific strain of Ransomware evolved from Petya, and is the second known Ransomware virus to encrypt the MBR. Unlike Petya, that’s where it stops, rather than continuing to encrypt the MFT. Satana also combines typical Ransomware file encryption with an encrypted MBR, and doesn’t allow users to pay the ransom on the infected PC – you’ve got to use another computer. Not exactly making it easy to receive payment are you, cyber criminals?

It’s not clear how Satana presents itself to users – it’s most likely via an email, but there’s no specific type of message, persona or target.

When it was released in June 2016, Satana was still in its infancy. It’s received little coverage since the summer, but many in the security industry fear it could have evolved into a new strain, or is being amended before cyber criminals use it to attack again.

How do I prevent Satana?

Again, be vigilant. While we might not know who cyber criminals using Satana are posing as, you should still never open an attachment or click on a link from an unfamiliar source. Even with familiar sources, like colleagues or friends, check the email content. If it doesn’t sound like them, don’t open anything.

Because, like most Ransomware, Satana encrypts users’ files, it’s a good idea to regularly back up your data.


Ranscam

Emerging in summer 2016, Ranscam is a particularly malevolent form of Ransomware. Rather than encrypting files, it destroys them and still demands a ransom, leading the user to believe there’s a possibility they’ll get their files back.

Ranscam hammers home the important message that paying the ransom does not guarantee you’ll get your files back. In the case of Ranscam, there’s no chance at all you’ll be given a decryption key, because your files are already gone. Ranscam uses cruel scaremongering tactics by telling the victim that, if they click the button to confirm they’ve paid and the payment comes back ‘unverified’, they’ll delete one file. Ranscam is one of the few Ransomware strains that doesn’t take users to an external location to verify payment – their button, however, doesn’t verify payments at all but rather flashes up a ‘payment not made’ image file. So even if you’ve caved and paid these particularly nasty hackers, you’ll be told you haven’t. And you’ll never get your precious files back.

How do I prevent Ranscam?

At the risk of sounding repetitive, be vigilant. Ranscam highlights the necessity of backing up your files regularly and securely. Should you have the misfortune of being infected by Ranscam and you lose your precious files (remember these hackers actually have no way of recovering your files), you can restore them to your PC. Preventative measures should also be taken, so get your hands on a good anti-virus solution; we recommend Sophos Intercept X, which has been designed specifically to stop Ransomware. Many argue Ranscam’s malware isn’t as sophisticated as its competitors, but its scare tactics and deletion of your files mean you should take it seriously.


Stampado

Again this Ransomware virus first appeared in summer 2016 (we’re sensing a theme here…) and like Ranscam, threatens to delete random files. But this time it’s more than an empty threat. Stampado gives users 96 hours to pay up, deleting random files every 6 hours until the payment is made.

Victims must email the hackers in order to receive instructions on how to make payment, and in turn provide hackers with their email address. The hackers also advise the victim to send one encrypted file, which will be decrypted and sent back to the user; this ‘proves’ that they do have the ability to decrypt files. How kind of them.

You can breathe a small sigh of relief, as developers have released multiple decryptors for Stampado. The worrying part is how vociferously malware creators are marketing Stampado – it’s available for only $39; tuppence compared to the usual charges for Ransomware distributors. The kind (ahem) creators even released a video showing Stampado in action, from file creation, to encryption and decryption. Stampado could signal the beginning of an era where Ransomware is available to the masses.

How do I prevent Stampado?

Aside from treating all unknown or unexpected emails suspiciously, there are decryption keys available for Stampado. But that doesn’t mean you can rest on your laurels – for every decryptor or anti-virus solution that prevents or removes Ransomware, another stronger and harder to remove strain appears.

Again, the best way to prevent Stampado and other forms of Ransomware is to install a robust anti-virus programme. The new Sophos Intercept X anti-virus prevents all known strains of Ransomware at the point of contact, and puts security measures in place following the attack to bolster your system in the future.


PowerWare

By now, you should be familiar with the Locky Ransomware virus. We’ve detailed it above, and it’s actually the most recognised and problematic strain of Ransomware. The latest version of PowerWare uses Locky’s status to bully victims into paying, by pretending to be Locky. By mimicking the established Ransomware’s tactics, PowerWare tricks users into believing they’re dealing with a sophisticated threat, rather than one that’s undeveloped.

Like Locky, PowerWare infects machines through malicious macros in macro-enabled Word documents. It hides its virus using Microsoft PowerShell, Windows’ automation and scripting language tool. Once the malicious macros are enabled, they prompt PowerShell to download the ransomware script. PowerWare then commands PowerShell to encrypt the user’s files.

How do I prevent PowerWare?

You know what I’m going to say, don’t you?

Because PowerWare isn’t as vicious or as sophisticated as Locky, it’s easier to remove – for now. PowerWare only encrypts the first 2048 bytes of files, and uses AES-128 encryption. A Python script has been created that extracts the decryption key from the Ransomware, allowing you to decrypt your precious files.
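Encrypting only the first 2048 bytes leaves a measurable fingerprint: the header looks random while the rest of the file keeps its normal structure. The following is an added example for incident triage, not the Python decryption script mentioned above and not code from the original post; the entropy thresholds and function names are assumptions, and all sample data is constructed.

```python
import hashlib
import math
from collections import Counter

HEADER_LEN = 2048  # PowerWare encrypts only this many leading bytes (per the article)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def header_only_encrypted(blob: bytes, high: float = 7.5, low: float = 6.0) -> bool:
    """Flag files whose first 2048 bytes look random while the remainder does not."""
    head, tail = blob[:HEADER_LEN], blob[HEADER_LEN:]
    if len(head) < HEADER_LEN or len(tail) < HEADER_LEN:
        return False  # too small to compare the two regions reliably
    return entropy(head) >= high and entropy(tail) <= low

def constructed_samples() -> dict[str, bytes]:
    """Constructed data: plain text, a header-scrambled copy, and all-random bytes."""
    text = b"Quarterly figures for the board meeting, draft two.\n" * 200
    # Deterministic pseudo-random stand-in for ciphertext (64 x 32 = 2048 bytes).
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
    return {
        "plain": text,
        "header_encrypted": noise + text[HEADER_LEN:],
        "fully_random": noise * 3,  # stands in for compressed or fully encrypted data
    }

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name}: header_only_encrypted={header_only_encrypted(blob)}")
```

The heuristic only separates file types that are normally low-entropy, such as text, CSV or uncompressed documents; compressed formats are high-entropy throughout and are deliberately not flagged.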

But of course, prevention is better than cure. So follow our recurrent advice: back up your data, use the best anti-virus solution you can get your hands on, and be suspicious of email links and attachments.

And the rest…

There are so many new strains of Ransomware popping up that it would be impossible to mention them all in this blog. But there are some more noticeable strains: Cerber, a sophisticated family which forces PCs to reboot before starting the encryption process; CryptoMix, a ‘bare bones’ Ransomware variant that keeps victims waiting for email instructions, and charges an eye-watering 5 BTC (roughly £2500) for the decryption key; Fantom, which mimics the infamous automatic updates from Windows 10 and gives users warnings that they have a one-week time limit, and that attempts to recover their files themselves will destroy them; and Nemucod, an ever-evolving strain which reaches users through fake invoicing emails.

How to prevent Ransomware

Here are our top tips for preventing Ransomware:

Look out for suspicious emails

The first step in avoiding a Ransomware attack is to not allow it to infect your machine. The favourite method of hackers is sending an email with a malicious attachment or link. If you have even a shred of doubt, don’t open or download anything. Remember: hackers are now more likely to pose as someone you know rather than sending out hopeful nonsensical emails.

Back up your files

I can’t stress how important this is. Not only is it prudent full stop – because there are other ways of losing your files, like a crashed PC or a fire, for example – but it means if you’ve fallen victim to Ransomware, you’ve got a copy of your precious files and it negates any need to pay the ransom. You can back them up on an on-premise server, in the cloud, or on hardware devices like USB sticks or external hard drives. It’s good to back up in a variety of ways to fully cover yourself.

Use a Ransomware-specific anti-virus solution

Ransomware is growing at an alarming pace, getting more intelligent and harder to shift. But as Ransomware gets cleverer, so do anti-virus solutions, which are designed to stop Ransomware at the point of infiltration. You can use email filters to stop Ransomware emails reaching you in the first place, but because hackers are doing a good job of imitating someone you know, some might slip through.

Sophos Intercept X has been designed specifically to deal with Ransomware. Using its innovative Cryptoguard feature, Sophos Intercept X blocks the Ransomware from encrypting your files. What’s more, following the unsuccessful attack, Sophos Intercept X’s Root Cause Analysis (RCA) tool will identify the point of entry and make improvements to your system that will prevent more attacks in the future. Finally, the Sophos Clean tool trawls your system and removes any trace of spyware and malware that has embedded itself deep in your system. This cleanses your entire system of corrupt and dormant malware threats.

You can read our blog on Sophos Intercept X, or sign up to our webinars to see it in action.

Keep your systems up-to-date

While keeping your anti-virus solution up-to-date is obvious, you should keep your operating system and programmes up-to-date too. While it might seem like a hassle to install an update every so often, updates often serve the purpose of making the products more robust against evolving malware.

Keep up-to-date on Ransomware

Keeping abreast of the latest evolutions in Ransomware is key to staying safe. Subscribe to TSG’s blog below to never miss another update. You can also get in touch with our specialist security team if you’ve got any questions about Ransomware.