Who doesn’t love ransomware?  Today we are going to talk about a couple of variants of ransomware that hit unsuspecting organizations in 2019.  If you haven’t heard of ransomware before, let’s start with a small reminder of what ransomware is.

What is Ransomware?

Ransomware is a type of malware that simply holds your systems ransom, usually by encrypting things.  Ransomware got its name since the creators of these malware variants often include information on how to pay their ransom, and theoretically unlock your files.  Ransomware can infect a system in any number of ways, and once it has gotten inside your network tends to propagate quickly and spread the infection.

We are going to take a look at the following three ransomware variants that were active in 2019, in no particular order:

  • Nemty
  • Gh0st
  • REvil

I picked them since they looked interesting.  Now, on with our analysis.


Nemty is a ransomware variant that is believed to spread through RDP.  This makes it particularly nasty in the enterprise because, well, who doesn’t use RDP?  You would think that organizations would have learned the dangers of RDP exposed to the Interent, but you would be surprised at how many did not even after more and more ransomware variants have begun to use this attack vector.

Nemty provides users a website to visit on the tor network to upload a file on their computer, and decrypt their files – after paying the ransom, of course.  Nemty requested a ransom payment of approximately 1000 dollars.  Of course this is an approximation since the ransom was requested in Bitcoin.


The Gh0st ransomware usually infects users via e-mail attachment, either .pdf or .docx file.  This makes Gh0st especially dangerous since these file types are so frequently used, and sent in e-mail.  It appends .ghost to the end of each file as it encrypts it, similar to Nemty.

E-mail based ransomware is especially dangerous since it can be a waypoint into an organization, or infect a personal machine of someone who isn’t very computer savvy.  With a payment of approximately 360 dollars requested in Bitcoin many may be compelled to simply pay the Gh0st ransom…if they can figure out how.


REvil is an especially nasty ransomware variant because it can propagate in so many different ways.  In particular, it can exploit Win32k if CVE-2018-8453 is not mitigated, and let’s face it.  Many ransomware attacks are successful due to lack of patching in the target environment.

What makes REvil even worse is the number of configuration parameters built into it meaning attacks may differ.  Unlike Gh0st and Nemty, a random file appendage is generated when the ransomware runs and appended to each encrypted file.  It also collects a number of statistics about the compromised system, much like many other ransomware variants.

A Ransomware Breakdown

If you explore ransomware, you will begin to see that many ransomware variants have similar behaviors.

Most ransomware will first delete shadow copies to make recovery more difficult.  Files will then be encrypted, and a new file extension applied to each encrypted file.  Of course, the ransomware will ask for its ransom, most likely in Bitcoin.

Last but certainly not least, the ransomware will propagate across the network in some method.  This is why patching becomes so critical, since ransomware will often exploit vulnerabilities.  It may be exploit a known or unknown vulnerability, which makes the patching process itself in any organization so important.

These are just three interesting ransomware variants that popped up in 2019.  Unfortunately, 2020 will undoubtably introduce even more different types and kinds of ransomware.

Be sure to let us know your favorite ransomware of 2019 in the comments!