
The most popular ransomware strains targeting UK businesses

What threats you're likely to face can significantly depend on the region in which you operate

Regardless of the type of industry you're in, the size of your workforce, the products and services you create, or the value of the data you hold, you have one thing in common with every other digital business: You are a target for ransomware.

In 2019 we saw a surge in the number of ransomware attacks against businesses. The UK alone saw a 195% increase in reported incidents, reflected in an estimated 6.4 million ransomware attacks in the first half of 2019 - which makes it the most targeted region in the world behind the US. This issue has been compounded further by the rise of ransomware as a service, with a significant proportion of attacks in the UK now being launched using hired malware.

You don't need us to tell you how serious a threat ransomware poses to business, nor how damaging it can be if an attack is successful. However, while the threat itself is easy to recognise, it's not always clear precisely which ransomware is likely to target your business, and given that many hundreds, potentially thousands, of strains exist in the world, deciding on what preventative measures to take can feel a little like guesswork.

The good news is that we now have some idea what ransomware is becoming popular among hackers targeting the UK. Cyber security firm Malwarebytes recently analysed the distribution of malware across the world, including a breakdown of the UK's most popular ransomware families, and presented its findings at London's DTX Europe in October 2019.

As you can see from the charts above, the region in which your business operates is a significant factor in determining what ransomware you are likely to encounter. However, it's also worth pointing out that GandCrab, by far the most popular across all regions, and Cerber were both distributed as ransomware as a service.

Yet, this doesn't give the whole picture for UK businesses. In fact, in the list of the top five most targeted regions in the UK, a London borough only features twice. Manchester, Royal Kensington and Chelsea, Reading, Harrow and Leeds faced the highest number of ransomware attacks between 2018 and 2019, but the types of malware used differed drastically.

As is reflected in the European average, GandCrab made up a significant chunk of the attacks against Manchester businesses and those in the London borough of Royal Kensington and Chelsea. However, there were no GandCrab attacks recorded in Harrow, Reading or Leeds.

What's equally surprising is that a ransomware strain known as BTCWare, which was not featured in the EMEA analysis, made up 80% of the attacks against businesses in Reading.

"Reading is the only one with this big BTCware section. BTCware is ransomware that works on RDP (remote desktop protocol, see below), so is basically installed if there is an RDP breach. So the delivery method is very manual. The only thing I can think of is that in Reading there are lots of RDP servers," explained Malwarebytes sales engineer Claudio Tosi.


GandCrab's popularity has made it a best seller in the ransomware space, allowing users with very limited malware knowledge to tailor the scope of their attack and the nature of their intended campaign using an online tool, and then pay for the service on a sliding scale. This effectively removes the risk to the individual and makes it near impossible to identify the true source of an attack.

Spread through phishing emails, this strain attempts to convince users to open an attachment, often using romantic phrases and references to Valentine's Day or love letters. However, some of the more business-focused GandCrab attacks have even used fake updated emergency exit maps or similar notices that pretend to be of critical importance. These attachments contain malicious JavaScript that is automatically triggered if the file is downloaded.


The script will then start to encrypt every file on a user's system, and those it is connected to. The victim will then be instructed to pay a ransom in order to get their files back.

Cyber security firm Avast suggests the following extensions are often used during GandCrab infections:

.GDCB, .CRAB, .KRAB, .%RandomLetters%

foobar.doc -> foobar.doc.GDCB
document.dat -> document.dat.CRAB
document.xls -> document.xls.KRAB
foobar.bmp -> foobar.bmp.gcnbo

What's unusual about this ransomware is that we know its author is no longer in operation. "A fun fact about GandCrab is that its creator decided six months ago to retire," said Tosi. "They sent out a message to everybody saying 'guys I'm cashing up, I'm retiring, sorry about that, that's it, finished, I'm closing my ransomware as a service'. This guy is informing his customers."

Defending against GandCrab

The best defence is to have a robust security suite in place to prevent the ransomware from triggering if it is accidentally downloaded; most anti-virus software will be able to detect GandCrab.

However, it's also important to be vigilant against the tell-tale signs of GandCrab, especially the distinguishable phishing emails that it favours.

As a result of hacking efforts by Europol last year, certain versions of GandCrab can be decrypted using free online tools, allowing a user to recover their files fairly quickly.

Avast also offers a free GandCrab decryptor tool.


A Ryuk ransomware note, courtesy of Checkpoint

Ryuk is a fairly recent entry to the ransomware industry, having emerged just last year. Although it is often spread using spam email campaigns, it's also used to target specific organisations for high payouts.

"Ryuk always for some reason spikes during the holidays," explained Tosi. "So during Christmas time usually we get some presents, well in the UK [in 2018] we got Ryuk. It [then] lay dormant for a few months, and after that it surfaced again on 13 September, which was a Friday. Friday the 13th was the day they chose to start Ryuk again. It's just fantastic."

Researchers have also discovered that the Ryuk strain shares many similarities with the Hermes ransomware, which is believed to have originated from North Korea. However, investigations seem to suggest that the Ryuk variant was a Russian creation.

The file extension of .RYK is often associated with Ryuk infections.

Defending against Ryuk

Robust security software is also highly effective at stopping Ryuk in its tracks.

However, Ryuk uses the extremely robust RSA encryption algorithm and there are currently no free online decryption tools, which makes it near-impossible for users to brute force their way back to their files. This means a full system restore from a secure backup is necessary following an attack.



First discovered in early 2018, the Rapid ransomware is unusual in that it will stay hidden on a user's system and encrypt new files as they are created, before later emerging to demand a ransom.

The ransomware has received four updates in its history, which adjusted the extensions given to encrypted files and added new email addresses to allow victims to contact the authors. Ransom notes tend to be short and concise, asking the victim to contact the attacker directly in order to recover their files.

The Rapid ransomware is normally spread through malicious emails that masquerade as official notices. Most recently the authors have used messages claiming to be from the US Internal Revenue Service (IRS), alerting users that they owe back taxes.

The ransomware usually changes file extensions to .rapid as part of the encryption process.

Defending against Rapid

Because the attackers favour professional-looking emails, errors in them are easier to spot: messages are often not tailored to specific countries, and most official organisations will rarely contact users in this manner.

Given the slow nature of the encryption process, it's also possible to stumble upon encrypted files before a user is locked out of their system, during which time anti-malware software can be run to remove the threat.

However, once files are encrypted (even if spotted early), there are currently no decryptor tools available to recover them. Unfortunately, a full system lockout requires a full system wipe and restore to regain access.


The Cerber ransomware made up a significant chunk of attacks in Harrow and Leeds (45% and 17% respectively), and retains a healthy presence across the EMEA region.

Alongside GandCrab, it's an example of malware released as ransomware as a service, with its authors taking a 40% cut of any extorted funds.

The ransomware maintains a number of different versions that are all in operation, making it difficult to defend against. It uses elaborate phishing scams, often using infected Microsoft Word documents, to silently infect a user's machine and begin encrypting system files. Once that is complete, it will change the user's desktop wallpaper to a recognisable splash screen (above) to notify victims of an infection, providing instructions for paying the fee to unlock the files.

A Cerber infection is normally associated with files with the extension .cerber or numbered variants like .cerber1, .cerber2 and so on.

Defending against Cerber

As with most other malware strains, having anti-virus software actively running on your machine should prevent Cerber from activating if a download is attempted. However, it's common for Cerber to be bundled into more malicious packages, such as rootkits, that can disable your anti-virus before attempting to run Cerber.

Unfortunately, like Ryuk, Cerber also uses RSA encryption, making it incredibly difficult for users to get their files back in a timely manner.


BTCWare is one of the older ransomware families still operating in the UK, having first been discovered in 2017.

This strain exclusively targets Windows-based systems by brute-forcing weak remote desktop protocol (RDP) passwords and manually installing a malicious program. However, the strain has also been known to use spam email campaigns, often sending messages with no subject line or body text and a malicious ZIP file attached.

According to Avast, BTCWare infections will result in the following file extensions:

foobar.docx.[].theva
foobar.docx.[].cryptobyte
foobar.bmp.[].cryptowin
foobar.bmp.[].btcware
foobar.docx.onyon

BTCWare has received a number of updates during its lifetime, but generally speaking the encryption process has remained the same. This includes creating registry entries so that the ransomware can run each time the system is rebooted and providing an email address so the attackers can be contacted.


Defending against BTCWare

As is the case with other strains, robust security suites are capable of spotting and neutralising BTCWare threats before they can activate.

If for whatever reason BTCWare ransomware has infected a system, there have been a variety of free decryptor tools released over the years to help users recover their files almost immediately.



One of the more recognisable and volatile ransomware strains is the Jigsaw variant. This family is known for adopting the fictional villain "Billy the Puppet" from the Saw film series, a picture of which is included in the ransom note.

The ransomware is also known for its aggressive and menacing approach, demanding payment within a specific time frame, generally 60 minutes, before deleting files one by one. After 72 hours, all encrypted files will be deleted. The strain will also 'punish' users by deleting large chunks of files, usually around 1,000, if the user ignores the demand by trying to reboot their system.

According to Avast, Jigsaw infections will use the following extensions:

.kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush, or .gefickt.
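The extension lists quoted for GandCrab, Ryuk, Rapid, Cerber, BTCWare and Jigsaw above can be turned into a quick triage pass over a file listing. The script below is an added example, not code from the article or from Avast or Malwarebytes; the sample listing is constructed, and it also covers the GandCrab random-extension case, which can only be reported as unmatched.

```python
import re
from collections import Counter
from typing import Optional

# Extension patterns per family, built from the extensions the article lists.
# A match is a triage indicator only: .encrypted, .xyz and .btc are generic,
# and GandCrab also uses random extensions that no fixed list can cover.
FAMILY_PATTERNS = {
    "GandCrab": re.compile(r"\.(gdcb|crab|krab)$", re.I),
    "Ryuk":     re.compile(r"\.ryk$", re.I),
    "Rapid":    re.compile(r"\.rapid$", re.I),
    # .cerber plus numbered variants such as .cerber1, .cerber2
    "Cerber":   re.compile(r"\.cerber\d*$", re.I),
    # BTCWare inserts a bracketed segment before the final extension, or uses .onyon
    "BTCWare":  re.compile(r"(\.\[[^\]]*\]\.(theva|cryptobyte|cryptowin|btcware)|\.onyon)$", re.I),
    "Jigsaw":   re.compile(
        r"\.(kkk|btc|gws|j|encrypted|porno|payransom|pornoransom|epic|xyz|versiegelt"
        r"|payb|pays|payms|paymds|paymts|paymst|payrms|payrmts|paymrts|paybtcs"
        r"|fun|hush|gefickt)$", re.I),
}

def classify(filename: str) -> Optional[str]:
    """Return the family whose extension pattern matches the filename, or None."""
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern.search(filename):
            return family
    return None

def triage(filenames):
    """Count matching files per family; return (Counter, list of unmatched names)."""
    counts, unmatched = Counter(), []
    for name in filenames:
        family = classify(name)
        if family:
            counts[family] += 1
        else:
            unmatched.append(name)   # clean files and unknown extensions land here
    return counts, unmatched

# Constructed sample listing for demonstration, not data from a real incident.
SAMPLE_LISTING = [
    "foobar.doc.GDCB", "document.xls.KRAB", "foobar.bmp.gcnbo",  # GandCrab (last: random ext)
    "quarterly.xlsx.RYK", "invoice.pdf.rapid",                   # Ryuk, Rapid
    "notes.txt.cerber", "photo.jpg.cerber2",                     # Cerber
    "foobar.docx.[].btcware", "foobar.bmp.[contact].cryptowin",  # BTCWare ([contact] is a placeholder)
    "report.docx.fun", "readme.txt.J",                           # Jigsaw
    "budget.xlsx",                                               # clean
]

if __name__ == "__main__":
    counts, unmatched = triage(SAMPLE_LISTING)
    print(dict(counts), unmatched)
```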

The ransomware is generally spread through malicious spam email attachments and has inspired a number of variants, all of which deploy their own characters or images to play games with their victims.

Defending against Jigsaw

Despite the menacing appearance and language employed by the ransomware, Jigsaw is relatively easy to defend against.

Anti-virus software can spot Jigsaw ransomware before it's able to execute, and so this should be installed and maintained on every system.

However, Jigsaw is also one of those variants that have been cracked by security researchers, meaning there are plenty of easily accessible online decryptors available.
