The most popular ransomware strains targeting UK businesses

What threats you're likely to face can significantly depend on the region in which you operate

Regardless of the type of industry you're in, the size of your workforce, the products and services you create, or the value of the data you hold, you have one thing in common with every other digital business: You are a target for ransomware.

In 2019 we saw a surge in the number of ransomware attacks against businesses. The UK alone saw a 195% increase in reported incidents, reflected in an estimated 6.4 million ransomware attacks in the first of half 2019 - which makes it the most targeted region in the world behind the US. This issue has been compounded further by the rise of ransomware as a service, with a significant proportion of attacks in the UK now being launched by hired malware.

You don't need us to tell you how serious a threat ransomware poses to business, nor how damaging it can be if an attack is successful. However, while it's easy to spot, it's not always clear precisely what ransomware is likely to target your business, and given that many hundreds, potentially thousands of strains exist in the world, deciding on what preventative measures to take can feel a little like guess work.

The good news is that we now have some idea what ransomware is becoming popular among hackers targeting the UK. Cyber security firm Malwarebytes recently analysed the distribution of malware across the world, including a breakdown of the UK's most popular ransomware families, and presented its findings at London's DTX Europe in October 2019.

As you can see from the charts above, the region in which your business operates is a significant factor in determining what ransomware you are likely to encounter. However, it's also worth pointing out that GandCrab, by far the most popular across all regions, and Cerber were both distributed as ransomware as a service.

Yet, this doesn't give the whole picture for UK businesses. In fact, in the list of the top five most targeted regions in the UK, a London borough only features twice. Manchester, Royal Kensington and Chelsea, Reading, Harrow and Leeds faced the highest number of ransomware attacks between 2018 and 2019, but the types of malware used differed drastically.

As is reflected in the European average, GandCrab made up a significant chunk of the attacks against Manchester businesses and those in the London borough of Royal Kensington and Chelsea. However, there were no GandCrab attacks recorded in Harrow, Reading or Leeds.

What's equally surprising is that a ransomware strain known as BTCWare, which was not featured in the EMEA analysis, made up 80% of the attacks against businesses in Reading.

"Reading is the only one with this big BTCware section. BTCware is ransomware that works on RDP (remote desktop protocol, see below), so is basically installed if there is an RDP breach. So the delivery method is very manual. The only thing I can think of is that in Reading there are lots of RDP servers," explained Malwarebytes sales engineer Claudio Tosi.


GandCrab's popularity has made it a best seller in the ransomware space, allowing users with very limited malware knowledge to tailor the scope of their attack and the nature of their intended campaign using an online tool, and then pay for the service on a sliding scale. This effectively removes the risk to the individual and makes it near impossible to identify the true source of an attack.

Spread through phishing emails, this strain attempts to convince users to open an attachment, often containing romantic phrases and references to Valentines Day or love letters. However, some of the more business-focused GandCrab attacks have even used fake updated emergency exit maps or similar notices that pretend to be of critical importance. These attachments contain malicious JavaScript that is automatically triggered if the file is downloaded.

Related Resource

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now

The script will then start to encrypt every file on a user's system, and those it is connected to. The victim will then be instructed to pay a ransom in order to get their files back.

Cyber security firm Avast suggests the following extensions are often used during GandCrab infections:

GDCB, .CRAB, .KRAB, .%RandomLetters% foobar.doc -> foobar.doc.GDCB document.dat -> document.dat.CRAB document.xls -> document.xls.KRAB foobar.bmp -> foobar.bmp.gcnbo

What's unusual about this ransomware is that we know its author is no longer in operation. "A fun fact about GandCrab is that its creator decided six months ago to retire," said Tosi. "They sent out a message to everybody saying 'guys I'm cashing up, I'm retiring, sorry about that, that's it, finished, I'm closing my ransomware as a service'. This guy is informing his customers."

Defending against GandCrab

The best defence is to have a robust security suite in place to prevent the ransomware from triggering if accidentally downloaded most anti-virus software will be able to detect GandCrab.

However, it's also important to be vigilant against the tell-tale signs of GandCrab, especially the distinguishable phishing emails that it favours.

As a result of hacking efforts by Europol last year, certain versions of GandCrab can be decrypted using free online tools, allowing a user to recover their files fairly quickly.

Avast also has a free GandCrab decryptor tool, available here.


A Ryuk ransomware note, courtesy of Checkpoint

Ryuk is a fairly recent entry to the ransomware industry, having emerged just last year. Although it is often spread using spam email campaigns, it's also used to target specific organisations for high payouts.

"Ryuk always for some reason spikes during the holidays," explained Tosi. "So during Christmas time usually we get some presents, well in the UK [in 2018] we got Ryuk. It [then] lay dormant for a few months, and after that it surfaced again on 13 September, which was a Friday. Friday the 13th was the day they chose to start Ryuk again. It's just fantastic."

Researchers have also discovered that the Ryuk strain shares many similarities with the Hermes ransomware, which is believed to have originated from North Korea. However, investigations seem to suggest that the Ryuk variant was a Russian creation.

The file extension of .RYK is often associated with Ryuk infections.

Defending against Ryuk

Robust security software is also highly effective at stopping Ryuk in its tracks.

However, Ryuk uses the extremely robust RSA encryption algorithm and there are currently no free online decryption tools, which makes it near-impossible for users to brute force their way to their files. This means a full system restore using a secure backup is necessary following an attack. 


First discovered in early 2018, the Rapid ransomware is unusual in that it will stay hidden on a user's system and encrypt new files as they are created, before later emerging to demand a ransom.

The ransomware has received four updates in its history, which adjusted the extensions given to encrypted files and added new email addresses to allow victims to contact the authors. Ransom notes tend to be short and concise, asking the victim to contact the attacker directly in order to recover their files.

The Rapid ransomware is normally spread through malicious emails that masquerade as official notices. Most recently the authors have used messages claiming to be from the US Inland Revenue Service (IRS), alerting users that they owe back taxes.

The ransomware usually uses changes file extensions to .rapid as part of the encryption process.

Defending against Rapid

As attackers tend to favour professional-looking emails, this makes it easier to spot errors. Messages are often not tailored for specific countries, and most official organisations will rarely contact users in this manner.

Given the slow nature of the encryption process, it's also possible to stumble upon encrypted files before a user is locked out of their system, during which time anti-malware software can be run to remove the threat.

However, once files are encrypted (even if spotted early), there are currently no decryptor tools available to recover them. Unfortunately, a full system lockout requires a full system wipe and restore to regain access.


The Cerber ransomware made up a significant chunk of attacks in Harrow and Leeds (45% and 17% respectively), and retains a healthy presence across the EMEA region.

Alongside GandCrab, it's an example of malware released as ransomware as a service, with its authors taking a 40% cut of any extorted funds.

The ransomware maintains a number of different versions that are all in operation, making it difficult to defend against. It uses elaborate phishing scams, often using infected Microsoft Word documents, to silently infect a user's machine and begin encrypting system files. Once that is complete, it will change the user's desktop wallpaper to a recognisable splash screen (above) to notify victims of an infection, providing instructions for paying the fee to unlock the files.

A Cerber infection is normally associated with files with the extension .cerber or numbered variants like .cerber1, cerber2 and so on.

Defending against Cerber

As with most other malware strains, having anti-virus software actively running on your machine should prevent Cerber from activating if a download is attempted. However, it's common for Cerber to be bundled into more malicious packages, such as rootkits, that can disable your anti-virus before attempting to run Cerber.

Unfortunately, like Ryuk Cerber also uses RSA encryption, making it incredibly difficult for users to get their files back in a timely manner.


BTCWare is one of the older ransomware families still operating in the UK, having first been discovered in 2017.

This strain exclusively targets Windows-based systems by brute-forcing weak remote desktop protocol (RDP) passwords and manually installing a malicious programme. However, the strain has been known to also use spam email campaigns, often using messages without subject lines or contents with malicious Zip files attached.

According to Avast, BTCWare infections will result in the following file extensions:

foobar.docx.[].theva foobar.docx.[].cryptobyte foobar.bmp.[].cryptowin foobar.bmp.[].btcware foobar.docx.onyon

BTCWare has received a number of updates during its lifetime, but generally speaking the encryption process has remained the same. This includes creating registry entries so that the ransomware can run each time the system is rebooted and providing an email address so the attackers can be contacted.

Related Resource

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now

Defending against BTCWare

As is the case with other strains, robust security suites are capable of spotting and neutralising BTCWare threats before they can activate.

If for whatever reason BTCWare ransomware has infected a system, there have been a variety of free decryptor tools released over the years to help users recover their files almost immediately.


One of the more recognisable and volatile ransomware strains is the Jigsaw variant. This family is known for adopting the fictional villain "Billy the Puppet" from the Saw film series, a picture of which is included in the ransom note.

The ransomware is also known for its aggressive and menacing approach, demanding payment within a specific time frame, generally 60 minutes, before deleting files one by one. After 72 hours, all encrypted files will be deleted. The strain will also 'punish' users by deleting large chunks of files, usually around 1,000, if the user ignores the demand by trying to reboot their system.

According to Avast, Jigsaw infections will use the following extensions:

.kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush,, or .gefickt.

The ransomware is generally spread through malicious spam email attachments and has inspired a number of variants, all of which deploy their own characters or images to play games with their victims.

Defending against Jigsaw

Despite the menacing appearance and language employed by the ransomware, Jigsaw is relatively easy to defend against.

Anti-virus software can spot Jigsaw ransomware before it's able to execute, and so this should be installed and maintained on every system.

However, Jigsaw is also one of those variants that have been cracked by security researchers, meaning there are plenty of easily accessible online decryptors available.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now


How can you protect your business from crypto-ransomware?

How can you protect your business from crypto-ransomware?

4 Nov 2019
8 of the most secure web browsers
web browser

8 of the most secure web browsers

25 Sep 2020
Your essential guide to internet security

Your essential guide to internet security

23 Sep 2020
How to enable private browsing on any device

How to enable private browsing on any device

22 Sep 2020

Most Popular

16 ways to speed up your laptop

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop

16 ways to speed up your laptop

16 Sep 2020
The Xbox Series X shows how far the cloud still has to go

The Xbox Series X shows how far the cloud still has to go

25 Sep 2020