The most popular ransomware strains targeting UK businesses

What threats you're likely to face can significantly depend on the region in which you operate

Regardless of the type of industry you're in, the size of your workforce, the products and services you create, or the value of the data you hold, you have one thing in common with every other digital business: You are a target for ransomware.

This year alone we saw ransomware attacks on businesses surge, especially in the UK where the number of reports increased 195%. That surge has left the UK, alongside the US, as the most targetted region in the world, with some 6.4 million ransomware attacks occurring in the first half of 2019.

We all know the threat ransomware poses to business, but it's not always clear what the best defence is against such attacks. This is particularly important today as there are numerous ransomware families active across the world, each with their own methods of attack and spreading infection. The rise of ransomware as a service has only compounded the issue, with a significant number of attacks in the UK being caused by hired malware.

Cyber security firm Malwarebytes recently analysed the distribution of malware across the world, including a breakdown of the UK's most popular ransomware families, and presented its findings at London's DTX Europe in October.

As you can see from the charts above, the region in which your business operates is a significant factor in determining what ransomware you are likely to encounter. However, it's also worth pointing out that GandCrab, by far the most popular across all regions, and Cerber were both distributed as ransomware as a service.

Yet, this doesn't give the whole picture for UK businesses. In fact, in the list of the top five most targeted regions in the UK, a London borough only features twice. Manchester, Royal Kensington and Chelsea, Reading, Harrow and Leeds faced the highest number of ransomware attacks between 2018 and 2019, but the types of malware used differed drastically.

Advertisement - Article continues below
Advertisement - Article continues below

As is reflected in the European average, GandCrab made up a significant chunk of the attacks against Manchester businesses and those in the London borough of Royal Kensington and Chelsea. However, there were no GandCrab attacks recorded in Harrow, Reading or Leeds.

What's equally surprising is that a ransomware strain known as BTCWare, which was not featured in the EMEA analysis, made up 80% of the attacks against businesses in Reading.

"Reading is the only one with this big BTCware section. BTCware is ransomware that works on RDP (remote desktop protocol, see below), so is basically installed if there is an RDP breach. So the delivery method is very manual. The only thing I can think of is that in Reading there are lots of RDP servers," explained Malwarebytes sales engineer Claudio Tosi.


GandCrab's popularity has made it a best seller in the ransomware space, allowing users with very limited malware knowledge to tailor the scope of their attack and the nature of their intended campaign using an online tool, and then pay for the service on a sliding scale. This effectively removes the risk to the individual and makes it near impossible to identify the true source of an attack.

Advertisement - Article continues below

Spread through phishing emails, this strain attempts to convince users to open an attachment, often containing romantic phrases and references to Valentines Day or love letters. However, some of the more business-focused GandCrab attacks have even used fake updated emergency exit maps or similar notices that pretend to be of critical importance. These attachments contain malicious JavaScript that is automatically triggered if the file is downloaded.

Related Resource

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now

The script will then start to encrypt every file on a user's system, and those it is connected to. The victim will then be instructed to pay a ransom in order to get their files back.

Cyber security firm Avast suggests the following extensions are often used during GandCrab infections:

GDCB, .CRAB, .KRAB, .%RandomLetters% foobar.doc -> foobar.doc.GDCB document.dat -> document.dat.CRAB document.xls -> document.xls.KRAB foobar.bmp -> foobar.bmp.gcnbo

What's unusual about this ransomware is that we know its author is no longer in operation. "A fun fact about GandCrab is that its creator decided six months ago to retire," said Tosi. "They sent out a message to everybody saying 'guys I'm cashing up, I'm retiring, sorry about that, that's it, finished, I'm closing my ransomware as a service'. This guy is informing his customers."

Defending against GandCrab

The best defence is to have a robust security suite in place to prevent the ransomware from triggering if accidentally downloaded most anti-virus software will be able to detect GandCrab.

Advertisement - Article continues below
Advertisement - Article continues below

However, it's also important to be vigilant against the tell-tale signs of GandCrab, especially the distinguishable phishing emails that it favours.

As a result of hacking efforts by Europol last year, certain versions of GandCrab can be decrypted using free online tools, allowing a user to recover their files fairly quickly.

Avast also has a free GandCrab decryptor tool, available here.


A Ryuk ransomware note, courtesy of Checkpoint

Ryuk is a fairly recent entry to the ransomware industry, having emerged just last year. Although it is often spread using spam email campaigns, it's also used to target specific organisations for high payouts.

"Ryuk always for some reason spikes during the holidays," explained Tosi. "So during Christmas time usually we get some presents, well in the UK [in 2018] we got Ryuk. It [then] lay dormant for a few months, and after that it surfaced again on 13 September, which was a Friday. Friday the 13th was the day they chose to start Ryuk again. It's just fantastic."

Advertisement - Article continues below

Researchers have also discovered that the Ryuk strain shares many similarities with the Hermes ransomware, which is believed to have originated from North Korea. However, investigations seem to suggest that the Ryuk variant was a Russian creation.

The file extension of .RYK is often associated with Ryuk infections.

Defending against Ryuk

Robust security software is also highly effective at stopping Ryuk in its tracks.

However, Ryuk uses the extremely robust RSA encryption algorithm and there are currently no free online decryption tools, which makes it near-impossible for users to brute force their way to their files. This means a full system restore using a secure backup is necessary following an attack. 


First discovered in early 2018, the Rapid ransomware is unusual in that it will stay hidden on a user's system and encrypt new files as they are created, before later emerging to demand a ransom.

Advertisement - Article continues below

The ransomware has received four updates in its history, which adjusted the extensions given to encrypted files and added new email addresses to allow victims to contact the authors. Ransom notes tend to be short and concise, asking the victim to contact the attacker directly in order to recover their files.

Advertisement - Article continues below

The Rapid ransomware is normally spread through malicious emails that masquerade as official notices. Most recently the authors have used messages claiming to be from the US Inland Revenue Service (IRS), alerting users that they owe back taxes.

The ransomware usually uses changes file extensions to .rapid as part of the encryption process.

Defending against Rapid

As attackers tend to favour professional-looking emails, this makes it easier to spot errors. Messages are often not tailored for specific countries, and most official organisations will rarely contact users in this manner.

Given the slow nature of the encryption process, it's also possible to stumble upon encrypted files before a user is locked out of their system, during which time anti-malware software can be run to remove the threat.

However, once files are encrypted (even if spotted early), there are currently no decryptor tools available to recover them. Unfortunately, a full system lockout requires a full system wipe and restore to regain access.


The Cerber ransomware made up a significant chunk of attacks in Harrow and Leeds (45% and 17% respectively), and retains a healthy presence across the EMEA region.

Advertisement - Article continues below

Alongside GandCrab, it's an example of malware released as ransomware as a service, with its authors taking a 40% cut of any extorted funds.

The ransomware maintains a number of different versions that are all in operation, making it difficult to defend against. It uses elaborate phishing scams, often using infected Microsoft Word documents, to silently infect a user's machine and begin encrypting system files. Once that is complete, it will change the user's desktop wallpaper to a recognisable splash screen (above) to notify victims of an infection, providing instructions for paying the fee to unlock the files.

A Cerber infection is normally associated with files with the extension .cerber or numbered variants like .cerber1, cerber2 and so on.

Defending against Cerber

As with most other malware strains, having anti-virus software actively running on your machine should prevent Cerber from activating if a download is attempted. However, it's common for Cerber to be bundled into more malicious packages, such as rootkits, that can disable your anti-virus before attempting to run Cerber.

Advertisement - Article continues below

Unfortunately, like Ryuk Cerber also uses RSA encryption, making it incredibly difficult for users to get their files back in a timely manner.


BTCWare is one of the older ransomware families still operating in the UK, having first been discovered in 2017.

Advertisement - Article continues below

This strain exclusively targets Windows-based systems by brute-forcing weak remote desktop protocol (RDP) passwords and manually installing a malicious programme. However, the strain has been known to also use spam email campaigns, often using messages without subject lines or contents with malicious Zip files attached.

According to Avast, BTCWare infections will result in the following file extensions:

foobar.docx.[].theva foobar.docx.[].cryptobyte foobar.bmp.[].cryptowin foobar.bmp.[].btcware foobar.docx.onyon

BTCWare has received a number of updates during its lifetime, but generally speaking the encryption process has remained the same. This includes creating registry entries so that the ransomware can run each time the system is rebooted and providing an email address so the attackers can be contacted.

Related Resource

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now

Defending against BTCWare

As is the case with other strains, robust security suites are capable of spotting and neutralising BTCWare threats before they can activate.

If for whatever reason BTCWare ransomware has infected a system, there have been a variety of free decryptor tools released over the years to help users recover their files almost immediately.


One of the more recognisable and volatile ransomware strains is the Jigsaw variant. This family is known for adopting the fictional villain "Billy the Puppet" from the Saw film series, a picture of which is included in the ransom note.

The ransomware is also known for its aggressive and menacing approach, demanding payment within a specific time frame, generally 60 minutes, before deleting files one by one. After 72 hours, all encrypted files will be deleted. The strain will also 'punish' users by deleting large chunks of files, usually around 1,000, if the user ignores the demand by trying to reboot their system.

Advertisement - Article continues below

According to Avast, Jigsaw infections will use the following extensions:

.kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush,, or .gefickt.

The ransomware is generally spread through malicious spam email attachments and has inspired a number of variants, all of which deploy their own characters or images to play games with their victims.

Defending against Jigsaw

Despite the menacing appearance and language employed by the ransomware, Jigsaw is relatively easy to defend against.

Advertisement - Article continues below

Anti-virus software can spot Jigsaw ransomware before it's able to execute, and so this should be installed and maintained on every system.

However, Jigsaw is also one of those variants that have been cracked by security researchers, meaning there are plenty of easily accessible online decryptors available.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



How can you protect your business from crypto-ransomware?

4 Nov 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020