The Most Popular Ransomware: A Comprehensive Ranking

Author: Gregor Krambs
Jun 16, 2023 10:18 (Updated on Dec 2, 2023 08:58)
Welcome to StrawPoll, where opinions matter and voices are heard! Today, we're delving into the dark world of ransomware to determine which notorious variant reigns supreme in the realm of cyber threats. As ransomware continues to wreak havoc on businesses and individuals alike, it's time for you to cast your vote and help us create the ultimate ranking of the most popular ransomware. From the infamous WannaCry to the cunning Ryuk, which digital extortionist will claim the title of the most notorious? Don't see your "favorite" ransomware on the list? Fear not, for you can suggest a missing option to make this ranking as comprehensive as possible. So, join thousands of others in this intriguing poll and let's unveil the most popular ransomware lurking in the shadows of the internet!

What Is the Most Popular Ransomware?

  1. WannaCry
    This is one of the most well-known ransomware attacks in history. It spread rapidly across the globe in 2017, infecting hundreds of thousands of computers across 150 countries. It exploited a vulnerability in Microsoft Windows, and demanded a ransom in bitcoin.
    WannaCry is a type of ransomware computer virus that spread globally in May 2017. It infected hundreds of thousands of computers by exploiting a vulnerability in the Windows operating system. The virus encrypted files on infected systems and demanded a ransom in Bitcoin cryptocurrency for their release. WannaCry caused significant disruptions across various sectors, including healthcare, government, and industries worldwide.
    • Victims: Hundreds of thousands of computers and organizations worldwide
    • Type: Ransomware
    • Release Date: May 12, 2017
    • Exploited Vulnerability: MS17-010 (EternalBlue)
    • Propagation Method: Self-propagating via network
  2. Locky
    Locky is a ransomware that was first discovered in 2016. It spread through spam emails and infected Windows computers. It encrypted the victim's files and demanded a ransom in bitcoin. At its peak, Locky was responsible for over 50% of all ransomware attacks.
    Locky is a notorious strain of ransomware that first emerged in early 2016. It is known for its ability to encrypt a victim's files and demand a ransom in exchange for the decryption key. Locky spreads primarily through spam emails containing malicious attachments, such as Microsoft Word documents or JavaScript files. Once the victim clicks on the attachment, Locky is executed, encrypting files on the infected system and network shares.
    • First appearance: February 2016
    • Method of distribution: Spam emails with malicious attachments
    • File encryption: Uses AES and RSA encryption
    • File types targeted: Documents, images, videos, archives, etc.
    • Ransom payment: Demands payment in Bitcoin
  3. CryptoLocker
    CryptoLocker was first discovered in 2013 and was one of the first ransomware attacks to gain widespread attention. It encrypted files on the victim's computer and demanded a ransom in bitcoin. It was estimated to have generated over $3 million in ransom payments.
    CryptoLocker is one of the most popular ransomware families known for its sophisticated encryption capabilities and widespread impact. It was first discovered in September 2013 and quickly gained notoriety due to its success in extorting money from victims.
    • Encryption Algorithm: Uses strong encryption algorithms (e.g., RSA-2048 and AES-256) to encrypt the victim's files, making them inaccessible without a decryption key.
    • Propagation: Primarily propagated through email attachments, malicious links, exploit kits, and social engineering techniques.
    • Ransom Payment: Demands a ransom amount (usually in Bitcoin) to be paid within a specific timeframe, typically ranging from hundreds to thousands of dollars.
    • Exploit Kits: Known to utilize exploit kits such as Angler, Rig, and Nuclear to distribute the malware.
    • Command and Control (C&C): Relies on a command and control infrastructure to communicate with the attacker, obtain encryption keys, and facilitate ransom payment.
  4. Petya
    Petya is a ransomware that was first discovered in 2016. It spread through phishing emails and exploited vulnerabilities in Windows. It encrypted the victim's files and demanded a ransom in bitcoin. Petya has been responsible for some of the largest ransomware attacks in history.
    Petya is a type of ransomware that was first discovered in 2016. Unlike other ransomware, Petya does not target individual files but instead encrypts the entire hard drive, making the infected system completely unusable. It spreads through infected email attachments, malicious websites, or by exploiting vulnerabilities in outdated software. Once activated, Petya displays a ransom note demanding payment in Bitcoin to restore the files.
    • Encryption Method: Petya uses an advanced encryption algorithm with a combination of symmetric and asymmetric encryption.
    • Propagation: Petya can spread within a network by using exploits to perform lateral movement.
    • Wiper Component: Petya has a secondary component called the wiper, which overwrites the Master Boot Record (MBR) with a custom bootloader.
    • Master Boot Record (MBR) Infection: Petya targets the MBR to execute its malicious code during the booting process.
    • Rootkit Functionality: Petya has rootkit capabilities that can help it hide from detection and undermine security measures.
  5. Jigsaw
    Jigsaw is a ransomware that was first discovered in 2016. It encrypts the victim's files and demands a ransom in bitcoin. If the victim does not pay the ransom, Jigsaw deletes files every hour.
    Jigsaw is a notorious ransomware that first emerged in April 2016. It is named after the character from the horror film series Saw, as it features a similar theme of games and puzzles. Jigsaw is known for its destructive nature, as it not only encrypts the victim's files but also starts deleting them gradually if the ransom is not paid. This ransomware also displays menacing messages and images on the victim's screen, adding to the psychological pressure. Jigsaw has been responsible for several high-profile attacks, making it one of the most notorious ransomware strains in recent years.
    • First Appearance: April 2016
    • Encryption Algorithm: AES-256
    • Ransom Payment Method: Bitcoin
    • Ransom Amount: Usually around $150-$200 worth of Bitcoin
    • Ransom Deadline: Initially 24 hours; each subsequent hour leads to deleted files
  6. Bad Rabbit
    Bad Rabbit is a ransomware that was first discovered in 2017. It spread through fake Adobe Flash updates and infected Windows computers. It encrypted the victim's files and demanded a ransom in bitcoin. Bad Rabbit was responsible for several high-profile attacks in Russia and Ukraine.
    Bad Rabbit is a type of ransomware that first emerged in October 2017. It quickly spread in Eastern Europe and targeted organizations, including media outlets, transportation systems, and government agencies. The ransomware got its name from the code references to the popular fantasy character 'Gandalf the Grey' from J.R.R. Tolkien's Lord of the Rings, specifically the phrase 'Bad Rabbit'.
    • Propagation Method: Bad Rabbit mainly propagated through malicious drive-by downloads from compromised legitimate websites, often posing as Adobe Flash updates.
    • Infection Process: Once executed, Bad Rabbit attempted to spread laterally across an organization's network using SMB protocol and also employed a list of hardcoded credentials to aid in its spread.
    • Ransom Note: Upon infection, victims were presented with a ransom note instructing them to visit a Tor hidden service website and pay a ransom in Bitcoin to regain access to their files.
    • Extension Encryption: Bad Rabbit primarily targeted Microsoft Windows operating systems and encrypted the files on an infected machine, appending an extension to the file names.
    • RSA-2048 Encryption: The ransomware used the RSA-2048 encryption algorithm to encrypt files, making decryption without the proper private key extremely difficult.
  7. GandCrab
    GandCrab is a ransomware that was first discovered in 2018. It spread through phishing emails and infected Windows computers. It encrypted the victim's files and demanded a ransom in bitcoin. GandCrab was one of the most successful ransomware attacks of 2018.
    GandCrab is a highly prevalent ransomware that emerged in early 2018. It is known for its sophisticated encryption techniques and rapid evolution, making it a persistent threat. The ransomware primarily targets Windows-based systems and has successfully infected millions of computers worldwide.
    • Encryption Key Length: GandCrab employs a strong 256-bit key length to encrypt files.
    • Ransom Payment: The ransom payment demanded by the attackers is typically in cryptocurrency, specifically Bitcoin, to maintain anonymity.
    • Distributed via Exploit Kits: GandCrab primarily spread through exploit kits, leveraging vulnerabilities in software and web browsers.
    • Multiple Versions: Different versions of GandCrab were released with improvements and new features, increasing its effectiveness.
    • Ransom Note and Extortion: The ransomware drops a note with instructions on how to make the payment, including a threat to permanently delete files after a specific time if the ransom is not paid.
  8. Maze
    Maze is a ransomware that was first discovered in 2019. It encrypts the victim's files and demands a ransom in bitcoin. If the victim does not pay, Maze threatens to release sensitive data to the public. Maze has been responsible for several high-profile attacks on large companies.
  9. Ryuk
    Ryuk is a ransomware that was first discovered in 2018. It spread through phishing emails and infected Windows computers. It encrypted the victim's files and demanded a ransom in bitcoin. Ryuk has been responsible for several high-profile attacks on hospitals and government agencies.
    Ryuk is a type of ransomware that targets businesses and organizations, primarily focusing on financial institutions, healthcare organizations, and government agencies. It was first discovered in August 2018 and has since become one of the most prevalent and financially impactful ransomware threats.
    • Encryption Algorithm: Ryuk uses the AES-256 encryption algorithm to encrypt files.
    • Targeting: It primarily targets Windows-based systems and spreads laterally across networks.
    • Network Propagation: Ryuk exploits vulnerabilities or brute-forces its way into systems, utilizing tools like PowerShell and Windows Management Instrumentation (WMI).
    • Ransom Amount: The ransom amounts demanded by Ryuk are typically high, ranging from a few hundred thousand dollars to millions.
    • Payment Method: The attackers usually require payment in Bitcoin cryptocurrency to maintain anonymity.
  10. Sodinokibi
    Sodinokibi is a ransomware that was first discovered in 2019. It spreads through phishing emails and exploits vulnerabilities in Windows. It encrypts the victim's files and demands a ransom in bitcoin. Sodinokibi has been responsible for several high-profile attacks on large companies.
    Sodinokibi, also known as REvil, is a ransomware that emerged in early 2019. It quickly gained popularity among cybercriminals due to its sophisticated features and successful attack campaigns. Sodinokibi operates as a Ransomware-as-a-Service (RaaS) model, meaning that it is developed by a group of cybercriminals who lease or sell it to other hackers, receiving a percentage of the ransom payments as profit. This approach allows for wider distribution and multiple actors exploiting the ransomware for their own purposes.
    • Encryption: Sodinokibi uses strong encryption algorithms, such as AES, to encrypt files on infected systems, making them inaccessible without the decryption key.
    • Payment: Payment is typically demanded in Bitcoin, with varying amounts depending on the victim's profile and data sensitivity.
    • Distribution: Sodinokibi often spreads through exploit kits, malicious email attachments, or compromised Remote Desktop Protocol (RDP) credentials.
    • Data Exfiltration: In addition to encrypting files, Sodinokibi has the ability to exfiltrate sensitive data from infected systems, threatening victims with data leaks to increase pressure for ransom payment.
    • Leak Site: Sodinokibi operators maintain a dedicated leak site where they publish stolen data from non-paying victims as a form of punishment and intimidation.


Ranking factors for popular ransomware

  1. Prevalence
    The number of ransomware attacks reported worldwide, which includes the rate and the regions targeted. Ransomware types dominating the security incidents should be considered highly popular.
  2. Impact
    The degree of financial, operational, and reputational damage caused by the ransomware. Factors like the amount of ransom demanded, the duration of the attack, and the number of affected systems should be considered.
  3. Innovation
    The level of sophistication, novelty, and adaptability the ransomware exhibits. This includes features like encryption techniques, evasion from detection systems, and the use of different methods for propagation and distribution.
  4. Target profile
    Industries and sectors usually targeted by the ransomware, including healthcare, education, finance, and government institutions. A broader target profile reflects the popularity of the ransomware.
  5. Ease of use
    The simplicity and speed with which cybercriminals can deploy the ransomware for their attacks. Ransomware with user-friendly interfaces, accessible through ransomware-as-a-service (RaaS) platforms, or easily customizable is often considered popular among criminals.
  6. Persistence
    The duration for which the ransomware remains a significant threat. Persistent ransomware strains evolve or are frequently updated to maintain their effectiveness.
  7. Media coverage
    The amount of attention the ransomware garners in the media, reflecting its impact on society. Higher media coverage could indicate the ransomware's popularity.
  8. Success rate
    The percentage of successful ransomware attacks that lead to victims paying the ransom.
  9. Law enforcement efforts
    High-profile ransomware incidents that have attracted significant attention from law enforcement agencies, resulting in attempts to apprehend the perpetrators and dismantle the ransomware infrastructure.
  10. Code availability
    The availability of the ransomware's code in underground forums and darknet markets. Code sharing and sales in the cybercriminal community contribute to the popularity of the ransomware.

About this ranking

This is a community-based ranking of the most popular ransomware. We do our best to provide fair voting, but the ranking is not intended to be exhaustive. If you notice that something is wrong or that a ransomware is missing, feel free to help improve the ranking!


  • 151 votes
  • 10 ranked items

Voting Rules

A participant may cast an up or down vote for each ransomware once every 24 hours. The rank of each ransomware is then calculated from the weighted sum of all up and down votes.

More information on most popular ransomware

Ransomware has become an increasingly prevalent issue in recent years, with cybercriminals using this type of malware to encrypt victims’ files and demand payment in exchange for the decryption key. The most popular ransomware strains are designed to spread quickly and efficiently, infecting as many computers as possible and maximizing the attackers’ profits. Some of the well-known ransomware strains include WannaCry, Petya, Locky, and CryptoLocker. These ransomware attacks can be devastating for individuals and businesses alike, often resulting in the loss of critical data and the payment of large ransoms. It is essential to stay vigilant and take proactive measures to protect against these threats, including regular software updates, data backups, and implementing security measures such as firewalls and antivirus software.
