Ransomware often targets businesses rather than individuals. They possess more valuable data and more money for ransom that range from roughly $500 per computer to $15000 for the entire enterprise. Cyphort examined various variants of ransomware to help users to get an idea of what they might encounter. So, here are some characteristics you should look for before your network or system is taken hostage.


It deletes the files at regular intervals to create panic to pay ransom faster. Jigsaw ransomware operates like this:

Every hour an encrypted file is deleted from the computer, making it unrecoverable even if the ransom is paid. Moreover, the malware also deletes 1000 files on attempt of restarting the computer or logging into operating system.


Petya is different from the other popular ransomware these days. Instead of encrypting files one by one, it denies access to the full system by attacking low-level structures on the disk. It encrypts the Master File Table that contains all the information about how files and folders are allocated.

RansomWeb, Kimcilware:

It encrypts the web server data, RansomWeb, Kimcilware both take this unusual routes, instead of going after user's computers, they infect the web servers through vulnerabilities and encrypt website's databases and hosted files, and making the website unstable until ransom is paid.

DMA Locker, Locky, Cerber and CryptoFortress:

Encrypting Data on network drives, even on those that are not mapped. DMA Locker, Locky, Cerber, and CryptoFortress are all families that attempt to enumerate all open network Server Message Block (SMB) shares and encrypt any that are found. Unlike other ransomwares, they have their unique way to notify user about the encryption; like Cerber uses audio which allows the computer to speak the ransom message to the victim.


It is an android based ranomware that initiates through a simple malicious application download. Once one of the malicious apps is manually downloaded and installed on a mobile device, the malware will quickly display a full screen message stating that the phone has been locked due to child pornography being viewed and distributed on the device. The message also states that in order to unlock the device a payment must be paid. The message can be closed, but will immediately reopen if the user attempts to launch any other app.


Ransomware as a service is a model offered in underground markets. Tox provide the malicious code and infrastructure to facilitate the transfer of funds and the encryption key for the victim to be able to access their information.

These are the common characteristics that most of the well-known ransomware possess. In case of ransomware encounter, these characteristics will help to identify the exact type of ransomware to classify its severity. Moreover, for security professionals it is essential to have known about some basic characteristics of these disastrous ransomwares.