Blockers of all time
The technical side of the ransomware also did not stand still. If initially these were very simple programs written “on the knee”, then after a few years, the blockers presented very technologically sophisticated products that contained protection against analysis, protection against detection, technology of network worms, encryption, etc. etc.
The technologies with which scammers were going to demand money from users were also developed. If initially the system was completely blocked, and the user received information about a technical malfunction, then later more advanced social engineering technologies were used.
Here are just a few of them:
1) Partial locking of the system (for example, a window that is placed on top of others, in a third of the screen) - you can work with such a computer, but very uncomfortably;
2) Demonstration of adult content - designed for children at daddy's computers;
3) Demonstration of content containing perversion elements - designed for adults;
etc.
It is absolutely useless to pay scammers: sending an expensive SMS (or even several) does not guarantee that the victim will receive the promised unlock code. With the replenishment of the account through the payment terminal, the situation is no better - the receipt simply does not have the identification number referred to by the ransomware. By sending money, the user sponsors new developments, from which he himself subsequently suffers (according to our data, on average, users become infected more than 1 time).
In our work, we constantly encounter ransomware programs and decided to create our own hit parade, highlighting, in our opinion, the most interesting of them in the following categories:
The most inaccessible
This blocker is unique in that it infected MBR. He did not gain much popularity. We can say that he was more of a concept.
In May 2011, the second MBR blocker appeared, gaining more and more popularity.

| Verdict: | Trojan-Ransom.Boot.Seftad |
| Date of Appearance: | November 2010 |
| Outbreak Date: | did not cause an epidemic |
The most popular
MOST MASSIVE, MOST PROFITABLE blocker of all time. In June 2010, new blockers of this family came out literally once an hour. The epidemic stopped only after members of this criminal group were detained by law enforcement agencies.

| Verdict: | Trojan-Ransom.Win32.PinkBlocker |
| Date of Appearance: | November 2009 |
| Outbreak Date: | August 2010 |
The very first.
The first blockers in Runet open spaces used exotic forms of payment, little known to housewives and unpretentious design (no naked female and male body). But it was with them that it all began.

| Verdict: | Trojan-Ransom.Win32.BlueScreen |
| Date of Appearance: | fall 2007 |
| Outbreak Date: | fall 2008 |
The most beautiful

| Verdict: | Trojan-Ransom.Win32.Gimemo |
| Date of Appearance: | March 2011 |
| Outbreak Date: | did not cause an epidemic |
Animation
Blocker, using an animated gif c mamma (lat.) As an image, making oscillating movements. As a payment, the blocker asked to send an SMS to one of the short numbers, among which there were both Russian, and Ukrainian, Kazakhstan, Lithuanian and German.

| Verdict: | Trojan-Ransom.Win32.XBlocker |
| Date of Appearance: | December 2009 |
| Outbreak Date: | February 2010 |
The first non-Russian
This blocker, which caused the first major epidemic of blockers in Runet, came from Ukraine. Initially, SMS was received as a payment to a Ukrainian number.
A characteristic feature of the blockers from this family was the demonstration of the license agreement (!!!) at the first start of the blocker, in which it was reported that the user's computer would be blocked. But who reads these conventions?
In subsequent versions of the blocker, the license agreement, although it was demonstrated, was closed quite quickly, and the blocker began the installation regardless of the user's actions, whether he agreed to the conditions or not.

| Verdict: | Trojan-Ransom.Win32.Digitala |
| Date of Appearance: | October 2009 |
| Outbreak Date: | December 2010 |
The most harmless
This "blocker" blocker as such is not. Fraudsters specifically create sites that pretend to be adult sites and place JavaScript code in them that displays the image below in the browser. After the site is created, it is distributed through the banner system. To combat this type of fraud, it’s enough to simply close the browser and not go to this site in the future, but many users are scared, believe that their machine has been infected, and are in a hurry to pay money to ransomware.

| Verdict: | Trojan-Ransom.JS.Smser |
| Date of Appearance: | summer 2010 |
| Outbreak Date: | by current time |
The most creative
The first years of the development of blockers, the authors approached their creation with a soul. I came across very funny, funny and touching blockers. And only a few years later, the blockers began to rivet like pies - quickly and quickly, in order to manage to bring down the detections of antivirus products.

| Verdict: | Trojan-Ransom.Win32.ImBlocker |
| Date of Appearance: | summer 2008 |
| Outbreak Date: | did not cause an epidemic |
The most greedy.
Since there was an upper price limit on the cost of SMS (500-600 rub.), Some blockers began to ask to send 2 each, and very greedy - 3 SMS each.

| Verdict: | Trojan-Ransom.Win32.PinkBlocker |
| Date of Appearance: | spring 2010 |
| Outbreak Date: | August 2010 |
The most arrogant
Feature of this blocker in the big names with which it is covered.

| Verdict: | Trojan-Ransom.Win32.ZoBlocker |
| Date of Appearance: | N / a |
| Outbreak Date: | N / a |
The most honest
This blocker is interesting in that, unlike its colleagues, it honestly declares that it is a blocker.

| Verdict: | Trojan-Ransom.Win32.Honest |
| Date of Appearance: | N / a |
| Outbreak Date: | did not cause an epidemic |
The longest-running
This blocker is unique in that it uses a subscription system to enrich its authors. Instead of requiring sending an SMS or transferring money to an account, this blocker requires you to send your phone number. An SMS with a deactivation code arrives on the phone.
All these harmless actions have one goal - to register the user on the so-called subscription. Entering the deactivation code into the blocker, the user thereby agrees to the subscription conditions (which, of course, no one showed him). After subscribing, the user begins to regularly withdraw money from the user's phone (for example, every 3 days for 150 rubles). This method works until the user unsubscribes or within a certain time (for example, a week) there are no funds on the phone.

| Verdict: | Trojan-Ransom.Win32.Holotron |
| Date of Appearance: | February 2011 |
| Outbreak Date: | did not cause an epidemic |
The most brutal
This blocker is characterized by the display of homosexuals.
Its second “remarkable” feature is deactivation codes - this is not a meaningless character set, but codes from the game (for example, IDDQD), game characters (KERRIGAN IS SO SEXY), authors of favorite works (FRANK HERBERT), etc.

| Verdict: | Trojan-Ransom.Win32.HmBlocker |
| Date of Appearance: | November 2010 |
| Outbreak Date: | March 2011 |
The most detailed ("blonde")
This blocker can be called the most detailed in the field of instructions for its deactivation. Since this program does not use SMS as a form of payment, but uses the more exotic Vkontakte scheme, which is relatively familiar with a relatively small number of users, it provided infected users with very detailed step-by-step instructions on how to transfer money to scammers.

| Verdict: | Trojan-Ransom.Win32.GiviBlocker |
| Date of Appearance: | November 2010 |
| Outbreak Date: | did not cause an epidemic |
The most “Kaspersky"
This blocker impersonates a certain, really non-existent Kaspersky Lab product, Kaspersky Lab Antivirus Online. At one time, it was very popular and literally caused a flurry of letters to the company with the text "Do you really get little money, why do you need this program too." In general, this blocker spoiled a lot of blood for both shift analysts and the PR department.

| Verdict: | Trojan-Ransom.Win32.Chameleon |
| Date of Appearance: | N / a |
| Outbreak Date: | N / a |
Total:
In the trend, as you can see, the development of social engineering techniques, but the technical idea does not stand still. In any case, we decided that it would be more reliable to prevent blocking than to treat an already infected computer. And if until now we could offer you only the free utility support.kaspersky.ru/viruses/deblocker , now we are finishing work on a new tool, which we will present in one of the following posts. Ivan Tatarinov, Senior Virus Analyst, Kaspersky Lab
