Locky propagates through spam emails with infected files, and changes all file extensions to .locky.
Samas exploits webserver’s vulnerabilities to then spread inside the network
Petya propagates via phishing and introduces a new method of overriding hard drive MBR.
Cerber masquerades itself as an Adobe Flash player update, impersonating to a Windows executable to pop up in the next reboot.
BART – an evolution of Locky from the same creators, distributed through spam email after locky has become well known. BART does not encrypt the files, but creates a password protected archive
CTB Locker – spreads via customized deceptive emails. It can encrypt several machines within the same network, and also features a mechanism of recognizing malware analysis programs in order to avoid them (it simply won’t be triggered)
CryptXXX – spreads via spam emails. Scans files and adds the .crypt extension. 2.0, 3.0. and 4.0 versions feature immunity against free decryption tools, thus more victims tend to pay the ransom.
Unlock 92 – using RSA-2048 algorithm to encrypt files. Communicates in Russian only. In many cases did not unlock the files though payment was received
TeslaCrypt - It is typically exploits Adobe vulnerabilities and uses an AES algorithm to encrypt files.
Jigsaw – after encrypting the files, begins deleting them in bulks every hour until the ransom is paid (or all at once after 72 hours)