Common Ransomware Attack Types

When it comes to cybersecurity, ransomware is probably one of the first threats you think of. It seems like it’s everywhere — and it is.  

Ransomware is one of the most notorious cyber threats affecting individuals, businesses, and organizations globally. The frequency and impact of these attacks have surged in recent years, making it crucial to understand their nature and how to protect against them.

It comes as no surprise, then, that your organization must know the types of ransomware that exist and how they behave so you can stop or combat them. This article explains types of ransomware along with some well-known examples. It will also guide you on how to protect yourself and your company from ransomware attacks.

What is ransomware?

Ransomware is a type of malware that locks you out of your system or denies access to your files until a ransom is paid. This malicious software infiltrates computer systems through various means, like:

• Phishing
• Malicious websites
• Downloads

Once ransomware gains access to your system, it prevents you from accessing your files or locks down your computer screen, demanding a ransom to restore access. Modern ransomware often demands payment in cryptocurrencies like Bitcoin, with ransom amounts reaching millions of dollars depending on the target.

Unlike some other cyber threats, ransomware is about control and extortion.

What does a ransomware attack entail?

By the time you, the victim, sees the ransom message, it's already too late. Ransomware has already encrypted files before you can know it.

A ransomware attack typically follows a specific pattern — here's what happens from infection to ransom demand:

1. Arrival, contact, and search. The ransomware attack starts with the malware infiltrating the system through a vulnerability or user action.
2. Encrypt data, files, or systems. Once inside, it begins encrypting files or locking the screen.
3. Ransom. The victim is then presented with a ransom note demanding payment in exchange for the decryption key or restoration of access. The note often includes threats of data deletion or public release if the ransom isn't paid within a specified time frame.

Ransomware types

For a long time, there were only two major types of ransomware: crypto and locker ransomware. Today, unfortunately, more types of ransomware have emerged, targeting users and organizations with different approaches. These ransomware types currently exist worldwide:

• Crypto ransomware
• Locker ransomware
• Scareware
• Leakware
• Ransomware-as-a-service (RaaS)

Let's understand these types of ransomware and the approach they take to make your computer system inaccessible.

Crypto ransomware

This kind of ransomware makes unavailable your important files and data, including documents and multimedia, by encrypting them and taking away the decryption key. Still, the other functionalities of the victims’ computers remain intact.

Attackers then demand a ransom in exchange for the decryption key. They often provide a countdown and a warning that files will be deleted if the ransom isn't paid. Victims tend to pay the ransom depending on how sensitive and important the encrypted data is. However, you can never guarantee that the attackers will return the decryption key.

(Read our encryption introduction.)

Locker ransomware

Locker ransomware, also called "screen lockers," locks your computer once it's attacked, making all or some of the system data and functionalities inaccessible. For instance, you may not be able to access the computer desktop, but you might still be able to operate the mouse and keyboard with limited functionality.

Here, the attackers allow you to interact only with the screen that shows the ransom note. Since the important data remains unencrypted, it won't be completely destroyed. This type of ransomware also often includes a countdown clock to force the user to pay the ransom as soon as possible.

Scareware

As its name implies, scareware scares users by informing them that their computers have been infected with malware. It tricks them into paying a fee or purchasing antivirus software to fix the problem. Scareware usually comes with pop-ups when you visit or install software infected with it. And here is the primary play here: your computer has not yet been infected with malware — but the antivirus software the scareware asks you to pay for is malicious.

Here, malware can infect your computer only if you purchase the software. Otherwise, the data won't be affected — though it will continue to bombard your computer with popups.

Scareware can also be distributed through spam emails, which trick users into buying something that has no value. Those purchases can include malware, which can steal sensitive user information.

Leakware (Exfiltration)

Leakware is ransomware that goes further than encrypting your sensitive data. It threatens to leak your data to the public or third parties unless you pay the attackers' ransom demand. As a result, it's a more dangerous type of ransomware than traditional crypto ransomware.

Like crypto ransomware, leakware encrypts the dataset, making it inaccessible, and keeps the encryption key with the attacker. They ensure that this data is confidential to the victim, so leaking it could potentially harm the individual or the organization.

Ransomware-as-a-Service (RaaS)

Like software-as-a-service (SaaS), RaaS is a business model that provides ransomware to attackers who don't have the time or skills to develop it on their own. Instead, attackers can buy or rent ransomware from RaaS providers.

RaaS is advertised on the dark web in the same way that advertisements for goods and services are advertised on the real web. The buyers of RaaS are called affiliates. They can access this software through an online subscription. This subscription may also include usual SaaS features like 24/7 support and other offers.

This business model enables affiliates with zero or little knowledge of ransomware to launch a ransomware attack quickly and affordably. As a result, RaaS has now significantly aided the growth of ransomware attacks. It has also developed into an independent ecosystem of ransomware developers, operators, and other threat actors.

(Related reading: cybercrime as a service.)

Examples of ransomware

Now, let’s look at some of these attack types in action. The following section details a lot of recent ransomware attacks that, for one reason or another, are infamous today.

(If you like these histories, check out these security books to read, recommended by security pros.)

CryptoLocker

Discovered in September 2013, CryptoLocker ransomware was distributed primarily via the GameOver Zeus botnet and email attachments. The victims were asked to pay the ransom in cryptocurrency so that the attackers could avoid being tracked. This ransomware targeted Microsoft Windows devices and encrypted files using RSA public-key cryptography, the most common key in use today.

Though it’s impossible to know the full effects of this attack, experts confirm that CryptoLocker attacked over 250,000 computer systems within four months. Its extortion efforts resulted in the attackers amassing at least $3 million within nine months.

WannaCry

Discovered in 2017, the WannaCry ransomware targeted Windows systems with outdated versions that have the EternalBlue vulnerability in the SMB protocol. It infected the systems as self-contained software that could encrypt the targeted files and prevent users from accessing them. WannaCry has caused around $4 billion in damages and spread to nearly 150 countries.

(Like always, Splunk tackled WannaCry from the moment it began.)

Petya

Petya ransomware, discovered in March 2016, could encrypt a complete hard drive. It was primarily spread through fake job applications with malware infections. Petya attacks the master boot record (MBR) of a computer and then encrypts the Master File Table of the NTFS file system.

Petya is in the same ransomware family as NotPetya, which attacked commercial and government organizations in Ukraine and other countries.

W-2 Scareware

This 2017 scareware attack stole employee W-2 forms from the targeted organizations. (W2s are important tax documents in the US.) Attackers launched this scareware by sending spam emails to payroll or human resources department employees and asking them to send W-2 forms to employees.

The attackers sent an urgent follow-up email, asking them to do wire transfers. The result was at least thousands of dollars lost.

Ryuk

Ryuk ransomware, first observed in August 2018, is known for its targeted attacks on large enterprises and public institutions, demanding high ransom amounts. What makes Ryuk unique is its use of a two-pronged attack strategy: initially deploying TrickBot or Emotet malware to gain network access, followed by the deployment of Ryuk to encrypt data. Ryuk is also notorious for its ability to disable system restore features, making recovery even more challenging.

Here are other notorious ransomware attacks from real life:

• Maze is a ransomware that we can consider leakware. It’s impacted many organizations since 2019. After encrypting data, Maze ransomware threatens to leak it unless the victims pay the ransom.
• Cerber is a popular ransomware as a service. Once infected, it encrypts files while executing silently on the machine. It also attempts to stop Windows security features, including antivirus programs, so that it can spread further into the system.
• Discovered in 2016, Dharma is another ransomware that belongs to the RaaS model. Attackers can spread this ransomware through spam emails by exploiting vulnerabilities in the Remote Desktop Protocol (RDP) and corrupted setup files. The primary targets of this ransomware are the directories of Windows systems.
• DarkSide is also a RaaS-type ransomware that initially targeted Windows machines. However, it later expanded to Linux machines. Associated with the crime group called Carbon Spider, DarkSide attacks unpatched VMware or steals vCenter credentials. (Read more about DarkSide and the attack on Colonial Pipeline, one of the largest gas pipelines in the U.S.)
• Bad Rabbit is ransomware that came to light in October 2017, primarily targeting Russian media agencies. It was spread through compromised websites with fake Adobe Flash updates. Bad Rabbit uses RSA 2048-bit keys to encrypt the file systems and demands a ransom payment via cryptocurrency.

What are the options for victims after a ransomware attack?

Victims of ransomware attacks face tough decisions. Here are the three main options they have:

Option 1. Pay the ransom

Some victims choose to pay the ransom to regain access to their encrypted data. And research from The CISO Report shows that 83% of organizations hit by a ransomware attack paid their attackers. (Curious which industry is most likely to pay the ransom? Retail.)

While this might seem like the quickest way to resolve the issue, it comes with significant risks. Paying the ransom does not guarantee that:

• The attackers will provide the decryption key.
• They won't attack again in the future.

Additionally, paying the ransom encourages cybercriminals to continue their activities.

Option 2. Attempt to remove the ransomware

Victims can try to remove the ransomware and recover their data without paying the ransom. This involves:

• Using antivirus software and decryption tools, if available. 
• Working with a professional IT services team to clean the infected systems.

This option can be time consuming and may not always be successful, especially if the ransomware is sophisticated or if no decryption tools are available.

Option 3. Restore from backups

If the victim has maintained regular backups of their data, they can restore their systems to a state before the ransomware attack. This is often the most effective way to recover from an attack without paying the ransom. However, the success of this option depends on the availability and integrity of the backups. It's crucial to ensure that backups are stored securely and not connected to the infected network to avoid being compromised by the ransomware.

How can you stop ransomware attacks?

Attackers are always evolving their strategies. But security best practices are the least you can do to make it harder for them to victimize your machine and your data.

• Secure your user accounts. Use two-factor or multi-factor authentication (MFA) mechanisms to provide an additional layer of security for your accounts.
• Avoid revealing personal information. Ransomware attackers research the targets before the attack. They can get your personal information from your social media profiles if you share them publicly. Never expose your private information unless absolutely necessary.
• Install robust antivirus software. Installing an antivirus is the first step, but you need to regularly update it, too, to capture the most advanced and newest ransomwares.
• Always keep your systems updated. Ensure that your operating systems, firmware, and other software are regularly updated with patches for vulnerabilities.
• Protect your sensitive data. Implement access control mechanisms for your sensitive data. Apply the privilege of least access.
• Back up your file system and data. Regular backups help you restore your files in case you lose your original files due to ransomware. Ensure you store them securely with encryption and proper access control.
• Prevent vulnerabilities from RDP ports. Remove RDP ports that are no longer in use. Always monitor ports for any unusual behaviors.
• Educate your employees on ransomware. Train your employees to identify ransomware and what actions should be taken in such a situation. Regular security awareness training and random ransomware simulations can detect employees who are vulnerable.
• Configure spam filtering. Configure your emails to filter spam. Additionally, you can use secure email gateways to block phishing attacks.
• Implement zero-trust network security model. The zero-trust model enforces strict identity verifications for all users and devices that try to connect to a private network. The user must undergo strict identity verification, whether they are inside or outside the network perimeter. Therefore, it's difficult for malware to breach such networks.

Early detection mitigates the damage ransomware causes

Early detection and response are critical in minimizing the impact of ransomware attacks. It enables rapid response, protecting business continuity and reducing recovery time. Organizations can enhance their security posture by using endpoint detection and response tools, network monitoring, behavioral analysis, and regular updates. Employee training on recognizing phishing and other attack vectors is also required for early detection.

By implementing the above-mentioned best practices, you can significantly reduce the likelihood of a successful ransomware attack and limit the damage if one occurs.

To learn more, visit StopRansomware.gov, the US government’s primary spot for effectively tackling ransomware.

Ransomware statistics: Why you should care

In 2022 alone, the world saw over 2.3 billion ransomware attacks. This staggering number translates to a ransomware attack occurring every 2 seconds, totaling more than 43,000 attacks daily. Additionally, the average cost of a ransomware attack is approximately $1.85 million, highlighting the severe financial impact on victims.

No matter the current ransomware trends happening, it's important to know that ransomware evolves daily, posing an ever-increasing threat. Research on ransomware encryption speeds shows the rapid pace at which these attacks can compromise systems. Here’s a brief look at the results:

^{Median ransomware speed measured across 10 ransomware families.}

Ransomware today: Still a major threat

Because new variants emerge daily, ransomware remains one of the major security threats. Organizations and individuals must stay vigilant.

There are currently five different types of ransomware: crypto ransomware, locker ransomware, scareware, leakware, and RaaS. RaaS has become more prevalent since it enables attackers with even little knowledge of ransomware execution to easily launch an attack.