What Are the Most Common Types of Ransomware?
Ransomware is malicious software that restricts access to a computer system or data, demanding a ransom for release. Cybercriminals constantly evolve ransomware tactics to exploit vulnerabilities and maximize their impact. The most common types of ransomware include:
- Crypto Ransomware: Encrypts essential files and demands cryptocurrency payments to restore access.
- Locker Ransomware: Blocks access to the entire system without encrypting individual files, holding the device hostage until the ransom is paid.
- Scareware: Bombards users with frightening yet false security warnings to trick them into paying for unnecessary fixes.
- Doxware or Leakware: Threatens to expose sensitive information unless the ransom is settled, leveraging the fear of reputational or legal repercussions.
- RaaS (Ransomware as a Service): A business model rather than a malware family. Affiliates lease ransomware tooling from its developers, which has drastically lowered the entry barrier for cybercriminals and expanded the threat landscape.
Each type of ransomware presents different challenges and requires specific security measures to protect against it.
Ransomware Types and How They Work
Ransomware manifests in various forms, each employing a distinct strategy to extort victims. Encrypting ransomware, locker ransomware and Master Boot Record (MBR) ransomware (a locker variant that overwrites the boot record so the operating system cannot start normally) stand out for their distinct approaches to hijacking user data and systems.
Even as malicious actors adopt new attack techniques, encrypting ransomware and locker ransomware remain by far the two main types. The five most common types of ransomware, each with its own mode of operation, are:
Crypto Ransomware
This type of ransomware encrypts the victim's files, making them inaccessible. The attacker then demands a ransom, typically in cryptocurrency, for the decryption key. Crypto ransomware targets individual files or entire systems, and the encryption is often strong enough that decryption without the key is impractical. It's spread through various methods, including phishing emails and malicious downloads.
Locker Ransomware
Unlike crypto ransomware, locker ransomware does not encrypt files. Instead, it locks the victim out of the operating system, preventing access to files or applications. The ransom demand is displayed on the lock screen, often with a countdown to increase urgency. Because the files themselves are untouched, removing the locker (for example by booting from clean media) usually restores access without paying. Locker ransomware is commonly distributed through exploit kits and infected websites.
Scareware
This type includes rogue security software and tech support scams. It bombards the user with false alarms or a fake detection of viruses or issues on the computer, demanding money to resolve these fabricated problems. While it may not restrict access to files or systems, its persistent and alarming notifications can be disruptive. Scareware often makes its way onto computers through pop-up ads or user-initiated software downloads.
Doxware (Leakware)
This ransomware threatens to publish sensitive personal or organizational data online unless a ransom is paid. The effectiveness of Doxware lies in the fear of reputational damage or legal consequences from the data release. This type of ransomware can infiltrate systems similarly to other malware, including through phishing attacks or security vulnerabilities.
RaaS (Ransomware as a Service)
The RaaS model allows individuals to lease ransomware from its developers, eliminating the need for the technical expertise to write the malware. An affiliate conducts the attack and splits the proceeds with the developer. This model has made ransomware attacks more accessible and increased their frequency. RaaS offerings are typically advertised on dark web marketplaces and forums, putting them within reach of many cybercriminals.
How to Prevent Ransomware Attacks
Defenses should be built around preventing infection rather than only detecting and remediating it after the fact. This requires a shift toward proactive, automated security that is coordinated across the network and endpoints, increasingly with machine-learning assistance.
Implementing such a system involves using tools, including machine learning, that can stop unknown and zero-day threats such as new ransomware variants before they execute. Coordinating endpoint prevention, network security, malware analysis and threat management is crucial for closing the gaps between these layers and stopping dangerous variants.
Because no prevention is absolute, businesses should also maintain a tested response and recovery plan, including offline or immutable backups that the ransomware cannot reach.
Reducing the Attack Surface
Managing the attack surface starts with complete visibility into network traffic and blocking anything unknown or high-risk. Application- and user-based controls limit access to SaaS tools to the employees who need them for their work.
It is also important to block or sandbox the file types associated with recent attacks (script files, disk images such as ISO, shortcut files and macro-enabled Office documents are common carriers) and to align endpoint policy with risk, so that noncompliant endpoints cannot connect to critical network resources.
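As an added example (not from the original page or any product's configuration), the following Python policy check shows how a mail gateway or download filter can enforce file-type controls of this kind. It combines three checks that catch common delivery tricks: a denylist of executable and container extensions, a comparison of the declared extension against the file's leading bytes (a "PDF" that starts with an MZ header is an executable), and the right-to-left override character used to disguise extensions. The denylist, the magic-byte table, the sample names and the `evaluate` function are all assumptions constructed for this example.

```python
from typing import Optional, Tuple

# Constructed denylist for this example: extensions that execute code or act as
# containers on Windows. A production policy is tuned to current intelligence.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "dll", "bat", "cmd", "ps1", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "lnk", "iso", "img", "vhd", "vhdx",
}
# Archives are not blocked outright but routed to detonation: a password-
# protected archive hides its contents from static scanning.
ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "gz", "tgz"}

# Leading bytes of container formats whose declared extension should match.
MAGIC = (
    (b"MZ", "pe"),                   # PE executable (.exe/.dll/.scr)
    (b"\xd0\xcf\x11\xe0", "ole"),    # legacy Office / OLE compound file (may hold VBA)
    (b"PK\x03\x04", "zip"),          # ZIP container (.zip, .docx, .xlsx, .jar)
    (b"%PDF", "pdf"),
)
# Right-to-left override: makes "photo\u202egnp.scr" display as "photorcs.png".
RLO = "\u202e"


def sniff(first_bytes: bytes) -> Optional[str]:
    """Identify the container type from its leading bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if first_bytes.startswith(magic):
            return kind
    return None


def extensions(name: str):
    """All dotted suffixes, lowercased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def evaluate(name: str, first_bytes: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'detonate' or 'allow'."""
    exts = extensions(name)
    final = exts[-1] if exts else ""
    kind = sniff(first_bytes)

    if RLO in name:
        return "block", "right-to-left override character disguises the real extension"
    if final in BLOCKED_EXTENSIONS:
        return "block", f".{final} is a blocked file type"
    if kind == "pe":
        # The name says document or image, the content says executable.
        return "block", f"PE executable content under a .{final or '(none)'} name"
    if final in {"docm", "xlsm", "pptm"} or kind == "ole":
        # Macro-enabled or legacy Office containers may carry VBA: sandbox them.
        return "detonate", "Office container may contain macros"
    if final in ARCHIVE_EXTENSIONS:
        return "detonate", "archive contents cannot be verified statically"
    return "allow", "no policy match"


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes as a scanner would read them).
    samples = [
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("quarterly_report.pdf", b"MZ\x90\x00\x03"),
        ("photo\u202egnp.scr", b"MZ"),
        ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
        ("Q1_data.xlsm", b"PK\x03\x04"),
        ("report.pdf", b"%PDF-1.7"),
    ]
    for name, head in samples:
        print(f"{name!r:28} -> {evaluate(name, head)}")
```

The order of the checks matters: the name-based rules run before the content rules so that a blocked extension is reported as such even when the content is unreadable, and anything that merely cannot be judged statically is routed to detonation rather than silently allowed.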
Preventing Known Threats
Stopping known exploits, malware, and command-and-control traffic and blocking access to malicious and phishing URLs is vital. Scanning for known malware in SaaS-based applications is crucial because these platforms are a new path for malware delivery. Additionally, known malware and exploits on endpoints should be blocked.
Identifying and Preventing Unknown Threats
The ability to detect and analyze unknown threats in files and URLs is crucial. Files and URLs with no known verdict should be detonated in a sandbox and scrutinized for malicious behavior, and the resulting protections pushed out across the organization so that a threat seen once is blocked everywhere.
Contextualizing threats (which users, hosts and applications are involved, and whether the behavior fits a known pattern) improves proactive protection and mitigation. Once such threats or trends of suspicious behavior have been identified, blocking unknown malware and exploits on the endpoint is essential.
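To make the behavioral side of this concrete, here is an added example (not from the original page or any product): a small Python detector run over constructed file-activity events, flagging what distinguishes a crypto-ransomware run regardless of whether the binary is known. It fires on a burst of extension-changing renames by one process, on a ransom-note-like file being dropped into several directories, and on any access to a canary document. The event format, thresholds, process names, paths and the canary location are all assumptions; a single legitimate rename (notes.txt to notes.md) stays below the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def event(ts, pid, proc, op, path, new_path=""):
    """Build one tab-separated telemetry line (constructed format for this example)."""
    return "\t".join([ts, str(pid), proc, op, path, new_path])


# Constructed file-activity telemetry: benign activity, then a mass-encryption run.
SAMPLE_EVENTS = [
    event("2024-05-01T10:00:00Z", 1200, "winword.exe", "WRITE", r"C:\Users\amy\Docs\budget.xlsx"),
    event("2024-05-01T10:00:02Z", 1340, "explorer.exe", "RENAME", r"C:\Users\amy\Docs\notes.txt", r"C:\Users\amy\Docs\notes.md"),
    event("2024-05-01T10:00:05Z", 4312, "update.exe", "RENAME", r"C:\Users\amy\Docs\q1.xlsx", r"C:\Users\amy\Docs\q1.xlsx.locked"),
    event("2024-05-01T10:00:05Z", 4312, "update.exe", "RENAME", r"C:\Users\amy\Docs\q2.xlsx", r"C:\Users\amy\Docs\q2.xlsx.locked"),
    event("2024-05-01T10:00:06Z", 4312, "update.exe", "RENAME", r"C:\Users\amy\Docs\plan.docx", r"C:\Users\amy\Docs\plan.docx.locked"),
    event("2024-05-01T10:00:06Z", 4312, "update.exe", "RENAME", r"C:\Users\amy\Docs\~canary.docx", r"C:\Users\amy\Docs\~canary.docx.locked"),
    event("2024-05-01T10:00:07Z", 4312, "update.exe", "CREATE", r"C:\Users\amy\Docs\HOW_TO_DECRYPT.txt"),
    event("2024-05-01T10:00:07Z", 4312, "update.exe", "RENAME", r"C:\Users\amy\Pictures\img1.jpg", r"C:\Users\amy\Pictures\img1.jpg.locked"),
    event("2024-05-01T10:00:08Z", 4312, "update.exe", "RENAME", r"C:\Users\amy\Pictures\img2.jpg", r"C:\Users\amy\Pictures\img2.jpg.locked"),
    event("2024-05-01T10:00:08Z", 4312, "update.exe", "CREATE", r"C:\Users\amy\Pictures\HOW_TO_DECRYPT.txt"),
    event("2024-05-01T10:00:09Z", 4312, "update.exe", "CREATE", r"C:\Users\amy\Desktop\HOW_TO_DECRYPT.txt"),
]

RENAME_THRESHOLD = 5     # extension-changing renames by one process ...
WINDOW_SECONDS = 10      # ... inside this sliding window
NOTE_DIRS_THRESHOLD = 3  # ransom-note-like files dropped in this many directories
NOTE_PATTERN = re.compile(r"(readme|decrypt|recover|restore).*\.(txt|html|hta)$", re.I)
# Decoy document no legitimate process should touch (assumed location).
CANARY_PATHS = {r"C:\Users\amy\Docs\~canary.docx"}


def parse(line: str) -> Tuple[float, int, str, str, str, Optional[str]]:
    ts, pid, proc, op, path, *rest = line.split("\t")
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    new_path = rest[0] if rest and rest[0] else None
    return epoch, int(pid), proc, op, path, new_path


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def ext(path: str) -> str:
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines: List[str]) -> List[Tuple[str, int, str, str]]:
    """Return (rule, pid, process, detail) alerts, at most one per rule per pid."""
    alerts, fired = [], set()
    renames = defaultdict(deque)   # pid -> recent (epoch, new_extension)
    note_dirs = defaultdict(set)   # pid -> directories holding a ransom-note-like file

    def fire(rule, pid, proc, detail):
        if (rule, pid) not in fired:
            fired.add((rule, pid))
            alerts.append((rule, pid, proc, detail))

    for line in lines:
        epoch, pid, proc, op, path, new_path = parse(line)

        # Rule 1: any access to a canary file is suspicious on its own.
        if path in CANARY_PATHS or new_path in CANARY_PATHS:
            fire("canary_touched", pid, proc, path)

        # Rule 2: burst of renames that change the extension (mass encryption).
        if op == "RENAME" and new_path and ext(new_path) != ext(path):
            window = renames[pid]
            window.append((epoch, ext(new_path)))
            while window and epoch - window[0][0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD:
                fire("rename_burst", pid, proc,
                     f"{len(window)} files renamed to .{window[-1][1]} within {WINDOW_SECONDS}s")

        # Rule 3: ransom-note-like file dropped into several directories.
        if op == "CREATE" and NOTE_PATTERN.search(basename(path)):
            note_dirs[pid].add(dirname(path))
            if len(note_dirs[pid]) >= NOTE_DIRS_THRESHOLD:
                fire("ransom_note_spray", pid, proc, basename(path))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the canary rule fires first, then the rename burst on the fifth rename, then the note spray when the third directory receives a note; all three point at the same pid, which is what an automated response (suspend the process, isolate the host) needs. Real telemetry arrives out of order and at far higher volume, so the per-process windows should be bounded and the thresholds tuned against a baseline of legitimate bulk operations such as backup software and archive extraction.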
The Evolution of Ransomware Attacks
Ransomware has evolved significantly, reflecting broader trends in cybercrime and technology. Today, threat actors are increasingly employing persistent extortion techniques to gain leverage over targeted organizations and accomplish their goals.
While much attention has been paid to the ransomware itself, modern threat actors increasingly use cloud-based Ransomware as a Service tooling and additional extortion techniques to coerce targets into paying. Some groups dispense with ransomware entirely and rely on data theft and extortion alone.
Early Stages (Late 1980s - Early 2000s)
The earliest forms of ransomware were relatively primitive. The AIDS Trojan of 1989, one of the first known ransomware programs, was distributed on floppy disks and demanded that the ransom be mailed to a post office box. These early ransomware types used simple locking mechanisms or weak, easily reversed encryption, and demanded payment via postal mail or wire transfer.
Encryption-Based Ransomware (Mid-2000s Onward)
A significant evolution occurred with the advent of encryption-based ransomware, which encrypts the victim's files so that they cannot be read without the decryption key. Notable examples include GpCode (mid-2000s), CryptoLocker (2013) and, later, WannaCry (2017). Payment increasingly came to be demanded in Bitcoin as cryptocurrencies made anonymous collection practical. This era marked a shift to more sophisticated attack techniques and to larger targets, causing widespread disruption.
Ransomware as a Service (RaaS) and Double Extortion (The mid-2010s - Present)
The ransomware landscape further evolved with RaaS, where ransomware developers lease their software to others in exchange for a portion of the ransom. This model has lowered the entry barrier for cybercriminals. The tactic of double extortion emerged, where attackers not only encrypt data but also threaten to release it publicly unless the ransom is paid. This approach compounds the impact on victims, including reputational damage and regulatory penalties.
Targeted Ransomware Attacks and AI Integration (Recent Trends)
More recently, attackers are moving away from widespread, indiscriminate attacks to highly targeted ones, often preying on large corporations, government entities, and critical infrastructure. Integrating AI and machine learning in ransomware operations is also a concerning trend, potentially leading to more adaptive and evasive malware.
Throughout its evolution, ransomware has consistently adapted to technological advancements and shifts in cybersecurity practices. This constant evolution underscores the need for robust, multi-layered cybersecurity strategies and regular updates to defense mechanisms.
Notable Ransomware Families
A few of the countless strains of ransomware have emerged as particularly notorious. They wreak havoc across industries with their advanced techniques and high-profile attacks. These notable ransomware families are known for their unique characteristics, methods of attack, and the significant impact they have had on the global cybersecurity ecosystem.
The Persistent Threat of Cryptolocker
Cryptolocker, emerging in 2013, set a precedent in the world of ransomware with its use of asymmetric encryption. A unique RSA key pair was generated for each victim on the attackers' server: the public key was sent to the infected machine and used to encrypt the victim's files (in practice by wrapping per-file symmetric keys), while the private key needed to decrypt never left the attackers' infrastructure, so no analysis of the infected host could recover it.
Victims received a ransom note demanding payment, usually in Bitcoin, for the private key. Cryptolocker was primarily spread through email attachments and the Gameover ZeuS botnet and was notorious for its high financial demands. It was effectively disabled in 2014 by Operation Tovar, the international effort that took down Gameover ZeuS, but its legacy endures: it inspired numerous subsequent ransomware strains.
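Both the crypto ransomware description earlier on this page and CryptoLocker's asymmetric scheme rest on the same envelope-encryption pattern that key management systems use: each file is encrypted under a fresh symmetric key, and only that key is wrapped with the attacker's public key. The following added example (not code from the page or from any ransomware family) shows the key flow on an in-memory byte string, with a toy RSA pair built from two Mersenne primes and a SHA-256 stream cipher standing in for AES. The parameters, function names and sample plaintext are assumptions for illustration, and textbook RSA on fixed primes is not secure; the point is which material ends up where.

```python
import os
from hashlib import sha256

# Toy RSA modulus from two Mersenne primes (constructed for illustration only;
# textbook RSA on small fixed primes is NOT secure, it just shows the key flow).
P = (1 << 61) - 1
Q = (1 << 127) - 1
E = 65537


def rsa_keypair():
    """Return (public, private) as (n, e) and (n, d). Generated attacker-side."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
    return (n, E), (n, d)


def rsa_wrap(public, key_int: int) -> int:
    """Wrap a symmetric key with the public key; needs no secret material."""
    n, e = public
    assert key_int < n
    return pow(key_int, e, n)


def rsa_unwrap(private, wrapped: int) -> int:
    """Recover the symmetric key; only the private-key holder can do this."""
    n, d = private
    return pow(wrapped, d, n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream over key||counter), a stand-in for AES-CTR."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def encrypt_blob(public, plaintext: bytes):
    """Victim-side operation: needs only the public key.
    Returns what is left on disk: the wrapped file key and the ciphertext."""
    file_key = os.urandom(16)                      # fresh symmetric key per file
    ciphertext = stream_xor(file_key, plaintext)
    wrapped = rsa_wrap(public, int.from_bytes(file_key, "big"))
    # The raw file_key exists only transiently in memory; nothing else is kept.
    return wrapped, ciphertext


def decrypt_blob(private, wrapped: int, ciphertext: bytes) -> bytes:
    """Attacker-side operation: the private key never leaves their server."""
    file_key = rsa_unwrap(private, wrapped).to_bytes(16, "big")
    return stream_xor(file_key, ciphertext)


if __name__ == "__main__":
    public, private = rsa_keypair()
    wrapped, ciphertext = encrypt_blob(public, b"Q3 forecast: revenue 4.2M")
    print("left on the victim: public exponent", public[1], "wrapped key", wrapped)
    print("ciphertext:", ciphertext.hex())
    print("recovered with private key:", decrypt_blob(private, wrapped, ciphertext))
```

The consequence for responders: the artifacts on the victim (public key, wrapped key, ciphertext) are not enough to decrypt, and the per-file key exists in process memory only until it is wrapped. Key recovery, when it happens at all, comes from memory captured during an active run or from flaws in the malware's own key handling or random-number generation, never from the encrypted files themselves; that is why offline backups, not forensics, are the reliable recovery path.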
Maze Ransomware: The Compounding Danger
Maze ransomware, which first appeared in 2019, introduced a new threat level by combining data encryption with data exfiltration. This double-extortion tactic meant that even victims with backups to restore their data could still be threatened with the public release of the stolen data unless a ransom was paid.
Maze targeted various sectors, from healthcare to finance, and was known for its sophisticated evasion techniques. Its impact was significant, causing data loss, reputational damage, and regulatory concerns for affected organizations.
Ryuk Ransomware: Targeting High-Value Networks
Ryuk ransomware emerged in 2018 and is known for targeting large, high-value organizations with a tailored approach. Unlike other ransomware that spreads indiscriminately, Ryuk attacks are typically well-planned and executed against organizations likely to pay large ransoms.
Ryuk disrupts networks by encrypting critical files and systems, causing significant operational and financial damage to organizations, including major newspapers, healthcare providers, and technology companies.
The Emergence of Ransomware Groups
Ransomware groups range from opportunistic amateurs using easily accessible tools to highly sophisticated, organized criminal enterprises. Some exhibit advanced techniques, encryption methods, and evasion tactics, while others rely on more basic strategies. Their motivations primarily revolve around financial gain.
Some seek quick profits through indiscriminate attacks on numerous small targets, while others meticulously target high-profile organizations for larger ransoms. Ideological or geopolitical motives might drive certain groups, where disrupting operations or causing chaos becomes their primary goal.
Some ransomware groups operate like businesses, with clear hierarchies, specialized roles (such as developers, affiliates, and negotiators), and efficient operational structures. Others might function as looser collectives or networks, sharing tools and intelligence.
How Nation-State Actors Have Embraced Ransomware
Extortion gangs are opportunistic, but there are some patterns in the organizations they attack. Based on an analysis of dark web leak sites by Palo Alto Networks’ Unit 42 research group, manufacturing was one of the most targeted industries in recent years.
This trend is due to the prevalence of systems used by this industry running on out-of-date software that isn’t regularly or easily updated or patched—not to mention the industry’s low tolerance for downtime. According to leak site data, organizations based in the United States were most severely affected.
Advanced threat groups may use extortion and ransomware to fund other activities, or to hide them. Threat groups from countries under economic embargoes or sanctions have been observed using ransomware and extortion to fund their operations. Other threat groups, including some from Iran or China, appear to have a different objective when using ransomware.
Threat actors can gain more than money from deploying ransomware: it can serve as a destructive attack in disguise or as cover for espionage.
In the years ahead, Unit 42 experts expect to see continuing evolution in different types of ransomware and emerging trends like these from extortion groups:
- Increases in significant cloud ransomware compromises.
- A rise in extortion related to insider threats.
- A surge in politically motivated extortion attempts.
- The use of ransomware and extortion to distract from attacks aimed to infect the supply chain or source code.