Exploring Types of Ransomware

Ransomware remains one of the most damaging and widespread threats facing individuals and organizations alike. Ransomware is malicious software that encrypts your data, locks you out of your system, or threatens to publish what it has stolen until a ransom is paid to the attacker. Understanding the different types of ransomware, and how each one actually works, is essential to defending against a threat that keeps evolving.

In this article we look at the main types of ransomware, how they operate, and what you can do to protect yourself and your data.

Cryptographic Ransomware

This is the most common type of ransomware. It encrypts the victim's files with strong, correctly used cryptography so that they cannot be read without a key that only the attacker holds.

Once running, cryptographic ransomware systematically walks local drives and reachable network shares and encrypts a broad set of file types: documents, images, videos, databases and backups. Most families use a hybrid scheme: each file (or each victim) gets a fresh symmetric key, typically AES, and that key is in turn encrypted with an RSA public key embedded in the malware or fetched from the attacker's server. Only the matching private key, which never leaves the attacker, can unwrap the file keys, and brute-forcing AES or RSA at realistic key sizes is not feasible. Victims are then shown a ransom note demanding payment for the key. Recovery without paying is only possible from backups the malware could not reach, or when the authors made an implementation mistake (a weak random number generator, a key left in memory or on disk) that lets researchers build a free decryptor.

Some well-known crypto ransomware families include:

  • WannaCry: One of the most notorious ransomware outbreaks in history. In May 2017 it spread as a worm by exploiting the EternalBlue SMBv1 vulnerability in Windows (patched by MS17-010 two months earlier), appended .WNCRY to the files it encrypted and demanded a Bitcoin ransom. Its speed showed how much damage unpatched, exposed SMB can do.
  • CryptoLocker: Emerging in 2013 and aimed at Windows users, it encrypted files with per-victim RSA-2048 keys generated on the attackers' servers and demanded payment in Bitcoin or prepaid cash vouchers. A 2014 law-enforcement takedown of its infrastructure eventually let researchers recover keys for many victims.
  • Locky: Distributed from 2016 mainly through email attachments, typically Office documents with malicious macros or scripts inside archives, Locky encrypted files with AES and protected the file keys with RSA. It demanded payment in Bitcoin, whose pseudonymity makes payments hard to attribute to a person, though movements on the public ledger can still be traced.
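Because ciphertext produced by AES is indistinguishable from random bytes, a defender who has no hope of recovering the key can still notice the encryption happening. The following is an added example for this article, not code from any of the families above; it computes the Shannon entropy of constructed in-memory sample files, combines it with the renamed-extension signal, and only alerts when a large share of a snapshot looks encrypted. The suffix list and thresholds are assumptions for the demo.

```python
"""Heuristics a defender can use to spot the output of crypto-ransomware.

Added example for this article, not code from any family named here.
Two signals an EDR or file-server agent can compute without the attacker's key:
  1. Shannon entropy of the bytes: AES ciphertext is indistinguishable from
     random (close to 8 bits/byte); text, office documents and logs score
     far lower.
  2. Extension churn: encryptors rename files with a new suffix.
Entropy alone is noisy because compressed archives and media also score
high, so a file is only called 'encrypted' when both signals agree, and an
alert is raised only when a large share of the snapshot looks encrypted.
"""
import math
import os
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; plain text is ~4-5, ciphertext >7.9

# Suffixes used by families named in the article (WannaCry, Locky,
# GandCrab, Cerber) plus a generic one. A real detector uses a curated list.
RANSOM_SUFFIXES = {".wncry", ".locky", ".crab", ".cerber", ".encrypted"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Label a file 'encrypted', 'high_entropy' (likely compressed) or 'normal'."""
    high = shannon_entropy(data) >= ENTROPY_THRESHOLD
    ransom_ext = os.path.splitext(name)[1].lower() in RANSOM_SUFFIXES
    if high and ransom_ext:
        return "encrypted"
    return "high_entropy" if high else "normal"


def scan(files: dict, alert_ratio: float = 0.25) -> dict:
    """Classify a snapshot of {name: bytes}. One odd file is noise; a large
    fraction converting to ciphertext with ransom suffixes is an incident."""
    labels = {name: classify(name, data) for name, data in files.items()}
    encrypted = sum(1 for label in labels.values() if label == "encrypted")
    ratio = encrypted / len(files) if files else 0.0
    return {"labels": labels, "encrypted": encrypted, "alert": ratio >= alert_ratio}


# Constructed sample "files" (fixed seed so the demo is reproducible).
# Random bytes stand in for AES ciphertext and for a compressed archive.
_rng = random.Random(2017)
_TEXT = b"Quarterly revenue grew 4 percent; see the attached figures. " * 60
SAMPLE_FILES = {
    "report.docx": _TEXT,
    "notes.txt": _TEXT[:900],
    "photos.zip": _rng.randbytes(8192),         # legitimate high-entropy file
    "report.docx.WNCRY": _rng.randbytes(8192),  # what WannaCry leaves behind
    "budget.xlsx.locky": _rng.randbytes(8192),  # what Locky leaves behind
}

if __name__ == "__main__":
    result = scan(SAMPLE_FILES)
    for name, label in result["labels"].items():
        print(f"{label:13s} {name}")
    print("ALERT: mass encryption suspected" if result["alert"] else "no alert")
```

The zip file is deliberately included to show why entropy alone is not enough: it scores as high as the ciphertext but keeps its extension, so it is reported as high_entropy rather than encrypted. Production detectors add a third signal the snapshot cannot show, the rate of change, since thousands of files flipping to ciphertext within minutes is the real tell.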

Locker Ransomware

Locker ransomware takes a different approach. Instead of encrypting files, it locks the victim out of the device, usually with a full-screen window that cannot be closed or by tampering with the boot process, so that the whole system is unusable. It is often less technically sophisticated than crypto ransomware but can still be very effective against non-technical users.

Locker ransomware frequently accuses the user of illegal online activity and demands payment of a "fine". The device stays unusable until the ransom is paid. Because the files themselves are normally left untouched, recovery is usually easier than with cryptographic ransomware: booting from rescue media, removing the lock-screen component or reimaging the system restores access to the data.

Two prominent examples of locker ransomware are:

  • Police Ransomware: This type of locker ransomware disguises itself as a message from a law enforcement agency, accusing the victim of illegal activities and demanding payment to unlock the device.
  • Petya/NotPetya: Petya, which appeared in 2016, overwrote the master boot record and encrypted the NTFS Master File Table, so the machine could not boot into Windows until a ransom was paid; because it does encrypt disk metadata, it sits between the locker and crypto categories. NotPetya, which spread in June 2017 using the same EternalBlue exploit as WannaCry together with stolen credentials, reused Petya's boot-level lock but was effectively a wiper: its primary motive was destruction rather than financial gain, the mailbox in its ransom note was quickly shut down, and paying could not recover the data.

Scareware

Scareware doesn't encrypt your files or lock your device. Instead it tricks you into believing you are in grave danger, typically with fake security alerts, infection counters or bogus system scans, and then sells a "security product" that does nothing. Strictly it is fraud rather than ransomware, since nothing is actually held hostage, but it relies on the same extortion psychology. Some examples of scareware include:

  • WinFixer: WinFixer displayed exaggerated security warnings and offered a paid solution to fix non-existent issues.
  • Antivirus XP: This fake antivirus software bombarded users with pop-up warnings about infections and urged them to purchase a full version.

Doxware (Leakware)

Doxware, also known as leakware, threatens to publish sensitive data stolen from the victim unless a ransom is paid. Because the leverage is exposure rather than lost access, even a perfect backup strategy does not defuse it.

Doxware represents an evolution of ransomware extortion. In practice most groups combine it with encryption, a tactic known as double extortion: files are encrypted and the stolen copies are published on a leak site if the victim refuses to pay. Trade secrets, intellectual property, customer and employee data and other confidential information are all at risk.

Notable doxware examples include:

  • REvil (Sodinokibi): The REvil group ran a dedicated leak site and routinely threatened to release stolen data if the ransom was not paid, targeting high-profile victims.
  • Maze: Maze was the first major ransomware operation to publish stolen data, starting in late 2019, and popularized the double-extortion model that most groups have since adopted.

Mobile Ransomware

Mobile ransomware targets smartphones and tablets. Depending on the family it locks the screen, encrypts files on the device or its storage card, or steals personal data and threatens to expose it.

Given how much private and sensitive data phones hold, mobile ransomware is a serious risk. It is usually delivered by social engineering rather than exploits: fake apps and "updates" sideloaded from outside the official app stores, or malicious links in SMS messages, trick the user into installing it and granting the permissions it needs.

Some mobile ransomware examples are:

  • SimpleLocker: Appearing in 2014, this Android ransomware was the first seen to actually encrypt files (on the device's SD card, using AES) rather than merely lock the screen, and it demanded payment to restore them. It posed as a legitimate app.
  • Svpeng: Svpeng began as an Android banking Trojan and later added a locker component that blocks the screen with a fake law-enforcement notice and demands payment to unlock it.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service is a business model rather than a malware type: ransomware developers lease their encryptor, payment portal and negotiation infrastructure to "affiliates", who break into victims, deploy the malware and hand back a share of each ransom, typically 20 to 30 percent. Affiliates need no skill in writing malware or cryptography, which lowers the barrier to entry and has fuelled the growth of ransomware. Several of the groups named elsewhere in this article, including REvil, operated this way.

Prominent RaaS families include:

  • GandCrab: Between 2018 and 2019 GandCrab was one of the most widely distributed RaaS ransomware families, with many different criminal groups using the service to conduct attacks before its operators announced their retirement.
  • Cerber: Cerber operated as RaaS from 2016 and was notable for features unusual at the time, such as a ransom note read aloud through the Windows text-to-speech engine.

Doppelganger Ransomware

Doppelganger ransomware disguises itself as legitimate software, often a popular application, utility or software update, so that users run it willingly and traditional security controls are less likely to flag it. Strictly this is a delivery technique rather than a distinct payload class, since the malware that runs afterwards is usually ordinary crypto ransomware, but it remains a dangerous one because it relies on the user's trust instead of a vulnerability.

Bad Rabbit: In October 2017 Bad Rabbit was pushed from compromised news websites as a fake Adobe Flash Player update. Once a user ran the installer it encrypted files and the disk, attempted to spread across the network using harvested credentials and SMB, and demanded a ransom in Bitcoin.

Multi-Vector Ransomware

Multi-vector ransomware combines several attack techniques to reach and compromise as many systems as possible: exploiting vulnerabilities, phishing and other social engineering, stolen credentials, and staged payload delivery through existing botnets.

TrickBot: TrickBot began as a banking Trojan but evolved into a modular loader. Typically delivered by Emotet phishing campaigns, it harvested credentials, mapped the network and then handed access to operators who deployed Ryuk (and later Conti) ransomware.

Human-Operated Ransomware

Most damaging ransomware attacks today are human-operated rather than fully automated. Instead of a program that encrypts whatever it lands on, an intrusion team gains a foothold (phishing, exposed remote access services, stolen credentials or an initial-access broker), moves laterally, escalates to domain administrator, exfiltrates data, destroys backups and shadow copies, and only then pushes the encryptor to every machine at once, often at night or before a weekend. Human operators also manage the extortion directly, tailoring ransom demands to the victim's revenue and insurance cover.

This approach lets ransomware groups demand far higher ransoms and makes negotiations personal. Some of the most lucrative attacks against large organizations have involved weeks of dwell time before encryption and extensive communication between attackers and victims afterwards. The upside for defenders is that the manual pre-encryption phase leaves detectable traces, which fully automated families rarely do.
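The backup-destruction step is the most reliable place to catch a human-operated intrusion before the encryptor runs. The following is an added example for this article, not code or telemetry from any real incident: it matches constructed process-creation records (in the shape of Sysmon Event ID 1, with the field names assumed) against documented commands crews use to delete Volume Shadow Copies, purge the Windows Backup catalog and disable boot recovery, then rates each host.

```python
"""Detect the backup-destruction steps that precede encryption in
human-operated ransomware intrusions.

Added example for this article, not telemetry or code from any real case.
Input records are constructed in the shape of Sysmon Event ID 1 (process
creation) with the fields an analyst actually uses: host, user, parent
image and full command line. Each indicator below is a documented command
crews run before deploying the encryptor: deleting Volume Shadow Copies,
shrinking shadow storage so old copies are purged, deleting the Windows
Backup catalog, or disabling automatic boot recovery.
"""
import re

INDICATORS = {
    "shadow_copy_delete":    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "shadow_storage_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadow_delete":    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "recovery_disabled":     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}


def detect(events):
    """Return one finding per (event, indicator) match."""
    findings = []
    for ev in events:
        for name, pattern in INDICATORS.items():
            if pattern.search(ev["cmd"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "indicator": name, "cmd": ev["cmd"]})
    return findings


def triage(events):
    """Per-host severity. A single shadow-copy deletion may be an admin
    freeing disk space; several distinct indicators on one host in the
    same batch is the pre-encryption playbook and should page someone."""
    seen = {}
    for f in detect(events):
        seen.setdefault(f["host"], set()).add(f["indicator"])
    return {host: ("high" if len(kinds) >= 2 else "medium")
            for host, kinds in seen.items()}


# Constructed sample events: a benign scheduled backup, a benign agent run,
# and a burst of three destructive commands from an interactive shell on a DC.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": r"C:\Windows\System32\services.exe",
     "cmd": r"C:\Windows\System32\vssadmin.exe create shadow /for=D:"},
    {"host": "DC01", "user": "CORP\\Administrator", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "DC01", "user": "CORP\\Administrator", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "wbadmin DELETE CATALOG -quiet"},
    {"host": "DC01", "user": "CORP\\Administrator", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS17", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Program Files\Backup\agent.exe --verify"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['indicator']}: {f['cmd']}")
    print(triage(SAMPLE_EVENTS))
```

The benign vssadmin create shadow event on FS01 is there to show that matching on the binary name alone would flood the queue with backup jobs; the patterns key on the destructive verbs instead. In a real deployment the parent process (cmd.exe or PowerShell spawned from an RDP session versus a backup scheduler) and the time window between the commands are the next two fields worth adding to the score.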

Conclusion

Ransomware is a persistent and evolving threat in the digital world. Understanding the various types of ransomware and the tactics they employ is essential for individuals and organizations to defend against these attacks.

By staying informed and implementing robust cybersecurity measures, we can mitigate the risks posed by ransomware and protect our data and systems from malicious actors.

Always remember that prevention is the best defense: offline or immutable backups that are regularly test-restored, prompt patching of internet-facing systems, multi-factor authentication on remote access, and least privilege for accounts all reduce both the likelihood and the impact of ransomware on our digital lives.
