10 Types of Ransomware

Types of Ransomware

What is Ransomware?

There are different types of ransomware. Ransomware is one of the most pernicious cyber threats facing organizations today, as it can quickly cause havoc across a device or enterprise network–even servers!

Criminals may gain entry to an organization’s systems via phishing emails or exploiting software flaws and vulnerabilities.

Victims are advised to avoid paying ransom demands as this could void their cyber insurance policies and allow further data loss or destruction. Instead, they should create and test backups in order to limit loss and expedite recovery as quickly as possible.

10 Different Types of Ransomware

Ransomware typically involves encryption of files, locking victims out until they pay an amount in cryptocurrency or make payment arrangements to get access to their data again. Some forms of crypto ransomware disable system restore features or delete backups to increase pressure on victims; other non-encrypting ransomware locks the device screen or displays popup messages to stop people from accessing computers and devices.

Attackers gain entry to networks, install malicious encryption software and then activate it. As soon as an attack begins, on-screen alerts inform users that their systems or files have been locked up and payment must be made in order to gain access.

Ransomware attacks can be both costly and disruptive for organizations. Ransomware can keep organizations offline for weeks or months, leading to significant revenue losses as well as the time and resources required to clean up after such an attack. It is crucial that organizations implement consistent, protected data backup solutions; automating regular backups so they are accessible when necessary will offer greater protection from such threats.

As ransomware attacks continue to surge by 13 percent annually, it is essential for organizations to understand different forms of ransomware such as crypto ransomware, locker ransomware and scareware.

Crypto ransomware encrypts files on victim systems and displays a message demanding payment. Some attack variants even delete shadow copies and backups to make recovering originals difficult.

1. Crypto Ransomware

Crypto ransomware infiltrates victim systems, rendering files inaccessible, then demands payment for the decryption key to unlock them. Attackers typically display threatening messages or countdown clocks to prompt victims into taking immediate action against themselves.

Attackers gain entry to networks through software exploits or flaws, cracked passwords or other vulnerabilities. Once inside, malicious code searches out vulnerable systems or servers and targets them with infection.

Attackers may gain entry to networks through various means, with email phishing being the most prevalent way in which hackers gain entry. When opened, these emails often contain malicious attachments or links with embedded macros that activate automatically upon being opened. Ransomware attacks can also occur through compromised web apps or drive-by downloads – the possibilities are limitless!

Backups should always be stored off-network to protect digital data from ransomware attacks, according to experts. They advise against paying ransom, as this doesn’t ensure hackers will release keys for the files taken hostage; one study reported only 60% of victims who paid ransom were successful in recovering access after doing so.

2. Exfiltration Leakware

Ransomware typically infiltrates computers through viruses or Trojan horses and begins encrypting files, replacing the originals with encrypted versions and erasing backup and shadow copies in order to make recovery from incidents more challenging without access to a decryption key. While some variants selectively select which files they encrypt, others take more aggressive approaches such as targeting login credentials, customer information or intellectual property for double extortion purposes.

Once a system has been compromised, attackers will display a ransom message demanding payment in order to unlock victims’ files and prevent further infections or threats against publishing stolen or encrypted information online.

Criminals have started offering ransomware-as-a-service offerings that resemble software-as-a-service models. Customers can buy their ransomware over the dark web for a monthly subscription fee; their ransomware variants usually leverage existing malware code with features like data extortion, exfiltration or DDoS attacks; making deployment and operation of such threats simple even for threat actors with limited skills or resources.

3. DDoS Ransomware

Cybercriminals use ransomware to blackmail businesses and consumers into parting with money. Cybercriminals encrypt files on PCs or network of PCs, servers and attached systems before blocking access until payment of a ransom has been received from victims – one of the most prevalent cyberattacks today.

In 1989, the first recorded ransomware attack known as the AIDS Trojan or PC Cyborg Trojan emerged and spread via floppy disc. This ransomware, commonly referred to as “AIDS” for short, concealed file directories on infected machines while counting how often their computer booted up before demanding that victims pay USD 189 as ransom in order to regain access to their data.

Hackers today use multiple techniques for spreading ransomware, from sending emails with malicious attachments and drive-by downloads that occur when vulnerable websites are accidentally visited unknowingly, to exploit kits scanning websites for vulnerabilities and malvertising (legitimized digital ads that have been hijacked by hackers to pass ransomware onto devices).

The FBI does not advise paying ransomware demands as this encourages criminals to continue their business model. Instead, businesses should prioritize prevention of ransomware attacks through updating cybersecurity tools such as anti-malware software, firewalls, network monitoring systems; employee training to recognize signs of phishing and social engineering; as well as zero trust architecture solutions like security orchestration automation response (SOAR), endpoint detection response (EDR) or security information and event management (SIEM).

4. BadRabbit

FedEx and Merck were two companies affected by an unprecedented global ransomware outbreak on October 24, 2017 known as Bad Rabbit that caused major disruption across Russia and Eastern Europe – impacting media agencies as well as transportation services in Russia.

Similar to other forms of ransomware, CryptoLocker encrypts files and demands a payment in Bitcoin in order to unlock them. Once paid, victims can generally restore their data if successful – however this kind of malware cannot always be easily resolved; often reimaging or recovering from backup may be required in certain cases.

Bad Rabbit acts as a trojan that infiltrates compromised websites using JavaScript injection, disguising itself as an Adobe Flash update and downloading ransomware files that disguise themselves as updates from Adobe. To safeguard against such an attack, ensure your endpoint security solutions have the latest signature set and monitor event logs for signs of Drogon, Rhaegal or Viserion scheduled tasks that appear. If any are detected immediately take appropriate actions. You may also consider consulting with a Managed IT Service Provider who can ensure protection from new malware attacks like this.

5. NotPetya

Although businesses are frequently targeted with ransomware attacks, other industries and critical infrastructure also present attractive targets for cybercriminals looking to disrupt operations. Schools and universities who rely heavily on remote learning during coronavirus pandemic outbreaks represent prime candidates for disruption by cybercriminals seeking an opportunity.

NotPetya was an unprecedented ransomware attack that caused substantial financial losses for companies like Maersk and Merck; however, its purpose didn’t appear to be making money but more like an experiment disguised as ransomware causing the damage it did deliberately.

NotPetya was spread via phishing emails with malicious attachments and once infiltrated into a system it would wait an hour before rebooting to begin encrypting files and demanding $300 in bitcoin to unlock them. Victims received a message demanding this amount in order to restore their data.

Before making their decision to pay a ransom demand, businesses should review their insurance policies thoroughly. Some policies specifically state that paying ransom can void an organization’s coverage, leading to more expensive remediation and downtime costs, and higher cyber insurance premiums later on.

6. Petya

Petya ransomware caused widespread disruption across Europe and the US. After infiltrating computers, this malware encrypted files before demanding that victims pay a ransom in bitcoin to unlock them again.

Petya may seem like just another money-grab attempt, but others think it could be an act of cyberwarfare. A Nato cybersecurity group speculates that Petya may have been launched by “state actors”, in which case “armed conflict law may apply.”

As with other forms of ransomware, Petya should be protected against by following best practice online security methods. That includes being vigilant with email opening and only downloading files from sources you trust as well as keeping software updated with patches and updates regularly.

Ransomware attacks often arise as a result of human error, so it’s critical that all employees in your organization understand the importance of practicing good cybersecurity hygiene. This includes regularly disconnecting physical and virtual connections from devices, scanning external hard drives for malware and creating backup copies of vital information.

7. REvil

When your files become encrypted by ransomware, your only options are two: pay or lose all your files. Even when paying a ransom is paid, cybercriminals don’t always provide the decryption key as promised – they’re in it to make money!

In June 2021, a ransomware attack by REvil Group spread fear throughout Europe and North America. Swedish grocery chain Coop, Dutch IT services providers Hoppenbrouwer Techniek and VelzArt, as well as JBS (one of the world’s largest meat processing companies) all lost access to their computers, leading JBS even temporarily suspending cattle slaughtering at its US plants resulting in higher food prices for consumers.

REvil (also known as Sodinokibi) is the successor to GandCrab, which amassed $2.4 billion in ransom payments before its creators decided to retire it earlier this year. REvil follows a ransomware-as-a-service model in which one group maintains and distributes malware code while affiliates distribute it; additionally, REvil’s code and ransom note composition share similarities with an active ransomware group like DarkSide which heightens suspicion of collaboration.

8. Ryuk

Ryuk, named after a character in Death Note, is an attack more targeted than most ransomware variants. While Petya, WannaCry and Bad Rabbit spread quickly via exploits such as EternalBlue and Server Message Block, Ryuk attacks tend to be conducted manually by attackers using guided missiles aimed by them at specific targets.

Attackers typically begin their campaigns with a phishing email that contains a malicious Office document containing macro functionality that once activated allows hackers to execute code in the background and move laterally throughout a network.

Attackers using tools such as Mimikatz to steal credentials and PowerShell Empire for reconnaissance and privilege escalation will use tools such as Falcon to prevent Ryuk attacks.

9. SamSam

Widespread awareness of ransomware attacks risks creating dangerous complacency among organisations, yet 2022 statistics demonstrate their continued impact. SamSam remains one of the most destructive forms, targeting businesses; attackers have even been observed conducting surveillance of victims to assess whether or not they would pay the ransom demand; once inside networks they use various tools to map them and steal passwords before unleashing one or more variants of ransomware variants.

These ransomware variants are specifically designed to encrypt sensitive files, like documents and pictures, and withhold access until payment has been received from victims. Such ransomware has caused widespread havoc across industries – from healthcare institutions (as evidenced by MedStar hospital’s 2018 incident) to government organizations (like with USCIS in 2010). Attackers behind such campaigns appear highly motivated – their strategy appears successful.

10. WannaCry

In April 2017 people worldwide awoke to find all their data encrypted and subject to ransom demand in bitcoin. The attack quickly spread, crippling networks at schools, hospitals and businesses worldwide.

Like Ryuk, WannaCry infiltrates systems through phishing attacks with malicious attachments containing macros that prompt users to accept. Once inside, WannaCry installs backdoor access and tools for privilege escalation.

WannaCry stands apart from other crypto ransomware in its ability to spread itself via exploit kits and Remote Desktop Protocol rather than social engineering or worming. Furthermore, the ransomware uses an automated password guessing algorithm in order to brute force weak passwords on network devices; additionally it employs an “infinite loop” which renders computers unusable while demanding payment within 72 hours.

Ransomware Protection Tips

Malware that encrypts files is held hostage until victims pay a ransom fee to secure decryption keys from attackers. Once payment is made, decryption keys will be released by attackers.

Cybercriminals often distribute ransomware via malicious emails containing attachments or links, unsecure websites and software vulnerabilities, as well as through remote desktop protocols, USB devices or unprotected WiFi networks.

Staying current with operating system updates and employing strong antivirus and firewall software are crucial elements to protecting data against ransomware attacks. Furthermore, employees should be trained in cybersecurity best practices as well as incident response playbooks, which can reduce their impact. Finally, backing up data regularly and running standard accounts rather than administrator accounts is recommended in order to minimize ransomware-encrypted files that might otherwise become vulnerable.


Ransomware is malware that encrypts data, files and devices until its creator receives payment from an attacker. After infection of one system or device by ransomware, it can spread further and even steal information from them – while as ransomware attacks evolve they increasingly employ cyber extortion tactics by threatening to publish stolen information online or attack customers and business partners as ransom demands are demanded.

Attackers typically spread ransomware through email phishing attacks with malicious attachments or links, and exploited vulnerabilities in software. One effective defense against ransomware attacks is keeping security software up-to-date; cyber awareness training also plays an integral part in helping users recognize suspicious emails and recognize when ransomware attacks may arise. Having a backup strategy implemented is important in lessening its effects should an attack be successful.

Sam is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.