Ransomware has become an increasingly common threat facing individuals and organizations. Knowing the types of ransomware and examples of each can help organizations develop a defense approach that best fits their needs.
Ransomware has been around for about 30 years but has only recently become a serious concern as exploits from ransomware groups such as APT29, Carbanak/FIN7, Wizard Spider, and Sandworm reach ever-greater proportions.
In October 2021, Microsoft’s Digital Defense Report suggested that ransomware and extortion attacks could generate more profits than nation-state attack organizations. This potential means ransomware gangs suddenly have access to a budget they previously lacked, allowing them to launch even more potent campaigns.
As ransomware continues to affect individuals and businesses, the U.S. Department of Justice announced in June 2021 that ransomware investigations are now being given priority on par with terrorism. The events of May 2021, when the notorious hack against the Colonial Pipeline resulted in expensive financial damages and the leaking of personal information, serve as a stark reminder of the ransomware danger lurking for victims worldwide.
7 Common Types of Ransomware Attacks
Ransomware types vary depending on the function and components of an attack.
The most common types of ransomware attacks have historically been Locker and Crypto. However, double extortion and triple extortion tactics and ransomware as a service (RaaS) are now just as widespread, followed by leakware and scareware.
Locker ransomware is a nasty piece of malware that can wreak havoc on a Windows system. It typically resides in the C:\Windows\SysWOW64 directory and installs additional services into the directories C:\ProgramData\Steg\ and C:\ProgramData\rkcl\.
LDR, the latter service, then installs another executable, rkcl.exe, which is responsible for Locker’s activities, such as encrypting files, terminating processes, and deleting files related to security protection.
Attackers then demand ransom payment before restoring access to the system and files. Victims may find a pop-up message on their screen with instructions such as, “Pay $100 fine to unlock your computer,” or “Click here to resolve the issue,” prompting them to pay up for the ransomware attack to be resolved.
Crypto ransomware is among the most common ransomware attacks seen today. This type of ransomware uses encryption to block access to files on a computer as well as any files stored or shared on network or cloud drives.
The perpetrator of this ransomware asks the victim for a ransom payment in return for a decryption key to unlock access to their data.
Crypto ransomware is mostly spread through malicious emails, websites, and downloads, making it important to be extra diligent in recognizing potential scams and malware threats.
Scareware is a type of ransomware attack that uses fake security alerts to scare users into paying a ransom. This type of ransomware typically displays pop-up windows claiming there is an infection on the user’s computer and requiring payment for a “full version” of the software or to “recover lost files.”
Leakware is a form of ransomware where attackers threaten to leak confidential information if the victim doesn’t pay the ransom. The hackers initially gain access to the system by exploiting vulnerabilities or social engineering techniques that allow them to steal the data. Attackers then contact victims and demand payment in return for not disclosing sensitive information publicly.
Double extortion ransomware is a dangerous form of attack that not only denies access to data but also threatens its eventual public release should the ransom not be paid.
This type of malicious attack can have devastating repercussions for businesses, organizations, and other institutions that must protect sensitive information pertaining to their employees, customers, clients, and—when government agencies are the targets—even the general public.
Double extortion leaves little recourse or security against having sensitive data leaked and is an unfortunate reminder of the real risks of cyber threats.
Triple extortion takes double extortion one step further by combining encryption, data exfiltration, and public shaming.
In this type of attack, the cybercriminal not only encrypts victims’ files and data but also threatens to release those files on the dark web or publicly if the ransom is not paid. This gives the attacker three distinct methods of extortion:
- Receive the ransom payment.
- Sell the stolen data on the dark web for further profit.
- Use the data release to embarrass victims and their customers publicly. For example, a hospital might be threatened that a patient’s confidential information will be exposed, and the patient may also be contacted directly and threatened.
RaaS is another form of ransomware attack that criminals use to target victims. RaaS is a cloud-based service that enables customers or “partners” to access and use ransomware with minimal technical knowledge or resources.
The RaaS model allows cybercriminals to run ransomware operations without having to develop the code themselves, as they can obtain it from an existing provider. The provider then takes a percentage of the ransom payments its customers collect from their victims in exchange for the use of the ransomware service.
In a different variation of this model, the user may pay the developer a regular subscription fee to use the software.
Recent Ransomware Examples
Some of the most well-known recent examples of ransomware, in terms of their widespread effects and the sophistication of their methods, are WannaCry, Petya/NotPetya, and Colonial Pipeline.
One of the most destructive ransomware attacks to date, WannaCry was a cryptoworm created by a North Korean criminal group in 2017.
It spread rapidly via a worm-like mechanism, which enabled it to quickly propagate across networks without any user interaction. This attack targeted the Microsoft Windows operating system, exploiting a known security vulnerability in older versions. It was named WannaCry due to the .wncry extension the worm added to the files it encrypted.
WannaCry moved from one machine to another using a powerful exploit, known as EternalBlue, stolen from the National Security Agency (NSA) by the hacker group Shadow Brokers. Once WannaCry infected a computer, it was able to instantly penetrate other unpatched Windows computers on the network and execute hostile code that encrypted files and demanded a Bitcoin ransom.
The results were devastating. For example, in the U.K., WannaCry infected more than 600 medical clinics within hours, resulting in over 20,000 canceled appointments.
As it went on a blitzkrieg around the world, it infected the computers of some of the world’s leading brands, such as Nissan, Honda, FedEx, and Boeing. It also affected government departments globally, such as the Indian Police Department. Educational institutions were not spared either, as several Chinese universities were attacked.
In a single afternoon, the ransomware is estimated to have led to financial losses of between $4 and $8 billion, according to press reports.
It was slowed down by security researcher Marcus Hutchins, who throttled its global spread with a static domain-level kill switch the criminals had inadvertently built into its code. This gave security teams and the internet infrastructure community time to patch systems.
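The Locker description above names the directory C:\ProgramData\rkcl\ and the executable rkcl.exe, and the WannaCry section names the .wncry extension the worm appended to encrypted files. The following is an added example, not code from the original article, showing how a defender could turn those two observables into simple detection logic run over endpoint file and process events. The log format (timestamp, host, event type, path), the burst threshold and the sample lines are all constructed assumptions for the example.

```python
r"""Flag ransomware-style activity in constructed endpoint event logs.

Added example (not from the original article). Two signals are checked:
  * a burst of files renamed to the .wncry extension WannaCry appended, and
  * execution of rkcl.exe out of the C:\ProgramData\rkcl\ directory, which
    the article attributes to Locker.
The log line format, hostnames, thresholds and sample events are assumptions
made up for this example, not the output of any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the article (compared case-insensitively).
RANSOM_EXTENSIONS = {".wncry"}
SUSPICIOUS_PROGRAMS = {r"c:\programdata\rkcl\rkcl.exe"}

# Assumed thresholds: this many indicator renames inside the window is a burst.
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample log: "<ISO timestamp> <host> <event> <path>".
SAMPLE_LOG = r"""
2017-05-12T13:00:01 ws01 RENAME C:\Users\alice\Documents\budget.xlsx.wncry
2017-05-12T13:00:02 ws01 RENAME C:\Users\alice\Documents\notes.docx.wncry
2017-05-12T13:00:02 ws01 RENAME C:\Users\alice\Pictures\holiday.jpg.wncry
2017-05-12T13:00:03 ws01 RENAME C:\Users\alice\Desktop\todo.txt.wncry
2017-05-12T13:00:04 ws01 RENAME C:\Users\alice\Documents\report.pdf.wncry
2017-05-12T13:05:00 ws02 RENAME C:\Users\bob\Documents\draft.docx.bak
2017-05-12T13:06:10 ws02 RENAME C:\Users\bob\Documents\old.docx.wncry
2017-05-12T13:07:00 ws03 EXEC C:\ProgramData\rkcl\rkcl.exe
2017-05-12T13:07:05 ws03 EXEC C:\Windows\System32\notepad.exe
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, event, path)."""
    ts, host, event, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, path


def analyze(log_text):
    """Return a list of (host, alert_kind, detail) tuples for the given log."""
    renames = defaultdict(list)  # host -> timestamps of indicator renames
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, path = parse_line(line)
        lowered = path.lower()
        if event == "RENAME" and any(lowered.endswith(e) for e in RANSOM_EXTENSIONS):
            renames[host].append(ts)
        elif event == "EXEC" and lowered in SUSPICIOUS_PROGRAMS:
            # A single execution from the Locker path is enough to alert.
            alerts.append((host, "suspicious_program", path))

    # Sliding window per host: alert once the first burst is observed.
    for host, times in renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BURST_COUNT:
                detail = f"{count} indicator renames within {BURST_WINDOW.seconds}s"
                alerts.append((host, "rename_burst", detail))
                break
    return alerts


if __name__ == "__main__":
    for host, kind, detail in analyze(SAMPLE_LOG):
        print(f"{host}: {kind}: {detail}")
```

In the sample, ws01 trips the rename burst, ws03 trips the program-path rule, and ws02 (one indicator rename, below the threshold) produces nothing; a real deployment would tune the threshold against baseline rename rates and extend the extension list from current threat intelligence.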
Petya and NotPetya
Petya has been making headlines since its discovery in 2016. It’s believed to have been developed by the Sandworm cybercriminal group based in Russia.
Petya is usually spread through infected email attachments. It targets Microsoft Windows-based systems, encrypting the master boot record and rendering the system unusable unless a ransom payment is made.
Petya saw its most devastating attack in June 2017, when a new variant, dubbed NotPetya, was used as part of a global cyberattack that primarily targeted Ukraine. This new variant quickly spread due to leveraging EternalBlue, the same exploit—believed to have been developed by the U.S. NSA—that had previously been seen in use with WannaCry earlier that year.
Unlike WannaCry, NotPetya was not designed to generate revenue for criminals. Instead, the malware was designed to cause as much damage as possible.
For example, one of the attacks on June 27, 2017, brought the Chernobyl nuclear power plant offline. It quickly spread from the initial targets in Ukraine to other countries such as the United Kingdom, France, Germany, Russia, and the United States, where it caused a range of business interruptions and destruction.
Some of Petya’s biggest damages include:
- Maersk, the leading operator of container ships and supply vessels, suffered financial losses estimated at between $200 million and $300 million in foregone revenues.
- In 2018, the business impact on FedEx was estimated at $400 million, as noted in its 2019 annual report.
Petya remains a significant security risk, and it’s essential to be aware of the threats that come with it.
The Colonial Pipeline ransomware attack of May 2021 is an example of triple extortion ransomware. It was a widespread and concerning affair believed to have been perpetrated by DarkSide, a highly sophisticated hacker group, which targeted the company’s billing infrastructure.
The effects of the attack were far-reaching, disrupting supply chains, affecting consumers and air transport along the U.S. east coast, and prompting a declaration of a state of emergency by President Joe Biden. The attack involved the theft of over 100 GB of data within two hours of accessing the network and infecting Colonial Pipeline’s networks with ransomware. The attackers threatened to dump the data on the internet if the ransom wasn’t paid.
As is becoming more common with such attacks, to cease further damage and return access to their systems, Colonial Pipeline had to pay 75 bitcoin (about $5 million) in ransom within hours of the attack. Unfortunately, the decryption tool provided by the hackers proved too slow, and the company ultimately resorted to its own backups to restore the system to full capacity.
An FBI operation quickly led to the seizure of $2.3 million worth of bitcoin paid to the DarkSide hacker group by Colonial Pipeline. But the human faces behind DarkSide remain at large.
How Do You Prevent Ransomware?
Unfortunately, there’s no surefire, easy way to prevent ransomware. Securing your data against intrusion requires a multifaceted, defense-in-depth approach, which includes email phishing protection, strong authentication measures, restricted network access, consistent security updates, and preplanned mitigation procedures.
- Regular system updates: Regular system security updates are critical for staying on top of known vulnerabilities that can be exploited by ransomware. Additionally, installing the latest version of your operating system (OS) and applications will help reduce the attack surface.
- Advanced email phishing protection: Phishing emails are one of the most common ways ransomware is spread. Adding an advanced email security solution to your setup can help detect and block malicious emails from ever reaching your inbox.
- Strong Identity and Access Management (IAM) security: Ensuring that only the right people have access to sensitive data is key to ransomware prevention. IAM solutions provide centralized control over user accounts and credentials and detailed logging of all user activities.
- Restricted permissions and limited network access: Setting up user accounts with restricted access to data and services can help limit the spread of ransomware if it does get in. Additionally, segmenting your network into subnets will help contain the damage of a successful attack.
- Automated, secure data backup tools: Regular backups are essential for restoring systems after an attack. Automated backup solutions ensure backups are taken regularly, and encryption helps keep them secure.
- A robust incident response plan: While you can take action to diminish your threat surface and bolster your defenses, there’s no 100% guarantee against ransomware. It’s important to have a detailed incident response plan in place to respond quickly and effectively if you do get attacked. And when all else fails, ransomware insurance can shield your organization from the worst of the financial burden.
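The backup item in the list above is only useful if the backup can be trusted at restore time, which is exactly what the Colonial Pipeline section showed when the company fell back on its own backups. The following is an added example, not code from the original article, of a small integrity check a defender can run over a backup set: a SHA-256 manifest is written when the backup is taken and kept apart from the backup, and a verification pass later reports files whose contents changed, files that disappeared, and files that appeared. The directory layout, file contents and simulated tampering are constructed for the example.

```python
"""Build and verify an integrity manifest for a backup set.

Added example, not from the original article. The manifest (path -> SHA-256)
is written when the backup is taken and stored away from the backup itself;
verifying it before a restore shows whether anything was encrypted, renamed
or dropped into the backup after the fact. All paths and sample files here
are constructed for the example.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file (relative POSIX path) under backup_dir to its digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the current backup contents against a stored manifest.

    Returns three sorted lists: "modified" (content changed), "missing"
    (listed but absent) and "unexpected" (present but never listed, e.g.
    renamed copies or ransom notes).
    """
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo(workdir: Path = None) -> dict:
    """Create a constructed backup set, tamper with it, and return the report."""
    if workdir is None:
        workdir = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    backup = workdir / "backup"
    backup.mkdir(parents=True, exist_ok=True)
    (backup / "invoices.csv").write_bytes(b"id,amount\n1,100\n")
    (backup / "notes.txt").write_bytes(b"quarterly planning\n")

    # Write the manifest outside the backup directory (here: its parent).
    manifest_path = workdir / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

    # Simulate what ransomware does to a reachable backup: overwrite a file
    # in place, rename another with an added extension, and drop a note.
    (backup / "invoices.csv").write_bytes(b"\x00\x11not the original bytes")
    (backup / "notes.txt").rename(backup / "notes.txt.wncry")
    (backup / "README_DECRYPT.txt").write_bytes(b"constructed ransom note")

    stored = json.loads(manifest_path.read_text())
    return verify_backup(backup, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only proves the backup matches what was hashed at backup time; it does not protect the manifest itself, so in practice the manifest (or a signature over it) belongs on storage the backup host cannot write to, and a restore should be rehearsed rather than assumed.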
Bottom Line: Protect Your Network From All Types of Ransomware
Ransomware is constantly evolving, and new variations are often appearing. It’s essential to keep up with the latest trends in ransomware and implement a ransomware protection strategy to protect yourself from attacks.
Ensure your organization stays ahead of the latest threats with dedicated ransomware protection software.