Ransomware has become a serious threat to businesses and individuals worldwide. Between January and July 2021, the FBI noted ransomware attacks increased by 62%. While any form of virus, worm or malware can be harmful, ransomware can be particularly damaging because its goal is to extort funds from the victim of the infection under the threat of data loss or leaks.
Here, we explain some of the different types of ransomware, how they work and what users and systems administrators can do to reduce the risk of infection. If you'd like to take a deeper dive into the subject, you can learn more about ransomware by exploring our glossary pages.
What Are the Four Types of Ransomware?
Ransomware can be divided into four key categories, based on the type of threat it presents to its victims.
Lockers: this style of ransomware locks users out of their machines, presenting a demand for the victim to transmit payment (usually in cryptocurrency) to the attacker to have the lock released. The warning may include a threat to delete the user's data if they fail to comply within a given time period.
Crypto ransomware: crypto ransomware is similar to lockers; however, it takes an additional step of encrypting the victim's files to prevent them from being able to recover any data on the system if they choose not to pay the ransom.
Scareware: scareware is less disruptive than other types of ransomware. This type of attack shows a warning to the victim, telling them their system is infected with a Trojan or virus and directing them to purchase a product to fix the issue.
Doxware: the approach of doxware is slightly different from that used by developers of other forms of ransomware. Rather than restricting access to data or threatening to delete it, doxware developers threaten to release sensitive documents found on infected machines. Alternatively, they may target people who frequent websites used for piracy or other illegal activities and threaten to inform the authorities about the user's activities if they don't pay the ransom.
Computers may become infected by ransomware accidentally through users downloading infected software from malicious websites. Some ransomware is spread in a more targeted fashion by Ransomware as a Service (RaaS) criminal organizations. Professional hacking organizations accept commissions from clients and will handle the infection process, as well as host the servers the malware connects to and handle payments. One common joke is that malware now comes with "customer service," as the hackers assist victims with the process of purchasing cryptocurrencies and making the transfer to pay the ransom.
Examples of Ransomware Strains
There are several ransomware strains in the wild today, each with its own infection mechanism. Some of the most well-known ransomware strains are:
CryptoLocker: this ransomware was released in 2013 and spread through phishing emails designed to look like FedEx or UPS tracking messages. Users are tricked into downloading and running an executable file that encrypts the files on their computer using an asymmetric encryption method that's difficult to break because only the attackers have the private key required for decrypting the files.
WannaCry: the WannaCry ransomware is perhaps the most well-known variant outside the IT space, making headlines after infecting organizations in 150 different countries. The malware was released in 2017 and would lock users out of their files until they paid a ransom of 0.1781 bitcoin, which was worth around $300 in U.S. dollars at the time.
CryptoWall: the CryptoWall ransomware first appeared in 2014, but it's been updated several times since then to bypass antivirus protections and can still be found in the wild. It's spread via malicious email attachments and advertisements on compromised websites. This malware targets specific file types and also disables the automatic backup and restore features found in Windows 7 and newer versions of the operating system.
Bad Rabbit: unlike some of the other malware types in this list that rely on phishing emails, Bad Rabbit was spread through compromised websites by displaying a message telling users their Adobe Flash extension was out of date. The malware's primary target demographic was organizations in Russia and Eastern Europe. Adobe Flash is no longer supported, but it was still in use in 2017 when the malware was released, making fake update notifications a highly successful attack vector.
Ryuk: the Ryuk ransomware was first identified in the wild in 2018. Instead of spreading itself indiscriminately, Ryuk is primarily used in highly targeted attacks against organizations. The attackers charge ransom amounts measured in hundreds of thousands of U.S. dollars. In addition to encrypting files on the infected machine, Ryuk disables System Restore and can identify network drives and encrypt the files stored on them.
Spider: released in 2018, Spider is a ransomware variant that spreads itself via phishing messages. The attackers used malicious Microsoft Word documents to infect users, presumably in the hopes they'd achieve more successful infections with seemingly innocuous Word documents than with executable files. The documents in question were fake debt collection letters. Once infected, users were told they had 96 hours to pay the ransom.
What is the most common type of ransomware attack?
Crypto ransomware is the most common type of ransomware attack. This type of ransomware encrypts the victim's files, preventing them from being recovered unless the user pays the ransom.
What are the four most used vectors for ransomware?
Four common attack vectors for ransomware include email attachments, browser pop-ups, instant messages and text messages. Most attacks rely on fooling the user into choosing to run a malicious executable file.
What are the top three causes of successful ransomware attacks?
The most common causes of successful ransomware attacks are user errors, such as falling victim to phishing attacks or poor cybersecurity practices. For example, installing software from an unknown source or plugging unknown USB devices into a computer could allow a ransomware infection to occur.
Get Protected From Ransomware With Veeam
There are several simple steps organizations can take to protect themselves from ransomware. Making use of antivirus software and ad-blocking tools can reduce the likelihood of an infection occurring. Windows Defender is included with all modern versions of Windows and offers good malware and virus protection with regularly updated definitions and robust heuristics. Ad-blocking can either be performed via browser extensions or by using a VPN with content filtering enabled.
Technical solutions can only go so far, however. It's important to provide good cybersecurity awareness training to your employees, so they're aware of the basic precautions they can take to avoid falling for phishing attacks or social engineering attempts.
Even with these precautions, there's still the risk of falling victim to a new attack that's able to get past your cybersecurity defenses. That's where Veeam's ransomware protection can save the day. Modern ransomware is so sophisticated that some variants can disable Windows System Restore and reach your network drive backups, preventing you from being able to use those to recover your essential data. We use the 3-2-1-1-0 rule to offer maximum protection. Even if your network backups are somehow affected by the ransomware, there will still be an off-site and offline backup for you to fall back on in an emergency.
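As an added example (not Veeam's code and not part of the original article), the 3-2-1-1-0 rule mentioned above can be checked against a backup inventory. It assumes the commonly cited reading of the rule: three copies of the data, on two media types, one off-site, one offline or immutable, and zero errors in restore verification. The `DataCopy` fields, function names and both inventories are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str                    # "disk", "tape", "object-storage", ...
    offsite: bool                 # kept at a different physical site
    offline: bool                 # air-gapped or immutable, not writable over the network
    is_backup: bool = True        # False for the production copy
    verify_errors: Optional[int] = None  # errors in last restore test; None = never tested

def check_3_2_1_1_0(copies: List[DataCopy]) -> List[str]:
    """Return the rule violations for an inventory; an empty list means compliant."""
    backups = [c for c in copies if c.is_backup]
    problems = []
    if len(copies) < 3:
        problems.append(f"3: only {len(copies)} copies of the data")
    if len({c.media for c in copies}) < 2:
        problems.append("2: all copies sit on one media type")
    if not any(c.offsite for c in backups):
        problems.append("1: no off-site backup")
    if not any(c.offline for c in backups):
        problems.append("1: no offline or immutable backup")
    bad = [c.name for c in backups if c.verify_errors != 0]
    if bad:
        problems.append("0: untested or failing restore test: " + ", ".join(bad))
    return problems

def survivors(copies: List[DataCopy]) -> List[str]:
    """Backups still usable if every network-reachable copy is encrypted."""
    return [c.name for c in copies
            if c.is_backup and c.offline and c.verify_errors == 0]

# Constructed inventories (not real systems).
WEAK = [
    DataCopy("file-server", "disk", offsite=False, offline=False, is_backup=False),
    DataCopy("nas-share", "disk", offsite=False, offline=False),
]
HARDENED = [
    DataCopy("file-server", "disk", offsite=False, offline=False, is_backup=False),
    DataCopy("nas-share", "disk", offsite=False, offline=False, verify_errors=0),
    DataCopy("tape-vault", "tape", offsite=True, offline=True, verify_errors=0),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_3_2_1_1_0(inv) or "compliant", "survivors:", survivors(inv))
```

The `survivors` function models the scenario in the paragraph above: a variant that reaches network drive backups leaves only the offline, verified copy to restore from.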
If you'd like to know more about how Veeam Backup & Replication can help you protect your data from ransomware, contact us today to talk to a salesperson or request a demonstration.