
Ransomware Attacks Today: How They Work, Types, Examples & Prevention

When it comes to cybersecurity, ransomware is probably one of the first threats you think of. It seems like it’s everywhere — and it is. Today, ransomware is among the major cybersecurity threats affecting individuals, businesses and organizations every day. Recently, we’ve seen a huge rise in ransomware attacks, with more than 2.3 billion attacks in 2022 alone. Statistics show:

It comes as no surprise, then, that your organization must know the types of ransomware that exist, and how they behave, so you can stop or combat them. This article explains the types of ransomware along with some well-known examples. It also guides you on how to protect yourself and your company from ransomware attacks.




What is ransomware?

Let’s first formally define the threat.

Ransomware is a type of malware that infiltrates computer systems through various means, like phishing, malicious websites and malicious downloads. This part isn’t unique to ransomware — it’s what comes next. Once ransomware gets hold of your system, it prevents you from accessing your files or locks down your computer screen, threatening to keep you locked out until you pay a ransom (hence its name).

Modern ransomware demands that victims pay the ransom in cryptocurrency, such as Bitcoin. The ransom can amount to millions of dollars, depending on the type of ransomware and the targeted organization or individual. Unlike some other cyber threats, ransomware is about control.

Ransomware research

Unfortunately for all of us, ransomware evolves daily and it will continue to do so. At Splunk, we have several security teams focused on understanding these threats so everyone — not just our customers — can fight them. In 2021, we covered the REvil RaaS scheme including tools, guidance and support for the industry. (Splunk was not impacted by this ransomware attack.)

Last year, our in-house SURGe team researched how quickly ransomware could encrypt data from a machine. They wanted to know the answer to: “How long do you have before ransomware encrypts your systems?” Here’s a brief look at the results:

Family                   Median Duration
LockBit                  00:05:50
Babuk                    00:06:34
Avaddon                  00:13:15
Ryuk                     00:14:30
Revil                    00:24:16
BlackMatter              00:43:03
Darkside                 00:44:52
Conti                    00:59:34
Maze                     01:54:33
Mespinoza (PYSA)         01:54:54
Average of the median    00:42:52

Median ransomware speed measured across 10 ransomware families.

You can read the blog or the full research. For more threat research, explore our Threat Research Team’s work. Now let’s move into the types and examples of ransomware.
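Encryption times of minutes mean that detection has to react within the first minute or two of mass file rewriting. Here is an added illustration of one such heuristic in Python (not code from the article or from SURGe): it flags a process that rewrites many files with high-entropy, ciphertext-like content inside a short window. The event tuple format, the thresholds and the sample events are assumptions constructed for this example.

```python
# Added example (not from the article or SURGe): rate-plus-entropy heuristic for
# mass file encryption. Event format and thresholds are assumptions; the sample
# events at the bottom are constructed.
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window for counting rewrites per process
FILE_THRESHOLD = 20      # high-entropy rewrites in the window that raise an alert
ENTROPY_THRESHOLD = 7.0  # bits per byte; ordinary documents sit well below this

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_mass_encryption(events):
    """events: time-ordered (timestamp_seconds, pid, path, new_content_bytes).
    Returns [(pid, timestamp)], one alert per pid, raised as soon as that pid
    has rewritten FILE_THRESHOLD high-entropy files inside WINDOW_SECONDS."""
    recent = defaultdict(deque)   # pid -> timestamps of recent high-entropy writes
    alerted, alerts = set(), []
    for ts, pid, _path, content in events:
        if shannon_entropy(content) < ENTROPY_THRESHOLD:
            continue              # plaintext-looking write: ordinary editing
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:
            q.popleft()           # forget writes that fell out of the window
        if len(q) >= FILE_THRESHOLD and pid not in alerted:
            alerted.add(pid)
            alerts.append((pid, ts))
    return alerts

# Constructed content: repetitive text (low entropy) and a byte sequence that
# cycles through all 256 values uniformly (entropy exactly 8.0).
PLAINTEXT_LIKE = b"quarterly report: revenue up 4 percent this quarter\n" * 80
CIPHERTEXT_LIKE = bytes((i * 7919 + 13) % 256 for i in range(4096))

def sample_events():
    """Constructed log: pid 1001 edits five documents over 40 s; pid 4242
    rewrites 25 files with ciphertext-like content in 25 s."""
    benign = [(i * 10, 1001, f"/home/u/doc{i}.txt", PLAINTEXT_LIKE) for i in range(5)]
    hostile = [(100 + i, 4242, f"/home/u/doc{i}.txt.locked", CIPHERTEXT_LIKE)
               for i in range(25)]
    return benign + hostile
```

Running `detect_mass_encryption(sample_events())` returns `[(4242, 119)]`: the alert fires on the 20th ciphertext-like rewrite, 19 seconds into the hostile burst, while the slow editing by pid 1001 never trips it.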

Ransomware types

For a long time, there were only two major types of ransomware: Crypto and Locker Ransomware. Today, unfortunately, more types of ransomware have emerged, targeting users and organizations with different approaches. These ransomware types currently exist worldwide:

  • Crypto Ransomware
  • Locker Ransomware
  • Scareware
  • Leakware
  • Ransomware-as-a-Service (RaaS)

Let's understand these types of ransomware and the approach they take to make your computer system inaccessible.

Crypto ransomware

This kind of ransomware makes your important files and data, including documents and multimedia, unavailable by encrypting them and withholding the decryption key. The other functions of the victim’s computer remain intact.

Attackers then demand a ransom in exchange for the decryption key. They often provide a countdown and a warning that the files will be deleted if the ransom is not paid. Victims tend to pay depending on how sensitive and important the encrypted data is. However, there is no guarantee that the attackers will hand over the decryption key.

(Read our encryption introduction.)

Locker Ransomware

Locker Ransomware, also called "screen lockers," locks your computer once it's attacked, making all or some of the system data and functionalities inaccessible. For instance, you may not be able to access the computer desktop, but you might still be able to operate the mouse and keyboard with limited functionality.

Here, the attackers only allow you to interact with the screen that shows the ransom note. Since the important data remains unencrypted, it will not be completely destroyed. This type of ransomware also often includes a countdown clock to force the user to pay the ransom as soon as possible.

Scareware

Scareware, as its name implies, scares users by telling them that their computers have been infected with malware. It tricks them into paying a fee or purchasing antivirus software to fix the problem. Scareware usually appears as pop-ups when you visit an infected website or install infected software. Here is the primary play: your computer has not yet been infected with malware — but the antivirus software the scareware asks you to pay for is malicious.

Here, malware can infect your computer only if you purchase the software. Otherwise, the data will not be affected — though it will continue to bombard your computer with popups.

Scareware can also be distributed through spam emails, which trick users into buying something that has no value. Those purchases can include malware, which can steal sensitive user information.

Leakware (Exfiltration)

Leakware is ransomware that goes further than encrypting your sensitive data. It threatens to leak your data to the public or to third parties unless you pay the ransom. As a result, it is a more dangerous type of ransomware than traditional crypto-ransomware.

Like crypto-ransomware, leakware encrypts the data set, making it inaccessible, and the attacker keeps the encryption key. The attackers make sure the data they take is confidential to the victim(s), so leaking it could harm the individual or the organization.

Ransomware-as-a-Service (RaaS)

Like software-as-a-service, RaaS is a business model that provides ransomware to attackers who do not have the time or skills to develop it on their own. Instead, attackers can buy or rent ransomware from these “businesses”.

RaaS is advertised on the dark web in the same way that goods and services are advertised on the open web. The buyers of RaaS are called affiliates. They access the software through an online subscription, which can include the usual software-as-a-service features such as 24/7 support and other offers.

This business model enables affiliates with little or no knowledge of ransomware to launch an attack quickly and affordably. As a result, RaaS has significantly aided the growth of ransomware attacks. It has also developed into an independent ecosystem comprising ransomware developers, operators and other threat actors.

Examples of Ransomware

Now let’s look at some of these attack types in action. The following section describes several recent ransomware attacks that, for one reason or another, are infamous today.

(If you like reading these histories, check out these security books to read, recommended by security pros.)

CryptoLocker

Discovered in September 2013, CryptoLocker ransomware was distributed primarily via the Gameover Zeus botnet and email attachments. Victims were asked to pay the ransom in cryptocurrency so that the attackers could avoid being tracked. This ransomware targeted Microsoft Windows devices and encrypted files using RSA public-key cryptography, still among the most common in use today.

Though it’s impossible to know the full effects of this attack, experts confirm that CryptoLocker went on to attack over 250,000 computer systems within four months. The attackers’ extortion efforts earned them at least $3 million within nine months.

WannaCry

Discovered in 2017, the WannaCry ransomware targeted outdated, unpatched Windows systems exposed to the EternalBlue vulnerability in the SMB protocol. It infected systems as a self-contained program that encrypted the targeted files and prevented users from accessing them. WannaCry caused around $4 billion in damages and spread to nearly 150 countries.

(Like always, Splunk tackled WannaCry from the moment it began.)




Petya

Petya ransomware, discovered in March 2016, could render a complete hard drive unusable. It was primarily spread through fake job applications carrying malware. Petya attacks the master boot record (MBR) of a computer and then encrypts the Master File Table of the NTFS file system.

Petya is in the same ransomware family as NotPetya, which attacked commercial and government organizations in Ukraine and other countries.

W-2 Scareware

This 2017 scareware campaign stole employee W-2 forms from the targeted organizations. (W-2s are important tax documents in the U.S.) Attackers launched it by sending spam emails to payroll or human resources department employees, asking them to send over employees’ W-2 forms.

The attackers then sent an urgent follow-up email asking for wire transfers. The result was at least thousands of dollars lost.

Maze

Maze is ransomware that we can consider leakware. It has impacted many organizations since 2019. After encrypting data, Maze threatens to leak it unless the victims pay the ransom.

Cerber

Cerber is a popular ransomware-as-a-service offering. Once it has infected a machine, it encrypts files while running silently. It also attempts to stop Windows security features, including antivirus programs, so that it can spread further through the system.

Dharma

Discovered in 2016, Dharma is another ransomware that belongs to the RaaS model. Attackers spread it through spam emails, by exploiting weaknesses in exposed Remote Desktop Protocol (RDP) services, and through corrupted setup files. Its primary targets are the directories of Windows systems.

DarkSide

DarkSide is also a RaaS-type ransomware that initially targeted Windows machines but later expanded to Linux machines. Associated with the crime group called Carbon Spider, DarkSide attacks unpatched VMware systems or steals vCenter credentials.

(Read more about DarkSide and the attack on Colonial Pipeline, one of the largest gas pipelines in the U.S.)

Bad Rabbit

Bad Rabbit is ransomware that came to light in October 2017, primarily targeting Russian media agencies. It was spread through compromised websites serving fake Adobe Flash updates. Once it has infected a system, it encrypts the file system with 2048-bit RSA keys and demands a ransom payment in cryptocurrency.

How can you stop ransomware attacks?

Attackers are always evolving their strategies, yes. But security best practices are the least you can do to make it harder for them to victimize your machine and your data.

  • Secure your user accounts. Use two-factor or multi-factor authentication (MFA) to provide an additional layer of security for your accounts.
  • Avoid revealing personal information. Ransomware attackers research their targets before the attack. They can get your personal information from your social media profiles if you share them publicly. Never expose private information unless absolutely necessary.
  • Install robust antivirus software. Installing antivirus is the first step, but you also need to update it regularly so that it catches the newest and most advanced ransomware.
  • Always keep your systems updated. Ensure that your operating systems, firmware and other software are regularly updated with patches for vulnerabilities.
  • Protect your sensitive data. Implement access control mechanisms for your sensitive data. Apply the principle of least privilege.
  • Back up your file system and data. Regular backups let you restore your files if you lose the originals to ransomware. Store the backups securely, with encryption and proper access control.
  • Prevent vulnerabilities from RDP ports. Close RDP ports that are no longer in use. Always monitor the ports that remain open for unusual behavior.
  • Educate your employees on ransomware. Train your employees to identify ransomware and to know what actions to take in such a situation. Regular security awareness training and random ransomware simulations can identify employees who are vulnerable.
  • Configure spam filtering. Configure your email to filter spam. Additionally, you can use secure email gateways to block phishing attacks.
  • Implement a Zero Trust network security model. The zero-trust model enforces strict identity verification for all users and devices that try to connect to a private network. Every user must undergo strict identity verification, whether they are inside or outside the network perimeter, which makes it harder for malware to breach such networks.

To learn more, visit StopRansomware.gov, the U.S. government’s primary spot for effectively tackling ransomware.

Ransomware in 2023: still a major threat

Because new variants emerge daily, ransomware remains one of the major security threats. Organizations and individuals must stay vigilant.

There are currently five different types of ransomware: Crypto and Locker Ransomware, Scareware, Leakware and RaaS. RaaS has become the most prevalent among them, since it enables attackers with little knowledge of ransomware execution to easily launch an attack.


This posting does not necessarily represent Splunk's position, strategies or opinion.


Shanika Wickramasinghe is a software engineer by profession and a graduate in Information Technology. Her specialties are Web and Mobile Development. Shanika considers writing the best medium to learn and share her knowledge. She is passionate about everything she does, loves to travel and enjoys nature whenever she takes a break from her busy work schedule. She also writes for her Medium blog sometimes. You can connect with her on LinkedIn.