When it comes to cybersecurity, ransomware is probably one of the first threats you think of. It seems like it’s everywhere, and it is. Today, ransomware is among the major cybersecurity threats affecting individuals, businesses and organizations every day. Recently, we’ve seen a huge rise in ransomware attacks, with more than 2.3 billion attacks in 2022 alone. Statistics show:
It comes as no surprise, then, that your organization must know the types of ransomware that exist, and how they behave, so you can stop or combat them. This article explains the types of ransomware along with some well-known examples. It will also guide you on how to protect yourself and your company from ransomware attacks.
Let’s first formally define the threat.
Ransomware is a type of malware that infiltrates computer systems through various means, like phishing, malicious websites and malicious downloads. This part isn’t unique to ransomware — it’s what comes next. Once ransomware gets hold of your system, it prevents you from accessing your files or locks down your computer screen, threatening to keep you locked out until you pay a ransom (hence its name).
Modern ransomware demands that victims pay the ransom in cryptocurrency, such as Bitcoin. The demand can amount to millions of dollars depending on the type of ransomware and the targeted organization or individual. Unlike some other cyber threats, ransomware is about control.
Unfortunately for all of us, ransomware evolves daily and it will continue to do so. At Splunk, we have several security teams focused on understanding these threats so everyone — not just our customers — can fight them. In 2021, we covered the REvil RaaS scheme including tools, guidance and support for the industry. (Splunk was not impacted by this ransomware attack.)
Last year, our in-house SURGe team researched how quickly ransomware could encrypt the data on a machine. They wanted to know the answer to: “How long do you have before ransomware encrypts your systems?” Here’s a brief look at the results:
| Family | Median Duration |
| --- | --- |
| LockBit | 00:05:50 |
| Babuk | 00:06:34 |
| Avaddon | 00:13:15 |
| Ryuk | 00:14:30 |
| Revil | 00:24:16 |
| BlackMatter | 00:43:03 |
| Darkside | 00:44:52 |
| Conti | 00:59:34 |
| Maze | 01:54:33 |
| Mespinoza (PYSA) | 01:54:54 |
| Average of the median | 00:42:52 |
Median ransomware speed measured across 10 ransomware families.
You can read the blog or the full research. For more threat research, explore our Threat Research Team’s work. Now let’s move into the types and examples of ransomware.
For a long time, there were only two major types of ransomware: Crypto and Locker Ransomware. Today, unfortunately, more types of ransomware have emerged, targeting users and organizations with different approaches. These ransomware types currently exist worldwide:
Let's understand these types of ransomware and the approach they take to make your computer system inaccessible.
This kind of ransomware makes your important files and data, including documents and multimedia, unavailable by encrypting them and withholding the decryption key. The other functionality of the victim’s computer remains intact.
Attackers then demand a ransom in exchange for the decryption key. They often provide a countdown and a warning that files will be deleted if the ransom is not paid. Victims tend to pay the ransom depending on how sensitive and important the encrypted data is. However, you cannot guarantee that the attackers will return the decryption key.
(Read our encryption introduction.)
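As an added example (not code from the Splunk post, and not SURGe’s research tooling), here is a small Python detector that applies two observations from the sections above: crypto-ransomware replaces readable files with high-entropy ciphertext, and the SURGe timings show encryption can finish in minutes, so an alert has to fire on a burst of suspicious file operations within seconds rather than on a daily report. The file events, the “encrypted” extensions and the thresholds are constructed assumptions for illustration only.

```python
"""Toy crypto-ransomware activity detector (added example, constructed data).

Two signals are combined: Shannon entropy of written data (encrypted output is
near 8 bits/byte, documents are far lower) and a sliding-window count of
suspicious writes/renames, because real encryptors finish in minutes.
"""
import math
from collections import Counter, deque
from dataclasses import dataclass

# Hypothetical extensions an encryptor might append; not taken from the article.
SUSPICIOUS_EXTENSIONS = {".locked", ".enc", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class FileEvent:
    t: float            # seconds since monitoring started
    op: str             # "write" or "rename"
    path: str
    payload: bytes = b""  # bytes written (empty for renames)


def is_suspicious(ev: FileEvent, entropy_threshold: float = 7.5) -> bool:
    """A rename to a known ransom extension or a write of near-random data."""
    if ev.op == "rename":
        return any(ev.path.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)
    if ev.op == "write":
        return shannon_entropy(ev.payload) >= entropy_threshold
    return False


def detect_bursts(events, window_s: float = 10.0, max_hits: int = 20):
    """Return (time, count) alerts whenever max_hits suspicious ops land within window_s.

    The window re-arms after each alert so one encryption run produces a few
    alerts instead of one per file.
    """
    alerts = []
    recent = deque()  # timestamps of suspicious ops inside the current window
    for ev in sorted(events, key=lambda e: e.t):
        if not is_suspicious(ev):
            continue
        recent.append(ev.t)
        while recent and ev.t - recent[0] > window_s:
            recent.popleft()
        if len(recent) >= max_hits:
            alerts.append((ev.t, len(recent)))
            recent.clear()
    return alerts


def sample_events():
    """Constructed event stream: an hour of benign edits, then an encryptor burst."""
    text = b"Quarterly report: revenue up 3 percent.\n" * 100   # low entropy
    cipher = bytes(range(256)) * 16                              # uniform bytes, entropy 8.0
    events = [FileEvent(float(t), "write", f"/home/u/doc{i}.txt", text)
              for i, t in enumerate(range(0, 60, 5))]            # 12 benign writes
    # 25 files overwritten with high-entropy data and renamed, all within 5 seconds
    for i in range(25):
        t = 100 + i * 0.2
        events.append(FileEvent(t, "write", f"/home/u/doc{i}.txt", cipher))
        events.append(FileEvent(t + 0.05, "rename", f"/home/u/doc{i}.txt.locked"))
    return events


if __name__ == "__main__":
    for when, count in detect_bursts(sample_events()):
        print(f"ALERT t={when:.2f}s: {count} suspicious file operations within 10 s")
```

On the constructed stream the 12 benign writes never trip the entropy check, while the 50 suspicious operations of the burst raise two alerts (at the 20th and 40th suspicious event); tuning `window_s` and `max_hits` against your own baseline of legitimate bulk operations (backups, compression, software installs) is what separates a usable alert from noise.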
Locker Ransomware, also called "screen lockers," locks your computer once it's attacked, making all or some of the system data and functionalities inaccessible. For instance, you may not be able to access the computer desktop, but you might still be able to operate the mouse and keyboard with limited functionality.
Here, the attackers only allow you to interact with the screen that shows the ransom note. Since the important data remains unencrypted, it will not be completely destroyed. This type of ransomware also often includes a countdown clock to force the user to pay the ransom as soon as possible.
Scareware, as its name implies, scares users by informing them that their computers have been infected with malware. It tricks them into paying a fee or purchasing antivirus software to fix the problem. Scareware usually arrives as pop-ups when you visit a site or install software infected with it. Here is the catch: your computer has not yet been infected with malware, but the “antivirus” software the scareware asks you to pay for is malicious.
Here, malware can infect your computer only if you purchase the software. Otherwise, the data will not be affected — though it will continue to bombard your computer with popups.
Scareware can also be distributed through spam emails, which trick users into buying something that has no value. Those purchases can include malware, which can steal sensitive user information.
Leakware is ransomware that goes further than encrypting your sensitive data. It threatens to leak your data to the public or to third parties unless you pay the ransom demand. As a result, it is a more dangerous type of ransomware than traditional crypto-ransomware.
Like crypto-ransomware, leakware encrypts the data set, making it inaccessible, and the attacker keeps the encryption key. The attackers target data that is confidential to the victim(s), so leaking it could harm the individual or the organization.
Like software-as-a-service, RaaS is a business model that provides ransomware to attackers who do not have the time or skills to develop it on their own. Instead, attackers can buy or rent ransomware from these “businesses”.
RaaS is advertised on the dark web in the same way that goods and services are advertised on the open web. The buyers of RaaS are called affiliates. They access the software through an online subscription, which can include the usual software-as-a-service features like 24/7 support and other offers.
This business model enables affiliates with zero or little knowledge of ransomware to launch a ransomware attack quickly and affordably. As a result, RaaS has now significantly aided the growth of ransomware attacks. It has also developed into an independent ecosystem comprising ransomware developers, operators and other threat actors.
Now let’s look at some of these attack types in action. The following section details a lot of recent ransomware attacks that, for one reason or another, are infamous today.
(If you like reading these histories, check out these security books to read, recommended by security pros.)
Discovered in September 2013, CryptoLocker ransomware was distributed primarily via the Gameover Zeus botnet and email attachments. Victims were asked to pay the ransom in cryptocurrency so that the attackers could avoid being tracked. This ransomware targeted Microsoft Windows devices and encrypted files using RSA public-key cryptography, the most widely used public-key algorithm today.
Though it’s impossible to know the full effects of this attack, experts confirm that CryptoLocker went on to attack over 250,000 computer systems within four months. The extortion netted the attackers at least $3 million within nine months.
Discovered in 2017, the WannaCry ransomware targeted outdated Windows systems exposed to the EternalBlue vulnerability in the SMB protocol. It infected systems as self-contained software that encrypted the targeted files and prevented users from accessing them. WannaCry caused around $4 billion in damages and spread to nearly 150 countries.
(Like always, Splunk tackled WannaCry from the moment it began.)
Petya ransomware, discovered in March 2016, could encrypt a complete hard drive. It was primarily spread through fake, malware-laden job applications. Petya attacks the master boot record (MBR) of a computer and then encrypts the Master File Table of the NTFS file system.
Petya is in the same ransomware family as NotPetya, which attacked commercial and government organizations in Ukraine and other countries.
This 2017 scareware attack stole employee W-2 forms from the targeted organizations. (W-2s are important tax documents in the U.S.) Attackers launched this scareware by sending spam emails to payroll or human resources employees, asking them to send over employees’ W-2 forms.
The attackers then sent an urgent follow-up email asking the same employees to make wire transfers. The result was at least thousands of dollars lost.
Maze is a ransomware that we can consider leakware. It’s impacted many organizations since 2019. After encrypting data, Maze ransomware threatens to leak it unless the victims pay the ransom.
Cerber is a popular ransomware as a service. Once it infects a machine, it encrypts files while running silently. It also attempts to stop Windows security features, including antivirus programs, so that it can spread further into the system.
Discovered in 2016, Dharma is another ransomware that belongs to the RaaS model. Attackers spread this ransomware through spam emails, by exploiting weaknesses in the Remote Desktop Protocol (RDP), and via corrupted setup files. Its primary targets are the directories of Windows systems.
DarkSide is also a RaaS-type ransomware that initially targeted Windows machines but later expanded to Linux machines. Associated with the crime group called Carbon Spider, DarkSide attacks unpatched VMware systems or steals vCenter credentials.
(Read more about DarkSide and the attack on Colonial Pipeline, one of the largest gas pipelines in the U.S.)
Bad Rabbit is ransomware that came to light in October 2017, primarily targeting Russian media agencies. It was spread through compromised websites serving fake Adobe Flash updates. Once it infects a machine, it uses 2048-bit RSA keys to encrypt the file system and demands a ransom payment in cryptocurrency.
Attackers are always evolving their strategies, yes. But security best practices are the least you can do to make it harder for them to victimize your machine and your data.
To learn more, visit StopRansomware.gov, the U.S. government’s primary spot for effectively tackling ransomware.
Because new variants emerge daily, ransomware remains one of the major security threats. Organizations and individuals must stay vigilant.
There are currently five different types of ransomware: Crypto and Locker Ransomware, Scareware, Leakware and RaaS. RaaS has become the most prevalent among them, since it enables attackers with little knowledge of ransomware execution to easily launch an attack.