What are the different types of ransomware?
Ransomware comes in more than one form, so here's what to look out for


Ransomware is the scourge of the tech industry and has been, for years, the single biggest cyber security threat troubling businesses across the globe. The WannaCry attack in 2017 was not the first ransomware incident on record, but it was arguably the catalyst that saw cyber criminals pivot to ransomware as their weapon of choice when looking to deal damage or extort a business for financial gain.
In the five years since, ransomware has evolved both in the types that criminals deploy and in the approaches they adopt to inflict the most damage on victims. But, at its core, ransomware is built to infect a victim’s machine, encrypt every file on the system, and essentially render the computer useless until the victim pays the attacker money to decrypt their files.
Operated by individuals, organised cyber criminal ‘gangs’, and nation states alike, ransomware is an immensely powerful and destructive tool that every business should be aware of and know how to defend against.
Different types of ransomware
Over the course of ransomware’s prominence in the industry, it has been used to target individuals, then bigger targets like businesses and entire countries. Unsophisticated programs have evolved to be almost impenetrable, and the tactics used to deploy the ransomware have changed from immature to so well thought out that victims are often left with no choice but to pay, despite industry advice vehemently and consistently opposing payment.
Today, there is mainly only one type of ransomware in widespread operation. Different groups develop their own strains, each operating slightly differently from the last, but the core principle remains the same: to encrypt data and prevent third-party decryption.
That said, older strains are still in circulation, albeit much more rarely, so understanding what’s out there is still important for any business - especially when regulatory and reputation-related pressures are at play.
Crypto-ransomware
The most common type of ransomware by far, this is the quintessential ransomware strain that attracts all the headlines. Once infected, victims lose access to the large majority of their files and cannot access them until either the program is decrypted, the system is wiped and restored from backups, or the ransom is paid.
Ransomware lockers
These programs were examples of immature ransomware strains that didn’t actually do any encryption at all, merely attempting to convince the victim that they did.
Sometimes called blockers or lock screen ransomware, lockers don’t affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand is displayed across the screen and, in the past, often masqueraded as a notice from a law enforcement agency claiming that the victim had accessed illegal web content and demanding an on-the-spot fine. This type of ransomware is usually easier to treat than crypto-ransomware, and third-party decryptor programs are more widely available.
Different ransomware models
While there is only really one ‘type’ of ransomware in existence currently, there are different approaches to how ransomware threat actors conduct their misdeeds. The business model of ransomware is fascinating and one that has evolved more frequently than the software itself.
Double extortion ransomware
More recently, ransomware criminals have pivoted to a double extortion model which involves stealing the victim’s data before encrypting it all and demanding a payment to restore access. Not only is the data encrypted but the attacker will often threaten to expose the data - usually of high value or sensitivity when a business is the victim - if the ransom isn’t paid.
This is an example of how career cyber criminals have innovated on the ransomware approach to maximise rewards. They noticed that as ransomware became more pervasive, more businesses increased their cyber resilience and became capable of restoring systems from backups, bypassing the need to pay a ransom. Double extortion closes that loophole for the attacker: restoring from backups does nothing to stop stolen data being leaked, which has allowed criminals to become more successful with increasingly aggressive tactics.
Ransomware-as-a-Service (RaaS)
Everything in IT seems to be moving to an as-a-service model, and ransomware is no different. It’s perfect for career criminals who have little-to-no technical expertise but still want to make a living from ransomware.
The business model for RaaS varies between vendors but there are three main approaches. Criminals can pay experienced developers a monthly subscription without handing over a portion of the profits their attacks generate; pay a larger, one-time fee that usually grants lifetime access without the need to share any profits; or operate on an affiliate basis, where no up-front payment is made to the group that developed the ransomware but a portion of the profits from every attack is taken.
RaaS organisations typically have dedicated websites on the deep web and sell their services from there. Alternatively, affiliates or subscribers can be found on hacking forums, also located on the deep web, which affords greater anonymity for both parties.
Ransomware payments
First and foremost, paying ransomware operators is highly frowned upon in the technology industry for a few reasons. Chiefly, it directly funds criminal acts, which is highly immoral. Paying the ransom is also exactly what these criminals want, which means paying up encourages the attackers to continue what they are doing - the idea is that not paying dissuades attackers from using ransomware at all.
Ideally, all businesses will have a robust backup strategy to fall back on if they are successfully targeted with ransomware. They can wipe all systems and restore from the last point at which everything worked, investigate how the attackers initially entered the system, and plug the gap before going back online.
This is often easier said than done for some organisations, though. Some industries rely on outdated technology that is difficult to update and back up. Others, like the manufacturing sector, operate on a just-in-time model, so every second lost to operational downtime can place a major dent in a business’s bottom line, and in its share price if it is a publicly listed company. It’s why manufacturing is consistently one of the sectors most targeted by ransomware: the incentive to pay, and to end the situation as quickly as possible, is so high.
Critical infrastructure organisations also manage services that are essential to modern societies functioning seamlessly - any disruption can cause shockwaves across entire countries, and that’s exactly what happened in Colonial Pipeline’s case last year. The organisation ultimately paid after major disruptions across the east coast of the USA became too much to handle.
The ransom demands typically vary between targets, with richer companies often charged more. For a cyber criminal, there is a fine balance to strike between getting the most out of a company and charging so much that there is no way the victim could ever consider paying it. The criminals want to get paid, at the end of the day.
This is why modern ransomware operations offer a negotiation service, most of the time. Once a system is infected and nearly all files are encrypted, victims are directed to one of the only files still accessible, usually one dropped by the ransomware program. Typically a basic text file, it contains a link to the operator’s deep web payment portal, where live chat assistants are on hand to negotiate the ransom demand. Operators would rather be paid a little less than nothing at all.
The entire process usually has a time limit set by the attacker, after which the encrypted files will be lost forever and, in the case of double extortion, the previously stolen data will also be leaked. The limit is usually around three days and is there to discourage any delays and increase urgency.
Esther is a freelance media analyst, podcaster, and one-third of Media Voices. She has previously worked as a content marketing lead for Dennis Publishing and the Media Briefing. She writes frequently on topics such as subscriptions and tech developments for industry sites such as Digital Content Next and What’s New in Publishing. She is co-founder of the Publisher Podcast Awards and Publisher Podcast Summit, the first conference and awards dedicated to celebrating and elevating publisher podcasts.