What are the different types of ransomware?

Ransomware is the scourge of the tech industry and has been, for years, the single biggest cyber security threat troubling businesses across the globe. Not the first ransomware incident on record, but the WannaCry attack in 2017 was arguably the catalyst that saw cyber criminals pivot to ransomware as the go-to weapon of choice when looking to deal damage or extort a business for financial gain.

In those five years, ransomware itself has evolved both in the types of ransomware that criminals deploy and the approaches they adopt to inflict the most damage to victims. But, at its core, ransomware is built to infect a victim’s machine, encrypt every file on the system, and essentially render the computer useless until the victim pays the attacker money to decrypt their files.

Operated by individuals, organised cyber criminal ‘gangs’, and nation states alike, ransomware is an immensely powerful and destructive tool that every business should be aware of and know how to defend against.

Different types of ransomware

Over the course of ransomware’s prominence in the industry, it has been used to target individuals, then bigger targets like businesses and entire countries. Unsophisticated programs have evolved to be almost impenetrable, and the tactics used to deploy the ransomware have changed from immature to so well-thought that victims are often left with no choice but to pay, despite industry advice vehemently and consistently objecting to that.

In operation today, there is mainly only one type of ransomware in widespread operation. Various strains are developed by different groups operating slightly differently from the last, but the core principle remains the same: to encrypt data and prevent third-party decryption.

That said, there are still older strains in circulation, albeit comparatively much more rarely, so understanding what’s out there is still important for any business - especially when regulatory and reputation-related pressures are at play.

Crypto-ransomware

The most common type of ransomware by far, this is the quintessential ransomware strain that attracts all the headlines. Once infected, victims lose access to the large majority of their files and cannot access them until either the program is decrypted, the system is wiped and restored from backups, or the ransom is paid.

Ransomware lockers

These programs were examples of immature ransomware strains that didn’t actually do any encryption at all, merely attempting to convince the victim that they did.

Sometimes called blockers or lock screen ransomware, it doesn’t affect the data stored on the device. Instead, it prevents the victim from accessing the device. The ransom demand is displayed across the screen and, in the past, they often masqueraded as a notice from a law enforcement agency claiming that the victim had accessed illegal web content and demanded an on-the-spot fine. This type of ransomware is usually easier to treat than crypto-ransomware and third-party decryptor programs are more widely available.

Different ransomware models

While there is only really one ‘type’ ransomware model in existence currently, there are different approaches to how ransomware threat actors conduct their misdeeds. The business model of ransomware is fascinating and one that has evolved more frequently than the software itself.

Double extortion ransomware

More recently, ransomware criminals have pivoted to a double extortion model which involves stealing the victim’s data before encrypting it all and demanding a payment to restore access. Not only is the data encrypted but the attacker will often threaten to expose the data - usually of high value or sensitivity when a business is the victim - if the ransom isn’t paid.

This is an example of how career cyber criminals have innovated on the ransomware approach to maximise rewards. They noticed that as ransomware became more pervasive, more businesses increased cyber resilience and became capable of restoring systems from backups, bypassing the need to pay a ransom. This loophole then allowed them to become more successful with increasingly aggressive tactics.

Ransomware-as-a-Service (RaaS)

Like everything in IT seems to be going to an as-a-service model, ransomware is no different. It’s perfect for career criminals with little-to-no technical expertise but still want to make a living from ransomware.

The business model for RaaS varies between vendors but there are three main approaches. Criminals can either pay experienced developers a monthly subscription without paying a portion of the profits their attacks generate. They can pay a larger, one-time fee that usually grants lifetime access without the need to share any profits, or operate on an affiliate basis where no up-front payment is made to the group that developed the ransomware but a portion of profits from every attack will be taken.

RaaS organisations typically have dedicated websites found on the deep web and sell their services from there. Alternatively, affiliates or subscribers can be found on hacking forums, also located on the deep web which affords greater anonymity for both parties.

Ransomware payments

First and foremost, paying ransomware operators is highly frowned upon in the technology industry for a few reasons. Chiefly, it is directly funding criminal acts which is highly amoral. Paying the ransom is also exactly what these criminals want, which means paying up is encouragement for the attackers to continue what they are doing - the idea is that not paying dissuades attackers from using ransomware at all.

Ideally, all businesses will have a robust backup strategy on which they can fall if they are successfully targeted with ransomware. They can wipe all systems and restore from the last point at which everything worked, investigate how the attackers got initially entered the system, and plug the gap before going back online.

This is often easier said than done for some organisations, though. Some industries rely on outdated technology that is difficult to update and back up. Others operate on a just-in-time model, like the manufacturing sector, so every second lost to operational downtime can place a major dent in a business's bottom line and share prices if they are a publicly listed company. It’s why manufacturing is consistently one of the most-targeted sectors by ransomware because the incentive to pay, and to end the situation as quickly as possible, is so high.

Critical infrastructure organisations also manage services that are essential to modern societies functioning seamlessly - any disruption can cause shockwaves across entire countries, and that’s exactly what happened in Colonial Pipeline’s case last year. The organisation ultimately paid after major disruptions across the east coast of the USA became too much to handle.

The ransom demands typically vary between targets, with richer companies often charged more. For a cyber criminal, there is a fine balance to strike between getting the most out of a company and charging so much that there is no way the victim could ever consider paying it. The criminals wants to get paid, at the end of the day.

This is why modern ransomware operations offer a negotiation service, most of the time. Once infected and when nearly all files are encrypted, victims are navigated to one of the only files still accessible which is usually one dropped by the ransomware program. Typically a basic text file, it contains a link to the operator’s deep web payment portal where live chat assistants are on-hand to negotiate the ransom demand. Operators would rather be paid a little less than nothing at all.

The entire process usually has a time limit set by the attacker after which time the encrypted files will be lost forever, and in the case of double extortion, the previously stolen data would also be leaked. The limit is usually around three days and is there to discourage any delays and increase urgency.