4 Key Types of Ransomware – and how to Guard Against Them
Ransomware has rapidly become one of the biggest cyberthreats facing businesses of all sizes. In 2022, this type of incident set new records, and already in 2023 several high-profile brands have fallen victim to these attacks.
In the last 12 months, BlackFog’s 2022 State of Ransomware report recorded a 29 percent increase in ransomware activity over 2021 and a 34 percent rise from 2020. Meanwhile, figures from Verizon noted that ransomware was involved in 70 percent of malware infections last year.
But not every incident is the same for every company. There are several ransomware variants to be aware of, some of which may be far more dangerous than others. Knowing what type of incident you’re dealing with is therefore an essential first step in formulating a response plan, especially when it comes to establishing whether vital business or personal data has been compromised.
At the same time, a good knowledge of the different ransomware attack types helps you plan your defenses and reduces the risk of being infected in the first place.
Here are four common types of threats you need to be familiar with to successfully prevent ransomware attacks from impacting your business.
1. Crypto Ransomware
Among the oldest, and traditionally the most common form of ransomware attack, crypto ransomware works by finding valuable data on a computer network. It then encrypts files so they become unusable. Attackers then demand a payment, after which they will (in theory) provide businesses with the decryption key needed to unlock them.
Such ransomware may infect all files on a device or seek out certain file types. Some variants can even look beyond the devices themselves to infect shared or networked drives or even cloud storage, potentially spreading the issues to all parts of a business. They do, however, typically leave the device usable.
The infamous Petya ransomware was one of the first strains of this type of ransomware infection to gain mainstream attention in 2016, targeting systems running Microsoft Windows. Traditionally, a ransomware gang would use phishing email techniques to spread this malicious software onto systems, though more sophisticated methods such as drive-by downloads hidden in malvertising are also common.
This type of attack is becoming less prevalent as businesses become more aware of the threat of ransomware and boost their defenses. Having comprehensive, regularly updated off-site backups or even continuous data protection tools, for instance, can be an effective way of mitigating the damage caused by this type of ransomware. However, hackers who do continue to use these tools have started countering these efforts by adding timed delays to their malware in order to infect backups as well.
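Off-site backups only help if you can tell a clean snapshot from one that a delayed payload has already encrypted. The following Python script is an added example, not BlackFog’s code or part of the original article: it records a hash and a byte-entropy figure for every file in a known-good backup set, then compares a later snapshot against that manifest and flags files whose content changed and whose entropy jumped to ciphertext levels, along with files that vanished or appeared. The file names, their contents and the 7.2 bits-per-byte threshold are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Entropy above this (bits per byte) is typical of encrypted or compressed
# content; documents, source code and most office files sit well below it.
# The threshold is an assumption for this example, not a vendor figure.
HIGH_ENTROPY_BITS = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files: dict) -> dict:
    """Record hash, size and entropy for every file in a known-good backup set."""
    return {
        path: {
            "sha256": hashlib.sha256(content).hexdigest(),
            "size": len(content),
            "entropy": shannon_entropy(content),
        }
        for path, content in files.items()
    }


def check_backup(manifest: dict, snapshot: dict) -> list:
    """Compare a later snapshot with the manifest; return (path, reason) findings."""
    findings = []
    for path, expected in manifest.items():
        if path not in snapshot:
            findings.append((path, "missing from snapshot"))
            continue
        content = snapshot[path]
        if hashlib.sha256(content).hexdigest() == expected["sha256"]:
            continue  # unchanged, nothing to report
        entropy = shannon_entropy(content)
        if entropy >= HIGH_ENTROPY_BITS > expected["entropy"]:
            # A readable file that became near-random data is the classic
            # signature of in-place encryption.
            findings.append((path, f"content changed and entropy jumped to {entropy:.2f} bits/byte"))
        else:
            findings.append((path, "content changed (legitimate edit or unknown modification)"))
    for path in snapshot:
        if path not in manifest:
            findings.append((path, "new file not in manifest"))
    return findings


# Constructed sample data: a known-good backup, and a later snapshot in which
# two documents have been replaced by uniformly distributed bytes (standing in
# for ciphertext), one config was legitimately edited, and a new file appeared.
GOOD_BACKUP = {
    "finance/q3-report.docx": b"Quarterly report: revenue grew 4% on last year. " * 40,
    "hr/policy.txt": b"Remote working policy, revision 3.\n" * 50,
    "eng/config.yaml": b"retention_days: 30\noffsite: true\n" * 20,
}
UNIFORM = bytes(range(256)) * 16  # exactly 8.0 bits/byte
LATER_SNAPSHOT = {
    "finance/q3-report.docx": UNIFORM,
    "hr/policy.txt": UNIFORM,
    "eng/config.yaml": b"retention_days: 60\noffsite: true\n" * 20,
    "finance/new-note.txt": b"constructed placeholder for an unexpected new file",
}
MANIFEST = build_manifest(GOOD_BACKUP)

if __name__ == "__main__":
    for path, reason in check_backup(MANIFEST, LATER_SNAPSHOT):
        print(f"{path}: {reason}")
```

Run the check against each new snapshot before the retention policy rotates older copies out: a delayed payload that quietly encrypts files surfaces as entropy jumps on documents that rarely change, while a legitimately edited config file is reported separately rather than as an alarm, and the manifest itself should live on storage the backup clients cannot write to.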
2. Locker Ransomware
Locker ransomware is similar to crypto ransomware but can be much more disruptive as it locks users completely out of a system, often leaving them with nothing except basic mouse and keyboard inputs to allow them to pay the ransom.
In these cases, individuals may turn on their device to see nothing except a lock screen with information on how to pay and a countdown clock to instill urgency – with the threat that if the ransom demand is not paid, the device will be rendered permanently unusable.
This type of ransomware attack usually targets systems rather than user files, so if a ransom is paid and access restored, there’s less chance that users will lose data. However, as with crypto ransomware, it prevents businesses from operating normally, and many firms may feel they have no choice but to pay the hackers in order to restore functionality.
In severe cases, this can render systems unrecoverable. For instance, the NotPetya ransomware variant destroyed 49,000 laptops and 3,500 servers belonging to Danish shipping company Maersk, costing the firm $350 million and making it one of the single most expensive attacks in history.
One of the most prevalent ransomware variants of this type today is Lockbit. In 2022, BlackFog’s research found this was responsible for 16 percent of all attacks. This marked a huge increase of over 600 percent from 2021, when the variant was practically unheard of, and made it the most common ransomware strain last year.
It also shows no sign of going away in 2023. Early into the new year, businesses infected with Lockbit ransomware included the UK’s Royal Mail postal service, which was forced to completely halt its overseas package processing as a result of the disruption caused.
3. Scareware
Scareware is an evolution of older, social engineering-based attacks that aim to trick users into paying to fix a non-existent problem with their machine. In a classic form, malware will send multiple pop-up warnings that a device is infected with a virus and urge the user to download paid-for ‘antivirus’ software in order to get rid of it. At best, this will do nothing, but it is far more likely to simply add additional malware onto the system.
Whether or not scareware should be considered a ransomware type in its own right is debated, but many of these attacks can be highly disruptive, either flooding the screen with warnings or, in some cases, adding elements of locker ransomware to remove functionality. Therefore, as it disrupts systems until a payment is made, for most victims the impact will be the same.
This tactic often relies on taking advantage of human emotions, so effective cybersecurity training is essential in preventing this type of attack. Ensuring all employees can spot the signs of these attacks, regardless of their level of technical knowledge, is therefore vital.
4. Double Extortion Ransomware
Double extortion ransomware is one of the most popular ransomware tactics used today – and one of the most dangerous. It works by exfiltrating data from a network as well as encrypting systems. Once this data is in the hands of criminals, it gives them more leverage when it comes to making ransom demands.
This has rapidly become the most common form of ransomware threat. For instance, BlackFog’s 2022 State of Ransomware report revealed that last year, 89 percent of ransomware attacks exfiltrated data. This marked a nine percent increase over 2021, with half of attacks sending data to either China or Russia.
A common form of double extortion is for attackers to say they will publicly release data if a ransom is not paid by a certain date. This type of ransomware may also be referred to as ‘doxware’. Hackers may also threaten to inform regulators or stakeholders of the breach, which could have further harmful consequences for a business’ reputation and finances. The goal of this is to add time pressure and increase the risks of not paying.
There is even a subvariant of this type of ransomware called triple extortion, which looks to pile even more pressure on businesses to respond quickly. One way of doing this is through the threat of a further attack, such as a Distributed Denial of Service (DDoS). Adding the risk of further disruption to an organization on top of the threat of data exposure can act as another incentive for businesses to pay up.
Such techniques often target businesses for which any release of data can be especially damaging, such as healthcare, technology and financial services providers. For example, in September 2022, we noted several incidents of the Hive ransomware group executing double extortion attacks, including one on New York-based ambulance provider Empress EMS.
To counter these types of ransomware, advanced, holistic cybersecurity solutions are required. In addition to solutions such as perimeter defenses and backups, Anti Data Exfiltration (ADX) technology is a must-have in order to prevent this type of ransomware. This advanced type of security software monitors your network for data exfiltration and blocks the transfer of files, preventing hackers from removing sensitive files they need to operate this form of ransomware.
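To make the exfiltration-monitoring idea concrete, here is an added Python example (not BlackFog’s ADX product or any code from the article) that runs simple egress-volume detection over a few constructed flow-log lines: it aggregates bytes sent per host and per destination, and raises an alert when a host pushes more than a threshold to a destination outside the allow-list, or exceeds a total egress budget for the window. The log format, host names, addresses (RFC 5737 test ranges) and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from typing import Optional

# One line per outbound flow summary; the format is constructed for this example.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

MB = 1024 * 1024
# Thresholds are assumptions; in practice they are tuned per host role from
# an observed baseline of normal egress.
NEW_DST_LIMIT = 20 * MB       # bytes to a single destination not on the allow-list
HOST_TOTAL_LIMIT = 500 * MB   # total egress per host in the window


def parse_flow(line: str) -> Optional[dict]:
    """Parse one flow line; malformed lines yield None and are skipped."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "host": m["host"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def detect_exfiltration(lines, known_destinations,
                        new_dst_limit=NEW_DST_LIMIT,
                        host_total_limit=HOST_TOTAL_LIMIT) -> list:
    """Return (host, dst, reason) alerts for suspicious outbound volume."""
    per_pair = defaultdict(int)   # (host, dst) -> bytes
    per_host = defaultdict(int)   # host -> bytes
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        per_pair[(flow["host"], flow["dst"])] += flow["bytes"]
        per_host[flow["host"]] += flow["bytes"]

    alerts = []
    for (host, dst), total in sorted(per_pair.items()):
        # Many small transfers to one unknown endpoint add up to the same
        # volume as one big upload, so the check runs on the aggregate.
        if dst not in known_destinations and total >= new_dst_limit:
            alerts.append((host, dst, f"{total // MB} MB to unknown destination"))
    for host, total in sorted(per_host.items()):
        if total >= host_total_limit:
            alerts.append((host, "*", f"{total // MB} MB total egress exceeds limit"))
    return alerts


# Constructed sample: ws-042 drips 50 MB to an unknown host in three chunks,
# ws-017 sends a large but sanctioned backup, srv-db sends a little to an
# unknown host, and one line is garbage.
KNOWN_DESTINATIONS = {"198.51.100.5"}   # e.g. the sanctioned backup service
SAMPLE_FLOWS = [
    "2023-02-14T02:13:05Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=15728640",
    "2023-02-14T02:14:11Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=15728640",
    "2023-02-14T02:15:20Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=20971520",
    "2023-02-14T02:20:00Z host=ws-017 dst=198.51.100.5 dport=443 bytes_out=209715200",
    "2023-02-14T09:01:44Z host=srv-db dst=203.0.113.77 dport=443 bytes_out=2097152",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, dst, reason in detect_exfiltration(SAMPLE_FLOWS, KNOWN_DESTINATIONS):
        print(f"ALERT {host} -> {dst}: {reason}")
```

Aggregating over a window is what catches the slow-drip pattern a per-packet rule misses; pairing the alert with an automatic block of the flagged host-to-destination pair is the enforcement step the article attributes to ADX, and the allow-list is what keeps sanctioned bulk transfers such as backups from paging anyone.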