What is Ransomware?

Malignant (malicious) software, aka malware, are programs that enter computers and other devices and perform unauthorized operations affecting the data, systems, or networks. Ransomware are malware designed to lock users' systems or their access to files until a ransom is paid. Today, they are hot cakes in the cyber underworld, with thousands of users and businesses becoming victims. In most cases, attackers demand a hefty sum as ransom. According to a report, the average amount of reported ransomware transactions per month in 2021 was $102.3 million.


Types Of Ransomware

Ransomware continues to evolve in terms of nature (mode of attack) and sophistication. With victims willing to pay without choice, threat actors have brought in a great deal of innovation, the scope of which includes double- or triple extortion ransomware and ransomware-as-a-service.

Ransomware can be broadly classified into two types–one that restricts users' access to systems (locker ransomware), and one that encrypts the data and files from being accessible to the users (crypto-ransomware:) Below are some of the more traditional and nuanced variants of ransomware.


1. Locker Ransomware

These types of ransomware lock the users out of their systems. Most of the time, users are allowed to view only the lock screen or interact with a screen containing the ransom demand. The mouse and keyboard would be partially enabled to make the payment to the attacker. Lockers usually don't destroy the data as it only prevents users from accessing it. A timer with a deadline would be displayed to persuade the victim to pay up.


2. Crypto-Ransomware

As the most common type of ransomware, they encrypt the data, information, or files on the victims' device. The victim would usually be able to see the data and even use the system. However, they would not be able to access the data due to encryption. Crypto ransomware also prompts the victims to make the payment. If the user misses the deadline, all encrypted data would be permanently deleted.


3. Scareware

Scareware generally tries to freak the users out by displaying an alarming message and consequently tricks them into downloading malware. The attackers often use prompts that look official and legitimate and urge the user to act fast without giving them much time to think or analyze. The prompts can be a popup, a threatening message, or a false button, displaying alarming messages such as: "Your PC is slow. Speed up Now", or "Attackers can see your IP, Protect it now." Users who take the bait enable the ransomware to enter their systems and lock them out or encrypt their data.


4. Leakware

Through leakware, the attacker, instead of destroying the data, threatens to release it on public domains. Also known as Doxware, leakware attacks are targeted at organizations like banks and nationalized entities that handle confidential or sensitive data.


5. Ransomware As a Service (RaaS)

RaaS is where the threat actors embrace a SaaS-like business model to carry out ransomware attacks. RaaS operates like an affiliate network and allows cybercriminals with low technical knowledge to subscribe to RaaS and launch ransomware attacks. Members of the affiliate earn a percentage of the ransom payment. The RaaS model is one of the prime reasons for the dramatic increase in ransomware attacks in the recent past because it removes the barrier of prerequisite coding knowledge to launch an attack.


Note that scareware, leakware, and RaaS are essentially crypto- or locker ransomware variants.

Common Examples Of Ransomware

Ransomware continues to devastate businesses, MSPs, and their clients. Here is a list of some of the most known and infamous ransomware programs:


1. CryptoLocker

One of the earliest ransomware strains, CryptoLocker encrypts the victims' data and offers a private key to decrypt in exchange for bitcoins or pre-paid vouchers. The attackers threaten to delete the private key upon missing the deadline, denying access to the data permanently.

● Year of Emergence: 2013
● Target: Computers running on Microsoft Windows
● Mode of Propagation: Infectious email attachments
● Areas Affected: Across the globe
● Estimated extortion: $3 million

Bad Rabbit

2. Bad Rabbit

Bad Rabbit encrypts the user's file tables and demands Bitcoins to decrypt them. It primarily affected government authorities like the Ministry of Infrastructure of Ukraine. Some of the strings used in the code contained character names from the popular series Game of Thrones.

● Year of Emergence: 2017
● Target: Organizations and consumers
● Propagation: via fake Adobe Flash update request
● Areas Affected: Russia, Ukraine, and Eastern Europe
● Estimated extortion: Unknown, with a publicly admitted ransom payment of $1 million.


3. NotPetya (Petya)

This malware directly infects the system's boot record and encrypts the NTFS file system. This prevents the system from booting into the OS until the ransom is paid. Some researchers have deemed it a nation state 'act of war' against Ukraine rather than cybercriminals' intent for money.

● Year of Emergence: 2016
● Target: Computers running on Microsoft Windows
● Propagation: via infectious email attachments
● Areas Affected: Mainly Ukraine
● Estimated extortion: Unknown


4. Cerber

Cerber is crypto-ransomware RaaS that infects the system when the user clicks on a malicious ad or a spammy email initiated by the attacker.

● Year of Emergence: 2016
● Target: cloud-based Microsoft 365 users
● Propagation: phishing campaigns and malvertising
● Areas Affected: Across the globe
● Estimated extortion: Around $2 million in its first year


5. WannaCry

WannaCry launches a worm attack into the target system, locks the data, and demands a ransom in cryptocurrency. It spreads rapidly within systems. Its transport code uses an exploit known as EternalBlue–a cyberattack exploit developed by the U.S. National Security Agency (NSA)-- to gain access and make copies of itself.

● Year of Emergence: 2017
● Target: Computers running on Microsoft Windows
● Propagation: via a Microsoft exploit known as EternalBlue
● Areas Affected: 150 countries across the globe
● Estimated extortion: A total of 327 payments amounting to US$130,634.77


6. Dharma (CrySiS)

Dharma is a RaaS operation targeting small and medium businesses (SMBs) that cannot afford a high-profile cybersecurity team. It allows the attackers to encrypt the directory files on the victims' Windows-based systems. Once it conceals within the system, it infects each file being added to the directory. Threat actors using Dharma often demand relatively smaller ransom in the range of $8000 to $10000. However, the number of attacks that happened was of huge proportions, making it one of the most effective RaaS ever created.

● Year of Emergence: 2016
● Target: directories inside the user’s directory on Windows
● Propagation: via phishing emails or attacks on Remote Desktop Protocol (RDP) entry points.
● Areas Affected: Across the globe
● Estimated extortion: $24 million


7. Maze

Maze works on an affiliated network of cybercriminals and mainly targets SaaS companies. Once Maze affects an IT provider's network, it spreads onto the network of their clients' networks too. Maze usually encrypts data on the victim's system and threatens to leak it online unless the ransom is paid in cryptocurrencies.

● Year of Emergence: 2019
● Target: enterprise networks running on Windows
● Propagation: RDP brute force attacks and spam emails
● Areas Affected: Across the globe
● Estimated extortion: $24 million

What Should Companies Do?

There has been a steady increase in the number of ransomware attacks with each passing year. This not only causes financial damage to firms but also dampens their reputation and destroys the customers' trust. Here are some important measures that MSPs and businesses can take to avoid ransomware attacks:

● Use up-to-date versions of operating systems, browsers, antivirus, and software applications.
● Always back up important data on cloud servers or as hard, offline copies. This will help protect data and reduce the impact of crypto-ransomware attacks.
● Manage cookies carefully, allowing only the essential ones from any site
● Download software applications and antivirus from legitimate sources only.
● MSPs can educate their clients, and businesses can educate their employees on malware attacks and safe browsing.
● Build a cybersecurity team to proactively mitigate cybersecurity attacks and provide all essential support and remediation should an attack or a cybersecurity event occur.
● Hire a team of ethical hackers to discover and patch vulnerabilities across networks and systems.
● Use Network Detection and Response (NDR) products that use technologies like deep learning and statistical analysis to detect and respond to suspicious activities and actors on networks. This can take companies a long way in minimizing ransomware risks while identifying the weak spots in their networks.

Featured Resources

Prevention is no longer enough
Getting Ahead of Today’s Fast-Growing Ransomware Threats
Manufacturing network vulnerabilities
A blueprint for combatting ransomware in the manufacturing industry
Insider Threats – Who can you trust?
Insider threats are becoming center stage to some of the deadliest cyberattacks in recent news.

Network Threat Defense Software

Novacommand can help detect threats by inspecting and analyzing the network traffic. The information about the network traffic (metadata) will be correlated and analyzed as well. 

By doing this, threats can be detected in an early stage by their behavior, destination, or a combination of both. 

Novacommand will not 'defend' you against threats but will alarm you on a threat and if needed initiate an action with a 3rd party integration like a firewall or EPP. 

Watch the webinar
ForeNova Final Logo PNG-4


Counting the number of ransomware is beyond anyone's capabilities. Broadly speaking, there are two types of ransomware - crypto-ransomware that encrypts your data and locker ransomware that locks you out of your system.

The most commonly reported variants in H1 2021 were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.

Ransomware is a type of malware. Malware attacks usually come in the form of a computer virus or worm.