Types of Ransomware: What to Look Out For in 2021 and Beyond

The big two: Locker and crypto-ransomware

As we outlined in our article on the origins of ransomware, most of today’s ransomware can be placed into one of two categories: lockers and crypto-ransomware. Let’s look at each type in detail.

Locker ransomware

Locker ransomware was the first type of ransomware to emerge all the way back in 1989. While the first attack appeared to be something of an anomaly, it emerged again around 2005, and this time it didn’t go anywhere.

As David Bisson notes over on our blog, locker ransomware works by “preventing victims from interacting with their keyboard, mouse, or other basic computer functions,” effectively “locking” the victim out of their computer entirely.

With this type of ransomware, the user’s data is typically not affected. As Bisson puts it, the upside of this is that it’s typically easier for victims to recover their information if they pay the ransom or find another way to get past the attack. The downside, however, is that lockers can set the stage for future attacks. From Bisson:

As an example, an attacker might program a locker to disguise their ransom screen as a tech support dialog box containing a phone number. The attackers might restore control of the infected device once the victim calls the number and pays for a fake antivirus solution. But in doing so, the victim might unknowingly install remote access software onto their computers that the attackers can then use to steal information, conduct reconnaissance for account takeover (ATO) fraud attempts, or even remotely deploy another locker or a strain of crypto-ransomware.

While this type of ransomware has become relatively less common as crypto-ransomware has grown more ubiquitous, it still poses a threat. As Bisson’s example highlights, it’s perhaps most dangerous when it works in conjunction with other types of ransomware.

Crypto-ransomware

The entire ransomware landscape changed in 2013. This was the year CryptoLocker came onto the scene, which was the first of its kind. As Bisson explains, modern crypto-ransomware works by “encrypting a victim’s information and then demanding that victims pay up for a corresponding decryption key.”

The introduction of this type of ransomware was so impactful because of the way it operates, which is vastly different from the ransomware that predated it. As Bisson notes, “In many instances of crypto-ransomware, victims can still use the basic functions of their infected machine to confirm the encryption of their data.” This is especially effective because, as Bisson puts it, “From an attacker’s perspective, it helps when a victim sees that a version of their data is still available.” If they can see what’s affected, they may be more likely to comply and pay ransom.

As Digital Guardian reports, CryptoLocker was one of the most profitable ransomware strains of its time: “Between September and December 2013, CryptoLocker infected more than 250,000 systems” before it was taken offline in 2014 in an international operation.

Though its reign was brief, it inspired many other similar variants which effectively work the same way. Today, crypto-ransomware is by far the most prevalent strain, with well-known versions like CryptoWall and TorrentLocker having emerged over the years.

As our Senior Cybersecurity Analyst David Pickett explains, the downside of crypto-ransomware for attackers is that “they have to do it really well and correctly.” There have been many groups in the past that have done it poorly and have been easily foiled by decryptors, he added.

Additionally, crypto-attacks are not the most efficient route for attackers to choose. According to Pickett, “Encrypting terabytes of data takes a lot of time, and decrypting it can take even longer. Sometimes, it’s easier for victims to start over fresh rather than waiting for their data to be decrypted.”

Other types of ransomware

While locker and crypto-ransomware are by far the most prevalent threats out there today, there are still other types to look out for.

Scareware

While technically not a form of ransomware, scareware is still a very disruptive thing for victims to encounter, and the experience for the victim is very similar to a legitimate ransomware attack.

As Varonis explains on their blog, scareware works by using malware to “pose as a legitimate alert, claiming to detect some other form of virus or malfunction. It then prompts the user to make a payment to a fake service or company to resolve the issue.” It gets its name from the way it works: by scaring victims into thinking they’re under attack, and then paying to fix it.

Ransomware-as-a-Service (RaaS)

This type of ransomware has exploded in the last few years. As Varonis explains, it works almost exactly the same way as a software-as-a-service model does, where anyone can purchase a license over the dark web and pay a monthly subscription fee to use it to carry out attacks on victims.

According to Pickett, this type of ransomware is so dangerous because “It’s made it possible for anybody, even the technically uninclined, to perpetrate an attack.” In other words, while other forms of ransomware require a strong technical acumen, RaaS has substantially lowered the barrier to entry and made it easier for anyone to participate.

Ransomware families

Now that we’ve covered the types of ransomware that are out there, let’s take a look at who’s carrying them out. CIO Advise recently came out with a report on the state of ransomware in 2021, and they provided a great recap of the top groups that are wreaking the most havoc today.

Conti

This is one of the most prominent ransomware families currently operating. It uses phishing attacks to target a number of sectors, including finance, consumables, technology industries, and perhaps most disturbingly, healthcare systems.

According to CPO Magazine, the most recent notable attacks by Conti were carried out in May 2021 against the Irish healthcare system, which included a ransom demand of $20 million (the Irish healthcare system did not pay the ransom).

REvil

As CIO Advise explains, “REvil is a blocking malware that encrypts the victim’s files after infecting the entire system and then sends a request message. Most often, the message explains to the victim that they need to pay the ransom in bitcoins.” It mostly uses backdoor software installers, vulnerability exploits, and exploit kits in order to infect systems.

REvil is perhaps the most prolific of all the ransomware families, having gone after a number of industries in the past year alone. CIO Advise reports that in 2021, they’ve gone after food production firms and technology firms, as well as “insurance companies, the healthcare system, lawyers, and the court system.”

REvil’s most well-known attack is likely the software supply chain attack they carried out against Kaseya in July 2021. According to Bleeping Computer, this attack, which “encrypted 60 managed service providers and over 1,500 businesses using a zero-day vulnerability in the Kaseya VSA remote management platform,” was so catastrophic that it got the attention of international law enforcement agencies. REvil announced it was shutting down shortly after, but re-emerged in September 2021 with new attacks.

Netwalker

This family uses phishing emails to enter Windows networks, but it’s also known for leaking a sample of the victim’s data online. After this, says CIO Advise, it “threatens to release more if the victim doesn’t pay that ransom.”

This family has been quite busy in 2021. According to UpGuard’s blog, they have targeted government agencies, enterprises, educational institutions, and healthcare organizations alike. They carried out a number of their healthcare system attacks at the height of covid, with one attack targeting Philadelphia-based Crozer-Keystone Health System in June 2020, and another targeting California University’s covid research unit.