4 Types of Ransomware: Recognizing and Understanding the Threat

Last year, ransomware cost firms over $1.1 billion in direct payments. This makes it one of the biggest cybersecurity threats facing businesses of all sizes, and in 2024, this threat has shown no signs of slowing down.

Although almost half of recorded incidents in 2023 were in the US, it’s a global problem, with the UK and Canada the next most-targeted nations. However, many attacks go unreported, with BlackFog’s analysis estimating the number of undisclosed incidents in the first quarter of 2024 was five times higher than those that were made public.

In the vast majority of cases, if firms wait until an attack has already been initiated, it is too late to do anything, so prevention is much better than cure when it comes to tackling these incidents. Therefore, a good knowledge of the different ransomware attack types helps you plan your defenses and reduces the risk of being infected in the first place.

But not every incident is the same for every company. There are several types of ransomware variants to be aware of, some of which may be far more dangerous than others. Therefore, knowing what type of incident you’re dealing with is an essential first step in formulating a response plan, and especially when it comes to establishing whether or not vital business or personal data has been compromised.

Here are four common types of ransomware threats you need to be familiar with to successfully prevent ransomware attacks from impacting your business.

Crypto ransomware is among the oldest, and traditionally the most common form of ransomware attack –  though as more advanced attacks have gained prominence, this is no longer the case. It works by finding valuable data on a computer network and encrypting files so they become unusable. Attackers then demand a payment, after which they will (in theory) provide businesses with the decryption key needed to unlock them.

Such ransomware may infect all files on a device or seek out certain file types. Some variants can look beyond the devices themselves to infect shared or networked drives or even cloud storage, potentially spreading the issues to all parts of a business. They do, however, typically leave the device usable.

This type of attack is becoming less prevalent as businesses become more aware of the threat of ransomware and boost their defenses. Having comprehensive, regularly-updated off-site backups or even continuous data protection tools, for instance, can be an effective way of mitigating the damage caused by this type of ransomware. However, hackers who do continue to use these tools have started countering these efforts by adding timed delays to their malware in order to infect backups as well.

Locker ransomware is similar to crypto ransomware but can be much more disruptive, as it locks users completely out of a system, often leaving them with nothing except basic mouse and keyboard inputs to allow them to pay the ransom.

In these cases, individuals may turn on their device to see nothing except a lock screen with information on how to pay and a countdown clock to instill urgency – with the threat that if the ransom demand is not paid, the device will be rendered permanently unusable.

This type of ransomware attack usually targets systems rather than files, so if a ransom is paid and access restored, there’s less chance that users will lose data. However, as with crypto ransomware, it prevents businesses from operating normally, and many firms may feel they have no choice but to pay the hackers in order to restore functionality, or hope that law enforcement can take down the hackers and recover keys.

Scareware is an evolution of older, social engineering-based attacks that aim to trick users into paying to fix a non-existent problem with their machine. In the classic form, malware will send multiple pop-up warnings that a device is infected with a virus and urge them to download paid-for ‘antivirus’ software in order to get rid of it. At best, this will do nothing, but it is far more likely to simply add additional malware onto the system.

Whether or not scareware should be considered a ransomware type in its own right is debated, but many of these attacks can be highly disruptive, either flooding the screen with warnings or, in some cases, adding elements of locker ransomware to remove functionality. Therefore, as it disrupts systems until a payment is made, for most victims the impact will be the same.

This tactic often relies on taking advantage of human emotions, so effective cybersecurity training is essential in preventing this type of attack. Ensuring all employees can spot the signs of these attacks, regardless of their level of technical knowledge, is therefore vital.

Double extortion ransomware is one of the most popular ransomware tactics used today – and one of the most dangerous. It works by exfiltrating data from a network as well as encrypting systems. Once this data is in the hands of criminals, this gives them more leverage when it comes to making ransom demands.

This has rapidly become the most common form of ransomware threat. For instance, BlackFog’s 2023 State of Ransomware report revealed that last year, 91 percent of ransomware attacks exfiltrated data. 

A common form of double extortion is for attackers to say they will publicly release data if a ransom is not paid by a certain date. This type of ransomware may also be referred to as ‘doxware’. Hackers may also threaten to inform regulators or stakeholders of the breach, which could have further harmful consequences for a business’ reputation and finances. The goal of this is to add time pressure and increase the risks of not paying.

Such techniques often target businesses for which any release of data can be especially damaging, such as healthcare, education, technology and financial services providers. 

There is even a subvariant of this type of ransomware called triple extortion, which looks to pile even more pressure on businesses to respond quickly. One way of doing this is through the threat of a further attack, such as a Distributed Denial of Service (DDoS). Adding the risk of further disruption to an organization on top of the threat of data exposure can act as another incentive for businesses to pay up.

Any of these types of ransomware can cause serious disruption to a business’ operation, although it is likely to be double extortion attacks that include data exfiltration that are most dangerous. Once sensitive information is in the hands of cybercriminals, the damage is already done. Therefore, ransomware prevention must be the number one priority, followed by mitigation.

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends the below best practices in order to prevent ransomware from successfully impacting a business.

• Maintain offline, encrypted backups of critical data
• Create, maintain, and regularly exercise a basic cyber incident response plan 
• Implement a zero trust architecture to prevent unauthorized access to data and services
• Conduct regular vulnerability scanning to identify and address vulnerabilities
• Regularly patch and update software and operating systems to the latest available
• versions
• Ensure all on-premises, cloud services, mobile, and personal devices are properly configured
• Limit the use of RDP and other remote desktop services 

In the event that a ransomware attack is not discovered until after it has infiltrated a business, there are still steps that firms can take to mitigate the damage. In this case, the UK’s National Cyber Security Centre (NCSC) recommends the following key steps.

• Immediately disconnect infected devices from all network connections
• In serious cases, consider turning off Wi-Fi, disabling any core network connections (including switches) and disconnecting from the internet
• Reset credentials including passwords 
• Safely wipe the infected devices and reinstall the OS
• Verify any backups are free from malware before restoring from them

When it comes to actually paying ransoms, many companies will believe this is the simplest option in order to restore services quickly. This course of action may be particularly tempting in the case of double extortion ransomware, where the financial and reputational costs of having data publicly released could far exceed the ransom demand. However, in the long run, this is likely to do more harm. Indeed, the NCSC highlights four key reasons why it is a bad idea to pay. These are:

• There is no guarantee that firms will get access to their data or devices
• Devices will still be infected
• Companies will be paying criminal groups
• Victims are more likely to be targeted in the future

In recent years, there have been many examples of large-scale ransomware attacks using the above methods. Here are some of the most infamous and consequential attacks and ransomware groups.

The infamous Petya ransomware was one of the first strains of crypto ransomware infection to gain mainstream attention. It surfaced in 2016 targeting systems running Microsoft Windows. Later, the NotPetya variant – widely blamed on state-sponsored Russian hackers – was responsible for a huge attack in Ukraine that took down energy infrastructure, transport and banking systems.

One of the most prevalent locker ransomware variants is LockBit. In 2024, BlackFog’s research found this was responsible for 21 percent of all attacks, with notable incidents including the UK’s Royal Mail postal service, which was forced to completely halt its overseas package processing as a result of the disruption caused.

One of the more notorious types of double extortion ransomware, this group earned more than $100 million in payments by targeting over 1,500 victims in over 80 countries before being taken down by the FBI in 2023. We noted several incidents of this ransomware group executing attacks targeting healthcare providers, including one on New York-based ambulance provider Empress EMS.

To counter these threats, advanced, holistic cybersecurity solutions are required. In addition to solutions such as perimeter defenses and backups, Anti Data Exfiltration (ADX) technology is a must-have in order to prevent this type of ransomware. This advanced security software monitors your network for unauthorized data exfiltration and blocks the transfer of files in real-time, preventing hackers from removing sensitive files they need to operate this form of ransomware.

Learn more about how BlackFog protects enterprises from the threats posed by ransomware.