Home Learn Types of Ransomware Be Prepared for These Common Types of Ransomware 6 forms of ransomware attacks, 9 high-profile ransomware attacks, and 12 current ransomware variants you should know about. Request demo Types of Ransomware Overview Ransomware Types Ransomware Attacks Ransomware Threats Related Terms Resources Overview Understanding Common Ransomware Types in 2024 Of all the perils in today’s threat landscape, ransomware may be the most feared. Different types of ransomware attacks can vary in motive and mechanism, but they all have one thing in common: rendering the victim’s data inaccessible. For a modern business, that can be an existential threat. Let’s learn more about the most common forms of ransomware, including: • Lockers • Crypto ransomware • Scareware • Ransomware as a Service (RaaS) • Extortionware (including Doxware and Leakware) • Wiper malware You’ll also learn about high-profile past attacks as well as today’s most severe ransomware threats. Ransomware Types The 6 Most Common Types of Ransomware Attacks When people hear the word “ransomware,” they usually think about forcible encryption. While this is a factor in many of the most high-profile ransomware attacks, it’s not always the case. What really defines a ransomware attack is – as the name suggests – a demand for payment to restore the victim’s ability to use their data. We can see this tactic play out in the following six common types of ransomware attacks. 1. Crypto ransomwareOne of the most well-known and damaging forms of ransomware, crypto or encryptor ransomware forcibly encrypts the files and data within a system, making the content inaccessible unless the victim pays up. To heighten the pressure, crypto developers often add a countdown to their ransomware demand, after which the files will be deleted. Of course, even if the ransom is paid, typically in cryptocurrency, there’s no guarantee the threat actors will follow through on their promise to provide a decryption key. Common forms of crypto ransomware have included Hive, REvil, and Ryuk. 2. Lockers Rather than encrypting files, locker ransomware blocks access to data by disabling basic computer functions to render your files and applications inoperable. You’re typically unable to access your desktop, though you retain just enough mouse and keyboard functionality to send payment. A lock screen displays the ransom demand, often with the dreaded countdown clock. While complete destruction of your data is unlikely, the malware can spread quickly across your network to infect other devices in your organization. Common forms of locker ransomware have included CryptoLocker and Locky. 3. Ransomware as a Service Currently surging in popularity, RaaS brings the convenience of SaaS to cybercrime. In this form of the threat, the attack is delivered by a professional RaaS group that hosts and distributes its own malware, collects payments from victims, and restores access (ideally) in return for a cut of the ransom. RaaS gives less technically sophisticated or amateur cybercriminals the ability to carry out a highly effective ransomware attack. For the creators of the malware used, carrying out the attack in the name of their customer makes for easy money with less risk. RaaS gangs can use any type of malware they choose, but common forms have included LockBit, Black Basta, and the DarkSide successor BlackMatter. 4. Extortionware Elevating the menace of run-of-the-mill ransomware, extortionware goes beyond encryption by threatening to release proprietary data or personal identifying information (PII) about their targets unless a payment is made. When such attacks target an individual victim, a version also known as doxware, this disclosure can put the individual at risk of public humiliation, ruined careers or personal relationships, or even physical harm. When the attacker’s scope focuses more broadly on an organization as a whole, i.e. Leakware, the potential impact resembles any other type of data breach, including public embarrassment, damaged customer and business relationships, and regulatory fines. Software commonly used in different types of extortionware attacks have included DoppelPaymer, Revil, and EvilQuest. 5. Wiper malware Though it doesn’t meet the classical understanding of ransomware, wiper malware attacks often masquerade as ransomware so it’s important to understand how the two compare. Like ransomware, wiper malware restricts the user’s access to data. As in a ransomware attack, threat actors often demand a payment, perhaps using a countdown clock for dramatic effect. But there’s a key difference: In most cases, the perpetrators of a wiper malware attack have no intention of restoring the victim’s data access. Their main objective is to wreak havoc by destroying the data permanently, and any money they make along the way is simply a bonus for a job well done. Software used in wiper malware attacks has included NotPetya and KillDisk. 6. Scareware Often successful against less savvy victims, scareware is fake software that claims to have detected a virus or other issue on your computer and directs you to pay to resolve the problem. A pop-up alert – or a flood of them – urges the user to download a tool or service to resolve the issue. Of course, it’s this download software that actually gives the attacker access to the system. At that point, some types of scareware then will lock the computer and demand a ransom, though they usually don’t damage the system or compromise files. Common forms of scareware have included Mac Defender and WinFixer. ransomware attacks 9 Well-Known Ransomware Attacks A complete list of publicly disclosed ransomware attacks would run longer than you’d want to read, and many victims understandably remain silent (though publicly traded companies are required by the SEC to come forward about cyberattacks). A handful of high-profile examples make the potential damage – including ransom payments as well as their broader impact – all too clear. • CryptoLocker (2013-2014) – One of the first major ransomware attacks, spreading via infected email attachments and the Gameover ZeuS botnet, CryptoLocker extracted an estimated $3 million in payments from various small and midsize businesses. • WannaCry (2017) – This global attack affected over 230,000 computers in 150 companies. The U.K. National Health Service suffered an estimated $92 million in losses in addition to untold distress for patients, practitioners, and facilities. Total losses worldwide reached $4 billion. • Petya/NotPetya (2017) – This highly successful campaign caused $10 billion in losses globally, including $300 million for the Maersk shipping company. • GandCrab (2018-2019) – Targeting numerous small and midsize businesses rather than a few rich victims, GandCrab caused an estimated $2 billion in total damages worldwide. • REvil/Sodinokibi (2021) – Used in more than a fifth of IBM incident response engagements in 2022, REvil is estimated to have infected roughly 175,000 computers worldwide with at least $200 million paid in ransom. JBS Foods alone paid a reported $11 million. • Maze (2019-2020) – IT consultancy Cognizant took a heavy blow from the Maze ransomware strain. The company reported direct recovery losses of $50 million to $70 million; adding lost revenue, the total financial impact was estimated to be as high as $140 million. • Ryuk (2020) – An attack targeting Universal Health Services affected 250 U.S. care sites. The long-term impact is hard to assess, but short-term losses amounted to $67 million. • DarkSide (2021) – Best known for its impact on Colonial Pipeline, this RaaS attack earned a ransom of $4.4 million – but that’s only part of the picture. Attackers also stole roughly 100 GB of data from the company’s servers. Meanwhile, widespread fuel shortages and price increases rippled across consumer, business, and financial markets. • ALPHV/BlackCat and Scattered Spider (2023) – The ransomware gangs collaborated in an attack on MGM Resorts, gaining initial access through social engineering tactics on LinkedIn. In spite of significant disruptions to its operations and guest experience over nearly two weeks, the company refused to pay the ransom – but saw an estimated $100 million in lost revenue and other damages. Ransomware Threats 12 of Today’s Most Severe Ransomware Threats The current ransomware landscape is becoming more fragmented. While many older well-known strains may have evolved, rebranded, or ceased operations, new groups continue to emerge. Many or most take the form of RaaS and use double extortion tactics in which separate ransoms must be paid for decryption and the deletion of stolen data. Here are a dozen ransomware threats you should be aware of now. • LockBit – Delivered by a highly sophisticated RaaS gang, LockBit is one of the most prolific and destructive forms of ransomware worldwide. It uses native Windows tools to evade detection, disguises its executable as a .PNG file, and can self-propagate across a network with minimal manual intervention. Aggressive marketing, a user-friendly interface, and an attractive profit-sharing model have fueled its rising popularity. • PLAY – Also known as PlayCrypt, this sophisticated cyberthreat emerged in June 2022 with a focus on Latin America. Currently available as a RaaS, PLAY exploits vulnerabilities in public-facing assets, such as Fortinet SSL VPN and Microsoft Exchange ProxyNotShell, and uses compromised valid accounts for initial access. • Black Basta – Since early 2022, Black Basta has been one of the world’s most active RaaS operations. The group uses a double extortion tactic by encrypting victims’ data and then threatening to publish sensitive information. Continuously evolving its tactics, Black Basta has recently incorporated email DDoS and voice phishing (vishing) into its attacks. • RansomHub – Relatively new but growing fast, RansomHub RaaS targets critical infrastructure sectors such as healthcare, water management, financial services, and government services. Common tactics like phishing, exploiting vulnerabilities, and password spraying, used in tandem with EDR-killer tools, have helped the group breach over 200 victims including Christie’s auction house and Change Healthcare. • Hunters International – Possibly a rebranded version of Hive, Hunters International operates as a RaaS focused primarily on data exfiltration and extortion rather than file encryption. Written in Rust, which enhances its ability to evade detection and accelerate encryption, the malware is known for its ability to kill processes, delete backups, and disable recovery mechanisms. • Akira – Yet another RaaS known for double extortion tactics, Akira quickly has become a top global ransomware threat. Ransom demands typically range from $200,000 to over $4 million, with most victims in education, finance, manufacturing, and healthcare. • Medusa – Spreading quickly through global affiliates, the Medusa RaaS typically gains initial access by exploiting vulnerable services or through phishing campaigns. Once inside, it terminates over 280 Windows services and processes to facilitate encryption. Victim name-and-shame blog on both the dark and surface web has built its notoriety in the cybersecurity community. • BianLian – Currently a top global ransomware threat, BianLian recently has shifted its focus from encryption to extortionware attacks. Often gaining access via compromised RDP credentials, the group uses open source tools and command-line scripts for credential harvesting and data discovery, and then exfiltrates data via FTP, Rclone, or Mega file-sharing services. • 8Base – Initially emerging in 2022 in the guise of penetration testers, the 8Base now operates double extortion schemes against small and midsize companies in the U.S., Brazil, and the U.K. Its malware disables Windows Defender components, deletes shadow copies, clears event logs, and modifies registry entries to bypass User Access Control and achieve persistence. • INC Ransomware – Since July 2023, this operation gains access through spear-phishing emails or by exploiting vulnerable services, and then uses a combination of commercial tools and living-off-the-land binaries (LOLBINs) for reconnaissance and lateral movement. The group cynically offers the “service” of revealing its methods to make the victim’s environment more secure after payment. • Qilin – Originally operating its RaaS under the name Agenda, Qilin uses a double extortion strategy with ransom demands ranging from $50,000 to $800,000. Advanced malware written in both Golang and Rust gains initial access through phishing emails and VPN networks lacking multi-factor authentication. Customizable features such as altering file extensions and terminating specific processes make the service highly adaptable. • Vanir Group – Since its debut in July 2024, the Vanir Group RaaS gang has developed links with former associates of other notable ransomware groups, enabling it to grow quickly in sophistication. The group is known for both a veneer of professionalism and highly aggressive tactics, such as sending intimidating messages to CEOs to add urgency to double extortion demands. Both the types of ransomware software and the tactics of the gangs who employ it are always evolving. There’s no way to achieve complete protection from a breach, but by maintaining a ceaseless focus on data protection, backup and recovery, and cyber resilience capabilities, you can mitigate the risk these threats pose. Be vigilant, be prepared, and you can help enable continuous business no matter what happens. Related Terms What is Ransomware Protection? Ransomware protection is the process of preventing the occurrence of a ransomware event, and/or mitigating the risk of a successful attack. Learn more What is Data Protection? Data protection refers to the practices, technologies, and policies that are used to safeguard data against unauthorized access, loss, corruption, and other threats. Learn more What is Cyber Deception? Cyber deception is a proactive security and defense tactic which hinges on deceiving bad actors and malicious attacks. Learn more related resources Explore related resources View all resources eBook Ransomware 101 Understand ransomware better to recover your data. Read more Video Ransomware Recovery Demo See how Commvault performs a complete restore and recovers all files in the event of a ransomware attack. Watch now Infographic A-Z of Ransomware Recovery As cyber risks evolve, data estates grow, and IT resources shrink, today’s organizations need a better way of safeguarding theirinvaluable data. Read more