
7 Common Types of Ransomware Attacks

Ransomware attacks were responsible for 24% of all breaches, according to the Verizon 2023 Data Breach Investigations Report (DBIR)

Even today, we hear news of the latest ransomware attacks affecting both individuals and companies. This is not a new phenomenon, as the threat began with floppy disks distributed via snail mail and has since evolved with the internet, blockchain technologies, and cryptocurrencies. 

A record $176 million has been extorted by ransomware attackers in the first half of 2023, making it the second costliest year in ransomware history.

Despite the ever-changing methods used, attackers follow a consistent pattern: targeting vulnerable victims, blocking access to something they need, and then demanding a ransom to restore access.

It is crucial to thoroughly understand the background and latest methods of cyber attacks to prevent them and take necessary measures.

What is Ransomware?

Ransomware is a type of malware that is designed to encrypt files on a device, making them unusable and disrupting the systems that rely on them. Once installed, it blocks access, deletes, or otherwise compromises legitimate data and applications. 

According to the 2023 Cost of a Data Breach report by IBM, the average cost of a ransomware-caused data breach is $5.13 million.

Ransomware operators usually look for unsecured, open ports to initiate their attack. Remote Desktop Protocol (RDP) endpoints exposed to the internet are often cited in threat reports as the primary entry point for ransomware attacks.

The Sophos State of Ransomware 2023 report found that 66% of respondents experienced a ransomware attack in the previous year, indicating no significant change in the rate of attacks.

The Story Behind - A Brief History of Ransomware

Ransomware has been a persistent threat for over three decades now. The first ransomware attack was recorded in 1989 after the World Health Organization's AIDS conference. A Harvard-educated biologist, Joseph L. Popp, sent 20,000 floppy disks to the conference attendees, which contained the first ransomware virus. This case is known as the AIDS trojan (PC Cyborg Virus), which was released via floppy disk in 1989. Victims had to send $189 to a P.O. box in Panama to restore access to their systems, even though it was a simple virus that utilized symmetric cryptography.

Collecting money and monetizing the attacks has always been a challenge for hackers. However, the advent of cryptocurrencies such as Bitcoin has changed the game of ransomware by providing an easy and untraceable method for hackers to collect payments from their victims. This has led to a significant surge in ransomware attacks since 2012. 

While Bitcoin payments provide cybercriminals with a simple transaction process, the process is not always straightforward for victims. Hackers have even opened call centers to provide technical support and assist victims in signing up for Bitcoin. Bitcoin exchanges allow attackers to receive instant payments anonymously without the involvement of traditional financial institutions.

Impact of Ransomware Attacks

7 Common Types of Ransomware Attacks

There are two main types of ransomware: encrypting ransomware or crypto ransomware, and non-encrypting ransomware or screen-locking ransomware. 

The first type, which is more common, encrypts the victim's data and holds it hostage. The attacker then demands a ransom in exchange for providing the decryption key to unlock the data. The second type, which is less common, locks the entire device by blocking access to the operating system. Instead of starting up normally, the device shows a screen with the ransom demand. 

These two types can also be further divided into subcategories:

1. Crypto Ransomware

Crypto-ransomware or crypto-malware is a type of malicious software that encrypts files stored on a computer or mobile device with the aim of extorting money. Encryption is a process that scrambles the contents of a file, making it unreadable without a decryption key. Cybercriminals use this technique to hold the victim's data hostage and demand a ransom payment in exchange for the decryption keys. 

This type of attack is also referred to as data kidnapping, and it is one of the most common forms of ransomware. The attacker may also try to encrypt any backup files to prevent the victim from restoring their data without paying the ransom.

2. Scareware

Scareware is a type of malicious software that uses social engineering tactics to deceive users into thinking that their computer has been infected with malware or has encountered some other problem that requires immediate attention. It usually displays a pop-up alert, which may include the logo of legitimate security software, instructing the user to purchase and install software to resolve the issue. 

Scareware may take different forms, such as a message from a law enforcement agency accusing the user of a crime and demanding a fine, or a fake virus infection alert, encouraging the user to buy antivirus or antimalware software. In some cases, it may even be ransomware, which encrypts the victim's data or locks their device, or it may act as a vector for ransomware, coercing the user to download it.

3. Extortionware

Extortionware is a type of ransomware that is designed to lock down the victim's device while also threatening to disclose their private information unless a ransom is paid. Hackers who use extortionware are able to access any information stored on the device and use it against the victim. They often search for confidential company information or personal data that can be used as leverage to extort money from the victim.

4. Exfiltration

Data exfiltration is the theft of personally identifiable information (PII), which is then used in phishing, spear-phishing, and ransomware attacks. Double extortion is a technique in which hackers steal the data, encrypt it, and demand a ransom.

Spear-phishing is a cyber attack that targets individuals or organizations through malicious emails. The attackers carefully research their targets to make the emails appear to be from trusted senders in the targets' lives.

If the ransom is refused, the stolen information is leaked to the public or on the dark web. Hackers tend to target essential industries like healthcare, government, or education that have significant IT vulnerabilities.

5. DDoS Ransomware

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the regular functioning of an online service by overwhelming it with a massive volume of traffic.

DDoS ransomware attacks differ from crypto ransomware and exfiltration attacks as they do not target the data but instead aim to disrupt network services. The attack involves overwhelming the servers with an excessive number of connection requests, which causes them to crash. The attacker then sends a ransom note, demanding payment to end the attack. 

However, there is no guarantee that the attacker will follow through with their threat even after receiving the payment. In some cases, the ransom note may be sent before the attack is initiated, and the attacker may or may not carry out the attack.

6. Doxware

Doxing malware is more severe than regular ransomware. It not only encrypts files, documents, and applications on the user’s device but also threatens to release sensitive data or personal information of the victim, which can lead to identity theft or physical danger. 

This type of attack can be targeted towards businesses or individuals. The consequences of a doxware attack can be more severe than standard doxxing since hackers gain access to confidential information from the victim's device.

Doxxing is a malicious act of gathering an individual's private information from various online platforms, including social media, without their consent and then publishing it to the public to shame or embarrass the victim.

7. Locker 

Locker ransomware or locker is a type of ransomware that blocks access to a device or a particular application (such as a browser), and demands a ransom to restore it. Lockers can be distributed through mailing lists, ad networks (malvertising), or disguised as useful apps (mobile lockers).

After infecting a device, a locker malware restricts access to certain or all data and files on the device. It then displays a ransom note on the screen, demanding payment from the user. Unlike crypto ransomware, which usually doesn't conceal the criminal intent behind it, lockers often disguise the ransom as a fine or other mandatory payment.

Ransomware as a Service (RaaS)

It's important to understand that RaaS is not a specific type of ransomware but rather a delivery model that is often included in lists of ransomware types. 

In this model, perpetrators rent access to a ransomware strain from the author, who offers it as a pay-for-use service. The creators of RaaS host the ransomware on dark net sites and allow criminals to purchase it as a subscription, similar to a SaaS model. The fees charged depend on the complexity and features of the ransomware, and there is usually an entry fee to become a member. Once members infect computers and collect ransom payments, a portion of the ransom is paid to the RaaS creator under previously agreed-upon terms.

FAQ

What does a ransomware attack do?

Ransomware is a type of malicious software that can lock and encrypt a victim's data, files, devices, or systems, making them inaccessible and unusable until the attacker receives a ransom payment from the victim.

What are ransomware attack threats?

Ransomware attacks involve holding a victim's data or device hostage, with a threat to keep them locked until a ransom is paid. 

What is the most common attack for ransomware?

The most common types of ransomware attacks have historically been Locker and Crypto. 

What are the two main types of ransomware?

There are two main types of ransomware: crypto-ransomware and locker ransomware.

What is the 3-2-1 rule for ransomware?

The 3-2-1 Rule is a data backup strategy that suggests keeping three copies of your data, stored on at least two different types of media, with one copy stored off-site. 

  • Always keep three copies of your data: the original and two backups.
  • Use two different media types for data storage.
  • Keep a backup copy off-site to ensure data safety.
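As an added illustration (not part of the original post), the following Python checks a backup inventory against the three conditions of the 3-2-1 rule exactly as stated above; the `BackupCopy` record and the sample inventories are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset in a backup inventory (constructed for this example)."""
    label: str
    media: str             # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool          # stored at a different physical site than the original
    is_original: bool = False


def check_3_2_1(copies):
    """Evaluate each 3-2-1 condition separately and return {condition: holds}.

    Three copies  = the original plus at least two backups.
    Two media     = the copies span at least two distinct media types.
    One off-site  = at least one *backup* copy (not the original) is off-site.
    """
    originals = [c for c in copies if c.is_original]
    backups = [c for c in copies if not c.is_original]
    media_types = {c.media for c in copies}
    return {
        "three_copies": len(originals) == 1 and len(backups) >= 2,
        "two_media": len(media_types) >= 2,
        "one_offsite": any(c.offsite for c in backups),
    }


def failed_conditions(copies):
    """Names of the 3-2-1 conditions the inventory does not satisfy."""
    return [name for name, ok in check_3_2_1(copies).items() if not ok]


def compliant(copies):
    return not failed_conditions(copies)


# Constructed sample inventories.
GOOD = [
    BackupCopy("file-server", "disk", offsite=False, is_original=True),
    BackupCopy("nightly-tape", "tape", offsite=False),
    BackupCopy("cloud-bucket", "object-storage", offsite=True),
]
# Three copies, but all on disk and all in the same building: a single
# incident (or ransomware that also encrypts the backups) can take them all.
SAME_SITE_SAME_MEDIA = [
    BackupCopy("file-server", "disk", offsite=False, is_original=True),
    BackupCopy("nas-mirror", "disk", offsite=False),
    BackupCopy("usb-drive", "disk", offsite=False),
]

if __name__ == "__main__":
    print("GOOD:", failed_conditions(GOOD))                        # []
    print("SAME_SITE_SAME_MEDIA:", failed_conditions(SAME_SITE_SAME_MEDIA))
```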

What are the top 3 causes of successful ransomware attacks?

The top three causes of successful ransomware attacks are:

  • Social engineering and phishing: 98% of all cyber-attacks are attributed to social engineering.
  • Remote Desktop Protocol (RDP) and credential abuse: In an RDP attack, cybercriminals exploit unsecured Remote Desktop Protocol (RDP) to gain access to enterprise networks.
  • Exploitable third-party vulnerabilities: As businesses increasingly rely on third-party vendors and service providers for various aspects of their operations, the need to manage and minimize the risks associated with these tools becomes more important.
