The Different Types of Ransomware

The Rising Tide of Ransomware Attacks

Ransomware has been around for decades, but, in recent years, the threat of ransomware has grown dramatically. The WannaCry ransomware outbreak in 2017 demonstrated that ransomware was a profitable attack vector, and the creation of cryptocurrencies like Bitcoin made it easy for attackers to demand and receive ransom payments.

The pandemic also contributed to the rise of ransomware as cybercriminals took advantage of the rise of remote work and the increased importance of healthcare organizations. As remote work becomes part of business as usual, the ransomware pandemic continues to grow.

Understanding the Ransomware Threat

Ransomware is an evolving threat to corporate security. The original ransomware campaigns were relatively simple. The malware was delivered via email or exploitation of a software vulnerability and encrypted files on the infected machines. If the ransom was paid, the attackers provided decryption software that enabled the victim to restore normal operations.

In the last few years, ransomware campaigns have evolved quickly. One major change is in the infection vectors used. Ransomware now mainly targets remote access solutions, exploiting VPN vulnerabilities or using compromised employee credentials to log in via RDP.

The techniques used by ransomware operators to force victims to pay the ransom have changed as well. The ability to restore from backups neutralizes the impact of data encryption, so ransomware has branched out to data theft as well. Modern ransomware operators threaten to leak stolen data if a ransom is not paid by the victim and, in some cases, their customers. Some ransomware groups also use the threat of Distributed Denial of Service (DDoS) attacks as incentive to meet their demands.

Finally, the ransomware threat has evolved due to role specialization and the creation of the Ransomware as a Service (RaaS) model for attacks. Instead of a single group developing malware, infecting organizations, and collecting ransoms, ransomware authors now distribute their malware to “affiliates” for use in their attacks. RaaS provides affiliates with access to advanced malware and enables the ransomware authors to scale their campaigns, increasing the ransomware threat.

Top Ransomware Variants

The success of ransomware has prompted many different cybercrime groups to develop their own variants. Some of the most prolific and famous ransomware variants include:

• REvil: REvil, also known as Sodinokibi, was famous for being one of the ransomware variants with the highest demands. REvil suddenly ceased operations in July 2021 after a famous attack on Kaseya.
• LockBit: LockBit ransomware is a RaaS variant that first emerged in September 2019, when it was called the ABCD ransomware (due to its .abcd file extension). In July 2021, LockBit infected Accenture, stealing internal data and encrypting servers that were later restored from backups. WannaCry: WannaCry is the ransomware variant that started the recent surge in ransomware attacks. The original variant of WannaCry used EternalBlue, an NSA-developed exploit leaked by the ShadowBrokers, to spread via vulnerable versions of Windows’ SMB.
• Conti – Conti is a ransomware-as-a-service (RaaS) group, which allows affiliates to rent access to its infrastructure to launch attacks. Industry experts have said Conti is based in Russia and may have ties to Russian intelligence.
• Ryuk: Ryuk is a very targeted ransomware variant that demands high ransoms from its victims. In July 2021, the average Ryuk ransom payment was $691,800.
• CryptoLocker: CryptoLocker is an early ransomware variant that mainly operated from September 2013 to May 2014. Operation Tovar, which took down the Gameover ZeuS botnet, largely killed this ransomware variant.
• Petya: Petya is a family of ransomware variants. Unlike most ransomware, these variants encrypt the Master Boot Record (MBR) rather than individual files.
• Locky: Locky is a ransomware variant that first began spreading in 2016. It was used by multiple different cybercrime gangs and inspired other ransomware variants.
• Bad Rabbit: Bad Rabbit was a short-lived ransomware variant that is attributed to BlackEnergy, the makers of NotPetya. Unlike NotPetya, which was a wiper masquerading as ransomware, paying the Bad Rabbit ransom enabled recovery of the encrypted files.
• DarkSide: DarkSide is a now-defunct ransomware group most famous for its attack on Colonial Pipeline in May 2021. The group is now believed to operate under the name BlackMatter.
• DearCry: DearCry is a ransomware variant developed by the HAFNIUM group to exploit the Microsoft Exchange vulnerabilities reported in March 2021.

Protect Against Ransomware with Check Point

The wide variety of ransomware variants and attack vectors can make it difficult to defend against and remove them. Protecting against one ransomware attack vector may provide no security against another.

Check Point Harmony Endpoint Protection offers market-leading ransomware detection and prevention capabilities according to the MITRE Engenuity ATT&CK Evaluations. Learn more about the ransomware pandemic and other cyber threat trends in the 2021 Cyber Attack Trends report. You’re also welcome to sign up for a free trial to see the ransomware prevention capabilities of Harmony Endpoint for yourself.