In recent years, we've seen a rise in ransomware victims: Apple in 2021, Uber and Continental in 2022, and VMware in 2023.
No matter what, facts have shown that no one is safe from this cyber attack. That’s why, in 2023, it is super important to know the different types of ransomware and how to prevent their damage.
After reading this article, you’ll learn the following:
- What ransomware is and how it works
- Can ransomware encrypt encrypted files?
- 7 (+1) different types of ransomware IT leaders must know
- What Ransomware as a Service is and why it’s becoming so popular
- 24 famous ransomware attack examples (and their damage)
- 5 major ransomware attacks that recently happened
- A 5-step ransomware prevention checklist
What is ransomware, and how does it work?
Ransomware is malicious software that encrypts a victim's files. The attacker then demands a ransom payment from the victim to decrypt data. To create urgency, it can also threaten to publish (e.g., Ryuk) or delete (e.g., Jigsaw) critical information.
Ransomware starts with installing the ransomware on the victim's device, either through phishing emails, malicious advertisements or by exploiting vulnerabilities in unpatched software.
Related reading: What is ransomware? 4 main types and a practical guide to restoring files encrypted by ransomware in 2023
It is important to note that paying the ransom will not guarantee getting your data back. Sometimes, the attacker may not provide the decryption key even after receiving the payment. Moreover, paying the ransom may encourage attackers to continue their malicious activities and target other victims.
Can ransomware encrypt encrypted files?
One question that often arises is whether ransomware can encrypt encrypted files and what implications this has for data security.
The short answer is: 'yes, hackers can install their encryption on top of your security layer and make your data inaccessible.'
Yet, the practice of encrypting files for prevention is still highly recommended. The reason is the rise of the double extortion threat: a type of ransomware that encrypts your file and exfiltrates your data. This way, it will urge to pay, because if you don’t, it will publish all your confidential information.
Let’s now get to know 7 (+1) different types of ransomware every business leader should know.
Related reading: Does ransomware steal data? (And the cost of it)
7 (+1) different types of ransomware IT leaders must know
Understanding the different types of ransomware can help IT managers, CTOs, and developers effectively respond to and prevent attacks.
1. Encryption ransomware: This threat encrypts your data and asks for payment to give you back access. This ransomware spreads through malicious emails, websites, and downloads and can infect shared, networked, and cloud drives. A well-known example of encryption ransomware is WannaCry, which affected hundreds of thousands of computers in over 150 countries in 2017.
2. Locker ransomware: This attack will block your system entirely. A pop-up on the victim's screen may appear, claiming that the computer has been infected with a virus or has been used to visit illegal websites and demanding payment to unlock it.
3. Double extortion ransomware: The attacker encrypts files and exports data to blackmail the victim into paying a ransom. The attacker threatens to publish stolen data if their demands are unmet, even if the victim can restore their data from a backup. An example of double extorsion ransomware is Ryuk, which targeted several large companies in the United States and Europe in 2019 and 2020.
Related reading: How does ransomware get in? 7 attack vectors companies should know
4. Leakware: Unlike double extorsion, this ransomware threatens to publish sensitive data stolen from the victim's computer or network if the ransom is not paid — without encrypting any file.
5. DDoS Ransomware: DDoS ransomware is a type of ransomware that targets servers and network infrastructure. It works by launching a Distributed Denial of Service (DDoS) attack against the target, making its systems and services unavailable to users. The attacker then asks for money to stop the attack and restore access. An example of DDoS ransomware is Armada Collective, which targeted several high-profile companies in 2016.
6. Scareware: This type of malware typically displays pop-up ads or alerts claiming that the computer is infected with viruses or other threats and offering to clean up the problems for a fee. An example of scareware is Antivirus Pro 2010, which infected computers through malicious ads and pop-ups.
7. MBR ransomware: This threat infects the Master Boot Record (MBR) of a computer's hard drive, making the operating system inaccessible until the ransom is paid. One notable example of MBR ransomware is Petya, which first appeared in 2016 and quickly gained notoriety for its ability to spread rapidly and cause widespread damage.
And not only these scary 7. In the next section, we'll look at a rising, paradoxical model where cybercriminals sell their ransomware service as a SaaS product.
What is Ransomware as a Service? (And why it’s becoming so popular)
Ransomware as a Service (RaaS) is a growing trend in the cyber criminal world. This business model enables individuals or groups without technical skills or resources to launch a successful ransomware attack in exchange for a percentage of the ransom payment. The RaaS provider typically offers a complete package of tools, services, and support, including malware, a payment platform, and support.
Another danger posed by RaaS is the reputation aspect. Ransomware groups often refer to their activity as "business" and view their victims as "customers." As such, they have a reputation to defend and may use it as leverage to negotiate a higher ransom demand or to carry out additional attacks if their needs are not met.
24 famous ransomware attack examples (and their damage)
Different types of ransomware have become increasingly common in recent years. Some famous examples of attacks include Petya, Ryuk, and WannaCry. This section will discuss these 24 attacks and the damage they caused.
#1 Petya and NotPetya
First discovered in 2016, Petya is an MBR ransomware type. It operates by infecting the master boot record of a computer’s hard drive, making the operating system inaccessible. Initially used in 2017 for a massive cyberattack against Ukraine, it quickly spread worldwide, causing more than $10B in damages.
Petya later evolved into NotPetya: one of the most destructive ransomware in history, capable of spreading around computers and networks — without human intervention for phishing or other kinds of initial access. Also, NotPetya is famous for going beyond attacking the master boot of record and encrypting everything.
#2 Wannacry/Wannacrypt0r ransomware
WannaCry is an encryption ransomware that first appeared in May 2017. WannaCry is famous for encrypting all the data in Windows operating systems and demanding a ransom to provide the file back. WannaCry attacks have affected 300,000+ computers in 150 countries, with a total damage of more than 100,000,000,000$.
#3 Cryptolocker
Likewise, Wannacry ransomware, Cryptolocker encrypts all data of infected computers. It first appeared in September 2013, asking victims to pay the ransom to get their data back. Numerous reports state that Cryptolocker ransomware extorted $27M in total.
Related reading: The ultimate guide to CryptoLocker prevention
#4 Ryuk ransomware
First appeared at the end of 2018, Ryuk is a double-extorsion ransomware. Similarly to encryption ransomware, it encrypts all its victim's data — yet, it gained fame thanks to its ability to exfiltrate information and create FOMO in the victim to pay the ransom. If the demand is unmet, it will publish all confidential data. United Health Services estimated that the attack it got from Ryuk ransomware in 2020 cost $67M.
#5 Ransomware SamSam
Released in 2016, SamSam ransomware uses remote desktop brute-force attacks to pry into passwords as initial access. Once it enters the system, it encrypts everything: from data to applications, sometimes even removing them. This cyber attack made over $6M and impacted their victims by approximately $30M (US Department of Justice).
#6 GandCrab
Discovered in 2018, GandCrab is an encryption ransomware family. Since the launch, its authors claimed to have brought $2B+ in ransom payment, and declared 'it was time for a well-deserved retirement.'
#7 Cryptowall
Cryptowall first appeared in 2014, and went through several iterations, making it more and more dangerous. It has raised $325M+ in revenue for its creator.
#8 Ransomware Dharma (CrySiS)
Ransomware Dharma, also known as CrySiS, is a trojan encryption ransomware. Unlike classical ransomware, Dharma enters the victim's computer with legitimate software used as a camouflage shield. It, then, encrypts every file added to the directory by adding a suffix [bitcoin143@india.com].dharma. Dharma, on average, asks $42,900 to give back access to files.
#9 Ransomware Maze
First appeared in 2019, Ransomware Maze is a double extortion ransomware. Unlike traditional attacks, Maze encrypts critical data and threatens the victim to publish them if they refuse to pay the ransom. In 2020, Maze infected Canon, Xerox, and LG Electronics, stealing 10TB+ of data and confidential source codes.
#10 Locky ransomware
Locky ransomware is encryption ransomware. It's famous for the variety of files it can encrypt: from documents to source code — wasting your computer. Its typical initial access is via phishing email attachment on an email that apparently looked unreadable. The whole Locky ransomware campaign is estimated to generate $7.8M+ in revenue.
#11 BitPaymer
Initially identified in 2017, BitPaymer mainly targeted medical institutions, locking all their data and asking for payment between $500 and $1500 in cryptocurrencies. Its popularity gave rise to even more dangerous types of ransomware like DoppelPaymer.
#12 DoppelPaymer
Raised in April 2019 with a way to operate similar to BitPaymer, DoppelPaymer encryption ransomware origins belong to the Dridex malware family. Unlike BitPaymer, this new ransomware has different command-line parameters to avoid being detected easily. The average ransom demand ranges between $25,000 and $1.2M.
#13 Jigsaw ransomware (BitcoinBlackmailer)
Jigsaw first entered the hacker scene in 2016. This is how it works: first encrypts all data (Windows-only computers!), then a countdown starts. If the ransom is not paid within the first hour, the first file will be deleted, and the demand will increase. After the first 60 minutes deadline, the number of files deleted will increase exponentially.
#14 NetWalker
Netwalker became famous in 2020 by leveraging a Ransomware-as-a-Service model. This means that the creator (i.e., Circus Spider) provides affiliates with all the support and tools they need to profit from this cyber attack. Like Maze, Netwalker is a double extortion ransomware: it encrypts data and leverages the threat of publishing it to make urgency on the ransom payment. Netwalker is among the top ransomware strain by revenue, with $46M+ funds.
#15 Cerber ransomware
Like Netwalker, also Cerber leverages a Ransomware-as-a-Service model, $2.3M is the annual revenue generated by this encryption ransomware.
#16 Bad Rabbit
Bad Rabbit is a Petya and WannaCry variant that rose in 2017. Unlike the two ransomware strains mentioned above, Bad Rabbit is a locker ransomware that encrypts data and the whole system and servers. It became famous by spreading a fake Adobe Flash update. Bad Rabbit demands approximately $280 in cryptocurrency within 40 hours.
#17 MedusaLocker
MedusaLocker is an encryption ransomware that threatens the victim to publish the data, but there is no evidence of its capability of actually doing that action. MedusaLocker leverages the Ransomware as a Service model.
#18 Reveton (aka FBI Virus or Police Trojan)
Reveton became popular in 2012 as a password stealer. It then evolved into locker ransomware, popping up in the victim's pc as a 'police agency' and asking to pay a fine to unlock the system and avoid arrest. Between 2012 and 2014, it generated $400,000 per month.
#19 Teslacrypt
First identified in 2015, Teslacrypt is ransomware famous for encrypting gaming files: from saves to replays. In 2016, it was shut down, and the master decryption key was released.
#20 AIDS trojan (aka PC Cyborg virus)
AIDS trojan is the first ransomware ever to appear in history. It was spread via floppy disk directly mailed to the victim with the name 'AIDS Information Introductory Diskette.' Once it enters the system, this ransomware counts the time a particular file is executed, and after overcoming an established threshold, the file becomes encrypted.
#21 SimpleLocker
SimpleLocker is a locker ransomware that encrypts data and locks the whole system. As reported by BBC, SimpleLocker is the first case of ransomware encrypting Android devices.
#22 Troldesh
Troldesh is a double extortion ransomware: encrypting data and stealing them. Numerous are the targeted file extensions of this cyber attack.
#23 ZCryptor
ZCryptor is 50% ransomware and 50% worm, which encrypts data while copying it into external media. It usually targets Windows systems, masquerading as an installer of Adobe Flash or other popular programs.
Now that we’ve analyzed the 24 most famous ransomware attacks (and their damage), let’s dive into real life and see what happened recently in the news.
#24 Medusa ransomware
Not to be confused with MedusaLocker, Medusa is a double extortion ransomware, born in 2021 and is gaining popularity in 2023. Its specialty is to encrypt with a combination of AES-256 and RSA-2048 and then publish victims' sensitive data in its Medusa Blog. Cybersecurity360 reported its ability to terminate over 280 Windows services and processes, including e-mail, databases, antivirus, and backups. In addition, it can eliminate shadow copies to complicate file recovery. In February 2023, as Pierguido Iezzi (Cybersecurity Director and CEO, Swascan) stated, Medusa hit 17 different targets.
5 major ransomware attacks that recently happened
So far, we've seen different types of ransomware, the most famous examples of ransomware attacks, and the damage attached. Let's now see some major real-life examples: from the attack on Apple to the most current VMware exploitation.
#1 VMware global ransomware attack
At the beginning of February 2023, 1,000+ servers globally went offline due to a major ransomware attack. The attack was linked to two-year-old VMware vulnerabilities.
There were many summits and discussions throughout the day to understand the attack's impact. According to Alessandro Longo, Director of Cybersecurity360 — the primary reference for Italian IT leaders, known vulnerabilities of VMware were attacked.
The Italian government, for example, immediately convoked national cybersecurity intelligence to figure out how to restore the hundreds of public services that went offline due to the attack.
In the subsequent weeks, the attack didn't stop.
#2 Colonial Pipeline
On May 7th 2021, a ransomware attack linked to the DarkSide Group completely froze the operations of the giant Colonial Pipeline. The initial attack vector is not known.
Colonial Pipeline faced the threat of a double extorsion ransomware of publishing confidential data. And, indeed, it was forced to pay $4M+ to get a decryption tool and its business continuity back.
Related reading: How to decrypt files encrypted by ransomware (free, 6-step process)
#3 Yum! The fast food operator of KFC, Pizza Hut, and Taco Bell
At the beginning of January 2023, a ransomware attack was forced on Yum! and caused the closure of 300 selling locations of its brands KFC, Pizza Hut, and Taco Bell.
Although not 100% certain, this ransomware attack was a double extortion that put at risk of stealing databases, confidential data, and systems of this brand operator.
#4 Uber, Continental, and the rise of Lockbit 3.0
2022 saw the rise of the Lockbit ransomware gang.
In fact, according to NCC Group, the attacks by this group accounted for 40% of all ransomware incidents that happened in August 2022.
In 2022, it first attacked Uber and GTA 6 and later targeted juicy enterprises like Continental: encrypting data and threatening to publish it.
At the beginning of February 2023, the LockBit group targeted Royal Mail with a double extortion attack.
#5 $50M ransomware attack on Apple supplier
In April 2021, the Russian ransomware group REvil carried out a double extorsion attack against Apple supplier Quanta.
The goal of this activity was to block Apple's production and make the company pay the ransom since there was a threat to publish critical data.
In 2016, Apple declared itself as the 'most effective security organization in the world.' This attack points out how it's vital never to lower the blind.
5-step ransomware prevention checklist
As we've seen in the previous section, no one can consider herself safe from ransomware attacks (not even Apple!).
That's why it's essential to apply the best practice in terms of prevention and know how to get rid of ransomware once it gets into your system.
Below are the 5 best practices for ransomware prevention:
1. Implement immutable, versioned backups: So backups can't be modified, and you always have multiple versions.
2. Keep software up-to-date: To avoid attacks like the one that happened to VMware servers.
3. Adopt a 3-2-1 backup strategy: Create three copies of your data, store them in two different media, and keep one copy offsite.
Related reading: 6 backup strategy solutions for ransomware data recovery in 2023
4. Leverage Veeam forever incremental backup: A technique used by Veeam to ensure quick and efficient recovery from ransomware. Learn more about it in this article.
5. Use encryption: To avoid double extortion attacks and threats of data stealing.
If you want to learn more about how to prevent a ransomware attack and how to get rid of it once it happens, check out this article.
Conclusion
This article has seen different types of ransomware and the most famous examples of attacks. Finally, we've considered 5 best practices to prevent ransomware damage.
The takeaway should be: in 2023, no one is safe from this threat, but everyone has all the tools to protect their company and minimize the damage. Everything begins with knowing your enemy.
Cubbit offers a solution to accelerate ransomware data recovery with its geo-distributed, secure, S3 compatible, and immutable object storage.
Each stored data is encrypted, micro-fragmented, and geo-distributed in multiple copies in a peer-to-peer network under user control. Cubbit provides a simple and S3 compatible UX, making it easy to switch from AWS to Cubbit by changing one configuration parameter in the CLI.
Want to see Cubbt in action? You can take a look at our latest demos. Instead, if you'd like to start immediately, you can activate a free Cubbit object storage trial here.
P.S. For further questions or advice about cybersecurity and storage, we encourage you to get in touch with our team for a free 15-minute consultation. Our experts are here to help you stay protected against the constantly evolving threat of cyber attacks.