What is Ransomware? Types & Real-Life Examples

8 Examples of Dangerous Ransomware
Written by Eric Cisternelli
Sr. Digital Marketing Manager

Ransomware remains an enduring and evolving threat, consistently impacting critical sectors such as healthcare and even electoral processes. Over time, various reports have highlighted the prevalence and adaptability of this malicious software. Instances of ransomware attacks have been a concern for years, with significant increases observed across industries. This ongoing trend underscores the importance of understanding vulnerabilities within organizations to safeguard against potential attacks.

What is Ransomware?

Ransomware is a type of malware that encrypts data and files within an organization’s IT environment or locks users out of their devices, then demands a ransom payment in exchange for restoring access to the computer or the data stored on it. Most ransomware variants work by encrypting valuable files stored on an infected machine using an encryption key known only to the attacker. To reverse the encryption and restore access to their data, victims must pay the ransom to receive that key.

Ransomware has become a prolific malware variant because it is successful and profitable. Ransom demands in the millions of dollars are common, and victims often pay the ransom to gain access to critical data. As a result, ransomware groups have ample funding to attract new talent and improve their tools and techniques.

Over the past few years, ransomware attacks have grown more numerous, sophisticated, and costly to their victims. Protecting against ransomware attacks is vital to an organization’s bottom line and ability to remain in business.

What can ransomware do?

Financial loss is only one impact of ransomware. Data obscuration, which occurs when the ransomware encrypts the victim’s data, can result in significant business disruption for days, weeks, or months. Aside from the immediate losses, businesses also incur the cost of incident response, digital forensics, regulatory fines, and legal and PR counsel resulting from long-term damage to a company’s reputation. In the healthcare sector, ransomware can even have deadly consequences.

How Does Ransomware Work?

Ransomware is designed to make money for cybercriminals by forcing victims to pay to regain access to their lost data. Ransomware works by encrypting data using a key known only to the attackers. With modern encryption algorithms, it is computationally infeasible to restore encrypted data without knowledge of the key, so cybercriminals can sell victims the decryption key for their own data.

Ransomware gains access to a computer like any other malware. It might be distributed via a phishing email, the attackers may leverage compromised credentials to log in via a VPN, or exploitation of an unpatched vulnerability may allow malware to be planted on a device. Once installed, the ransomware can do its job in a couple of ways:

  1. The better-known approach to ransomware involves targeted encryption of files. The ransomware searches for certain types of files (such as documents) and encrypts each file individually. This allows them to deny access to a user’s files without running the risk that the computer breaks if the wrong system file is encrypted.
  2. The other main approach to ransomware is to encrypt the Master Boot Record (MBR). The MBR is a map of the layout of the computer’s storage. If the MBR is encrypted, the computer can’t find the operating system or any other files on the system.

Regardless of its approach to encryption, the ransomware follows up by presenting a ransom demand to the user. Often this appears as a text file saved alongside encrypted files or a changed background image. The ransom demand includes the amount of cryptocurrency to be paid, where and how to pay the ransom, and potentially information for “customer support”.
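As an added example (not code from the original article), here is a small Python detector for the behaviour this section describes: many documents rewritten with ciphertext-like content in a short burst, each renamed to a new extension, and a note dropped beside them. It runs over a constructed file-event stream; the event record layout, document extension list, note keywords, paths and thresholds are all assumptions, and the per-chunk entropy check goes one step further than the text by also catching files where only part of the content is encrypted.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class FileEvent:               # constructed telemetry record, not a real sensor format
    ts: float                  # seconds since monitoring started
    op: str                    # "write", "rename" or "create"
    path: str                  # path acted on (the old path for a rename)
    new_path: str = ""         # destination of a rename
    data: bytes = b""          # bytes written, for write/create

DOCUMENT_EXTS = {".docx", ".xlsx", ".pdf", ".jpg"}  # the "certain types of files" the text mentions
NOTE_KEYWORDS = ("decrypt", "restore", "readme")    # words commonly seen in ransom-note filenames

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def max_chunk_entropy(data: bytes, chunk: int = 512) -> float:
    """Highest entropy of any chunk. Whole-file entropy stays low when only part of a
    file is encrypted, but the encrypted region still stands out chunk by chunk."""
    return max((shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)), default=0.0)

def _max_in_window(times, window):
    """Most timestamps falling inside any `window`-second span starting at one of them."""
    return max((sum(1 for t in times if 0 <= t - start <= window) for start in times), default=0)

def detect(events, window=10.0, min_files=5, entropy_threshold=7.0):
    """Map directory -> alert where documents were rewritten as ciphertext in a burst."""
    state = defaultdict(lambda: {"enc_times": [], "renamed": 0, "note": False})
    for ev in sorted(events, key=lambda e: e.ts):
        directory, name = ev.path.rsplit("/", 1)
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        st = state[directory]
        if ev.op == "write" and ext in DOCUMENT_EXTS and max_chunk_entropy(ev.data) >= entropy_threshold:
            st["enc_times"].append(ev.ts)
        elif ev.op == "rename" and ext in DOCUMENT_EXTS:
            if "." + ev.new_path.rsplit(".", 1)[1].lower() not in DOCUMENT_EXTS:
                st["renamed"] += 1                  # document renamed to a foreign extension
        elif ev.op == "create" and ext == ".txt" and any(k in name.lower() for k in NOTE_KEYWORDS):
            st["note"] = True                       # a note dropped alongside the files
    alerts = {}
    for directory, st in state.items():
        burst = _max_in_window(st["enc_times"], window)
        # one compressed document is high-entropy too, so a single write never alerts on its own
        if burst >= min_files or (burst >= 2 and st["note"]):
            alerts[directory] = {"files_encrypted": burst, "renamed": st["renamed"], "ransom_note": st["note"]}
    return alerts

CIPHERTEXT_LIKE = bytes(range(256)) * 2              # constructed: entropy exactly 8.0, stands in for ciphertext
PARTIALLY_ENCRYPTED = CIPHERTEXT_LIKE + b"A" * 3584  # constructed: only the first 512 bytes look encrypted

def build_sample_events():
    """Constructed event stream: one encryption burst plus two benign saves."""
    events = []
    for i in range(6):
        p = f"/home/alice/docs/report{i}.docx"
        events.append(FileEvent(100.0 + i * 0.5, "write", p, data=PARTIALLY_ENCRYPTED))
        events.append(FileEvent(100.1 + i * 0.5, "rename", p, new_path=p + ".locked"))
    events.append(FileEvent(103.5, "create", "/home/alice/docs/HOW_TO_DECRYPT.txt", data=b"..."))
    events.append(FileEvent(200.0, "write", "/home/alice/finance/budget.xlsx", data=CIPHERTEXT_LIKE))
    events.append(FileEvent(300.0, "write", "/home/alice/notes/todo.txt", data=b"buy milk\n" * 40))
    return events
```

Running `detect(build_sample_events())` flags only `/home/alice/docs`; the lone high-entropy spreadsheet save in `/home/alice/finance` stays quiet because a single compressed document is indistinguishable from ciphertext by entropy alone.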

Other ways ransomware works

Many ransomware variants exist, and different ransomware groups use different techniques to extort their victims. Ransomware operators are increasingly supplementing their attacks with data theft or the threat of distributed denial of service (DDoS) attacks. By threatening to leak sensitive information, threatening a DDoS attack, or directly extorting a victim’s customers, the attacker increases their leverage and the probability of receiving a ransom payment.

Some ransomware groups also operate under an “affiliate” model where a ransomware developer distributes their malware to affiliates who infect victims’ machines with it. Under this model, profits are shared between the ransomware developer and the affiliates. This model enables ransomware operators to have their malware distributed to more targets, increasing overall ransom payments.

Who is a Target for Ransomware?

The modern ransomware attack is highly targeted. Ransomware groups carefully research potential targets to determine how to infect them and the maximum ransom that they can demand with an expectation of being paid.

While any organization can be a target of ransomware, certain organizations are more tempting targets than others. In addition to the ability to pay large ransoms, ransomware operators commonly target organizations that are more likely to pay the ransom quickly. For example, hospitals need access to their data to treat patients, so they have a greater incentive to pay a ransom demand quickly.

Ransomware groups’ tactics and targets change over time, and they benefit from the fact that it is difficult to attribute cyberattacks and pursue legal action against attackers. While a ransom note may state which group is behind an attack, the identity of the group’s members and their affiliates is hard to determine.

What Makes Ransomware so Widespread?

The answer comes down to money and time. Ransomware attacks are significantly faster and cheaper to carry out than many other cybercrime models and have a much higher payout. Take a banking trojan operation for example.

Before ransomware, banking trojans were the most common form of malware. The banking trojan business model is extremely complex and requires many people to play many roles. The money-laundering scheme it depends on limits profit because the operators have to split the earnings with everyone else involved in the cash-out. The business model that ransomware follows has several benefits over banking trojans and other forms of malware:

  1. It’s easier to launder cryptocurrencies than to launder traditional money. If the funds aren’t withdrawn right away, the fluctuation of Bitcoin could make the ransom even more valuable.
  2. Since fewer people are involved in the operation, the bad actors don’t have to split the stolen currency.

The rewards speak for themselves. The Verizon 2021 Data Breach Investigations Report found that the median ransom paid in 2020 was $11,150 but ran as high as $1.2 million. With such a great potential to earn money, so-called “ransomware gangs” have become more organized. Many of their members have different roles and specialize in specific ransomware attack methods, which helps these groups maximize their potential gains.

Why are ransomware attacks increasing?

Ransomware attacks are a growing threat for a few reasons, including malware availability, cross-platform technological advancement, and new, effective techniques that generate profit for ransomware groups:

  • Malware Availability: The ransomware affiliate model and the availability of malware kits make it easy to gain access to high-quality malware.
  • Technological Advancement: Cross-platform interpreters and other development tools enable ransomware operators to more easily target different systems.
  • Innovative Techniques: Ransomware variants have developed new techniques to evade detection, such as encrypting the MBR or encrypting only parts of files.
  • Business Drivers: Ransomware attacks are profitable and effective, creating incentives for ransomware groups to keep operating and refining their techniques.

What Types of Ransomware Are There?

Ransomware comes in several varieties that pose different levels of risk to an infected computer. These range from scareware, which is primarily a scam, through screen lockers, to encrypting ransomware, which carries the risk of permanent data loss.

Scareware

Scareware is a form of ransomware designed to intimidate the target into taking some action. Typically, this involves locking the screen or putting up pop-ups claiming that a virus has been detected on the computer. This message will include instructions for contacting a “help desk,” which promises to fix the problem for a fee. While the offer to help clean up the virus is a scam, the computer does need to be checked and cleaned of the malware that creates the pop-up.

Screenlockers

Screen locking ransomware will lock the screen, keyboard, and mouse on a computer, making it impossible to use. This type of ransomware commonly comes with a pop-up demanding a ransom payment and showing a countdown clock designed to create a sense of urgency. While this type of ransomware is more inconvenient than scareware, it is less dangerous than encrypting ransomware. This ransomware variant does not usually encrypt files, reducing the probability of data loss.

Encrypting Ransomware

Encrypting ransomware is what most people think of when they hear ransomware. Encrypting ransomware will encrypt files or the MBR on a victim’s computer and demand a ransom payment in exchange for the decryption key. This is the most dangerous type of ransomware because there is the potential that data may be lost forever whether or not the target decides to pay the ransom.

Within these types of ransomware, there are a handful of primary pathways that cyber criminals use to deliver the ransomware. Learn more about the 7 most common ransomware attack vectors.

Many different ransomware variants exist, and new ones are discovered on a regular basis. However, some variants stand out from the crowd due to the scope and impact of their attack:

  1. REvil/Sodinokibi: The REvil ransomware variant is one of the most famous in existence. This ransomware variant first emerged in 2019 and was responsible for high-profile attacks such as the Kaseya and JBS hacks. It also was the most prolific ransomware variant in existence and demanded some of the highest ransoms to date. However, the fame of REvil also led to its downfall. In October 2021, a multi-national coalition took action against the malware, seizing its servers and forcing it offline. The following month, the US government indicted two alleged members of the group.
  2. Ryuk: Ryuk is another extremely expensive ransomware variant. A Ryuk ransomware attack carries a demand of over $1 million on average. This ransomware variant is highly targeted, focusing on large organizations that have the ability to meet these large demands. Ryuk ransomware is one of the variants that took advantage of the switch to remote work in the wake of the COVID-19 pandemic. Its operators commonly take advantage of compromised credentials to log into enterprise networks via RDP or distribute the malware via spear-phishing emails.
  3. LockBit: LockBit is a ransomware variant that began its attacks in September 2019. A few months later, in January 2020, it began a Ransomware as a Service (RaaS) affiliate program, recruiting other cybercriminals to distribute its malware. LockBit also operates a data leak site, providing it with additional leverage when demanding ransoms from its victims. In June 2021, LockBit was updated with a new version 2.0. A couple of months later, in August 2021, Accenture reported a data breach and ransomware infection by LockBit that included a $50 million ransom demand.
  4. DearCry: DearCry is a relatively new ransomware variant that emerged in April 2021. It was developed to take advantage of a set of four critical vulnerabilities in Microsoft Exchange Server that Microsoft publicly reported and released patches for that month. DearCry differed from most ransomware variants in that it didn’t include a cryptocurrency payment address in its ransom demand. Instead, victims were instructed to contact the operators directly via one of two email addresses.

7 Important Ransomware Examples

These ransomware examples indicate just how important it is to pay attention to how your organization could be vulnerable. Not every example of ransomware is financially motivated — some are primarily intended to cause an operational disruption on a network. Below are seven real-life ransomware examples that are regularly used — and extremely dangerous.

Financially-motivated ransomware examples:

  1. Locky: Locky first appeared in February 2016 and has become one of the most widely distributed ransomware examples. In late 2016 it became so widespread that it was named one of the three most common forms of malware, and Locky is still distributed through email campaigns today.
  2. Troldesh: Troldesh is mostly distributed in Russia and European countries. It is not prevalent in the U.S.
  3. “Ransomware as a Service” (RaaS) examples: GlobeImposter, Philadelphia, and Cerber.

While some cyber criminals make and distribute their own ransomware, others have begun to provide a software package—complete with ransom note customization—to other cybercriminals for a fee.

Disruption-motivated ransomware examples:

Interestingly, some of the biggest ransomware examples are believed to be motivated by operational disruption or systemic harm, not financial gain. Two recent attacks used a single Bitcoin wallet to collect ransom, placing greater emphasis on the disruption itself rather than payment collection. This tactic also makes it impossible for the distributor to know which victims paid the requested ransom.

  1. WannaCry: WannaCry is a wormable ransomware that spreads on its own from machine to machine. Interestingly, it only collected a bit over $100,000 total, quite a small sum considering its global spread. Between May 12 and May 15, 2016, WannaCry was observed on over 160,000 unique IP addresses. The ransomware example hit telecommunications and technology companies the hardest, but those in the insurance industry saw their Bitsight rating drop the most due to the WannaCry attacks.
  2. NotPetya: NotPetya used a compromised accounting software provider as its initial point of distribution and impacted many Ukrainian companies. But NotPetya didn’t stop in Ukraine. Multinational companies with arms in Ukraine were compromised during the ransomware example as well.

NotPetya also impacted the bottom line of some large companies, even though it wasn’t a financially motivated ransomware example. According to an Insurance Journal article, “Package delivery company FedEx Corp. said a [NotPetya] attack on its Dutch unit slashed $300 million from its quarterly profit, and the company lowered its full-year earnings forecast. The company said the cyber attack slashed 79 cents per share from its profit.”

Ransomware Examples by Industry

The following examples show the pervasive and potentially catastrophic risk that organizations in almost every industry must address:

Energy & Utilities sector

One of the most costly and disruptive incidents of recent times is the Colonial Pipeline ransomware attack. Believed to be the largest-ever attack on an American energy system, hackers disrupted fuel supply across the East Coast for days until a $4.4 million ransom was paid (although the Department of Justice later seized the funds).

The attack was attributed to DarkSide, a relatively new RaaS group first discovered in August 2020. According to CISA, DarkSide explicitly targets large, high-revenue organizations, stating that their goal “is to make money [not create] problems for society.” The group’s ransom requests range from $200,000 to $2,000,000 – although history has shown that they are open to negotiation! In addition to the pipeline attack, DarkSide recently announced three more victims, including a Scottish construction company, a renewable energy product reseller in Brazil, and a technology services reseller in the U.S. The hackers stole client, employee, and financial data.

Bitsight research suggests that similar attacks in the U.S. are likely: after reviewing the cybersecurity performance data of more than 2,000 U.S.-based oil and energy companies, we found that 62% are at heightened risk of a ransomware attack.

Healthcare sector

Another vulnerable and lucrative target for hackers is healthcare. Since 2009, there have been over 3,000 healthcare data breaches in the U.S. medical industry. Notable incidents in recent years include NotPetya attacks against drugmaker Merck and Heritage Valley Health Systems (both in 2017), the latter resulting in postponed surgeries. In September 2020, major healthcare provider Universal Health Services experienced a ransomware attack resulting in widespread computer systems failures. And, in May 2021, Ireland’s health service suffered a ransomware attack forcing a shutdown within its IT infrastructure.

Public sector & Education

Hackers also have the public sector and education institutions in their sights. In 2020, 33% of cyberattacks on government agencies were ransomware, disrupting missions and public services and creating a national security risk. Schools are also fast becoming a leading target.

Supply chains

Supply chains are an emerging vehicle for ransomware. In July 2021, the REvil ransomware group attacked Kaseya, a Florida-based software provider of a widely used remote monitoring and management solution. The attack impacted Kaseya, its customers, and companies that outsource IT management to Kaseya. Hackers requested $70 million in payment.

These sectors are not alone. Manufacturing companies, financial services, retailers, and others are also vulnerable to the mounting ransomware threat.

Why Shouldn’t You Just Pay the Ransom?

If your organization is hit by a ransomware attack, the immediate question is usually “Should we pay?” We — along with the No More Ransom Project and various governmental agencies — do not recommend paying the ransom. Paying simply confirms the ransomware business model and encourages the cycle to continue.

Paying the ransom may seem like the easiest solution to a ransomware attack, and this is exactly what ransomware groups want their victims to think. However, there are several reasons why paying the ransom can only make things worse. Besides funding criminal activity, you may not get a decryption key to recover your data, and you may even put a target on your back that leads to further ransom demands.

  1. You May Not Get a Decryption Key: Many businesses choose to pay the ransom because they need access to that data, and paying is seen as the fastest and easiest way to regain it. However, ransomware victims must pay the ransom before they get a key, and they are making a deal with the exact same criminals who infected their networks with malware and are extorting them. When paying a ransom, there is no guarantee that the attacker will hold up their end of the deal and provide a working key.
  2. You Might Get Ransom Demands Repeatedly: Ransomware operators demand a certain ransom in exchange for the decryption key for an organization’s data. However, nothing binds them to that deal. After an organization pays a ransom for their data, no one is forcing the ransomware group to provide a decryption key that works on all of their encrypted data. The attackers may string their victims along, demanding more and more money before handing over a key. If a company has paid a ransom, they’re likely to be willing to pay a bit more to “ensure” that initial payment wasn’t wasted.
  3. You May Be Putting a Target on Your Back: Ransomware operators perform in-depth research to identify victims that are able and likely to pay large ransoms to regain access to their data. By paying a ransom, an organization signals that it is willing to pay the attackers to regain access to their data, demonstrating that they are a ransomware group’s ideal target. Many organizations that are the victim of a ransomware attack are targeted again in the future because they’ve shown that they are willing to pay.
  4. You Fund Criminal Activity: Ransomware attacks are extremely popular among cybercriminals because they are effective and profitable. Ransomware gangs can make millions of dollars from a single successful attack if the victim pays their ransom demand. By paying a ransom, a ransomware victim funds the attacker’s activities and demonstrates that ransomware attacks continue to be a profitable business venture. As long as these attacks remain profitable, ransomware operators have no incentive to stop.

Next Steps: How to Prevent Ransomware

After reviewing the different types and examples of ransomware, read more about best practices on how to prevent and protect your organization from ransomware attacks.

Law enforcement has had a difficult time fighting ransomware because of the sheer volume of ransomware examples in operation, and the fact that the operations themselves are difficult to track. The No More Ransom Project — founded in 2016 by the Dutch Police, Europol EC3, Kaspersky, and McAfee, in partnership with over 100 other organizations worldwide — has helped decrypt tens of thousands of devices and is also helping to educate individuals and organizations about ransomware.