What is Ransomware? | Protection, Types & More

Katie Allison
November 15, 2024
Cyber Security, Reviews & Research

What is Ransomware?

Ransomware is software that infects devices and locks the files and information on these systems for ransom, demanding payment to restore access (although payment often still results in the loss of the information). There are several different types of ransomware that we’ll discuss below. They all share a similar goal — exploit vulnerabilities to gain access to devices or networks with sensitive information and hold them ransom for financial gain.

History of Ransomware

The first ransomware attack occurred in 1989 with the AIDS Trojan, a relatively basic and rudimentary method compared to modern variants. However, this was followed by nearly a decade of very little ransomware activity, which many experts attribute to a combination of technology, online payment options, and encryption method limitations. Unfortunately, in the 2000s, ransomware came back with a vengeance, as techniques like RSA encryption enabled malicious actors to fortify their attacks. The early 2010s saw a surge in ransomware that impersonated authority groups like law enforcement to accuse victims of illegal activities and pressure them into paying to regain access to their devices.

Modern ransomware often takes advantage of cryptocurrencies like Bitcoin and their anonymity. Further advances in encryption have made variants like CryptoLocker, WannaCry, and others far harder to crack. The ransomware space has continued to evolve into the 2020s with the rise of RaaS (Ransomware-as-a-Service), which creates formal business models around selling new ransomware platforms to cyber criminals. This has vastly expanded the availability of these dangerous systems and requires new tools that can protect against them.

Is Ransomware a Type of Malware?

Yes, ransomware is a subset of malware (malicious software). Malware is an umbrella term for any software with harmful intent. However, because of its breadth, protecting against malware often involves several different tools and practices to mitigate vulnerabilities.

Common Ransomware Categories & Variants

When it comes to ransomware, there are several different “types” that vary in their approach to locking users out of data or how they threaten victims.

Cryptoware

Perhaps the most recognizable ransomware format, cryptoware finds its way onto devices (usually through email attachments or similar methods) and begins encrypting all the files in the system. Once these are inaccessible behind the encryption, the victim is forced to pay a ransom for the decryption key, hopefully regaining access to their files. However, it should be noted that paying the ransom does not guarantee that the other end of the deal will be held up — there have been many instances where the decryption key is still withheld even after victims complied.

Scareware

As the name suggests, scareware leverages impersonation or other methods to scare the victim into paying. These often involve alarming messages, fake alerts, and aggressive pop-ups. Scareware can be more convincing to users than other methods because they typically impersonate a security or antivirus company, pushing the victim to purchase (fake) software to get rid of the malware. In some cases, purchasing the fake software is enough to remove the ransomware — but in other cases, the downloaded “protection” software further encrypts files to extort the user even more. Be wary of pop-ups and messages about “urgent threats” that prompt you to download suspicious fixes, and always verify that the cleanup software is real.

Leakware

Also known as doxware, this type of ransomware threatens to release sensitive information on the hacked device(s) to the public. This could be private, financial, or personally identifiable data. While this may apply to individuals, large institutions like hospitals or insurance companies can also fall victim to this kind of attack, with the threat often being the release of patient records and reputational harm.

Specific Variants

Within these categories, several ransomware variants have become well-known for their impact or reputation.

CryptoLocker

One of the earliest and most infamous ransomware variants, CryptoLocker was first seen in 2013 and was largely spread through phishing emails with malicious attachments. As you may have guessed from the name, it used a cryptoware format, encrypting a victim’s files and demanding a ransom payment to get them back. CryptoLocker is largely credited with popularizing ransomware at a global scale, particularly when it comes to anonymous cryptocurrency payments. The largest attack using this variant happened over the course of eight months, from September 2023 to May 2024, targeting Windows computers. While this instance of CryptoLocker was isolated and taken down, other ransomware strains have continued to use the name.

BlackCat

Created by a group of Russian-speaking cybercriminals, this ransomware started appearing in 2021. Since then, it’s become one of the most active forms of ransomware, even spinning off new variants like Sphynx. BlackCat is written in Rust, a fast and efficient programming language that is difficult for security software to detect. It’s also a popular RaaS product, allowing customers to modify and tailor the attacks and encryption methods to target a more diverse array of operating systems, industries, and targets.

BlackSuit (Royal)

Previously known as Royal, BlackSuit ransomware is known for its attacks on healthcare, manufacturing, and infrastructure targets. It’s relatively new on the scene, appearing in Spring 2023, but its impacts have been felt dramatically. BlackSuit seems to avoid targeting organizations in Russia, Belarus, and other nearby countries, leading to speculation that like BlackCat, it was also created by a Russian group. However, BlackSuit doesn’t appear to be a RaaS operation.

Clop

Clop (or Cl0p) ransomware was used in several high-profile hacks of energy companies, American universities, and more in recent years. It dates back to 2019 and is a variant of CryptoMix ransomware (2016). The name comes from the Russian word for “bug,” “klop.” Clop usually targets data backups, financial records, confidential information, and other high-value files on a system. One aspect of Clop that sets it apart is its ability to disable Microsoft Defender and infect the user’s device without detection. So far, it has primarily targeted large organizations for higher payouts rather than many smaller targets.

DarkSide

Another RaaS operation, DarkSide was responsible for the Colonial Pipeline attack in 2021, crippling its operations and causing fuel shortages up and down the East Coast of the United States. DarkSide can be tailored to its target, with the ransom demands varying depending on the target’s financial resources. While the group claims to be apolitical and avoids targeting organizations that would cause societal problems (like healthcare institutions), they still employ a “double extortion” tactic. This means that the ransomware functions as both cryptoware and leakware. It starts by locking files and requiring payment to unlock them — but if the victim doesn’t pay, the program threatens to release sensitive information until the victim capitulates.

Ryuk

While DarkSide tends to avoid critical organizations like those in the healthcare industry, Ryuk has repeatedly targeted this field, causing serious consequences like delays in patient care. This variant has also attacked government agencies, manufacturing companies, educational institutions, and more. This is yet another ransomware platform that is likely operated by Russian cybercriminals, specifically the group WIZARD SPIDER. Most Ryuk infections begin with phishing emails, emphasizing the importance of training for these threat vectors and using tools to detect potential problems.

Lockbit

Yet another RaaS variant, Lockbit is known for its automated network infiltration capabilities. This self-spreading ability enables it to infect even more devices (and therefore extort money from more victims). Lockbit can also terminate security tools on infected systems, making it difficult to detect and even more contagious. Even more concerning, it was the most deployed ransomware variant in the world in 2022 and has continued to be widely used by RaaS affiliates.

REvil

Also known as Sodinokibi, this ransomware variant is behind attacks on JBS Foods, Kaseya, and more. The group was extremely well-coordinated and thought to be Russian-based, likely an offshoot of the previous ransomware group GandCrab. REvil is another program that used double extortion, encrypting data and files first before threatening to release or auction off the information if the victim didn’t pay. While law enforcement was able to shut REvil down in 2022, its impact on advancing the RaaS business model and sophisticated ransomware cannot be understated.

How Does Ransomware Work?

We’ve looked at a number of ransomware examples so far, all with slightly different ways of infecting and extorting victims. But how do they access devices and take them over in the first place? Below are the basic stages that most ransomware follows:

Stage 1: Infection

The most common infection method is phishing emails, which can include links or attachments that harvest login credentials or grant device access once clicked or downloaded. However, other infection techniques include software vulnerability exploits (such as unpatched software), malicious ads or infected websites, and even remote desktop access to install the malware.

Once the ransomware files are installed on a device, they begin checking for system defenses like antivirus software and try to disable them. Infection can also spread to other devices connected to the same network (called “lateral movement”), which is particularly concerning for large organizations.

Stage 2: Encryption

Once embedded within the system(s), the ransomware begins to lock files with encryption — the most common encryption types used are RSA and AES. Some ransomware variants will lock all files, while others may only target specific file types that are more valuable to the user. Even with modern cryptanalysis, these ciphers are effectively unbreakable without the decryption key.

Stage 3: Notification

Once the encryption process is complete, the ransomware informs the device user of the attack with a ransom note. This is typically a text or HTML file with an explanation of what’s happened, as well as the ransom demand. In more aggressive cases, the ransomware may display a pop-up message that prevents the victim from using the device until they read the note. Depending on the type of ransomware, this notification to the user might be direct (“We have encrypted your system”) or deceitful (“Someone has hacked your computer and you need to buy this antivirus tool”). The note may also include instructions for payment or communication channels.

Stage 4: Extortion

As we discussed earlier, the extortion method will depend on the type of ransomware on the system. For example, leakware will likely threaten to release or auction the stolen data, and double extortion may combine this with other methods to increase pressure on the victim (and therefore, their likelihood of payment). The extortion sometimes includes additional criteria like a payment deadline, ramping up the urgency, and limiting a victim’s ability to contact law enforcement.

Stage 5: Resolution

Whether or not a victim pays the ransom, the resolution stage is typically where communication with the malicious actors ends. However, it doesn’t necessarily end with the removal of the ransomware. Many ransomware variants stay on a device even after someone has paid the group, as a final act of harm to the victim. And even if a decryption key is sent, decryption is not a major focus for ransomware development and may only partially work (or even corrupt the affected files).

Why You Shouldn’t Pay the Ransom

While it might be tempting to give in to the demands and pay, there is no guarantee of data recovery. Plus, once the group behind the attack knows that you’ll pay the ransom, what’s to stop them from doing it again? As we discussed above, not only are you trusting the word of criminals, but the decryption key provided may not even be able to properly decrypt the files. Further, the money will go towards funding more ransomware activity, harming other systems and users. Instead, you should contact a cybersecurity team or law enforcement to help resolve the issue and recover as much data as possible.

Ransomware Protection: How to Prevent

Because of the difficulties we’ve discussed when it comes to removing ransomware, your first line of defense should always be prevention and avoidance. This can come in the form of security awareness training (e.g. knowing what phishing emails look like) or technical practices (e.g. frequent data backups to secure offline drives). Other best practices for ransomware protection include:

  • Patch management: Regularly update software, operating systems, firmware, etc. to close vulnerabilities that could be exploited.
  • Access controls: Limit who has access to certain systems and use MFA (multi-factor authentication) to help contain ransomware infection and spread.
  • Zero trust architecture: Adopt a model of zero trust that verifies all users and devices before they can access any part of the network.
  • Endpoint protection: Use firewalls, antivirus, and endpoint security software to identify suspicious activity before it becomes a problem.

Ransomware Detection: How to Quickly Identify a Ransomware Attack

Unfortunately, prevention can’t be 100% effective as ransomware evolves, and some malicious files may slip through the cracks. This is where efficient detection can mean the difference between stopping ransomware in its tracks and the infection spreading across networks to dozens of devices. Intrusion detection systems and anomaly detection tools can flag unusual activity like mass file encryption. Other best practices for ransomware detection include:

  • Heuristic-based scanning: While traditional antivirus tools can catch some ransomware, they look for known file signatures — heuristic scanning looks for abnormal behavior to identify issues, including previously unknown threats.
  • Early warning indicators: Monitoring metrics like spikes in CPU or disk usage can surface potential signs of ransomware operating in the background.
  • Decoy techniques: Deceiving the cybercriminals with fake decoy files can catch ransomware in the act and give security teams time to respond — but this can also be risky.
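As an added example (not code from the original article), the Python script below combines two items from the list above: a decoy (canary) file whose tampering is a strong alert signal, and a byte-entropy heuristic that flags files whose contents now look like ciphertext rather than documents. The canary filename, the entropy threshold and the sample documents are assumptions constructed for the demo; random bytes stand in for encrypted output, so no real encryption takes place.

```python
"""Canary-file and entropy heuristics for spotting ransomware-style mass encryption."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical decoy filename; it sorts first, so a directory sweep reaches it early.
CANARY_NAME = "!canary_accounts.xlsx"
CANARY_BODY = b"DECOY FILE - never edited by users\n" * 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: prose sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def plant_canary(directory: Path) -> Path:
    """Write the decoy file; any later change to it should page the security team."""
    path = directory / CANARY_NAME
    path.write_bytes(CANARY_BODY)
    return path


def canary_tampered(directory: Path) -> bool:
    """True if the decoy was deleted, renamed or rewritten (e.g. encrypted in place)."""
    path = directory / CANARY_NAME
    return not path.exists() or path.read_bytes() != CANARY_BODY


def high_entropy_files(directory: Path, threshold: float = 7.5) -> list[str]:
    """Names of files whose contents look like ciphertext rather than documents."""
    hits = []
    for path in sorted(directory.iterdir()):
        if path.is_file() and shannon_entropy(path.read_bytes()) >= threshold:
            hits.append(path.name)
    return hits


def run_demo() -> dict:
    """Constructed scenario: three documents plus a canary, checked before and after
    a simulated mass overwrite (random bytes stand in for encrypted content)."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        for name in ("budget.txt", "notes.txt", "report.txt"):
            (folder / name).write_bytes(b"Quarterly figures and plain prose. " * 20)
        plant_canary(folder)
        before = {"canary": canary_tampered(folder), "hits": high_entropy_files(folder)}
        # Simulate what the encryption stage leaves on disk: unreadable bytes, new suffix.
        for path in list(folder.iterdir()):
            path.write_bytes(os.urandom(2048))
            path.rename(path.with_suffix(path.suffix + ".locked"))
        after = {"canary": canary_tampered(folder), "hits": high_entropy_files(folder)}
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the canary check and entropy sweep would run from a file-system watcher, so the alert fires while the sweep is still in progress rather than after the fact.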

Ransomware Removal: How to Clear

If ransomware has infected a device or multiple systems, there may not be many options to remove it. Instead, the focus should be on containing the malware, eliminating it, and recovering what data is possible. Start by isolating the infected system(s) by disabling network connections like Ethernet, Wi-Fi, and Bluetooth to prevent lateral movement. From there, you should:

  • Identify the variant: If you can determine what ransomware strain is behind the infection, there may be decryption tools available from cybersecurity sites.
  • Try backup recovery: If possible, restore the system from backups and check if the ransomware has been completely removed.
  • Run comprehensive antivirus scans: This should not only include traditional antivirus tools but also EDR (Endpoint Detection and Response) to completely eradicate any deeply integrated malware files.
  • Find the entry point: Investigate how the ransomware got into the system and patch any vulnerabilities that allowed it.

Famous Ransomware Attacks

There have been a number of incredibly high-profile ransomware attacks in recent memory, some of which we’ve mentioned earlier. However, it’s important to note how quickly major attacks are now occurring: as more RaaS operations pop up, more and more ransomware stories are appearing as well.

AIDS Trojan (1989)

As discussed at the beginning of this article, AIDS Trojan is widely considered the first ransomware attack. The name comes from its promise that the file would cure AIDS, but instead contained an infection that acted as a Trojan horse. Created by an evolutionary biologist named Joseph Popp, it was distributed on floppy disks that would lock the computer and require payment to restore access. Although not widespread, being the first meant that users didn’t know how to react and often ended up just paying the ransom. This laid the foundation for more sophisticated attacks in the future as criminals realized how this could be exploited for financial gain.

CryptoLocker (2013)

Of those more sophisticated attacks that followed AIDS Trojan, CryptoLocker was one of the largest ransomware variants to start using file encryption and Bitcoin payment in the early 2010s. It also leveraged early versions of phishing emails to get victims to download malicious files or click fake links. CryptoLocker made cryptocurrency-based ransoms the norm in these kinds of attacks and was the basis for many future ransomware strains.

WannaCry Ransomware (2017)

Arguably the most infamous ransomware attack of all time, WannaCry infected over 200,000 computers across 150 countries and 6 continents. It was able to infiltrate so many devices because of lateral movement across networks using a Server Message Block (SMB) protocol vulnerability in Windows systems. Major corporations like Nissan, Honda, Deutsche Bahn, and Telefónica were impacted, as well as the UK’s National Health Service. Thankfully, a security researcher named Marcus Hutchins noticed that the WannaCry code would query an unregistered domain before executing. Since execution relied on not receiving a response from that domain, registering it essentially served as a kill switch for WannaCry. It is believed that this attack originated from North Korea, although this is not known for certain.

Colonial Pipeline (2021)

Caused by the DarkSide ransomware, this attack disrupted the largest fuel pipeline in the United States, causing fuel shortages and panic buying (particularly in the southeast US). The initial infection method was spear phishing — highly targeted phishing tactics to uncover sensitive information — followed by critical systems being locked up. This shut down Colonial Pipeline operations for several days, eventually ending when the company paid $4.4 million in ransom money to regain system access.

Costa Rican Government (2022)

The following year, the Conti ransomware group attacked the Costa Rican government’s systems. Using phishing to gain access, the ransomware encrypted sensitive data and threatened to release it unless the ransom was paid. The impact was so severe that the government declared a state of emergency, as they refused to pay the ransom. Eventually, some recovery was made through backup systems and external cybersecurity support, but plenty of damage had already been done. Since 2022, Costa Rica has heavily invested in improving its cybersecurity defenses and prevention efforts.

United Healthcare Ransomware (2024)

One of the most recent major ransomware news stories surrounds United Healthcare and the BlackCat variant. Similar to the Costa Rican attack, this was primarily a leakware scheme, with the malware threatening to release sensitive patient information and ruin the company’s reputation. This also delayed patient care and pharmacy operations for over a week. According to the company, this cost them $872 million, including a $22 million Bitcoin payment to BlackCat.

Protect Against Ransomware with the Right Software

It should be clear at this point how dangerous ransomware can be, from an individual level to small businesses to major enterprises like United Healthcare. As we’ve discussed, the first and most important line of defense is prevention, followed by identification, and then removal. However, not all antivirus tools are equal — more advanced features like heuristic-based scanning are critical to finding sophisticated and ever-evolving malware on your systems.

About the Author

Katie Allison
Katie leads the TrustRadius research team in their endeavors to ensure that technology buyers have the information they need to make confident purchase decisions. She and her team harness TrustRadius' data to create helpful content for technology buyers and vendors alike. Katie holds multiple degrees from the George Washington University with a BA in International Affairs and an MA in Forensic Psychology. When she’s not at work, you will either find her on an adventure with her two rescue dogs, or on the couch with a new book.