Ransomware is a severe cyberthreat. It is one of the most common and damaging forms of malware, and it can affect any organization. Attackers often deploy ransomware within four days of gaining network access, leaving little time for detection and prevention. Operations are halted, money is lost, reputations are damaged, and data is lost.
Ransomware breaches cost an average of USD 5.68 million, not counting ransom payments, according to the IBM Cost of a Data Breach report. Some ransom demands exceed USD 80 million.
Security teams are improving: ransomware infections dropped 11.5% between 2022 and 2023, probably due to better threat identification and prevention.
What Are the Types of Ransomware
Different ransomware strains extort victims in different ways:
- Crypto ransomware: Encrypts crucial files, leaving them unavailable until a ransom is paid for the decryption key. Examples: WannaCry, Locky, CryptoLocker. This is the classic encrypting form of ransomware.
- Screen-locking ransomware: Disables access to the victim's device or system, preventing them from opening files or using applications until the ransom is paid. Screen lockers are non-encrypting.
- Scareware: Fake software that claims to find system issues and urges users to buy a bogus fix. Scareware can restrict system access or use overwhelming pop-up alerts to pressure users into installing malware or paying. Scareware can deliver ransomware or be ransomware itself.
- Doxware (also known as leakware): Steals sensitive data and threatens to publish it unless the ransom is paid. These attacks use reputational risk to pressure victims. Today's variants routinely both steal and encrypt data.
- Mobile ransomware: Spreads through malicious apps or drive-by downloads on mobile devices. Because many mobile devices back up to the cloud by default, encryption attacks are easy to reverse, so most mobile ransomware consists of screen lockers.
- Wipers: Destructive ransomware that threatens to destroy data if the ransom is not paid. Cybercriminals and nation-state actors use wipers that destroy data even after payment.
- Double and triple extortion: Modern ransomware attacks use double and triple extortion. Double extortion threatens to steal and leak sensitive data online if the ransom is not paid. Triple extortion additionally threatens to target customers or business partners with the stolen data. Even with data backups, these approaches raise the stakes. The IBM Security X-Force Incident Response team has witnessed double extortion in almost every ransomware incident since 2019.

The Ransomware Infection Process
Ransomware can infect a system or device through several vectors. Well-known methods:
- Social engineering attacks, such as phishing, use emails with malicious attachments or lure users to malicious websites to trick them into downloading and launching dangerous files.
- Operating system and software vulnerabilities: Cybercriminals exploit zero-day and unpatched vulnerabilities to inject malware. The 2017 WannaCry attack used a vulnerability for which a patch already existed, spreading through systems that had not applied it.
- Credential theft: Stealing, buying, or cracking user credentials to log in and deploy ransomware, typically over Remote Desktop Protocol (RDP).
- Other malware: Trojans such as Trickbot (originally built to steal banking credentials) can distribute ransomware.
- Drive-by downloads: Exploit kits or malvertising can infect devices with ransomware without the user's knowledge.
- Thread hijacking: Cybercriminals insert malware into genuine, ongoing email conversations to spread it.

RaaS: Ransomware as a Service
Ransomware as a service (RaaS) lets cybercriminals distribute ransomware without writing it. Developers share their malware code with "affiliates" who carry out the attacks and split the ransom. Developers raise revenue without launching more attacks themselves, and affiliates profit without producing malware. RaaS distributors may sell access on the dark web or recruit affiliates directly. Large ransomware gangs have recruited affiliates heavily.
Ransomware Attack Stages
A typical ransomware attack includes several stages:
- Initial access: Attackers get in through phishing, vulnerability exploitation, or compromised remote protocols such as RDP.
- Post-exploitation: Attackers may deploy remote access trojans (RATs) to gain a firmer foothold after initial access.
- Lateral movement: After gaining access to a system or network, attackers may move laterally to reach other systems and domains.
- Data theft: Ransomware operators steal important data, including credentials, client information, and intellectual property, to use in double extortion.
- Deployment: Crypto ransomware encrypts files, disables system restore, and deletes or encrypts backups to raise the pressure. Non-encrypting ransomware instead locks the device or floods it with pop-ups. The ransomware then presents a text file or pop-up window with instructions on how to pay the ransom (typically in cryptocurrency) to decrypt files or restore access.
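As an added illustration of the bulk file encryption described in the Crypto ransomware entry above and in the deployment stage (example code written for this article, not code from any ransomware family, vendor or product it names): a small Python detector that flags a process writing a burst of high-entropy files, which is what bulk encryption looks like on disk. The events, process names and the `.locked` extension are constructed for the example.

```python
import hashlib
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pseudo_ciphertext(seed: str, blocks: int = 32) -> bytes:
    """Constructed stand-in for encrypted output: a deterministic SHA-256 chain."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(blocks))

# Constructed file-write events: (seconds, process image, path, bytes written).
# The first three are benign; "update_svc.exe" is a hypothetical encryptor.
EVENTS = [
    (0.0, "winword.exe", r"C:\Users\a\report.docx", b"Quarterly report draft. " * 40),
    (5.0, "backup-agent.exe", r"D:\backups\2024-01.zip", pseudo_ciphertext("zip1")),
    (65.0, "backup-agent.exe", r"D:\backups\2024-02.zip", pseudo_ciphertext("zip2")),
] + [
    (100.0 + i * 0.4, "update_svc.exe", rf"C:\Users\a\doc{i}.docx.locked", pseudo_ciphertext(f"f{i}"))
    for i in range(6)
]

def detect_encryption_bursts(events, window_s=10.0, min_files=5, min_entropy=7.0):
    """Return {process: extensions} for processes writing >= min_files high-entropy files within window_s."""
    by_proc = defaultdict(list)
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            by_proc[proc].append((ts, path.rsplit(".", 1)[-1].lower()))
    alerts = {}
    for proc, writes in by_proc.items():
        writes.sort()
        for i in range(len(writes)):  # sliding window over this process's high-entropy writes
            j = i
            while j < len(writes) and writes[j][0] - writes[i][0] <= window_s:
                j += 1
            if j - i >= min_files:
                alerts[proc] = sorted({ext for _, ext in writes[i:j]})
                break
    return alerts

if __name__ == "__main__":
    for proc, exts in detect_encryption_bursts(EVENTS).items():
        print(f"ALERT: {proc} wrote a burst of high-entropy files with extensions {exts}")
```

Two high-entropy writes a minute apart (the backup agent) stay below the threshold, while six within a few seconds trigger an alert; tune `window_s` and `min_files` to the file servers you monitor.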
The History of Ransomware
Thousands of ransomware variants exist. Some notable ones are:
- AIDS Trojan: The first known ransomware, distributed on floppy disks in 1989. It hid file directories but was easily reversed.
- CryptoLocker: Introduced in 2013, it is credited with paving the way for advanced ransomware attacks that demand payment in cryptocurrency.
- WannaCry: A 2017 cryptoworm that used an unpatched Microsoft Windows vulnerability to infect over 200,000 systems in 150 countries. Its ransom note threatened to delete files if payment was not made.
- Petya and NotPetya: Prevent PCs from booting by encrypting the file system table. A modified NotPetya variant used in a 2017 attack on Ukraine was a wiper that could not restore systems after payment.
- Ryuk: Appearing in 2018, it popularised large-scale ransomware attacks against high-value targets with hefty demands. It locates and disables backups.
- DarkSide: In 2021, DarkSide, a suspected Russia-based group, attacked Colonial Pipeline, briefly disrupting a vital fuel supply. The group licenses its ransomware through RaaS.
- Locky: Encrypting malware that hides malicious macros in email attachments, typically posing as invoices.
- REvil (Sodinokibi): Popularised RaaS for big-game hunting and double-extortion attacks, notably against JBS USA and Kaseya Limited in 2021.
- Conti: Active since 2020, the Conti gang ran a large RaaS operation that earned its affiliates a regular income. In a unique double-extortion twist, Conti threatened to sell network access to other hackers. After its internal communications were leaked in 2022, the gang split, but former members are linked to BlackBasta, Royal, and Zeon.
- LockBit: A widespread ransomware variant in 2023. The group is known for its businesslike behaviour, sometimes acquiring other malware. Despite law enforcement action, LockBit continues to attack victims.

Paying Ransom
An average ransom is hard to estimate, but estimates range from the high six figures to the low seven figures. In 2023, 37% of victims paid a ransom, down from 70% in 2020, presumably due to better preparation.
Federal law enforcement, particularly the FBI and the NCIJTF, strongly discourages ransom payments. Paying may not recover the data, and it empowers attackers, funds criminal activity, and encourages further attacks.
With strong backup systems, recovery is feasible without negotiating. Authorities encourage victims to report attacks before paying. Paying a ransom to attackers from nations under US economic sanctions is unlawful, as is payment by state government entities in certain US jurisdictions.
How to Prevent Ransomware
Preventing ransomware requires combining technology with user behaviour. Major strategies are:
- Regular software updates and patches: Updates for operating systems, applications, and firmware close the vulnerabilities ransomware exploits.
- Modern antivirus and anti-malware software: Real-time scanning, behavioural detection, and automatic updates identify and remove threats.
- Firewalls: A well-configured firewall blocks unauthorised network access.
- Email filtering and scanning: Blocks phishing attempts by detecting suspicious links and attachments.
- Regular backups: Enable speedy recovery without paying a ransom. Data can be restored from secure, immutable backups if systems are compromised. Keep three copies of your data on two media types, with one copy offsite. Cloud backups such as Seagate Lyve Cloud offer geographic redundancy, encryption, and immutability.
- Network security measures: Firewalls, intrusion detection systems, network segmentation, and secure VPNs for remote access help stop attacks. Least-privilege access and endpoint security policies further harden the network.
- AI-driven tools: Can forecast and prevent attacks by analysing behaviour patterns, detecting anomalies, and disrupting attacks before execution. With automated playbooks, AI-driven tools can detect zero-day attacks, monitor users and endpoints, and respond faster.
- Policies and procedures: Effective preparedness requires a detailed incident response plan with clear responsibilities, timelines, and communication channels.
- Team training: Employees need regular security awareness training to recognise phishing and suspicious emails, since human error is a major risk.
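An added example for the email filtering item above and for the phishing attachments and Locky-style macro lures described earlier (written for this article, not the code of any product it mentions): a Python check that holds an attachment for review when it carries an executable or double extension, or when an OOXML container hides a VBA macro project. The documents, filenames and the OLE header stub are constructed for the example.

```python
import io
import zipfile
# Content type that OOXML declares for a VBA macro project part.
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat")

def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML container (a zip of named parts) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

def attachment_findings(filename: str, data: bytes) -> list:
    """Return reasons to hold an attachment for review; an empty list means it passes."""
    findings = []
    name = filename.lower()
    if name.endswith(EXEC_EXTENSIONS):
        findings.append("executable attachment type")
        if name.count(".") >= 2:
            findings.append("double extension hides an executable")
    if not data.startswith(b"PK\x03\x04"):
        return findings  # not a zip-based Office document; nothing more to inspect here
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            types_xml = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return findings + ["corrupt or truncated Office container"]
    if has_vba:
        findings.append("embedded VBA macro project (vbaProject.bin)")
        if name.endswith((".docx", ".xlsx", ".pptx")):
            findings.append("macro inside an extension that should be macro-free")
    if MACRO_CONTENT_TYPE in types_xml:
        findings.append("macro content type declared in [Content_Types].xml")
    return findings

# Constructed samples: a clean report and an "invoice" carrying a macro project.
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOC = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24),  # OLE header stub
})
```

The mismatch finding matters most in practice: a macro project inside a file named `.docx` is a lure, since that extension is meant to be macro-free.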

A Ransomware Response Plan
Every system has vulnerabilities, so a detailed response plan is essential. Actions include:
- Isolate: Disconnect infected systems immediately to stop the ransomware from spreading.
- Report to authorities: Coordinate with the FBI or CISA for law enforcement assistance. Legal requirements may mandate reporting.
- Assess damage: Identify affected systems, assess data compromise, and collaborate with IT and security teams on containment.
- Restore data: Recover from the latest clean backup. Reliable recovery requires secure, immutable solutions such as Seagate Lyve Cloud.
- Communicate: Inform employees, partners, and customers to maintain trust and manage reputation.
- Don't pay the ransom: Experts advise against it, since payment does not guarantee data recovery and may encourage further attacks.