Ransomware has become one of the most prevalent and challenging cyberthreats worldwide, impacting businesses, educational institutions, healthcare organizations, and governments. Ransomware is a type of malicious software or malware that is designed to infect a victim’s system and encrypt files to make them inaccessible. In exchange for a decryption key that restores access to files, cybercriminals demand a ransom payment, usually in the form of cryptocurrency like bitcoin. Variants of this dangerous malware have evolved in recent years, resulting in multiple types of ransomware.
How ransomware works
Ransomware threats rely on a variety of vectors to gain access to a victim’s IT environment and infect machines. The most common types of ransomware attack methods include:
- Phishing emails: Attackers often send malicious emails that appear to be messages from a known or trusted source. Ransomware is downloaded to a computer when a user clicks on a malicious link or opens an attachment embedded with malware.
- Exploitation of software vulnerabilities: Threat actors may exploit security flaws in software or in operating systems like Microsoft Windows to inject malicious code into a machine or network. Notably, the EternalBlue vulnerability was exploited by the WannaCry ransomware variant in a high-profile malware attack.
- Trojans disguised as legitimate software: Users may be duped into downloading malicious software that appears to be a legitimate application or software update.
- Compromised websites: Ransomware may also be spread when users click on a link in a website or file sharing network that has been compromised by attackers.
- Credential theft: Cybercriminals can buy stolen user credentials on the dark web, or gain access to accounts through brute-force attacks on logins or on exposed remote-access technologies like Remote Desktop Protocol (RDP).
After gaining access to an IT environment, attackers install ransomware on individual machines and servers. The malware then spreads to other machines by exploiting vulnerabilities to move laterally throughout the IT environment. When ransomware infects an individual computer, it encrypts files and folders on the hard drive, making them inaccessible to users. The encryption uses a strong algorithm, and the key needed to reverse it is held by the attackers.
After files have been encrypted, attackers present users with an on-screen message detailing ransom demands and providing instructions on how to make a payment. If the victim chooses to pay the ransom, they may receive a decryption key that restores access to files and data. However, there is no guarantee that a decryption key will be provided as promised.
The different types of ransomware
There are six basic types of ransomware, with many variations in each category.
- Crypto ransomware. Crypto ransomware is the most common type. Typically distributed through email attachments or downloads from compromised sites, it encrypts the files on a hard drive using a strong encryption algorithm and demands a ransom in cryptocurrency. Notable examples include CryptoLocker, Cerber, Bad Rabbit, and Ryuk ransomware.
- Leakware. This is also known as doxware, exfiltrationware, extortionware, and double extortion ransomware. Leakware raises the stakes by threatening to publish the victim’s sensitive data online if the ransom is not paid. Attackers typically use exfiltration techniques to steal data before encrypting files on the system. Leakware places additional pressure on the victim, who may fear damage to reputation or business opportunities if certain information is made public. REvil and Maze ransomware are examples of this type of extortion-based malware.
- Locker ransomware. This somewhat less dangerous variant is also known as a screen locker. Rather than encrypting files, it locks victims out of their devices, preventing them from accessing the operating system, applications, or files on those devices. High-profile examples include the Petya and Locky ransomware strains. Users may be able to remove this type of malware by booting into safe mode and running antivirus software.
- DDoS ransomware. Rather than encrypting files, this type of ransomware uses botnets to overwhelm servers with illegitimate traffic, causing network resources and services to slow down, crash, or become unavailable to users. This is commonly known as a DDoS attack.
- Ransomware as a service (RaaS). RaaS is a business model in which cybercriminals develop ransomware and rent it to others, allowing hackers with little experience or skill in ransomware to nevertheless launch devastating attacks. The ransomware developers receive a percentage of the payments. High-profile RaaS examples include Cerber and REvil.
- Scareware. This variant doesn’t actually encrypt files, but rather presents a pop-up message that says a device has been infected and encourages the user to quickly download a product or service to resolve the issue. Scareware preys on the fear that ransomware has created among individuals and organizations.
Best practices for ransomware protection
To defend against the many types of ransomware infection, security teams must implement a multilayered approach to ransomware protection and ransomware removal.
- Antivirus, anti-malware, and anti-ransomware solutions detect and remove ransomware.
- Email filtering technology blocks phishing emails and malicious attachments.
- Firewalls block unauthorized access to networks and filter out malicious traffic.
- Frequent backups enable organizations to restore their data without paying a ransom.
- Endpoint protection provides firewalls and detection and response capabilities on individual devices.
- Timely patch management keeps software and operating systems updated to prevent attacks that exploit vulnerabilities in software and hardware.
- Security awareness training helps users and employees to spot potential cyberattacks, dangerous spam emails, and social engineering techniques while developing good security hygiene that can prevent ransomware attacks.
- Incident response plans enable coordinated action immediately after ransomware is detected. These should involve notification of law enforcement agencies like the FBI.
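The endpoint detection and response controls above work largely by spotting the behaviour described in "How ransomware works": one process rewriting many user files with a new extension across several directories in a short time, then dropping a ransom note. The following is an added example of such a behavioural heuristic, written for this page; it is not Akamai's code or any product's detection logic. The audit-event format, the thresholds, and the process names and paths are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristic thresholds. These values are assumptions chosen for the constructed
# sample below; a real deployment tunes them against its own baseline activity.
RENAME_THRESHOLD = 5            # extension-changing renames by one process ...
DIR_THRESHOLD = 2               # ... touching at least this many directories ...
WINDOW = timedelta(seconds=60)  # ... within this sliding time window
# Ransom notes are commonly dropped as text/HTML files with names like these.
RANSOM_NOTE = re.compile(r"(readme|decrypt|restore|recover).*\.(txt|html|hta)$", re.I)

# Constructed file-system audit events, one per line:
#   <timestamp> pid=<pid> proc=<image> op=<write|rename> path=<path> [-> <newpath>]
# winword.exe shows ordinary editing; updater.exe shows the mass-rename pattern.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 pid=4120 proc=winword.exe op=write path=C:\\Users\\alice\\Documents\\report.docx
2024-05-01T09:00:03 pid=4120 proc=winword.exe op=rename path=C:\\Users\\alice\\Documents\\~WRL0001.tmp -> C:\\Users\\alice\\Documents\\report.docx
2024-05-01T09:05:00 pid=7781 proc=updater.exe op=rename path=C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\report.docx.crypted
2024-05-01T09:05:01 pid=7781 proc=updater.exe op=rename path=C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.crypted
2024-05-01T09:05:01 pid=7781 proc=updater.exe op=rename path=C:\\Users\\alice\\Pictures\\holiday.jpg -> C:\\Users\\alice\\Pictures\\holiday.jpg.crypted
2024-05-01T09:05:02 pid=7781 proc=updater.exe op=rename path=C:\\Users\\alice\\Pictures\\cat.png -> C:\\Users\\alice\\Pictures\\cat.png.crypted
2024-05-01T09:05:02 pid=7781 proc=updater.exe op=rename path=C:\\Shares\\finance\\q1.pdf -> C:\\Shares\\finance\\q1.pdf.crypted
2024-05-01T09:05:03 pid=7781 proc=updater.exe op=rename path=C:\\Shares\\finance\\q2.pdf -> C:\\Shares\\finance\\q2.pdf.crypted
2024-05-01T09:05:04 pid=7781 proc=updater.exe op=write path=C:\\Shares\\finance\\README_RESTORE_FILES.txt
"""


def split_path(path):
    """Return (directory, filename, lowercase extension) for a Windows-style path."""
    directory, _, name = path.rpartition("\\")
    _stem, dot, ext = name.rpartition(".")
    return directory, name, (ext.lower() if dot else "")


def parse_event(line):
    """Parse one audit line into a dict; newpath is None for non-rename events."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:5])
    newpath = tokens[6] if len(tokens) >= 7 and tokens[5] == "->" else None
    return {
        "ts": datetime.fromisoformat(tokens[0]),
        "pid": fields["pid"],
        "proc": fields["proc"],
        "op": fields["op"],
        "path": fields["path"],
        "newpath": newpath,
    }


def extension_changed(event):
    """True for a rename whose target has a different extension than the source."""
    if event["op"] != "rename" or event["newpath"] is None:
        return False
    return split_path(event["path"])[2] != split_path(event["newpath"])[2]


def detect(log_text):
    """Return one finding per process whose file activity matches the heuristic."""
    events = [parse_event(ln) for ln in log_text.splitlines() if ln.strip()]
    by_process = defaultdict(list)
    for ev in events:
        by_process[(ev["pid"], ev["proc"])].append(ev)

    findings = []
    for (pid, proc), evs in by_process.items():
        renames = sorted((e for e in evs if extension_changed(e)), key=lambda e: e["ts"])
        # Slide a window over the renames; trip if any window is dense enough and
        # spans several directories (editors rename in one place, encryptors roam).
        tripped, start = False, 0
        for end in range(len(renames)):
            while renames[end]["ts"] - renames[start]["ts"] > WINDOW:
                start += 1
            window = renames[start:end + 1]
            dirs = {split_path(e["path"])[0] for e in window}
            if len(window) >= RENAME_THRESHOLD and len(dirs) >= DIR_THRESHOLD:
                tripped = True
                break
        if not tripped:
            continue
        notes = [e["path"] for e in evs
                 if e["op"] == "write" and RANSOM_NOTE.search(split_path(e["path"])[1])]
        findings.append({
            "pid": pid,
            "proc": proc,
            "renames": len(renames),
            "directories": sorted({split_path(e["path"])[0] for e in renames}),
            "new_extensions": sorted({split_path(e["newpath"])[2] for e in renames}),
            "ransom_notes": notes,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the sample, winword.exe performs a single extension-changing rename (its temp file becoming the saved document) and stays below the threshold, while updater.exe trips the rule and is reported together with the directories it touched, the new extension it applied, and the ransom note it wrote. Real endpoint products combine signals like this with canary files, entropy checks on written data, and process-ancestry context to keep false positives low; the thresholds here are only a starting point.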