What are the different types of ransomware?
Ransomware comes in more than one form
Ransomware is a specific type of malware that tries to extract a ransom payment in exchange for unblocking access to the victim's device. The WannaCry attack that affected the NHS in May has propelled ransomware to the forefront of people's minds, with many businesses questioning whether they would be able to cope with the consequences of a ransomware attack, should their cyber security defences fail.
Ransomware currently comes in two forms. The most common form is the cryptor, also known as crypto-ransomware. These programs encrypt data on the victim's device and demand money in return for a promise to restore the data.
Ransomware blockers, by contrast, don't affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand is displayed across the screen, often masquerading as a notice from a law enforcement agency claiming that the victim has accessed illegal web content and demanding an on-the-spot fine. This type of malware is usually easier to remove than a cryptor, because the underlying data is left intact.
With crypto-ransomware or cryptors the files and data that are stored on the infected device are encrypted into an unreadable form, so that the data can only be decrypted by using the appropriate decryption key. The key is only released by the criminal after the victim has paid the ransom demand.
Consumers affected by crypto-ransomware are usually faced with demands of 250 to 500 worth of Bitcoin, but ransom charges for businesses can be much higher. The attacker will normally give 48 to 72 hours to pay the ransom.
If the ransom goes unpaid, the price will steadily increase until the decryption key is deleted, making it virtually impossible to recover the files.
According to a survey conducted by the University of Kent's Interdisciplinary Research Centre in Cyber Security, over 40% of the victims of CryptoLocker, a popular family of malware, agreed to pay the ransom.
Even if a ransom is paid, though, there's no guarantee the data will be decrypted. Of the people affected by ransomware in 2016, one in five never got their files back, even after paying the ransom. Some cryptors contain software bugs that cause the decryption process to fail, and some criminals simply never enable decryption, instead just taking the money.
There are also an increasing number of cases of cyber criminals demanding payment not only for decrypting the user's data, but also for some additional "services". For example, the attacker may turn to blackmail: "Pay extra, or we may be forced to mail your browsing history to all your contacts".
Because it's relatively inexpensive to develop and launch a cryptor, the volume of attacks is increasing. A single item of crypto-malware can generate massive revenues, making it a tempting prospect for cyber criminals.
As with most other types of malware, there are many ways in which ransomware can find its way onto computers and other devices. Email phishing is one of the most common ways, where the victim receives an email that looks genuine but contains an infected attachment or includes a link to a phishing website.
Watering hole attacks are also very common: visiting a legitimate website that's popular with a specific type of user (for example, an accountancy forum) can result in the employee's device becoming infected. In these cases of 'drive-by' infection, the website will already have been compromised with malware that's ready to exploit vulnerabilities on visitors' devices.
Ransomware can attack a wide range of devices, including PCs, Macs and smartphones. If the affected device is also attached to a network drive, the shared files are likely to be encrypted as well, regardless of which operating system is running.
Cybercriminals who launch ransomware are getting increasingly good at avoiding law enforcement agencies, which makes it harder to track down and close modern crypto-operations. Payment is normally demanded in Bitcoin, which is very difficult to trace, and the attackers' command and control servers may be hidden in the anonymous Tor network.
Educating people about IT security basics, including awareness of suspicious emails, is key to reducing the risk of a ransomware attack, as is investing in sufficient security software. Regular offline backups will also ensure data can be restored should the worst happen and a device or network be compromised.