What are the different types of ransomware?

Ransomware is a specific type of malware that tries to extract a ransom payment in exchange for unblocking access to the victim's device. Unlike other cyber attacks, ransomware encrypts data rather than stealing or destroying it.

The WannaCry attack that affected the NHS in 2017 and infected over 400,000 computers across 150 countries has propelled ransomware to the forefront of people's minds, with many businesses questioning whether they would be able to cope with the consequences of a ransomware attack, should their cyber security defences fail.

Types of ransomware

Ransomware currently comes in two main forms: locker ransomware, and crypto-ransomware.

Crypto-ransomware, also known as a cryptor, is the most common type of ransomware. These programs encrypt data on the victim's device and demand money in return for a promise to restore the data. The user interface may still be usable, but files will be inaccessible.

Ransomware lockers, sometimes called blockers or lock screen ransomware, don't affect the data stored on the device. Instead, it prevents the victim from accessing the device. The ransom demand is displayed across the screen, often masquerading as a notice from a law enforcement agency claiming that the victim has accessed illegal web content and demanding an on-the-spot fine. This type of ransomware is usually easier to treat than encryptors.

Other types of ransomware will inevitably come to prominence in the future. One which is being increasingly used is master boot record (MBR) ransomware. MBR ransomware changes the master boot record in the hard drive, interrupting the normal boot process by displaying a ransom demand on the boot up screen.  Petya was initially launched as a master boot record software, but was later upgraded to a version which completely wiped hard drives.

Ransomware payments

With crypto-ransomware or cryptors the files and data that are stored on the infected device are encrypted into an unreadable form, so that the data can only be decrypted by using the appropriate decryption key. The key is only released by the criminal after the victim has paid the ransom demand.

Consumers affected by crypto-ransomware are usually faced with demands of 250 to 500 worth of Bitcoin, but ransom charges for businesses can be much higher. The attacker will normally give 48 to 72 hours to pay the ransom.

If the ransom goes unpaid, the price will steadily increase until the decryption key is deleted, making it virtually impossible to recover the files.

According to a survey conducted by the University of Kent's Interdisciplinary Research Centre in Cyber Security, over 40% of the victims of CryptoLocker, a popular family of malware, agreed to pay the ransom.

Even if a ransom is paid, though, there's no guarantee the data will be unencrypted. Of the companies affected by ransomware in 2018, 51% lost their data, even after paying. Some cryptors contain software bugs that may cause the decryption process to fail, and some criminals simply won't enable decryption, instead just taking the money.

There are also an increasing number of cases of cyber criminals demanding payment not only for decrypting the user's data, but also for some additional "services". For example, the attacker may turn to blackmail: "Pay extra, or we may be forced to mail your browsing history to all your contacts".

But there is a growing intolerance for paying out as part of a ransomware demand, with 40% of top IT security professionals saying that it should be illegal to pay out.

The growth of ransomware

Because it's relatively inexpensive to develop and launch a cryptor, the volume of attacks is increasing. A single item of crypto-malware can generate massive revenues, making it a tempting prospect for cyber criminals.

As with most other types of malware, there are many ways in which ransomware can find its way onto computers and other devices. Email phishing is one of the most common ways, where the victim receives an email that looks genuine but contains an infected attachment or includes a link to a phishing website.

Watering hole attacks are also very common; where visiting a legitimate website that's popular with a specific type of user (for example, an accountancy forum) can result in the employee's device becoming infected. In these cases of drive-by' infection, the website will have already been infected with malware that's ready to exploit vulnerabilities on visitors' devices.

Ransomware can attack a wide range of devices, including PCs, Macs and smartphones. If the affected device is also attached to a network drive, the shared files are likely to be encrypted as well, regardless of which operating system is running.

Cybercriminals who launch ransomware are getting increasingly good at avoiding law enforcement agencies, which makes it harder to track down and close modern crypto-operations. Payment is normally demanded in Bitcoin, which is very difficult to trace, and the attackers' command and control servers may be hidden in the anonymous Tor network.

Educating people about IT security basics, including awareness of suspicious emails, is key to reducing the risk of being attacked by ransomware, as is investing in sufficient security software. Regular offline backups will also ensure data can be restored should the worst happen and a device or network is compromised.