Since the appearance of the first Bitcoin-based ransomware in 2013, the number of different types of ransomware has exploded. Ransomware variants are a potent tool in the arsenal of criminals, and have also gained popularity with some governments.
So why are there so many different kinds of ransomware, and what can we do about it?
Silicon Valley for Ransomware Variants
The ransomware market is actually a lot like the market for legitimate software. There are even ransomware venture capitalists that finance different types of ransomware.
All ransomware works according to the same principle: cause as much damage as possible to the victim in order to coerce them into paying. Usually this involves encrypting or stealing data to put pressure on the victims.
The main difference between different types of ransomware is how they evade detection. The most popular ransomware variants work on a “ransomware-as-a-service” model (RaaS). This means that a professional team of hackers develops the software, and then leases out the software to other hackers who do the dirty work of breaking into networks.
Just like in Silicon Valley, RaaS developers compete for funding from investors and advertise their products to potential customers. For example, they attempt to prove that their software can encrypt files more quickly than their competitors, since the amount of data encrypted before detection can make or break a ransomware attack.
Ransomware developers work continuously to stay a step ahead of antivirus software and cybersecurity professionals. Unfortunately, hackers are winning the ransomware arms race for now. Antivirus software is continuously recalibrated to detect new types of ransomware, but ransomware developers constantly change their software to avoid detection.
Types of Ransomware
All ransomware works according to the same principle, which is causing victims some kind of pain or distress and demanding money to make it go away. Many ransomware variants fit into more than one of these categories at the same time.
An encryptor will encrypt as much of your data as possible so that your files become unusable. File names are often replaced with a random string of letters and numbers, or the same filename with a new file extension. If a victim is able to catch an encryption attack early, some files might remain unencrypted.
Encryption ransomware will sometimes replace each file with a folder containing the encrypted file and a ransom note with payment demands and instructions for payment.
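The encryptor behaviour described above (original names kept with a new extension, or replaced by a random string, plus a note dropped in each affected folder) can be triaged from a before/after file listing. The following is an added example, not code from the original article; the file paths, the `.locked` extension and the note name are constructed for illustration, and the note-name pattern and 50% threshold are assumptions.

```python
"""Heuristic triage of a file listing for encryptor-style renames and ransom notes."""
import os
import re
from collections import Counter

# Constructed sample: paths before and after a suspected incident.
BEFORE = [
    "docs/budget.xlsx", "docs/plan.docx", "docs/notes.txt",
    "photos/a.jpg", "photos/b.jpg", "src/main.py",
]
AFTER = [
    "docs/budget.xlsx.locked", "docs/plan.docx.locked",
    "docs/Q7f3Kx9ZpL2mW4.locked",          # notes.txt replaced by a random name
    "photos/a.jpg.locked", "photos/b.jpg.locked", "src/main.py",
    "docs/README_TO_RESTORE.txt", "photos/README_TO_RESTORE.txt",
]

NOTE_PATTERN = re.compile(r"(restore|decrypt|recover|readme|how_to)", re.I)  # assumed
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{12,}$")   # long alphanumeric stem, no separators

def triage(before, after, threshold=0.5):
    """Summarise indicators: share of originals affected, dominant new extension,
    and the directories that received a note-like file."""
    before_set, after_set = set(before), set(after)
    missing = [p for p in before if p not in after_set]
    added = [p for p in after if p not in before_set]
    note_dirs = sorted({os.path.dirname(p) for p in added
                        if NOTE_PATTERN.search(os.path.basename(p))})
    renamed, random_named, ext_counts = [], [], Counter()
    for p in added:
        if NOTE_PATTERN.search(os.path.basename(p)):
            continue                                   # the note itself, not a victim file
        stem, ext = os.path.splitext(p)
        if stem in before_set:                         # original name kept, extension appended
            renamed.append(p); ext_counts[ext] += 1
        elif RANDOM_NAME.match(os.path.splitext(os.path.basename(p))[0]):
            random_named.append(p); ext_counts[ext] += 1
    affected = len(renamed) + len(random_named)
    share = affected / len(before) if before else 0.0
    dominant = ext_counts.most_common(1)[0][0] if ext_counts else None
    return {"missing": len(missing), "affected": affected, "share": round(share, 2),
            "dominant_ext": dominant, "note_dirs": note_dirs,
            "suspicious": share >= threshold and dominant is not None}

if __name__ == "__main__":
    print(triage(BEFORE, AFTER))
```

The same function run on an unchanged listing reports no dominant extension and no note directories, so it does not flag a normal snapshot.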
Lockware locks you out of your system completely. Usually the only thing you can still access is a ransom note with details about how to pay the ransom. Some less sophisticated forms of lockware may not encrypt the files, meaning they can still be recovered. These variants are more likely to target home computers and spread via spam emails or phishing links.
Scareware attempts to extort money from victims by making (usually false) claims. For example, ransomware might claim to have recorded you watching pornography, and threaten to post videos of it on your social media accounts unless you pay. Other examples include the hacker claiming to be a government agency that has found out about unpaid taxes, and threatening fines and penalties unless they are paid.
These variants often include time limits to put pressure on the victim so they don’t have time to think about the situation rationally.
Leakware works by getting hold of sensitive data, and then threatening to release it to the public. Leakware tends to target companies like law firms, medical practices, and companies with trade secrets. Many leakware operators run web sites on the dark web where they publish stolen data and allow anyone to download it.
Ransomware as a Service
Ransomware as a Service (RaaS) ransomware is probably the most dangerous type of ransomware out there. Since development is so specialized, high-end RaaS variants can penetrate even advanced defenses.
The multi-million dollar ransom payments you hear about in the news? They were probably RaaS variants. Most highly targeted ransomware attacks are carried out by specialized teams of hackers partnered with RaaS operators.
Since there is so much money being made with ransomware, new variants are constantly under development. Sometimes, gangs will just “retire” when they’ve made a lot of money, or when they are facing pressure from law enforcement.
Other times, ransomware developers will leave to join new teams. Since antivirus software is continuously being improved, it’s necessary for ransomware hackers to constantly develop new variants which can infect systems and networks undetected. Generally, all ransomware variants work along similar lines, but are tweaked in different ways to optimize performance.
Following is a list of some of the most well known and dangerous ransomware variants.
Avaddon ransomware was a RaaS usually spread through phishing. Avaddon both encrypted files and acted as a leakware by stealing data. The gang was also known to threaten company web pages with DDoS attacks in order to put additional pressure on victims.
The gang retired in June, 2021, and released all of their decryption keys to the public, allowing victims who had not paid ransoms to recover their files.
Blackcat is a ransomware gang also known as ALPHV. They typically attack large companies running outdated firewall or VPN software. The gang gained infamy for its attack on a European gas pipeline in July, 2022, recalling the Colonial Pipeline attack of 2021. Many experts believe the gang members may be the same people who were behind the Colonial Pipeline attack.
Phobos ransomware is a more basic ransomware variant that often targets small businesses or individuals. There is a wide range of active Phobos variants operated by gangs with quite different methods. Phobos is often spread by spam campaigns and can target personal computers as well as business networks. Phobos is also frequently spread through poorly secured Remote Desktop Protocol (RDP) services.
Phobos rarely if ever acts as a leakware.
Dharma ransomware, also known as CrySIS, is an older ransomware variant that first appeared in 2016. It most commonly spreads through spam email attachments, though it is also known to target RDP ports.
Some believe that Phobos was inspired by Dharma, and like Phobos, Dharma has a wide variety of variants and often targets smaller businesses.
Experts believe that Ryuk ransomware is operated by the WIZARD SPIDER hacker group. It is known for targeting large companies, with ransom demands running into the millions of dollars.
Most Ryuk attacks gain access via phishing emails.
Conti ransomware is one of the more widespread RaaS variants. Like many ransomware variants, it spreads via phishing emails, sometimes with a unique twist. It often fools victims by hiding in Excel spreadsheets, which many people are less likely to suspect of containing a virus.
GlobeImposter 2.0 Ransomware
Lockbit is one of the most widely used ransomware variants. A standard RaaS and leakware variant, the gang behind it is known for their creative marketing efforts, including organizing hacking contests and seeking to recruit company insiders to help infect corporate networks in exchange for a percentage of the ransom.
Hive is a RaaS and leakware variant known for targeting outdated Windows servers. Those using the software are known for their aggression, and frequently attack healthcare facilities. Most attacks are targeted and sophisticated.
Clop ransomware is known for hitting high-profile targets and raking in huge ransoms. Arrests of Clop gang members in Ukraine in 2021 were unable to stop the gang. It tends to use complex attacks which exploit zero-day vulnerabilities, and almost always acts as leakware.
Haron ransomware appears to be a spin-off of Avaddon ransomware. Like Avaddon, Haron attacks tend to be highly focused on data exfiltration and extortion, so they also tend to concentrate on targets with sensitive data.
BlackMatter ransomware was a RaaS strain which shut down in November of 2021, citing pressure from the authorities. The gang made a number of high-profile ransom demands, ranging as high as $15 million.
Sodinokibi, also known as REvil, is believed to be from the same developers as the infamous GandCrab variant. It is a very widespread RaaS which has been observed hitting targets of all types and sizes.
Matrix is a ransomware that typically uses RDP ports as its preferred attack vector. The Matrix gang is known for asking its victims for encrypted files, and then using them to customize the ransom amount according to the size of the company.
MAKOP is a lesser-known ransomware variant. It’s useful to note that the MAKOP gang has been known to claim to have stolen sensitive data even when that is not the case.
Quantum ransomware is an unusually fast virus. It’s a good example of how hackers are working to optimize performance in response to increased cybersecurity efforts.
Quantum is known to spread through targeted phishing emails, and only occasionally steals data to act as leakware.
Staying Ahead of the Game
With so many new variants emerging all the time, keeping up can be daunting. Education is key to fighting ransomware, so it’s important that every organization have someone who is responsible for keeping up with new phishing techniques and attack vectors, and helping to raise awareness.