
Ransomware Variants

Since the appearance of the first Bitcoin-based ransomware in 2013, the number of different types of ransomware has exploded. Ransomware variants are a potent tool in the arsenal of criminals, and have also gained popularity with some governments.

So why are there so many different kinds of ransomware, and what can we do about it?

Silicon Valley for Ransomware Variants

The ransomware market is actually a lot like the market for legitimate software. There are even ransomware venture capitalists that finance different types of ransomware.

All ransomware works according to the same principle: cause as much damage as possible to the victim in order to coerce them into paying. Usually this involves encrypting or stealing data to put pressure on the victim.

The main difference between different types of ransomware is how they evade detection. The most popular ransomware variants work on a “ransomware-as-a-service” model (RaaS). This means that a professional team of hackers develops the software, and then leases out the software to other hackers who do the dirty work of breaking into networks.

Just like in Silicon Valley, RaaS developers compete for funding from investors and advertise their products to potential customers. For example, they attempt to prove that their software can encrypt files more quickly than their competitors, since the amount of data encrypted before detection can make or break a ransomware attack.

Ransomware developers work continuously to stay a step ahead of antivirus software and cybersecurity professionals. Unfortunately, hackers are winning the ransomware arms race for now. Antivirus software is continuously recalibrated to detect new types of ransomware, but ransomware developers constantly change their software to avoid detection.

Types of Ransomware

All ransomware works according to the same principle, which is causing victims some kind of pain or distress and demanding money to make it go away. Many ransomware variants fit into more than one of these categories at the same time.

Encryptors

An encryptor will encrypt as much of your data as possible so that your files become unusable. File names are often replaced with a random string of letters and numbers, or the same filename with a new file extension. If a victim is able to catch an encryption attack early, some files might remain unencrypted.

Encryption ransomware will sometimes replace each file with a folder containing the encrypted file and a ransom note with payment demands and instructions for payment.
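The behaviour described above (the same unfamiliar extension spreading across many files and folders, a ransom note dropped beside the data, file contents that no longer look like documents) can be turned into a simple defensive check. The script below is an added example, not code from the original article or from any ransomware family it names. It works over an in-memory snapshot of file paths and contents constructed inline, so it runs offline; the `.locked` extension, the note-name hints, the "common" extension list and the thresholds are assumptions you would tune for your own environment.

```python
import math
import os
from collections import Counter, defaultdict

# Constructed heuristics for this example; tune them for your own environment.
RANSOM_NOTE_HINTS = ("how_to", "decrypt", "restore", "recover", "ransom")
COMMON_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".csv", ".pptx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; near 8.0 suggests encrypted or compressed content


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(filename: str) -> bool:
    """Ransom notes are usually small text/HTML files with names like HOW_TO_DECRYPT.txt."""
    stem, ext = os.path.splitext(filename.lower())
    return ext in ("", ".txt", ".html", ".hta") and any(h in stem for h in RANSOM_NOTE_HINTS)


def assess_snapshot(snapshot: dict, min_files: int = 5, min_dirs: int = 2) -> dict:
    """Score a {path: content} snapshot for three encryptor indicators:
    an uncommon extension on many files across several folders, a ransom-note
    style file in several folders, and near-random file contents."""
    ext_count, ext_dirs = Counter(), defaultdict(set)
    note_dirs, high_entropy_files = set(), []
    for path, content in snapshot.items():
        directory, name = os.path.split(path)
        if looks_like_note(name):
            note_dirs.add(directory)
            continue
        ext = os.path.splitext(name)[1].lower()
        ext_count[ext] += 1
        ext_dirs[ext].add(directory)
        if shannon_entropy(content) >= ENTROPY_THRESHOLD:
            high_entropy_files.append(path)
    suspicious_exts = sorted(
        e for e, c in ext_count.items()
        if e not in COMMON_EXTS and c >= min_files and len(ext_dirs[e]) >= min_dirs
    )
    # Each independent signal counts once; two or more together is a strong indicator.
    signals = sum([
        bool(suspicious_exts),
        len(note_dirs) >= min_dirs,
        len(high_entropy_files) >= min_files,
    ])
    verdict = "likely_encryptor" if signals >= 2 else "review" if signals == 1 else "no_indicators"
    return {
        "suspicious_extensions": suspicious_exts,
        "note_dirs": sorted(note_dirs),
        "high_entropy_files": len(high_entropy_files),
        "verdict": verdict,
    }


# Constructed sample data: plausible document text versus bytes with every value equally often.
LOW_ENTROPY = b"Quarterly figures and meeting minutes. " * 100
HIGH_ENTROPY = bytes(range(256)) * 16  # exactly 8.0 bits per byte

CLEAN_SNAPSHOT = {f"/shares/finance/q{i}.xlsx": LOW_ENTROPY for i in range(1, 5)}
CLEAN_SNAPSHOT.update({f"/shares/hr/policy{i}.docx": LOW_ENTROPY for i in range(1, 5)})

# Same tree after a hypothetical encryptor: renamed with a placeholder ".locked" extension,
# contents replaced, and one note per affected folder.
ENCRYPTED_SNAPSHOT = {f"/shares/finance/q{i}.xlsx.locked": HIGH_ENTROPY for i in range(1, 5)}
ENCRYPTED_SNAPSHOT.update({f"/shares/hr/policy{i}.docx.locked": HIGH_ENTROPY for i in range(1, 5)})
ENCRYPTED_SNAPSHOT["/shares/finance/HOW_TO_RESTORE_FILES.txt"] = b"Your files are encrypted..."
ENCRYPTED_SNAPSHOT["/shares/hr/HOW_TO_RESTORE_FILES.txt"] = b"Your files are encrypted..."

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_SNAPSHOT), ("encrypted", ENCRYPTED_SNAPSHOT)):
        print(label, assess_snapshot(snap))
```

The check deliberately requires two independent signals before calling a tree "likely_encryptor": a single unfamiliar extension or a single high-entropy file is normal on most shares (archives, installers, a vendor's proprietary format), but an unfamiliar extension appearing on many files in many folders at the same time as a note in each of those folders is the pattern described above. In practice you would feed it a file-change feed from the file server or EDR rather than a full snapshot, and alert on the "review" verdict as well as the strong one.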

Lockware

Lockware locks you out of your system completely. Usually the only thing you can still access is a ransom note with details about how to pay the ransom. Some less sophisticated forms of lockware may not encrypt the files, meaning they can still be recovered. These variants are more likely to target home computers and spread via spam emails or phishing links.

Scareware

Scareware attempts to extort money from victims by making (usually false) claims. For example, a scareware variant might claim to have recorded you watching pornography, and threaten to post videos of it on your social media accounts unless you pay. Other examples include the hacker claiming to be a government agency that has found out about unpaid taxes, and threatening fines and penalties unless the victim pays.

These variants often include time limits to put pressure on the victim so they don’t have time to think about the situation rationally.

Leakware

Leakware works by getting hold of sensitive data, and then threatening to release it to the public. Leakware tends to target companies like law firms, medical practices, and companies with trade secrets. Many leakware operators run web sites on the dark web where they publish stolen data and allow anyone to download it.

Ransomware as a Service

Ransomware as a Service (RaaS) variants are probably the most dangerous type of ransomware out there. Since development is so specialized, high-end RaaS variants can penetrate even advanced defenses.

The multi-million dollar ransom payments you hear about in the news? They were probably RaaS variants. Most highly targeted ransomware attacks are carried out by specialized teams of hackers partnered with RaaS operators.

Ransomware Variants

Since there is so much money being made with ransomware, new variants are constantly under development. Sometimes, gangs will just “retire” when they’ve made a lot of money, or when they are facing pressure from law enforcement.

Other times, ransomware developers will leave to join new teams. Since antivirus software is continuously being improved, it’s necessary for ransomware hackers to constantly develop new variants which can infect systems and networks undetected. Generally, all ransomware variants work along similar lines, but are tweaked in different ways to optimize performance.

Following is a list of some of the most well known and dangerous ransomware variants.

Akira Ransomware

Akira is a double extortion ransomware variant that gained traction in mid-2023. It targets both Windows and Linux systems, and is known for exfiltrating sensitive data before encrypting it. The group operates as a Ransomware-as-a-Service (RaaS) and has been observed attacking various sectors, including education, finance, and manufacturing. Victims often report being contacted directly by the group via email.

Black Basta Ransomware

Black Basta is a sophisticated RaaS operation first observed in early 2022. It primarily targets enterprises and frequently disables antivirus tools during infection. The group is known for using both encryption and data theft, hosting stolen files on their leak site. Black Basta often gains initial access via compromised credentials or malware like Qakbot.

Clop Ransomware

Clop is a well-known ransomware variant that specializes in large-scale data breaches. It often exploits zero-day vulnerabilities, such as those found in MOVEit Transfer and Accellion FTA. The Clop gang is highly organized and prefers to extort high-value targets, almost always using double extortion techniques involving public data leaks.

eKing Ransomware

eKing Ransomware is a lesser-known variant that surfaced in 2023. It is typically delivered through malicious email attachments or poorly secured RDP access. Unlike more advanced strains, eKing rarely uses custom encryption techniques and has not shown consistent leakware behavior, although its operators may still threaten to publish stolen data.

FOG Ransomware

FOG is an emerging ransomware family that uses aggressive encryption tactics and custom ransom notes. It typically targets small to mid-sized businesses, often through phishing campaigns or RDP vulnerabilities. Though primarily a locker ransomware, recent FOG samples have included signs of data exfiltration for extortion purposes.

Inc Ransomware

Inc is a developing ransomware variant that first gained visibility in late 2023. It spreads via RDP compromise and software vulnerabilities. The group behind Inc often renames encrypted files with the .inc extension and uses a dark web portal to leak stolen data. The ransom notes emphasize speed, warning victims of rapid public exposure.

Lockbit Ransomware

Lockbit is one of the most active and widely-used RaaS variants globally. The group employs data theft, fast encryption, and high-pressure tactics including countdown timers and leak threats. Notably, Lockbit runs “bug bounty” programs and even pays insiders to install ransomware within their own companies for a share of the ransom.

MAKOP Ransomware

MAKOP ransomware is a persistent variant that primarily targets SMBs through exposed RDP services. It encrypts files with unique extensions and drops a ransom note in each affected folder. Although the gang often claims data exfiltration, there is little evidence to suggest this is consistently true. The group’s tactics focus on disruption over publicity.

Ransomhub Ransomware

Ransomhub is a rebranded or spin-off operation that surfaced after the disappearance of several major ransomware groups. It follows a typical double extortion model, hosting victim data on a dedicated leak site. Attacks are often opportunistic, leveraging exploits in public-facing services or third-party software.

BianLian Ransomware

Originally a ransomware variant, BianLian has evolved into a data extortion group that often skips file encryption entirely, focusing solely on data theft and public shaming. Early variants used Go-based ransomware payloads. Now, the group relies heavily on exfiltrating sensitive information and applying pressure through leak threats and media exposure.

GlobeImposter 2.0 Ransomware

GlobeImposter 2.0 is a continuation of the original GlobeImposter variant, known for mimicking other ransomware strains. It often spreads via pirated software downloads or malicious scripts. The variant encrypts files with various extensions and uses multiple decoy ransom notes to confuse victims. It’s particularly common in low-budget cybercrime campaigns.

Phobos Ransomware

Phobos Ransomware primarily targets small businesses and individuals, usually via exposed RDP services. There are numerous active variants, often used by different operators with varying levels of skill. Phobos rarely includes data theft functionality, focusing instead on file encryption and pressuring victims with personalized ransom notes.

Play Ransomware

Play is a RaaS variant known for its minimalist ransom notes, usually marked only with the word “PLAY”. It rose to prominence in 2022 and frequently targets government and infrastructure sectors. The group uses double extortion and often exploits known vulnerabilities in Fortinet and Exchange servers. Play is also notable for its rapid encryption process.

Staying Ahead of the Game

With so many new variants emerging all the time, keeping up can be daunting. Education is key to fighting ransomware, so it’s important that every organization has someone who is responsible for keeping up with new phishing techniques and attack vectors, and for helping to raise awareness.
