Ransomware is a form of malicious software that encrypts a victim’s files, preventing the victim from accessing them. The attacker then demands a ransom from the victim to restore access to the data upon payment. There are two main types of ransomware: locker ransomware and crypto ransomware.
Locker ransomware, also known as lockscreen ransomware, locks the victim out of their device. It does this by locking the screen or computer and preventing the user from accessing the desktop and applications. The ransomware displays a full-screen image or notification demanding a ransom payment in order to unlock the screen. Payment is demanded in cryptocurrency, such as Bitcoin. Locker ransomware is designed to completely lock the user out until the ransom is paid.
The locker typically blocks all activity on the device and may even disable certain functions like turning the device off or accessing task manager. Some variants play an audio track or display images while the device is locked. The goal is to get the victim to pay the ransom as soon as possible in order to regain access to their device and data.
Some examples of locker ransomware variants include:
- Reveton – Targeted users by claiming to be law enforcement and accusing victims of illegal activity
- PowerLocker – Blocked access to desktop and apps on Android devices
- LockScreen – Early locker ransomware that changed the lock screen on Android devices
The primary function of locker ransomware is to completely block device access in order to elicit fast ransom payments from victims who need immediate access to their devices and data.
Crypto ransomware, also known as data-encrypting ransomware, uses encryption algorithms to encrypt files on a device or network. Once the files are encrypted, the ransomware demands payment in order to decrypt them and restore access. Crypto ransomware encrypts documents, photos, databases, and other important files so they are inaccessible to the user.
Crypto ransomware aims to encrypt as many files as possible on the target system. Some variants even search connected devices and mapped network drives to encrypt additional files and cause maximum impact. The ransom payment is demanded in cryptocurrency, and the amount generally depends on how quickly the victim pays. The faster they pay, the lower the ransom demand.
Some examples of crypto ransomware variants include:
- CryptoLocker – One of the first crypto ransomware that infected over 250,000 computers
- WannaCry – Notorious 2017 ransomware that affected 200,000+ computers across 150 countries
- Ryuk – Targeted large organizations and encrypted sensitive network files
Crypto ransomware often utilizes advanced encryption algorithms, such as RSA and AES, to encrypt files. These algorithms use encryption keys consisting of long strings of random characters. Without access to these keys, it is virtually impossible to decrypt the files. This is why paying the ransom is the only option for most victims to regain access to encrypted files.
In addition to encryption, crypto ransomware often utilizes other techniques, such as:
- Deleting volume shadow copies on Windows machines – Prevents file recovery
- Encrypting file names and extensions – Prevents identification of encrypted files
- Targeting backups and mapped network drives – Increases number of encrypted files
By encrypting irreplaceable data and backups, crypto ransomware often leaves victims with no choice but to pay the ransom to get their files back. This makes it a very effective attack.
Comparing the Two Types
In summary, the two main differences between locker and crypto ransomware are:
|Locks access to the device
|Encrypts files on the device
|Prevents access to the system
|Prevents access to specific files
|Generally does not encrypt files
|Encrypts user files, databases, backups etc.
|Demands quick payment to unlock system
|Demands payment to decrypt files
While locker ransomware locks users out of their devices immediately, crypto ransomware takes time to encrypt files before the impact is felt. Crypto ransomware is considered more dangerous as it targets valuable data and backups that are difficult to replace if encrypted. However, both types have severe consequences if the ransom is not paid.
How Ransomware Infects Systems
Ransomware uses various strategies to infect systems and deploy its malicious payload. Some of the most common ransomware infection methods include:
- Phishing emails – Malicious attachments or links to fake websites that download ransomware.
- Drive-by downloads – Infectious code on malicious sites that exploit browser vulnerabilities.
- Malvertising – Ransomware downloads triggered by malicious ads on websites.
- Remote desktop protocol (RDP) exploits – Brute force attacks on internet-facing RDP servers.
- Software vulnerabilities – Exploiting holes in operating systems, applications, and services.
- Malicious email attachments – Fake invoices, notices, and other files with embedded ransomware executables.
Once downloaded via these vectors, ransomware payloads then utilize various strategies to avoid detection and infect systems. This includes using polymorphic code that constantly changes form, disabling security software, spreading through networks, and more. Advanced ransomware families like Ryuk can breach organization networks and credential stores to spread rapidly across systems.
Ransomware payloads are also constantly improving evasion techniques to deliver their payloads. This makes them highly adept at circumventing traditional signature-based antivirus solutions.
Human-Operated vs Automated Ransomware
Modern ransomware families fall under two major categories:
- Human-operated ransomware – Manually deployed, controlled, and operated by a group or individual.
- Automated ransomware – Follows pre-programmed behavior using worm-like propagation.
Human-operated ransomware represents the greatest threat today as these sophisticated actors can breach networks, combine multiple attack vectors, intelligently spread laterally across systems, and demanded higher ransoms. The infamous Ryuk, REvil, and Conti are prime examples.
Automated ransomware acts in more predictable ways, often utilizing worm-like behavior to self-propagate. While less complex, automated ransomware can still cause considerable damage, especially variants like WannaCry that exploit known software vulnerabilities.
Ransomware Objectives and Targets
The main objectives of ransomware actors include:
- Extorting money from victims by holding their data hostage
- Inflicting maximum impact so victims urgently pay
- Remaining anonymous using cryptocurrency for ransoms
- Sustaining ransomware campaigns via ransom payments
To achieve these goals, ransomware operators target victims that are most likely and able to pay ransoms quickly, including:
- Businesses – Especially mid-size companies with valuable data
- Critical infrastructure – Healthcare, transportation, utilities, etc.
- Public institutions – Local government, schools, hospitals
- Individuals – Targeted through mass campaigns
By understanding the psychology of their victims, ransomware gangs can calibrate their ransom demands, malware behavior, and infected targets to maximize profit.
Ransomware Attack Process
A typical ransomware attack follows this general sequence of events:
- Initial compromise – Gains access via phishing, brute force, exploits etc.
- Lateral movement – Spreads through the network silently mapping connected devices
- Payload deployment – Encrypts files or locks systems with ransomware payload
- Impact and detection – Users notice ransom notes, encrypted files, or locked systems
- Extortion – Demands ransom payment, often threatening leak of data
- Payment – Victims pay ransom to recover data and keys
- Data recovery – Decryption keys provided if ransom paid
The initial compromise and lateral movement actions are stealthy and designed to gain maximum access before deploying ransomware across all available devices and data. Once files are encrypted and systems locked, the impact quickly builds panic and urgency to pay the ransom and recover.
Defending Against Ransomware
Defending against ransomware requires a multi-layered strategy combining technological defenses and user awareness. Recommended security measures include:
- Next-gen antivirus – Advanced endpoint protection to block known and unknown ransomware strains.
- Email security – Block malicious phishing emails and attachments.
- Vulnerability management – Patching software, OS, and application vulnerabilities.
- Firewall – Blocking access to known malicious IP addresses.
- Web filtering – Prevent access to malicious domains.
- Network segmentation – Isolate and partition networks to control lateral movement.
- Backups – Maintain recent backups offline to recover encrypted data.
- User education – Training staff to recognize social engineering and ransomware lures.
- Incident response plan – Protocols to rapidly contain, eradicate, and recover from incidents.
Ransomware resilience requires planning and preparation before an attack. Organizations should conduct ransomware simulation exercises and continually test defenses against the latest threats.
Should You Pay the Ransom?
Paying the ransom demand is controversial. While it may allow you to recover your data, it also encourages and funds further ransomware activity. There are risks to consider with paying ransoms:
- No guarantee you’ll get decryption keys
- Paying one ransom may lead to more demands
- Rewarding criminals encourages further ransomware development
- Payment can be considered illegal depending on laws
However, for businesses that need access to data in order to operate, ransom payment may be the most viable option, especially if backups are not available. The FBI actually lists paying the ransom as an “option” on its ransomware webpage. Factors to consider include:
- Importance and criticality of encrypted data
- Ability to recover data through other means
- Cost of business downtime vs ransom payment
- Risk of repeat infections if ransom is paid
Consulting law enforcement, regulators, cyber insurance providers, and outside experts can help organizations decide if paying the ransom aligns with their policies and regulations.
Ransomware presents a severe threat to businesses, organizations, and individual users. Defending against ransomware requires securing systems against intrusion, blocking malicious code, updating software, maintaining offline backups, and training users on detection. Understanding the different types of ransomware, infection methods, and process behind attacks allows organizations to prepare defenses and incident response plans.
Staying vigilant against the cybercriminal groups constantly innovating new ransomware techniques and technology is crucial. With a sophisticated, multi-layered defense and comprehensive incident response, organizations can build resilience against ransomware and avoid being held hostage when the next major threat emerges.