{"id":411,"date":"2023-04-11T11:39:00","date_gmt":"2023-04-11T11:39:00","guid":{"rendered":"https:\/\/dataprot.net\/?p=411"},"modified":"2023-07-14T07:50:55","modified_gmt":"2023-07-14T07:50:55","slug":"ransomware-attacks","status":"publish","type":"post","link":"https:\/\/dataprot.net\/guides\/ransomware-attacks\/","title":{"rendered":"The Biggest Ransomware Attacks in History"},"content":{"rendered":"\n

Perpetrators of ransomware attacks share one goal: extorting money from their victims. To gain leverage over the data their victims depend on, they use malicious software called ransomware. <\/p>\n\n\n\n

What Is Ransomware?<\/h2>\n\n\n\n

Ransomware is a type of malware that prevents users from accessing their files, usually by encrypting them. It reaches the victim\u2019s device by various means, from phishing emails and malicious attachments to brute-forced remote-access credentials and unpatched, internet-facing services.<\/p>\n\n\n\n

Cybercriminals favor companies and organizations because they are more willing to pay to regain access to the data their operations depend on, and because the ransoms that can be demanded from them are far higher. <\/p>\n\n\n\n

That said, ordinary people can become victims of ransomware attacks, too, so we\u2019ll discuss what steps you can take to protect yourself later in this article.<\/p>\n\n\n\n

Types of Ransomware Attacks<\/h2>\n\n\n\n

Cybercriminals keep developing new ransomware families, but all of them fall into two broad categories: those that encrypt your files (crypto ransomware) and those that lock you out of your device (locker ransomware). <\/p>\n\n\n\n

Crypto Ransomware<\/h3>\n\n\n\n

In a crypto ransomware attack, the perpetrator encrypts the victim\u2019s files and then leaves a ransom note with payment details on the victim\u2019s desktop. To scramble the data, cybercriminals use strong, standard encryption: AES (Advanced Encryption Standard), RSA (Rivest, Shamir, Adleman)<\/strong>, and usually the two combined in a hybrid scheme, where files are encrypted with a per-victim symmetric key that is in turn encrypted with the attacker\u2019s RSA public key, so that only the attacker can recover it.<\/p>\n\n\n\n

Once the files are encrypted, recovering them without the attacker\u2019s private key is practically impossible, unless the malware authors made an implementation mistake, as several of the families below did. This leaves the victim with three options: pay for the key, restore the data from a backup made before the infection (and kept where the malware could not reach it), or accept the loss. <\/p>\n\n\n\n

Locker Ransomware<\/h3>\n\n\n\n

Locker ransomware, or screen-locking ransomware, limits the victim\u2019s access to their own device by blocking essential functions while leaving just enough use of the mouse and keyboard to read the ransom note and pay. Since locker ransomware doesn\u2019t encrypt victims\u2019 files<\/strong>, it leaves them with more options to combat it, such as booting from rescue media and removing the malware.<\/p>\n\n\n\n

To sum it up, the difference between crypto and locker ransomware is that crypto ransomware encrypts the files, but locker ransomware doesn\u2019t.<\/strong> Instead, it blocks the user\u2019s access to the device, while the data underneath is left intact.<\/p>\n\n\n\n

Ransomware Examples<\/h2>\n\n\n\n

To be able to glimpse the future, you first need to understand the past. The same applies to ransomware attacks. A look at the most significant attacks since 1989 shows how ransomware has evolved and hints at where it is heading.<\/p>\n\n\n\n

AIDS Trojan\/PC Cyborg (1989)<\/h3>\n\n\n\n

The first known ransomware attack wasn\u2019t delivered by email or a malicious link. Instead, biologist Joseph Popp mailed thousands of floppy disks labeled \u201cAIDS Information \u2013 Introductory Diskettes\u201d to attendees of the World Health Organization\u2019s AIDS conference in Stockholm, among others. Each disk carried a Trojan alongside a legitimate-looking questionnaire program. <\/p>\n\n\n\n

Once installed, the Trojan counted reboots and triggered after roughly 90 of them. It then hid the directories on the C: drive and scrambled the file names, leaving the system unusable even though the file contents themselves were untouched.<\/p>\n\n\n\n

It then demanded a $189 \u201clicense renewal\u201d fee, to be sent to a \u201cPC Cyborg Corporation\u201d PO box in Panama. Luckily, the scheme used a simple symmetric substitution rather than strong encryption, and free recovery tools were soon released to help the victims. <\/p>\n\n\n\n

CryptoLocker (2013)<\/h3>\n\n\n\n

CryptoLocker debuted in September 2013<\/a>, announcing a new era of ransomware attacks. It\u2019s believed this piece of malicious code was used to extort more than $3 million from its victims. It targeted Windows machines and spread via malicious email attachments and through the Gameover ZeuS botnet.<\/p>\n\n\n\n

When activated, CryptoLocker encrypted files matching a list of extensions on local drives and on any mapped network shares, using a per-victim RSA key pair generated on the attackers\u2019 server so that the private key never touched the infected machine. It then demanded payment in Bitcoin or prepaid cash vouchers within a 72-hour deadline.<\/p>\n\n\n\n

In 2014, an international law-enforcement operation disrupted CryptoLocker by taking down the Gameover ZeuS botnet<\/a> used to distribute it. Investigators also recovered the database of victims\u2019 private keys, which security firms later used to build a free decryption service.<\/p>\n\n\n\n

Koler.a (2014)<\/h3>\n\n\n\n

Koler.a ransomware initially targeted visitors to adult websites. It posed as a video file or a video player app, or the user was redirected through a compromised website to a payload tailored to their PC or Android smartphone.<\/p>\n\n\n\n

It read the device\u2019s geolocation and displayed a lock screen impersonating the local police, claiming that illegal pornographic material had been found on the device and that the victim had to pay a fine or face criminal charges. As locker ransomware, it encrypted nothing, and the device could be recovered by removing the malicious app without paying. <\/p>\n\n\n\n

TeslaCrypt (2015)<\/h3>\n\n\n\n

TeslaCrypt copied CryptoLocker\u2019s ransom note and branding, and used similar methods to reach its victims\u2019 devices: phishing emails and compromised websites hosting exploit kits. In addition to encrypting personal files, it also targeted saved games and other files from World of Warcraft and dozens of other games. In May 2016, the group behind TeslaCrypt shut down and released its master key, allowing all victims to decrypt their files.<\/p>\n\n\n\n

Ransom32 (2016)<\/h3>\n\n\n\n

Most crypto ransomware is compiled for one operating system, but Ransom32 was written in JavaScript, HTML, and CSS and packaged with the NW.js runtime. In principle, that allowed the same code to be built for Windows, Linux, and macOS, although in practice only Windows samples were observed.<\/p>\n\n\n\n

The same modularity gave the malware multiple avenues of attack, although the affiliates who rented it mainly relied on phishing emails. To this day, there is no publicly available decryption tool for it. <\/p>\n\n\n\n

Locky (2016)<\/h3>\n\n\n\n

Locky\u2019s operators sent mass phishing emails with a Word document attached, posing as an invoice. The document contained a VBA macro, and the ransomware was only deployed if the victim opened the file and clicked through Word\u2019s warning to enable macros.<\/p>\n\n\n\n

That macro was not Locky itself but a downloader that fetched and ran the Locky payload. Locky was behind one of the first major ransomware attacks on a hospital: in February 2016, Hollywood Presbyterian Medical Center in Los Angeles paid a ransom of 40 bitcoin, about $17,000 at the time.  <\/p>\n\n\n\n
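The macro-laden invoice attachment described above is still the textbook ransomware delivery vector, and a mail gateway can flag it cheaply. The following is an added example written for this article, not code from Locky or from any product: it classifies attachments by content rather than by file name, using the fact that Office Open XML documents are ZIP archives that carry a vbaProject.bin part when they contain VBA code. The file names, the minimal OOXML archives, and the gateway policy of blocking macro-enabled extensions are all constructed assumptions for the demonstration.<\/p>\n\n\n\n

```python
"""Flag e-mail attachments that can carry Office macros.

Added example for this article, not code from any ransomware family or
security product. Office Open XML documents (.docx, .docm, .xlsm, ...)
are ZIP archives; a document with VBA code carries a vbaProject.bin
part. Legacy binary .doc/.xls files are OLE2 compound files, recognised
here by their magic bytes only and handed to deeper inspection (for
example oletools' olevba) or blocked outright. The sample attachments
below are constructed in memory; no real malware is used.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML and other ZIP containers

# Assumed gateway policy: macro-enabled extensions are never delivered.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'ole2', 'clean' or 'unknown' for one attachment.

    'macro'   - OOXML archive containing a VBA project, or a macro-enabled
                extension regardless of content.
    'ole2'    - legacy binary Office file; may hold VBA, needs a real parser.
    'clean'   - OOXML archive without a VBA project.
    'unknown' - anything else (PDF, images, corrupt ZIP, ...).
    """
    name = filename.lower()
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if name.endswith(MACRO_EXTENSIONS):
        return "macro"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            parts = archive.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    # The VBA project lives under word/, xl/ or ppt/. Match on the part name,
    # not on the extension, because the extension is under the sender's control.
    if any(part.lower().endswith("vbaproject.bin") for part in parts):
        return "macro"
    return "clean"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word-like OOXML archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder VBA project
    return buf.getvalue()


def triage(attachments):
    """Map each (filename, bytes) pair to its classification."""
    return {name: classify_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    # Constructed sample mail with five attachments.
    sample = [
        ("invoice_2016-02.docm", build_ooxml(True)),
        ("invoice_2016-02.docx", build_ooxml(True)),   # VBA project behind a .docx name
        ("contract.docx", build_ooxml(False)),
        ("scan.doc", OLE2_MAGIC + b"\x00" * 64),
        ("receipt.pdf", b"%PDF-1.4\n"),
    ]
    for name, verdict in triage(sample).items():
        print(f"{name:24} {verdict}")
```

In a gateway, \u2018macro\u2019 and \u2018ole2\u2019 verdicts would quarantine the message or strip the attachment; the OLE2 branch is deliberately conservative because parsing the legacy format correctly needs a dedicated library.<\/p>\n\n\n\n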

WannaCry (2017)<\/h3>\n\n\n\n

Locky had some success with hospital ransomware attacks, but WannaCry, launched in May 2017, infected systems across dozens of National Health Service (NHS) trusts<\/a> in England and Scotland, forcing hospitals to cancel thousands of appointments and operations; the Department of Health later estimated the cost at \u00a392 million. <\/p>\n\n\n\n

WannaCry spread by exploiting a vulnerability in Microsoft Windows\u2019 SMBv1 file-sharing protocol, using EternalBlue, an exploit developed by the US National Security Agency and leaked by the Shadow Brokers group in April 2017. Microsoft had already patched the flaw in March 2017 (security bulletin MS17-010), a month before the leak, but WannaCry spread unchecked through systems that had not installed the update or were running versions of Windows that no longer received updates.<\/p>\n\n\n\n

British security researcher Marcus Hutchins noticed that the malware checked an unregistered domain before encrypting and registered it, turning that check into a kill switch that halted new infections while security teams rushed to patch crucial systems. In parallel, French researchers found that on some systems (notably Windows XP machines that had not been rebooted) the prime numbers of the RSA key could be recovered from memory, allowing decryption in certain situations. <\/p>\n\n\n\n

Petya\/NotPetya (2016\/2017)<\/h3>\n\n\n\n

Petya first appeared in 2016. Engineered to attack Microsoft Windows devices, it overwrote the master boot record and encrypted the NTFS master file table (MFT), so Windows could not boot and the files could not be located even though most of their contents were untouched. <\/p>\n\n\n\n

In June 2017, a variant dubbed NotPetya was used in an attack centered on Ukraine. It entered through a compromised update of the M.E.Doc accounting software and then spread inside networks using the same EternalBlue exploit as WannaCry together with stolen credentials. Unlike Petya, it was a wiper dressed as ransomware: the \u201cinstallation key\u201d shown in its ransom note was random, so there was no way to decrypt the files even if the victim paid.<\/p>\n\n\n\n

REvil (2019)<\/h3>\n\n\n\n

REvil, a.k.a. Sodinokibi, is crypto ransomware run as a service by a group believed to be based in Russia. Its affiliates delivered it through phishing, exploitation of unpatched internet-facing services, and brute-forced remote access. It mainly targeted US and European companies; the malware checks the system\u2019s language settings and refrains from encrypting machines in countries that used to be part of the Soviet Union.<\/p>\n\n\n\n

One of its targets was the foreign currency exchange and travel insurance company Travelex. On New Year\u2019s Eve 2019, the attackers entered the company\u2019s network through an unpatched Pulse Secure VPN server, a flaw for which a fix had been available for months, and extracted 5 GB of customer data. They demanded a $6 million ransom but reportedly settled for $2.3 million after negotiations.<\/p>\n\n\n\n

In January 2022, the Russian Federal Security Service reported that it had dismantled the REvil group with the help of intelligence provided by the US.<\/p>\n\n\n\n

UHS (2020)<\/h3>\n\n\n\n

In September 2020, a massive hospital ransomware attack hit Universal Health Services (UHS), which later put the pre-tax impact at $67 million. UHS decided not to pay the ransom and instead worked with internal and external security experts to restore its systems and data from backups.<\/p>\n\n\n\n

The ransomware used was Ryuk, which is human-operated: the initial foothold, typically a TrickBot or BazarLoader infection delivered by a phishing email, is followed by days of reconnaissance and lateral movement before the operators deploy the encryptor across the network.<\/p>\n\n\n\n

That dwell time is used to reach as many machines and backups as possible before detonation. Just before encrypting, Ryuk deletes Volume Shadow Copies and disables Windows recovery features such as System Restore, so the victim can\u2019t roll back to a clean state and has to rely on offline backups. <\/p>\n\n\n\n
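Ryuk\u2019s tampering with shadow copies and System Restore is also a detection opportunity: the Windows tools it runs for that purpose are rare in normal operation. The following is an added example written for this article, not code from any Ryuk analysis or detection product. It runs a handful of rules for recovery-inhibiting command lines over constructed process-creation log lines in an assumed tab-separated format (timestamp, host, parent image, command line); the hosts, timestamps, and format are assumptions, while the command patterns are the built-in Windows utilities documented as abused by Ryuk and other ransomware families.<\/p>\n\n\n\n

```python
"""Spot recovery-inhibiting commands in process-creation logs.

Added example for this article, not code from any Ryuk analysis or
security product. Ransomware families such as Ryuk run a handful of
built-in Windows tools to delete Volume Shadow Copies and disable System
Restore and boot recovery before they start encrypting (MITRE ATT&CK
T1490, Inhibit System Recovery). The log below is constructed for the
demonstration and uses an assumed tab-separated format:
timestamp, host, parent image, command line.
"""
import re
from collections import defaultdict

# Each rule: (name, compiled pattern applied to the full command line).
RULES = (
    ("shadow_copy_delete",      re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_delete",      re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow_storage_resize",   re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("boot_recovery_disabled",  re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("boot_failures_ignored",   re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_deleted",  re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("system_restore_disabled", re.compile(r"Disable-ComputerRestore|\\SystemRestore\b.*\bDisableSR\b", re.I)),
)

# Constructed sample: one host showing the pre-encryption burst, one host
# with a benign vssadmin query, one host with a PowerShell restore-disable.
SAMPLE_LOG = """\
2020-09-27T02:13:44Z\tHOST-01\texplorer.exe\tC:\\Windows\\System32\\notepad.exe C:\\Users\\bob\\notes.txt
2020-09-27T02:14:01Z\tHOST-01\tcmd.exe\tvssadmin.exe Delete Shadows /all /quiet
2020-09-27T02:14:02Z\tHOST-01\tcmd.exe\tbcdedit /set {default} recoveryenabled No
2020-09-27T02:14:02Z\tHOST-01\tcmd.exe\tbcdedit /set {default} bootstatuspolicy ignoreallfailures
2020-09-27T02:14:05Z\tHOST-01\tcmd.exe\twbadmin DELETE CATALOG -quiet
2020-09-27T02:30:00Z\tHOST-02\tservices.exe\tC:\\Windows\\System32\\vssadmin.exe list shadows
2020-09-27T02:31:10Z\tHOST-03\tpowershell.exe\tpowershell -nop -c Disable-ComputerRestore -Drive 'C:\\'
"""


def parse_log(text):
    """Yield one event dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, host, parent, command = line.split("\t", 3)
        yield {"timestamp": timestamp, "host": host, "parent": parent, "command": command}


def detect(text):
    """Return every (host, rule name, command line) triple that matches a rule."""
    hits = []
    for event in parse_log(text):
        for name, pattern in RULES:
            if pattern.search(event["command"]):
                hits.append((event["host"], name, event["command"]))
                break  # one verdict per event is enough
    return hits


def hosts_at_risk(hits, min_distinct_rules=2):
    """Hosts on which several different recovery-inhibiting techniques were seen.

    Requiring more than one distinct rule filters out the occasional admin
    who legitimately frees shadow storage; a burst of different techniques
    within minutes is the ransomware pre-encryption pattern.
    """
    seen = defaultdict(set)
    for host, name, _ in hits:
        seen[host].add(name)
    return {host for host, names in seen.items() if len(names) >= min_distinct_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for host, name, command in found:
        print(f"{host}  {name:24} {command}")
    print("hosts at risk:", sorted(hosts_at_risk(found)))
```

Because the commands are issued seconds apart and right before encryption starts, an alert on this pattern has to trigger an automated response (isolating the host, killing the parent process) rather than waiting for an analyst; by the time a ticket is read, the files are already encrypted.<\/p>\n\n\n\n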

DarkSide (2021)<\/h3>\n\n\n\n

In May 2021, a hacker crew known as DarkSide<\/a>, whose ransomware shares code with REvil, hit the oil pipeline operator Colonial Pipeline, heralding a wave of cyber attacks on critical infrastructure<\/a>. The result? Colonial Pipeline shut down its 5,500-mile pipeline on the East Coast as a precaution and, within hours, paid 75 bitcoin, worth about $4.4 million at the time. The US Department of Justice later traced the payment and recovered 63.7 bitcoin of it.<\/p>\n\n\n\n

Conti (2021)<\/h3>\n\n\n\n

Conti ransomware was first detected in 2020, but it earned its notoriety in May 2021, when a group known as Wizard Spider used it to attack Ireland\u2019s Health Service Executive (HSE). Like UHS, the HSE refused to pay the ransom. It responded by shutting down its IT systems and disconnecting the National Healthcare Network from the internet to contain the spread.<\/p>\n\n\n\n

This caused disruptions in healthcare services countrywide as doctors and other medical personnel instantly lost access to their patients\u2019 medical records. It took four months for the HSE to recover from the incident.<\/p>\n\n\n\n

Ransomware-as-a-Service (RaaS)<\/h2>\n\n\n\n

Several families on this list, Ransom32, REvil, and DarkSide among them, were run as ransomware-as-a-service. <\/p>\n\n\n\n

In the RaaS model, one group develops and maintains the malware, the payment portal, and the negotiation infrastructure, while affiliates carry out the actual intrusions. Affiliates pay a subscription or one-time fee or, more commonly, hand over a share of each ransom, typically 20\u201330%, to the developers.<\/p>\n\n\n\n

This makes ransomware accessible to cybercriminals who don\u2019t have the knowledge required to create malicious code themselves. RaaS is likely one of the reasons behind the increased number of ransomware attacks in 2021 and 2022.<\/p>\n\n\n\n

Ransomware Protection<\/h2>\n\n\n\n

Cybercriminals use various methods to infect a victim\u2019s systems. These include:<\/p>\n\n\n\n