November 06, 2020

Common Types of Ransomware

By Courtney Heinbach

As new ransomware variants arise regularly, it can be challenging to keep track of the different strains. While each of these malware strains is different, they often rely on similar tactics to take advantage of users and hold encrypted data hostage.

Top 10 most well-known ransomware strains

  • Bad Rabbit
  • CryptoLocker
  • GoldenEye
  • Jigsaw
  • Locky
  • Maze
  • NotPetya
  • Petya
  • Ryuk
  • WannaCry

Types of ransomware

Although there are countless strains of ransomware, they mainly fall into two types: crypto-ransomware and locker ransomware.

What is Crypto ransomware?

Crypto ransomware encrypts valuable files on a computer so that they become unusable. Cybercriminals that leverage crypto-ransomware attacks generate income by holding the files hostage and demanding that victims pay a ransom to recover them.

What is Locker ransomware?

Unlike crypto-ransomware, locker ransomware does not encrypt files. Instead, it goes one step further and locks the victim out of their device. In these types of attacks, cybercriminals will demand a ransom to unlock the device.

In both types of attack, users can be left without any other option to get back to normal. That’s why it’s vital to take steps to prepare your systems to be able to recover without falling victim to cyber attackers.

How to protect yourself from ransomware attacks

Ransomware is one of the significant issues that MSPs face today. Some strains, like WannaCry, exploit unpatched or out-of-date machines, while others rely on human interaction to trigger them. It’s essential to ensure that you apply security best practices to minimise your risk of falling victim to ransomware. By leveraging the power of Datto, MSPs are able to protect and recover machines if they do get hit by a ransomware attack.



Overview of the Common Ransomware Strains

Bad Rabbit

A strain of ransomware that has infected organisations in Russia and Eastern Europe. Bad Rabbit spreads through a fake Adobe Flash update on compromised websites. When the ransomware infects a machine, users are directed to a payment page demanding .05 bitcoin. 


Cerber

Cerber targets cloud-based Microsoft 365 users and has impacted millions of users using an elaborate phishing campaign. This type of malware emphasises the growing need for SaaS backup in addition to on-premises backup.


CryptoLocker

Ransomware has been around in some form or another for the past two decades, but it really came to prominence in 2013 with CryptoLocker. The original CryptoLocker botnet was shut down in May 2014, but not before the hackers behind it extorted nearly $3 million from victims. Since then, hackers have widely copied the CryptoLocker approach, although the variants in operation today are not directly linked to the original. The word CryptoLocker, much like Xerox and Kleenex in their respective worlds, has become almost synonymous with ransomware.


CryptoWall

CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early 2014, and variants have appeared with a variety of names, including CryptoBit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. Like CryptoLocker, CryptoWall is distributed via spam or exploit kits.


Crysis

Crysis ransomware encrypts files on fixed, removable, and network drives with a strong encryption algorithm, making it difficult to crack in a reasonable amount of time. It’s typically spread via emails containing attachments with a double file extension, which makes the file appear to be non-executable. In addition to emails, it can also be disguised as a legitimate installer for applications.
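The double file extension described above can be checked for at a mail gateway or in attachment triage. The following is an added example, not code from the original article or from Datto; the extension lists and the function names are assumptions chosen for illustration.

```python
# Added example: flag attachment names whose real (last) extension is
# executable while an earlier extension imitates a document or image.
# Both sets below are illustrative assumptions, not a complete policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd",
                   "js", "vbs", "wsf", "lnk", "msi"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt",
              "jpg", "png", "zip"}


def split_extensions(filename):
    """Return every dot-separated extension of the basename, lowercased."""
    # Keep only the basename, whichever path separator was used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces when opening a file.
    name = name.rstrip(". ")
    # Tolerate stray whitespace around each part.
    parts = [p.strip().lower() for p in name.split(".")]
    return parts[1:] if len(parts) > 1 else []


def is_double_extension_lure(filename):
    """True if the name ends in an executable extension after a decoy one."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTS and any(e in DECOY_EXTS for e in exts[:-1])


def flag_attachments(filenames):
    """Return the subset of attachment names that should be quarantined."""
    return [f for f in filenames if is_double_extension_lure(f)]


# Constructed sample attachment names (not taken from a real campaign).
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",
    "Scan_2020.DOCX.Scr ",
    "C:\\Users\\a\\notes.txt.vbs",
    "report.final.pdf",   # two extensions, but not executable
    "setup.exe",          # executable, but no decoy extension
    "v1.2.exe",           # version number, not a decoy extension
    "archive.tar.gz",
]
```

Requiring a decoy extension before the executable one keeps versioned installer names such as `v1.2.exe` from being flagged.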


CTB-Locker

The criminals behind CTB-Locker take a different approach to malware distribution. Taking a page from the playbooks of Girl Scout Cookies and Mary Kay Cosmetics, these hackers outsource the infection process to partners in exchange for a cut of the profits. This is a proven strategy for achieving large volumes of malware infections at a faster rate.


GoldenEye

GoldenEye is similar to the prolific Petya ransomware. Hackers spread GoldenEye ransomware through a massive campaign targeting human resources departments. After the file is downloaded, a macro is launched which encrypts files on the computer. For each file it encrypts, GoldenEye adds a random 8-character extension at the end. The ransomware then also modifies the user’s hard drive MBR (Master Boot Record) with a custom boot loader.
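The appended 8-character extension gives defenders a file-activity signal to watch for. The following is an added example, not code from the original article or from Datto: it scans constructed file-rename events for a burst of such renames on one host. The event format, the alphanumeric character set, the 60-second window and the threshold of 5 are all assumptions.

```python
import re
from collections import defaultdict

# Assumption: the random 8-character extension is alphanumeric.
APPENDED_EXT = re.compile(r"\.([A-Za-z0-9]{8})")


def appended_random_ext(old_path, new_path):
    """Return the extension if new_path is old_path + '.XXXXXXXX', else None."""
    if not new_path.startswith(old_path):
        return None
    match = APPENDED_EXT.fullmatch(new_path[len(old_path):])
    return match.group(1) if match else None


def find_rename_bursts(events, window=60, threshold=5):
    """Map host -> largest count of matching renames inside any window.

    events: iterable of (unix_seconds, host, old_path, new_path) tuples.
    Only hosts that reach the threshold are returned.
    """
    hits = defaultdict(list)
    for ts, host, old, new in sorted(events):
        if appended_random_ext(old, new):
            hits[host].append(ts)
    flagged = {}
    for host, times in hits.items():
        start = best = 0
        for end in range(len(times)):
            # Shrink the window until it spans at most `window` seconds.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


# Constructed sample events (hosts, paths and extensions are made up).
SAMPLE_EVENTS = [
    (1000, "hr-ws-01", "/docs/cv.docx", "/docs/cv.docx.a8Kd03Lq"),
    (1002, "hr-ws-01", "/docs/offer.pdf", "/docs/offer.pdf.Zx91mQp0"),
    (1003, "hr-ws-01", "/docs/pay.xlsx", "/docs/pay.xlsx.pL0o9Ki8"),
    (1005, "hr-ws-01", "/docs/id.jpg", "/docs/id.jpg.mN7bV6cX"),
    (1009, "hr-ws-01", "/docs/memo.txt", "/docs/memo.txt.t5Gh2Jk1"),
    (1005, "dev-ws-07", "/src/main.c", "/src/main.c.orig"),
    (1010, "dev-ws-07", "/tmp/a.log", "/tmp/a.log.20201106"),  # log rotation
    (5000, "fin-ws-02", "/x/q.xlsx", "/x/q.xlsx.Qw3rTy7u"),
]
```

A single match, such as the date-stamped log rotation in the sample, stays below the threshold; only the burst on one host is reported.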


Jigsaw

Jigsaw encrypts and progressively deletes files until a ransom is paid. The ransomware deletes a single file after the first hour, then deletes more and more per hour until the 72-hour mark, when all remaining files are deleted.


KeRanger

According to ArsTechnica, KeRanger ransomware was discovered on a popular BitTorrent client. KeRanger isn’t widely distributed, but it’s known as the first fully functioning ransomware designed to lock Mac OS X applications.


LeChiffre

“Le Chiffre”, which comes from the French noun “chiffrement” meaning “encryption”, is the main villain from James Bond’s Casino Royale novel who kidnaps Bond’s love interest to lure him into a trap and steal his money. Unlike other variants, LeChiffre must be run manually by hackers on the compromised system. Cybercriminals automatically scan networks in search of poorly secured remote desktops, logging into them remotely and manually running an instance of the virus.
