Ransomware Variants

Destructive ransomware variants like Samas and Locky compromised the systems of people and organizations, including healthcare facilities and hospitals, in early 2016. When threat actors infect a system with ransomware, its users cannot access it until a ransom payment is made. The ransom is paid in digital money, like Bitcoin. The ransom demand varies widely but is mostly between $200 and $400.

The US Department of Homeland Security (DHS), in partnership with the Canadian Cyber Incident Response Center (CCIRC), published an advisory to share additional details about ransomware. It includes potential ransomware variants, key traits, frequency, etc. It also provides prevention guidelines for victims to protect themselves against ransomware.

What Is Ransomware?

Ransomware is a type of malware. A ransomware attack is a cyber attack that encrypts the files and data of a victim and blocks access until a ransom is paid. Threat actors utilize malicious software to hack an organization’s sensitive data and related resources for monetization. Ransomware either encrypts files on infected computer systems or networks or prevents the victim organization from accessing its systems. Cyber-criminals then put forward ransom demands for the release of victims’ data. Using security software and keeping a vigilant eye out for ransomware attacks is advised. Following a ransomware infection, targets have three choices:

  • Pay the ransom.
  • Reboot the operating system.
  • Attempt to delete the malicious software.

Extortionists usually employ various threat vectors to enter the victim’s environment:

  • Malicious software.
  • The Remote Desktop Protocol.
  • Social engineering strategies like phishing emails.

Hence, ransomware attacks exploit both businesses and people. Additionally, threat actors occasionally need help to maintain their part of the agreement.

How Ransomware Spreads

Drive-by downloads and phishing emails with infected attachments are common ways for ransomware to spread. A drive-by download happens when a user inadvertently accesses a malicious or compromised website, at which point malware is deployed on their computer without their knowledge.

Similar techniques are used to propagate Crypto ransomware, a virus type that encrypts files. It spreads via social media platforms, including Web-based instant-messaging tools. The latest ransomware techniques include using unsecured web servers as access points to enter a company’s network drives.

Types Of Ransomware

There are various types of ransomware. Previously, the two most common ransomware variants were Locker and Crypto. Recently, new variants like Ransomware as a Service (RaaS) and Double Extortion have gained popularity among cybercriminals.

Locker Ransomware

Locker ransomware locks you out of the system, making your files and applications unavailable. The ransom demand is shown on a lock screen, potentially with a countdown timer to create a sense of panic and encourage victims to respond.

Crypto Ransomware

Crypto ransomware, often known as encryptors, is among the most harmful. With this kind of ransomware, files and data inside infected systems are encrypted and inaccessible. A decryption key from the hacker is required to regain access.

Ransomware As A Service (RaaS)

Ransomware as a Service, or RaaS, is a term used to describe secretly deployed malware. A professional cyber-criminal manages all facets of the assault, from disseminating ransomware to obtaining payments and regaining access in exchange for a percentage of the proceeds.

Double Extortion Ransomware

Double extortion ransomware is a variant that both exports data and encrypts files. If the hackers’ conditions are not fulfilled, they threaten to disclose the hacked information. It implies that the hacker controls the victim’s files or the victim’s computer even after backup data recovery. However, ransom payment does not ensure data protection since hackers can still access the stolen files.

Other variants include:

Leakware Or Doxware

Doxware or Leakware threatens to publish private information about individuals or businesses online. Many victims panic and pay the ransom demanded to protect the information from becoming publicly available or ending up in the wrong hands. Police-themed ransomware is one variant. It poses as federal authorities and informs users that it has discovered illicit internet conduct and that prison sentences can be averted by paying a penalty.


Scareware

Scareware is hoax spyware that urges you to spend money to fix problems it pretends it has discovered on a system, such as viruses or threats. Some scareware variants merely saturate the screen with pop-up notifications without causing any file damage, while others lock out the computer.

Ransomware Strains

Ransomware is not uncommon, and several types of ransomware strains have existed over the past 30 years or more. Ransomware poses a serious risk for people, businesses, organizations, and governments. Here are some of the most egregious occurrences of ransomware strains.

AIDS Trojan

A Harvard biologist named Joseph Popp developed the first known ransomware. Popp sent 20,000 floppy discs of the AIDS Trojan, or the PC Cyborg virus, to scientists worldwide. Recipients assumed they included Popp’s AIDS research. Patient data files were encrypted via basic symmetric encryption upon access to the discs. For access recovery, victims were instructed to deposit $189 to a Panama P.O. box. Popp, whose intentions are still unknown, is considered the inventor of ransomware.


Archievus

This ransomware strain was the first to employ a Rivest-Shamir-Adleman (RSA) 1024-bit encryption key, which was challenging to decipher. It spread through spam emails and malicious URLs to target Windows systems. Malicious Microsoft Office Documents on the computer system were its target. After encrypting the files, the hackers pointed victims to an internet store, where they had to buy a password to unlock files. Archievus was immediately discarded after the realization that the threat actors always used identical passwords to encrypt files.


Reveton

Drive-by-download attacks spread the financial ransomware known as Reveton. When a victim’s computer is compromised, an alert pops up claiming to be from the police force. It alleges the victim is a criminal (for example, for downloading illegal content) and threatens to arrest them for not paying the penalty. Later versions targeted Mac and mobile devices, demanded bitcoin payments, disseminated malware to steal passwords, and utilized targets’ cameras.


CryptoLocker

One of the advanced ransomware examples is CryptoLocker. It employed a 2,048-bit RSA encryption key to lock victims out of their systems, cloud services, and linked network drives. Disabling the lock was useless as the system was encrypted and inaccessible, which raised the likelihood of payments. CryptoLocker ransomware proliferated through compromised websites and malicious attachments in unsolicited UPS and FedEx tracking alerts. Cyber-criminals demanded $300 for unlocking systems and managed to secure $27 million in the initial two months.


CryptoWall

The Dell Secureworks Counter Threat Unit referred to CryptoWall (a clone of CryptoLocker ransomware) as the greatest and most highly damaging attack. Nevertheless, it attained a different level of notoriety than its forerunner. CryptoWall proliferated through malware adverts on trustworthy websites, exploit kits, and phishing emails. The malware compromised 635,000 systems in its first six months, collecting more than $1.1 million in ransom money. Moreover, targets might have averted the attack several times via software updates and server backup.


Locky

With the Necurs network, the Locky ransomware sent spam mail with Excel or Word attachments incorporating malicious macros. It locks various file types with AES encryption once the victims enable macros.


It can replace the master boot record (MBR) and encode the master file table (MFT), which records all device files’ metadata and locations.


Cerber

It uses an elaborate phishing campaign to attack Microsoft 365 cloud members, impacting millions. Cerber highlights the increasing necessity for SaaS backup in conjunction with on-premises backup.


Jigsaw

Targets of the Jigsaw malware are shown Billy from the Saw film and a countdown clock after their PCs are compromised by fraudulent emails. It encrypts files and then gradually erases them (one per hour until 72 hours; after that, it deletes all the remaining files) until victims pay the ransom. It publicly offered a decryption tool.


This Petya subtype is also referred to as WannaCry’s variant. It propagates through an elaborate phishing campaign on human resources departments, Master File Table (MFT), Master Boot Record (MBR), EternalBlue, and encoded files. Targeted endpoints experienced crashes, restarts, and ransom pop-up screens. The following month, a decryptor became accessible.

Bad Rabbit

This NotPetya variant employs fake Adobe Flash update ads to exploit victims. Bad Rabbit involves Master Boot Record (MBR) encryption and EternalBlue exploitation. The majority of drive-by attacks need a person to access a compromised page. The infection is brought on by launching an installer containing hidden malware, referred to as a malware dropper. A notification requesting 0.05 bitcoin is displayed upon device infection. Payment is required within 40 hours; otherwise, the ransom will rise.


GandCrab

It was the first RaaS variation that received Dash cryptocurrency payments. It used the top-level domain .bit for privacy, which is not authorized by ICANN. GandCrab proliferates through exploit kits, malware campaigns, emails, etc. It controlled over 50% of the malware business. The GandCrab extortion group dissolved in 2019, offering a decryption key.


It is sometimes associated with GandCrab and referred to as Sodin and Sodinokibi. Before GandCrab’s departure, both strains were simultaneously employed in attacks on targets’ computers, and they share striking similarities. Initial assaults can gain access through Windows zero-day and Oracle WebLogic vulnerabilities. However, successive attacks can gain access via phishing, VPN, supply chain assaults, and Remote Desktop Protocol vulnerabilities. It employs double extortion and has a Happy Blog on the dark web. It carried out noteworthy assaults on Kaseya, Acer, USA, and JBS. In July 2021, the extortion gang went silent but reappeared in September 2021, providing those victimized before July 2021 with a universal decryptor.


Maze

This earliest instance of double extortion, a ChaCha variant, is transmitted through an exploit kit, unsolicited email, and an RDP attack. Maze declared a cartel of cybercrime gangs launched in June 2019. It was terminated in November 2020.


Angler

This exploit kit lets cybercriminals communicate with a PC for data access. Angler assaults are prolonged. Users watch the access channel while threat actors on the opposite side wait to attack at the right time.

There are numerous ransomware variants, the most notable being:

  • Curve-Tor-Bitcoin Locker
  • SimpleLocker
  • TeslaCrypt
  • LockerPin
  • Chimera
  • Crysis
  • Linux.Encoder.1
  • Ransom32
  • KeRanger
  • SamSam
  • LeChiffre
  • Zcryptor
  • Mamba
  • Spider
  • Spora
  • Jaff
  • WannaCrypt
  • TorrentLocker
  • NotPetya
  • Ryuk
  • RobbinHood
  • Tycoon
  • DarkSide
  • Egregor, etc.

Defending Against Ransomware Attacks

Ransomware is the major problem MSPs currently encounter. Ransomware strains are triggered by human interaction. Also, a ransomware strain like WannaCry can take advantage of outdated or unencrypted computers. Applying good cybersecurity practices is crucial to reduce the likelihood of falling victim to ransomware. MSPs can secure and restore systems to combat ransomware by employing the strength of Datto.

Recommendations To Combat Ransomware

The following recommendations can help individuals and organizations to mitigate and fight ransomware effectively:

  • Protect Endpoints.
  • Use proper IT security.
  • Establish an Identity and Access Management (IAM) strategy.
  • Boost Internet-facing application resilience.
  • Offline Backups for Ransomware-Proof Data.
  • Improve and deploy email security for email messages.
  • Limit Access to Infrastructure for Virtualization Management.
  • Understand When to Request Assistance.
  • Create an IRP (Incident Response Plan) and pressure test it.


A ransomware attack can take on a variety of forms and dimensions. The method of attack has a significant impact on the ransomware types that are employed. Always assess the vulnerabilities and security holes or files that could be publicly exposed or erased when estimating the scale and scope of the ransomware attack.

It is critical to take the right precautions to protect critical files and avoid becoming a victim of a ransomware infection. Irrespective of the ransomware type, properly employing data backup and security software beforehand can dramatically minimize the attack’s severity.

Employ the 3-2-1 rule for files and data backups. Recovering from backups can help you defeat numerous ransomware attacks. Practice caution while using the internet and beware of the common ransomware infection sources like malicious emails, ambiguous email attachments, spam emails, etc. Endpoint security and sophisticated malware protection software can aid in safeguarding devices. Never assume that your computer systems and files are already safe and protected.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.