Types of ransomware to recognize + ransomware protection tips


Consider this your ultimate guide to the different types of ransomware, including an overview of how ransomware works and spreads.

Today’s cyberthieves are adaptable — they are exceptional at finding new ways to survive and evolve over time. One of the tactics they use to do this is creating new types of ransomware to attack our devices.  

The continued emergence of new ransomware variants has made it more important than ever to understand the dangers of these programs. Here, you can do just that by reading about the top ransomware strains used by hackers, different types of ransomware seen on the internet, and getting answers to frequently asked questions, such as: 

  • What is ransomware?
  • How does ransomware work?
  • How does ransomware spread?
  • What types of ransomware are out there?

What is ransomware + how does it work?

Five illustrations depict the methods hackers use to spread different types of ransomware on the internet.

Ransomware, put simply, is a form of malware that can lock and encrypt a victim’s computer or data. The cybercriminal then uses this leverage to demand a ransom, meaning payment, to restore access. 

How does ransomware work? Malicious software gains access to your system to lock and encrypt your most sensitive data to use against you. Usually seeking some form of compensation, the cybercriminal will grant access back if the victim meets their demands. However, these are thieves we’re talking about, so there’s no guarantee these cybercriminals won't make more demands once their target satisfies their initial request.

Cybercriminals use a number of techniques to get different types of ransomware strains installed onto their victims’ devices. These include techniques such as manipulating remote desktop protocol (RDP), malicious URLs, malvertisingdrive-by downloads, and infected email attachments.

5 most common types of ransomware

An illustration is accompanied by a list of the five types of ransomware attacks carried out by today’s cybercriminals.

Cybercriminals have been dedicated to crafting such an incredibly extensive pool of ransomware strains that we can now classify them into their own specific types. Here are some of the most popular types of ransomware seen on the internet today. 

1. Crypto ransomware 

The goal of crypto ransomware is to hack and encrypt the sensitive files located on the victim’s computer, such as documents, pictures, or videos. While cybercriminals withhold access to these files, they don’t go as far as interfering with basic computer functions like other types of ransomware. Hackers want to create a sense of panic within the user by allowing them to see their files without the ability to open their information.

2. Locker ransomware 

Locker ransomware is unique in that it solely aims to lock victims out of their computers. Hackers do this by disabling all basic computer functions with an exception for minor mouse and keyboard capabilities. Leaving the mouse and keyboard somewhat operable lets the user fulfill the demands of the cybercriminal to gain access back into their device.

A common trend with locker ransomware is that it generally doesn’t target specific files. So, the likelihood of data destruction is lower compared to other types of ransomware attacks. However, there are no guarantees when dealing with cybercriminal masterminds. 

3. Scareware 

Scareware is a malicious software created to make false claims about viruses infecting a user's computer or device. A payment is typically requested from the owner to solve the falsified issues. While some types of scareware can lock a user out of their device, others will only go as far as flooding the screen with countless pop-ups to overwhelm the user.

4. Ransomware as a Service (RaaS) 

Ransomware as a Service (RaaS) is a dark web business model created to help ransomware hackers streamline their attacks. Developers created this software to automatically carry out all aspects of a ransomware attack for the cyberthief, from sending out the ransomware to collecting payments and restoring user access.

5. Doxware or leakware 

Doxware, also known as leakware, threatens the distribution of sensitive data online, targeting people and businesses alike. Since hackers know people, and especially businesses, will do almost anything to prevent confidential and personal data from falling into the wrong hands, they often demand compensation to prevent its release.   

20 different strains of ransomware attacks 

Knowing the different types of ransomware out there is just the start of getting a full understanding of this kind of cyberattack. There are also ransomware strains — or individual ransomware attacks — that fall under each type. Here is a list of examples of ransomware that could pose a danger to you and your device.

Types of ransomware strains used today

1. Cerber

An illustration accompanies information regarding a Cerber ransomware attack that took place in 2016.

Cerber is an active RaaS virus that can mass-target victims to lock and encrypt their data. The hackers license the ransomware to carry out the time-consuming process of a ransomware hack. Hackers split the profits made with the ransomware developer to compensate them for the use of their program.

2. Bad Rabbit 

Appearing in 2017, Bad Rabbit ransomware has infected devices all around the world. Distributed via a fake Adobe Flash update on corrupt websites, this locker ransomware virus can compromise data in an instant. Once infected, the program directs users to a payment window demanding .05 bitcoin as ransom. This payment method allows the identity of the cybercriminal to remain anonymous. 

3. CryptoWall 

As a locker ransomware variant, emerging sometime after 2013, CryptoWall is a new and improved version of a previously released crypto ransomware. The software hides within .zip files and other email attachments to make its way on your devices. Once installed, it finds Java vulnerabilities to encrypt and withhold your data. And just like other types of ransomware, payment is required to restore access.

4. Crysis 

Spotted back in March of 2016, this incredibly volatile crypto ransomware finds its way onto your device by piggybacking on files shared via email or pretending to be an installer for a video game or other legitimate software. Just as crypto ransomware does, once installed, it looks for personal files to encrypt in order to demand a ransom payment. 

5. LockerGoga 

This locker ransomware virus was first detected after an attack on Norsk Hydro, a Norwegian renewable energy company in 2019, and infected thousands of computers internationally. It works just as other ransomware strains do, using phishing emails to corrupt personal and corporate devices and demanding a ransom to make a profit.

6. LeChiffre 

Created in 2016 and coming from the French noun “chiffrement” meaning encryption, LeChiffre is a type of crypto ransomware known for wreaking havoc across the world, from the U.S. all the way to India. Different from most types of ransomware, LeChiffre ransomware must be manually run on the targeted system. Ransomware hackers can do this by scanning a network for computers with security vulnerabilities and remotely logging in to run and install the malicious software. 

7. Petya 

First seen in an attack executed in June of 2017, Petya is a type of crypto ransomware virus targeting Windows servers, laptops, and PCs in particular. It takes advantage of a Server Message Block vulnerability and credential-stealing technique to spread the virus onto machines. With attacks crippling personal and corporate systems around the world, some could deem Petya to be the most widely feared ransomware out of all the variants.  

8. NotPetya

An illustration accompanies information regarding a NotPetya ransomware attack that occurred in 2017.

As you might have guessed, NotPetya is, well, not Petya ransomware. But it was derived from it. NotPetya is different because it uses improved encryption keys, reboot styles, and displays previously used on Petya. Devious hackers use this more advanced ransomware strain to bypass security measures created to protect against Petya cyberattacks.

9. KeRanger 

KeRanger is a crypto ransomware variant discovered in 2016 that specifically poses a threat to Mac OS users. Some KeRanger attacks use a remote desktop protocol software to infect several personal devices. The developer had access to a Mac Developer certificate, which allowed them to bypass Apple’s Gatekeeper protection, a security feature protecting Apple products from these kinds of cyberattacks.

10. Jigsaw 

Named after a horrifying character appearing in the popular horror film franchise Saw, Jigsaw is one of the first locker ransomware variants to carry out its threat of deleting files until the cybercriminal receives their payment. The software emerged in 2016 and begins by requiring a $150 payment within the first hour of infection or the destruction of one file ensues. If payment is not made before time runs out, the hacker resets the clock and threatens to delete an even greater number of files.  

11. GoldenEye 

Seen mostly in ransomware attacks carried out in Germany, GoldenEye is a locker ransomware variant first noticed in June of 2017 and spread via phishing emails like other known types of ransomware. In addition to encrypting files to hide data from the owner, it can also revoke essential computer functions to bring the user to a complete standstill.

12. CTB-Locker 

Infecting computers via malicious emails and downloads since mid-2014, CTB-Locker is a type of locker ransomware strain with the ability to encrypt several different kinds of files (.doc, .pdf, .jpg, etc.). These cybercriminals require payment in Bitcoins to decrypt the data they’re withholding, allowing the transaction to remain anonymous. 

13. Maze 

Maze is a complex crypto ransomware, targeting companies and organizations across the globe since May 2019. Previously identified as ChaCha ransomware, hackers demand a cryptocurrency payment in order for them to return stolen files. If a payment is not received, they will leak the confidential documents and files on the web for the public to see.

14. Locky 

Seen throughout North America, Europe, and Asia, Locky is a crypto ransomware that first emerged in 2016. One of the first major attacks reported was on a Los Angeles hospital, requiring them to hand over $17,000 to return highly confidential information. A string of additional heists ensued, targeting more healthcare institutions following that incident, but have ceased in recent years.

15. WannaCry

An illustration accompanies information regarding a WannaCry ransomware attack that took place in 2017.

WannaCry was first seen in a large-scale crypto ransomware attack that took place in May 2017 and compromised nearly a quarter-million machines internationally. Finding a security flaw within Windows operating systems, hackers used WannaCry ransomware to attack a Spanish mobile company called Telefonica. After successfully finding its way onto the company network, it locked data and demanded cryptocurrency as ransom.

16. ZCryptor  

ZCryptor is a hybrid ransomware strain first noticed in 2017. It’s understood to be a kind of ransomware and crypto worm combined. Crypto worms are able to infect different computer systems and spread to connected devices without needing to host malware in phishing emails or corrupt attachments. Similar to Crysis, ZCryptor pretends to be an installer of legitimate software to get onto your system and network.

17. TorrentLocker 

TorrentLocker is a type of locker ransomware attack gaining attention in recent years. It uses spam emails as its attack vector and has seen five major modifications since 2014. These modifications have allowed TorrentLocker to adapt to many of the decryption techniques victims use to get their information back on their own. This adaptiveness has caused people to know this virus as an incredibly difficult ransomware to beat without paying the ransom. 

18. TeslaCrypt 

Targeting video game users specifically, TeslaCrypt first attacked in 2015 and seeks to infect gaming files such as game saves, recorded plays, user profiles, etc. This crypto ransomware operates like most other types of ransomware strains, infecting devices then locking valued data. However, it only seeks out files less than 268 MB in size. Using stolen data, these cyberthieves could demand up to $500 or more to re-configure user access. 

19. Spider 

Spider ransomware was a strain first discovered by Netskope in 2017 and distributed by hackers using phishing campaigns. As a crypto ransomware, it gives victims a 96-hour window to submit a Bitcoin payment set by the attacker. An added layer of security equipped Spider with security measures that will destroy files if the victim tries to retrieve them on their own. Failure to pay could result in the destruction of your data or computer operating system.

20. Ryuk 

Ryuk is one of the most financially detrimental crypto ransomware strains. It first appeared in late 2018 and has demanded up to $100,000 in the past. Created by a group called CryptoTech, this variant is able to encrypt and delete original documents as well as stored shadow copies saved onto the computer system’s hard drive. 

10 ransomware protection tips  

Having a fear of your computer and devices falling victim to a ransomware attack is a legitimate concern. Here are some things you can do to protect yourself and your data:

1.    Back up your data regularly.

2.    Install reliable antivirus and ransomware protection software. 

3.   Only download from secure websites. 

4.    Keep your operating system and security software up to date

5.    Never click on suspicious email attachments or links. 

6.    Be cautious of pop-ups. 

7.    Never trust public Wi-Fi networks. 

8.    Use a VPN. 

9.    Never use data storage devices from unknown sources. 

10. Remember to monitor your network. 

As new types of ransomware arise almost every day, it’s important to know how to protect your data, privacy, and networks from these dangerous cyberattacks. Use what you’ve learned here to create a Cyber Safe environment for yourself and your loved ones. 

Cyber threats have evolved, and so have we.

Norton 360™ with LifeLock™, all-in-one, comprehensive protection against viruses, malware, identity theft, online tracking and much, much more.

Try Norton 360 with Lifelock.

Clare Stouffer
  • Clare Stouffer
  • Gen employee
Clare Stouffer, a Gen employee, is a writer and editor for the company’s blogs. She covers various topics in cybersecurity.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.