Threat Intelligence 101

7 Popular Types of Ransomware

Posted: 9th July 2024
By: Esteban Borges

Ransomware is a type of malware that locks you out of your files or system until you pay a ransom. In 2024, this threat is still very real. Believe it or not, 59% of organizations reported getting hit by ransomware last year, and the average cost to recover shot up to a whopping $2.73 million, which, according to the World Economic Forum, is a 50% jump from the year before​.

To make matters worse, these attacks are getting smarter and sneakier, focusing more on stealing data and using tricky encryption methods that make them harder to detect and fix​.

Understanding the various types of ransomware—like crypto ransomware, locker ransomware, scareware, doxware, ransomware-as-a-service, and wiper malware—is crucial to protecting yourself. This article will break down these different types and give you tips on how to defend against them.

Quick Facts

  • Ransomware is a malicious software that encrypts a victim’s files or locks them out of their device until a ransom is paid, often through phishing emails and exploiting software vulnerabilities.
  • Ransom payment is demanded by attackers in ransomware attacks, where victims must pay in cryptocurrency, such as Bitcoins, to regain access to their encrypted data or system. The amount varies based on the specific attack.
  • There are 7 types of ransomware: Crypto Ransomware, Locker Ransomware, Scareware, Doxware, Ransomware-as-a-Service (RaaS), Wiper Malware and Unknown Malware, each with different attack methods and impact.
  • Protecting yourself from ransomware means regular backups, up to date software, network segmentation, early adoption of ransomware mitigation solutions and a clear response plan without paying the ransom.

About Ransomware

Ransomware is a type of malware that infects a victim’s computer or network and leads to a ransomware attack. It:

  • Encrypts files or locks system access until a ransom is paid
  • Can lock and encrypt computers or data, and in some cases wipe the computer clean. The process of encrypting files is a crucial part of the ransomware's strategy to hold the victim's data hostage.
  • The ultimate goal of ransomware attackers is to extort money from their victims by promising to restore access after payment.

Ransomware spreads through social engineering where users are tricked into downloading infected files or clicking on malicious links. It can also exploit software vulnerabilities to infect systems and encrypt files for ransom. Common ways of infection are through email phishing, exploiting vulnerabilities, human error or lack of security updates. Once the malware is installed, it will go through several stages: infection, data encryption and ransom demand.

It is crucial to keep the operating system and security software up to date to patch system vulnerabilities and strengthen the device’s defenses against hackers.


Diagram illustrating the number of ransomware groups linked to exploiting vulnerabilities 2017-2023, with "one group" indicating a single reported group (Source: Insikt Group).

7 Types of Ransomware

With 7 types of ransomware, each with different characteristics and attack methods, you need to know the differences to defend yourself. These are:

  • Crypto Ransomware, which encrypts files
  • Locker Ransomware, which locks you out of your device
  • Scareware, which uses scary messages to trick you
  • Doxware, which threatens to leak your private data

And Ransomware-as-a-Service (RaaS) provides ransomware tools to affiliates so cybercriminals don’t need technical skills to launch ransomware attacks. Knowing these variants is key to ransomware protection.

Crypto Ransomware

Crypto ransomware is one of the most common and destructive types of ransomware. It targets individuals and organizations by encrypting important files and data, making them inaccessible without a decryption key. The process of encrypting files is a crucial part of the ransomware's strategy to hold the victim's data hostage. Sensitive data, which is confidential and critical to an individual or organization, is often targeted, highlighting the importance of protecting it from such attacks. This type of malware locks a computer until a ransom is paid, often in cryptocurrency.

Victims’ files are inaccessible due to encryption, crippling the function and availability of important data. Attackers demand a ransom for the decryption key, using the victims’ need to get access to critical files. But there’s no guarantee that paying the ransom will get you the correct decryption key or prevent future re-infection. The US government advises not to pay the ransom and explore recovery options with law enforcement or the FBI.

Examples of crypto ransomware are Maze which targets companies and organizations worldwide and Ryuk which targets enterprises and can encrypt and delete original files.

Given the destruction caused by Crypto ransomware attacks, knowing the protective and response measures is key.

Locker Ransomware

Locker ransomware, unlike its crypto counterpart, does not encrypt files but locks the entire computer system, making it unusable until a ransom is paid. This type of ransomware kicks the owner out of their device completely, often displaying a ransom note demanding payment to restore access.

One example of locker ransomware is LockerGoga which was first detected after an attack on Norsk Hydro, a Norwegian renewable energy company in 2019. The method is to use phishing emails to infect personal and corporate devices. After infecting the devices, the attackers demand a ransom to profit from the situation.

LockerPin is the first PIN-locking mobile ransomware and targets Android OS devices. These attacks show the different ways ransomware attackers can get in and lock you out of your device.

Even though data is not encrypted, locker ransomware can be very disruptive as you can’t access your device or any data stored on it, including encrypted data. So knowing how to defend against ransomware using strong security and regular updates is key to keeping access to your systems and data.


Scareware is a type of ransomware that tricks users into downloading malware by displaying scary messages that look legitimate. These messages often mimic warnings from antivirus software companies, telling you to act fast without giving you time to think or analyze the situation.

The goal of scareware is to scare users by telling them their computer is infected with malware and trick them into paying a fee or buying fake antivirus software. Scareware can be spread through spam emails asking you to download fake antivirus software or share access information for technical support. Examples of scareware are SpySheriff, XPAntivirus, ErrorSafe and Mac Defender.

When you encounter a scareware pop-up, close it by clicking the ‘X’ and then clear your browser history and restart your computer to secure yourself.

Doxware (Extortionware)

Doxware also called extortionware is a type of ransomware that not only locks the victim’s device but also threatens to expose private information unless a ransom is paid. This can be devastating for the victim. This malware targets both personal and proprietary data so the stakes are high for the victim.

Doxware can be disastrous for both individuals and organizations. Here are the potential impacts:

  • For individuals, doxware can expose personal photos, emails and financial information, embarrassing and potentially lead to identity theft.
  • For organizations, doxware can expose customer records, confidential files or intellectual property, leading to serious financial and legal consequences.
  • REvil ransomware threatened to leak victim data to underground forums if the ransom was not paid.

When you encounter doxware, stay calm and report the incident to the authorities.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) is a subscription-based model where ransomware tools are sold or rented to affiliates, so cybercriminals without coding skills can launch ransomware attacks. This model makes ransomware more accessible to unskilled criminals.

One of the most notable RAAS-based incidents that showcases the destructive nature of such threats is the Colonial Pipeline attack. According to Allan Liska, Recorded Future’s ransomware expert:

"For many people, the Colonial Pipeline ransomware attack was a wake-up call about the dangers of ransomware. However, ransomware itself has been around, disrupting—if not completely devastating—people’s lives since 1989.”

RaaS models can be affiliate programs, subscription-based access, lifetime licenses or partnerships with payments made via cryptocurrencies. Affiliates get 70-80% of the ransom profits. Notable RaaS groups are LockBit, BlackCat, Hive and Dharma. These groups provide infrastructure for negotiations and platforms to publish stolen data making it hard to trace and shut down their operations.

Ransomware Tracker: Most Prolific Groups 2024


In May 2024, LockBit was responsible for over one-third of ransomware attacks, highlighting its significant impact within the RaaS ecosystem, according to TheRecord's Ransomware Tracker.

Wiper Malware

Wiper malware is a type of malware that threatens to delete any files it infects, and aims to cause disruption rather than financial gain. Unlike other types of ransomware that aim for financial gain, wiper malware aims to delete data on infected systems.

NotPetya was considered wiperware and mainly affected Ukraine and crippled personal and corporate systems worldwide by focusing on deleting files rather than collecting money. Wiper malware can make systems unbootable by overwriting critical system files. These attacks are often used in cyber attacks to cause disruption or make political statements.

Notable Ransomware Strains

Several ransomware strains have made the headlines over the years, each with its own characteristics and attack vectors. Various ransomware types, such as Crypto, Locker, CryptoLocker, WannaCry, and new emerging variants, employ different approaches like locking, encrypting, and wiping computer systems, and extorting payment from the owners to restore access. Knowing these strains and ransomware variants is key to recognizing and responding to ransomware threats.


CryptoLocker ransomware:

  • First seen in September 2013, CryptoLocker is known for encrypting files using RSA public-key cryptography
  • Mainly spread via Gameover Zeus botnet and email attachments
  • Targets Microsoft Windows systems
  • Uses RSA public-key cryptography to encrypt files

During 2013 and 2014, CryptoLocker’s extortion efforts made an estimated $3 million in just 9 months.


In 2017 WannaCry ransomware strain became famous for exploiting a Windows vulnerability, causing mass panic. WannaCry spread via the Microsoft exploit EternalBlue, a vulnerability in the SMB protocol and caused around $4 billion in damages worldwide.


Petya is a crypto-ransomware virus known for encrypting files on Windows servers, laptops, and PCs. NotPetya is a variant of Petya that emerged in 2016 and has improved encryption keys and reboot style, and can spread independently.


Cerber ransomware emerged in 2016 and made around $2 million in its first year, using advanced evasion techniques to bypass security measures. It spreads primarily through malicious email attachments and exploit kits.

Bad Rabbit

Bad Rabbit ransomware emerged in 2017 and targeted victims through fake Adobe Flash installer ads. Mainly affected Russia, Ukraine and Eastern Europe.


What is the goal of ransomware?

The goal of ransomware is to extort money from victims by encrypting their files or blocking their systems and demanding a ransom to restore.

How does ransomware spread?

Ransomware spreads through social engineering like phishing emails, exploiting software vulnerabilities, human error or lack of security updates. Be careful and keep your software up-to-date to not get infected by ransomware.

Do I pay the ransom if infected?

No, never make a ransom payment as there is no guarantee of getting the correct decryption key, and it may encourage more attacks. Additionally, paying the ransom can lead to further risks, such as the attackers demanding additional ransom payments or targeting you again in the future.

What are some of the notable ransomware strains?

Some of the notable ransomware strains are CryptoLocker, WannaCry, Petya/NotPetya, Cerber and Bad Rabbit. Each has its own characteristics and attack methods.

What to do if my device is infected with ransomware?

If your device is infected with ransomware: disconnect from the internet, remove external storage devices, disable running tasks, take a screenshot of the ransomware message, report the incident to authorities, reset passwords and as a last resort, wipe the hard drive and reinstall the OS.

Level-up your Ransomware Mitigation Strategy

Ransomware is still a big threat in this digital age and there are many types and variants out there. Knowing the types of ransomware and being proactive in protection and detection is key to securing your data and systems. Whether it’s through backups, up-to-date security software or network segmentation, being prepared is key.

Don’t let your organization become another statistic. Secure your data, protect your assets, and maintain your operations with confidence. Book a demo today and discover how Recorded Future’s Ransomware Mitigation solutions can fortify your defenses and keep you one step ahead of cyber threats.

Esteban Borges
Esteban Borges

Esteban is a seasoned security researcher and IT professional with over 20 years of experience, specializing in hardening systems and networks, leading blue team operations, and conducting thorough attack surface analysis to bolster cybersecurity defenses. He's also a skilled marketing expert, specializing in content strategy, technical SEO, and conversion rate optimization. His career includes roles as Security Researcher and Head of Marketing at SecurityTrails, before joining the team at Recorded Future.