Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment. It is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker. In many cases, the ransom demand comes with a deadline. If the victim doesn’t pay in time, the data is gone forever.

Types of ransomware

Ransomware attacks can be deployed in different forms. Some variants may be more harmful than others, but they all have one thing in common: a ransom. Here are seven common types of ransomware.

  • Crypto malware: This form of ransomware can cause a lot of damage because it encrypts things like your files, folders, and hard-drives. One of the most familiar examples is the destructive 2017 WannaCry ransomware attack. It targeted thousands of computer systems around the world that were running Windows OS and spread itself within corporate networks globally. Victims were asked to pay a ransom in Bitcoin to retrieve their data.
  • Lockers: Locker-ransomware is known for infecting your operating system to completely lock you out of your computer or devices, making it impossible to access any of your files or applications. This type of ransomware is most often Android-based.
  • Scareware: Scareware is fake software that acts like an antivirus or a cleaning tool. Scareware often claims to have found issues on your computer, demanding money to resolve the problems. Some types of scareware lock your computer. Others flood your screen with annoying alerts and pop-up messages.
  • Doxware: Commonly referred to as leak warm or extortion ware, doxware threatens to publish your stolen information online if you don’t pay the ransom. As more people store sensitive files and personal photos on their computers, it’s understandable that some people panic and pay the ransom when their files have been hijacked.
  • RaaS: Otherwise known as “Ransomware as a service,” RaaS is a type of malware hosted anonymously by a hacker. These cybercriminals handle everything from distributing the ransomware and collecting payments to managing decryptors — software that restores data access — in exchange for their cut of the ransom.
  • Mac ransomware: Mac operating systems were infiltrated by their first ransomware in 2016. Known as KeRanger, this malicious software infected Apple user systems through an app called Transmission, which was able to encrypt its victims’ files after being launched.
  • Ransomware on mobile devices: Ransomware began infiltrating mobile devices on a larger scale in 2014. What happens? Mobile ransomware often is delivered via a malicious app, which leaves a message on your device that says it has been locked due to illegal activity.

How does ransomware work?

There are several vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam attachments that come to the victim in an email, masquerading as a file they should trust. Once they’re downloaded and opened, they can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.

History of ransomware

How did ransomware get started? While initially targeting individuals, later ransomware attacks have been tailored toward larger groups like businesses with the intent of yielding bigger payouts. Here are some notable dates on the ransomware timeline that show how it got its start, how it progressed, and where ransomware is now.

  • PC Cyborg: also known as the AIDS Trojan, in the late 1980s. This was the first ransomware, released by AIDS researcher Joseph Popp. Popp carried out his attack by distributing 20,000 floppy disks to other AIDS researchers. Little did the researchers know, these disks contained malware that would encrypt their C: directory files after 90 reboots and demand payment?
  • GpCode in 2004: This threat implemented a weak form of RSA encryption on victims’ files until they paid the ransom.
  • WinLock in 2007: Rather than encrypting files, this form of ransomware locked its victims out of their desktops and then displayed pornographic images on their screens. To remove the images, victims had to pay a ransom with a paid SMS.
  • Reveton in 2012: This so-called law enforcement ransomware locked its victims out of their desktops while showing what appeared to be a page from an enforcement agency such as the FBI. This fake page accused victims of committing crimes and told them to pay a fine with a prepaid card.
  • CryptoLocker in 2013: Ransomware tactics continued to progress, especially by 2013 with this military-grade encryption that used key storage on a remote server. These attacks infiltrated over 250,000 systems and reaped $3 million before being taken offline.
  • Locky is 2016: So-called Locky ransomware used social engineering to deliver itself via email. When it was first released, potential victims were enticed to click on an attached Microsoft Word document, thinking the attachment was an invoice that needed to be paid. But the attachment contained malicious macros. More recent Locky ransomware has evolved into the use of JavaScript files, which are smaller files that can more easily evade anti-malware products.
  • WannaCry in 2017: These more recent attacks are examples of encrypting ransomware, which was able to spread anonymously between computers and disrupt businesses worldwide.
  • Sodinokibi in 2019: The cybercriminals who created this ransomware used managed service providers (MSPs) like dental offices to infiltrate victims on a larger scale.

Ransomware remains a popular means of attack and continues to evolve as new ransomware families are discovered.

Who are the targets of ransomware attacks?

Ransomware can spread across the Internet without specific targets. But the nature of this file-encrypting malware means that cybercriminals also can choose their targets. This targeting ability enables cybercriminals to go after those who can — and are more likely to — pay larger ransoms.

Here are target groups and how they may be impacted?

  • Groups that are perceived as having smaller security teams. Universities fall into this category because they often have less security along with a high level of file-sharing.
  • Organizations that can and will pay quickly. Government agencies, banks, medical facilities, and similar groups constitute this group because they need immediate access to their files — and may be willing to pay quickly to get them.
  • Firms that hold sensitive data. Law firms and similar organizations may be targeted because cybercriminals bank on the legal controversies that could ensue if the data being held for ransom is leaked.
  • Businesses in the Western markets. Cybercriminals go for the bigger payouts, which means targeting corporate entities. Part of this involves focusing on the United Kingdom, the United States, and Canada due to greater wealth and personal-computer use.

Dos and Don’ts when it comes to ransomware.

  • Do not pay the ransom. It only encourages and funds these attackers. Even if the ransom is paid, there is no guarantee that you will be able to regain access to your files.
  • Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.
  • Do not provide personal information when answering an email, unsolicited phone call, text message or instant message. Phishers will try to trick employees into installing malware or gain intelligence for attacks by claiming to be from IT. Be sure to contact your IT department if you or your coworkers receive suspicious calls.
  • Use reputable antivirus software and a firewall. Maintaining a strong firewall and keeping your security software up to date is critical. It’s important to use antivirus software from a reputable company because of all the fake software out there.
  • Do employ content scanning and filtering on your mail servers. Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.
  • Do make sure that all systems and software are up-to-date with relevant patches. Exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.
  • If travelling, alert your IT department beforehand, especially if you’re going to be using public wireless Internet. Make sure you use a trustworthy Virtual Private Network (VPN) when accessing public Wi-Fi like Norton Secure VPN.


When it comes to malware attacks, knowledge is the best possible weapon to prevent them. Be careful what you click!! Preventive measures should be taken before ransomware establish stronghold. Keeping all the software updated and getting the latest security updates might help to prevent the attacks. Use of antivirus and original software is highly recommended. Creating a software restriction policy is the best tool to prevent a Cryptolocker infection in the first place in networks.