Common Types of Ransomware and Attacks Examples You Should Know

Table of Contents

Ransomware, a type of malware that plays the sinister role of a digital extortionist, comes in many forms, each more cunning than the last. It lurks in the shadowy recesses of the internet, a malevolent force with the power to cripple businesses, hold critical data hostage and exploit the vulnerabilities of both individuals and organisations.

With technological progress, the arsenal of ransomware variants evolved into a sophisticated adversary capable of launching attacks from unexpected vectors. The ongoing cat-and-mouse game between cybersecurity experts and these digital marauders has given birth to a covert realm where comprehending the intricacies of ransomware is not merely a precaution but a strategic necessity. Let’s delve into the realm of ransomware types and attack examples, gaining insights that position us ahead of potential consequences.

Different Types of Ransomware Attack

Crypto Ransomware

Crypto ransomware is one of the most notorious and common types of ransomware attacks. In this type, malicious software encrypts the victim’s files, rendering them inaccessible. The attackers then demand a ransom payment, usually in cryptocurrency, in exchange for the decryption key that restores access to the files.

Locker Ransomware

Locker ransomware takes a different approach by locking the victim out of their entire operating system or device rather than encrypting specific files. This type of attack prevents users from accessing their computer or mobile device until a ransom is paid. Essentially, it denies access to the system rather than encrypting individual files.


Scareware operates on psychological manipulation, leveraging misleading or deceptive pop-up messages, often masquerading as security alerts or warnings about non-existent issues on the victim’s device, such as being infected with malware. The goal is to instil fear and urgency, convincing the user to pay for fake security software or services to purportedly resolve the fabricated problems.

Doxware or Leakware

Doxware, also known as leakware, goes beyond encrypting files. Instead, it threatens to publish sensitive or private information unless the victim pays the ransom. The attackers leverage the fear of data exposure to coerce individuals or organisations into complying with their demands.

RaaS (Ransomware as a Service)

Ransomware as a Service is a criminal business model where individuals with limited technical skills can purchase or rent ransomware tools and infrastructure from more sophisticated cyber criminals. This approach lowers the entry barrier for aspiring attackers, enabling them to launch ransomware campaigns without extensive technical knowledge.

DDoS Ransomware

DDoS (Distributed Denial of Service) ransomware combines the disruptive power of DDoS attacks with ransom demands. In this type of attack, cybercriminals overwhelm a target’s network or online services with traffic, causing a temporary or prolonged disruption. The victim is then extorted for payment to cease the DDoS attack and restore normal functioning.


10 Examples of Ransomware Strain


WannaCry, a ransomware strain, gained global attention in May 2017 for impacting over 300,000 computers in 150 countries. Its primary targets were computers utilising Microsoft Windows operating systems, and it exploited the notorious EternalBlue vulnerability—a leaked hacking tool developed by the U.S. National Security Agency (NSA). What heightened concerns was WannaCry’s ability to horizontally propagate across networks, infecting other vulnerable systems within the same network.

  • Ransomware payload delivers a message notifying users of file encipher and demands payment in Bitcoin: $300 within three days or $600 within seven days (equivalent to about $360 and $720 in 2022).
  • The top four most affected countries are Russia, Ukraine, India, and Taiwan.
  • Estimated economic losses from the cyber attack: Up to US$4 billion, with some groups suggesting losses in the hundreds of millions.


Cryptolocker ransomware, introduced in 2013 and designed for Windows platforms, specifically targets Windows users by employing robust encryption methods to restrict access to files. Its propagation occurs through deceptive email attachments, cleverly disguised as legitimate files or documents. Upon unwittingly executing the infected attachment, the ransomware quietly encrypts various file types on the victim’s computer, encompassing documents, photos, videos, and critical data. It utilises strong encryption algorithms, making it extremely difficult to decrypt the files without the unique decryption key.

  • Operators of CryptoLocker reportedly extorted approximately $3 million from victims of the Trojan.


DarkSide is a ransomware-as-a-service (RaaS) group that gained significant attention in 2021 due to its involvement in high-profile attacks. It is a cybercriminal organisation that operates by developing and distributing the DarkSide ransomware to affiliates who carry out the attacks.

DarkSide follows a model known as “double extortion,” which involves encrypting the victim’s files and then threatening to publish or sell the stolen data if the ransom demands are not met. This approach puts additional pressure on the victim to pay a ransom to prevent the public exposure or misuse of sensitive information.

Supercharge your organisation’s defences and armour up against threats like DarkSide with us! 

Our solutions, including the power of dark web monitoring, fortify your digital stronghold. Contact us now! Safeguard your data, confidently navigate the landscape of ransomware risks, and eliminate the gamble of vulnerability.


Ryuk, identified as a highly sophisticated and targeted type of ransomware, emerged in August 2018 and gained notoriety for its devastating impact on organisations, particularly large enterprises and critical infrastructure systems. In contrast to certain other types of ransomware, Ryuk lacks a self-propagation mechanism; instead, it is manually deployed by attackers following extensive reconnaissance. The intruder ensures access to critical systems and data before initiating the Ryuk ransomware. Ryuk is believed to be utilised by two or more ransomware groups, likely of Russian origin, with a strategic focus on targeting organisations rather than individual consumers.

  • In 2020, Ryuk ransomware attacks affected schools from Havre, Montana, to Baltimore County, Maryland.
  • Perpetrators demanded varying extortion amounts, ranging from $100,000 to $377,000 or more in these incidents.


Emerging in 2016, Locky ransomware propagated through malicious email attachments, encrypting files and requiring Bitcoin payment for decryption keys. A distinctive feature of Locky lies in its utilization of robust encryption algorithms, posing challenges to file decryption without the specific key held by the attackers. Once the encryption is finalised, Locky presents a ransom note on the victim’s screen, demanding payment in Bitcoin or alternative cryptocurrencies in exchange for the decryption key.

  • Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom on February 18, 2016, to obtain the decryption key for patient data.
  • On June 22, 2016, a new version of Locky was released by Necurs, featuring a new loader component with detection-avoiding techniques, including identification of virtual machines and code relocation.

Bad Rabbit

Bad Rabbit is a strain of ransomware that emerged in October 2017, causing widespread disruption primarily in Eastern European countries. This ransomware spread through compromised websites, where users were prompted to download a fake Adobe Flash installer. Upon execution, Bad Rabbit ransomware encrypts files on the victim’s system and displays a ransom note demanding payment in Bitcoin for the release of the decryption key. Bad Rabbit employed disk-level encryption, encrypting the Master Boot Record (MBR) of the infected system. This prevented the system from booting up, making it unusable until the extortion was paid or the system was restored from backups.


Petya is a family of ransomware that first emerged in 2016. Notably, Petya goes beyond traditional ransomware by encrypting the entire hard drive’s master file table, preventing access to the entire file system. Often distributed through phishing attacks or malicious links, it infects the Master Boot Record (MBR) of the victim’s computer, making it impossible to boot the computer system. After infecting the MBR, Petya displays a ransom note demanding payment in Bitcoin for the decryption key.

  • A variant of Petya ransomware, known as NotPetya, gained significant attention in June 2017.
  • NotPetya targeted systems primarily in Ukraine but quickly spread globally.


Also Read: How Can You Avoid Downloading Malicious Codes?

Jigsaw ransomware

Jigsaw ransomware, named after the “Saw” character, emerged in 2016 with a unique and manipulative approach. Upon infecting a system, it encrypts files and displays a graphical interface featuring the Jigsaw character, a countdown timer, and threats. Failing to pay the ransom within an hour results in the deletion of one file, escalating exponentially hourly to thousands. If payment is not made within 72 hours, the computer faces complete data loss. Reboot or termination attempts trigger the immediate deletion of 1,000 files. An updated version also threatens doxing by revealing personal information online.

Sodinokibi (REvil)

Sodinokibi, also known as REvil, is an intricate ransomware-as-a-service (RaaS) operation that emerged in April 2019. REvil is considered one of the most prolific and financially motivated ransomware groups. REvil is also known as double extortion ransomware, where, in addition to enciphering files, the group exfiltrates sensitive data from the victim’s network before encrypting it. This data is then threatened to be leaked or sold on the dark web if the extortion is not paid, increasing the pressure on the victim to comply.

  • In May 2020, the Sodinokibi (REvil) group demanded $42 million from U.S. President Donald Trump, claiming to have decrypted the elliptic-curve cryptography used to protect the data.
  • In April 2021, REvil stole plans for upcoming Apple products, including laptops and an Apple Watch, from Quanta Computer. They threatened to publicly release the plans unless paid $50 million.


Emerged in May 2019, maze ransomware gained significant attention for its advanced attack techniques and its involvement in high-profile attacks against organisations worldwide. The sophistication of Maze, along with its dual-extortion tactics, underscores the evolving nature of ransomware threats. The group behind Maze has been linked to various high-profile attacks, targeting organisations across different sectors. Developed as a type of ChaCha ransomware, Maze has been very active in targeting victims across numerous industries. In April 2020, Maze ransomware targeted Cognisant, a global IT services giant. The attack disrupted services, encrypting and disabling internal systems, compelling Cognizant to take certain systems offline to contain the impact.

Stand strong against the menace of ransomware! Ensure your valuable data remains out of reach of the wrong hands.

Fortify your digital stronghold by unleashing our powerful network security measures, detecting and blocking digital threats. 

Don’t wait on this! Reach out to us now and strengthen your defences against cyber threats.


The Dharma ransomware is part of a ransomware family that includes Crysis and Phobos. Crysis, the initial member, was launched in February 2016, followed by Dharma in July 2018 and Phobos in September 2019. Despite their distinct release dates, these family members share substantial code, making it challenging for anti-malware systems to differentiate between them. Dharma is often misidentified as Crysis, further complicated by numerous variants of each. The group responsible for Dharma remains largely unknown.

  • In March 2020, a Dharma variant’s code was available for purchase on a Russian-language Dark Web platform at the price of $2,000.
  • This price contrasts significantly with the extortion demands linked to Dharma attacks, which generally ranged from $1,500 to an average of $8,620 per attack in December 2019.


In 2016, a novel strain of ransomware emerged with a focus on targeting JBoss servers. Unlike many other types of ransomware, SamSam deviates from the typical distribution method involving phishing emails or malicious attachments. Instead, the attackers choose a more targeted approach by identifying vulnerable servers or systems with weak or easily guessed passwords. Exploiting these security weaknesses allows them to gain initial access to the network.

  • Mohammad Mehdi Shah Mansouri (born in Qom, Iran, 1991) and Faramarz Shahi Savandi (born in Shiraz, Iran, 1984) are wanted by the FBI for their alleged role in launching the SamSam ransomware.
  • The duo is accused of extorting approximately $6 million through their ransomware activities.
  • Using the SamSam malware, Mansouri and Savandi are estimated to have caused over $30 million in damages.

What is a Ransomware Attack?

Ransomware is a type of malicious software that is created to encrypt files on a victim’s computer or network, making them inaccessible. The attackers who use ransomware demand payment in exchange for providing the decryption key to unlock the encrypted files. Essentially, it holds the victim’s data hostage until the extortion is settled.

Five stages of ransomware attack

  1. Initial Compromise: In this stage, the ransomware attackers breach systems through phishing, malicious attachments, or compromised websites, seeking a vulnerable entry point.
  2. Lateral Movement: Once inside, attackers explore networks, escalate privileges, and identify valuable targets for encryption.
  3. File Encryption: Ransomware strains encipher files, rendering them inaccessible without a decryption key held by the attackers.
  4. Ransom Note and Communication: Attackers leave a ransom note explaining file encryption and providing payment instructions via email or Tor-based sites.
  5. Ransom Payment and File Recovery: Victims decide to pay the ransom or pursue recovery options, following attackers’ instructions or seeking assistance from cybersecurity experts.


Also Read: What are different types of cyber security?

Safeguarding the Future with our Cybersecurity Solutions

The ever-present danger of ransomware underscores the need for a proactive and resilient cybersecurity strategy. We stand out as a formidable ally in the digital arena, providing state-of-the-art solutions, including cutting-edge network vulnerability and detection tools, to strengthen your defences against constantly evolving threats. With proficiency in detecting, preventing, and recovering from cyber threats, we serve as your strategic partner, ensuring the protection of vital data and the continuity of your business operations.

Proactivity is the shield that guards against digital adversaries, and our expertise stands as your impenetrable armour. Why wait for the storm to hit when you can secure your digital stronghold today? We don’t just offer solutions; we deliver assurance. Don’t gamble with the security of your crucial data and the very heartbeat of your business. Reach out to us now, where proactive protection meets unparalleled expertise.

Written By:



Latest Blogs

Send us a Message

More Posts

Report A Cyber Threat

Need help from our investigation and response team?