Types of ransomware

The first interesting question to answer is what type of ransomware attacked the system. Most commonly, people associate file encrypters with the term ransomware, but there are more ways for malware to hold something for ransom. Ransomware is any malware that prevents access to the whole system, part of the system or data, or pretends to do so, and asks the system's user for some kind of payment to revert the changes.

1. File encrypter

The file encrypter typically searches for files on the system based on their file extensions, encrypts each file one by one and renames it, e.g., by adding an extension.

The file encrypter will often use persistence mechanisms for the duration of the encryption process. In case the user turns off the system in the midst of encryption, the file encrypter will continue the process after restart.

Some file encrypters use password protected archives to encrypt and store files, e.g., CryptoHost.

2. Disk encrypter

This kind of ransomware will usually infect the master boot record, thus rendering the operating system unbootable. In addition, they encrypt the data on disk or the master file table. There aren't many families out there that do this. Some known ones are Petya, Mamba (aka HDDCryptor) and some very old ones from the DOS era like the AIDS virus. Since there are only a few of them, identification should be comparatively easy.

3. Wiper

Sometimes ransomware developers introduce bugs in the encryption routine or the key-storage functions that make it impossible for them or anyone else to decrypt the data. They may damage data instead of encrypting it or make the retrieval of the key(s) impossible, e.g., Ordinypt.

Creating a wiper that poses as a file or disk encrypter may also be done on purpose if the actual goal is to damage a business and the threat actors want to hide their intent. Some believe Petna aka NotPetya to be one of those wipers.

Identifying this type of ransomware is of particular interest, since paying the ransom in these cases (should this option be considered viable at all) would be pointless, as there are no files to decrypt or recover.

4. Fake encrypter

The fake encrypter will pretend to encrypt files without actually doing it. One common way is to just rename files, e.g., by adding ransomware-typical extensions to them, so that users are fooled into believing that their files are encrypted. As Windows decides based on the file extension which program it uses to open a file, changing the extension will make it seem like the files are "not working anymore". Restoring the file extension will also restore the functionality of the file. Others, like RansomPrank, just tell the user that the files were encrypted, without doing anything to the files.

Ransomware simulators, which are used to demonstrate an infection and to train staff, mostly fall into this category but those shouldn't actually infect systems in the wild.
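
As an added example (not part of the original post), the following Python triage helper tells a merely renamed file from a genuinely encrypted one by checking the file header against known signatures and measuring byte entropy; the signature table, the entropy threshold and the sample file contents are my own constructed values, not data from any real sample.

```python
import math
from collections import Counter
from typing import Optional

# Header signatures for a few common document types (constructed, not exhaustive).
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",  # also docx/xlsx/pptx containers
}

# Constructed sample contents standing in for files found with a ".locked" extension.
SAMPLE_RENAMED_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_CIPHERTEXT = bytes(range(256)) * 4  # uniform bytes: entropy 8.0, like ciphertext
SAMPLE_PLAINTEXT = b"Dear customer, your invoice is attached. Regards, Accounting"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, lower for plain documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_type(data: bytes) -> Optional[str]:
    """Return the file type whose header signature matches, or None."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return None

def triage(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Classify content as 'renamed_only', 'likely_encrypted' or 'unknown'."""
    ftype = detect_type(data)
    entropy = shannon_entropy(data)
    if ftype is not None:
        verdict = "renamed_only"  # header intact: only the name was touched
    elif entropy >= entropy_threshold:
        verdict = "likely_encrypted"  # no known header and near-random bytes
    else:
        verdict = "unknown"  # e.g. plain text or a type not in MAGIC: inspect manually
    return {"type": ftype, "entropy": round(entropy, 2), "verdict": verdict}

def restore_name(name: str, detected_type: Optional[str], suspicious_ext: str) -> str:
    """Strip the appended extension only when the content was found intact."""
    if detected_type is not None and name.endswith(suspicious_ext):
        return name[: -len(suspicious_ext)]
    return name
```

Run `triage()` over each file's bytes and feed the detected type to `restore_name()`; files with a high-entropy verdict are left untouched for further analysis.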

5. Screenlocker

Screenlockers are often overlooked in discussions about ransomware. They seem less dangerous, less interesting, and less damaging. From a technical standpoint they are indeed less damaging, because the locking mechanism can be reversed, whereas decryption of data or recovery of wiped data is not always possible. For non-tech-savvy users, however, screenlockers still pose a substantial threat. This is especially evident and tragic in those cases where people committed suicide due to a screenlocker infection (e.g., case1, case2).

Very common is the screenlocker combined with a tech support scam, where the screenlocker may look like a fake blue screen and show a tech support number that is supposedly from Microsoft. The scammers, who pose as Microsoft technicians, will then proceed to show the user that their system is damaged and ask for payment in order to repair it (as demonstrated in this example).

Some ransomware families are screenlocker and file encrypter hybrids, meaning they lock the screen and also encrypt files on the system. If a sample is a pure screenlocker, knowing that is usually all you need to reverse the damage.