Ransomware has grown into a category unto itself, and the variety will only continue growing. Let’s look at some common strains and how to deal with them.
The Most Common Variants
Encryptors, a.k.a. crypto ransomware, are what likely come to mind when you think of ransomware. This classic variant encrypts files on your system, then displays a message demanding ransom for the decryption key.
Lockers are similarly common and aptly named: they lock the screen or the whole system rather than encrypting individual files, so the data is usually intact underneath but unreachable until the lock is removed.
“Scareware,” as the name suggests, relies on scaring a victim by displaying a message alleging that their machine is infected and can only be cleansed if the ransom is paid. It relies on the victim reacting in panic before realizing the fraud.
“Doxware,” a.k.a. “leakware,” attacks confidentiality. Instead of only locking data away, it exfiltrates the data first and threatens to publish it. In a double extortion attack it does both: it encrypts the data and threatens to leak it unless the ransom is paid. DoppelPaymer, which targets Windows networks and runs its own leak site, follows this model (as I’ve written about previously).
Ransomware-as-a-Service (RaaS) deserves mention. The payload may behave like any of the variants above; what defines RaaS is the business model. An operator crew develops the malware and runs the payment portal and leak site, and affiliates, recruited on dark web forums, rent the kit, carry out the intrusions and split each ransom with the operators.
Variety in Delivery
These categories group ransomware by what it does to a victim, but there is likewise variety in how it gets in.
Consider RDP as an entry point. Attackers scan for Remote Desktop Protocol (RDP) exposed to the internet, guess or buy credentials for it, log in interactively, and then use that foothold to move laterally and push the ransomware to other machines by hand.
Windows Active Directory (AD) attacks are on the rise, too. An attacker who gains a foothold in an organization’s AD can grant themselves elevated permissions, enumerate hosts that would otherwise be hidden, and reach every domain-joined machine from one place.
Both vectors rely on weak or reused credentials and on known, unpatched vulnerabilities in exposed servers.
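The RDP entry point described above leaves a trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (4624). The following detector is an added example, not code from the original post. It runs over constructed, simplified renderings of those events (timestamp, event ID, logon type, account, source IP) rather than real EVTX records, and the threshold and window are assumptions you would tune for your environment.

```python
"""Flag likely RDP password guessing from simplified Windows Security events.

Added example, not from the original post. SAMPLE_EVENTS is constructed:
each line is <ISO timestamp> <event id> <logon type> <account> <source ip>.
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """
2024-03-01T02:00:01 4625 10 administrator 203.0.113.7
2024-03-01T02:00:02 4625 10 admin 203.0.113.7
2024-03-01T02:00:03 4625 10 root 203.0.113.7
2024-03-01T02:00:04 4625 10 guest 203.0.113.7
2024-03-01T02:00:05 4625 10 user 203.0.113.7
2024-03-01T02:00:06 4625 10 test 203.0.113.7
2024-03-01T02:00:07 4625 10 jsmith 203.0.113.7
2024-03-01T02:00:09 4624 10 jsmith 203.0.113.7   # success right after the spray
2024-03-01T02:05:00 4625 2 jsmith 10.0.0.5        # console typo, logon type 2: ignored
2024-03-01T02:30:00 4625 10 bob 198.51.100.4      # single failure: below threshold
"""


def parse_events(text):
    """Parse the constructed log format into dicts; '#' starts a comment."""
    events = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, eid, ltype, account, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(eid),
            "logon_type": int(ltype),
            "account": account,
            "ip": ip,
        })
    return events


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for source IPs with >= threshold failed RDP logons
    inside any sliding window of the given length. 'success_after' records
    whether the same IP also logged on successfully once the spray began,
    which is the case that needs immediate attention. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10 and e["id"] in (4624, 4625):
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == 4625]
        start, peak = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            first_fail = failures[0]["ts"]
            findings[ip] = {
                "failures": len(failures),
                "peak_in_window": peak,
                "accounts": sorted({e["account"] for e in failures}),
                "success_after": any(e["id"] == 4624 and e["ts"] >= first_fail for e in evs),
            }
    return findings


if __name__ == "__main__":
    for ip, f in rdp_bruteforce_sources(parse_events(SAMPLE_EVENTS)).items():
        print(ip, f)
```

Many distinct account names from one address is the signature of a spray rather than a user mistyping a password; a 4624 from the same source afterwards means the attacker now has an interactive session and the ransomware deployment may already be under way.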
How to Identify an Attack
First, keep an eye out for mysteriously scrambled files or evidence of failed modification attempts. If you open a file you know should contain readable text and instead find what appears to be random bytes, an encryptor may be at work. Encryptors also typically append a new extension to each file they encrypt and drop a ransom note, usually a text or HTML file, in every directory they touch.
An unexplained spike in CPU or disk usage, or a service that has stopped or been disabled, may mean an encryptor is killing the processes that hold files open so it can encrypt them, especially if the service belongs to your security or backup/recovery software. Deletion of volume shadow copies is another common precursor, since it removes the easiest local path to recovery.
Some varieties are more obvious. If you find yourself locked out of a browser or the entire system, that is a telltale sign a locker may be at work. Scareware is similarly lacking in subtlety. Never take a random message’s claim of infection at face value.
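The "scrambled files" check above can be automated as a triage pass over a directory tree. The following is an added example, not code from the original post: it scores each file's leading bytes by Shannon entropy and flags files whose extension promises text but whose content looks like noise, files carrying an appended extension over a known document type, and ransom-note-like file names. The name fragments, extension sets and the 7.2-bit threshold are assumptions, and the demo tree it builds in a temporary directory is constructed for illustration.

```python
"""Heuristic triage for encryptor activity in a directory tree.

Added example, not from the original post. Name hints, extension sets and
the entropy threshold are assumptions; build_demo_tree() writes constructed
sample files into a temporary directory.
"""
import math
import os
import tempfile
from collections import Counter

# Assumption: fragments commonly seen in ransom-note file names.
RANSOM_NOTE_HINTS = ("decrypt", "restore", "recover", "how_to")
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml", ".md", ".html"}
DOCUMENT_EXTENSIONS = TEXT_EXTENSIONS | {".docx", ".xlsx", ".pptx", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniform noise, English text is ~4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_file(path, sample_size=4096, entropy_threshold=7.2):
    """Return (entropy, [reasons]); an empty reason list means not suspicious."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    name = os.path.basename(path).lower()
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]  # e.g. ".docx" in "report.docx.locked"
    ent = shannon_entropy(head)
    reasons = []
    if ext in (".txt", ".html", ".hta") and any(h in name for h in RANSOM_NOTE_HINTS):
        reasons.append("ransom-note-like name")
    # A text file whose bytes look like noise was probably encrypted in place.
    if ext in TEXT_EXTENSIONS and ent > entropy_threshold:
        reasons.append(f"text extension but entropy {ent:.2f}")
    # A document type with an extra suffix and noise-like content: the classic
    # "appended extension" pattern. Compressed media (png, zip) is high-entropy
    # by nature, so entropy alone is deliberately not a trigger.
    if inner_ext in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS and ent > entropy_threshold:
        reasons.append(f"appended extension {ext} over {inner_ext}, entropy {ent:.2f}")
    return ent, reasons


def triage_tree(root_dir):
    """Walk root_dir and return {relative path: [reasons]} for suspicious files."""
    suspicious = {}
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            full = os.path.join(dirpath, fn)
            _, reasons = triage_file(full)
            if reasons:
                suspicious[os.path.relpath(full, root_dir)] = reasons
    return suspicious


def build_demo_tree():
    """Constructed sample: two clean files, two 'encrypted' files, one ransom note."""
    d = tempfile.mkdtemp(prefix="rw_triage_")
    samples = {
        "notes.txt": b"Meeting at 10am. Bring the quarterly figures.\n" * 50,  # clean text
        "photo.png": os.urandom(4096),            # high entropy but legitimate type
        "ledger.csv": os.urandom(4096),           # text extension, noise content
        "report.docx.locked": os.urandom(4096),   # appended extension over .docx
        "HOW_TO_RESTORE_FILES.txt": b"Your files are encrypted. Pay to get the key.\n",
    }
    for fn, data in samples.items():
        with open(os.path.join(d, fn), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for rel, why in sorted(triage_tree(build_demo_tree()).items()):
        print(rel, "->", "; ".join(why))
```

Treat the output as a list of places to look, not a verdict: legitimately compressed or encrypted files (archives, media, password-protected documents) score just as high on entropy, which is why the extension rules, the appended-suffix pattern and the ransom-note names carry the decision rather than entropy alone.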
Close off the points of entry. Never delay patching servers, and do not leave RDP reachable from the internet without multi-factor authentication or a VPN in front of it; that is the first step toward mitigating both the RDP and the AD vectors. Take nothing for granted, because attackers count on you assuming that your internal servers are already locked down and safe from intrusion.