What Is Ransomware? The Science of Cyber-Extortion
Ransomware is an advanced category of malicious software rooted in the field of cryptovirology. Its primary function is to block access to a victim's data or threaten to leak private files publicly unless a specific financial ransom is paid. While legacy, low-level ransomware strains simply locked user interface functions in a reversible manner, modern threats rely heavily on cryptoviral extortion.
In a properly executed cryptoviral extortion campaign, attackers use robust encryption algorithms to scramble files, making data recovery computationally infeasible without the matching private decryption key. To preserve anonymity, perpetrators demand payment via difficult-to-trace digital payment systems and cryptocurrencies like Bitcoin, severely complicating international tracking and prosecution efforts.
How Ransomware Attacks Infiltrate Networks
Threat actors deploy ransomware payloads across consumer systems and enterprise infrastructures using several diverse vectors:
- Drive-By Downloads: Compromising legitimate web infrastructure or hosting malicious domains that automatically push payloads to browsers containing unpatched security flaws.
- Malicious Email Attachments: Distributing highly targeted phishing campaigns featuring malicious macros embedded inside seemingly benign documents, invoices, or archives.
- Malvertising & Exploit Kits: Injecting malicious code into digital advertising networks so that otherwise legitimate ads silently redirect users to exploit-kit landing pages.
Once inside a system, the malware generally splits into one of two operational paths:
- Locker Ransomware: This completely locks the computer's interface, blocking keyboard and mouse interactions. A prominent screen-filling window displays immediate local instructions for making payments, while keeping the underlying files untouched.
- Crypto Ransomware: This leaves the system usable but systematically crawls storage volumes to find and encrypt targeted file types (databases, spreadsheets, documents, and local media), crippling institutional operations.
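One way a defender can spot the aftermath of the crypto-ransomware path just described is to look for documents whose file signature is gone and whose bytes look like ciphertext. The following is an added example (not code from the original post): the file names, magic-byte table and the SHA-256-chained "ciphertext" stand-in are constructed for the demonstration, and the entropy threshold is an assumed tuning value.

```python
import hashlib
import math
from collections import Counter
# Well-known file signatures for document types crypto ransomware targets
EXPECTED_MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".png": b"\x89PNG"}
ENTROPY_THRESHOLD = 7.5  # bits/byte (assumed tuning): ciphertext is ~8.0, plain text sits far lower

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def known_extension(name: str):
    # Check every suffix so "report.pdf.locked" still maps to ".pdf"
    for part in name.lower().split(".")[1:]:
        if "." + part in EXPECTED_MAGIC:
            return "." + part
    return None

def assess_file(name: str, data: bytes) -> dict:
    ext = known_extension(name)
    entropy = shannon_entropy(data)
    header_ok = ext is None or data.startswith(EXPECTED_MAGIC[ext])
    renamed = ext is not None and not name.lower().endswith(ext)
    # Compressed formats (docx/xlsx/png) are high-entropy by nature, so entropy
    # alone is not enough: require the signature to be gone as well.
    suspicious = ext is not None and not header_ok and (entropy >= ENTROPY_THRESHOLD or renamed)
    return {"name": name, "entropy": round(entropy, 2), "header_ok": header_ok,
            "renamed": renamed, "suspicious": suspicious}

def scan(files: dict) -> list:
    """Names of files that look encrypted, sorted for stable output."""
    return sorted(n for n, d in files.items() if assess_file(n, d)["suspicious"])

def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    # Deterministic stand-in for encrypted output (SHA-256 chain) so the sample runs offline
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]

# Constructed sample volume: two intact documents, two left behind by an encryptor
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n" + b"Quarterly revenue summary, draft text.\n" * 100,
    "photo.png": b"\x89PNG\r\n\x1a\n" + pseudo_ciphertext(b"png", 4000),
    "report.pdf.locked": pseudo_ciphertext(b"pdf", 4096),
    "budget.xlsx.crypt": pseudo_ciphertext(b"xlsx", 4096),
}
```

Running `scan(SAMPLE_FILES)` flags only the two renamed, signature-less files; the intact PNG stays clean even though its compressed body is high-entropy.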
10 Notorious Strains of Ransomware
1. WannaCry
Launching a global crisis in May 2017, WannaCry became one of the largest scale ransomware events in history. It aggressively infected hundreds of thousands of corporate and government devices globally by utilizing the EternalBlue exploit, targeting an unpatched vulnerability in Microsoft’s Server Message Block (SMB) file sharing protocol.
2. CryptoLocker
While ransomware has existed for decades, CryptoLocker revolutionized the criminal ecosystem in 2013 by weaponizing military-grade asymmetric key encryption. Before its core distribution infrastructure was dismantled in 2014, the hackers extorted millions of dollars. The phrase "CryptoLocker" became universally synonymous with file-encryption threats.
3. Locker Ransomware (Computer Lockers)
Locker variants rely entirely on user interface restriction rather than file destruction. They target system shell components to lock down access, leaving just enough computing functionality exposed for the victim to view payment instructions and transmit cryptocurrency funds.
4. Locky & CryptoWall
Locky specialized in macro-driven document distribution, famously deleting Windows Volume Shadow Copies to render the built-in system recovery snapshots useless. Later strains, like advanced versions of CryptoWall, went a step further by also encrypting the file names themselves, preventing IT admins from identifying which files had been compromised.
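Because shadow-copy deletion precedes the encryption phase, it is one of the earliest behaviours a SIEM can alert on. The following detection logic is an added example (not code from the original post or any vendor tool): the process-creation events are constructed, the key=value layout is a simplified Sysmon-style format assumed for the demo, and the rule names are illustrative.

```python
import re

# Constructed process-creation events (simplified key=value layout) for this example
SAMPLE_EVENTS = [
    'ts=2024-01-10T09:12:01 host=ws-17 user=jsmith image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe invoice.txt"',
    'ts=2024-01-10T09:12:07 host=ws-17 user=jsmith image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all"',
    'ts=2024-01-10T09:12:08 host=ws-17 user=jsmith image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    'ts=2024-01-10T09:13:00 host=ws-17 user=backupsvc image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"',
]

# Command-line patterns for the recovery-inhibition behaviour the article describes;
# these are the publicly documented signatures that standard SIEM rules alert on.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Split a key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def match_rules(event: dict) -> list:
    cmd = event.get("cmd", "")
    return [name for name, rx in RULES if rx.search(cmd)]

def detect(lines) -> list:
    """Return one alert per event that trips at least one rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hits = match_rules(ev)
        if hits:
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"),
                           "user": ev.get("user"), "rules": hits})
    return alerts

def hosts_to_isolate(lines, min_hits: int = 2) -> list:
    """Hosts where several recovery-inhibition commands fired in one batch:
    a strong signal to isolate before the encryption phase completes."""
    counts = {}
    for a in detect(lines):
        counts[a["host"]] = counts.get(a["host"], 0) + len(a["rules"])
    return sorted(h for h, c in counts.items() if c >= min_hits)
```

The benign `vssadmin list shadows` from the backup account produces no alert, which keeps the rule quiet on routine administration.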
5. Cerber
Cerber structured itself as a pioneer in the Ransomware-as-a-Service (RaaS) model. Operating like a franchise business scheme, the developer licensed the threat out to external affiliates who distributed the malware in exchange for a percentage of the profits. Cerber famously targeted vulnerabilities across cloud email infrastructures, putting millions of users at risk.
6. Crysis
Crysis focuses on maximum local disruption. It uses strong encryption capable of simultaneously locking files across local hard drives, portable external media, and network-attached storage (NAS) shares.
7. NotPetya
Initially labeled as a variant of the 2016 Petya ransomware family, deep system forensics revealed a more sinister purpose. NotPetya was actually a destructive cyber-weapon known as a wiper. It mimicked a traditional ransomware lock screen to fool victims, but its underlying code permanently destroyed the storage disk's master file table, making file decryption impossible regardless of ransom payouts.
8. TeslaCrypt
TeslaCrypt predominantly targeted files associated with gaming applications, profiles, and mod configurations. It spread rapidly by leveraging automated web exploit frameworks like the Angler kit, dropping its executable directly into the local system's temporary directory.
9. TorrentLocker
TorrentLocker paired traditional data encryption with data harvesting capabilities. Upon compromising a workstation, it extracted all valid contacts found within the victim’s address books and used those addresses as recipients for spam attachments that spread the malware further.
10. ZCryptor
ZCryptor represents a dangerous combination of ransomware and self-propagating computer worms. It encrypts the primary machine, then searches for external storage arrays and removable flash drives to automatically drop hidden executable copies of itself, ensuring the infection hops onto subsequent computers offline.
Comparative Analysis: Key Ransomware Varieties
| Threat Name | Primary Attack Vector | Key Behavioral Characteristic | Primary Risk Level |
|---|---|---|---|
| WannaCry | Network Exploit (SMB flaw) | Worm-like spread across internal subnets | Critical |
| Locky | Macro Documents & Flash Edits | Deletes volume shadow copies and backups | Critical |
| Cerber | Ransomware-as-a-Service (RaaS) | Distributed by profit-sharing affiliates | High |
| NotPetya | Supply-Chain / Software Updates | Acts as a destructive file wiper, not extortion | Extreme |
Defending against these evolving threats requires keeping software patched, creating offline, immutable backups that are fully separated from the production environment, and maintaining strong network filtering.