Ransomware has rapidly become one of the biggest cyberthreats facing businesses of all sizes. Last year, for example, BlackFog’s 2021 State of Ransomware Annual Report found a 17% increase in publicly disclosed attacks year over year, while figures from International Data Corporation estimate one in three firms globally fell victim.

But these incidents won’t be the same for every company. Ransomware attacks come in several forms, some of which may be far more dangerous than others. Therefore, knowing what type of incident you’re dealing with is an essential first step in formulating a response plan. At the same time, a good knowledge of the different attack types helps you plan your defenses and reduces the risk of being infected in the first place.

Here are four common types of ransomware you need to be familiar with.

Among the oldest, and traditionally the most common form of ransomware, crypto ransomware works by finding valuable files on a system and applying encryption to them so they become unusable. Hackers then demand a ransomware payment, after which they will (in theory) provide businesses with the decryption key needed to unlock them.

Such ransomware may infect all files on a device or seek out certain file types. Some variants can even look beyond the devices themselves to infect shared or networked drives or even cloud storage, potentially spreading the issues to all parts of a business. They do, however, typically leave the device usable.

This type of attack is becoming less common as businesses become more aware of the threat of ransomware and take more preventative measures. Having comprehensive, off-site backups, for instance, can be an effective way of mitigating the damage caused by this type of ransomware. However, hackers who do continue to use these tools have started countering these efforts by adding timed delays to their malware in order to infect backups as well.

Locker ransomware can be more disruptive than crypto ransomware as it locks users completely out of a system, often leaving them with nothing except basic mouse and keyboard inputs to allow them to pay the ransom.

In these cases individuals may turn on their device to see nothing except a lock screen with information on how to pay and a countdown clock to instil urgency – with the threat that if the ransom is not paid, the device will be rendered permanently unusable.

This type of ransomware usually targets systems rather than user files, so if a ransom is paid and access restored, there’s less chance that users will lose data. However, as with crypto ransomware, it prevents businesses from operating normally, and many firms may feel they have no choice but to pay the hackers in order to restore functionality.

Scareware is an evolution of older, social engineering-based attacks that aim to trick users into paying to fix a non-existent problem with their machine. In a classic form, malware will send multiple pop-up warnings that a device is infected with a virus and urge them to download paid-for ‘antivirus’ software in order to get rid of it. At best, this will do nothing, but it is far more likely to simply add additional malware onto the system.

Whether or not scareware should be considered as ransomware is debated, but many of these attacks can be highly disruptive, either flooding the screen with warnings or, in some cases, adding elements of locker ransomware to remove functionality. Therefore, as it disrupts systems until a payment is made, for most victims the impact will be the same.

This tactic often relies on taking advantage of human emotions, so effective cybersecurity training is essential in preventing this type of attack. Ensuring all employees can spot the signs of these attacks, regardless of their level of technical knowledge, is therefore vital.

Double extortion ransomware is one of the most popular ransomware tactics used today – and one of the most dangerous. It works by exfiltrating data from a network as well as encrypting systems. Once this data is in the hands of criminals, this gives them more leverage when it comes to making ransom demands.

A common form of double extortion is for hackers to say they will publicly release data if a ransom is not paid by a certain date. This type of ransomware may also be referred to as ‘doxware’. Hackers may also threaten to inform regulators or stakeholders of the breach, which could have further harmful consequences for a business’ reputation and finances. The goal of this is to add time pressure and increase the risks of not paying.

There is even a subvariant of this type of ransomware called triple extortion, which looks to pile even more pressure on businesses to respond quickly. One way of doing this is through  the threat of a further attack, such as a Distributed Denial of Service (DDoS). Adding the risk of further disruption to an organization on top of the threat of data exposure can act as another incentive for businesses to pay up.

To counter these types of ransomware, advanced, holistic solutions are required. In addition to solutions such as perimeter defenses and backups, Anti Data Exfiltration (ADX) technology is a must-have in order to prevent this type of ransomware. This monitors your network for data exfiltration and blocks the transfer of files, preventing hackers from gaining access to the sensitive files they need to operate this form of ransomware.