Most people picture ransomware as a single thing: a skull-and-crossbones splash screen demanding Bitcoin. That mental model is comfortable but wrong, and the wrongness gets organizations hurt. “Ransomware” is a category, not a specimen. The tactic that locks a hospital’s imaging machines is technically and operationally different from the one that quietly steals a law firm’s client files and threatens to publish them. If your defenses assume every attack ends in encrypted disks, you will be blindsided by the variants that never encrypt anything at all.
Understanding the types matters because each one implies a different attacker goal, a different point of failure in your defenses, and a different answer to the ugly question of whether backups will actually save you.
What Ransomware Actually Is
At its core, ransomware is malware that denies you access to something you value and demands payment to restore it. The “something” is the key variable. Early ransomware denied access by encrypting files. Modern ransomware often denies access by stealing data and threatening exposure, or by combining both. The encryption itself is usually strong, asymmetric cryptography (an RSA or ECC public key encrypts a per-file symmetric AES key), which is precisely why “just decrypt it yourself” is rarely feasible. The attacker holds the only private key.
The delivery mechanisms are mundane and durable: phishing attachments, malicious links, exploited internet-facing services (unpatched VPNs, RDP exposed to the world), stolen credentials bought from access brokers, and supply-chain compromises. The novelty is almost never in how they get in. It is in what they do once inside.
The Core Categories
Ransomware splits into a handful of functional types. These describe behavior, and a single real-world attack can blend several.
- Crypto ransomware. The classic. It encrypts files on local and mapped network drives, leaves a ransom note, and demands payment for the decryption key. The operating system still boots; you just cannot read your data.
- Locker ransomware. Instead of encrypting individual files, it locks you out of the entire device or interface, often freezing the desktop or the login screen. It is more common on Android and older Windows scams. Locker malware frequently leaves the underlying files intact, which sometimes makes recovery easier than with crypto variants.
- Scareware. The bluff. Fake antivirus pop-ups or bogus “your files are encrypted” warnings that demand payment but may have done little or nothing. Not all scareware is harmless, but its power is psychological rather than cryptographic.
- Leakware / doxware (extortionware). This flips the model. Rather than denying access, the attacker exfiltrates sensitive data and threatens to publish it. Your backups are irrelevant here, restoring files does nothing to stop a leak.
- Double and triple extortion. The dominant modern playbook. Attackers encrypt and steal data (double), then add a third layer such as DDoS attacks or direct harassment of your customers and partners to increase pressure (triple).
- Ransomware-as-a-Service (RaaS). Not a technical type but a business model that shapes the whole landscape. Developers build and maintain the malware, then rent it to “affiliates” who carry out attacks and split the proceeds. RaaS is why the same strain can appear with wildly different tradecraft.
Notable Strains and What They Taught Us
A few families are worth knowing because they defined eras or techniques.
WannaCry (2017) was a worm-plus-ransomware hybrid that spread automatically across networks using the EternalBlue exploit against unpatched Windows SMB. It infected hundreds of thousands of machines in days, including parts of the UK’s National Health Service. Its lesson: patching and network segmentation matter as much as email hygiene, because self-propagating ransomware does not wait for a human to click.
Ryuk and its successors pioneered “big game hunting”, targeting large organizations for multi-million-dollar demands rather than spraying consumers. It typically arrived as a later-stage payload after other malware (like TrickBot) had already established a foothold.
LockBit became one of the most prolific RaaS operations, notable for the speed of its encryptor and a professionalized affiliate program, until law enforcement disruption in 2024 dented it. Conti was infamous both for its output and for an internal leak that exposed how corporate its operation had become, complete with salaries and HR-like structure. REvil (Sodinokibi) ran high-profile supply-chain and extortion campaigns. Older names like CryptoLocker (which popularized Bitcoin ransoms in 2013) and Petya/NotPetya (2017, where NotPetya masqueraded as ransomware but was really a destructive wiper) round out the history. NotPetya is the important cautionary tale: sometimes paying cannot recover your data, because destruction, not profit, was the goal.
Spotting the Behavior, Not Just the Note
You do not need reverse-engineering skills to reason about detection. Ransomware, whatever the family, tends to touch a lot of files quickly and reach for tools that let it spread and destroy recovery options. On Windows, a near-universal precursor is deleting the Volume Shadow Copies so victims cannot roll back:
vssadmin delete shadows /all /quiet
wmic shadowcopy deleteSeeing these commands run outside of a maintenance window is a strong signal of an in-progress attack. Detection and response tooling should alert on them aggressively.
On Linux or in file-server logs, a burst of rename or write operations creating files with an unusual, consistent extension is a hallmark of mass encryption. A crude hunt through recent filesystem changes might look like this:
# Flag directories where many files share a suspicious new extension
find /srv/share -type f -newermt '-1 hour' \
| sed 's/.*\.//' | sort | uniq -c | sort -rn | headA single extension suddenly dominating recently modified files is exactly the pattern encryptors produce. The point is not that these one-liners are a defense, they are diagnostics. Real prevention is layered: offline or immutable backups that ransomware cannot reach, least-privilege access so one compromised account cannot touch everything, prompt patching of internet-facing services, phishing-resistant multi-factor authentication, and network segmentation to slow lateral movement.
The Takeaway
The single most useful shift in thinking is to stop treating ransomware as an encryption problem and start treating it as an access-and-extortion problem. Backups defeat crypto-lockers, but they do nothing against a gang that has already copied your data and intends to publish it. That is why modern resilience combines two independent strategies: the ability to restore from backups the attacker cannot corrupt, and the ability to prevent the theft in the first place through monitoring, segmentation, and tight identity controls. Know which type you are actually facing, because the version that never touches your files can be the one that hurts the most.
