Types of Ransomware

The ransomware landscape is dynamic, with specialist criminal groups continually emerging and existing ones evolving. 

Experiencing Ransomware or Cyber Breach?

Response time is everything when you are under attack. If you have been breached or have an urgent matter, contact us immediately.

Ransomware & Ransomware Groups

In 2023, 60 ransomware groups were tracked, with half of those beginning their operations in the same year. Below is a list of the most common ransomware groups and their variants:  

  • cloak

  • CoinVault

  • Coverton

  • CryptoLocker

  • CryptoWall

  • CrySiS

  • CTB Locker

  • Dharma

  • DMA Locker

  • Eking (Phobos)

  • everest

  • GandCrab

  • GlobeImposter 2.0

  • HIVE

  • knight

  • LeChiffre

  • Lockbit3

  • Locky

  • losttrust

  • Makop

  • medusa

  • monti

  • noescape

  • Odin

  • Phobos

  • Play

  • qilin

  • QNPCrypt

  • Quantum

  • ragroup

  • Rakhni

  • Rannoh

  • rhysida

  • Ryuk

  • snatch

  • Sodinokibi / REvil

  • TeslaCrypt

  • trigona

  • WanaCryptor

  • WannaCry

  • Wildfire

How Ransomware Groups Work

Every ransomware group works slightly differently in the way they attack, but the general structure of an attack is similar across the ransomware groups.
Step 1

Initial Breach

Attackers gain entry into the system through various means, such as phishing emails, unsecured remote desktop protocols, or exploiting software vulnerabilities. The ransomware group will enter the estate days or weeks prior to encryption.

Step 2

Infiltration and Encryption

Once inside, the attackers navigate the network, identifying valuable data for extraction, disabling anti-virus products and encrypting files, rendering them inaccessible to the organisation. 

Step 3

Ransom Demand

Following encryption, once the attackers have all the data they want, they attackers issue a ransom demand, often in cryptocurrency, promising decryption keys in exchange for payment. Payment of the ransom however seldom leads to the restoration of data.

Step 4

Data Hostage Situation

With encrypted data inaccessible, the organisation faces a hostage situation, unable to operate or access critical information until the ransom is paid or recovery measures are implemented. 

Step 5

Deterioration of Systems

As time passes without resolution, the impact intensifies, leading to disrupted operations, potential data loss, and reputational damage. 

Step 6

Decision Point

Organisations must swiftly assess their options: pay the ransom (not recommended), seek professional recovery assistance, or restore systems from backups. 

Mitigation is more effective than recovery. However when faced with an attack, early detection and response provide the best opportunity for minimising the impact. It is advisable to engage a team of ransomware recovery specialists to investigate the attack and work to resolve it. Paying the ransom should be the last resort, as it doesn’t guarantee the retrieval of your data.

If you think you are under attack from a ransomware group, act now. Contact us or call us on 01202 308818.  

Recognising Signs of a Ransomware Attack

Identifying a ransomware attack requires prompt vigilance. Indicators suggesting a potential ransomware incident include: 

  1. Sudden File Inaccessibility: Unexplained inability to access files or folders with a changed file extension or displaying an altered file name.

  2. System Performance Changes: Significant decreases in system performance, such as delays in file operations or impaired software functionality. 

  3. Unusual Network Activity: Unusual network behaviour, increased outbound traffic, or unexpected connections to unfamiliar servers or domains. 

  4. Locked Out Systems: Being locked out of specific applications or systems, accompanied by a message demanding payment for access restoration. 

  5. Ransom Notes or Messages: Pop-up messages or text files demanding payment for decryption keys, often warning against attempting data recovery without their instructions. 

Contact Us

Experiencing an attack?

Act swiftly to safeguard your data and operations. Solace Cyber has teams across the UK who are specialists in ransomware recovery. Our bespoke recovery plans are designed to counter various ransomware impacts and bring your business operations back faster.

Don't delay your response. Call us at 01202 308818 immediately if you suspect a ransomware attack. Early action can minimise the attack's impact. Remember, paying the ransom should be the last resort; our specialist team can investigate and strategise for resolution. Protect your data—call us now. 

Request a callback

Solace Cyber, part of Solace Global, helps companies across the UK recover from ransomware attacks and data breaches.

Intelligence & Reports
Case Studies

Solace Cyber Limited is registered in England & Wales no. 14028838

Solace Global

Twin Sails House,
W Quay Rd,
Poole, BH15 1JF
United Kingdom


01202 308818

Please note that calls may be recorded for security and training purposes.