Lockers vs. Crypto-Malware: How These Two Ransomware Categories Stack Up

Dollar graphic

On July 14, 2021, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) called ransomware “a long-standing problem and a growing national security threat.” CISA’s position in part reflects an increase in how much ransomware actors have extorted from their victims in recent years. Ransomware payments earned attackers at least $350 million in 2020, reported ZDNet. Overall, those transactions accounted for 7% of all funds received by known “criminal” cryptocurrency addresses that year—an increase of 311% compared to the previous year. 

CISA’s pronouncement also helps us to recall several recent ransomware attacks that actually endangered national security. Take what happened in the Colonial Pipeline attack. Following an infection by the DarkSide Ransomware-as-a-Service (RaaS) operation, the Colonial Pipeline Company suspended all its pipeline operations and effectively disrupted the flow of 100 million gallons of fuel between Houston, Texas and New York Harbor for several days. This incident caused fuel shortages and panic buying up and down the East Coast, touching an untold number of people’s daily lives in the process. 

An Overview of Crypto-Ransomware 

In saying what it did, CISA actually didn’t call out all ransomware. It singled out a type of ransomware with which we’re arguably the most familiar. That sub-category, known as “crypto-ransomware,” works by encrypting a victim’s information and then demanding that victims pay up for a corresponding decryption key. Some crypto-ransomware strains try to prey off their victims’ fear and anxiety by giving them a deadline within which they must pay and by threatening to delete all their files if they remain noncompliant. 

In many instances of crypto-ransomware, victims can still use the basic functions of their infected machine to confirm the encryption of their data. That’s part of the logic of a traditional crypto-ransomware attack. From an attacker’s perspective, it helps when a victim sees that a version of their data is still available. A victim might be less inclined to pay if a malicious program wiped their computer outright, for instance, or if that program rendered their computer inoperable such that they couldn’t follow the attackers’ payment instructions. In the attacker’s mind, hope of recovery means that a victim might be more willing to comply.  

Some attackers have gotten creative with this crypto-ransomware formula over the years. Recently, we’ve seen attackers using double extortion as a means of foiling victims’ use of backups and of demanding a second ransom demand. Emsisoft has seen something similar in attackers’ use of double encryption to affect some or all a victim’s data with more than one ransomware strain. Not only does double encryption increase the complexity of recovering from a crypto-ransomware attack, but it also increases the profitability of an infection by empowering ransomware actors to demand a ransom for each strain that’s involved. 

Don’t Forget About Lockers 

Notwithstanding its prevalence, crypto-ransomware doesn’t account for all ransomware. There’s also the lesser-known subcategory of locker ransomware. Locker threats do not go after encrypting a victim’s information. Instead, they focus on preventing victims from interacting with their keyboard, mouse, or other basic computer functions. Such functionality “locks” the victim out of their computer until they pay a ransom. 

The good news with this type of ransomware is that lockers don’t generally go after data, meaning victims can most likely recover their information. The bad news is that lockers can serve as a gateway for follow-up attacks. As an example, an attacker might program a locker to disguise their ransom screen as a tech support dialog box containing a phone number. The attackers might restore control of the infected device once the victim calls the number and pays for a fake antivirus solution. But in doing so, the victim might unknowingly install remote access software onto their computers that the attackers can then use to steal information, conduct reconnaissance for account takeover (ATO) fraud attempts, or even remotely deploy another locker or a strain of crypto-ransomware. 

Defending Against All Types of Ransomware 

Organizations want to do everything they can to avoid a ransomware infection whether it’s at the hands of crypto-malware or lockers. To do that, they need to strengthen their email security, as many ransomware infections rely on email as their delivery vector. Specifically, organizations should consider investing in a solution that scans incoming messages for threat indicators while allowing legitimate correspondence to arrive unimpeded. Learn how Zix | AppRiver can help.