Ransomware types: encryption, wipers, exfiltration

Ransomware families

Understanding the distinctions between ransomware variants matters for your defense strategy. The appropriate response to an encryption attack differs significantly from your response to a wiper or a pure exfiltration campaign. Each type exploits different weaknesses and requires specific countermeasures.

Classic encryption

The original model: ransomware encrypts files using a strong algorithm (AES-256, RSA) and demands a cryptocurrency ransom in exchange for the decryption key. If the victim does not pay, files remain inaccessible.

Examples: LockBit, BlackCat/ALPHV

Classic encryption ransomware typically targets file extensions associated with documents, databases, and backups. The malware scans drives methodically, encrypts files, and often deletes shadow copies before presenting a ransom note. Recovery without the decryption key is computationally infeasible when implemented correctly — which is why the backup strategy is your most important defense.

The encryption phase itself is often very fast, executing across thousands of systems in minutes once triggered. This is why endpoint detection during the reconnaissance and staging phases is far more valuable than attempting to detect active encryption.
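One way to catch that staging step, as an added example that is not part of the original article: a small detector that scans process-creation events for shadow-copy deletion command lines. The event records and field names below are constructed for the example and assume a Sysmon/EDR-style process log; they are not real telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry); the field
# names mirror typical EDR/Sysmon process-creation logs but are assumptions here.
EVENTS = [
    {"ts": "2026-02-03T09:12:01Z", "host": "fs01", "user": "svc_backup",
     "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2026-02-03T09:14:44Z", "host": "fs01", "user": "jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-02-03T09:14:45Z", "host": "fs01", "user": "jdoe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2026-02-03T09:20:10Z", "host": "ws22", "user": "asmith",
     "cmdline": "WINWORD.EXE /n quarterly-report.docx"},
]

# Command-line patterns for destroying Volume Shadow Copies, the staging step the
# article describes as preceding encryption. Listing shadows (read-only) is not matched.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]

def detect_shadow_copy_deletion(events):
    """Return one alert per event whose command line matches a deletion pattern."""
    alerts = []
    for ev in events:
        if any(p.search(ev["cmdline"]) for p in SHADOW_COPY_DELETION):
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts

def hosts_to_isolate(alerts):
    """Hosts with at least one match: candidates for immediate containment."""
    return sorted({a["host"] for a in alerts})

if __name__ == "__main__":
    found = detect_shadow_copy_deletion(EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]}: {a["cmdline"]}')
    print("contain:", hosts_to_isolate(found))
```

Because a real encryption run spreads in minutes, an alert like this is only useful if it triggers automated isolation rather than a ticket.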

Double extortion

The dominant model since 2020. The attacker exfiltrates data BEFORE encrypting, then threatens to publish it. Even if the victim restores from backups, the stolen data remains a powerful pressure lever.

Examples: Qilin, Cl0p, Akira

Double extortion fundamentally changed the risk calculus. Organizations that invested in robust backup infrastructure discovered that backups, while still valuable for operational recovery, did not eliminate the threat. Stolen customer records, financial data, intellectual property, and employee information can be published on dedicated leak sites or sold to competitors or nation-state actors.

This model also introduced a new negotiation dynamic: attackers now have two separate leverage points. They can negotiate the decryption key price separately from the data deletion price. Some groups sell data even after receiving payment, arguing the data is commercially valuable regardless of the ransom outcome.

Wipers disguised as ransomware

Some malware presents itself as ransomware but permanently destroys data. No decryption key exists and no negotiation is possible. Often used by state-sponsored actors to mask sabotage operations.

Examples: Handala/Void Manticore (Stryker attack), NotPetya (2017), Sicarii

Wipers are particularly dangerous because organizations spend critical time attempting to negotiate or recover when no recovery is possible. The ransomware facade wastes response time that should be spent on containment and rebuilding. The primary indicators distinguishing a wiper from ransomware include: unusually rapid spread, overwriting of the Master Boot Record, destruction of backup infrastructure first, and absence of a meaningful negotiation channel.

State-sponsored actors deploy wipers for geopolitical objectives rather than financial gain. NotPetya, initially appearing to be ransomware, caused over $10 billion in global damage — making it the most destructive cyberattack in history despite never generating significant ransom revenue.

Exfiltration without encryption

A growing trend in 2026: the attacker steals data without encrypting it. Faster, stealthier, and less likely to trigger EDR tools. The threat of publication alone is enough to secure payment.

Attacker advantages: no technical risk tied to encryption, no key management required, faster execution.

Pure exfiltration attacks are often indistinguishable from data theft until the attacker makes contact. This means organizations may not know they have been compromised until a ransom demand arrives, sometimes weeks after the actual exfiltration occurred. Data Loss Prevention (DLP) tools and network monitoring for anomalous outbound data volumes are the primary detective controls.
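The "anomalous outbound data volume" control, as an added example that is not part of the original article: a per-host baseline of daily outbound bytes with a robust z-score (median and MAD) plus an absolute floor, so a quiet HR database moving gigabytes out is flagged while a busy build server's normal variation is not. The byte totals, host names and thresholds are constructed assumptions, not real flow data.

```python
from statistics import median

# Constructed per-host daily outbound byte totals for a 14-day baseline window
# (not real flow data); the host names are placeholders.
BASELINE = {
    "ws-finance-07": [2.1e8, 1.9e8, 2.4e8, 2.0e8, 1.8e8, 2.2e8, 2.3e8,
                      1.7e8, 2.0e8, 2.1e8, 1.9e8, 2.5e8, 2.2e8, 2.0e8],
    "db-hr-02":      [5.0e7, 4.8e7, 5.2e7, 5.1e7, 4.9e7, 5.0e7, 5.3e7,
                      4.7e7, 5.0e7, 5.1e7, 4.9e7, 5.2e7, 5.0e7, 4.8e7],
    "build-01":      [3.0e9, 2.8e9, 3.4e9, 3.1e9, 2.9e9, 3.3e9, 3.0e9,
                      3.2e9, 2.7e9, 3.1e9, 3.0e9, 3.5e9, 2.9e9, 3.1e9],
}
# Today's outbound totals: db-hr-02 moves about 9.6 GB, roughly 190x its usual day.
TODAY = {"ws-finance-07": 2.2e8, "db-hr-02": 9.6e9, "build-01": 3.3e9}

def robust_z(value, history):
    """Z-score using median and MAD, so one past spike does not inflate the baseline."""
    med = median(history)
    mad = median(abs(v - med) for v in history) or 0.05 * med  # guard against a zero MAD
    return (value - med) / (1.4826 * mad), med

def flag_outbound_anomalies(baseline, today, z_threshold=6.0, min_excess_bytes=1e9):
    """Flag hosts whose outbound volume is both statistically and absolutely unusual.

    The absolute floor stops tiny, noisy hosts from alerting on small changes; the
    z-score stops a busy host's ordinary fluctuation from alerting.
    """
    alerts = []
    for host, history in baseline.items():
        observed = today.get(host, 0.0)
        z, med = robust_z(observed, history)
        if z > z_threshold and observed - med > min_excess_bytes:
            alerts.append({"host": host, "observed_bytes": observed,
                           "baseline_median_bytes": med, "robust_z": round(z, 1)})
    return alerts

if __name__ == "__main__":
    for a in flag_outbound_anomalies(BASELINE, TODAY):
        print(f'{a["host"]}: {a["observed_bytes"]/1e9:.1f} GB out vs '
              f'{a["baseline_median_bytes"]/1e6:.0f} MB median (z={a["robust_z"]})')
```

Since the demand may arrive weeks after the theft, keep enough flow history to run this retrospectively over the suspected window, not just for the current day.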

Ransomware-as-a-Service (RaaS)

A business model where ransomware developers provide their tool to “affiliates” who conduct attacks. Revenue is split between developer and affiliate, typically 70/30 or 80/20 in favor of the affiliate.

Impact: lowers the barrier to entry significantly. Attackers without advanced technical skills can conduct sophisticated operations by purchasing access to mature, tested toolkits.

RaaS ecosystems include everything a criminal needs: encryption toolkits, negotiation portals, data leak infrastructure, customer support (ironically), and even bug reports from affiliates. Some groups offer service-level agreements to affiliates guaranteeing support response times. The developer group benefits from reduced operational exposure while earning revenue from every affiliate attack.

Law enforcement takedowns of RaaS operations have had limited long-term impact because the affiliate network disperses and re-forms around new developer groups. When LockBit was disrupted in 2024, many affiliates simply migrated to Qilin, Akira, and other competing platforms within days.
