"Ransomware" is a useful umbrella term, but it covers a remarkably diverse set of techniques. Some variants encrypt your files. Some merely lock your screen. Some never bother with encryption at all and rely entirely on the threat of leaking data. Some pretend to be ransomware but are something else entirely. For defenders, knowing which kind you are dealing with, or planning for, changes both the response and the recovery options.
1. Crypto-ransomware
This is the dominant category and the one most people picture. Crypto-ransomware encrypts files on the victim’s systems with strong cryptography and demands payment for the decryption key. Modern families use a hybrid scheme: a per-file symmetric key (AES-256 or ChaCha20) encrypts the contents, and that key is then wrapped with the attacker’s asymmetric key (RSA-2048, RSA-4096, or Curve25519). Without the matching private key, held only by the attacker, the data is mathematically out of reach.
Examples: LockBit, BlackCat/ALPHV, Akira, Play, Conti, Royal, Medusa.
Crypto-ransomware is what people mean by "ransomware" almost all of the time. Recovery without payment depends on three things: backups, occasional decryptors released by researchers or law enforcement, and operational mistakes by the attacker (reused keys, broken implementations).
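The traces that the hybrid scheme above leaves on disk are what detection keys on: near-random file content, a new extension appended to each file, and a ransom note dropped beside them. The following Python snippet is an added example (not code from the article) that scores a directory snapshot for those three signs; the entropy threshold, extension list, note markers and sample files are constructed assumptions.

```python
import math
from collections import Counter

# Thresholds and markers are constructed assumptions for this example:
# ciphertext approaches 8 bits of entropy per byte, and most families
# rename files and drop a note in every directory they touch.
HIGH_ENTROPY = 7.5
SUSPECT_RATIO = 0.5
NOTE_MARKERS = ("readme", "restore", "decrypt", "recover")
DOC_EXTS = ("docx", "xlsx", "pdf", "jpg")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes) -> bool:
    """True if the content is near-random or a new extension was appended
    to a document extension (e.g. report.docx.lockbit)."""
    parts = name.lower().split(".")
    double_ext = len(parts) >= 3 and parts[-2] in DOC_EXTS
    return double_ext or shannon_entropy(data) >= HIGH_ENTROPY

def is_ransom_note(name: str, data: bytes) -> bool:
    """A .txt file whose name and body both read like a ransom note."""
    lower = name.lower()
    return lower.endswith(".txt") and any(m in lower for m in NOTE_MARKERS) \
        and b"decrypt" in data.lower()

def assess_snapshot(files: dict) -> dict:
    """Score a snapshot {filename: content}; return indicators and a verdict
    a responder can alert on."""
    encrypted = sorted(n for n, d in files.items() if looks_encrypted(n, d))
    notes = sorted(n for n, d in files.items() if is_ransom_note(n, d))
    ratio = len(encrypted) / len(files) if files else 0.0
    verdict = "likely crypto-ransomware" if ratio >= SUSPECT_RATIO and notes else "inconclusive"
    return {"encrypted_files": encrypted, "ransom_notes": notes,
            "encrypted_ratio": round(ratio, 2), "verdict": verdict}

def sample_snapshot() -> dict:
    """Constructed snapshot: two renamed high-entropy files, one untouched
    text file and a ransom note (bytes(range(256)) stands in for ciphertext)."""
    return {
        "report.docx.lockbit": bytes(range(256)) * 4,
        "photo.jpg.lockbit": bytes(range(256)),
        "notes.txt": b"quarterly planning meeting notes, nothing unusual here",
        "README_RESTORE.txt": b"All your files are encrypted. Contact us to decrypt them.",
    }
```

Run against a real tree, the same scoring applied to a canary directory gives an early signal before the bulk of a share is touched.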
2. Locker ransomware
Locker ransomware does not touch your files. It locks the user out of the device or operating system entirely, typically with a full-screen overlay that the user cannot dismiss, and demands payment to restore access. Because the underlying data is intact, recovery for a technically capable user is usually a matter of booting from external media and removing the malware.
Lockers were dominant in the early 2010s on Windows and on Android. They are now rare on enterprise systems but still appear on consumer Android devices, often masquerading as adult-content apps or fake antivirus software.
3. Scareware
Scareware is the lazy cousin of ransomware. It does not encrypt anything, does not lock anything, and may not actually do anything at all besides display alarming pop-ups warning that the device is "infected" and demanding payment for a fake removal tool or "license." Many fake-antivirus campaigns and tech-support scams fall into this bucket. The damage is reputational and financial rather than operational, but the volumes can be enormous.
4. Leakware (a.k.a. doxware)
Leakware skips encryption and goes directly to extortion. The attacker exfiltrates sensitive data (customer records, source code, internal documents, executive email) and threatens to publish it unless a ransom is paid. There is no decryptor because there is nothing to decrypt; the leverage is reputational, regulatory, and competitive.
Leakware became a category of its own around 2020, when groups like Cl0p began running operations that were primarily extortion-by-leak. The MOVEit Transfer mass-exploitation campaign of 2023 was a textbook example: hundreds of organisations were notified that their data had been stolen, with no encryption involved at all.
5. Double extortion
Double extortion is the dominant model used by every serious ransomware group today. It combines crypto-ransomware and leakware: the attacker first exfiltrates data, then encrypts the environment, and applies both forms of leverage. Even an organisation with perfect backups still faces a leak threat. Even an organisation indifferent to a leak still has its operations stopped.
Maze pioneered this model in late 2019. By the end of 2020, virtually every active operator had a "leak site." It is now the default.
6. Triple (and quadruple) extortion
Some groups have stacked additional pressure tactics on top of the double-extortion model:
- DDoS attacks against the victim’s public-facing infrastructure, especially during negotiations.
- Direct harassment of customers, employees, partners, or patients whose data was stolen, often by phone or email.
- Regulatory weaponisation: reporting the victim to the SEC, GDPR regulators, or industry bodies to manufacture additional consequences for non-payment.
- Threats against executives and their families, used by a handful of more aggressive operators.
ALPHV/BlackCat and Cl0p have been particularly inventive on this front; ALPHV famously filed an SEC complaint against one of its own victims, MeridianLink, for failing to disclose the breach.
7. Wipers disguised as ransomware
Not every program with a ransom note is interested in your money. Wipers destroy data while presenting themselves as ransomware in order to delay attribution and confuse the victim. NotPetya in 2017 is the canonical case: a Russian state operation against Ukraine that masqueraded as ransomware but deliberately used an encryption scheme from which the data could not be recovered. More recent examples include HermeticRansom and CaddyWiper, deployed against Ukrainian targets in 2022.
For incident-response teams, distinguishing wiper from ransomware as fast as possible is critical. With true ransomware, paying may be an option of last resort. With a wiper, there is no key, no negotiation, and no path back to the data.
8. Mobile ransomware
Mobile variants exist on Android (and very rarely on iOS). They typically combine locker-style behaviour, covering the screen with an unkillable overlay, with crypto behaviour against external storage. Distribution is overwhelmingly through sideloaded APKs and malicious app stores rather than the official Play Store.
9. ESXi and Linux ransomware
Many modern operators ship dedicated Linux variants targeting VMware ESXi, the hypervisor that runs the bulk of enterprise virtualisation. By encrypting VMDK virtual disk files at the hypervisor layer, attackers can take down hundreds of virtual servers from a single host, often before any in-VM detection has a chance to react. Almost every major operator (LockBit, BlackCat, Akira, Play, Babuk, Royal, RansomHub) has shipped an ESXi variant.
10. RaaS-distributed crimeware
This is not a different kind of payload, but a different kind of business model, and it has changed the threat landscape so completely that it deserves its own slot. In a Ransomware-as-a-Service operation, a core development group writes and maintains the ransomware and rents it to "affiliates" in exchange for a cut (typically 20–30%). The affiliates run the actual intrusions. RaaS turns ransomware into a franchise, multiplies the talent pool of intruders, and is the reason a single brand like LockBit could rack up thousands of victims across years and continents.
What this means for defenders
The defensive priorities shift depending on which type you are most worried about. Against crypto-ransomware, immutable offline backups are decisive. Against leakware and double extortion, data minimisation, encryption at rest, and network egress monitoring matter more. Against wipers, only prevention and rapid containment work; there is no recovery path through paying. The taxonomy is not academic; it is the menu of bad outcomes you are choosing how to defend against.
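The egress monitoring named above targets the exfiltration step that leakware (section 4) and double extortion (section 5) both depend on, which happens before any encryption and is the last point at which the leak threat can still be cut off. The Python below is an added example, not code from the article: it sums outbound bytes per internal host from constructed proxy log lines and alerts when the volume sent to unapproved destinations exceeds a budget; the log format, the allowlist and the threshold are assumptions a real deployment would replace with its own baseline.

```python
from collections import defaultdict

# Constructed log format for this example (not a real proxy product's format):
# "<epoch_seconds> <internal_src_ip> <destination_host> <bytes_out>"
SAMPLE_LOG = """\
1700000000 10.0.1.20 sharepoint.example.com 45000
1700000060 10.0.1.20 bulk-upload.example.net 910000000
1700000120 10.0.1.20 bulk-upload.example.net 880000000
1700000180 10.0.1.31 updates.example.com 1200
1700000240 10.0.1.44 cdn.example.com 3000000
"""

# Destinations that legitimately receive bulk data; everything else counts
# toward the egress budget. Both the allowlist and the threshold are assumed
# values that a real deployment derives from its own traffic baseline.
APPROVED_DESTINATIONS = {"sharepoint.example.com", "updates.example.com", "cdn.example.com"}
EGRESS_THRESHOLD = 500 * 1024 * 1024   # 500 MiB of unapproved egress per host

def parse_log(log_text: str):
    """Yield (timestamp, src, dst, bytes_out) tuples from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield int(ts), src, dst, int(size)

def egress_by_host(records) -> dict:
    """Sum bytes_out per internal host, broken down by destination."""
    totals = defaultdict(lambda: defaultdict(int))
    for _, src, dst, size in records:
        totals[src][dst] += size
    return totals

def flag_exfiltration(log_text: str, threshold: int = EGRESS_THRESHOLD) -> list:
    """One alert per host whose outbound volume to unapproved destinations
    meets the threshold: the staging-and-upload pattern that precedes a leak."""
    alerts = []
    for src, by_dst in egress_by_host(parse_log(log_text)).items():
        unapproved = {d: b for d, b in by_dst.items() if d not in APPROVED_DESTINATIONS}
        total = sum(unapproved.values())
        if total >= threshold:
            alerts.append({"host": src, "bytes_out": total,
                           "destinations": sorted(unapproved)})
    return alerts

if __name__ == "__main__":
    for alert in flag_exfiltration(SAMPLE_LOG):
        print(alert)
```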
