Ransomware Definition
Ransomware is a sophisticated form of malware designed to hold your data hostage, effectively locking you out of your files and systems. It encrypts your data using complex algorithms, making it inaccessible without a unique decryption key that only the attackers possess. To regain access, you must pay a ransom, often demanded in cryptocurrency, to maintain the attacker’s anonymity.
Modern ransomware has evolved beyond simple encryption, with emerging types like crypto-ransomware and CryptoWall raising the stakes. Some variants now employ a double extortion technique (ransomware 2.0), encrypting your data and threatening to leak sensitive information if the ransom isn’t paid. This adds extra pressure, particularly for businesses concerned about reputational damage or regulatory compliance.
Ransomware attacks have become increasingly prevalent, targeting organizations of all sizes across various industries. From small businesses to major corporations, no one is immune. These attacks often come with strict deadlines, adding urgency to a stressful situation. If you don’t pay in time, you might lose your data forever or face an increased ransom demand.
While the temptation to pay the ransom can be strong, especially when critical data is at stake, many government agencies, including the FBI, advise against it. Paying the ransom encourages future attacks and doesn’t guarantee the safe return of your data. In fact, on average, about half of the victims who pay the ransom will likely encounter repeat attacks—mainly when the initial infection isn’t thoroughly cleaned from the system.
History of Ransomware Attacks
Ransomware can be traced back to 1989, when the “AIDS virus” was used to extort funds from its recipients. Payments for that attack were mailed to Panama, after which a decryption key was sent back to the user.
In 1996, Columbia University’s Moti Yung and Adam Young introduced ransomware known as “cryptoviral extortion.” This idea, born in academia, showed how the strength of modern cryptographic tools could be turned against the people relying on them. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy Conference. Their virus contained the attacker’s public key and encrypted the victim’s files. The malware then prompted the victim to send the asymmetric ciphertext to the attacker, who would decipher it and return the decryption key for a fee.
Attackers have grown creative over the years by requiring nearly untraceable payments, helping cyber criminals remain anonymous. For example, the notorious mobile ransomware Fusob requires victims to pay using Apple iTunes gift cards instead of standard currencies, like dollars.
Ransomware attacks began to soar in popularity with the growth of cryptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses encryption techniques to verify and secure transactions and control the creation of new units. Beyond Bitcoin, there are other popular cryptocurrencies that attackers prompt victims to use, such as Ethereum, Litecoin, and Ripple.
Ransomware has attacked organizations in nearly every vertical, with one of the most famous incidents being the attack on Presbyterian Memorial Hospital. This attack infected labs, pharmacies, and emergency rooms, highlighting the potential damage and risks of ransomware.
Social engineering attackers have become more innovative over time. The Guardian wrote about a situation where new ransomware victims were told that if they got two other users to install the malicious link and pay the ransom, their own files would be decrypted.
How Ransomware Works and Spreads
Ransomware blocks access to data or systems until a ransom is paid, primarily through encryptors (file encryption) or screen lockers (system lockdown). Attackers demand cryptocurrency payments for decryption keys, though success rates vary. Businesses are frequent targets due to higher payout potential, with attacks often starting via phishing emails or voice scams (vishing).
Infection and Spread Mechanisms:
- Phishing and social engineering: Deceptive emails trick users into opening malicious attachments or links. These emails often mimic trusted sources, exploiting urgency or authority to bypass scrutiny. Once activated, ransomware spreads across connected networks.
- Remote Desktop Protocol (RDP) exploits: Poorly secured RDP connections, especially in remote work environments, allow attackers to infiltrate systems. Compromised credentials or unpatched vulnerabilities grant them direct access to deploy ransomware.
- Exploitable vulnerabilities: Outdated software or unpatched systems provide easy entry points. Attackers scan for weaknesses in firewalls, operating systems, or applications to install ransomware silently.
- Infected USB drives: Physical devices loaded with malware bypass network defenses. Inserting an infected USB can trigger automatic ransomware installation, spreading to other connected systems.
- Malvertising and exploit kits: Compromised online ads or websites redirect users to malicious domains. These kits automatically probe devices for vulnerabilities to deliver ransomware payloads.
After initial access, ransomware encrypts files and exfiltrates data for double extortion. Attackers increasingly threaten to leak data to regulators or disrupt business partners to pressure victims into paying. Cryptocurrency anonymity, remote work expansions, and reliance on legacy systems fuel ransomware’s prevalence. Proactive measures—like zero-trust frameworks and employee training—are critical to counter evolving threats.
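The RDP item above describes compromised credentials as an entry point. As an added example (not code from the original article), the detector below reads Windows Security logon records for the failure burst that password guessing produces and, more importantly, for the successful RDP logon from the same source that follows it. Event IDs 4625/4624 and Logon Type 10 are real Windows values; the pipe-delimited record layout, the addresses and the account names are constructed.

```python
"""Detect RDP password guessing and the successful logon that follows it.

Added example, not code from the original article. Event IDs 4625 (failed
logon) and 4624 (successful logon) and Logon Type 10 (RemoteInteractive, i.e.
RDP) are real Windows values; the record layout and sample values are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int    # 4625 = failure, 4624 = success
    logon_type: int  # 10 = RemoteInteractive (RDP)
    source_ip: str
    account: str

def parse_event(line: str) -> LogonEvent:
    """Parse one 'key=value|key=value' record (constructed layout)."""
    f = dict(part.split("=", 1) for part in line.split("|"))
    return LogonEvent(datetime.fromisoformat(f["time"]), int(f["EventID"]),
                      int(f["LogonType"]), f["SourceIP"], f["Account"])

def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return findings in time order.
    ('bruteforce', ip, time): a source reached `threshold` RDP failures inside
        a sliding `window`, so old failures age out.
    ('likely_compromise', ip, account, time): a successful RDP logon from a
        source already flagged, i.e. the guessing worked. Page on this one.
    """
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged, findings = set(), []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.logon_type != 10:
            continue  # network/SMB logons need their own rule
        q = failures[ev.source_ip]
        while q and ev.time - q[0] > window:
            q.popleft()
        if ev.event_id == 4625:
            q.append(ev.time)
            if len(q) >= threshold and ev.source_ip not in flagged:
                flagged.add(ev.source_ip)
                findings.append(("bruteforce", ev.source_ip, ev.time))
        elif ev.event_id == 4624 and ev.source_ip in flagged:
            findings.append(("likely_compromise", ev.source_ip, ev.account, ev.time))
    return findings

# Constructed sample log. 203.0.113.45 and 198.51.100.7 are documentation
# address ranges, not real hosts.
BASE = datetime(2024, 3, 1, 2, 15, 0)
REC = "time={t}|EventID={e}|LogonType={lt}|SourceIP={ip}|Account={a}"
SAMPLE_LOG = [
    # 12 failed RDP logons in ~80 seconds, cycling through common account names
    REC.format(t=(BASE + timedelta(seconds=7 * i)).isoformat(), e=4625, lt=10,
               ip="203.0.113.45", a=name)
    for i, name in enumerate(["administrator", "admin", "backup", "svc_sql"] * 3)
] + [
    # ...then a success from the same source
    REC.format(t=(BASE + timedelta(seconds=90)).isoformat(), e=4624, lt=10,
               ip="203.0.113.45", a="backup"),
    # a user who mistypes twice and then logs in: below threshold, no alert
    REC.format(t=(BASE + timedelta(seconds=60)).isoformat(), e=4625, lt=10,
               ip="198.51.100.7", a="jdoe"),
    REC.format(t=(BASE + timedelta(seconds=80)).isoformat(), e=4625, lt=10,
               ip="198.51.100.7", a="jdoe"),
    REC.format(t=(BASE + timedelta(seconds=100)).isoformat(), e=4624, lt=10,
               ip="198.51.100.7", a="jdoe"),
] + [
    # SMB (Logon Type 3) failures are ignored by this RDP-specific rule
    REC.format(t=(BASE + timedelta(seconds=i)).isoformat(), e=4625, lt=3,
               ip="10.0.0.9", a="scanner")
    for i in range(15)
]

def run_sample():
    return detect_rdp_bruteforce(parse_event(l) for l in SAMPLE_LOG)

if __name__ == "__main__":
    print(run_sample())
```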
Types of Ransomware
The growing prevalence of ransomware has brought about increasingly complex ransomware attacks.
- Scareware: This common type of ransomware displays a fake warning message claiming detection of malware on the victim’s computer. These attacks are often disguised as an antivirus solution demanding payment to remove the nonexistent malware. While scareware might seem less threatening, it can still cause significant stress and financial loss. It’s crucial to verify the legitimacy of any security warnings you receive and to rely on reputable antivirus software.
- Screen lockers: These programs are designed to lock the victim out of their computer, preventing them from accessing files or data. A message is typically displayed that demands payment to unlock it. Screen lockers can be incredibly disruptive, making your entire system unusable. Having a data backup and knowing how to safely boot your system to bypass the lock screen is essential.
- Encrypting ransomware: Also called “crypto-ransomware,” this common ransomware encrypts the victim’s files and demands payment in exchange for a decryption key. This type of ransomware can be devastating, rendering all your files inaccessible. Regular backups and robust cybersecurity measures are your best defense against encrypting ransomware.
- DDoS extortion: Distributed Denial of Service extortion threatens to launch a DDoS attack against the victim’s website or network unless a ransom is paid. The threat of DDoS extortion can be particularly damaging for businesses that rely heavily on their digital presence. It’s crucial to implement DDoS protection and have a well-prepared incident response plan in place to effectively mitigate this threat.
- Mobile ransomware: As the name suggests, mobile ransomware targets devices like smartphones and tablets and demands payment to unlock the device or decrypt the data. Mobile ransomware is becoming a growing concern with the mounting use of mobile devices across personal and business purposes. Regularly updating your mobile operating system and being cautious about app downloads can help protect you from this threat.
- Doxware: While less common, this sophisticated ransomware threatens to publish sensitive, explicit, or confidential information from the victim’s computer unless a ransom is paid. Also known as leakware, this form of ransomware adds increased pressure by threatening your privacy or reputation. Implementing robust data protection measures and being cautious about what information you store digitally can help mitigate the risk of doxware.
- Ransomware-as-a-Service (RaaS): Cyber criminals offer ransomware programs to other hackers or cyber-attackers who use such programs to target victims. RaaS has streamlined the accessibility of such threats, making ransomware attacks more prevalent. This model operates similarly to legitimate software-as-a-service businesses, providing customer support and regular updates to its criminal clientele.
These are just some of the most common types of ransomware. As cyber criminals adapt to cybersecurity strategies, they pivot to new and innovative ways to exploit vulnerabilities and breach computer systems.
Examples of Ransomware
The following notable ransomware attacks give organizations a solid understanding of each attack’s tactics, exploits, and characteristics. While ransomware code, targets, and functions vary, attack innovation is typically incremental.
- WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread. Proofpoint identified the sample used to find the kill switch and deconstructed the ransomware. Learn more about how Proofpoint helped stop WannaCry.
- CryptoLocker: First detected in 2013, CryptoLocker ransomware used RSA encryption and demanded Bitcoin payments. It spread through phishing emails disguised as FedEx/UPS tracking notices via the Gameover ZeuS botnet. Law enforcement disabled its infrastructure in 2014 and released a decryption tool after attackers extorted millions from victims. Modern variants like 2023’s CryptoLocker 2.0 mimic these tactics but target USB drives and Bitcoin wallets.
- NotPetya: Considered one of the most damaging ransomware attacks, NotPetya borrowed tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya exploited the same vulnerability as WannaCry to spread rapidly, demanding payment in Bitcoin to undo the changes. Some have classified it as a wiper, since NotPetya cannot undo its changes to the master boot record, which renders the target system unrecoverable.
- Bad Rabbit: Considered a cousin of NotPetya, using similar code and exploits to spread, Bad Rabbit was a highly visible ransomware that appeared to target Russian and Ukrainian media companies. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. In most cases it spread through a fake Flash Player update delivered as a drive-by download.
- REvil: REvil is authored by a group of financially motivated attackers. It exfiltrates data before encryption so that victims who refuse to pay for decryption can be blackmailed with the stolen data. One notable attack stemmed from compromised IT management software: attackers compromised the Kaseya software used to patch Windows and Mac infrastructure and used it to push REvil onto corporate systems.
- Ryuk: Ryuk is a manually distributed ransomware application mainly used in spear-phishing. Targets are carefully chosen using reconnaissance. Email messages are sent to chosen victims, and all files hosted on the infected system are then encrypted.
Ransomware Statistics
- 59% of organizations experienced a ransomware attack in 2024, with 70% of incidents resulting in data encryption, according to Sophos’ The State of Ransomware 2024.
- Ransomware payments skyrocketed to record highs in 2024. The median ransomware payment surged from less than $200k in early 2023 to $1.5 million in June 2024, according to IBM’s top ransomware stories of 2024.
- 88% of breaches at small businesses stemmed from ransomware, while 64% of victims refused to pay—a 14% increase from 2023, according to Verizon’s latest Data Breach Investigations Report (DBIR).
- 32% of attacks exploited unpatched vulnerabilities (Sophos), while 68% of employees knowingly engaged in risky behaviors, enabling phishing—a top ransomware vector, according to Proofpoint’s 2024 State of the Phish report.
- Cybersecurity Ventures predicts $57 billion in global damages for 2025, escalating to $275 billion annually by 2031 as attacks occur every two seconds.
Ransomware Trends
Ransomware tactics have intensified in sophistication and impact, driven by evolving criminal strategies and shifting defense measures. Key trends reshaping the threat landscape include:
1. Surging Attack Volumes
2024 saw a record 5,263 ransomware attacks—the highest since 2021—with a 25% year-over-year increase in disclosed incidents. Groups like LockBit and RansomHub dominated, while newcomers exploited unpatched vulnerabilities in critical sectors like healthcare and manufacturing.
2. Double and Triple Extortion as Standard
Ninety-three percent of ransomware attacks now involve data exfiltration, with 43% of victims paying ransoms to prevent leaks, according to BlackFog. Attackers increasingly combine encryption with threats to release stolen data or disrupt third-party partnerships, as seen in a 2024 UK healthcare breach exposing 300M patient records.
3. Faster, More Targeted Attacks
Negotiations now begin within hours of infiltration, with attackers using AI-driven phishing and insider threats to bypass defenses. Small-to-midsize businesses (SMBs) faced 41.53% of attacks, as threat actors shifted from high-profile targets.
4. Ransomware-as-a-Service (RaaS) Proliferation
“The professionalization of the ransomware economy is growing as Ransomware-as-a-Service (RaaS) has not only significantly lowered the barriers for even novices to execute a cyberattack successfully but has also connected security researchers with ransomware groups,” summarizes Christian Have, CTO at Logpoint.
5. Targeting Critical Infrastructure
Ransomware attacks on critical infrastructure continue to surge, with industrial, healthcare, and manufacturing sectors facing heightened risk. According to the IT-ISAC, out of approximately 3,500 ransomware incidents tracked last year, 20% targeted critical manufacturing, followed by commercial facilities, healthcare, IT, and financial services.
6. Government Countermeasures
Governments worldwide have stepped up efforts to disrupt ransomware operations through coordinated law enforcement actions and new regulations. In 2024, international operations such as Europol’s Operation Endgame dismantled over 100 servers and 2,000 domains used for ransomware distribution, while the U.S. Department of the Treasury, in partnership with the UK and Australia, sanctioned individuals and entities linked to major cyber crime groups like Evil Corp.
Stages of a Ransomware Attack
While each ransomware attack may have unique characteristics, most follow a similar pattern. Here’s a breakdown of the typical stages:
- Initial breach: The attack begins when cyber criminals enter your system. This access could happen through a phishing email, an exploited vulnerability, or even a careless click on a malicious link. It’s like leaving a window open in your house—attackers always look for these entry points.
- Establishing a foothold: Once inside, the attackers work to solidify their position. They might install additional malware or create backdoors for future access. Think of it as the intruders setting up camp in your attic without you knowing.
- Reconnaissance: Now comfortable in your system, the attackers start exploring. They’re looking for valuable data, understanding your network structure, and identifying potential targets. It’s akin to a burglar quietly moving through your home, checking each room for valuables.
- Privilege escalation: Attackers seek to increase their system privileges to gain more control. They’re essentially trying to get the master key to your house, allowing them access to previously off-limits areas.
- Data harvesting: With elevated access, the attackers begin collecting sensitive information. They might copy files, steal credentials, or extract valuable data. This stage is like the thieves filling their bags with your most prized possessions.
- Preparation for attack: Before launching the ransomware, attackers often take steps to ensure maximum impact. This could involve disabling security software or deleting backups. It’s the equivalent of cutting your phone lines so you can’t call for help.
- Ransomware deployment: Finally, the ransomware is activated. Files are encrypted, systems are locked, and the ransom demand appears. It’s the moment when you realize your house has been ransacked and the thieves have left a note demanding payment for the return of your assets.
Ransomware attacks can move quickly through these stages, sometimes in a matter of hours. Staying vigilant and having robust security measures in place at each potential stage of attack is crucial for protecting your organization’s digital assets.
Ransomware’s Impact on Business
A business that falls victim to ransomware can lose thousands of dollars in productivity and data loss. Attackers with access to data blackmail victims into paying the ransom by threatening to release data and expose the data breach. Organizations that do not pay fast enough could experience additional side effects such as brand damage and litigation. The impact of ransomware extends beyond immediate financial losses, potentially causing long-term damage to a company’s operations and reputation.
Since ransomware stops productivity, the first step is containment. After containment, the organization can either restore from backups or pay the ransom. However, paying the ransom doesn’t guarantee data recovery and may encourage future attacks. Restoring from backups, while often the recommended approach, can still result in significant downtime and potential data loss.
Law enforcement gets involved in investigations, but tracking ransomware authors requires research time that delays recovery. This delay can exacerbate the financial impact, as every hour of downtime translates to lost revenue and productivity. Additionally, the involvement of law enforcement may lead to public disclosure of the attack, further damaging the company’s reputation.
Root-cause analysis identifies the vulnerability but may also delay recovery. Once the immediate crisis is managed, businesses often face substantial costs in upgrading their security infrastructure to prevent future attacks. This may include investing in advanced cybersecurity solutions, employee training programs, and hiring additional IT security personnel.
The aftermath of an attack can have lasting effects on a business. Customer trust may be eroded, potentially leading to loss of business. In regulated industries, companies may face fines or legal action for failing to protect critical data. The psychological impact on employees shouldn’t be underestimated either, as the stress and uncertainty of an attack can affect morale and productivity long after systems are restored.
Why You Shouldn’t Pay Ransomware
After ransomware encrypts files, it displays a screen to the user announcing that files are encrypted and the ransom amount. Usually, the victim is given a specific period of time to pay, or the ransom increases. Attackers also threaten to expose businesses and publicly announce that they were victims of ransomware.
The most significant risk of paying the ransom is never receiving the keys to decrypt the data. Most experts advise against paying the ransom so as not to keep funding attackers, but many organizations feel they have no choice. Ransomware authors require cryptocurrency payments, so the money transfer cannot be reversed.
Steps for Responding to an Attack
The effect of a ransomware payload is immediate. The malware displays a message to the user with instructions for payment and information on what happened to the files. Administrators must react quickly because ransomware may spread, scanning other network locations for critical files. You can take a few basic steps to properly respond to ransomware—note that expert intervention is usually required for root-cause analysis, cleanup, and investigations.
- Determine which systems are impacted. You must isolate systems so that they cannot affect the rest of the environment. This step is part of containment to minimize damage to the environment.
- Disconnect systems and power them down if necessary. Ransomware spreads rapidly on the network, so affected systems must be disconnected by disabling network access or powering them down.
- Prioritize the restoration of systems. This ensures that the most critical ones are returned to normal first. Typically, priority is based on productivity and revenue impact.
- Eradicate the threat from the network. Attackers might use backdoors, so a trusted expert must perform eradication. The expert needs access to logs to perform a root-cause analysis that identifies the vulnerability and all impacted systems.
- Have a professional review the environment for potential security upgrades. It’s common for a ransomware victim to be a target for a second attack. Undetected vulnerabilities can be exploited again.
New Ransomware Threats
Authors constantly change code into new variants to avoid detection. Administrators and anti-malware developers must keep up with these new methods to detect threats quickly, before they propagate across the network. Here are a few new threats:
- DLL side loading. Malware attempts to avoid detection by using DLLs and services that look like legitimate functions.
- Web servers as targets. Malware on a shared hosting environment can affect all sites hosted on the server. Ransomware, such as Ryuk, targets hosted sites, mainly through phishing emails.
- Spear-phishing is preferred over standard phishing. Instead of sending malware to thousands of targets, attackers perform reconnaissance on potential targets for their high-privilege network access.
- Ransomware-as-a-Service (RaaS) lets users launch attacks without any cybersecurity knowledge. The introduction of RaaS has led to an increase in ransomware attacks.
A primary cause for the increase in threats using ransomware is remote work. An at-home workforce is much more vulnerable to threats. Home users do not have the enterprise-level cybersecurity necessary to protect against sophisticated attacks, and many of these users commingle their personal devices with work devices. Since ransomware scans the network for vulnerable devices, personal computers infected with malware can also infect network-connected business devices.
Ransomware Prevention and Detection
Prevention of ransomware attacks typically involves setting up and testing backups, as well as applying ransomware protection in security tools. Security tools such as email protection gateways are the first line of defense, while endpoints are a secondary defense. Intrusion Detection Systems (IDSs) can detect ransomware command-and-control traffic and alert when an infected system calls out to a control server. While user training is critical, it’s just one of several layers of defense to protect against ransomware. It typically comes into play after the delivery of ransomware via email phishing.
If other ransomware preventative defenses fail, a fallback measure is to stockpile Bitcoin. This is more prevalent where immediate harm could impact customers or users at the affected organization. Hospitals and the hospitality industry are at particular risk of ransomware, as patients’ lives could be affected or people could be locked in or out of facilities.
How to Prevent Ransomware Attacks
- Defend your email against Ransomware: Email phishing and spam are the primary ways ransomware attacks are distributed. Secure Email Gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, documents, and URLs in emails delivered to user computers.
- Defend your mobile devices against Ransomware: When used with mobile device management (MDM) tools, mobile attack protection products can analyze applications on user devices and immediately alert users and IT to any applications that might compromise the environment.
- Defend your web surfing against Ransomware: Secure web gateways can scan users’ web surfing traffic to identify malicious web ads that might lead them to ransomware.
- Monitor your server and network, and back up critical systems: Monitoring tools can detect unusual file access activities, viruses, network C&C traffic, and CPU loads in time to block ransomware from activating. Keeping a full image copy of critical systems can reduce the risk of a crashed or encrypted machine causing a critical operational bottleneck.
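The last point above says monitoring tools can detect unusual file access in time to stop ransomware. As an added example (not code from the original article), the detector below implements that idea over a constructed stream of file-system events: it flags a process that writes many encrypted-looking (high-entropy) files in a short window and renames them to a new extension, and it flags any touch of a canary (decoy) file. The event layout, process names, paths and the `.locked` extension are all constructed for this example; the backup-agent case shows why high entropy alone is not enough to alert on.

```python
"""Flag ransomware-like file activity in a stream of file-system events.

Added example, not code from the original article: a burst of writes by one
process with encrypted-looking (high-entropy) content, files renamed to a new
extension, and any touch of a canary (decoy) file. Layout and data constructed.
"""
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class FileEvent:
    time: datetime
    pid: int
    process: str
    op: str             # "write" or "rename"
    path: str
    data: bytes = b""   # bytes written (empty for renames)
    new_path: str = ""  # rename target

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_ransomware_behavior(events, *, window=timedelta(seconds=30),
                               min_files=8, entropy_threshold=7.0,
                               canary_paths=frozenset()):
    """Return (kind, process, pid, time) findings in time order.
    'canary_touched': any operation on a decoy path. 'mass_encryption': inside
    `window` one process wrote >= `min_files` distinct files, >= 80% of them
    high-entropy, and renamed a file to a new extension (this last test keeps
    backup/compression tools, whose output is also high-entropy, quiet).
    """
    recent = defaultdict(deque)  # pid -> events inside the sliding window
    alerted, findings = set(), []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.path in canary_paths or ev.new_path in canary_paths:
            findings.append(("canary_touched", ev.process, ev.pid, ev.time))
        q = recent[ev.pid]
        q.append(ev)
        while ev.time - q[0].time > window:
            q.popleft()
        if ev.pid in alerted:
            continue  # one alert per process; the response is the same
        writes = [e for e in q if e.op == "write"]
        if len({e.path for e in writes}) < min_files:
            continue
        high = sum(shannon_entropy(e.data) >= entropy_threshold for e in writes)
        renamed = any(e.op == "rename" and e.path.rsplit(".", 1)[-1].lower()
                      != e.new_path.rsplit(".", 1)[-1].lower() for e in q)
        if high / len(writes) >= 0.8 and renamed:
            alerted.add(ev.pid)
            findings.append(("mass_encryption", ev.process, ev.pid, ev.time))
    return findings

CANARY = "C:\\Users\\alice\\Documents\\~canary.docx"  # constructed decoy path

def build_sample_events():
    """Constructed stream: one encryptor-like process and one backup agent."""
    base = datetime(2024, 3, 1, 9, 30, 0)
    rng = random.Random(7)  # deterministic stand-in for ciphertext bytes
    ev = []
    for i in range(10):     # encrypt-then-rename, one document per second
        src = f"C:\\Users\\alice\\Documents\\report{i}.docx"
        ev.append(FileEvent(base + timedelta(seconds=i), 4242, "updater.exe",
                            "write", src, rng.randbytes(1024)))
        ev.append(FileEvent(base + timedelta(seconds=i, milliseconds=500), 4242,
                            "updater.exe", "rename", src, new_path=src + ".locked"))
    ev.append(FileEvent(base + timedelta(seconds=3, milliseconds=250), 4242,
                        "updater.exe", "write", CANARY, rng.randbytes(1024)))
    for i in range(12):     # high-entropy archives but no renames: must not alert
        ev.append(FileEvent(base + timedelta(seconds=i), 900, "backup_agent",
                            "write", f"D:\\backups\\vol{i}.bak", rng.randbytes(1024)))
    return ev

def run_sample():
    return detect_ransomware_behavior(build_sample_events(), canary_paths={CANARY})
```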

Ransomware Survival Guide
Ransomware attackers collected, on average, $115,123 per incident in 2019, but costs soared to $312,493 in 2020. One recorded event cost an organization $40 million. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand.
Ransomware FAQs
Is Ransomware a Virus?
Ransomware and computer viruses are both forms of malware, but ransomware is not a virus. Ransomware is considered a category of malware, but it does not self-replicate like a virus. Viruses and ransomware damage files but act differently once the payload is delivered.
What Is the WannaCry Ransomware Attack?
The WannaCry ransomware used a Microsoft Windows vulnerability to spread quickly across the internet and encrypt files to hold them hostage. It encrypted files with cryptographically secure algorithms, so targeted victims were forced either to pay the ransom in Bitcoin to obtain the private key or to recover from backups. The files could not otherwise be decrypted, so many organizations were forced to pay the ransom.
What Is DarkSide Ransomware?
The hacking group known as DarkSide created the DarkSide malware that works as ransomware-as-a-service (RaaS). The malware double extorts its targets by first requiring payment to decrypt files and then requiring payment for the exfiltrated sensitive data. It targets servers hosting the Remote Desktop Protocol (RDP) and brute forces the password to gain access to the machine’s local files.
How Long Does It Take to Recover From Ransomware?
The time it takes varies wildly depending on the extent of the damage, the efficiency of the organization’s disaster recovery plan, response times, and the containment and eradication timeframes. Without good backups and disaster recovery plans, organizations could stay offline for days, which is a severe revenue-impacting event.