What Is Ransomware?

Ransomware is a sophisticated form of malware designed to hold your data hostage, effectively locking you out of your files and systems. It encrypts your data using complex algorithms, making it inaccessible without a unique decryption key that only the attackers possess. To regain access, you must pay a ransom, often demanded in cryptocurrency, to maintain the attacker’s anonymity.

Modern ransomware has evolved beyond simple encryption, with emerging types like crypto-ransomware and CryptoWall raising the stakes. Some variants now employ a double extortion technique (ransomware 2.0), encrypting your data and threatening to leak sensitive information if the ransom isn’t paid. This adds extra pressure, particularly for businesses concerned about reputational damage or regulatory compliance.

Ransomware attacks have become increasingly prevalent, targeting organizations of all sizes across various industries. From small businesses to major corporations, no one is immune. These attacks often come with strict deadlines, adding urgency to a stressful situation. If you don’t pay in time, you might lose your data forever or face an increased ransom demand.

While the temptation to pay the ransom can be strong, especially when critical data is at stake, many government agencies, including the FBI, advise against it. Paying the ransom encourages future attacks and doesn’t guarantee the safe return of your data. In fact, on average, about half of the victims who pay the ransom will likely encounter repeat attacks—mainly when the initial infection isn’t thoroughly cleaned from the system.

Ransomware can be traced back to 1989, when the “AIDS virus” was used to extort funds from ransomware recipients. Payments for that attack were mailed to Panama, at which point a decryption key was sent back to the user.

In 1996, Columbia University’s Moti Yung and Adam Young introduced ransomware known as “cryptoviral extortion.” This idea, born in academia, illustrated the progression, strength, and creation of modern cryptographic tools. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy Conference. Their virus contained the attacker’s public key and encrypted the victim’s files. The malware then prompted the victim to send asymmetric ciphertext to the attacker to decipher and return the decryption key—for a fee.

Attackers have grown creative over the years by requiring nearly untraceable payments, helping cyber criminals remain anonymous. For example, the notorious mobile ransomware Fusob requires victims to pay using Apple iTunes gift cards instead of standard currencies, like dollars.

Ransomware attacks began to soar in popularity with the growth of cryptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses encryption techniques to verify and secure transactions and control the creation of new units. Beyond Bitcoin, there are other popular cryptocurrencies that attackers prompt victims to use, such as Ethereum, Litecoin, and Ripple.

Ransomware has attacked organizations in nearly every vertical, with one of the most famous viruses being the attacks on Presbyterian Memorial Hospital. This attack infected labs, pharmacies, and emergency rooms, highlighting the potential damage and risks of ransomware.

Social engineering attackers have become more innovative over time. The Guardian wrote about a situation where new ransomware victims were asked to have two other users install the link and pay a ransom to decrypt their files.

The growing prevalence of ransomware has brought about increasingly complex ransomware attacks.

• Scareware: This common type of ransomware displays a fake warning message claiming detection of malware on the victim’s computer. These attacks are often disguised as an antivirus solution demanding payment to remove the nonexistent malware. While scareware might seem less threatening, it can still cause significant stress and financial loss. It’s crucial to verify the legitimacy of any security warnings you receive and to rely on reputable antivirus software.
• Screen lockers: These programs are designed to lock the victim out of their computer, preventing them from accessing files or data. A message is typically displayed that demands payment to unlock it. Screen lockers can be incredibly disruptive, making your entire system unusable. Having a data backup and knowing how to safely boot your system to bypass the lock screen is essential.
• Encrypting ransomware: Also called “crypto-ransomware,” this common ransomware encrypts the victim’s files and demands payment in exchange for a decryption key. This type of ransomware can be devastating, rendering all your files inaccessible. Regular backups and robust cybersecurity measures are your best defense against encrypting ransomware.
• DDoS extortion: A Distributed Denial of Service extortion threatens to launch a DDoS attack against the victim’s website or network unless a ransom payment is fulfilled. The threat of DDoS extortion can be particularly damaging for businesses that rely heavily on their digital presence. It’s crucial to implement DDoS protection and have a well-prepared incident response plan in place to effectively mitigate this threat.
• Mobile ransomware: As the name suggests, mobile ransomware targets devices like smartphones and tablets and demands payment to unlock the device or decrypt the data. Mobile ransomware is becoming a growing concern with the mounting use of mobile devices across personal and business purposes. Regularly updating your mobile operating system and being cautious about app downloads can help protect you from this threat.
• Doxware: While less common, this sophisticated ransomware threatens to publish sensitive, explicit, or confidential information from the victim’s computer unless a ransom is paid. Also known as leakware, this form of ransomware adds increased pressure by threatening your privacy or reputation. Implementing robust data protection measures and being cautious about what information you store digitally can help mitigate the risk of doxware.
• Ransomware-as-a-Service (RaaS): Cyber criminals offer ransomware programs to other hackers or cyber-attackers that use such programs to target victims. RaaS has streamlined the accessibility of such threats, making ransomware attacks more prevalent. This model operates similarly to legitimate software-as-a-service businesses, providing customer support and regular updates to its criminal clientele.

These are just some of the most common types of ransomware. As cyber criminals adapt to cybersecurity strategies, they pivot to new and innovative ways to exploit vulnerabilities and breach computer systems.

The following notable ransomware attacks offer organizations a solid foundation of each attack’s tactics, exploits, and characteristics. While ransomware codes, targets, and functions vary, attack innovation is typically incremental.

• WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread. Proofpoint was involved in identifying the sample used to find the kill switch and deconstructing the ransomware. Learn more about Proofpoint’s involvement in stopping WannaCry.
• CryptoLocker: This was an early current-generation ransomware requiring cryptocurrency for payment (Bitcoin) and encrypted a user’s hard drive and attached network drives. CryptoLocker spread via an email with an attachment claiming to be FedEx and UPS tracking notifications. A decryption tool was released for this in 2014. However, various reports suggest that upwards of $27 million was extorted by CryptoLocker.
• NotPetya: Considered one of the most damaging ransomware attacks, NotPetya leveraged tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya targeted the same vulnerability as WannaCry to rapidly spread payment demands in Bitcoin to undo the changes. Some have classified it as a wiper since NotPetya cannot undo its changes to the master boot record and renders the target system unrecoverable.
• Bad Rabbit: Considered a cousin of NotPetya, using similar code and exploits to spread, Bad Rabbit was a visible ransomware that appeared to target Russian and Ukrainian media companies. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. Most cases indicated that it was spread via a fake Flash player update that impacted users via a drive-by attack.
• REvil: REvil is authored by a group of financially-motivated attackers. It exfiltrates data before encryption to blackmail targeted victims into paying if they choose not to send the ransom. The attack stemmed from compromised IT management software used to patch Windows and Mac infrastructure. Attackers compromised the Kaseya software used to inject the REvil ransomware onto corporate systems.
• Ryuk: Ryuk is a manually-distributed ransomware application mainly used in spear-phishing. Targets are carefully chosen using reconnaissance. Email messages are sent to chosen victims, and all files hosted on the infected system are then encrypted.

While the volume of ransomware attacks has fluctuated over the years, these types of cyber-attacks remain among the most common and costly attacks on organizations. Ransomware attack statistics are an alarming call to action for organizations to reinforce cybersecurity measures and security awareness training.

• According to Sophos’s “The State of Ransomware 2022” report, ransomware attacks affected 66% of organizations in 2021, a dramatic year-over-year increase of 78% compared to 2020.
• Proofpoint’s “2023 State of the Phish” report found that 64% of organizations surveyed said they were affected by ransomware in 2022, and more than two-thirds of this group reported multiple incidents. In turn, experts speculate that the actual number of incidents and associated losses last year were much higher than reported.
• The healthcare industry continues to be the most targeted by ransomware, with a ransom payment rate of 85%. However, educational institutions have experienced the greatest increase (28% in 2021) in ransomware attacks, according to BlackFog’s “2022 Ransomware Report.”
• Windows systems represented the vast majority of systems affected, accounting for 95% of ransomware malware attacks, according to Google’s VirusTotal service.
• According to Cybersecurity Ventures, ransomware attacks will cost victims over $265 billion in annual damages by 2031.

Aligned with the latest statistics, ransomware trends continue to evolve. Some of the most compelling trends worth noting include:

• Increased globalized threats
• More targeted and sophisticated attacks
• Growth in multistage extortion techniques
• Higher frequency of ransomware breaches
• Ransom prices plateau as security postures strengthen

Government intervention is another major trend that could shift how ransomware attacks are handled. Gartner predicts that 30% of global governments will likely enact ransomware payment legislation by 2025.

The average discount on ransomware payments appears to be increasing as well. Based on the latest ransomware trends, victims can expect between 20% to 25% discount on ransom payments, with some seeing discounts of up to 60%.

Ransomware is a type of malware designed to extort money from its victims, who are blocked or prevented from accessing data on their systems. The two most prevalent types of ransomware are “encryptors” and “screen lockers.” Encryptors, as the name implies, encrypt data on a system, making the content useless without the decryption key. Screen lockers block access to the system with a “lock” screen, asserting that the system is encrypted.

Figure 1: How Ransomware tries to trick a victim into installing it

Victims are often notified on a lock screen (common to both encryptors and screen lockers) to purchase a cryptocurrency, like Bitcoin, to pay the ransom fee. Once the ransom is paid, customers receive the decryption key and may attempt to decrypt files. Decryption is not guaranteed, as multiple sources report varying degrees of success with decryption after paying ransoms. Sometimes, victims never receive the keys. Some attacks install malware on the computer system even after the ransom is paid and the data is released.

While initially focused on personal computers, encrypting ransomware has increasingly targeted business users, as businesses often pay more than individuals to unlock critical systems and resume daily operations.

Enterprise ransomware infections or viruses typically start with a malicious email. An unsuspecting user opens an attachment or clicks on a malicious or compromised URL.

At that point, a ransomware agent is installed and encrypts critical files on the victim’s PC and any attached file shares. After encrypting the data, the ransomware displays a message on the infected device explaining what happened and how to pay the attackers. If the victims pay, the ransomware promises they’ll get a code to unlock their data.

While each ransomware attack may have unique characteristics, most follow a similar pattern. Here’s a breakdown of the typical stages:

1. Initial breach: The attack begins when cyber criminals enter your system. This access could happen through a phishing email, an exploited vulnerability, or even a careless click on a malicious link. It’s like leaving a window open in your house—attackers always look for these entry points.
2. Establishing a foothold: Once inside, the attackers work to solidify their position. They might install additional malware or create backdoors for future access. Think of it as the intruders setting up camp in your attic without you knowing.
3. Reconnaissance: Now comfortable in your system, the attackers start exploring. They’re looking for valuable data, understanding your network structure, and identifying potential targets. It’s akin to a burglar quietly moving through your home, checking each room for valuables.
4. Privilege escalation: Attackers seek to increase their system privileges to gain more control. They’re essentially trying to get the master key to your house, allowing them access to areas that were previously off-limits.
5. Data harvesting: With elevated access, the attackers begin collecting sensitive information. They might copy files, steal credentials, or extract valuable data. This stage is like the thieves filling their bags with your most prized possessions.
6. Preparation for attack: Before launching the ransomware, attackers often take steps to ensure maximum impact. This could involve disabling security software or deleting backups. It’s the equivalent of cutting your phone lines so you can’t call for help.
7. Ransomware deployment: Finally, the ransomware is activated. Files are encrypted, systems are locked, and the ransom demand appears. It’s the moment when you realize your house has been ransacked and the thieves have left a note demanding payment for the return of your assets.

Ransomware attacks can move quickly through these stages, sometimes in a matter of hours. Staying vigilant and having robust security measures in place at each potential stage of attack is crucial for protecting your organization’s digital assets.

Any device connected to the internet risks becoming the next ransomware victim. Ransomware scans a local device and any network-connected storage, which means a vulnerable device makes the local network a potential victim. If the local network is a business, the ransomware could encrypt important documents and system files that could halt services and productivity.

If a device connects to the internet, it should be updated with the latest software security patches and have anti-malware installed to detect and stop ransomware. Outdated operating systems such as Windows XP that are no longer maintained are at a much higher risk of being a target of cyber crime.

A business that falls victim to ransomware can lose thousands of dollars in productivity and data loss. Attackers with access to data blackmail victims into paying the ransom by threatening to release data and expose the data breach. Organizations that do not pay fast enough could experience additional side effects such as brand damage and litigation. The impact of ransomware extends beyond immediate financial losses, potentially causing long-term damage to a company’s operations and reputation.

Since ransomware stops productivity, the first step is containment. After containment, the organization can either restore from backups or pay the ransom. However, paying the ransom doesn’t guarantee data recovery and may encourage future attacks. Restoring from backups, while often the recommended approach, can still result in significant downtime and potential data loss.

Law enforcement gets involved in investigations, but tracking ransomware authors requires research time that delays recovery. This delay can exacerbate the financial impact, as every hour of downtime translates to lost revenue and productivity. Additionally, the involvement of law enforcement may lead to public disclosure of the attack, further damaging the company’s reputation.

Root-cause analysis identifies the vulnerability but may also delay recovery. Once the immediate crisis is managed, businesses often face substantial costs in upgrading their security infrastructure to prevent future attacks. This may include investing in advanced cybersecurity solutions, employee training programs, and hiring additional IT security personnel.

The aftermath of an attack can have lasting effects on a business. Customer trust may be eroded, potentially leading to loss of business. In regulated industries, companies may face fines or legal action for failing to protect critical data. The psychological impact on employees shouldn’t be underestimated either, as the stress and uncertainty of an attack can affect morale and productivity long after systems are restored.

With more people working from home, threat actors have increased their use of phishing. Phishing is a primary starting point for ransomware infection. The phishing email targets employees, both low- and high-privileged users. Email is inexpensive and easy to use, making it convenient for attackers to spread ransomware.

Document attachments have been normalized in email, so users think nothing of opening a file in an email attachment. The malicious macro runs, downloads ransomware to the local device, and delivers its payload. The ease of spreading ransomware in email is why it’s a common malware attack. Additionally, attackers often disguise malicious files as urgent or important, exploiting human curiosity and urgency to increase the likelihood of infection.

The availability of malware kits has also contributed to widespread ransomware attacks. These exploit kits scan devices for software vulnerabilities and deploy additional malware to further infect a device, producing malware samples on demand. Malware-as-a-service trends have fueled the popularity of these kits. This “democratization” of ransomware has lowered the threshold for cyber criminals, enabling even those with limited technical skills to launch sophisticated attacks.

Beyond email and exploit kits, ransomware can spread through other vectors:

1. Remote Desktop Protocol (RDP) exploits: Attackers often target poorly secured RDP connections, especially with the rise of remote work.
2. Social engineering: Ransomware can spread through various forms of social engineering, including fake software updates and malicious websites.
3. Supply Chain Attacks: By compromising trusted software providers, attackers can distribute ransomware through seemingly legitimate software updates.

The rapid spread of ransomware is further fueled by factors such as increased digital dependency, the rise of hard-to-trace cryptocurrency payments, and the success of high-profile attacks encouraging more cyber criminals to adopt this method.

Sophisticated attacks might use ransomware with authors who build their own versions. Variants use the codebase from an existent ransomware version and alter just enough of the functions to change the payload and method of attack. Ransomware authors can customize their malware to perform any action and use a preferred encryption cipher.

Attackers are not always authors. Some ransomware authors sell their software to others or lease it for use. Ransomware can be leased as malware-as-a-service (MaaS), where customers authenticate into a dashboard and launch their own campaigns. Therefore, attackers are not always coders and malware experts; some pay authors to lease their ransomware.

After ransomware encrypts files, it displays a screen to the user announcing files are encrypted and the ransom amount. Usually, the victim is given a specific period of time to pay, or the ransom increases. Attackers also threaten to expose businesses and publicly announce that they were victims of ransomware.

The most significant risk of paying the ransom is never receiving the cipher keys to decrypt data. Most experts advise against paying the ransom to stop perpetuating the monetary benefits to attackers, but many organizations have no choice. Ransomware authors require cryptocurrency payments, so the money transfer cannot be reversed.

The payload from ransomware is immediate. The malware displays a message to the user with instructions for payment and information on what happened to the files. Administrators must react quickly because ransomware may spread to scan other network locations for critical files. You can take a few basic steps to properly respond to ransomware—note that expert intervention is usually required for root-cause analysis, cleanup, and investigations.

• Determine which systems are impacted. You must isolate systems so that they cannot affect the rest of the environment. This step is part of containment to minimize damage to the environment.
• Disconnect systems and power them down if necessary. Ransomware spreads rapidly on the network, so any systems must be disconnected by disabling network access or powering them down.
• Prioritize the restoration of systems. This ensures that the most critical ones are returned to normal first. Typically, priority is based on productivity and revenue impact.
• Eradicate the threat from the network. Attackers might use backdoors, so a trusted expert must perform eradication. The expert needs access to logs to perform a root-cause analysis that identifies the vulnerability and all impacted systems.
• Have a professional review the environment for potential security upgrades. It’s common for a ransomware victim to be a target for a second attack. Undetected vulnerabilities can be exploited again.

Authors constantly change code into new variants to avoid detection. Administrators and anti-malware developers must keep up with these new methods to detect threats quickly before propagating across the network. Here are a few new threats:

• DLL side loading. Malware attempts to avoid detection by using DLLs and services that look like legitimate functions.
• Web servers as targets. Malware on a shared hosting environment can affect all sites hosted on the server. Ransomware, such as Ryuk, targets hosted sites, mainly using phishing emails.
• Spear-phishing is preferred over standard phishing. Instead of sending malware to thousands of targets, attackers perform reconnaissance on potential targets for their high-privilege network access.
• Ransomware-as-a-Service (RaaS) lets users launch attacks without any cybersecurity knowledge. The introduction of RaaS has led to an increase in ransomware attacks.

A primary cause for the increase of threats using ransomware is remote work. An at-home workforce is much more vulnerable to threats. Home users do not have the enterprise-level cybersecurity necessary to protect from sophisticated attacks, and many of these users comingle their personal devices with work devices. Since ransomware scans the network for vulnerable devices, personal computers infected with malware can also infect network-connected business devices.

Prevention for ransomware attacks typically involves setting up and testing backups as well as applying ransomware protection in security tools. Security tools such as email protection gateways are the first line of defense, while endpoints are a secondary defense. Intrusion Detection Systems (IDSs) can detect ransomware command-and-control to alert for a ransomware system calling out to a control server. While user training is critical, it’s just one of several layers of defense to protect against ransomware. It typically comes into play after the delivery of ransomware via email phishing.

If other ransomware preventative defenses fail, a fallback measure is to stockpile Bitcoin. This is more prevalent where immediate harm could impact customers or users at the affected organization. Hospitals and the hospitality industry are at particular risk of ransomware, as patients’ lives could be affected or people could be locked in or out of facilities.

How to Prevent Ransomware Attacks

• Defend your email against Ransomware: Email phishing and spam are the primary ways ransomware attacks are distributed. Secure Email Gateways with targeted attack protection are crucial for detecting and blocking malicious emails that deliver ransomware. These solutions protect against malicious attachments, documents, and URLs in emails delivered to user computers.
• Defend your mobile devices against Ransomware: When used with mobile device management (MDM) tools, mobile attack protection products can analyze applications on user devices and immediately alert users and IT to any applications that might compromise the environment.
• Defend your web surfing against Ransomware: Secure web gateways can scan users’ web surfing traffic to identify malicious web ads that might lead them to ransomware.
• Monitor your server and network and back up critical systems: Monitoring tools can detect unusual file access activities, viruses, network C&C traffic, and CPU loads in time to block ransomware from activating. Keeping a full image copy of critical systems can reduce the risk of a crashed or encrypted machine causing a critical operational bottleneck.

How to Remove Ransomware

• Call federal and local law enforcement: Just as someone would call a federal agency for a kidnapping, organizations must contact the same bureau for ransomware. Their forensic technicians can ensure systems aren’t compromised in other ways, gather information to better protect organizations going forward, and try to find the attackers.

Ransomware Recovery

• Learn about anti-ransomware resources: No More Ransom portal and Bleeping Computer provide tips, suggestions, and even decryptors for selected ransomware attacks.
• Restore data: If organizations have followed best practices and kept system backups, they can restore their systems and resume normal operations.

Ransomware attackers collected, on average, $115,123 per incident in 2019, but costs soared to $312,493 in 2020. One recorded event cost an organization $40 million. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand.