What is Ransomware ?

Ransomware is a type of malicious software, or malware, that encrypts files on a device, rendering them inaccessible. The attacker then demands a ransom payment in exchange for decrypting the files. Ransomware has been around since 1989 but has become more prevalent and sophisticated in recent years.

The earliest forms of ransomware were relatively simple, locking access to the computer system. Modern ransomware variants encrypt specific files on the system’s hard drive using asymmetric encryption algorithms that generate a pair of keys: a public key to encrypt the files and a private key to decrypt them. The only way to decrypt and access the files again is with the private key held by the attacker.

Ransomware is often delivered through phishing emails containing malicious attachments or links. Once executed on the victim’s system, it encrypts files and displays a ransom note with instructions for how to pay to recover access. The ransom is usually demanded in a cryptocurrency like Bitcoin to avoid being traced.

There are two primary types of ransomware:

  • Locker ransomware locks users out of their computers or files. It locks the entire system and prevents any access.
  • Crypto-ransomware encrypts files on the system, making them inaccessible. It targets specific file extensions like documents, images, videos, and more.

Ransomware has become a lucrative criminal business model. New variants are continuously developed and released to maximize the amount of money extorted from victims. Prevention through cybersecurity best practices like backing up data and employee education are the best defenses against ransomware.

How Ransomware Works

Ransomware is a form of malware that encrypts files or locks access to a device, then demands payment of a ransom to restore access. Ransomware infections typically happen in one of three ways:

Trojan Downloads

Disguised as legitimate software, Trojans are downloaded by unsuspecting users and install ransomware on the system. These are often distributed through malicious code embedded within email attachments, software cracks, or pirated media.

Phishing Emails

Phishing emails contain malicious links or attachments that install ransomware when clicked or opened. The emails are designed to appear as though they’re from a legitimate company to trick the recipient into downloading the payload.

Exploiting Vulnerabilities

Some ransomware takes advantage of vulnerabilities in network systems or software to spread to connected devices. Once a device is infected, the ransomware encrypts files on that system and any network shares it has access to.

Ransomware payloads typically display messages on the screen demanding payment of a ransom, usually in cryptocurrency like Bitcoin, to regain access to the files or system. The ransom amount varies but is often several hundred to several thousand dollars. Paying the ransom, however, does not guarantee that access will be restored.

Ransomware has become a lucrative business for cybercriminals. Through the use of malware kits and affiliate programs, even those without advanced technical skills can easily deploy ransomware campaigns.

As long as ransomware proves profitable, it is likely to continue posing a threat to both individuals and organizations. Maintaining reliable backups, keeping software up to date, and educating users about cyber threats are some of the best defenses against ransomware.

The Different Types of Ransomware

There are three main types of ransomware that cyber security professionals should be aware of: scareware, screen lockers, and encrypting ransomware.


Scareware, also known as deception ransomware, tricks victims into believing their systems have been locked or compromised in order to extort money. Messages claiming that illegal content was detected or system files were encrypted are displayed to frighten the user into paying a “fine.” In reality, no such action has actually occurred. Scareware is usually easy to remove using antivirus software.

Screen Lockers

Screen lockers, or lock screen ransomware, locks users out of their devices by displaying full-screen messages over the login screen. They prevent access to the system by locking the screen, but do not actually encrypt any files. Some well-known examples are Reveton and FbiLocker. While frustrating, screen lockers typically do not do any permanent damage and can often be removed using a malware removal tool.

Encrypting Ransomware

Encrypting ransomware is the most serious type. It encrypts files on infected systems using encryption algorithms that are difficult to break without the decryption key. The ransomware demands payment, often in cryptocurrency, in exchange for the decryption key. If the ransom is not paid, the files remain encrypted and inaccessible.

Some infamous examples of encrypting ransomware are WannaCry, Petya, and Ryuk. Encrypting ransomware requires prevention and backup strategies, as data recovery is very difficult without paying the ransom.

Mobile Ransomware

 Mobile ransomware is a type of malware that can infect your phone and lock you out of your mobile device. Once infected, the malware will encrypt all of your data, and ask for a ransom in order to restore it. If you don’t pay the ransom, the malware can even delete your data.

To defend against ransomware, organizations should focus on employee education, strong security controls, antivirus software, keeping systems up to date, and maintaining secure data backups. Paying ransoms only encourages further criminal activity and does not guarantee that files will be recovered, so should be avoided. With vigilance and proactive defensive measures, the impact of ransomware can be minimized.

Recent Major Ransomware Attacks

Ransomware attacks have become increasingly common and damaging in recent years. Several major incidents highlight how vulnerable organizations have become to these threats.


In May 2017, the WannaCry ransomware attack infected over 200,000 computers across 150 countries. It targeted vulnerabilities in Microsoft Windows operating systems, encrypting files and demanding ransom payments in Bitcoin. The UK’s National Health Service was hit hard, forcing some hospitals to turn away non-emergency patients. Total damages exceeded $4 billion.


Shortly after WannaCry, NotPetya emerged. Disguised as ransomware, NotPetya was actually a wiper virus designed to destroy data. It brought down Ukrainian infrastructure like power companies, airports, and banks. NotPetya spread globally, infecting companies like FedEx, Maersk, and Merck. NotPetya caused over $10 billion in damages, making it the costliest cyberattack in history at the time.


In 2019, Ryuk ransomware targeted over 100 US newspapers. The attack encrypted files, disrupted printing operations, and demanded a $3 million ransom. Several newspapers had to publish smaller editions or switch to online-only for days. Ryuk has since hit other sectors like healthcare, logistics, and finance. Experts tie Ryuk to a sophisticated North Korean state-sponsored group.

Ransomware has rapidly become a national security threat and economic menace. Healthcare, government, media, shipping, and financial services seem to be favored targets, though any organization is at risk. Ransom demands are often six or seven figures, and even if paid, there is no guarantee of data recovery. The only way for companies and governments to defend against ransomware is through vigilance, preparation, and cooperation.

Educating employees, maintaining offline backups, keeping software up to date, and enacting an incident response plan can help reduce vulnerability. But as long as there are profits to be made from ransomware, it will likely remain an ongoing battle.

How to Prevent Ransomware Infections

To prevent ransomware infections, organizations should implement a multi-layered approach focused on employee education, robust security controls, and reliable backups.

Employee Education

Employees are often the targets of ransomware attacks through phishing emails containing malicious links or attachments. Educating staff about these threats, and providing training on spotting potential attacks, is critical. Employees should be wary of unsolicited requests for sensitive information or links and taught not to open attachments from unknown or untrusted senders. Regular reminders and simulated phishing campaigns can help reinforce lessons and identify areas needing improvement.

Network Segmentation and Endpoint Protection

Network segmentation separates parts of the network into smaller networks to better control access and contain infections. If ransomware enters one segment, segmentation prevents it from spreading to the entire network. Robust endpoint protection, including antivirus software, intrusion prevention systems, and regular patching help block ransomware and other malware. Two-factor authentication for remote access and admin accounts provides an extra layer of security.


Frequent and redundant data backups are key to recovering from a ransomware attack without paying the ransom. Backups should be stored offline and offsite in case the network is compromised. Test restoring backups regularly to ensure the process works and data is intact. If ransomware encrypts files, having accessible backups prevents permanent data loss and eliminates the need to pay the ransom.

Additional Controls

Other useful controls include restricting user permissions and privileges, monitoring for signs of compromise like unusual network activity, and planning an incident response strategy in the event of infection. Staying up-to-date with the latest ransomware threats and attack methods, and sharing that knowledge across the organization, helps IT teams implement appropriate defenses.

With strong controls and a focus on education and preparation, organizations can avoid becoming victims of ransomware attacks. But even with the best practices in place, ransomware is an ever-present threat. Regular testing of controls and responses helps minimize damage if an attack succeeds. When implemented together, these layers of defense provide the best protection against ransomware.

Ransomware Incident Response

Ransomware attacks require a quick and strategic response to minimize damage and ensure recovery.

Immediate Response

Upon discovering a ransomware infection, the first step is to isolate the infected systems to prevent the malware from spreading further. Next, determine the scope and severity of the attack to identify which systems and data have been impacted. Secure backup data and disconnect storage devices to protect them from encryption.

With systems isolated, professionals can work to contain and remove the ransomware. Antivirus software and malware removal tools should be used to scan systems and delete malicious files. A full system restore from backup may be required for badly infected machines. During this process, monitor systems for reinfection.

Ransomware variants are constantly evolving to evade detection, so customized tools and techniques may be needed to fully eliminate an advanced strain. In some cases, a ransomware’s encryption may be irreversible without paying the ransom. However, paying ransoms funds criminal activity and does not guarantee data retrieval, so should only be considered as an absolute last resort.

Long-term Recovery

Following a ransomware attack, a comprehensive review of security policies and procedures is needed to strengthen defenses and prevent reinfection. Additional staff training on cyber risks and response may also be required.

To restore encrypted data, organizations can use backup files to overwrite infected systems and recover information. Regular, offline data backups are key to minimizing data loss from ransomware. Multiple versions of backups over time allow restoration to a point before initial infection.

Some data may remain unrecoverable if backup files were also encrypted. In these situations, organizations must determine if lost information can be recreated or obtained from other sources. They may need to accept permanent data loss and plan to rebuild certain systems entirely.

Ransomware attacks can be devastating, but with quick thinking and the right strategies, organizations can overcome them. Staying vigilant and preparing for various scenarios will ensure the most effective response when disaster strikes. Continuous evaluation and improvement of cyber defenses can help reduce risks over the long run.

Ransomware attacks have been on the rise in recent years. According to Cybersecurity Ventures, global ransomware damage costs are predicted to reach $20 billion in 2021, up from $11.5 billion in 2019. Symantec’s Internet Security Threat Report found a 105% increase in ransomware variants from 2018 to 2019.

The most common types of ransomware today are lock screen ransomware, encryption ransomware, and double extortion ransomware. Lock screen ransomware locks users out of their devices. Encryption ransomware encrypts files and demands payment for the decryption key. Double extortion ransomware encrypts files, demands payment, and also threatens to release sensitive stolen data if payment is not made.

Ransomware attacks frequently target healthcare organizations, government agencies, and educational institutions. These organizations often have sensitive data and may be more willing to pay ransoms to avoid disruption and data breaches. However, paying ransoms emboldens cybercriminals to continue and expand ransomware operations.

Most ransomware is delivered through phishing emails, malicious websites, and software vulnerabilities. Phishing emails with malicious attachments or links remain the most popular infection vector. As more organizations strengthen email security, attackers are increasingly exploiting unpatched software vulnerabilities to gain access.

The future of ransomware may include more targeted, data-stealing attacks, higher ransom demands, and the use of cryptocurrencies to avoid tracking. Ransomware-as-a-Service, where cybercriminals rent out ransomware tools and infrastructure to less-skilled attackers, is also on the rise and makes it easier for more people to conduct ransomware campaigns.

To combat the ransomware threat, organizations should focus on employee education, strong email security, regular software patching, and frequent data backups stored offline. With comprehensive security practices in place, the impact of ransomware and other cyber attacks can be greatly reduced.

Government and International Efforts Against Ransomware

Governments and international organizations around the world have taken notice of the rise in ransomware attacks and the damage they cause. Several efforts are underway to help combat ransomware.

The European Union Agency for Cybersecurity, also known as ENISA, has published recommendations and strategies for both preventing and responding to ransomware attacks. Their guidance includes employee education, data backup protocols, and coordinating with law enforcement.

Interpol, the International Criminal Police Organization, has also warned about the threat of ransomware and issued a “Purple Notice” to its 194 member countries on the modus operandi of cybercriminals deploying ransomware. Interpol aims to alert organizations and individuals to ransomware risks and provide recommendations for strengthening cyber defenses.

In the United States, the Department of Justice has taken legal action against attackers deploying certain ransomware strains like REvil and NetWalker. The DOJ works with international partners to identify and charge perpetrators of ransomware attacks when possible. The Cybersecurity and Infrastructure Security Agency, or CISA, provides resources, education and advisories to help protect networks from ransomware.

The G7, a group of some of the world’s largest advanced economies, has affirmed commitments to improving cybersecurity and fighting cyber threats like ransomware. At their 2021 summit, the G7 pledged support for principles of responsible behavior in cyberspace and cooperation on cyber issues.

While government actions and international cooperation are steps in the right direction, public and private sector organizations must also take an active role in defending against ransomware. Backing up data, training employees, and keeping systems up-to-date are critical measures that, when combined with the efforts of governments and global alliances, can help curb the impact of ransomware attacks.


As cybercriminal tactics become more sophisticated, it’s critical for organizations and individuals to understand emerging threats like ransomware.

Although ransomware attacks may feel like a personal violation, remaining calm and methodical is the best approach to resolving the situation with minimal loss. With knowledge, preparation, and the right tools and partners, ransomware does not have to mean game over.

Staying up-to-date on the latest strains, attack vectors, and recommended security practices will ensure you have the power, not the perpetrators.