What is ransomware?
Ransomware holds victims' devices and data hostage until a ransom is paid. Learn how ransomware works, why it has proliferated in recent years, and how organizations defend against it.
Watch the video (1:43) Explore ransomware solutions
Person sits at desk while looking at the open laptop computer before them.
What is ransomware?

Ransomware is a type of malware, or malicious software, that locks up a victim’s data or computing device and threatens to keep it locked — or worse — unless the victim pays the attacker a ransom. In 2021, ransomware attacks represented 21 percent of all cyberattacks (PDF, 4.1 MB) and cost victims an estimated USD 20 billion overall (link resides outside ibm.com).

The earliest ransomware attacks demanded a ransom to unlock the data or a device. But today’s cybercriminals have raised the stakes considerably. The 2022 X-Force Threat Intelligence Index (PDF, 4.1 MB) reports that virtually all ransomware attacks today are ‘double extortion’ attacks that demand a ransom to unlock data and prevent its theft. ‘Triple extortion’ attacks, which add the threat of a distributed denial of service (DDoS) attack, are also on the rise.

These double- and triple-extortion tactics, the increased availability of ‘ransomware-as-a-service’ solutions, and the advent of cryptocurrency as an untraceable form of payment have combined to fuel exponential growth in ransomware incidents. The FBI’s Internet Crime Complaint Center recorded a roughly 243 percent increase in the number of reported ransomware incidents between 2013 and 2020 (link resides outside ibm.com).

Ransomware victims and negotiators are reluctant to disclose ransom payment amounts. However, according to the report Definitive Guide to Ransomware 2022 (PDF, 966 KB) , ransom amounts that used to total only double digits have grown to seven-figure and eight-figure amounts. In more extreme cases, companies may pay as much as USD 40-80 million to have their data released back to their control. And ransom payments aren't the only cost of a ransomware infection. According to IBM’s Cost of a Data Breach 2021 report, the average cost of a ransomware attack not including the ransom payment was USD 4.62 million.

Definitive gude to ransomware 2022 (966 KB)

What causes a ransomware infection?

Ransomware attacks can use several methods, or vectors, to infect a device or network. Some of the most prominent ransomware infection vectors include:

  • Phishing emails and other social engineering attacks: Phishing emails manipulate users into downloading and running a malicious attachment (which contains the ransomware disguised as a harmless looking .pdf, Microsoft Word document, or other file), or into visiting a malicious website that passes the ransomware through the user’s web browser. In IBM's Cyber Resilient Organization Study 2021, phishing and other social engineering caused 45 percent of all ransomware attacks reported by survey participants, making them the most common of all ransomware attack vectors.  
  • Operating system and software vulnerabilities: Cybercriminals often exploit existing vulnerabilities to inject malicious code into a device or network. Zero-day vulnerabilities, which are vulnerabilities either unknown to the security community or identified but not yet patched, pose a particular threat. Some ransomware gangs buy information on zero-day flaws from other hackers to plan their attacks. Hackers have also effectively used patched vulnerabilities as attack vectors, as was the case in the 2017 WannaCry attack discussed below.
  • Credential theft: Cybercriminals may steal authorized users' credentials, buy them on the dark web, or crack them through brute force. They may then use these credentials to log into a network or computer and deploy ransomware directly. Remote desktop protocol (RDP), a proprietary protocol developed by Microsoft to allow users to access a computer remotely, is a popular credential-theft target among ransomware attackers.
  • Other malware: Hackers often use malware developed for other attacks to deliver a ransomware to a device. The Trickbot trojan, for example, originally designed to steal banking credentials, was used to spread the Conti ransomware variant throughout 2021.
  • Drive-by downloads: Hackers can use web sites to pass ransomware to devices without the users’ knowledge. Exploit kits use compromised web sites to scan visitors’ browsers for web application vulnerabilities they can use to inject ransomware onto the device. Malvertising—legitimate digital ads that have been compromised by hackers—can pass ransomware to devices, even if the user doesn’t click the ad.

Cybercriminals don’t necessarily need to develop their own ransomware to exploit these vectors. Some ransomware developers share their malware code with cybercriminals via ransomware-as-a-service (RaaS) arrangements. The cybercriminal, or ‘affiliate,’ uses the code to carry out an attack, and then splits the ransom payment with the developer. It’s a mutually beneficial relationship: Affiliates can profit from extortion without having to develop their own malware, and developers can increase their profits without manually launching cyberattacks.

Ransomware distributors can sell ransomware via digital marketplaces, or recruit affiliates directly through online forums or similar avenues. Large ransomware gangs have invested significant sums of money to attract affiliates. The REvil group, for example, spent USD 1 million as part of a recruitment drive in October 2020 (link resides outside ibm.com).

Definitive Guide to Ransomware 2022 (966 KB)

Ransomware attack stages

Once hackers gain access to a device, a ransomware attack will typically proceed through the following steps.

Step 1: Reconnaissance. Attackers scan the infected system to better understand the device and network, and to identify files they can target - including files containing sensitive information the attacker can use for a double- or triple extortion attack. Most also search for additional credentials that may allow them to move laterally throughout the network, spreading ransomware to more devices along the way.

Step 2: Activation. Crypto ransomware begins identifying and encrypting files. Most encrypting ransomware deploys asymmetric encryption, using a public key to encrypt the ransomware and retaining a private key that can decrypt data. Because victims do not have the private key, they cannot decrypt the encrypted data without the hackers' help. Some crypto ransomware also disables system restore features or deletes or encrypt backups on the victim's computer or network to increase the pressure to pay for the decryption key.

Non-encrypting ransomware locks the device screen, or flood the device with pop-ups, or otherwise prevent victim from using the device.

Step 3: The ransom note. Once files have been encrypted and/or the device has been disabled, the ransomware alerts the victim of the infection, often via a .txt file deposited on the computer's desktop or through a pop-up notification. The ransom note will contain instructions on how to pay the ransom, usually in cryptocurrency or a similarly untraceable method, in exchange for a decryption key or restoration of standard operations.

Types of ransomware

There are two general types of ransomware. The most common type, called ‘encrypting ransomware’ or ‘crypto ransomware,’ holds a user's data hostage by encrypting it. The less common form of ransomware, sometimes called ‘locker ransomware,’ locks a victim’s entire device.

These two types can be further divided into the following subcategories:

  • Leakware/Doxware is ransomware that steals, or exfiltrates, sensitive data and threatens to publish it. While earlier forms of leakware or doxware often stole data without encrypting it, today’s variants often do both.
  • Mobile ransomware includes all ransomware that affects mobile devices. Delivered via malicious apps or drive-by download, mobile ransomware is typically non-encrypting ransomware because automated cloud data backups, standard on many mobile devices, make it easy to reverse encryption attacks.
  • Wipers/destructive ransomware threatens to destroy data if the ransom isn't paid—except in cases where the ransomware destroys the data even if the ransom is paid. This latter type of wiper is often suspected to be deployed by nation-state actors or hactivists rather than common cybercriminals.
  • Scareware is just what it sounds like—ransomware that tries to scare users into paying a ransom. Scareware might pose as message from a law enforcement agency, accusing the victim of a crime and demanding a fine; it might spoof a legitimate virus infection alert, encouraging the victim to purchase antivirus or antimalware software. Sometimes, the scareware is ransomware, encrypting the data or locking the device; in other cases, it’s the ransomware vector, encrypting nothing but coercing the victim to download ransomware.

Notable ransomware variants

Since 2020, cybersecurity researchers have identified more than 130 distinct, active ransomware families or variants—unique ransomware strains with their own code signatures and functions. 

Among the many ransomware variants that have circulated over the years, several strains are especially notable for the extent of their destruction, how they influenced the development of ransomware, or the threats they still pose today.


First appearing in September 2013, CryptoLocker is widely credited with kick-starting the modern age of ransomware. Spread using a botnet (a network of hijacked computers), CryptoLocker was one of the first ransomware families to strongly encrypt users' files. It extorted an estimated USD 3 million before an international law enforcement effort shut it down in 2014. CryptoLocker's success spawned numerous copycats and paved the way for variants like WannaCry, Ryuk, and Petya (described below).


The first high-profile cryptoworm—ransomware that can spread itself to other devices on a network—WannaCry attacked over 200,000 computers (in 150 countries) that administrators had neglected to patch for the EternalBlue Microsoft Windows vulnerability. In addition to encrypting sensitive data, WannaCry ransomware threatened to wipe files if payment was not received within seven days. It remains one of the largest ransomware attacks to date, with estimated costs as high as USD 4 billion.

Petya and NotPetya

Unlike other crypto ransomware, Petya encrypts the file system table rather than individual files, rendering the infected computer unable to boot Windows. A heavily modified version, NotPetya, was used to carry out a large-scale cyberattack, primarily against Ukraine, in 2017. NotPetya was a wiper incapable of unlocking systems even after the ransom was paid.


First seen in 2018, Ryuk popularized ‘big-game ransomware’ attacks against specific high-value targets, with ransom demands averaging over USD 1 million. Ryuk can locate and disable backup files and system restore features; a new strain with cryptoworm capabilities was discovered in 2021.


Run by a group suspected to be operating out of Russia, DarkSide is the ransomware variant that attacked the U.S. Colonial Pipeline on May 7, 2021, considered the worst cyberattack on critical U.S. infrastructure to date. As a result, the pipeline supplying 45 percent of the U.S. East Coast's fuel was temporarily shut down. In addition to launching direct attacks, the DarkSide group also licenses its ransomware out to affiliates via RaaS arrangements.


Locky is an encrypting ransomware with a distinct method of infection—it uses macros hidden in email attachments (Microsoft Word files) disguised as legitimate invoices. When a user downloads and opens the Microsoft Word document, malicious macros secretly download the ransomware payload to the user's device.


REvil, also known as Sodin or Sodinokibi, helped popularize the RaaS approach to ransomware distribution. Known for use in big-game hunting and double-extortion attacks, REvil was behind the 2021 attacks against the noteworthy JBS USA and Kaseya Limited. JBS paid an USD 11 million ransom after its entire U.S. beef processing operation was disrupted, and more than 1,000 of Kaseya’s software customers were impacted by significant downtime. The Russian Federal Security Service reported it had dismantled REvil and charged several of its members in early 2022.

Ransom payments

Paying a ransom is common. In IBM's Cyber Resilient Organization Study 2021, 61 percent of participating companies that reported experiencing a ransomware attack said they paid a ransom.

However, U.S. federal law enforcement agencies unanimously discourage ransomware victims from paying ransom demands. According to the National Cyber Investigative Joint Task Force (NCIJTF), a coalition of 20 partnering U.S. federal agencies charged with investigating cyberthreats:

“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered.”

Law enforcement agencies recommend that ransomware victims report attacks to the appropriate authorities, like the FBI's Internet Crime Complaint Center (IC3), before paying a ransom. Some victims of ransomware attacks may be legally required to report ransomware infections regardless of whether a ransom is paid. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.

Under certain conditions, paying a ransom may be illegal. According to a 2020 advisory from the U.S. Treasury's Office of Foreign Assets Control (OFAC), paying a ransom to attackers from countries under U.S. economic sanctions — such as Russia, North Korea, or Iran — would be a violation of OFAC regulations and could result in civil penalties, fines, or criminal charges.

Ransomware protection and response

To defend against ransomware threats, federal agencies like CISA, NCIJFT, and the U.S. Secret Service recommend organizations take certain precautionary measures, such as:

  • Maintaining backups of sensitive data and system system images, ideally on hard drives or other devices that can be disconnected from the network.
  • Applying patches regularly to help thwart ransomware attacks that exploit software and operating system vulnerability.
  • Updating cybersecurity tools including anti-malware and antivirus software, firewalls and secure web gateways, as well as enterprise cybersecurity solutions—such as endpoint detection and response (EDR) and extended detection and response (XDR) tools—that help security teams detect and respond to ransomware in real-time.
  • Employee cybersecurity training to help users recognize and avoid to phishing, social engineering, and other tactics that can lead to ransomware infections.
  • Implementing access control policies including multi-factor authentication, zero-trust architecture, network segmentation, and similar measures that can prevent ransomware from reaching particularly sensitive data, and keep cryptoworms from spreading to other devices on the network.

While decryptor tools for some ransomware variants are publicly available through projects like No More Ransom (link resides outside ibm.com), remediation of an active ransomware infection often requires a multifaceted approach. See IBM Security's Definitive Guide to Ransomware (PDF, 966 KB) for an example of a ransomware incident response plan modeled after the National Institute of Standards and Technology (NIST) Incident Response Life Cycle.

A brief ransomware timeline

1989: The first documented ransomware attack, known as the AIDS Trojan or "P.C. Cyborg attack," was distributed via floppy disks. It hid file directories on the victim's computer and demanded USD 189 to unhide them. But because it encrypted file names rather than the files themselves, it was easy for users to reverse the damage without paying a ransom.

1996: While analyzing the flaws of the AIDS Trojan virus, computer scientists Adam L. Young and Moti Yung warned of future forms of malware that could use more sophisticated public key cryptography to hold sensitive data hostage. 

2005: After relatively few ransomware attacks through the early 2000s, an uptick of infections begins, centered in Russia and Eastern Europe. The first variants to use asymmetric encryption appear. As new ransomware offered more effective ways to extort money, more cybercriminals began spreading ransomware worldwide.

2009: The introduction of cryptocurrency, particularly Bitcoin, gives cybercriminals a way to receive untraceable ransom payments, driving the next surge in ransomware activity.

2013: The modern era of ransomware begins with CryptoLocker inaugurating the current wave of highly sophisticated encryption-based ransomware attacks soliciting payment in cryptocurrency.

2015: The Tox ransomware variant introduces the ransomware-as-a-service (RaaS) model.

2017: WannaCry, the first widely used self-replicating cryptoworms, appears.

2018: Ryuk popularized big game ransomware hunting

Related solutions

Protect data against ransomware attacks

Learn how to protect your organization’s data from ransomware threats that can hold it hostage.

Network security

Secure network infrastructure against advanced threats and malware.

Extended detection and response (XDR)

A modular and integrated suite of threat detection and response capabilities that runs on an open security platform

IBM Security X-Force Incident Response Retainer

Discover how you can improve cyber incident response preparedness and minimize the impact of breaches.

Orchestrate incident response

Get faster incident response rates with intelligent orchestration and automation.

Managed detection and response

Threat defense starts with around-the-clock prevention, detection and fast response.

Endpoint security

The rise in remote work trends and interconnectivity of endpoints comes with its own set of cybersecurity challenges. To combat these, there is a need for a modern, AI-driven endpoint response and detection tool that can proactively block and isolate malware and ransomware threats and propel endpoint security into a zero-trust world.

Manage and control mobile devices

Have permanent view and control of essentially all your mobile devices, apps and content; run AI-powered security analytics; and maintain security across all your platforms.

Flash storage solutions

Simplify data and infrastructure management with the unified IBM FlashSystem® platform family, which streamlines administration and operational complexity across on-premises, hybrid cloud, virtualized and containerized environments.