Ransomware is a type of malware that holds a victim’s sensitive data or device hostage, threatening to keep it locked—or worse—unless the victim pays a ransom to the attacker.
The earliest ransomware attacks simply demanded a ransom in exchange for the encryption key needed to regain access to the affected data or use of the infected device. By making regular or continuous data backups, an organization could limit costs from these types of ransomware attacks and often avoid paying the ransom demand.
Ransomware attacks have evolved to include double-extortion and triple-extortion tactics that raise the stakes considerably. Even victims who rigorously maintain data backups or pay the initial ransom demand are at risk.
Double-extortion attacks add the threat of stealing the victim’s data and leaking it online. Triple-extortion attacks add the threat of using the stolen data to attack the victim’s customers or business partners.
Ransomware is one of the most common forms of malicious software, and ransomware attacks can cost affected organizations millions of dollars. Beyond the ransom itself, organizations face regulatory fines, lawsuits and long-term damage to customer trust.
The IBM 2026 X-Force Threat Intelligence Index found that the number of active ransomware and extortion groups rose 49% year over year, from 73 groups in 2024 to 109 in 2025. Manufacturing, healthcare and energy remain the most targeted sectors, with manufacturing topping the list for the fifth consecutive year.
The report also found that artificial intelligence (AI) is helping attackers find and exploit weaknesses faster, giving them new ways to scale phishing campaigns and speed up malware creation.
Ransom payments are only part of the total cost of a ransomware infection. Ransomware victims and negotiators are reluctant to disclose ransom payments, but threat actors often demand seven-figure and eight-figure amounts. According to the 2025 Cost of a Data Breach Report from IBM and the Ponemon Institute, 63% of organizations that experienced a ransomware attack refused to pay, up from 59% the prior year. With fewer organizations paying, ransom demands have remained high, averaging $5.08 million for attacker-disclosed attacks.
That said, cybersecurity teams are becoming more adept at combating ransomware. The X-Force Threat Intelligence Index also shows that while active ransomware groups jumped 49%, publicly disclosed victim counts rose only 12%, likely due to improvements in threat detection and prevention.
A ransomware attack typically moves through a series of stages before a victim ever sees a ransom demand:
- Stage 1: Initial access
- Stage 2: Post-exploitation
- Stage 3: Understand and expand
- Stage 4: Data collection and exfiltration
- Stage 5: Deployment and extortion
In the initial access stage, the most common methods, or vectors, for ransomware attacks are phishing, vulnerability exploitation and compromising remote access protocols like RDP.
In the post-exploitation stage, depending on the initial access vector, hackers might deploy an intermediary remote access tool (RAT) or other malware to help gain a foothold in the target system.
In the understand-and-expand stage, attackers focus on understanding the local system and domain that they can currently access. The attackers also work on gaining access to other systems and domains, a process called lateral movement.
In the data collection and exfiltration stage, the ransomware operators switch focus to identifying valuable data and exfiltrating (stealing) it, usually by downloading or exporting a copy for themselves.
While attackers might exfiltrate any data that they can access, they usually focus on especially valuable data—login credentials, customers’ personal information, intellectual property—that they can use for double-extortion.
In the deployment and extortion stage, crypto ransomware begins identifying data and files and determining the best way to encrypt them. Some crypto ransomware also disables system restore features or deletes or encrypts backups on the victim’s computer or network to increase the pressure to pay for the decryption key.
Non-encrypting ransomware locks the device screen, floods the device with pop-ups or otherwise prevents the victim from using the device.
After the files have been encrypted or the device has been made unusable, the ransomware alerts the victim to the infection. This notification often comes through a .txt file deposited on the computer’s desktop or through a pop-up window.
The ransom note contains instructions on how to pay the ransom, usually in cryptocurrency or a similarly untraceable method. Payment is in exchange for a decryption key or restoration of standard operations.
There are two general types of ransomware:
- Encrypting ransomware or crypto ransomware
- Non-encrypting ransomware or screen-locking ransomware
The most common type, called encrypting ransomware or crypto ransomware, holds the victim’s data hostage by encrypting it. The attacker then demands a ransom in exchange for providing the encryption key needed to decrypt the data.
The less common form of ransomware, called non-encrypting ransomware or screen-locking ransomware, locks the victim’s entire device, usually by blocking access to the operating system. Instead of starting up as usual, the device displays a screen that makes the ransom demand.
These two general types fall into these subcategories:
- Leak or doxware
- Mobile ransomware
- Wipers
- Scareware
Leakware or doxware is ransomware that steals, or exfiltrates, sensitive data and threatens to publish it. While earlier forms of leakware or doxware often stole data without encrypting it, today’s variants usually do both.
Mobile ransomware includes all ransomware that affects mobile devices. Delivered through malicious apps or drive-by downloads, most mobile ransomware is non-encrypting ransomware. Hackers prefer screen-lockers for mobile attacks because automated cloud data backups, standard on many mobile devices, make it easy to reverse encryption attacks.
Wipers, or destructive ransomware, threaten to destroy data if the victim does not pay the ransom. In some cases, the ransomware destroys the data even if the victim pays. This latter type of wiper is often deployed by nation-state actors or hacktivists rather than common cybercriminals.
Scareware is just what it sounds like—ransomware that tries to scare users into paying a ransom. Scareware might pose as a message from a law enforcement agency, accusing the victim of a crime and demanding a fine. Alternatively, it might spoof a legitimate virus infection alert, encouraging the victim to purchase ransomware disguised as antivirus software.
Sometimes, the scareware is the ransomware, encrypting the data or locking the device. In other cases, it’s the ransomware vector, encrypting nothing but coercing the victim to download ransomware.
Ransomware attacks can use several methods, or vectors, to infect a network or device. Some of the most prominent ransomware infection vectors include:
- Phishing and other social engineering attacks
- Operating system and software vulnerabilities
- Credential theft
- Other malware
- Drive-by downloads
- Supply chain attacks
Social engineering and other such scams trick victims into downloading and running executable files that turn out to be ransomware. For example, a phishing email might contain a malicious attachment disguised as a harmless-looking .pdf, Microsoft Word document, or other file.
Social engineering attacks might also lure users into visiting a malicious website or scanning malicious QR codes that pass the ransomware through the user’s web browser.
Cybercriminals often exploit existing vulnerabilities to inject malicious code into a device or network.
Zero-day vulnerabilities, which are vulnerabilities either unknown to the security community or identified but not yet patched, pose a particular threat. Some ransomware gangs buy information on zero-day flaws from other hackers to plan their attacks. Hackers have also effectively used patched vulnerabilities as attack vectors, as was the case in the 2017 WannaCry attack.
Cybercriminals can steal authorized users’ credentials, buy them on the dark web or crack them through brute-force attacks. They then use these credentials to log in to a network or computer and deploy ransomware directly.
Remote desktop protocol (RDP), a proprietary Microsoft protocol that enables users to access a computer remotely, is a popular credential-theft target among ransomware attackers.
Hackers often use malware developed for other attacks to deliver ransomware to a device. Threat actors used the Trickbot Trojan, originally designed to steal banking credentials, to spread the Conti ransomware variant throughout 2021.
Hackers can use websites to pass ransomware to devices without the users’ knowledge. Exploit kits use compromised websites to scan visitors’ browsers for web application vulnerabilities they can use to inject ransomware onto a device.
Malvertising—legitimate digital ads that hackers have compromised—can also pass ransomware to devices, even if the user doesn’t click the ad.
Rather than targeting a single organization, attackers compromise a trusted vendor or software provider to gain access to multiple victims at once. A single vulnerability in widely used software can expose thousands of downstream organizations to the same attack.
Cybercriminals don’t necessarily need to develop their own ransomware to exploit these vectors. Some ransomware developers share their malware code with cybercriminals through ransomware as a service (RaaS) arrangements.
The cybercriminal, or “affiliate,” uses the code to carry out an attack and splits the ransom payment with the developer. It’s a mutually beneficial relationship. Affiliates can profit from extortion without having to develop their own malware, and developers can increase their profits without launching more cyberattacks.
Ransomware distributors can sell ransomware through digital marketplaces on the dark web. They can also recruit affiliates directly through online forums or similar avenues. Large ransomware groups have invested significant sums of money in recruitment efforts to attract affiliates.
To date, cybersecurity researchers have identified thousands of distinct ransomware variants, or “families”—unique strains with their own code signatures and functions.
Several ransomware strains are especially notable for the extent of their destruction, how they influenced the development of ransomware or the threats they pose today. They include:
- CryptoLocker
- WannaCry
- Petya and NotPetya
- Ryuk
- DarkSide
- Locky
- REvil
- Conti
- LockBit
- Qilin
First appearing in September 2013, CryptoLocker is widely credited with kick-starting the modern age of ransomware.
Spread through a botnet (a network of hijacked computers), CryptoLocker was one of the first ransomware families to strongly encrypt users’ files. It extorted an estimated USD 3 million before an international law enforcement effort shut it down in 2014.
CryptoLocker’s success spawned numerous copycats and paved the way for variants like WannaCry, Ryuk and Petya.
The first high-profile cryptoworm—ransomware that can spread itself to other devices on a network—WannaCry attacked over 200,000 computers in 150 countries in 2017. The affected computers were vulnerable because administrators had neglected to patch the EternalBlue Microsoft Windows vulnerability.
In addition to encrypting sensitive data, WannaCry ransomware threatened to wipe files if victims did not send payment within seven days. It remains one of the largest ransomware attacks to date, with estimated costs as high as USD 4 billion.
Unlike other crypto ransomware, Petya encrypts the file system table rather than individual files, rendering the infected computer unable to boot Windows.
A heavily modified version, NotPetya, was used to carry out a large-scale cyberattack, primarily against Ukraine, in 2017. NotPetya was a wiper incapable of unlocking systems even after victims paid.
First seen in 2018, Ryuk popularized “big-game ransomware” attacks against specific high-value targets, with ransom demands averaging over USD 1 million. Ryuk can locate and disable backup files and system restore features. A new strain with cryptoworm capabilities appeared in 2021.
Run by a group suspected to be operating out of Russia, DarkSide is the ransomware variant that attacked the Colonial Pipeline on 7 May 2021. In what many consider to be the worst cyberattack on critical US infrastructure to date, DarkSide temporarily shut down the pipeline supplying 45% of the East Coast’s fuel.
In addition to conducting direct attacks, the DarkSide group also licenses its ransomware to affiliates through RaaS arrangements.
Locky is an encrypting ransomware with a distinct method of infection—it uses macros hidden in email attachments (Microsoft Word files) disguised as legitimate invoices. When a user downloads and opens the Microsoft Word document, malicious macros secretly download the ransomware payload to the user’s device.
REvil, also known as Sodin or Sodinokibi, helped popularize the RaaS approach to ransomware distribution.
Known for use in big-game hunting and double-extortion attacks, REvil was behind the 2021 attacks against JBS USA and Kaseya Limited. JBS paid a USD 11 million ransom after the hackers disrupted its entire US beef processing operation. Significant downtime impacted more than 1,000 of Kaseya’s software customers.
The Russian Federal Security Service reported it dismantled REvil and charged several of its members in early 2022.
First observed in 2020, the Conti gang operated an extensive RaaS scheme in which it paid hackers a regular wage to use its ransomware. Conti used a unique form of double-extortion where the gang threatened to sell access to a victim’s network to other hackers if the victim did not pay up.
Conti disbanded after the gang’s internal chat logs leaked in 2022, but many former members are still active in the cybercrime world. One-time Conti associates have gone on to operate or affiliate with some of today’s most active ransomware groups, including Akira and DragonForce.
LockBit is notable for the businesslike behavior of its developers. The LockBit group has been known to acquire other malware strains in much the same way that legitimate businesses acquire other companies.
Despite law enforcement seizing LockBit’s websites in February 2024 and the US government imposing sanctions on senior gang members, LockBit has proven resilient, posting 163 victims in the first quarter of 2026. [1]
A Russia-linked ransomware-as-a-service operation, Qilin targets critical sectors including healthcare, education and legal services. In Q1 2026, Qilin claimed more victims than the combined output of the bottom 50 ransomware groups tracked that quarter. [2]
Ransom demands vary widely, and many victims choose not to publicize how much they paid, so it is difficult to determine an average ransom payment amount. Attackers have demanded ransom payments as high as USD 75 million—the largest single ransom payment on record, paid to the Dark Angels ransomware group by a Fortune 50 company in 2024. [3]
Importantly, the proportion of victims who pay any ransom at all has fallen sharply in recent years. According to the insurance firm Coalition’s 2026 Cyber Claims Report, initial ransom demands in 2025 increased 47% year over year. Despite the increase in demands, a record 86% of businesses refused to pay. [4]
Experts point to better cybercrime preparedness—including increased investment in data backups, incident response plans and threat prevention and detection technology—as a potential driver behind this reversal.
US federal law enforcement agencies unanimously discourage ransomware victims from paying ransom demands. According to the National Cyber Investigative Joint Task Force (NCIJTF), a coalition of 20 partnering US federal agencies charged with investigating cyberthreats:
“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Law enforcement agencies recommend that ransomware victims report attacks to the appropriate authorities, like the FBI’s Internet Crime Complaint Center (IC3), before paying a ransom.
Some victims of ransomware attacks have a legal obligation to report ransomware infections regardless of whether they pay a ransom. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires critical infrastructure organizations to report ransomware incidents to CISA within 72 hours and ransom payments within 24 hours of payment.
Under certain conditions, paying a ransom can be illegal. The US Office of Foreign Assets Control (OFAC) has stated that paying a ransom to attackers from countries under US economic sanctions—such as North Korea or Iran—violates OFAC regulations. Violators can face civil penalties, fines or criminal charges.
Some US states, such as Florida and North Carolina, have made it illegal for state government agencies to pay a ransom.
Building cyber resilience against ransomware requires both preventive measures and a solid recovery plan.
Cybersecurity experts and federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the US Secret Service recommend that organizations take data security measures to defend against ransomware threats. These measures can include:
- Maintain backup and disaster recovery copies
- Apply patches
- Deploy cybersecurity tools
- Train employees
- Implement access control policies
- Adopt a zero trust approach
- Leverage storage options
- Create a formal incident response plan
- Build a recovery plan
Maintaining backup and disaster recovery copies, including copies of sensitive information and system images, helps organizations recover in the event of a ransomware attack. Ideally these copies are stored on hard drives or other devices that the IT team can disconnect from the network (air gapping), so that ransomware on the network cannot reach them.
Applying patches regularly helps thwart ransomware attacks that exploit software and operating system vulnerabilities.
Cybersecurity tools such as firewalls, antimalware software, network monitoring tools and threat intelligence platforms help security teams stay ahead of attacks. Endpoint detection and response (EDR) platforms and security information and event management (SIEM) systems enable security teams to intercept ransomware in real time.
Employee cybersecurity training can help users recognize and avoid phishing, social engineering and other tactics that can lead to ransomware infections.
Implementing access control policies including multifactor authentication, network segmentation and similar measures can prevent ransomware from reaching sensitive data. Identity and access management (IAM) controls can also keep cryptoworms from spreading to other devices on the network.
Adopting a zero trust approach assumes no user or device is trusted by default, even inside the network. Requiring continuous authentication at every access point limits the damage ransomware can do once it gets in.
Formal incident response plans enable security teams to intercept and remediate breaches in less time. According to the IBM 2025 Cost of a Data Breach Report, organizations that used AI and automation in threat detection and response (TDR) saved an average of USD 1.9 million compared to those that did not.
The latest data storage solutions use AI and machine learning (ML) to continuously monitor I/O activity and detect ransomware anomalies before encryption begins. Immutable storage and air-gapped backups that cannot be altered or deleted by attackers are also now a key part of any ransomware recovery strategy.
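The behaviours described in this article (disabling restore features and deleting backups during deployment, rewriting files with encrypted content, then dropping a .txt ransom note) are exactly what EDR, SIEM and storage I/O anomaly monitoring look for. The following is an added example, not IBM’s code or any product’s detection logic: a small Python detector run over constructed endpoint telemetry. The event format, the thresholds and the command-line markers are assumptions chosen for illustration.

```python
import math
import os
import random
from collections import defaultdict, deque

# Constructed endpoint telemetry (not real logs). Each event is
# (timestamp_seconds, process_name, kind, payload), where a "process" event
# carries the command line run and a "write" event carries (old_path, new_path, bytes).
_rng = random.Random(7)  # seeded so the constructed sample is reproducible

def _encrypted_blob(n: int = 512) -> bytes:
    """Stand-in for ciphertext: uniformly random bytes have near-maximal entropy."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

NOTE_PATH = "C:/Users/a/Desktop/README_DECRYPT.txt"
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "write",
     ("C:/Users/a/report.docx", "C:/Users/a/report.docx", b"Quarterly report. " * 16)),
    (1.0, "svchost.exe", "process", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    # Deployment-stage behaviour from the article: disabling restore, deleting backups
    (2.0, "updater.exe", "process", "vssadmin.exe delete shadows /all /quiet"),
    (2.1, "updater.exe", "process", "wbadmin delete catalog -quiet"),
]
# Burst of files rewritten with high-entropy content and a new extension
for i in range(40):
    SAMPLE_EVENTS.append((3.0 + i * 0.05, "updater.exe", "write",
                          (f"C:/Users/a/docs/file{i}.xlsx",
                           f"C:/Users/a/docs/file{i}.xlsx.locked", _encrypted_blob())))
# Ransom note dropped on the desktop as a .txt file, as the article describes
SAMPLE_EVENTS.append((5.5, "updater.exe", "write", (NOTE_PATH, NOTE_PATH, b"Your files are encrypted.")))

# Assumed command-line fragments associated with backup/restore tampering
BACKUP_TAMPER_MARKERS = (
    "vssadmin delete shadows",  # deletes Volume Shadow Copies
    "wbadmin delete catalog",   # deletes the Windows Backup catalog
    "recoveryenabled no",       # bcdedit: disables Windows recovery
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents are typically well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect(events, window_s=5.0, burst_threshold=20, entropy_threshold=7.0):
    """Return (alert_type, process, detail) tuples for ransomware-like behaviour."""
    alerts = []
    recent = defaultdict(deque)  # process -> timestamps of high-entropy renames
    flagged = set()              # processes already flagged for mass encryption
    for ts, proc, kind, payload in events:
        if kind == "process":
            cmd = " ".join(payload.lower().replace(".exe", "").split())
            if any(marker in cmd for marker in BACKUP_TAMPER_MARKERS):
                alerts.append(("backup_tampering", proc, payload))
        elif kind == "write":
            old_path, new_path, data = payload
            # Correlation: a .txt written by a process that is already mass-encrypting
            if proc in flagged and new_path.lower().endswith(".txt"):
                alerts.append(("ransom_note_drop", proc, new_path))
                continue
            changed_ext = os.path.splitext(old_path)[1] != os.path.splitext(new_path)[1]
            if changed_ext and shannon_entropy(data) >= entropy_threshold:
                window = recent[proc]
                window.append(ts)
                while window and ts - window[0] > window_s:
                    window.popleft()  # keep only writes inside the sliding window
                if len(window) >= burst_threshold and proc not in flagged:
                    flagged.add(proc)
                    alerts.append(("mass_encryption", proc, f"{len(window)} high-entropy renames in {window_s}s"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two backup-tampering alerts, one mass-encryption alert and one ransom-note alert, all attributed to the same process; the legitimate Word save and service start produce nothing.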
Having a recovery plan means knowing in advance how to isolate infected systems, notify the appropriate authorities, restore data from clean backups and resume operations. A plan should also address how to communicate with stakeholders in the event of an attack. Organizations that test their recovery plans regularly limit downtime and strengthen overall operational resilience.
While decryptor tools for some ransomware variants are publicly available through projects like No More Ransom [5], remediation of an active ransomware infection often needs a multifaceted approach that includes software solutions such as SOAR (security orchestration, automation and response).
1989: The first documented ransomware, known as the “AIDS Trojan” or “P.C. Cyborg” attack, is distributed through floppy disks. It hides file directories on the victim’s computer and demands USD 189 to unhide them. Because this malware works by encrypting file names rather than the files themselves, it is easy for users to reverse the damage without paying a ransom.
1996: While analyzing the AIDS Trojan, computer scientists Adam L. Young and Moti Yung warn of future forms of malware that could use more sophisticated cryptography to hold sensitive data hostage.
2005: After relatively few ransomware attacks through the early 2000s, an uptick of infections begins, centered in Russia and Eastern Europe. The first variants to use asymmetric encryption appear. As new ransomware offers more effective ways to extort money, more cybercriminals begin spreading ransomware worldwide.
2009: The introduction of cryptocurrency, particularly Bitcoin, gives cybercriminals a way to receive untraceable ransom payments, driving the next surge in ransomware activity.
2013: The modern era of ransomware begins with CryptoLocker inaugurating the current wave of highly sophisticated encryption-based ransomware attacks soliciting payment in cryptocurrency.
2015: The Tox ransomware variant introduces the ransomware as a service (RaaS) model.
2017: WannaCry, the first widely used self-replicating cryptoworm, appears.
2018: Ryuk popularizes big-game ransomware hunting.
2019: Double-extortion and triple-extortion ransomware attacks become more popular. Almost every ransomware incident that the IBM Security® X-Force® Incident Response team has responded to since 2019 has involved double extortion.
2022: Thread hijacking—in which cybercriminals insert themselves into targets’ legitimate online conversations to spread malware—emerges as a prominent ransomware vector.
2023: As defenses against ransomware improve, many ransomware gangs begin to expand their arsenals and supplement their ransomware with new extortion tactics. In particular, gangs like LockBit and some remnants of Conti begin using infostealer malware that enables them to steal sensitive data and hold it hostage without needing to lock down victims’ systems.
2024: Worldwide law enforcement agencies take down LockBit’s infrastructure in one of the largest ransomware takedowns ever. A ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, exposes the data of more than 190 million people in one of the largest healthcare breaches on record.
2025: A ransomware attack on education software provider PowerSchool exposes the data of 62 million students and 9.5 million teachers across North America. The IBM 2026 X-Force Threat Intelligence Index finds that smaller, harder-to-track ransomware operators are flooding the ecosystem as threat actors turn to AI to automate attacks. X-Force expects this trend to grow as attackers take on more advanced tasks such as reconnaissance and advanced ransomware attacks.
[1], [2] The State of Ransomware – Q1 2026, Check Point Research, May 11, 2026.
[3] Ransomware Q1 2026: Fewer Groups, Bigger Hits, Pre-Staged Access, Cybersecurity Insiders, May 13, 2026.
[4] 2026 Cyber Claims Report, Coalition, 2026.
[5] Decryption tools, No More Ransom.