What is ransomware?

Ransomware is a form of malware that threatens to destroy or withhold the victim’s data or files unless a ransom is paid to the attacker to decrypt and restore access to the data

Person sits at desk while looking at the open laptop computer before them.

How ransomware works

Malware with a ransom note 
Ransomware is malicious software used by threat actors that aims to extort money from victims. This form of cyber aggression is one of the most prolific criminal business models in existence today. Ransomware attacks can cost an organization millions of dollars and can require hundreds of hours to rebuild the devices and restore data destroyed during an attack.

Organizations often learn about their cyber-attack when they receive a notification from an infected machine informing them that their data has been targeted. There are typically a few steps within a typical ransomware attack. First, the system or control server is compromised to install the malware. Next, the malware takes control of the machine by encrypting data with the ransomware. Then, the compromised machine displays a message with the “ransom note” with the attacker’s demands for the individual or corporation, telling them that their encrypted files will not be accessible until the ransom is paid. 

Ransom payments
Payment is frequently demanded in the form of cryptocurrency, credit card, or gift cards, but that doesn’t ensure that the victim will regain access. If the victim chooses to pay the ransom, the attackers could provide the decryption key to restore access to the victim’s data. Sometimes the victim can pay, and the attackers don’t provide the decryption key, resulting in both data and financial loss. Sometimes a victim chooses not to pay the ransom and relies on system rebuilds and data backups to restore their IT operations. Victims who are targeted once are often targeted by the same cyber criminals again, particularly if they’ve shown a willingness to pay before. 

According to the report “Combatting Destructive Malware”, on average, a single ransomware attack costs large multinational companies USD 239 million and destroys 12,316 computer workstations. The cyber threat landscape is constantly evolving and expanding with new ransomware due to the complexity of networks, the cloud, remote virtualization, and the IoT.

What causes a ransomware infection?

There are several ways that ransomware can get into your computer or system. One of the most common is email phishing and spam with messages that include a malicious attachment or link leading to a compromised website. Once the user opens the attachment or clicks the link, the ransomware can infect the computer and spread to the entire network.

Another ransomware attack vector is through an exploit kit that takes advantage of a vulnerability, or security hole, in the system or program. WannaCry is an example of a ransomware infection that affected hundreds of systems worldwide through an exploit in the Microsoft Windows operating system in 2018. It can also take the form of a fake software update, prompting users to enable admin capabilities and execute the malicious code.

Phishing, social engineering and other tactics
Ransomware has been around since 1989, and the attack landscape is constantly expanding as the world’s network and infrastructure gets more complex, from cloud to mobile to IoT.

Ransomware often enters organizations via phishing emails that contain malicious attachments or links to malicious sites. For example, Locky Ransomware infects victims through a Microsoft Word document with embedded malicious macros.

Ransomware can be difficult to combat, but a combination of user education, proactive and practiced incident response planning, and basic security hygiene such as aggressive patch management and endpoint protection solutions can help. The practice of cyber resilience encompasses data protection, data recovery, resilience best practices, and ransomware training for end-users.  For organizations that have moved data to the cloud, or use the cloud as their backup location, using tools such as cloud data encryption can help reduce the risk and cost of a ransomware attack.

Types of ransomware attacks


There are two main classes of ransomware, and both are intended to disrupt business operations for financial gain for the attackers.

Crypto ransomware

Crypto ransomware prevents access to files or data through encryption with a different randomly generated symmetric key for each file. The symmetric key is then encrypted with a public asymmetric key; attackers then demand the ransom payment for access to the asymmetric key.


Doxware is a form of crypto ransomware where victims are threatened with not only losing access to their files, but also having their private files and data made public through “doxing”.

Locker ransomware

Locker ransomware locks the computer or device by preventing users from logging in; an infected machine can display an official looking message warning the user. This type of malware does not actually encrypt files on the device.

If you have an infected computer

The Department of Homeland Security issued an alert on ransomware (link resides outside IBM) and recent variants with advice for organizations and individuals. Their top recommendation is to have a secure data backup and recovery process.

The DHS advised organizations to:

  • Implement a backup and recovery plan for all critical data;
  • Regularly test backups to limit the impact of a data breach and accelerate the recovery process; and
  • Isolate critical backups from the network for maximum protection if network-connected backups are affected by ransomware.

Recovering from ransomware is all about maintaining control of your data as efficiently and securely as possible.  Regulations such as GDPR in Europe and the California Consumer Privacy Act are imposing new requirements for data breach notifications that affect how you should handle a ransomware attack. The FBI recommends reporting any ransomware attacks to federal law enforcement so they can coordinate with local United States law enforcement agencies to track attacks and identify attackers.

If you are experiencing a cybersecurity incident, contact the IBM Security X-Force team for immediate help.


Related solutions

Protect data against ransomware attacks

Learn how to protect your organization’s data from ransomware threats that can hold it hostage.

Network security

Secure network infrastructure against advanced threats and malware.

Security information and event management (SIEM)

Get centralized visibility to detect, investigate, and respond to cybersecurity threats.

IBM Security X-Force Incident Response Retainer

Discover how you can improve cyber incident response preparedness and minimize the impact of breaches.

Orchestrate incident response

Get faster incident response rates with intelligent orchestration and automation.

Managed detection and response

Threat defense starts with around-the-clock prevention, detection and fast response.

Respond faster

Avoid paying ransomware by isolating immutable data copies. In the event of an attack, copies can be quickly restored to recover with confidence.

Manage and control mobile devices

Have permanent view and control of essentially all your mobile devices, apps and content; run AI-powered security analytics; and maintain security across all your platforms.

Flash storage solutions

Simplify data and infrastructure management with the unified IBM FlashSystem® platform family, which streamlines administration and operational complexity across on-premises, hybrid cloud, virtualized and containerized environments.