Ransomware is a type of malware that holds a victim’s sensitive data or device hostage, threatening to keep it locked—or worse—unless the victim pays a ransom to the attacker.
The earliest ransomware attacks simply demanded a ransom in exchange for the encryption key needed to regain access to the affected data or use of the infected device. By making regular or continuous data backups, an organization could limit costs from these types of ransomware attacks and often avoid paying the ransom demand.
Ransomware attacks have evolved to include double-extortion and triple-extortion tactics that raise the stakes considerably. Even victims who rigorously maintain data backups or pay the initial ransom demand are at risk.
Double-extortion attacks add the threat of stealing the victim’s data and leaking it online. Triple-extortion attacks add the threat of using the stolen data to attack the victim’s customers or business partners.
Ransomware is one of the most common forms of malicious software, and ransomware attacks can cost affected organizations millions of dollars. Beyond the ransom itself, organizations face regulatory fines, lawsuits and long-term damage to customer trust.
The IBM 2026 X-Force Threat Intelligence Index, found that the number of active ransomware and extortion groups rose 49% year over year, from 73 groups in 2024 to 109 in 2025. Manufacturing, healthcare and energy remain the most targeted sectors, with manufacturing topping the list for the fifth consecutive year.
The report also found that artificial intelligence (AI) is helping attackers find and exploit weaknesses faster, giving them new ways to scale phishing campaigns and speed up malware creation.
Ransom payments are only part of the total cost of a ransomware infection. Ransomware victims and negotiators are reluctant to disclose ransom payments, but threat actors often demand seven-figure and eight-figure amounts. According to the 2025 Cost of a Data Breach Report from IBM and the Ponemon Institute, 63% of organizations that experienced a ransomware attack refused to pay, up from 59% the prior year. With fewer organizations paying, ransom demands have remained high, averaging $5.08 million for attacker-disclosed attacks.
That said, cybersecurity teams are becoming more adept at combating ransomware. The X-Force Threat Intelligence Index also shows that while active ransomware groups jumped 49%, publicly disclosed victim counts rose only 12%, likely due to improvements in threat detection and prevention.
A ransomware attack typically moves through a series of stages before a victim ever sees a ransom demand:
- Stage 1: Initial access
- Stage 2: Post-exploitation
- Stage 3: Understand and expand
- Stage 4: Data collection and exfiltration
- Stage 5: Deployment and extortion
The most common methods or vectors for ransomware attacks are phishing, vulnerability exploitation and compromising remote access protocols like RDP.
Depending on the initial access vector, hackers might deploy an intermediary remote access tool (RAT) or other malware to help gain a foothold in the target system.
During this third stage, attackers focus on understanding the local system and domain that they can currently access. The attackers also work on gaining access to other systems and domains, a process called lateral movement.
Here the ransomware operators switch focus to identifying valuable data and exfiltrating (stealing) it, usually by downloading or exporting a copy for themselves.
While attackers might exfiltrate any data that they can access, they usually focus on especially valuable data—login credentials, customers’ personal information, intellectual property—that they can use for double-extortion.
Crypto ransomware begins identifying and determining the best ways to encrypt data and files. Some crypto ransomware also disables system restore features or deletes or encrypts backups on the victim’s computer or network to increase the pressure to pay for the decryption key.
Non-encrypting ransomware locks the device screen, floods the device with pop-ups or otherwise prevents the victim from using the device.
After the files have been encrypted or the device has been made unusable, the ransomware alerts the victim to the infection. This notification often comes through a .txt file deposited on the computer’s desktop or through a pop-up window.
The ransom note contains instructions on how to pay the ransom, usually in cryptocurrency or a similarly untraceable method. Payment is in exchange for a decryption key or restoration of standard operations.
There are two general types of ransomware:
- Encrypting ransomware or crypto ransomware
- Non-encrypting ransomware or screen-locking ransomware
The most common type, called encrypting ransomware or crypto ransomware, holds the victim’s data hostage by encrypting it. The attacker then demands a ransom in exchange for providing the encryption key needed to decrypt the data.
The less common form of ransomware, called non-encrypting ransomware or screen-locking ransomware, locks the victim’s entire device, usually by blocking access to the operating system. Instead of starting up as usual, the device displays a screen that makes the ransom demand.
These two general types fall into these subcategories:
- Leak or doxware
- Mobile ransomware
- Wipers
- Scareware
Leakware or doxware is ransomware that steals, or exfiltrates, sensitive data and threatens to publish it. While earlier forms of leakware or doxware often stole data without encrypting it, today’s variants usually do both.
Mobile ransomware includes all ransomware that affects mobile devices. Delivered through malicious apps or drive-by downloads, most mobile ransomware is non-encrypting ransomware. Hackers prefer screen-lockers for mobile attacks because automated cloud data backups, standard on many mobile devices, make it easy to reverse encryption attacks.
Wipers, or destructive ransomware, threaten to destroy data if the victim does not pay the ransom. In some cases, the ransomware destroys the data even if the victim pays. This latter type of wiper is often deployed by nation-state actors or hacktivists rather than common cybercriminals.
Scareware is just what it sounds like—ransomware that tries to scare users into paying a ransom. Scareware might pose as a message from a law enforcement agency, accusing the victim of a crime and demanding a fine. Alternatively, it might spoof a legitimate virus infection alert, encouraging the victim to purchase ransomware disguised as antivirus software.
Sometimes, the scareware is the ransomware, encrypting the data or locking the device. In other cases, it’s the ransomware vector, encrypting nothing but coercing the victim to download ransomware.
Join security leaders who rely on the Think Newsletter for curated news on AI, cybersecurity, data and automation. Learn fast from expert tutorials and explainers—delivered directly to your inbox twice weekly. See the IBM Privacy Statement.
Ransomware attacks can use several methods, or vectors, to infect a network or device. Some of the most prominent ransomware infection vectors include:
- Phishing and other social engineering attacks
- Operating system and software vulnerabilities
- Credential theft
- Other malware
- Drive-by downloads
- Supply chain attacks
Social engineering and other such scams trick victims into downloading and running executable files that turn out to be ransomware. For example, a phishing email might contain a malicious attachment disguised as a harmless-looking .pdf, Microsoft Word document, or other file.
Social engineering attacks might also lure users into visiting a malicious website or scanning malicious QR codes that pass the ransomware through the user’s web browser.
Cybercriminals often exploit existing vulnerabilities to inject malicious code into a device or network.
Zero-day vulnerabilities, which are vulnerabilities either unknown to the security community or identified but not yet patched, pose a particular threat. Some ransomware gangs buy information on zero-day flaws from other hackers to plan their attacks. Hackers have also effectively used patched vulnerabilities as attack vectors, as was the case in the 2017 WannaCry attack.
Cybercriminals can steal authorized users’ credentials, buy them on the dark web or crack them through brute-force attacks. They then use these credentials to log in to a network or computer and deploy ransomware directly.
Remote desktop protocol (RDP), a proprietary Microsoft protocol that enables users to access a computer remotely, is a popular credential-theft target among ransomware attackers.
Hackers often use malware developed for other attacks to deliver ransomware to a device. Threat actors used the Trickbot Trojan, originally designed to steal banking credentials, to spread the Conti ransomware variant throughout 2021.
Hackers can use websites to pass ransomware to devices without the users’ knowledge. Exploit kits use compromised websites to scan visitors’ browsers for web application vulnerabilities they can use to inject ransomware onto a device.
Malvertising—legitimate digital ads that hackers have compromised—can also pass ransomware to devices, even if the user doesn’t click the ad.
Rather than targeting a single organization, attackers compromise a trusted vendor or software provider to gain access to multiple victims at once. A single vulnerability in widely used software can expose thousands of downstream organizations to the same attack.
Cybercriminals don’t necessarily need to develop their own ransomware to exploit these vectors. Some ransomware developers share their malware code with cybercriminals through ransomware as a service (RaaS) arrangements.
The cybercriminal, or “affiliate,” uses the code to carry out an attack and splits the ransom payment with the developer. It’s a mutually beneficial relationship. Affiliates can profit from extortion without having to develop their own malware, and developers can increase their profits without launching more cyberattacks.
Ransomware distributors can sell ransomware through digital marketplaces on the dark web. They can also recruit affiliates directly through online forums or similar avenues. Large ransomware groups have invested significant sums of money in recruitment efforts to attract affiliates.
To date, cybersecurity researchers have identified thousands of distinct ransomware variants, or “families”—unique strains with their own code signatures and functions.
Several ransomware strains are especially notable for the extent of their destruction, how they influenced the development of ransomware or the threats they pose today. They include:
- CryptoLocker
- WannaCry
- Petya and NotPetya
- Ryuk
- DarkSide
- Locky
- REvil
- Conti
- LockBit
- Qilin
First appearing in September 2013, CryptoLocker is widely credited with kick-starting the modern age of ransomware.
Spread through a botnet (a network of hijacked computers), CryptoLocker was one of the first ransomware families to strongly encrypt users’ files. It extorted an estimated USD 3 million before an international law enforcement effort shut it down in 2014.
CryptoLocker’s success spawned numerous copycats and paved the way for variants like WannaCry, Ryuk and Petya.
The first high-profile cryptoworm—ransomware that can spread itself to other devices on a network—WannaCry attacked over 200,000 computers in 150 countries in 2017. The affected computers were vulnerable because administrators had neglected to patch the EternalBlue Microsoft Windows vulnerability.
In addition to encrypting sensitive data, WannaCry ransomware threatened to wipe files if victims did not send payment within seven days. It remains one of the largest ransomware attacks to date, with estimated costs as high as USD 4 billion.
Unlike other crypto ransomware, Petya encrypts the file system table rather than individual files, rendering the infected computer unable to boot Windows.
A heavily modified version, NotPetya, was used to carry out a large-scale cyberattack, primarily against Ukraine, in 2017. NotPetya was a wiper incapable of unlocking systems even after victims paid.
First seen in 2018, Ryuk popularized “big-game ransomware” attacks against specific high-value targets, with ransom demands averaging over USD 1 million. Ryuk can locate and disable backup files and system restore features. A new strain with cryptoworm capabilities appeared in 2021.
Run by a group suspected to be operating out of Russia, DarkSide is the ransomware variant that attacked the Colonial Pipeline on 7 May 2021. In what many consider to be the worst cyberattack on critical US infrastructure to date, DarkSide temporarily shut down the pipeline supplying 45% of the East Coast’s fuel.
In addition to conducting direct attacks, the DarkSide group also licenses its ransomware to affiliates through RaaS arrangements.
Locky is an encrypting ransomware with a distinct method of infection—it uses macros hidden in email attachments (Microsoft Word files) disguised as legitimate invoices. When a user downloads and opens the Microsoft Word document, malicious macros secretly download the ransomware payload to the user’s device.
REvil, also known as Sodin or Sodinokibi, helped popularize the RaaS approach to ransomware distribution.
Known for use in big-game hunting and double-extortion attacks, REvil was behind the 2021 attacks against JBS USA and Kaseya Limited. JBS paid a USD 11 million ransom after the hackers disrupted its entire US beef processing operation. Significant downtime impacted more than 1,000 of Kaseya’s software customers.
The Russian Federal Security Service reported it dismantled REvil and charged several of its members in early 2022.
First observed in 2020, the Conti gang operated an extensive RaaS scheme in which it paid hackers a regular wage to use its ransomware. Conti used a unique form of double-extortion where the gang threatened to sell access to a victim’s network to other hackers if the victim did not pay up.
Conti disbanded after the gang’s internal chat logs leaked in 2022, but many former members are still active in the cybercrime world. One-time Conti associates have gone on to operate or affiliate with some of today’s most active ransomware groups, including Akira and DragonForce.
LockBit is notable for the businesslike behavior of its developers. The LockBit group has been known to acquire other malware strains in much the same way that legitimate businesses acquire other companies.
Despite law enforcement seizing LockBit’s websites in February 2024 and the US government imposing sanctions on senior gang members, LockBit has proven resilient, posting 163 victims in the first quarter of 2026.1
A Russia-linked ransomware-as-a-service operation, Qilin targets critical sectors including healthcare, education and legal services. In Q1 2026, Qilin claimed more victims than the combined output of the bottom 50 ransomware groups tracked that quarter.2
Ransom demands vary widely, and many victims choose not to publicize how much they paid, so it is difficult to determine an average ransom payment amount. Attackers have demanded ransom payments as high as USD 75 million—the largest single ransom payment on record, paid to the Dark Angels ransomware group by a Fortune 50 company in 2024.3
Importantly, the proportion of victims who pay any ransom at all has fallen sharply in recent years. According to the insurance firm Coalition’s 2026 Cyber Claims Report, initial ransom demands in 2025 increased 47% year-over-year. Despite the increase in demands, a record 86% of businesses refused to pay.4
Experts point to better cybercrime preparedness—including increased investment in data backups, incident response plans and threat prevention and detection technology—as a potential driver behind this reversal.
US federal law enforcement agencies unanimously discourage ransomware victims from paying ransom demands. According to the National Cyber Investigative Joint Task Force (NCIJTF), a coalition of 20 partnering US federal agencies charged with investigating cyberthreats:
“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Law enforcement agencies recommend that ransomware victims report attacks to the appropriate authorities, like the FBI’s Internet Crime Complaint Center (IC3), before paying a ransom.
Some victims of ransomware attacks have a legal obligation to report ransomware infections regardless of whether they pay a ransom. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires critical infrastructure organizations to report ransomware incidents to CISA within 72 hours and ransom payments within 24 hours of payment.
Under certain conditions, paying a ransom can be illegal. The US Office of Foreign Assets Control (OFAC) has stated that paying a ransom to attackers from countries under US economic sanctions—such as North Korea or Iran—violates OFAC regulations. Violators can face civil penalties, fines or criminal charges.
Some US states, such as Florida and North Carolina, have made it illegal for state government agencies to pay a ransom.
Building cyber resilience against ransomware requires both preventive measures and a solid recovery plan.
Cybersecurity experts and federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the US Secret Service recommend that organizations take data security measures to defend against ransomware threats. These measures can include:
- Maintain backup and disaster recovery copies
- Apply patches
- Deploy cybersecurity tools
- Train employees
- Implement access control policies
- Adopt a zero trust approach
- Leverage storage options
- Create a formal incident response plan
- Build a recovery plan
Maintaining backup and disaster recovery copies, including sensitive information and system images, ideally on hard drives or other devices that the IT team can disconnect from the network (air gapping), helps organizations recover in the event of a ransomware attack.
Applying patches regularly helps thwart ransomware attacks that exploit software and operating system vulnerabilities.
Cybersecurity tools such as firewalls, antimalware software, network monitoring tools and threat intelligence platforms help security teams stay ahead of attacks. Endpoint detection and response (EDR) platforms and security information and event management (SIEM) systems enable security teams to intercept ransomware in real-time.
Employee cybersecurity training can help users recognize and avoid phishing, social engineering and other tactics that can lead to ransomware infections.
Implementing access control policies including multifactor authentication, network segmentation and similar measures can prevent ransomware from reaching sensitive data. Identity and access management (IAM) controls can also keep cryptoworms from spreading to other devices on the network.
Adopting a zero trust approach assumes no user or device is trusted by default, even inside the network. Requiring continuous authentication at every access point limits the damage ransomware can do once it gets in.
Formal incident response plans enable security teams to intercept and remediate breaches in less time. According to the IBM 2025 Cost of a Data Breach Report, organizations that used AI and automation in threat detection and response (TDR) saved an average of USD 1.9 million compared to those that did not.
The latest data storage solutions use AI and machine learning (ML) to continuously monitor I/O activity and detect ransomware anomalies before encryption begins. Immutable storage and air-gapped backups that cannot be altered or deleted by attackers are also now a key part of any ransomware recovery strategy.
Having a recovery plan means knowing in advance how to isolate infected systems, notify the appropriate authorities, restore data from clean backups and resume operations. A plan should also address how to communicate with stakeholders in the event of an attack. Organizations that test their recovery plans regularly limit downtime and strengthen overall operational resilience.
While decryptor tools for some ransomware variants are publicly available through projects like No More Ransom5, remediation of an active ransomware infection often needs a multifaceted approach that includes software solutions such as SOAR (security orchestration, automation and response).
1989: The first documented ransomware, known as the “AIDS Trojan” or “P.C. Cyborg” attack, is distributed through floppy disks. It hides file directories on the victim’s computer and demands USD 189 to unhide them. Because this malware works by encrypting file names rather than the files themselves, it is easy for users to reverse the damage without paying a ransom.
1996: While analyzing the AIDS Trojan, computer scientists Adam L. Young and Moti Yung warn of future forms of malware that could use more sophisticated cryptography to hold sensitive data hostage.
2005: After relatively few ransomware attacks through the early 2000s, an uptick of infections begins, centered in Russia and Eastern Europe. The first variants to use asymmetric encryption appear. As new ransomware offers more effective ways to extort money, more cybercriminals begin spreading ransomware worldwide.
2009: The introduction of cryptocurrency, particularly Bitcoin, gives cybercriminals a way to receive untraceable ransom payments, driving the next surge in ransomware activity.
2013: The modern era of ransomware begins with CryptoLocker inaugurating the current wave of highly sophisticated encryption-based ransomware attacks soliciting payment in cryptocurrency.
2015: The Tox ransomware variant introduces the ransomware as a service (RaaS) model.
2017: WannaCry, the first widely used self-replicating cryptoworm, appears.
2018: Ryuk popularizes big game ransomware hunting.
2019: Double-extortion and triple-extortion ransomware attacks become more popular. Almost every ransomware incident that the IBM Security® X-Force® Incident Response team has responded to since 2019 has involved double extortion.
2022: Thread hijacking—in which cybercriminals insert themselves into targets’ legitimate online conversations to spread malware—emerges as a prominent ransomware vector.
2023: As defenses against ransomware improve, many ransomware gangs begin to expand their arsenals and supplement their ransomware with new extortion tactics. In particular, gangs like LockBit and some remnants of Conti begin using infostealer malware that enables them to steal sensitive data and hold it hostage without needing to lock down victims’ systems.
2024: Worldwide law enforcement agencies take down LockBit’s infrastructure in one of the largest ransomware takedowns ever. A ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, exposes the data of more than 190 million people in one of the largest healthcare breaches on record.
2025: A ransomware attack on education software provider PowerSchool exposes the data of 62 million students and 9.5 million teachers across North America. The IBM 2026 X-Force Threat Intelligence Index finds that smaller, harder-to-track ransomware operators are flooding the ecosystem as threat actors turn to AI to automate attacks. X-Force expects this trend to grow as attackers take on more advanced tasks such as reconnaissance and advanced ransomware attacks.
1,2 The State of Ransomware – Q1 2026, Check Point Research. May 11, 2026.
3 Ransomware Q1 2026: Fewer Groups, Bigger Hits, Pre-Staged Access, Cybersecurity Insiders, May 13, 2026.
4 2026 Cyber Claims Report, Coalition, 2026.
5 Decryption tools . No More Ransom.