Ransomware is a type of malware (malicious software) that locks a victim’s data or device and threatens to keep it locked—or worse—unless the victim pays a ransom to the attacker. According to the IBM Security X-Force Threat Intelligence Index 2023, ransomware attacks represented 17 percent of all cyberattacks in 2022.
The earliest ransomware attacks simply demanded a ransom in exchange for the encryption key needed to regain access to the affected data or use of the infected device. By making regular or continuous data backups, an organization could limit costs from these types of ransomware attacks and often avoid paying the ransom demand.
But in recent years, ransomware attacks have evolved to include double-extortion and triple-extortion attacks that raise the stakes considerably—even for victims who rigorously maintaining data backups or pay the initial ransom demand. Double-extortion attacks add the threat of stealing the victim’s data and leaking it online; on top of that, triple-extortion attacks threaten to use the stolen data to attack the victim’s customers or business partners.
The 2023 X-Force Threat Intelligence Index found that ransomware's share of all cybersecurity incidents declined by 4 percent from 2021 to 2022, likely because defenders were more successful detecting and preventing ransomware attacks. But this positive finding was eclipsed by a massive 94 percent reduction in the average attack timeline—from 2 months to fewer than 4 days, giving organizations very little time to detect and thwart potential attacks.
Ransomware victims and negotiators are reluctant to disclose ransom payment amounts. However, according to the report Definitive Guide to Ransomware 2022 (PDF, 966 KB), ransom demands have grown to seven- and eight-figure amounts. And ransom payments are only part of the total cost of a ransomware infection. According to IBM’s Cost of a Data Breach 2022 report, the average cost of a data breach caused by a ransomware attack—not including the ransom payment—was USD 4.54 million. Ransomware attacks are expected to cost victims an estimated USD 30 billion overal in 2023 (link resides outside ibm.com).
There are two general types of ransomware. The most common type, called encrypting ransomware or crypto ransomware, holds the victim’s data hostage by encrypting it. The attacker then demands a ransom in exchange for providing the encryption key needed to decrypt the data.
The less common form of ransomware, called non-encrypting ransomware or screen-locking ransomware, locks the victim’s entire device, usually by blocking access to the operating system. Instead of starting up as usual, the device displays a screen that makes the ransom demand.
These two types can be further divided into the following subcategories:
- Leakware/Doxware is ransomware that steals, or exfiltrates, sensitive data and threatens to publish it. While earlier forms of leakware or doxware often stole data without encrypting it, today’s variants often do both.
- Mobile ransomware includes all ransomware that affects mobile devices. Delivered via malicious apps or drive-by download, mobile ransomware is typically non-encrypting ransomware because automated cloud data backups, standard on many mobile devices, make it easy to reverse encryption attacks.
- Wipers/destructive ransomware threatens to destroy data if the ransom isn't paid—except in cases where the ransomware destroys the data even if the ransom is paid. This latter type of wiper is often suspected to be deployed by nation-state actors or hactivists rather than common cybercriminals.
- Scareware is just what it sounds like—ransomware that tries to scare users into paying a ransom. Scareware might pose as message from a law enforcement agency, accusing the victim of a crime and demanding a fine; it might spoof a legitimate virus infection alert, encouraging the victim to purchase antivirus or antimalware software. Sometimes, the scareware is ransomware, encrypting the data or locking the device; in other cases, it’s the ransomware vector, encrypting nothing but coercing the victim to download ransomware.
Ransomware attacks can use several methods, or vectors, to infect a network or device. Some of the most prominent ransomware infection vectors include:
- Phishing emails and other social engineering attacks: Phishing emails manipulate users into downloading and running a malicious attachment (which contains the ransomware disguised as a harmless looking .pdf, Microsoft Word document, or other file), or into visiting a malicious website that passes the ransomware through the user’s web browser. In IBM's Cyber Resilient Organization Study 2021, phishing and other social engineering tactics caused 45 percent of all ransomware attacks reported by survey participants, making them the most common of all ransomware attack vectors.
- Operating system and software vulnerabilities: Cybercriminals often exploit existing vulnerabilities to inject malicious code into a device or network. Zero-day vulnerabilities, which are vulnerabilities either unknown to the security community or identified but not yet patched, pose a particular threat. Some ransomware gangs buy information on zero-day flaws from other hackers to plan their attacks. Hackers have also effectively used patched vulnerabilities as attack vectors, as was the case in the 2017 WannaCry attack discussed below.
- Credential theft: Cybercriminals may steal authorized users' credentials, buy them on the dark web, or crack them through brute force. They may then use these credentials to log into a network or computer and deploy ransomware directly. Remote desktop protocol (RDP), a proprietary protocol developed by Microsoft to allow users to access a computer remotely, is a popular credential-theft target among ransomware attackers.
- Other malware: Hackers often use malware developed for other attacks to deliver a ransomware to a device. The Trickbot trojan, for example, originally designed to steal banking credentials, was used to spread the Conti ransomware variant throughout 2021.
- Drive-by downloads: Hackers can use web sites to pass ransomware to devices without the users’ knowledge. Exploit kits use compromised web sites to scan visitors’ browsers for web application vulnerabilities they can use to inject ransomware onto the device. Malvertising—legitimate digital ads that have been compromised by hackers—can pass ransomware to devices, even if the user doesn’t click the ad.
Cybercriminals don’t necessarily need to develop their own ransomware to exploit these vectors. Some ransomware developers share their malware code with cybercriminals via ransomware-as-a-service (RaaS) arrangements. The cybercriminal, or ‘affiliate,’ uses the code to carry out an attack, and then splits the ransom payment with the developer. It’s a mutually beneficial relationship: Affiliates can profit from extortion without having to develop their own malware, and developers can increase their profits without launching additional cyberattacks.
Ransomware distributors can sell ransomware via digital marketplaces, or recruit affiliates directly through online forums or similar avenues. Large ransomware groups have invested significant sums of money to attract affiliates. The REvil group, for example, spent USD 1 million as part of a recruitment drive in October 2020 (link resides outside ibm.com).
A ransomware attack typically proceeds through the following stages.
The most common access vectors for ransomware attacks continue to be phishing and vulnerability exploitation.
Depending on the initial access vector, this second stage may involve an intermediary remote access tool (RAT) or malware prior to establishing interactive access.
During this third stage of the attack, attackers focus on understanding the local system and domain that they currently have access to, and on gaining access to other systems and domains (called lateral movement).
Here the ransomware operators switch focus to identifying valuable data and exfiltrating (stealing) it, usually by downloading or exporting a copy for themselves. While attackers might exfiltrate any and all the data they can access, they usually focus on especially valuable data—login credentials, customers’ personal information, intellectual property—that they can use for double-extortion.
Crypto ransomware begins identifying and encrypting files. Some crypto ransomware also disables system restore features, or deletes or encrypts backups on the victim's computer or network to increase the pressure to pay for the decryption key. Non-encrypting ransomware locks the device screen, floods the device with pop-ups or otherwise prevents victim from using the device.
Once files have been encrypted and/or the device has been disabled, the ransomware alerts the victim of the infection, often via a .txt file deposited on the computer's desktop or through a pop-up notification. The ransom note contains instructions on how to pay the ransom, usually in cryptocurrency or a similarly untraceable method, in exchange for a decryption key or restoration of standard operations.
Since 2020, cybersecurity researchers have identified more than 130 distinct, active ransomware families or variants—unique ransomware strains with their own code signatures and functions.
Among the many ransomware variants that have circulated over the years, several strains are especially notable for the extent of their destruction, how they influenced the development of ransomware, or the threats they still pose today.
CryptoLocker
First appearing in September 2013, CryptoLocker is widely credited with kick-starting the modern age of ransomware. Spread using a botnet (a network of hijacked computers), CryptoLocker was one of the first ransomware families to strongly encrypt users' files. It extorted an estimated USD 3 million before an international law enforcement effort shut it down in 2014. CryptoLocker's success spawned numerous copycats and paved the way for variants like WannaCry, Ryuk, and Petya (described below).
WannaCry
The first high-profile cryptoworm—ransomware that can spread itself to other devices on a network—WannaCry attacked over 200,000 computers (in 150 countries) that administrators had neglected to patch for the EternalBlue Microsoft Windows vulnerability. In addition to encrypting sensitive data, WannaCry ransomware threatened to wipe files if payment was not received within seven days. It remains one of the largest ransomware attacks to date, with estimated costs as high as USD 4 billion.
Petya and NotPetya
Unlike other crypto ransomware, Petya encrypts the file system table rather than individual files, rendering the infected computer unable to boot Windows. A heavily modified version, NotPetya, was used to carry out a large-scale cyberattack, primarily against Ukraine, in 2017. NotPetya was a wiper incapable of unlocking systems even after the ransom was paid.
Ryuk
First seen in 2018, Ryuk popularized ‘big-game ransomware’ attacks against specific high-value targets, with ransom demands averaging over USD 1 million. Ryuk can locate and disable backup files and system restore features; a new strain with cryptoworm capabilities was discovered in 2021.
DarkSide
Run by a group suspected to be operating out of Russia, DarkSide is the ransomware variant that attacked the U.S. Colonial Pipeline on May 7, 2021, considered the worst cyberattack on critical U.S. infrastructure to date. As a result, the pipeline supplying 45 percent of the U.S. East Coast's fuel was temporarily shut down. In addition to launching direct attacks, the DarkSide group also licenses its ransomware out to affiliates via RaaS arrangements.
Locky
Locky is an encrypting ransomware with a distinct method of infection—it uses macros hidden in email attachments (Microsoft Word files) disguised as legitimate invoices. When a user downloads and opens the Microsoft Word document, malicious macros secretly download the ransomware payload to the user's device.
REvil/Sodinokibi
REvil, also known as Sodin or Sodinokibi, helped popularize the RaaS approach to ransomware distribution. Known for use in big-game hunting and double-extortion attacks, REvil was behind the 2021 attacks against the noteworthy JBS USA and Kaseya Limited. JBS paid an USD 11 million ransom after its entire U.S. beef processing operation was disrupted, and more than 1,000 of Kaseya’s software customers were impacted by significant downtime. The Russian Federal Security Service reported it had dismantled REvil and charged several of its members in early 2022.
Until 2022, most ransomware victims met their attackers ransom demands. For example, in IBM's Cyber Resilient Organization Study 2021, 61 percent of participating companies that experienced a ransomware attack within two years of the study said they paid a ransom.
But recent reports signal a change in 2022. Cyber extortion incident response firm Coveware released findings that just 41 percent of 2022 ransomware victims paid a ransom, compared to 51 percent in 2021 and 70 percent in 2020 (link resides outside ibm.com). And Chainanalysis, a blockchain data platform provider, reported that ransomware attackers extorted nearly 40% less money from victims in 2022 than in 2021 (link resides outside ibm.com). Experts point to better cybercrime preparedness (including data backups) and increased investment in threat prevention and detection technology as potential drivers behind this reversal.
Law enforcement guidance
U.S. federal law enforcement agencies unanimously discourage ransomware victims from paying ransom demands. According to the National Cyber Investigative Joint Task Force (NCIJTF), a coalition of 20 partnering U.S. federal agencies charged with investigating cyberthreats:
“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered.”
Law enforcement agencies recommend that ransomware victims report attacks to the appropriate authorities, like the FBI's Internet Crime Complaint Center (IC3), before paying a ransom. Some victims of ransomware attacks may be legally required to report ransomware infections regardless of whether a ransom is paid. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.
Under certain conditions, paying a ransom may be illegal. According to a 2020 advisory from the U.S. Treasury's Office of Foreign Assets Control (OFAC), paying a ransom to attackers from countries under U.S. economic sanctions — such as Russia, North Korea, or Iran — would be a violation of OFAC regulations and could result in civil penalties, fines, or criminal charges.
To defend against ransomware threats, federal agencies like CISA, NCIJFT, and the U.S. Secret Service recommend organizations take certain precautionary measures, such as:
- Maintaining backups of sensitive data and system system images, ideally on hard drives or other devices that can be disconnected from the network.
- Applying patches regularly to help thwart ransomware attacks that exploit software and operating system vulnerability.
- Updating cybersecurity tools including anti-malware and antivirus software, firewalls, network monitoring tools, and secure web gateways, as well as enterprise cybersecurity solutions—such as security orchestration, automation and response (SOAR), endpoint detection and response (EDR), security information and event management (SIEM), and extended detection and response (XDR)—that help security teams detect and respond to ransomware in real-time.
- Employee cybersecurity training to help users recognize and avoid to phishing, social engineering, and other tactics that can lead to ransomware infections.
- Implementing access control policies including multi-factor authentication, zero-trust architecture, network segmentation, and similar measures that can prevent ransomware from reaching particularly sensitive data, and keep cryptoworms from spreading to other devices on the network.
While decryptor tools for some ransomware variants are publicly available through projects like No More Ransom (link resides outside ibm.com), remediation of an active ransomware infection often requires a multifaceted approach. See IBM Security's Definitive Guide to Ransomware (PDF, 966 KB) for an example of a ransomware incident response plan modeled after the National Institute of Standards and Technology (NIST) Incident Response Life Cycle.
1989: The first documented ransomware attack, known as the AIDS Trojan or "P.C. Cyborg attack," was distributed via floppy disks. It hid file directories on the victim's computer and demanded USD 189 to unhide them. But because it encrypted file names rather than the files themselves, it was easy for users to reverse the damage without paying a ransom.
1996: While analyzing the flaws of the AIDS Trojan virus, computer scientists Adam L. Young and Moti Yung warned of future forms of malware that could use more sophisticated public key cryptography to hold sensitive data hostage.
2005: After relatively few ransomware attacks through the early 2000s, an uptick of infections begins, centered in Russia and Eastern Europe. The first variants to use asymmetric encryption appear. As new ransomware offered more effective ways to extort money, more cybercriminals began spreading ransomware worldwide.
2009: The introduction of cryptocurrency, particularly Bitcoin, gives cybercriminals a way to receive untraceable ransom payments, driving the next surge in ransomware activity.
2013: The modern era of ransomware begins with CryptoLocker inaugurating the current wave of highly sophisticated encryption-based ransomware attacks soliciting payment in cryptocurrency.
2015: The Tox ransomware variant introduces the ransomware-as-a-service (RaaS) model.
2017: WannaCry, the first widely used self-replicating cryptoworms, appears.
2018: Ryuk popularized big game ransomware hunting.
2019: Double- and triple-extortion ransomware attacks begin to rise. Almost every ransomware incident that the IBM Security X-Force Incident Reponse team has responded to since 2019 has involved double extortion.
2022: Thread hijacking—in which cybercriminals insert themselves into targets’ online conversations—emerges as a prominent ransomware vector.
Catch advanced threats that others simply miss. QRadar SIEM leverages analytics and AI to monitor threat intel, network and user behavior anomalies and to prioritize where immediate attention and remediation are needed.
Stop ransomware from interrupting business continuity, and recover quickly when attacks occur—with a zero trust approach that helps you detect and respond to ransomware faster and minimize the impact of ransomware attacks.
Secure endpoints from cyberattacks, detect anomalous behavior and remediate in near real time with this sophisticated yet easy-to-use endpoint detection and response (EDR) solution.
Find actionable insights that help you understand how threat actors are waging attacks, and how to proactively protect your organization.
Learn the critical steps to protect your business before a ransomware attack can penetrate your defenses, and to achieve optimal recovery if adversaries breach the perimeter.
Now in its 17th year, this report shares the latest insights into the expanding threat landscape, and offers recommendations for saving time and limiting losses.
Security information and event management (SIEM) offers real-time monitoring and analysis of events as well as tracking and logging of security data for compliance or auditing purposes.
Los Angeles partners with IBM Security to create first-of-its-kind cyberthreat sharing group to protect against cybercrime.
Work with senior IBM security architects and consultants to prioritize your cybersecurity initiatives in a no-cost, virtual or in-person, 3-hour design thinking session.