What is ransomware?
Explore IBM's ransomware solution Subscribe to Security Topic Updates
Person looking at the laptop screen
What is ransomware?

Ransomware is a type of malware that holds a victim’s data or device hostage, threatening to keep it locked—or worse—unless the victim pays a ransom to the attacker.

According to the IBM Security X-Force Threat Intelligence Index 2023, ransomware attacks represented 17 percent of all cyberattacks in 2022.

The earliest ransomware attacks simply demanded a ransom in exchange for the encryption key needed to regain access to the affected data or use of the infected device. By making regular or continuous data backups, an organization could limit costs from these types of ransomware attacks and often avoid paying the ransom demand.

But in recent years, ransomware attacks have evolved to include double-extortion and triple-extortion attacks that raise the stakes considerably. Even victims who rigorously maintain data backups or pay the initial ransom demand are at risk. Double-extortion attacks add the threat of stealing the victim’s data and leaking it online. On top of that, triple-extortion attacks threaten to use the stolen data to attack the victim’s customers or business partners.

The 2023 X-Force Threat Intelligence Index found that ransomware's share of all cybersecurity incidents declined by 4 percent from 2021 to 2022. The decrease is likely due to defenders being more successful in detecting and preventing ransomware attacks. But this positive finding was eclipsed by a massive 94 percent reduction in the average attack timeline—from 2 months to fewer than 4 days. This gives organizations very little time to detect and thwart potential attacks.

Ransomware victims and negotiators are reluctant to disclose ransom payment amounts. However, according to the Definitive Guide to Ransomware, ransom demands have grown to seven- and eight-figure amounts. And ransom payments are only part of the total cost of a ransomware infection. According to IBM’s Cost of a Data Breach 2023 report, the average cost of a data breach caused by a ransomware attack was USD 5.13 million. Ransomware attacks were expected to cost victims an estimated USD 30 billion overall in 2023.

IBM Guide to Ransomware

Stay informed about the latest trends within cybercrime with IBM's definitive guide to ransomware.

Related content

Register for the Cost of a Data Breach report

Types of ransomware

There are two general types of ransomware. The most common type, called encrypting ransomware or crypto ransomware, holds the victim’s data hostage by encrypting it. The attacker then demands a ransom in exchange for providing the encryption key needed to decrypt the data.

The less common form of ransomware, called non-encrypting ransomware or screen-locking ransomware, locks the victim’s entire device, usually by blocking access to the operating system. Instead of starting up as usual, the device displays a screen that makes the ransom demand.

These two types can be further divided into these subcategories:

  • Leakware/Doxware is ransomware that steals, or exfiltrates, sensitive data and threatens to publish it. While earlier forms of leakware or doxware often stole data without encrypting it, today’s variants often do both.

  • Mobile ransomware includes all ransomware that affects mobile devices. Delivered via malicious apps or drive-by download, mobile ransomware is typically non-encrypting ransomware because automated cloud data backups, standard on many mobile devices, make it easy to reverse encryption attacks.

  • Wipers/destructive ransomware threatens to destroy data if the ransom isn't paid—except in cases where the ransomware destroys the data even if the ransom is paid. This latter type of wiper is often suspected to be deployed by nation-state actors or hactivists rather than common cybercriminals.

  • Scareware is just what it sounds like—ransomware that tries to scare users into paying a ransom. Scareware might pose as a message from a law enforcement agency, accusing the victim of a crime and demanding a fine. Alternatively, it might spoof a legitimate virus infection alert, encouraging the victim to purchase antivirus or antimalware software. Sometimes, the scareware is ransomware, encrypting the data or locking the device; in other cases, it’s the ransomware vector, encrypting nothing but coercing the victim to download ransomware.
Register for the Definitive Guide to Ransomware 2023
How ransomware infects a system or device

Ransomware attacks can use several methods, or vectors, to infect a network or device. Some of the most prominent ransomware infection vectors include:

  • Phishing emails and other social engineering attacks: Phishing emails manipulate users into downloading and running a malicious attachment. This attachment might contain the ransomware disguised as a harmless looking .pdf, Microsoft Word document, or other file. They can also lure users into visiting a malicious website that passes the ransomware through the user’s web browser. In IBM's Cyber Resilient Organization Study 2021, phishing and other social engineering tactics caused 45 percent of all ransomware attacks reported by survey participants, making them the most common of all ransomware attack vectors.

  • Operating system and software vulnerabilities: Cybercriminals often exploit existing vulnerabilities to inject malicious code into a device or network. Zero-day vulnerabilities, which are vulnerabilities either unknown to the security community or identified but not yet patched, pose a particular threat. Some ransomware gangs buy information on zero-day flaws from other hackers to plan their attacks. Hackers have also effectively used patched vulnerabilities as attack vectors, as was the case in the 2017 WannaCry attack.
  • Credential theft: Cybercriminals may steal authorized users' credentials, buy them on the dark web, or crack them through brute force. They may then use these credentials to log in to a network or computer and deploy ransomware directly. Remote desktop protocol (RDP), a proprietary protocol developed by Microsoft to allow users to access a computer remotely, is a popular credential-theft target among ransomware attackers.

  • Other malware: Hackers often use malware developed for other attacks to deliver a ransomware to a device. The Trickbot trojan, for example, originally designed to steal banking credentials, was used to spread the Conti ransomware variant throughout 2021.

  • Drive-by downloads: Hackers can use websites to pass ransomware to devices without the users’ knowledge. Exploit kits use compromised websites to scan visitors’ browsers for web application vulnerabilities they can use to inject ransomware onto the device. Malvertising—legitimate digital ads that have been compromised by hackers—can pass ransomware to devices, even if the user doesn’t click the ad.

Cybercriminals don’t necessarily need to develop their own ransomware to exploit these vectors. Some ransomware developers share their malware code with cybercriminals via ransomware-as-a-service (RaaS) arrangements. The cybercriminal, or ‘affiliate,’ uses the code to carry out an attack, and then splits the ransom payment with the developer. It’s a mutually beneficial relationship: Affiliates can profit from extortion without having to develop their own malware, and developers can increase their profits without launching additional cyberattacks.

Ransomware distributors can sell ransomware via digital marketplaces, or recruit affiliates directly through online forums or similar avenues. Large ransomware groups have invested significant sums of money to attract affiliates. 

Stages of a ransomware attack

A ransomware attack typically proceeds through these stages.

Stage 1: Initial access

The most common access vectors for ransomware attacks continue to be phishing and vulnerability exploitation.

Stage 2: Post-exploitation

Depending on the initial access vector, this second stage may involve an intermediary remote access tool (RAT) or malware prior to establishing interactive access.

Stage 3: Understand and expand

During this third stage of the attack, attackers focus on understanding the local system and domain that they currently have access to. The attackers also work on gaining access to other systems and domains (called lateral movement).

Stage 4: Data collection and exfiltration

Here the ransomware operators switch focus to identifying valuable data and exfiltrating (stealing) it, usually by downloading or exporting a copy for themselves. While attackers might exfiltrate any and all the data they can access, they usually focus on especially valuable data—login credentials, customers’ personal information, intellectual property—that they can use for double-extortion.

Stage 5: Deployment and sending the note

Crypto ransomware begins identifying and encrypting files. Some crypto ransomware also disables system restore features, or deletes or encrypts backups on the victim's computer or network to increase the pressure to pay for the decryption key. Non-encrypting ransomware locks the device screen, floods the device with pop-ups or otherwise prevents the victim from using the device.

Once files have been encrypted or the device has been disabled, the ransomware alerts the victim of the infection. This notification often comes through a .txt file deposited on the computer's desktop or through a pop-up. The ransom note contains instructions on how to pay the ransom, usually in cryptocurrency or a similarly untraceable method. Payment is in exchange for a decryption key or restoration of standard operations.

Notable ransomware variants

Since 2020, cybersecurity researchers have identified more than 130 distinct, active ransomware families or variants—unique ransomware strains with their own code signatures and functions. 

Over the years, many ransomware variants have circulated. Several strains are especially notable for the extent of their destruction, how they influenced the development of ransomware, or the threats they still pose today.
 

CryptoLocker


First appearing in September 2013, CryptoLocker is widely credited with kick-starting the modern age of ransomware. Spread using a botnet (a network of hijacked computers), CryptoLocker was one of the first ransomware families to strongly encrypt users' files. It extorted an estimated USD 3 million before an international law enforcement effort shut it down in 2014. CryptoLocker's success spawned numerous copycats and paved the way for variants like WannaCry, Ryuk and Petya.
 

WannaCry


The first high-profile cryptoworm—ransomware that can spread itself to other devices on a network. WannaCry attacked over 200,000 computers in 150 countries. The affected computers were vulnerable because administrators had neglected to patch for the EternalBlue Microsoft Windows vulnerability. In addition to encrypting sensitive data, WannaCry ransomware threatened to wipe files if payment was not received within seven days. It remains one of the largest ransomware attacks to date, with estimated costs as high as USD 4 billion.
 

Petya and NotPetya


Unlike other crypto ransomware, Petya encrypts the file system table rather than individual files, rendering the infected computer unable to boot Windows. A heavily modified version, NotPetya, was used to carry out a large-scale cyberattack, primarily against Ukraine, in 2017. NotPetya was a wiper incapable of unlocking systems even after the ransom was paid.
 

Ryuk


First seen in 2018, Ryuk popularized ‘big-game ransomware’ attacks against specific high-value targets, with ransom demands averaging over USD 1 million. Ryuk can locate and disable backup files and system restore features; a new strain with cryptoworm capabilities was discovered in 2021.
 

DarkSide


Run by a group suspected to be operating out of Russia, DarkSide is the ransomware variant that attacked the U.S. Colonial Pipeline on 7 May 2021. This variant is considered the worst cyberattack on critical U.S. infrastructure to date. As a result, the pipeline supplying 45 percent of the U.S. East Coast's fuel was temporarily shut down. In addition to launching direct attacks, the DarkSide group also licenses its ransomware out to affiliates via RaaS arrangements.
 

Locky


Locky is an encrypting ransomware with a distinct method of infection—it uses macros hidden in email attachments (Microsoft Word files) disguised as legitimate invoices. When a user downloads and opens the Microsoft Word document, malicious macros secretly download the ransomware payload to the user's device.
 

REvil/Sodinokibi


REvil, also known as Sodin or Sodinokibi, helped popularize the RaaS approach to ransomware distribution. Known for use in big-game hunting and double-extortion attacks, REvil was behind the 2021 attacks against the noteworthy JBS USA and Kaseya Limited. JBS paid a USD 11 million ransom after its entire U.S. beef processing operation was disrupted, and more than 1,000 of Kaseya’s software customers were impacted by significant downtime. The Russian Federal Security Service reported it had dismantled REvil and charged several of its members in early 2022.

Ransom payments

Until 2022, most ransomware victims met their attackers ransom demands. For example, in IBM's Cyber Resilient Organization Study 2021, 61 percent of participating companies that experienced a ransomware attack within two years of the study said they paid a ransom.

But recent reports signal a change in 2022. Cyber extortion incident response firm Coveware released findings that just 41 percent of 2022 ransomware victims paid a ransom, compared to 51 percent in 2021 and 70 percent in 2020. And Chainanalysis, a blockchain data platform provider, reported that ransomware attackers extorted nearly 40% less money from victims in 2022 than in 2021 (link resides outside ibm.com). Experts point to better cybercrime preparedness (including data backups) and increased investment in threat prevention and detection technology as potential drivers behind this reversal.
 

Law enforcement guidance


U.S. federal law enforcement agencies unanimously discourage ransomware victims from paying ransom demands. According to the National Cyber Investigative Joint Task Force (NCIJTF), a coalition of 20 partnering U.S. federal agencies charged with investigating cyberthreats:

“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered.”

Law enforcement agencies recommend that ransomware victims report attacks to the appropriate authorities, like the FBI's Internet Crime Complaint Center (IC3), before paying a ransom. Some victims of ransomware attacks may be legally required to report ransomware infections regardless of whether a ransom is paid. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.

Under certain conditions, paying a ransom may be illegal. A 2020 advisory from the U.S. Treasury's Office of Foreign Assets Control (OFAC) highlights this. It states that paying a ransom to attackers from countries under U.S. economic sanctions—such as Russia, North Korea or Iran—would be a violation of OFAC regulations. Violators could face civil penalties, fines or criminal charges.

Ransomware protection and response

To defend against ransomware threats, federal agencies like CISA, NCIJFT and the U.S. Secret Service recommend that organizations take certain precautionary measures, such as:

  • Maintaining backups of sensitive data and system images, ideally on hard drives or other devices that can be disconnected from the network.

  • Applying patches regularly to help thwart ransomware attacks that exploit software and operating system vulnerabilities.

  • Updating cybersecurity tools including anti-malware and antivirus software, firewalls, network monitoring tools and secure web gateways. Also, using enterprise cybersecurity solutions such as security orchestration, automation and response (SOAR)endpoint detection and response (EDR), security information and event management (SIEM) and extended detection and response (XDR). These solutions help security teams detect and respond to ransomware in real-time.

  • Employee cybersecurity training to help users recognize and avoid to phishing, social engineering and other tactics that can lead to ransomware infections.

  • Implementing access control policies including multi-factor authentication, zero trust architecture, network segmentation and similar measures. These measures can prevent ransomware from reaching particularly sensitive data, and keep cryptoworms from spreading to other devices on the network.

While decryptor tools for some ransomware variants are publicly available through projects like No More Ransom, remediation of an active ransomware infection often requires a multifaceted approach. See IBM Security's Definitive Guide to Ransomware for an example of a ransomware incident response plan modeled after the National Institute of Standards and Technology (NIST) Incident Response Life Cycle.

A brief ransomware timeline

1989: The first documented ransomware attack, known as the AIDS Trojan or "P.C. Cyborg attack," was distributed via floppy disks. It hid file directories on the victim's computer and demanded USD 189 to unhide them. But because it encrypted file names rather than the files themselves, it was easy for users to reverse the damage without paying a ransom.

1996: While analyzing the flaws of the AIDS Trojan virus, computer scientists Adam L. Young and Moti Yung warned of future forms of malware. They said that future malware could use more sophisticated public key cryptography to hold sensitive data hostage. 

2005: After relatively few ransomware attacks through the early 2000s, an uptick of infections begins, centered in Russia and Eastern Europe. The first variants to use asymmetric encryption appear. As new ransomware offered more effective ways to extort money, more cybercriminals began spreading ransomware worldwide.

2009: The introduction of cryptocurrency, particularly Bitcoin, gives cybercriminals a way to receive untraceable ransom payments, driving the next surge in ransomware activity.

2013: The modern era of ransomware begins with CryptoLocker inaugurating the current wave of highly sophisticated encryption-based ransomware attacks soliciting payment in cryptocurrency.

2015: The Tox ransomware variant introduces the ransomware-as-a-service (RaaS) model.

2017: WannaCry, the first widely used self-replicating cryptoworms, appears.

2018: Ryuk popularized big game ransomware hunting.

2019: Double- and triple-extortion ransomware attacks begin to rise. Almost every ransomware incident that the IBM Security X-Force Incident Reponse team has responded to since 2019 has involved double extortion.

2022: Thread hijacking—in which cybercriminals insert themselves into targets’ online conversations—emerges as a prominent ransomware vector.

Related solutions
IBM Security® QRadar® Suite

Outsmart attacks with a connected, modernized security suite. The QRadar portfolio is embedded with enterprise-grade AI and offers integrated products for endpoint security, log management, SIEM and SOAR—all with a common user interface, shared insights and connected workflows.

Explore QRadar Suite
Ransomware protection solutions

Stop ransomware from interrupting business continuity, and recover quickly when attacks occur with a zero trust approach. This approach can help you detect and respond to ransomware faster and minimize the impact of ransomware attacks.

Explore ransomware protection solutions
IBM Security® X-Force® Incident Response

Use our defensive security services, which include subscription-based incident preparation, detection and emergency response programs, to help you detect, respond and contain an incident before significant damage can occur.

Explore X-Force Incident Response
IBM Security® X-Force® Red

Employ our offensive security services, which include penetration testing, vulnerability management and adversary simulation, to help identify, prioritize and remediate security flaws covering your entire digital and physical ecosystem.

Explore X-Force Red
Cybersecurity services

Transform your business and manage risk with a global industry leader in cybersecurity consulting, cloud and managed security services.

Explore cybersecurity services
Resources X-Force Threat Intelligence Index

Find actionable insights that help you understand how threat actors are waging attacks, and how to proactively protect your organization.

Definitive Guide to Ransomware

Learn the critical steps to protect your business before a ransomware attack can penetrate your defenses, and to achieve optimal recovery if adversaries breach the perimeter.

Cost of a Data Breach

Read the report, now in its 18th year, to get the latest insights into the expanding threat landscape, and recommendations for saving time and limiting losses.

What is SIEM?

Find out how security information and event management (SIEM) offers real-time monitoring and analysis of events as well as tracking and logging of security data for compliance or auditing purposes.

Safer citizens, stronger communities

Explore how Los Angeles partners with IBM Security to create first-of-its-kind cyberthreat sharing group to protect against cybercrime.

IBM Security Framing and Discovery Workshop

Work with senior IBM security architects and consultants to prioritize your cybersecurity initiatives in a no-cost, virtual or in-person, 3-hour design thinking session.

Take the next step

Cybersecurity threats are becoming more advanced and more persistent, and demanding more effort by security analysts to sift through countless alerts and incidents. IBM Security QRadar SIEM helps you remediate threats faster while maintaining your bottom line. QRadar SIEM prioritizes high-fidelity alerts to help you catch threats that others simply miss.

Explore QRadar SIEM Book a live demo