What is ransomware?

The earliest ransomware attacks simply demanded a ransom in exchange for the encryption key needed to regain access to the affected data or use of the infected device. By making regular or continuous data backups, an organization could limit costs from these types of ransomware attacks and often avoid paying the ransom demand.

In recent years, ransomware attacks have evolved to include double-extortion and triple-extortion tactics that raise the stakes considerably. Even victims who rigorously maintain data backups or pay the initial ransom demand are at risk.

Double-extortion attacks add the threat of stealing the victim’s data and leaking it online. Triple-extortion attacks add the threat of using the stolen data to attack the victim’s customers or business partners.

Ransomware is one of the most common forms of malicious software, and ransomware attacks can cost affected organizations millions of dollars.

20% of all cyberattacks recorded by the IBM® X-Force® Threat Intelligence Index in 2023 involved ransomware. And these attacks move quickly. When hackers gain access to a network, it takes less than four days to deploy ransomware. This speed gives organizations little time to detect and thwart potential attacks.

Ransomware victims and negotiators are reluctant to disclose ransom payments, but threat actors often demand seven-figure and eight-figure amounts. And ransom payments are only part of the total cost of a ransomware infection. According to the IBM Cost of a Data Breach report, the average cost of a ransomware breach is USD 5.68 million, which does not include ransom payments.

That said, cybersecurity teams are becoming more adept at combatting ransomware. The X-Force Threat Intelligence Index found that ransomware infections declined by 11.5% between 2022 and 2023, likely due to improvements in threat detection and prevention.

There are two general types of ransomware. The most common type, called encrypting ransomware or crypto ransomware, holds the victim’s data hostage by encrypting it. The attacker then demands a ransom in exchange for providing the encryption key needed to decrypt the data.

The less common form of ransomware, called non-encrypting ransomware or screen-locking ransomware, locks the victim’s entire device, usually by blocking access to the operating system. Instead of starting up as usual, the device displays a screen that makes the ransom demand.

These two general types fall into these subcategories:

Leakware or doxware is ransomware that steals, or exfiltrates, sensitive data and threatens to publish it. While earlier forms of leakware or doxware often stole data without encrypting it, today’s variants usually do both.

Mobile ransomware includes all ransomware that affects mobile devices. Delivered through malicious apps or drive-by downloads, most mobile ransomware is non-encrypting ransomware. Hackers prefer screen-lockers for mobile attacks because automated cloud data backups, standard on many mobile devices, make it easy to reverse encryption attacks.

Wipers, or destructive ransomware, threaten to destroy data if the victim does not pay the ransom. In some cases, the ransomware destroys the data even if the victim pays. This latter type of wiper is often deployed by nation-state actors or hacktivists rather than common cybercriminals.

Scareware is just what it sounds like—ransomware that tries to scare users into paying a ransom. Scareware might pose as a message from a law enforcement agency, accusing the victim of a crime and demanding a fine. Alternatively, it might spoof a legitimate virus infection alert, encouraging the victim to purchase ransomware disguised as antivirus software.

Sometimes, the scareware is the ransomware, encrypting the data or locking the device. In other cases, it’s the ransomware vector, encrypting nothing but coercing the victim to download ransomware.

Ransomware attacks can use several methods, or vectors, to infect a network or device. Some of the most prominent ransomware infection vectors include:

Social engineering attacks trick victims into downloading and running executable files that turn out to be ransomware. For example, a phishing email might contain a malicious attachment disguised as a harmless-looking .pdf, Microsoft Word document, or other file.

Social engineering attacks might also lure users into visiting a malicious website or scanning malicious QR codes that pass the ransomware through the user’s web browser.

Cybercriminals often exploit existing vulnerabilities to inject malicious code into a device or network.

Zero-day vulnerabilities, which are vulnerabilities either unknown to the security community or identified but not yet patched, pose a particular threat. Some ransomware gangs buy information on zero-day flaws from other hackers to plan their attacks. Hackers have also effectively used patched vulnerabilities as attack vectors, as was the case in the 2017 WannaCry attack.

Cybercriminals can steal authorized users' credentials, buy them on the dark web, or crack them through brute-force attacks. They then use these credentials to log in to a network or computer and deploy ransomware directly.

Remote desktop protocol (RDP), a proprietary Microsoft protocol that allows users to access a computer remotely, is a popular credential-theft target among ransomware attackers.

Hackers often use malware developed for other attacks to deliver ransomware to a device. Threat actors used the Trickbot Trojan, originally designed to steal banking credentials, to spread the Conti ransomware variant throughout 2021.

Hackers can use websites to pass ransomware to devices without the users’ knowledge. Exploit kits use compromised websites to scan visitors’ browsers for web application vulnerabilities they can use to inject ransomware onto a device.

Malvertising—legitimate digital ads that hackers have compromised—can also pass ransomware to devices, even if the user doesn’t click the ad.

Cybercriminals don’t necessarily need to develop their own ransomware to exploit these vectors. Some ransomware developers share their malware code with cybercriminals through ransomware as a service (RaaS) arrangements.

The cybercriminal, or “affiliate,” uses the code to carry out an attack and splits the ransom payment with the developer. It’s a mutually beneficial relationship. Affiliates can profit from extortion without having to develop their own malware, and developers can increase their profits without launching more cyberattacks.

Ransomware distributors can sell ransomware through digital marketplaces on the dark web. They can also recruit affiliates directly through online forums or similar avenues. Large ransomware groups have invested significant sums of money in recruitment efforts to attract affiliates.

A ransomware attack typically proceeds through these stages.

To date, cybersecurity researchers have identified thousands of distinct ransomware variants, or “families”—unique strains with their own code signatures and functions.

Several ransomware strains are especially notable for the extent of their destruction, how they influenced the development of ransomware or the threats they pose today.

First appearing in September 2013, CryptoLocker is widely credited with kick-starting the modern age of ransomware.

Spread through a botnet (a network of hijacked computers), CryptoLocker was one of the first ransomware families to strongly encrypt users' files. It extorted an estimated USD 3 million before an international law enforcement effort shut it down in 2014.

CryptoLocker's success spawned numerous copycats and paved the way for variants like WannaCry, Ryuk and Petya.

The first high-profile cryptoworm—ransomware that can spread itself to other devices on a network—WannaCry attacked over 200,000 computers in 150 countries. The affected computers were vulnerable because administrators had neglected to patch the EternalBlue Microsoft Windows vulnerability.

In addition to encrypting sensitive data, WannaCry ransomware threatened to wipe files if victims did not send payment within seven days. It remains one of the largest ransomware attacks to date, with estimated costs as high as USD 4 billion.

Unlike other crypto ransomware, Petya encrypts the file system table rather than individual files, rendering the infected computer unable to boot Windows.

A heavily modified version, NotPetya, was used to carry out a large-scale cyberattack, primarily against Ukraine, in 2017. NotPetya was a wiper incapable of unlocking systems even after victims paid.

First seen in 2018, Ryuk popularized ‘big-game ransomware’ attacks against specific high-value targets, with ransom demands averaging over USD 1 million. Ryuk can locate and disable backup files and system restore features. A new strain with cryptoworm capabilities appeared in 2021.

Run by a group suspected to be operating out of Russia, DarkSide is the ransomware variant that attacked the Colonial Pipeline on 7 May 2021. In what many consider to be the worst cyberattack on critical US infrastructure to date, DarkSide temporarily shut down the pipeline supplying 45% of the East Coast's fuel.

In addition to conducting direct attacks, the DarkSide group also licenses its ransomware to affiliates through RaaS arrangements.

Locky is an encrypting ransomware with a distinct method of infection—it uses macros hidden in email attachments (Microsoft Word files) disguised as legitimate invoices. When a user downloads and opens the Microsoft Word document, malicious macros secretly download the ransomware payload to the user's device.

REvil, also known as Sodin or Sodinokibi, helped popularize the RaaS approach to ransomware distribution.

Known for use in big-game hunting and double-extortion attacks, REvil was behind the 2021 attacks against JBS USA and Kaseya Limited. JBS paid a USD 11 million ransom after the hackers disrupted its entire US beef processing operation. Significant downtime impacted more than 1,000 of Kaseya’s software customers.

The Russian Federal Security Service reported it dismantled REvil and charged several of its members in early 2022.

First observed in 2020, the Conti gang operated an extensive RaaS scheme in which it paid hackers a regular wage to use its ransomware. Conti used a unique form of double-extortion where the gang threatened to sell access to a victim’s network to other hackers if the victim did not pay up.

Conti disbanded after the gang’s internal chat logs leaked in 2022, but many former members are still active in the cybercrime world. According to the X-Force Threat Intelligence Index, one-time Conti associates have been linked to some of the most widespread ransomware variants today, include BlackBasta, Royal and Zeon.

One of the most common ransomware variants in 2023 according to the X-Force Threat Intelligence Index, LockBit is notable for the businesslike behavior of its developers. The LockBit group has been known to acquire other malware strains in much the same way that legitimate businesses acquire other companies.

While law enforcement seized some of LockBit’s websites in February 2024 and the US government imposed sanctions on one of the gang’s senior leaders, LockBit continues to attack victims. 

Ransom demands vary widely, and many victims choose not to publicize how much they paid, so it is difficult to determine an average ransom payment amount. That said, most estimates put it in the high six-figure to low seven-figure range. Attackers have demanded ransom payments as high as USD 80 million according to the IBM Definitive Guide to Ransomware.

Importantly, the proportion of victims who pay any ransom at all has fallen sharply in recent years. According to cyber extortion incident response firm Coveware, only 37% of victims paid a ransom in 2023, compared to 70% in 2020.¹

Experts point to better cybercrime preparedness—including increased investment in data backups, incident response plans and threat prevention and detection technology—as a potential driver behind this reversal.

US federal law enforcement agencies unanimously discourage ransomware victims from paying ransom demands. According to the National Cyber Investigative Joint Task Force (NCIJTF), a coalition of 20 partnering US federal agencies charged with investigating cyberthreats:

“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered.”

Law enforcement agencies recommend that ransomware victims report attacks to the appropriate authorities, like the FBI's Internet Crime Complaint Center (IC3), before paying a ransom.

Some victims of ransomware attacks have a legal obligation to report ransomware infections regardless of whether they pay a ransom. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.

Under certain conditions, paying a ransom can be illegal.

The US Office of Foreign Assets Control (OFAC) has stated that paying a ransom to attackers from countries under US economic sanctions—such as North Korea or Iran—violates OFAC regulations. Violators can face civil penalties, fines or criminal charges.

Some US states, such as Florida and North Carolina, have made it illegal for state government agencies to pay a ransom.

Cybersecurity experts and federal agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the US Secret Service recommend that organizations take precautionary measures to defend against ransomware threats. These measures can include:

• Maintaining backups of sensitive data and system images, ideally on hard drives or other devices that the IT team can disconnect from the network in the event of a ransomware attack.
  
  
• Applying patches regularly to help thwart ransomware attacks that exploit software and operating system vulnerabilities.
  
  
• Cybersecurity tools such as antimalware software, network monitoring tools, endpoint detection and response (EDR) platforms and security information and event management (SIEM) systems can help security teams intercept ransomware in real-time.
  
  
• Employee cybersecurity training can help users recognize and avoid phishing, social engineering and other tactics that can lead to ransomware infections.
  
  
• Implementing access control policies including multifactor authentication, network segmentation and similar measures can prevent ransomware from reaching sensitive data. Identity and access management (IAM) controls can also keep cryptoworms from spreading to other devices on the network.
  
  
• Formal incident response plans enable security teams to intercept and remediate breaches in less time. The Cost of a Data Breach report found that organizations with formal plans and dedicated incident response teams identify breaches 54 days faster than organizations that have neither. This speedier detection time lowers remediation costs, saving organizations an average of nearly USD 1 million.

While decryptor tools for some ransomware variants are publicly available through projects like No More Ransom², remediation of an active ransomware infection often requires a multifaceted approach.

See the IBM Security Definitive Guide to Ransomware for an example of a ransomware incident response plan modeled after the National Institute of Standards and Technology (NIST) incident response lifecycle. 

1989: The first documented ransomware, known as the “AIDS Trojan” or "P.C. Cyborg” attack, is distributed through floppy disks. It hides file directories on the victim's computer and demands USD 189 to unhide them. Because this malware works by encrypting file names rather than the files themselves, it is easy for users to reverse the damage without paying a ransom.

1996: While analyzing the AIDS Trojan, computer scientists Adam L. Young and Moti Yung warn of future forms of malware that could use more sophisticated cryptography to hold sensitive data hostage. 

2005: After relatively few ransomware attacks through the early 2000s, an uptick of infections begins, centered in Russia and Eastern Europe. The first variants to use asymmetric encryption appear. As new ransomware offers more effective ways to extort money, more cybercriminals begin spreading ransomware worldwide.

2009: The introduction of cryptocurrency, particularly Bitcoin, gives cybercriminals a way to receive untraceable ransom payments, driving the next surge in ransomware activity.

2013: The modern era of ransomware begins with CryptoLocker inaugurating the current wave of highly sophisticated encryption-based ransomware attacks soliciting payment in cryptocurrency.

2015: The Tox ransomware variant introduces the ransomware as a service (RaaS) model.

2017: WannaCry, the first widely used self-replicating cryptoworm, appears.

2018: Ryuk popularizes big game ransomware hunting.

2019: Double-extortion and triple-extortion ransomware attacks become more popular. Almost every ransomware incident that the IBM Security® X-Force® Incident Response team has responded to since 2019 has involved double extortion.

2022: Thread hijacking—in which cybercriminals insert themselves into targets’ legitimate online conversations to spread malware—emerges as a prominent ransomware vector.

2023: As defenses against ransomware improve, many ransomware gangs begin to expand their arsenals and supplement their ransomware with new extortion tactics. In particular, gangs like LockBit and some remnants of Conti begin using infostealer malware that allows them to steal sensitive data and hold it hostage without needing to lock down victims’ systems.