Ransomware is a type of malware, or malicious software, that locks up a victim’s data or computing device and threatens to keep it locked — or worse — unless the victim pays the attacker a ransom. In 2021, ransomware attacks represented 21 percent of all cyberattacks and cost victims an estimated USD 20 billion overall.
The earliest ransomware attacks demanded a ransom to unlock the data or a device. But today’s cybercriminals have raised the stakes considerably. The 2022 X-Force Threat Intelligence Index reports that virtually all ransomware attacks today are ‘double extortion’ attacks that demand a ransom both to unlock data and to prevent its theft. ‘Triple extortion’ attacks, which add the threat of a distributed denial of service (DDoS) attack, are also on the rise.
These double- and triple-extortion tactics, the increased availability of ‘ransomware-as-a-service’ solutions, and the advent of cryptocurrency as an untraceable form of payment have combined to fuel exponential growth in ransomware incidents. The FBI’s Internet Crime Complaint Center recorded a roughly 243 percent increase in the number of reported ransomware incidents between 2013 and 2020.
Ransomware victims and negotiators are reluctant to disclose ransom payment amounts. However, according to the report Definitive Guide to Ransomware 2022, ransom amounts that used to total only double digits have grown to seven-figure and eight-figure amounts. In more extreme cases, companies may pay as much as USD 40-80 million to have their data released back to their control. And ransom payments aren't the only cost of a ransomware infection. According to IBM’s Cost of a Data Breach 2021 report, the average cost of a ransomware attack, not including the ransom payment, was USD 4.62 million.
Ransomware attacks can use several methods, or vectors, to infect a device or network. Some of the most prominent ransomware infection vectors include:
Cybercriminals don’t necessarily need to develop their own ransomware to exploit these vectors. Some ransomware developers share their malware code with cybercriminals via ransomware-as-a-service (RaaS) arrangements. The cybercriminal, or ‘affiliate,’ uses the code to carry out an attack, and then splits the ransom payment with the developer. It’s a mutually beneficial relationship: Affiliates can profit from extortion without having to develop their own malware, and developers can increase their profits without manually launching cyberattacks.
Ransomware distributors can sell ransomware via digital marketplaces, or recruit affiliates directly through online forums or similar avenues. Large ransomware gangs have invested significant sums of money to attract affiliates. The REvil group, for example, spent USD 1 million as part of a recruitment drive in October 2020.
Once hackers gain access to a device, a ransomware attack will typically proceed through the following steps.
Step 1: Reconnaissance. Attackers scan the infected system to better understand the device and network, and to identify files they can target, including files containing sensitive information that can be used for a double- or triple-extortion attack. Most also search for additional credentials that may allow them to move laterally throughout the network, spreading ransomware to more devices along the way.
Step 2: Activation. Crypto ransomware begins identifying and encrypting files. Most encrypting ransomware deploys asymmetric encryption, using a public key to encrypt the victim's data and retaining a private key that can decrypt it. Because victims do not have the private key, they cannot decrypt the encrypted data without the hackers' help. Some crypto ransomware also disables system restore features or deletes or encrypts backups on the victim's computer or network to increase the pressure to pay for the decryption key.
Non-encrypting ransomware locks the device screen, floods the device with pop-ups, or otherwise prevents the victim from using the device.
Step 3: The ransom note. Once files have been encrypted and/or the device has been disabled, the ransomware alerts the victim of the infection, often via a .txt file deposited on the computer's desktop or through a pop-up notification. The ransom note will contain instructions on how to pay the ransom, usually in cryptocurrency or a similarly untraceable method, in exchange for a decryption key or restoration of standard operations.
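As an added illustration (not part of the original article), the following Python sketch turns Steps 2 and 3 into detection logic a defender could run over endpoint file-write telemetry: a burst of files renamed to a new extension whose new contents have ciphertext-like entropy, plus a low-entropy text file that reads like a ransom note. The FileWrite record schema, the thresholds and the sample events are constructed assumptions, not any real agent's format.

```python
import math
import os
from collections import Counter
from dataclasses import dataclass
from typing import Optional
# Hypothetical agent record (assumption, not from the article): new path, the path it was renamed from (if any), first bytes written.
@dataclass
class FileWrite:
    ts: float
    path: str
    renamed_from: Optional[str]
    sample: bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: office documents sit well below 6, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious_write(ev: FileWrite, entropy_min: float = 7.0) -> bool:
    """Step 2 indicator: a rename that swapped the extension and wrote ciphertext-like bytes."""
    if ev.renamed_from is None:
        return False
    changed_ext = os.path.splitext(ev.renamed_from)[1] != os.path.splitext(ev.path)[1]
    return changed_ext and shannon_entropy(ev.sample) >= entropy_min

def is_ransom_note(ev: FileWrite) -> bool:
    """Step 3 indicator: a low-entropy text file whose content reads like payment instructions."""
    if os.path.splitext(ev.path)[1].lower() not in {".txt", ".html"}:
        return False
    text = ev.sample.decode("utf-8", errors="ignore").lower()
    hits = sum(k in text for k in ("decrypt", "bitcoin", "ransom", "your files"))
    return shannon_entropy(ev.sample) < 5.5 and hits >= 2

def detect(events, window_s: float = 10.0, min_hits: int = 5) -> dict:
    """Alert when min_hits suspicious writes land within window_s seconds; also list ransom notes."""
    hits = sorted((e for e in events if is_suspicious_write(e)), key=lambda e: e.ts)
    best, j = 0, 0
    for i in range(len(hits)):  # sliding window over the sorted timestamps
        while hits[i].ts - hits[j].ts > window_s:
            j += 1
        best = max(best, i - j + 1)
    notes = [e.path for e in events if is_ransom_note(e)]
    return {"alert": best >= min_hits, "burst": best, "ransom_notes": notes}

# Constructed sample telemetry: six documents renamed and overwritten within six seconds, then a note dropped on the desktop.
CIPHER = bytes(range(256))  # stand-in for ciphertext; entropy is exactly 8.0 bits/byte
SAMPLE_EVENTS = [FileWrite(float(i), f"/home/u/docs/f{i}.docx.locked", f"/home/u/docs/f{i}.docx", CIPHER) for i in range(6)]
SAMPLE_EVENTS.append(FileWrite(6.0, "/home/u/Desktop/README_RESTORE.txt", None, b"Your files are encrypted. Send 1 bitcoin to decrypt them."))
```

Entropy alone misfires on legitimately compressed or encrypted files, which is why the rule combines it with the extension change, the write rate and the note; in production the thresholds would be tuned against the organization's own baseline.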
There are two general types of ransomware. The most common type, called ‘encrypting ransomware’ or ‘crypto ransomware,’ holds a user's data hostage by encrypting it. The less common form of ransomware, sometimes called ‘locker ransomware,’ locks a victim’s entire device.
These two types can be further divided into the following subcategories:
Since 2020, cybersecurity researchers have identified more than 130 distinct, active ransomware families or variants—unique ransomware strains with their own code signatures and functions.
Among the many ransomware variants that have circulated over the years, several strains are especially notable for the extent of their destruction, how they influenced the development of ransomware, or the threats they still pose today.
First appearing in September 2013, CryptoLocker is widely credited with kick-starting the modern age of ransomware. Spread using a botnet (a network of hijacked computers), CryptoLocker was one of the first ransomware families to strongly encrypt users' files. It extorted an estimated USD 3 million before an international law enforcement effort shut it down in 2014. CryptoLocker's success spawned numerous copycats and paved the way for variants like WannaCry, Ryuk, and Petya (described below).
The first high-profile cryptoworm—ransomware that can spread itself to other devices on a network—WannaCry attacked over 200,000 computers (in 150 countries) that administrators had neglected to patch for the EternalBlue Microsoft Windows vulnerability. In addition to encrypting sensitive data, WannaCry ransomware threatened to wipe files if payment was not received within seven days. It remains one of the largest ransomware attacks to date, with estimated costs as high as USD 4 billion.
Unlike other crypto ransomware, Petya encrypts the file system table rather than individual files, rendering the infected computer unable to boot Windows. A heavily modified version, NotPetya, was used to carry out a large-scale cyberattack, primarily against Ukraine, in 2017. NotPetya was a wiper incapable of unlocking systems even after the ransom was paid.
First seen in 2018, Ryuk popularized ‘big-game ransomware’ attacks against specific high-value targets, with ransom demands averaging over USD 1 million. Ryuk can locate and disable backup files and system restore features; a new strain with cryptoworm capabilities was discovered in 2021.
Run by a group suspected to be operating out of Russia, DarkSide is the ransomware variant that attacked the U.S. Colonial Pipeline on May 7, 2021, considered the worst cyberattack on critical U.S. infrastructure to date. As a result, the pipeline supplying 45 percent of the U.S. East Coast's fuel was temporarily shut down. In addition to launching direct attacks, the DarkSide group also licenses its ransomware out to affiliates via RaaS arrangements.
Locky is an encrypting ransomware with a distinct method of infection—it uses macros hidden in email attachments (Microsoft Word files) disguised as legitimate invoices. When a user downloads and opens the Microsoft Word document, malicious macros secretly download the ransomware payload to the user's device.
REvil, also known as Sodin or Sodinokibi, helped popularize the RaaS approach to ransomware distribution. Known for use in big-game hunting and double-extortion attacks, REvil was behind the 2021 attacks against JBS USA and Kaseya Limited. JBS paid a USD 11 million ransom after its entire U.S. beef processing operation was disrupted, and more than 1,000 of Kaseya’s software customers were impacted by significant downtime. The Russian Federal Security Service reported it had dismantled REvil and charged several of its members in early 2022.
Paying a ransom is common. In IBM's Cyber Resilient Organization Study 2021, 61 percent of participating companies that reported experiencing a ransomware attack said they paid a ransom.
However, U.S. federal law enforcement agencies unanimously discourage ransomware victims from paying ransom demands. According to the National Cyber Investigative Joint Task Force (NCIJTF), a coalition of 20 partnering U.S. federal agencies charged with investigating cyberthreats:
“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered.”
Law enforcement agencies recommend that ransomware victims report attacks to the appropriate authorities, like the FBI's Internet Crime Complaint Center (IC3), before paying a ransom. Some victims of ransomware attacks may be legally required to report ransomware infections regardless of whether a ransom is paid. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.
Under certain conditions, paying a ransom may be illegal. According to a 2020 advisory from the U.S. Treasury's Office of Foreign Assets Control (OFAC), paying a ransom to attackers from countries under U.S. economic sanctions — such as Russia, North Korea, or Iran — would be a violation of OFAC regulations and could result in civil penalties, fines, or criminal charges.
To defend against ransomware threats, federal agencies like CISA, the NCIJTF, and the U.S. Secret Service recommend organizations take certain precautionary measures, such as:
While decryptor tools for some ransomware variants are publicly available through projects like No More Ransom, remediation of an active ransomware infection often requires a multifaceted approach. See IBM Security's Definitive Guide to Ransomware for an example of a ransomware incident response plan modeled after the National Institute of Standards and Technology (NIST) Incident Response Life Cycle.
1989: The first documented ransomware attack, known as the AIDS Trojan or "P.C. Cyborg attack," was distributed via floppy disks. It hid file directories on the victim's computer and demanded USD 189 to unhide them. But because it encrypted file names rather than the files themselves, it was easy for users to reverse the damage without paying a ransom.
1996: While analyzing the flaws of the AIDS Trojan virus, computer scientists Adam L. Young and Moti Yung warned of future forms of malware that could use more sophisticated public key cryptography to hold sensitive data hostage.
2005: After relatively few ransomware attacks through the early 2000s, an uptick of infections begins, centered in Russia and Eastern Europe. The first variants to use asymmetric encryption appear. As new ransomware offered more effective ways to extort money, more cybercriminals began spreading ransomware worldwide.
2009: The introduction of cryptocurrency, particularly Bitcoin, gives cybercriminals a way to receive untraceable ransom payments, driving the next surge in ransomware activity.
2013: The modern era of ransomware begins with CryptoLocker inaugurating the current wave of highly sophisticated encryption-based ransomware attacks soliciting payment in cryptocurrency.
2015: The Tox ransomware variant introduces the ransomware-as-a-service (RaaS) model.
2017: WannaCry, the first widely used self-replicating cryptoworm, appears.
2018: Ryuk popularizes ‘big-game hunting’ ransomware attacks against high-value targets.