Ransomware is a type of malware that encrypts a victim's personal data or restricts system access until a ransom is paid. Perpetrators typically demand payment in difficult-to-trace digital currencies like Bitcoin. If the ransom is not paid, the attacker may threaten to delete the files permanently or publish sensitive information publicly.
What is Ransomware?
Modern ransomware, also known as cryptoviral extortion, uses strong encryption to hold data hostage. While early versions like the 1989 AIDS Trojan were simple enough for researchers to bypass, contemporary variants use public key cryptography (typically in a hybrid scheme, where each file is encrypted with a symmetric key that is in turn encrypted with the attacker's public key). This makes it computationally infeasible to retrieve files without the specific decryption key held by the attacker.
Attackers often target businesses and individuals through deceptive methods such as phishing emails and malicious attachments. Once the malware executes, it runs a payload that locks the system or encrypts specific file extensions before displaying a ransom note.
Why Ransomware matters
Ransomware is a primary threat to business continuity because it targets the data required for daily operations. For marketers and SEO practitioners, an attack on a database or marketing application can lead to significant downtime that costs more than the ransom itself.
- Growing volume of attacks: The scale of the threat is massive, with 181.5 million attacks recorded globally in the first half of 2018 alone (Wikipedia).
- High financial stakes: Ransomware payments are reaching new heights, with payments totalling a record $1.25 billion in 2023 (Wikipedia).
- Targeting of critical sectors: Certain industries face higher risks. For example, 67% of healthcare institutions reported attacks during the first three quarters of 2024 (Fortinet).
- Massive remediation costs: Even if a ransom is not paid, the cost of recovery is high. The average cost to remediate an attack, including downtime and device costs, was estimated at $761,106 in 2020 (Wikipedia).
- Ransom demands are rising: Individual demands have increased significantly for high value targets, with average demands in the healthcare sector exceeding $5.2 million (Fortinet).
Lifecycle of an attack
Researchers identify a six stage process for modern ransomware operations. Attackers use this systematic approach to maximize their chances of receiving payment.
- Reconnaissance: Attackers study potential targets to identify technical weaknesses or high value data.
- Infection: The malware accesses the network through phishing, malicious links, or drive by downloads.
- Escalation: The attackers escalate privileges to gain deeper control of the system and deploy the ransomware.
- Scanning: The malware maps the network to identify as many devices and files as possible for maximum impact.
- Encryption: Critical files are locked using advanced algorithms to deny user access.
- Ransom: A note is delivered to the victim demanding payment for the restoration of access.
Types of Ransomware
Several distinct variations of ransomware can be distinguished by how they restrict access and what they threaten to do.
| Type | Mechanism | Threat |
|---|---|---|
| Encrypting (Crypto) | Uses advanced algorithms to lock data. | Files remain unreadable without a paid key. |
| Scareware | Uses social engineering and fake virus warnings. | Coerces victims into buying unneeded software. |
| Screen Locking | Blocks the user interface entirely. | Demands payment to restore screen access. |
| Leakware / Doxware | Exfiltrates (steals) sensitive host data. | Threatens to publish private info or trade secrets. |
| RaaS | Ransomware-as-a-Service model. | Sold or rented to affiliates on a subscription basis. |
Notable ransomware variants
Several high profile software packages have caused global disruption or generated millions in illicit profits.
- WannaCry: This 2017 worm travelled between computers automatically without user interaction, infecting over 230,000 computers across 150 countries (Wikipedia).
- CryptoLocker: A successful early variant that procured an estimated $3 million before authorities took it down (Wikipedia).
- Akira: A variant targeting both Windows and Linux that often steals data without encrypting it to pressure victims.
- DarkSide: The malware used in the Colonial Pipeline attack, which successfully extorted approximately 75 Bitcoin, valued at nearly $5 million (Wikipedia).
- RansomHub: A 2024 RaaS group known for evading endpoint detection systems and targeting the US and Brazil.
Best practices for defense
Recovery is not always possible after an infection, making prevention the primary defense strategy.
- Maintain offline backups: Store critical data on external drives or devices that have no network access. This prevents ransomware from spreading to your backups.
- Use append-only permissions: Configure cloud or NAS storage so the computer can only add data, not delete or overwrite existing backups.
- Apply security updates: Install patches immediately to close vulnerabilities such as the SMB flaw exploited by EternalBlue, which was used to spread major worms.
- Utilize snapshots: Use snapshot features such as ZFS snapshots or Windows Volume Shadow Copy to keep point-in-time copies of data for easy rollback. ZFS snapshots are read-only, but shadow copies can be deleted by anyone with administrator rights, and ransomware routinely does so, so snapshots complement offline backups rather than replace them.
- Block known payloads: Use security software to prevent files matching recognized malware signatures from executing on the network.
- Segment your network: Keep critical computers isolated from the general network to limit the spread of an infection.
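Signature blocking only stops payloads that are already known; endpoint detection tools also watch for the behaviour of the encryption stage itself. The following is an added example, not code from the original page, of one such heuristic: a burst of high-entropy writes (encrypted output looks random) or writes to renamed files within a short window. The thresholds, the sample file extensions and the write log are all constructed for this example.

```python
import hashlib
import math
from collections import deque

# Thresholds are assumptions chosen for this example, not values from any product.
HIGH_ENTROPY = 7.2     # bits per byte; text and office documents sit well below this
BURST_COUNT = 5        # this many high-entropy writes...
BURST_WINDOW = 10.0    # ...within this many seconds raises an alert
SUSPECT_EXTS = {".locked", ".encrypted"}  # constructed sample extensions, not a real IoC list

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_encryption_burst(events):
    """events: iterable of (timestamp_seconds, path, bytes_written).
    A lone high-entropy write (a zip, a photo) is normal; many within a short
    window, especially to renamed files, looks like the encryption stage.
    Returns one alert dict per burst."""
    window, alerts = deque(), []
    for ts, path, data in sorted(events, key=lambda e: e[0]):
        ext = "." + path.rsplit(".", 1)[-1] if "." in path else ""
        if shannon_entropy(data) < HIGH_ENTROPY and ext not in SUSPECT_EXTS:
            continue
        window.append((ts, path))
        while ts - window[0][0] > BURST_WINDOW:   # drop writes outside the window
            window.popleft()
        if len(window) >= BURST_COUNT:
            alerts.append({"start": window[0][0], "end": ts, "paths": [p for _, p in window]})
            window.clear()   # one alert per burst, then keep watching
    return alerts

def sample_events():
    """Constructed write log: a document, one benign archive, then six encrypted files."""
    text = b"Quarterly marketing plan: budget, channels, KPIs.\n" * 80
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    events = [(0.0, "docs/plan.docx", text), (1.0, "downloads/archive.zip", random_like)]
    for i in range(6):
        events.append((30.0 + i, f"docs/report{i}.docx.locked", random_like))
    return events
```

Running `detect_encryption_burst(sample_events())` yields a single alert covering the first five encrypted reports; the lone archive write is ignored because it never reaches the burst count.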
Common mistakes
Mistake: Paying the ransom immediately. Fix: Consult security experts first. There is no guarantee you will get your files back, and some variants like the 2017 Petya update were unable to unlock systems even after payment.
Mistake: Relying solely on local backups. Fix: Ensure you have the "offline" component. Many ransomware strains actively search for and delete hot backups connected to the network.
Mistake: Assuming mobile devices are safe. Fix: Implement endpoint detection and response (EDR) on all devices. Mobile ransomware like Fusob accounted for 56% of mobile infections between 2015 and 2016 (Wikipedia).
Mistake: Opening unexpected email attachments. Fix: Practice strict cyber hygiene. Malspam (malware spam) remains the most common delivery method for ransomware payloads.
FAQ
Can I recover my files without paying? In some cases, yes. This occurs if there are implementation mistakes in the malware, leaked keys, or if researchers have released a free decryption tool. Projects like No More Ransom offer tools for specific variants like TeslaCrypt or Jigsaw. However, many modern attacks cannot be reverted without the attacker's key.
What is Ransomware-as-a-Service (RaaS)? It is a business model where developers sell or rent ransomware code to other criminals on a subscription basis. Groups like REvil and RansomHub have used this model to scale their operations by recruiting affiliates who carry out the actual attacks.
Why is Bitcoin used for ransoms? Digital currencies are used because they are difficult to trace compared to traditional bank transfers. This makes it harder for law enforcement to identify and prosecute the perpetrators.
Who are the main targets of ransomware? Attackers often target "low-hanging fruit" like small businesses (SMBs) with weak security. They also target industries with a high sense of urgency, such as healthcare and finance, where downtime is devastating.
What is the difference between ransomware and leakware? Ransomware typically denies you access to your data by encrypting it. Leakware, or doxware, steals your data and threatens to publish it. This prevents victims from using backups as a solution, as the threat is about public disclosure rather than data loss.