
What is ransomware? Definition and complete guide

Ransomware is malware that locks and encrypts a victim's data, files, devices or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment. Malware is the umbrella term for malicious software that gives an attacker unauthorized access to, or control over, IT systems and devices. Ransomware is the form of malware in which attackers demand money either to unlock and decrypt the affected data or to refrain from leaking data they have stolen.

The first iterations of ransomware used only encryption to keep victims from their files and systems. Victims with regular backups could simply restore their data, however, negating the need to pay. In response, malicious actors added cyber extortion tactics, using further threats -- such as public disclosure of sensitive data -- to blackmail victims into paying. Attackers also began targeting victims' backups so organizations could not restore on their own. Veeam's "2024 Ransomware Trends Report" found 96% of ransomware attacks the previous year specifically targeted backup data.

Ransomware can devastate individuals, organizations and even entire municipalities or countries. Because they continue to be successful, these financially motivated attacks are becoming increasingly common. Verizon's "2024 Data Breach Investigations Report" found ransomware was involved in around one-third of all breaches, and Sophos' "The State of Ransomware 2024" reported 59% of organizations experienced a ransomware attack in the past year, with 70% of those attacks resulting in data encryption.

Read more ransomware trends, statistics and facts.

Every organization faces the risk of experiencing -- almost always with no warning -- a ransomware attack. This guide to ransomware prevention and response further explains what ransomware is and provides a comprehensive overview of the key concepts, trends and strategies driving this difficult and destructive form of cybercrime. Hyperlinks connect to other articles that deliver more in-depth information on the topics covered here.

How does ransomware work?

The ransomware lifecycle has seven general stages: target selection and reconnaissance; malware distribution and infection; command and control; exploration and lateral movement; exfiltration and encryption; extortion; and resolution.

Stage 1. Target selection and reconnaissance

Attackers choose a target and perform reconnaissance. During this phase, attackers gather information about the victim, its systems and potential employees to target for malware distribution. Techniques might include collecting publicly available data, performing network and port scans, and identifying the victim organization's security controls.

Stage 2. Malware distribution and infection

In this stage, attackers infiltrate a victim's systems and infect them with malware. The most common ransomware attack vectors are social engineering, compromised credentials, remote desktop software, exploitable software vulnerabilities, and malicious websites and malvertising.

  • Social engineering. Phishing is the most popular type of social engineering, and it continues to be the top attack vector for all types of malware. Attackers lace legitimate-looking emails with malicious links and attachments to trick users into unwittingly installing malware. Along with phishing emails, smishing, vishing, spear phishing and watering hole attacks are forms of social engineering scams attackers use to deceive people into initiating malware installation.
  • Compromised credentials. Gaining access via legitimate credentials is one of the most effective ways attackers install malware on target systems. Attackers use several techniques to access users' credentials, including credential stuffing, purchasing credentials off the dark web, spear phishing and watering hole attacks, and keystroke loggers.
  • Remote desktop software. Remote access tools and protocols, such as Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC), let administrators reach desktops from anywhere in the world. Exposed to the internet without adequate protection, however, they are a common entry point for ransomware. Attackers get in with stolen credentials, brute-force and password-spraying attacks, and passwords cracked offline from stolen hashes.
  • Software vulnerabilities. Attackers infiltrate a victim's systems by attacking unpatched or out-of-date software. Any internet-facing system with out-of-date software or hardware is vulnerable to attack, as are web apps and third-party dependencies.
  • Malicious websites and malvertising. While not as common a ransomware attack vector today, some threat actors still use websites and ads injected with malicious code to infect victims. Users who click malware-laden links or ads might unknowingly download ransomware.
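As an added example (not code from the original article), the following Python script shows what detection of the RDP attack techniques described above looks like against Windows Security log data. The log lines are constructed for the example and flattened to one event per line (timestamp, event ID, account, source IP, logon type); the thresholds and the five-minute window are assumptions to tune for your own environment.

```python
"""RDP brute-force and password-spray detection over Windows Security
events. Added example for this guide; the log sample is constructed and
the thresholds are assumptions, not vendor-recommended values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line:
#   timestamp|event_id|account|source_ip|logon_type
# 4625 = failed logon, 4624 = successful logon; logon type 10
# (RemoteInteractive) is the type an RDP session produces.
SAMPLE_LOG = """\
2025-03-01T02:00:01|4625|administrator|203.0.113.7|10
2025-03-01T02:00:02|4625|administrator|203.0.113.7|10
2025-03-01T02:00:03|4625|administrator|203.0.113.7|10
2025-03-01T02:00:04|4625|administrator|203.0.113.7|10
2025-03-01T02:00:05|4625|administrator|203.0.113.7|10
2025-03-01T02:00:06|4625|administrator|203.0.113.7|10
2025-03-01T02:00:09|4624|administrator|203.0.113.7|10
2025-03-01T09:15:00|4625|alice|198.51.100.9|10
2025-03-01T09:15:01|4625|bob|198.51.100.9|10
2025-03-01T09:15:02|4625|carol|198.51.100.9|10
2025-03-01T09:15:03|4625|dave|198.51.100.9|10
2025-03-01T09:15:04|4625|erin|198.51.100.9|10
2025-03-01T11:00:00|4625|alice|192.0.2.5|10
2025-03-01T11:00:40|4624|alice|192.0.2.5|10
"""

WINDOW = timedelta(minutes=5)     # assumed sliding window
BRUTE_FORCE_THRESHOLD = 5         # failures for one account from one source
SPRAY_THRESHOLD = 4               # distinct accounts failing from one source


def parse_events(text):
    """Return (timestamp, event_id, account, source_ip) tuples, RDP logons only."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src_ip, logon_type = line.split("|")
        if logon_type != "10":
            continue
        events.append((datetime.fromisoformat(ts), int(event_id), account.lower(), src_ip))
    return sorted(events)


def detect(events):
    """Return alerts as (kind, source_ip, account, timestamp) tuples.

    Each source IP gets each alert kind at most once, so a sustained
    attack produces one alert rather than one per failed logon.
    """
    alerts = []
    failures = defaultdict(list)   # source_ip -> [(ts, account), ...] inside WINDOW
    flagged = defaultdict(set)     # source_ip -> alert kinds already raised
    for ts, event_id, account, ip in events:
        recent = [(t, a) for t, a in failures[ip] if ts - t <= WINDOW]
        failures[ip] = recent
        if event_id == 4625:
            recent.append((ts, account))
            same_account = sum(1 for _, a in recent if a == account)
            if same_account >= BRUTE_FORCE_THRESHOLD and "brute_force" not in flagged[ip]:
                flagged[ip].add("brute_force")
                alerts.append(("brute_force", ip, account, ts))
            if len({a for _, a in recent}) >= SPRAY_THRESHOLD and "password_spray" not in flagged[ip]:
                flagged[ip].add("password_spray")
                alerts.append(("password_spray", ip, None, ts))
        elif event_id == 4624 and flagged[ip] and recent:
            # A success from a source that was just bursting failures is the
            # signal that matters most: the attacker likely has a foothold.
            if "success_after_burst" not in flagged[ip]:
                flagged[ip].add("success_after_burst")
                alerts.append(("success_after_burst", ip, account, ts))
    return alerts


def analyze(text):
    """Parse a log sample and return its alerts."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for kind, ip, account, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:20} src={ip} account={account or '*'}")
```

The single failure from 192.0.2.5 followed by a success is a user mistyping a password and is left alone; the success from 203.0.113.7 after six rapid failures is the event that should page someone, because a burst followed by a 4624 usually means the attacker now has a session.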

Stage 3. Command and control

A command-and-control (C&C) server set up and operated by the attackers exchanges encryption keys with the infected system (for example, delivering the attacker's public key or collecting the per-victim keys that decryption would require), installs additional malware and coordinates the remaining stages of the ransomware lifecycle.

Stage 4. Exploration and lateral movement

This stage involves attackers moving deeper into the victim's network and extending their reach by elevating their privileges and performing lateral movement attacks.

Stage 5. Exfiltration and encryption

In this stage, attackers exfiltrate data to infrastructure they control to use in extortion down the line. They then encrypt the data and systems, typically with a symmetric key per victim or per file that is itself encrypted with a key only the attackers hold, so the victim cannot recover the data without them.

Stage 6. Extortion

The attackers demand a ransom payment. The organization now knows it is a victim of a ransomware attack.

Stage 7. Resolution

The victimized organization must act to address and recover from the attack. This could involve restoring data from backups, implementing a ransomware recovery plan, paying the ransom, negotiating with attackers or rebuilding systems from the ground up.

Graphic displaying the sequence of events in a traditional ransomware attack.
Traditional ransomware attacks only encrypt data; they do not steal it.

What are the different types of ransomware?

Ransomware is defined and categorized by how it is delivered and what it affects. Delivery includes ransomware as a service (RaaS), automated delivery (not as a service) and human-operated delivery. The impact could be data unavailability, data destruction, data deletion or data exfiltration and extortion -- or all of the above in some cases.

The following terms further describe the different types of ransomware:

  • Locker ransomware locks victims out of their data or systems entirely.
  • Crypto ransomware encrypts all or some of victims' files.
  • Scareware tricks victims into believing their devices are infected with ransomware when they might not be. Attackers then fool victims into buying software that purportedly removes the ransomware when it actually steals data or downloads additional malware.
  • Extortionware, also known as leakware, doxware and exfiltrationware, involves attackers stealing victims' data and threatening to make it public or sell it on the dark web.
  • Wiper malware, also known as wiperware, acts like ransomware, but in reality it is a particularly destructive form of malware that erases data from victims' systems, even if they make ransom payments.
  • Double extortion ransomware encrypts victims' data and exfiltrates data to extort victims into paying a ransom, potentially twice.
  • Triple extortion ransomware encrypts victims' data, exfiltrates data to extort victims and adds a third threat. Often, this third vector is a DDoS attack. Another common tactic is extorting the victims' customers, partners or suppliers into paying ransoms or urging the initially infected organization to pay for them. This could result in attackers receiving three or more ransom payments for a single attack.
  • RaaS is a delivery model rather than a type of ransomware, but it is often included in lists of ransomware types. It's a subscription-based model in which ransomware developers sell pay-for-use malware to ransomware operators (affiliates), who give the developers a percentage of the attack profits.
Graphic displaying the sequence of events in a double extortion ransomware attack.
Double extortion ransomware adds data exfiltration to a traditional ransomware attack, stealing the data to extort the victim for more money.

What are the effects of ransomware on businesses?

Depending on the attack's sophistication, the attacker's motivation and the victim's defenses, the consequences of ransomware can range from minor inconvenience, to expensive and painful recovery, to complete devastation.

When people hear, "We've been hit with ransomware," their minds usually turn to the amount of the ransom demand. The Sophos report found the average ransomware payment in 2024 was just under $4 million, up from $1.5 million the previous year.

The total cost of a ransomware attack, however, far exceeds the ransom price tag. IBM's "Cost of a Data Breach Report 2024" found the average dollar amount attached to a ransomware attack was $5.37 million -- and that doesn't even include the cost of the ransom payment.

The difference can be attributed to multiple factors, including the following:

  • Data exposure or loss.
  • System downtime.
  • Lost productivity.
  • Revenue loss.
  • Legal and regulatory compliance fines.

Ransomware can also have the following effects:

  • Damage to business reputation.
  • Lower employee morale.
  • Loss of customer trust and loyalty.
  • The possibility that an organization will be a target of future related attacks.

Should an organization pay the ransom?

Law enforcement and cybersecurity experts strongly discourage organizations from paying ransoms for the following reasons:

  • It encourages attackers.
  • Paying can increase ransom requests -- for example, in a double extortion scheme.
  • It might create ethical and legal issues -- for example, paying the ransom is prohibited in some states and countries.
  • Most importantly, paying does not guarantee recovery: decryptors can be slow or faulty, and there is no way to verify that stolen data has actually been deleted.

Some businesses still choose to pay the ransom, however. They might think paying results in faster recovery time, reduced revenue loss and reputational damage, lower recovery costs and better protection of customer and employee data.

Read more on ransom payment considerations.

Ransomware reporting and legal issues

Whether or not a payment is made, security experts and government agencies, including CISA and the FBI, recommend that any organization affected by ransomware notify the authorities. This not only enables law enforcement to track attackers and the threat landscape, but in some cases it also enables them to disrupt ransomware operations. Many agencies also offer support to victims, for example, with incident response and digital forensics.

Note that some organizations are legally required to report ransomware attacks. Publicly traded companies in the U.S., for example, must disclose a cybersecurity incident on Form 8-K within four business days of determining that it is material, under Securities and Exchange Commission rules adopted in 2023.

Research has shown that reporting a breach to law enforcement could lessen the cost of a ransomware incident. IBM reported the average $5.37 million cost of a ransomware breach decreased to $4.38 million when law enforcement was involved.

Along with deciding whether to report an attack, decision-makers must discuss whether to disclose it to the public. No single national ransomware notification law covers private companies in the U.S., but every state has a data breach notification law, so attacks that expose personally identifiable information generally require notifying the affected individuals and, often, state regulators.

Read more about how and when to report ransomware.

Ransomware negotiation services

Organizations that choose to pay the ransom sometimes turn to ransomware negotiation services. These specialized third-party brokers act as intermediaries between attackers and victims. Because they are well versed in ransomware groups and their demands, they are better equipped to handle negotiations than most victimized businesses.

Ransomware negotiators help with the following:

  • Verifying the attacker is, indeed, the attacker.
  • Lowering ransom costs.
  • Pausing attacks in progress, which also gives victims time to assess damages.
  • Ensuring that decryption keys work.
  • Informing victims of attack details and how to improve their defenses.

Ransomware negotiation services are not always the answer, however. Just as with paying a ransom, negotiations can encourage attackers and won't always result in restored data access.

Read more about what experts have to say about ransomware negotiation strategies.

Ransomware and cyber insurance

Cyber insurance has been available since the 1990s but became more popular for organizations around 2020, as the number of ransomware attacks increased. Cyber insurance could cover losses, such as business interruption, incident response, data recovery and reputational harm, as well as regulatory fines, privacy liability, contractual violations and media liability. Policies might also offer pre-breach services such as security awareness training, vulnerability assessments and tabletop exercises.

While insurance can help lessen the financial burden of a ransomware attack, it isn't always easy to find. Insurance companies and brokers have faced significant losses over the past five years, resulting in premium hikes, coverage denials for some customers and even carriers leaving the market.

Clients looking for cyber insurance should read policies carefully. Look for details on coverage omissions, sublimits, war exclusions and preexisting conditions. Also understand insurers' coverage prerequisites, which often include the following:

  • Security controls, such as MFA, endpoint detection and response (EDR) and patching.
  • Governance processes, such as an incident response plan and security awareness training.
  • Technology and documentation, such as system and data inventories, logs and SIEM data, and business continuity and disaster recovery plans.

Read about the state of cyber insurance and get tips on how to find coverage.

Common ransomware targets

While certain industries, such as critical infrastructure, education and healthcare, tend to make the headlines when they become victims of ransomware, it is important to note that no organization -- regardless of size or industry -- is immune to ransomware attacks.

That said, the Sophos report listed the following as the most-targeted sectors, in order:

  1. Central and federal government.
  2. Healthcare.
  3. Energy and utilities infrastructure.
  4. Higher education.
  5. Financial services.
  6. Manufacturing and production.
  7. Lower education.
  8. Media, entertainment and leisure.
  9. Construction and property.
  10. Distribution and transport.
  11. IT, technology and telecoms.
  12. Business, professional and legal services.
  13. Retail.
  14. Local and state government.

Read more about the top ransomware targets.

How to prevent ransomware attacks

Ransomware prevention is a challenge for organizations of all types and sizes and has no magic-bullet remedy. To protect against ransomware, follow these prevention and mitigation best practices:

  • Deploy defense in depth. At minimum, use antimalware and antivirus software, application allowlisting/denylisting, firewalls, email and web filtering, network traffic analysis, SIEM and secure remote access technologies, such as zero-trust network access and VPNs. Never expose RDP or VNC directly to the internet, and limit their use internally.
  • Use advanced security controls. Consider extended detection and response (XDR), managed detection and response, SASE, user and entity behavior analytics, zero-trust security and cyber deception.
  • Implement strong access controls. Use MFA and the principle of least privilege. Conduct regular user permissions and access reviews.
  • Protect workloads and endpoints. Use EDR, data loss prevention and browser isolation tools, among others. Deploy tools with features that monitor for signs of malware, such as bulk file encryption and memory-based malware. Detect and monitor USB use, and perform threat hunting.
  • Secure email and collaboration tools. Implement email authentication controls, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), and use email security gateways.
  • Stay up to date with patches. Reduce exposure to vulnerabilities by following patch management best practices.
  • Use data backups. Follow the 3-2-1 backup rule (three copies, on two different media, one off site) and consider secondary and tertiary backups. Protect backups from ransomware: keep at least one copy offline or immutable, make sure credentials from the primary IT environment cannot reach backup storage, and test restores regularly.
  • Review incident response procedures. Include ransomware in standard incident response plans and create a ransomware-specific incident response plan. Write playbooks for every stage of incident response, and use ransomware tabletop exercises to test all plans and playbooks.
  • Hold security awareness training. Make security awareness training dynamic and engaging, and ensure it includes specifics about ransomware, such as how to identify, prevent, avoid and respond to ransomware.
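The email authentication controls in the list above are only as good as the records a domain actually publishes in DNS. The following added example (not code from the original article) checks an SPF and a DMARC record for the settings that leave a domain spoofable, with a weak pair of records beside a hardened pair. The records and domain names are constructed; in practice the two strings would come from TXT lookups on example.com and _dmarc.example.com. DKIM is not checked here because it requires knowing the selector the sender uses.

```python
"""SPF and DMARC posture check. Added example for this guide; the records
and domains are constructed placeholders, not live DNS data."""

# Constructed records. A real check would fetch the TXT record at the
# domain apex (SPF) and at _dmarc.<domain> (DMARC).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

HARDENED_SPF = "v=spf1 mx include:_spf.example.net -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
                  "adkim=s; aspf=s")

# SPF terms that cost a DNS query during evaluation (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    """'+include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    t = term.lower().lstrip("+-~?")
    for sep in (":", "/", "="):
        t = t.split(sep, 1)[0]
    return t


def check_spf(record):
    """Return a list of findings for an SPF record (empty means acceptable)."""
    if record is None:
        return ["SPF: no record, so any host may use the domain as envelope sender"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every host on the internet")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral, so spoofed mail is not rejected")
    elif last == "~all":
        findings.append("SPF: '~all' softfail; move to '-all' once all senders are listed")
    elif last != "-all" and _mechanism(last) != "redirect":
        findings.append("SPF: no terminating 'all' mechanism; default result is neutral")
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def parse_tags(record):
    """Parse 'tag=value; tag=value' into a dict with lower-case tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC record (empty means acceptable)."""
    if record is None:
        return ["DMARC: no record, so SPF and DKIM results are never enforced"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required p= tag is missing")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} enforces the policy on only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    if tags.get("sp") == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def assess(spf_record, dmarc_record):
    """Combined findings for a domain; an empty list means nothing to fix."""
    return check_spf(spf_record) + check_dmarc(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(f"[{label}]")
        for finding in assess(spf, dmarc) or ["no findings"]:
            print("  -", finding)
```

The weak pair is what many domains still publish: a softfail SPF and a monitoring-only DMARC policy, which together let a phishing email that forges the company's own domain reach inboxes. Moving to `-all` and `p=reject` is what actually stops that, and the lookup-count check catches the other common failure, an SPF record that has grown past 10 includes and silently evaluates to permerror.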

How to detect ransomware attacks

Even organizations that follow ransomware prevention best practices can still fall victim. In fact, many experts say companies should treat an attack as a question not of if but of when.

Crucially, however, a security team that detects a ransomware attack in its early stages might be able to isolate and remove malicious actors before they have found, encrypted and exfiltrated sensitive data.

Antimalware tools form an important first line of defense, flagging known ransomware variants by signature (file hashes and byte patterns). Some offerings, such as XDR and SIEM platforms, also look for behavioral anomalies to catch novel strains that no signature matches. Possible indicators of compromise include abnormal process and file activity, network traffic and API calls -- any of which could point to an active ransomware attack.

Some organizations use deception-based detection to flush out adversaries, baiting them with fake IT assets that act as tripwires to alert security teams to their presence. While cyber decoys require considerable resources to deploy and maintain, they have exceptionally low false-positive rates, making them valuable weapons in the fight against ransomware.
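The behavioral indicators and the decoy-file tripwire described above can be combined in one detector. The added example below (not code from the original article) runs over a constructed stream of endpoint file events and flags a process that rewrites many files with high-entropy content in a short window, renames many files to a new extension, or touches a canary file. The event format, thresholds, process names and canary path are assumptions for the example; the "ciphertext" is deterministic pseudo-random data standing in for encrypted file content.

```python
"""Behavioral ransomware detection over endpoint file events, plus a
canary-file tripwire. Added example for this guide; the events, thresholds
and canary path are constructed assumptions."""
import hashlib
import math
import os
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)   # assumed detection window
BURST_THRESHOLD = 5              # high-entropy rewrites or renames per process per window
ENTROPY_THRESHOLD = 7.0          # bits per byte; ciphertext sits near 8.0, documents far lower
CANARY_FILES = {"/srv/share/finance/~Q1_draft.xlsx"}   # constructed decoy no user should open


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    process: str
    op: str              # "write" or "rename"
    path: str
    new_path: str = ""   # rename target
    data: bytes = b""    # sample of the bytes written (write events)


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 is the maximum for byte-valued data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events):
    """Return (kind, pid, process, timestamp) alerts, one of each kind per process."""
    alerts = []
    flagged = set()
    hi_writes = defaultdict(list)   # pid -> timestamps of high-entropy writes in WINDOW
    renames = defaultdict(list)     # pid -> (timestamp, new extension) in WINDOW

    def raise_alert(kind, ev):
        if (kind, ev.pid) not in flagged:
            flagged.add((kind, ev.pid))
            alerts.append((kind, ev.pid, ev.process, ev.ts))

    for ev in sorted(events, key=lambda e: e.ts):
        # Any access to a decoy is an alert on its own: legitimate users never touch it.
        if ev.path in CANARY_FILES or ev.new_path in CANARY_FILES:
            raise_alert("canary_tripped", ev)
        if ev.op == "write" and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
            recent = [t for t in hi_writes[ev.pid] if ev.ts - t <= WINDOW] + [ev.ts]
            hi_writes[ev.pid] = recent
            if len(recent) >= BURST_THRESHOLD:
                raise_alert("encryption_burst", ev)
        elif ev.op == "rename":
            ext = os.path.splitext(ev.new_path)[1].lower()
            recent = [(t, e) for t, e in renames[ev.pid] if ev.ts - t <= WINDOW] + [(ev.ts, ext)]
            renames[ev.pid] = recent
            if ext and sum(1 for _, e in recent if e == ext) >= BURST_THRESHOLD:
                raise_alert("mass_rename", ev)
    return alerts


# --- constructed sample data -------------------------------------------------
PLAINTEXT = b"Q1 revenue 4.2M; Q2 revenue 4.6M; Q3 forecast pending review. " * 16


def _ciphertext(i):
    """Deterministic pseudo-random bytes standing in for encrypted file content."""
    return b"".join(hashlib.sha256(f"block-{i}-{j}".encode()).digest() for j in range(32))


def build_sample_events():
    """A benign spreadsheet save, then one process encrypting and renaming six files."""
    t0 = datetime(2025, 3, 1, 14, 0, 0)
    events = [FileEvent(t0, 4120, "excel.exe", "write", "/srv/share/finance/q1.xlsx", data=PLAINTEXT)]
    for i in range(6):
        t = t0 + timedelta(seconds=5 + i)
        path = f"/srv/share/finance/report_{i}.docx"
        events.append(FileEvent(t, 9917, "updater.exe", "write", path, data=_ciphertext(i)))
        events.append(FileEvent(t, 9917, "updater.exe", "rename", path, new_path=path + ".locked"))
    events.append(FileEvent(t0 + timedelta(seconds=12), 9917, "updater.exe", "write",
                            "/srv/share/finance/~Q1_draft.xlsx", data=_ciphertext(99)))
    return events


if __name__ == "__main__":
    for kind, pid, process, ts in detect(build_sample_events()):
        print(f"{ts.time()} {kind:17} pid={pid} ({process})")
```

The entropy and rename checks are rate-based, so a user saving one compressed archive does not trip them, while a process rewriting files at ransomware speed does within seconds. The canary check has no rate at all: one touch is enough, which is why decoys have the low false-positive rate the text describes, provided the decoy is placed where backup jobs and indexers will not open it.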

How to respond to a ransomware attack

Ransomware prevention and early detection efforts notwithstanding, experts say enterprises should still expect the worst to happen and plan accordingly. That means organizing a core cybersecurity incident team that investigates security events and an extended computer security incident response team (CSIRT) that responds to confirmed ransomware incidents.

Ideally, the core CSIRT should consist primarily of cybersecurity practitioners and, possibly, IT operations staff. The extended CSIRT should also include legal experts, PR and communications representatives, and executive leaders.

Once the ransomware response plan is in place, regularly put it through its paces with realistic tabletop and threat modeling exercises. Clearly establish how and when to escalate an incident and which CSIRT members should be involved -- at which stages and in what capacity.

During a confirmed ransomware attack, the following should happen as quickly and efficiently as possible.

Identification and investigation

  • Notify all core CSIRT members.
  • Determine the type of ransomware, if feasible, and gather as much information as possible about the attack.
  • Assess the scope of the ransomware infection within the environment.
  • Evaluate the potential impact on the organization, including critical business functions and financial implications.
  • Determine, to the extent possible, the source of the infection.

Containment

  • Disconnect and quarantine affected systems and devices.
  • Ensure backups and backup servers are secure.
  • Consider isolating shared databases and file shares.
  • Consider taking additional steps, such as blocking known C&C domains.

Eradication

  • Remove known malicious artifacts.
  • Confirm that backups are clean and unaffected by malware.
  • Delete and replace infected systems and services.
  • Wipe and restore affected endpoints with clean backup data.
  • Check that endpoint security tools are up to date and activated across systems.
  • Deploy high-priority security patches, especially on targeted systems, OSes and software.
  • Stay alert for signs of reinfection.

Learn more about how to remove ransomware.

Communication

  • Communicate the specifics of the incident to appropriate stakeholders, as the incident response plan dictates. These might include internal stakeholders, such as employees and executive leadership, and external stakeholders, such as customers, third-party partners, insurance providers and law enforcement.
  • Ensure compliance with relevant cybersecurity disclosure laws.
  • Document the incident as it unfolds.

Recovery

  • Weigh whether to pay the ransom. Consult with legal counsel, insurers, law enforcement, consultants and negotiation experts as necessary.
  • Confirm all systems, data and applications are clean, accessible, operational and monitored -- with no outstanding vulnerabilities that could let attackers back into the environment.

Read more about how to recover from a ransomware attack.

Notable examples of ransomware attacks

Ransomware has bedeviled organizations and individuals for decades. The following are just a handful of the most notable ransomware attacks:

  • AIDS Trojan, 1989. A Harvard-educated biologist named Joseph L. Popp mailed infected floppy disks to 20,000 people who had recently attended a World Health Organization AIDS conference. Because the malware used a simple symmetric cipher, researchers quickly produced recovery tools, but Popp's malware -- known as the AIDS Trojan -- went down in history as the first known ransomware campaign.
  • CryptoLocker, 2013. Ransomware didn't become a prominent threat until the 2010s, when malware such as CryptoLocker pioneered the use of advanced encryption algorithms to hold victims' data hostage. CryptoLocker operators were also among the first to demand ransom payments in cryptocurrency.
  • WannaCry, 2017. In one of the biggest ransomware attacks of all time, the WannaCry cryptoworm compromised hundreds of thousands of computers across 150 countries. Victims included major banks, law enforcement agencies, healthcare organizations and telecommunications firms. The malware uses the EternalBlue exploit -- originally developed by the National Security Agency and leaked by the Shadow Brokers hacking group -- to take advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. Although Microsoft had released the fix (MS17-010) two months before the outbreak, unpatched systems continue to fall prey to WannaCry infections to this day.
  • NotPetya, 2017. Like WannaCry, NotPetya spreads with the EternalBlue exploit, supplemented by stolen credentials and legitimate administrative tools such as PsExec and WMI. As wiperware, however, it encrypts files and the disk's master file table with no mechanism for the attackers to recover the key, so victims' data is destroyed even if they pay. NotPetya caused an estimated $10 billion in losses worldwide. One of the highest-profile targets, Danish shipping and logistics giant A.P. Moller-Maersk, lost around $300 million in the incident. The CIA has attributed the attack to a Russian military intelligence agency, and according to cybersecurity vendor ESET, around 80% of NotPetya's targets were in Ukraine.
  • REvil, 2021. In one of the largest ransomware episodes ever, the REvil gang's RaaS operation hit managed service provider Kaseya in July 2021, pushing ransomware to Kaseya's customers through a vulnerability in its VSA remote management product. REvil claimed to have infected more than 1 million devices in the supply chain attack; Kaseya said about 50 direct customers and between 800 and 1,500 downstream businesses were affected.
  • Alphv/BlackCat, 2024. In early 2024, following efforts by the FBI to disrupt the RaaS gang's operations, Alphv/BlackCat began aggressively targeting healthcare organizations. The group's attack on healthcare payment software giant Change Healthcare was particularly catastrophic, resulting in mass disruptions across pharmacies, hospitals and medical practices.

So-called big game hunting, in which ransomware operators target large organizations with deep pockets, has exploded in recent years. High-profile ransomware victims have included Colonial Pipeline, Caesars Entertainment, MGM Resorts, JBS USA, the government of Costa Rica, Travelex, the U.K.'s National Health Service and many more.

Graphic of ransomware trends, including the first ransomware attack, locker and crypto ransomware, double extortion attacks and more

Ransomware trends and evolving tactics

Ransomware has evolved dramatically since its inception in 1989, when Popp -- the so-called father of ransomware -- loaded the AIDS Trojan onto floppy disks and sent it to targets through snail mail. The birth of the internet and email opened the door to spray attacks, in which threat actors demanded small ransom payments from as many victims as they could. More recently, targeted ransomware attacks have become the norm, taking down one high-profile organization after another.

Several key developments and trends have contributed to the growing tidal wave of ransomware attacks:

  • Locker ransomware, which completely shuts users out of their devices and makes it more likely they will comply with ransom demands.
  • Stronger encryption algorithms that are difficult, if not impossible, to break.
  • Cryptocurrency, such as bitcoin, which lets cybercriminals collect large ransoms pseudonymously and move funds across borders, although its public ledger has also let law enforcement trace and, in some cases, seize payments.
  • RaaS, which enables cybercriminals with limited technical abilities to rent ransomware services and execute attacks.
  • Double-extortion attacks, which enable ransomware operators to demand two payments for a single attack.
  • Triple-extortion attacks, in which threat actors can extort victims multiple times for a single attack.
  • Initial access brokers, third-party criminal groups that acquire illegal access to private networks and sell it to ransomware operators.

AI and the future of ransomware

AI threatens to turbocharge ransomware attacks by enabling operators to execute them at unprecedented speed and scale. According to experts, generative AI (GenAI) and large language models (LLMs) can help attackers more efficiently and effectively accomplish the following:

  • Conduct research and reconnaissance.
  • Target victims via social engineering and phishing campaigns.
  • Uncover and exploit system vulnerabilities.
  • Write and deploy malware.
  • Identify and exfiltrate sensitive data.
  • Adapt to defensive measures to avoid detection.

GenAI can even help operators optimize their ransom demands based on target-specific variables such as cyber insurance coverage and data backups, while AI chatbots can handle negotiations with victims.

In better news, AI and LLMs also promise to bolster ransomware defenses through intelligent behavioral analysis, automated incident response and recovery, and AI agent-driven endpoint protection. With defenders and threat actors using emerging AI technology against each other in equal measure, their decades-long game of cat and mouse is poised to continue.

Sharon Shea is executive editor of Informa TechTarget's SearchSecurity site.

Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity site.

This was last updated in April 2025
