What is Ransomware? A Guide to Prevention and Response

Ransomware banner

Imagine you’re in the middle of an important project, and suddenly, your computer screen goes blank. A message pops up demanding an exorbitant payment in cryptocurrency to unlock your most personal and critical files.

This is not a scene from a thriller movie; it’s a real-life scenario of a ransomware attack.

Read this guide to understand what ransomware is and how to protect yourself against it to protect your business or organization from this increasingly common cybercrime.

Key Takeaways

  • Ransomware is a form of digital extortion that locks up data and demands ransom.

  • It spreads through malicious downloads, phishing emails, and software vulnerabilities.

  • Businesses need strong ransomware protection measures to protect against costly downtime & disruptions caused by attacks.

What is Ransomware?

Illustration of a computer screen with a locked padlock symbol representing ransomware encryption

Ransomware acts as a digital bully, locking up your data and demanding a ransom for its release. Think of it as digital extortion, where your files are held hostage until you pay up. The primary objective of these attacks is monetary gain, achieved by demanding a ransom to decrypt or unblock the data.

Modern ransomware has evolved to become a formidable threat. It now comes loaded with countdown timers, demands higher ransom amounts, and has infection routines that help it spread across networks and servers. The attackers hold the decryption key needed to unlock the encrypted files.

How Ransomware Infects Systems

Ransomware infiltrates systems through a variety of methods, often leading to ransomware infections. Attackers frequently utilize email as a cost-effective and convenient mechanism. They bank on the fact that individuals often open email attachments containing malicious code without being cautious, making it a top choice for spreading ransomware. Additionally, ransomware can infiltrate your system when you visit shady websites or click on compromised ads.

A particularly notorious example is the WannaCry ransomware attack, which exploited a Microsoft Windows vulnerability to spread across the internet and encrypt files on infected systems.

The Impact of Ransomware on Businesses

Ransomware attacks can have devastating effects on businesses. On average, ransomware attacks cost businesses around $1.82 million according to Sophos, not including the ransom itself. A case in point is the SamSam ransomware attack on the City of Atlanta, which cost them $2.6 million, highlighting the importance of having strong ransomware protection measures in place.

Recent incidents, such as the WannaCry and DarkSide attacks on the U.S. Colonial Pipeline, have resulted in considerable disruptions. The latter even shut down a pipeline that supplies 45 percent of the U.S. East Coast’s fuel. These examples underscore the importance of keeping your operating system and software updated to prevent such attacks.

Most Common Types of Ransomware

Photo of a computer with a ransomware warning message on the screen

Ransomware’s evolution has led to the emergence of various ransomware variants, each possessing unique tactics and impacts. The most common types wreaking havoc are:

  • Crypto ransomware

  • Locker ransomware

  • Doxware (or leakware)

  • Scareware

  • Ransomware-as-a-Service (RaaS)

Crypto Ransomware

Crypto ransomware behaves like a digital kidnapper. It locks up your files and demands a ransom in cryptocurrency to unlock them. An infamous example is CryptoLocker, which leveraged a botnet to spread rapidly and significantly impacted the development of ransomware.

What makes crypto ransomware distinct is:

  • Its use of advanced encryption algorithms

  • A preference for payment in cryptocurrency

  • The ability to spread through various means like malicious downloads, phishing, or exploiting software vulnerabilities.

Locker Ransomware

Locker ransomware can be likened to a digital padlock. It locks users out of their devices and then demands payment for access restoration. This type of ransomware can infiltrate a system through social engineering, compromised credentials, or by exploiting software vulnerabilities.

A typical locker ransomware attack involves the following steps:

  1. Identifying a target

  2. Spreading the malware

  3. Connecting to a command and control server

  4. Encrypting files

  5. Demanding a ransom from the victim

The key difference between locker and crypto ransomware is that locker ransomware locks you out of your entire system, while crypto ransomware encrypts specific files without blocking your overall system access.

Doxware (or Leakware)

Doxware, also known as leakware, adopts a distinctive strategy. It threatens to leak sensitive information unless a ransom is paid. This type of ransomware usually targets sensitive data like personal data, financial records, and confidential documents.

There have been notable doxware attacks, such as the Maze Ransomware Attack on a Medical Research Facility and The Dark Overlord Attack in 2016. These attacks can lead to financial loss, compromised privacy, reputational damage, and even legal and regulatory consequences.


Scareware mirrors the actions of a digital prankster. It tricks users into believing that their system is infected and demands payment for a fake solution. This form of ransomware plays on users’ emotions and cognitive biases, creating a sense of immediate danger to coax users into giving out personal details or buying fake antivirus software.

Examples of scareware attacks include NightMare, which displayed a shocking image and loud noises to scare the victim, and XPAntivirus, which deceived users into believing their computer was infected with viruses and offered a fake solution.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) functions akin to a rental service for cybercriminals. It allows them to easily access ransomware tools and services from developers, making their attacks simpler. In this setup, ransomware operators team up with affiliates who pay to use the ransomware and carry out attacks, while developers are responsible for creating the ransomware and offering support to these affiliates.

The ease of access provided by RaaS, along with the potential financial gains from ransom shares, has contributed to the surge in ransomware attacks.

The Evolution of Ransomware Attacks

Illustration of the evolution of ransomware attacks from early examples to modern variants

Ransomware has come a long way since Joseph L. Popp’s first known campaign, in 1989, with the AIDS Trojan. Its evolution accelerated in the 2000s with the rise of the internet, with the first actual cases of ransomware reported in Russia between 2005 and 2006. The introduction of cryptocurrency in 2009 further propelled the prevalence of ransomware due to the anonymity it offered for ransom payments.

Over time, the sophistication of ransomware attacks has escalated, with variants such as WannaCry and Ryuk notably altering the landscape. Some of the tactics used by attackers include:

  • Spreading through sneaky URLs and exploiting vulnerabilities using the EternalBlue exploit (WannaCry)

  • Encrypting network drives and disabling Windows System Restore (Ryuk)

  • Big game hunting

  • Double extortion

  • Using law enforcement ransomware

  • Demanding untraceable payments

These techniques showcase the advancing tactics of ransomware attackers in ransomware attacks, highlighting the growing concern about ransomware threats and the emergence of new ransomware variants.

Identifying and Responding to a Ransomware Attack

In case of a suspected ransomware attack, swift action is imperative. Look out for signs such as file renaming or changing extensions, and slow system performance, which could indicate an active ransomware infection.

If a device is suspected of being infected, it should be shut down and disconnected from the internet. A manual scan of the system should be conducted for any strange behavior, and next-generation firewalls should be used to identify and quarantine the device.

The recovery process from a ransomware attack includes the following steps:

  1. Refrain from paying the ransom.

  2. Use anti-malware software to remove the ransomware.

  3. Restore systems from backups.

  4. Implement a solid ransomware recovery plan.

How to Protect Against Ransomware

Illustration of multi-layered cybersecurity measures protecting against ransomware

Proactivity is key to averting ransomware attacks. This means implementing strong cybersecurity measures like real-time protection, anti-exploit technology, antivirus, and endpoint protection, and staying informed about the latest threats and how to prevent them.

Regular data backups, including backup files, are significant. They facilitate quick recovery and minimize downtime during a ransomware attack. Ensuring that systems and software are regularly updated can also prevent vulnerabilities that attackers could exploit.

Employee training is another critical aspect, as it helps individuals spot and avoid sneaky tactics like phishing emails.

Make sure to take extra mobile device security measures, especially while traveling, as tactics like juice jacking are becoming more common.

Legal and Ethical Considerations: To Pay or Not to Pay?

When affected by a ransomware attack, businesses grapple with the difficult choice of paying or not paying the ransom. Paying the ransom can have serious implications beyond just giving in to the criminals. It could also end up supporting terror organizations, money laundering, and even nation-states with bad intentions.

Paying the ransom might also make the victim look vulnerable to other cybercriminals, putting them at risk of being targeted again.

The FBI does not support the idea of paying a ransom to address a ransomware attack. This stance is consistent with their long-standing policy. Less than half of ransomware victims are able to restore their systems after paying the ransom. Additionally, many are left without their data even after complying with the demands.

Ransomware Trends and Future Threats

Photo of cyber security experts discussing ransomware trends and future threats

The ransomware landscape perpetually evolves, giving rise to new trends and threats over time. One such trend is the rise of double extortion, where attackers not only encrypt data but also threaten to leak sensitive information unless a ransom is paid. The infamous REvil ransomware is known for using double-extortion tactics.

Another rising trend is the concept of big game hunting, where ransomware operators target large companies with deep pockets.

The continued growth of Ransomware-as-a-Service (RaaS) is also contributing to the increase in ransomware attacks, making it easier for cybercriminals to carry out attacks.


In a world becoming increasingly digital, understanding ransomware and how to protect against it has never been more crucial. From defining ransomware and its impact on businesses to discussing common types and how they infect systems, we’ve taken a deep dive into the world of ransomware.

We’ve also touched on the history and evolution of ransomware attacks, how to identify and respond to them, and the legal and ethical considerations surrounding ransom payments.

Hire John to Speak About Cyber Threats

“FBI John” Iannarelli is a former FBI Special Agent and now a keynote speaker on cybersecurity, including cyber terrorism, cyber attacks, and cyber threats such as hacking and phishing.

Frequently Asked Questions

What is ransomware?

Ransomware is a type of malware that locks you out of your device and data by encrypting files. Cybercriminals demand a ransom for decryption. Be cautious of suspicious links and downloads to prevent ransomware attacks.

How does ransomware get on your device?

Ransomware can get on your device through phishing emails with malicious attachments or drive-by downloading from infected websites. Once hackers gain access, they can inject the ransomware payload.

Can you get rid of ransomware?

Yes, if the ransomware is detected before a ransom is demanded, you can delete the malware and stop the ransomware virus. However, the data that has been encrypted before detection will remain encrypted. It’s important to use antimalware/anti-ransomware software to quarantine and remove the malicious software.

Scroll to Top