
What Is Ransomware? Types, Prevention & Response

Ransomware is malicious software that encrypts files and demands payment for their release. This guide covers how ransomware works, major attack types, prevention strategies, and response procedures.

Updated February 15, 2026 · 9 min read

What Is Ransomware?

Ransomware is a category of malware that renders an organization's data or systems unusable until a ransom is paid. Modern ransomware typically encrypts files with a hybrid scheme: each file is encrypted with a fresh symmetric key, and that key is in turn wrapped with a public key whose private half only the attacker holds, so the files cannot be recovered without the attacker's cooperation. Ransom demands are usually paid in cryptocurrency, most commonly Bitcoin or Monero, to obscure the recipient's identity. Ransomware has evolved from a nuisance affecting individual computers into a criminal enterprise that generates billions of dollars annually. Attacks now routinely target hospitals, municipalities, schools, critical infrastructure, and enterprises of all sizes. The Ransomware-as-a-Service model has lowered the barrier to entry: affiliates with limited skills launch attacks using platforms developed and maintained by more sophisticated operators, who take a percentage of each ransom payment. This industrialization has driven sustained growth in both attack volume and sophistication.

How Ransomware Attacks Work

Most ransomware attacks follow a predictable lifecycle that begins well before encryption occurs. Initial access is gained through phishing emails, exploited vulnerabilities in public-facing systems, compromised Remote Desktop Protocol connections, or stolen VPN credentials purchased from initial access brokers on the dark web. After gaining a foothold, attackers conduct reconnaissance to understand the network topology, identify high-value systems, and locate backup infrastructure. Privilege escalation uses techniques like credential dumping, Kerberoasting, or exploiting Active Directory misconfigurations to gain domain administrator access. With elevated privileges, attackers disable security tools, delete shadow copies and backup catalogs, and exfiltrate sensitive data to use as additional leverage. The encryption phase is the final step, deploying ransomware simultaneously across as many systems as possible using group policy, PsExec, or other remote administration tools. The entire attack lifecycle from initial access to encryption typically spans 3-21 days, providing a critical detection window for organizations with effective monitoring.

Types of Ransomware

Several distinct ransomware categories pose different threats. Crypto ransomware is the most common type, encrypting files and demanding payment for the decryption key. Families such as LockBit, BlackCat, and Royal use standard strong ciphers that cannot be broken without the attacker's key, although implementation flaws in some families have occasionally allowed researchers to publish free decryptors, so it is worth checking for one before assuming data is lost. Double extortion ransomware both encrypts data and exfiltrates it, threatening to publish stolen information on a leak site if the ransom is not paid. This tactic is now standard practice for most major ransomware groups. Triple extortion adds a third pressure point: contacting the victim's customers, partners, or patients directly and threatening to expose their data. Locker ransomware locks users out of their devices entirely rather than encrypting individual files. While less common in enterprise attacks, it remains prevalent in mobile malware. Wiper malware disguised as ransomware, such as NotPetya, destroys data permanently regardless of whether a ransom is paid. These attacks are often attributed to nation-state actors pursuing destructive objectives rather than financial gain.

Ransomware Prevention Strategies

Effective ransomware prevention requires a layered defense strategy. Maintain offline, immutable backups that are tested regularly for restoration. Follow the 3-2-1-1 rule: three copies of data, on two different media types, with one copy offsite and one copy offline or immutable. Implement endpoint detection and response across all systems to detect and block ransomware behavior before encryption completes. EDR tools can identify suspicious patterns like mass file modification, shadow copy deletion, and known ransomware process behaviors. Deploy multi-factor authentication on all remote access points, email accounts, and privileged accounts, as stolen or reused credentials remain among the most common initial access vectors. Patch internet-facing systems within 48 hours of critical vulnerability disclosure, prioritizing VPN appliances, email gateways, and web applications. Segment your network to limit lateral movement so that compromising one system does not grant access to the entire environment. Train employees to recognize phishing attempts and establish clear reporting procedures. Conduct regular penetration testing to identify the attack paths ransomware operators would exploit.
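The pre-encryption behaviors described in the attack lifecycle above (shadow copy deletion, recovery tampering, remote execution tooling) and the EDR patterns named in this section (mass file modification) can be expressed as simple detection rules. The following is an added Python example written for this page, not OmegaBlack's or any EDR vendor's code. It runs two rules over a constructed list of process-creation and file-modification events; the event field names, the sample host and user names, and the file paths are assumptions chosen for the illustration rather than any real product's log format.

```python
"""Heuristic pre-encryption detection over endpoint telemetry.

Added example for illustration; the event schema (fields ts, type, host, pid,
user, cmdline, path) is a hypothetical normalized form, not a real product's.
"""
import re
from collections import defaultdict, deque

# Command lines that commonly precede encryption: destroying recovery points,
# disabling Windows recovery, wiping the backup catalog, and remote execution.
TAMPER_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "backup_catalog_deleted": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "remote_exec_tool": re.compile(r"\bpsexec(\.exe)?\b", re.I),
}


def detect_tampering(events):
    """Flag process-creation events whose command line matches a tampering pattern."""
    alerts = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for rule, pattern in TAMPER_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                alerts.append({"rule": rule, "host": ev["host"], "pid": ev["pid"],
                               "ts": ev["ts"], "cmdline": ev["cmdline"]})
    return alerts


def detect_mass_modification(events, threshold=20, window_s=10.0):
    """Flag a process that modifies more than `threshold` files within any
    `window_s`-second sliding window. Fires once per (host, pid)."""
    windows = defaultdict(deque)  # (host, pid) -> timestamps inside the current window
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "file_modified":
            continue
        key = (ev["host"], ev["pid"])
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": "mass_file_modification", "host": ev["host"],
                           "pid": ev["pid"], "ts": ev["ts"], "count": len(q),
                           "sample": ev["path"]})
    return alerts


def analyze(events):
    """Run both rules and return the combined alert list."""
    return detect_tampering(events) + detect_mass_modification(events)


def _mod(ts, pid, path):
    return {"ts": ts, "type": "file_modified", "host": "WS01", "pid": pid, "path": path}


# Constructed sample telemetry: two tampering commands, a benign notepad launch,
# an encryptor (pid 5555) rewriting 30 files in 1.5 s, and a nightly backup
# job (pid 900) touching 5 files 30 s apart, which must not alert.
SAMPLE_EVENTS = [
    {"ts": 100.0, "type": "process", "host": "WS01", "pid": 4120, "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 101.0, "type": "process", "host": "WS01", "pid": 4131, "user": "CORP\\svc_backup",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": 102.0, "type": "process", "host": "WS01", "pid": 4140, "user": "CORP\\jdoe",
     "cmdline": "C:\\Windows\\System32\\notepad.exe readme.txt"},
] + [_mod(110.0 + i * 0.05, 5555, f"C:\\Users\\jdoe\\Documents\\report{i}.docx.locked")
     for i in range(30)] \
  + [_mod(200.0 + i * 30, 900, f"C:\\Backups\\daily{i}.bak") for i in range(5)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["pid"], alert.get("cmdline", alert.get("sample")))
```

The sliding window matters: a backup agent or a compiler can legitimately touch thousands of files over an hour, so the rule keys on burst rate per process rather than total count, and the tampering rule keys on exact command-line shapes rather than on the binary name alone (an administrator running `vssadmin list shadows` should not page anyone).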

Ransomware Response & Recovery

When ransomware strikes, the first priority is containment. Isolate affected systems from the network immediately by disabling network interfaces or disconnecting cables, but do not power off systems as this destroys volatile forensic evidence in memory. Activate your incident response plan and engage your IR retainer provider if the attack exceeds internal capabilities. Determine the scope by identifying which systems are encrypted, which data may have been exfiltrated, and whether the attacker still has active access to the environment. Preserve forensic evidence including ransom notes, encrypted file samples, and network logs for investigation and potential law enforcement engagement. Report the incident to the FBI's IC3, CISA, or relevant authorities, as they may have decryption keys or intelligence about the specific threat actor. Evaluate recovery options: restore from backups if available and verified clean, or consider negotiation as a last resort with guidance from experienced negotiators and legal counsel. Do not pay ransoms without expert guidance, as payment does not guarantee data recovery and may fund further criminal activity. After recovery, conduct a thorough post-incident review to close the vulnerabilities that enabled the attack and improve defenses.
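Two of the steps above, determining which files are encrypted and preserving encrypted samples and ransom notes as evidence, can be partly automated with a read-only triage pass over an affected volume or a mounted disk image. The block below is an added Python example written for this page, not OmegaBlack's tooling or any incident-response vendor's script. It classifies files by byte entropy, extension and ransom-note filename, and records a SHA-256 for each item worth preserving. The note names and extensions it looks for are hypothetical placeholders to be replaced with the indicators of the family actually observed, and the sample file set is constructed in memory so the code runs offline.

```python
"""Read-only encrypted-file triage and evidence hashing after a ransomware incident.

Added illustration; RANSOM_NOTE_NAMES and SUSPECT_EXTENSIONS are hypothetical
placeholders, not a real family's indicators.
"""
import hashlib
import math
import os
from collections import Counter

RANSOM_NOTE_NAMES = {"readme_restore.txt", "how_to_decrypt.txt"}   # hypothetical
SUSPECT_EXTENSIONS = {".locked", ".encrypted"}                     # hypothetical
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution; 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, data: bytes) -> dict:
    """Classify one file and hash it so the sample can be preserved as evidence.

    'encrypted' requires high entropy AND a suspect extension. High entropy on
    its own is labelled 'high_entropy' because compressed or legitimately
    encrypted content (zip, jpeg, pdf) is statistically indistinguishable
    from ransomware output; those need manual review, not automatic counting.
    """
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()  # handles Windows and POSIX paths
    ext = os.path.splitext(base)[1]
    entropy = shannon_entropy(data)
    if base in RANSOM_NOTE_NAMES:
        kind = "ransom_note"
    elif entropy >= ENTROPY_THRESHOLD and ext in SUSPECT_EXTENSIONS:
        kind = "encrypted"
    elif entropy >= ENTROPY_THRESHOLD:
        kind = "high_entropy"
    else:
        kind = "plain"
    return {"path": path, "size": len(data), "entropy": round(entropy, 3),
            "sha256": hashlib.sha256(data).hexdigest(), "kind": kind}


def triage(samples: dict) -> dict:
    """Classify a {path: bytes} map; return records, per-kind counts and evidence items."""
    records = [classify(p, d) for p, d in samples.items()]
    counts = Counter(r["kind"] for r in records)
    evidence = [r for r in records if r["kind"] in ("ransom_note", "encrypted")]
    return {"records": records, "counts": dict(counts), "evidence": evidence}


def scan_directory(root: str, max_bytes: int = 1 << 20) -> dict:
    """Read up to max_bytes of each file under root without modifying anything, then triage."""
    samples = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    samples[full] = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: note it for the scope report, do not abort
    return triage(samples)


# Constructed in-memory sample set standing in for files on an affected host.
SAMPLE_FILES = {
    "/mnt/ws01/Users/jdoe/Documents/q3_report.docx.locked": bytes(range(256)) * 16,  # uniform bytes, entropy 8.0
    "/mnt/ws01/Users/jdoe/Documents/notes.txt": b"Quarterly figures and meeting notes. " * 40,
    "/mnt/ws01/Users/jdoe/Documents/README_RESTORE.txt":
        b"Your files are encrypted. Contact us to buy the decryptor.",
    "/mnt/ws01/Users/jdoe/Downloads/archive.zip": bytes(range(256))[::-1] * 8,  # high entropy, benign extension
}

if __name__ == "__main__":
    result = triage(SAMPLE_FILES)
    print(result["counts"])
    for item in result["evidence"]:
        print(item["kind"], item["path"], item["sha256"][:16], item["entropy"])
```

Run it against a mounted image rather than the live encrypted host where possible, and keep the resulting hash list with the preserved samples: the hashes let you later prove the evidence is unchanged, and an encrypted sample plus the ransom note is what a free decryptor lookup or law enforcement will ask for first.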

Explore more cybersecurity terms from OmegaBlack.