What is ransomware?

 Ransomware is a type of malware that holds a victim’s sensitive data or device hostage, threatening to keep it locked—or worse—unless the victim pays a ransom to the attacker. 

 The earliest ransomware attacks simply demanded a ransom in exchange for the encryption key needed to regain access to the affected data or use of the infected device. By making regular or continuous data backups, an organization could limit costs from these types of ransomware attacks and often avoid paying the ransom demand. 

In recent years, ransomware attacks have evolved to include double-extortion and triple-extortion tactics that raise the stakes considerably. Even victims who rigorously maintain data backups or pay the initial ransom demand are at risk.

Double-extortion attacks add the threat of stealing the victim’s data and leaking it online. Triple-extortion attacks add the threat of using the stolen data to attack the victim’s customers or business partners.

 Ransomware is one of the most common forms of malicious software, and ransomware attacks can cost affected organizations millions of dollars.

20% of all cyberattacks recorded by the IBM® X-Force® Threat Intelligence Index in 2023 involved ransomware. And these attacks move quickly. When hackers gain access to a network, it takes less than four days to deploy ransomware. This speed gives organizations little time to detect and thwart potential attacks.

Ransomware victims and negotiators are reluctant to disclose ransom payments, but threat actors often demand seven-figure and eight-figure amounts. And ransom payments are only part of the total cost of a ransomware infection. According to the IBM Cost of a Data Breach report, the average cost of a ransomware breach is USD 5.68 million, which does not include ransom payments.

That said, cybersecurity teams are becoming more adept at combatting ransomware. The X-Force Threat Intelligence Index found that ransomware infections declined by 11.5% between 2022 and 2023, likely due to improvements in threat detection and prevention.

 There are two general types of ransomware. The most common type, called encrypting ransomware or crypto ransomware, holds the victim’s data hostage by encrypting it. The attacker then demands a ransom in exchange for providing the encryption key needed to decrypt the data.

The less common form of ransomware, called non-encrypting ransomware or screen-locking ransomware, locks the victim’s entire device, usually by blocking access to the operating system. Instead of starting up as usual, the device displays a screen that makes the ransom demand.

These two general types fall into these subcategories:

 Leakware or doxware is ransomware that steals, or exfiltrates, sensitive data and threatens to publish it. While earlier forms of leakware or doxware often stole data without encrypting it, today’s variants usually do both. 

Test your network, applications, and infrastructure for weaknesses with our penetration testing solutions. Our team of experts will simulate real-world attack scenarios to identify vulnerabilities and help you fix them.

 Wipers, or destructive ransomware, threaten to destroy data if the victim does not pay the ransom. In some cases, the ransomware destroys the data even if the victim pays. This latter type of wiper is often deployed by nation-state actors or hacktivists rather than common cybercriminals. 

 Scareware is just what it sounds like—ransomware that tries to scare users into paying a ransom. Scareware might pose as a message from a law enforcement agency, accusing the victim of a crime and demanding a fine. Alternatively, it might spoof a legitimate virus infection alert, encouraging the victim to purchase ransomware disguised as antivirus software.

Sometimes, the scareware is the ransomware, encrypting the data or locking the device. In other cases, it’s the ransomware vector, encrypting nothing but coercing the victim to download ransomware.