What is Ransomware? Everything You Need to Know in 2025


What is Ransomware?

Ransomware is a type of malicious software used by cybercriminals to steal and lock data, essentially holding it for ransom. The attackers will only release the data after receiving the demanded payment. Organizations that handle sensitive information, such as personal, financial, or intellectual property data, are particularly vulnerable to these attacks.

Though ransomware first appeared in the 1980s, it didn’t gain widespread attention until the early 2000s. Today, it ranks as the third most common cyberattack, responsible for over 10% of all data breaches. The rise of cryptocurrency has made ransomware even more attractive to criminals, as it facilitates easier ransom payments.

Advancing technology enables cybercriminals to refine their methods, rapidly gaining access to and encrypting data. As companies increasingly digitalize, especially due to COVID-related restrictions, more data is stored and accessed remotely, increasing the potential for attacks.

Ransomware is not going away, so continue reading to learn how your business can mitigate its risks.

Types of Ransomware

There are two main categories of ransomware. The more common type, known as encrypting or crypto-ransomware, encrypts the victim’s data, with attackers demanding payment to unlock it. The second type, called non-encrypting or screen-locking ransomware, blocks access to the entire device by locking the operating system. Instead of the device booting normally, it displays a ransom note on the screen.

These two broad types can be further broken down into the following subcategories:

  • Leakware (or doxware): This form of ransomware steals sensitive data and threatens to release it. While older versions didn’t always encrypt the data, modern variants often do both.
  • Mobile ransomware: This includes all ransomware targeting mobile devices, often delivered through malicious apps or downloads. Most mobile attacks are non-encrypting, as screen-lockers are favored over encryption due to the widespread use of automated cloud backups on mobile devices.
  • Wipers: A destructive type of ransomware that threatens to delete data if the ransom isn’t paid. In some cases, the data is destroyed even if the ransom is paid. Wipers are typically used by nation-states or hacktivist groups, rather than regular criminals.
  • Scareware: This type aims to frighten users into paying a ransom by posing as a law enforcement message or a fake virus alert. Sometimes, the scareware actually encrypts data or locks the device, while in other cases, it only tricks the victim into downloading more harmful ransomware.

How Does Ransomware Work?

Once a device is infected with ransomware, the attack typically follows these stages:

  1. Infection: The malicious software is silently downloaded and installed.
  2. Execution: The ransomware searches for specific file types and scans both local files and network-connected systems. Some variants may also delete or encrypt backups.
  3. Encryption: The ransomware exchanges encryption keys with a remote server, then encrypts the identified files and locks them from access.
  4. User Notification: The user is shown a ransom note, usually in the form of a file with instructions on how to proceed with the payment.
  5. Cleanup: The ransomware deletes itself, leaving only the payment instructions behind.
  6. Payment: The victim is directed to a website, often on the dark web, that explains how to pay the ransom, typically via cryptocurrency to avoid detection.
  7. Decryption: If the ransom is paid, the victim may receive a decryption key to recover the files, although there’s no guarantee the criminals will honor their end of the deal.

Common Features of Ransom Demands

Typically, a ransom request is accompanied by a deadline: victims must pay by a specified time, or their files will remain irretrievably locked. As time elapses, the demanded amount may increase.

Ransomware groups aim to make their financial transactions untraceable. To achieve this, they often insist on payments via cryptocurrencies or other methods that are challenging for authorities to monitor.

Upon receiving the ransom, the attacker either decrypts the files remotely or provides the victim with a decryption key. Generally, once payment is made, the attacker fulfills their obligation to unlock the data. This compliance is crucial for their ongoing operations; if victims perceive that paying does not yield results, future ransom demands will likely go unpaid, jeopardizing the attackers’ revenue stream.

Notable Ransomware Variants

As of now, cybersecurity experts have cataloged thousands of unique ransomware variants or “families,” each characterized by distinct code signatures and functionalities.

Some ransomware strains stand out due to their destructive capabilities, their impact on the evolution of ransomware tactics, or the threats they pose in contemporary contexts.

1. CryptoLocker

Emerging in September 2013, CryptoLocker is often credited with launching the modern ransomware era.

Disseminated through a botnet—a network of compromised computers—CryptoLocker was among the first families to employ robust encryption on users’ files. It extorted around USD 3 million before an international law enforcement operation dismantled it in 2014.

The success of CryptoLocker led to a wave of imitators and set the stage for variants like WannaCry, Ryuk, and Petya.

2. WannaCry

Recognized as the first high-profile cryptoworm—ransomware capable of self-propagation across networks—WannaCry infected over 200,000 computers across 150 nations. The affected systems were vulnerable due to administrators’ failure to patch the EternalBlue vulnerability in Microsoft Windows.

In addition to encrypting sensitive information, WannaCry threatened to erase files if victims did not remit payment within seven days. It remains one of the most significant ransomware incidents recorded, with estimated damages reaching up to USD 4 billion.

3. Petya and NotPetya

Unlike typical crypto-ransomware, Petya encrypts the file system table rather than individual files, preventing infected machines from booting Windows. A modified version known as NotPetya was employed in a large-scale cyberattack primarily targeting Ukraine in 2017. Unlike other ransomware, NotPetya functioned as a wiper and could not unlock systems even after payment was made.

4. Ryuk

First identified in 2018, Ryuk popularized “big-game” ransomware attacks aimed at high-value targets, with average ransom demands exceeding USD 1 million. Ryuk is adept at locating and disabling backup files and system restore options. A new variant featuring cryptoworm capabilities emerged in 2021.

5. DarkSide

Allegedly operated by a group based in Russia, DarkSide was responsible for attacking the Colonial Pipeline on May 7, 2021. This incident is often regarded as one of the most severe cyberattacks on critical US infrastructure, temporarily halting operations at a pipeline that supplies 45% of East Coast fuel.

In addition to direct attacks, DarkSide also licenses its ransomware to affiliates through Ransomware-as-a-Service (RaaS) models.

6. Locky

Locky is encrypting ransomware that employs a distinctive infection method—utilizing macros embedded in email attachments (specifically Microsoft Word files) disguised as legitimate invoices. When users download and open these documents, malicious macros covertly install the ransomware on their devices.

7. REvil

Also known as Sodin or Sodinokibi, REvil played a pivotal role in popularizing the RaaS model for distributing ransomware.

Known for targeting high-profile entities and employing double-extortion tactics, REvil orchestrated attacks against JBS USA and Kaseya Limited in 2021. JBS paid a USD 11 million ransom after hackers disrupted its entire beef processing operation in the US. The attack significantly affected over 1,000 customers of Kaseya’s software.

In early 2024, Russian authorities reported dismantling REvil and charging several of its members.

8. Conti

First observed in 2020, Conti operated an extensive RaaS framework that compensated hackers with regular salaries for utilizing its ransomware. Conti employed a unique form of double extortion by threatening to sell access to victims’ networks to other cybercriminals if they did not comply with payment demands.

Conti disbanded following leaks of its internal communications in 2022; however, many former members remain active within the cybercrime ecosystem. According to the X-Force Threat Intelligence Index, ex-Conti associates are linked to some of today’s most prevalent ransomware variants, including BlackBasta, Royal, and Zeon.

9. LockBit

As one of the most prevalent ransomware variants in 2023 according to the X-Force Threat Intelligence Index, LockBit is recognized for the businesslike approach of its developers. The LockBit group has been known to acquire other malware strains, much as legitimate businesses merge with or acquire other companies.

Despite law enforcement actions that seized some LockBit websites in February 2024 and sanctions imposed on one of its senior figures by the US government, LockBit continues its assault on victims.

What are the effects of ransomware on businesses?

The impact of a ransomware attack can vary based on its complexity, the attacker’s goals, and the victim’s level of defense. The consequences may range from minor disruptions to costly recovery efforts or even total devastation.

When people hear “We’ve been hit by ransomware,” their first thought is often about the ransom amount. According to a survey by Sophos, the average ransom paid in 2023 was $1.54 million, a significant rise from $812,380 in 2024.

However, the overall cost of a ransomware attack goes well beyond the ransom itself. IBM’s “Cost of a Data Breach Report 2024” found that the average cost tied to a ransomware incident was $5.13 million, up 13% from the previous year. This figure excludes the ransom payment.

This difference is due to several contributing factors, such as:

  • Data loss or exposure.
  • Downtime of critical systems.
  • Reduced productivity.
  • Revenue impacts.
  • Legal penalties for non-compliance.

Other effects of ransomware include:

  • Harm to business reputation.
  • Decreased employee morale.
  • Erosion of customer trust and loyalty.
  • Increased likelihood of being targeted again in the future.

Ransomware Detection

Effective ransomware detection involves a mix of education and technological tools. Here are some of the best strategies to identify and prevent ransomware attacks:

  1. Employee training: Educate staff on how to recognize ransomware warning signs, such as emails that mimic legitimate businesses, suspicious links, and questionable attachments.
  2. Honeypots: Deploy honeypots, which are decoy systems that lure attackers. This allows you to detect and neutralize the threat early.
  3. Network and endpoint monitoring: Continuous monitoring helps track traffic, scan for attack evidence, and investigate unusual user activity against established baselines.
  4. Antivirus and anti-ransomware tools: These tools can whitelist safe sites and alert you when a potential threat is detected.
  5. Email filtering: Configure your email systems to block malicious emails and risky file types like executable files before they reach employees’ inboxes.
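The monitoring and honeypot items above describe catching the execution and encryption stages in progress. As an added example (not from the original article), here is a small Python detector run over constructed file-activity audit lines: it flags any change to a decoy directory and any burst of extension-changing renames by a single process. The log format, the decoy path, the process names and the thresholds are all assumptions for illustration.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

CANARY_DIRS = ("C:/Decoy/",)          # assumed decoy ("honeypot") files nobody should modify
BURST_WINDOW = timedelta(seconds=60)  # sliding window per (host, process)
BURST_THRESHOLD = 5                   # extension-changing renames within the window

# Constructed audit records: "<timestamp> <host> <process> <action> <path> [<new_path>]".
SAMPLE_LOG = """\
2025-01-14T09:00:01Z host1 winword.exe write C:/Users/amy/Documents/invoice.docx
2025-01-14T09:02:10Z host1 sample_proc.exe rename C:/Users/amy/Documents/q1.xlsx C:/Users/amy/Documents/q1.xlsx.locked
2025-01-14T09:02:11Z host1 sample_proc.exe rename C:/Users/amy/Documents/q2.xlsx C:/Users/amy/Documents/q2.xlsx.locked
2025-01-14T09:02:12Z host1 sample_proc.exe rename C:/Users/amy/Documents/notes.txt C:/Users/amy/Documents/notes.txt.locked
2025-01-14T09:02:13Z host1 sample_proc.exe rename C:/Users/amy/Pictures/cat.jpg C:/Users/amy/Pictures/cat.jpg.locked
2025-01-14T09:02:14Z host1 sample_proc.exe rename C:/Users/amy/Pictures/dog.jpg C:/Users/amy/Pictures/dog.jpg.locked
2025-01-14T09:02:15Z host1 sample_proc.exe write C:/Decoy/passwords.xlsx
2025-01-14T09:30:00Z host2 backup.exe rename D:/Backups/db.bak D:/Backups/db.bak.old
"""

def parse(line):
    """Parse one constructed audit record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) not in (5, 6):
        return None
    ts, host, proc, action, path = parts[:5]
    new_path = parts[5] if len(parts) == 6 else None
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "proc": proc, "action": action, "path": path, "new": new_path}

def detect(log_text):
    # Returns (rule, host, process, detail) tuples; windows holds recent extension changes.
    alerts, windows = [], defaultdict(deque)
    for ev in filter(None, map(parse, log_text.splitlines())):
        key = (ev["host"], ev["proc"])
        # Rule 1: decoy files have no legitimate writers, so any change to them is suspect.
        if ev["action"] != "read" and ev["path"].startswith(CANARY_DIRS):
            alerts.append(("canary_touched", *key, ev["path"]))
        # Rule 2: a burst of renames to one new extension (q1.xlsx -> q1.xlsx.locked).
        if ev["action"] == "rename" and ev["new"]:
            old_ext, new_ext = (os.path.splitext(p)[1] for p in (ev["path"], ev["new"]))
            if new_ext and new_ext != old_ext:
                q = windows[key]
                q.append((ev["ts"], new_ext))
                while ev["ts"] - q[0][0] > BURST_WINDOW:   # drop events outside the window
                    q.popleft()
                if len(q) >= BURST_THRESHOLD and len({e for _, e in q}) == 1:
                    alerts.append(("rename_burst", *key, f"{len(q)} renames to {new_ext}"))
                    q.clear()   # one alert per burst
    return alerts
```

A single rename by the backup process stays below the threshold, so ordinary housekeeping does not trigger the burst rule.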

Ways to protect yourself from ransomware

  • Back up your data: Ensure your organization uses an enterprise-level data backup solution that can scale efficiently. In the event of an attack, you can power down the affected device, restore it from the backup, and prevent further spread of the ransomware.
  • Keep systems up-to-date: Regularly update and patch your software to block commonly exploited vulnerabilities. Enable automatic patching where possible.
  • Enable multi-factor authentication (MFA): Since human error is often the weakest link in security, educate users on phishing and other schemes. MFA adds an extra layer of protection.
  • Strengthen network security: Adopt a layered security model from endpoint to email to the DNS layer. Consider using advanced technologies like next-generation firewalls (NGFW) or intrusion prevention systems (IPS).
  • Segment network access: Restrict access to critical resources based on sensitivity. Dynamic access control helps ensure that a single breach doesn’t compromise the entire network.
  • Monitor network activity: Gain visibility into all activities across your network to catch attacks that slip past the perimeter. Use tools like demilitarized zone (DMZ) subnetworks and security platforms to consolidate and analyze security data for rapid response.
  • Prevent initial infection: Most ransomware enters through malicious emails or downloads. Block harmful websites, emails, and attachments using a multi-layered security approach. Ensure the use of approved file-sharing programs.
  • Secure your endpoints: Basic antivirus is no longer enough. Implement endpoint privilege management, set network access permissions, and use two-factor authentication.
  • Leverage real-time threat intelligence: Stay informed on emerging threats through threat intelligence services like Talos. This will help you stay ahead of evolving security risks.
  • Consult incident response experts: Incident response teams offer both preventative and emergency support to help you prepare for, respond to, and recover from ransomware incidents.
