Microsoft Security

What is ransomware?

Learn what ransomware is, how it works, and how to protect your business from this type of cyberattack.

Understanding ransomware

Ransomware is a type of malicious software, or malware, that cybercriminals use to block access to, destroy, or publish a victim’s critical data unless a ransom is paid. Traditional ransomware targets both individuals and organizations, but two more recent developments, human-operated ransomware and ransomware as a service, have become the bigger threat to enterprises and other large organizations.

With human-operated ransomware, a team of attackers works its way into an enterprise network by hand rather than relying on a self-spreading program. Before deploying the ransomware, they research the company to understand its weaknesses, locate backups, and, in some cases, uncover financial documents that help them set the ransom figure.

In a ransomware-as-a-service model, a set of criminal developers builds and maintains the ransomware and recruits other cybercriminals, known as affiliates, to break into an organization’s network and deploy it. The two groups split the proceeds at an agreed-on rate.

All ransomware takes a significant toll on the attacked individuals and organizations. It can take days, weeks, or even months to bring affected systems back online, resulting in lost productivity and sales. Organizations might also suffer damage to their reputation with customers and the community.

Key takeaways

  • Ransomware is a type of malware that encrypts data and demands a ransom payment to decrypt it.
  • It can spread through phishing emails, malicious websites, and exploit kits.
  • In human-operated ransomware, a team of attackers works its way into an enterprise network by hand, researching the target before deploying the ransomware.
  • The two main types of ransomware are crypto ransomware, which encrypts sensitive data and files, and locker ransomware, which locks victims out of their devices.
  • Ransomware attacks can cause significant financial, reputational, and operational damage to individuals and businesses.
  • There are steps you can take to protect yourself from ransomware attacks, such as using strong security software, backing up your data, and promoting cybersecurity awareness at your organization.

Types of ransomware

Ransomware comes in two main forms: crypto ransomware and locker ransomware, which are further divided into several subtypes.

Crypto ransomware
In a crypto ransomware attack, the attacker encrypts a victim’s sensitive data or files so that the victim can’t access them without paying the requested ransom. In theory, once the victim pays, the attacker hands over a decryption key that restores access to the files or data. In practice there’s no guarantee: many organizations have permanently lost access to their files even after paying the ransom, because the key never arrived or the decryptor was faulty.

Locker ransomware
In locker ransomware, bad actors lock a victim out of their device and present an on-screen ransom note with instructions for how to pay to regain access. This form of ransomware typically doesn’t involve encryption, so once the victim regains access to the device, any sensitive files and data are intact. Locker ransomware is commonly used on mobile devices.

These two main forms of ransomware fall into the following subtypes:

Scareware
Scareware uses fear to get people to pay a ransom. In these types of cyberattacks, the bad actors pose as a law enforcement agency and send a message to the victim accusing them of a crime and demanding a fine.

Doxware
In doxware, bad actors steal personal information and threaten to reveal it publicly if a ransom isn’t paid.

Double extortion ransomware
In double extortion ransomware, attackers not only encrypt files but also steal sensitive data and threaten to release it publicly if the ransom isn’t paid.

Wipers
Wipers destroy the victim’s data outright. Some pose as ransomware and drop a ransom note, but they have no working recovery path, so paying returns nothing; the only way back is restoring from backups.

How ransomware works

Most ransomware attacks follow a three-step process.

1. Gain access
Bad actors use various methods to gain access to a company’s network and sensitive data. One of the most common is phishing, in which cybercriminals use email, texts, or phone calls to trick people into handing over their credentials or downloading malware. Bad actors also target employees and other users with malicious websites that use what’s called an exploit kit to automatically download and install malware onto the victim’s device. In human-operated attacks, stolen credentials and internet-facing remote access services, such as VPNs without multifactor authentication, are frequent entry points.

2. Encrypt data
Once the attackers have access, they typically locate and destroy any backups they can reach, including local shadow copies, so that the victim has no easy way to recover. In double extortion attacks they also copy sensitive data out of the network before encrypting it. The ransomware then encrypts the victim’s files in place, usually renaming them with a new extension, using a key that only the attackers hold.

3. Demand a ransom
After making the data inaccessible, the ransomware leaves a ransom note, typically as text files dropped in the encrypted folders, a changed desktop wallpaper, or an on-screen alert, explaining that the data has been encrypted and demanding payment, usually in cryptocurrency, in exchange for the decryption key. The bad actors behind these attacks might also threaten to release the data to the public if the victim refuses to pay.
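Each of the three steps above leaves a trace on the endpoint: a command that deletes recovery points, a burst of files being renamed to a new extension, and a ransom note appearing on disk. The following is an added example, not code from the original page or from Microsoft, showing how those traces can be pulled out of endpoint telemetry. The event tuple format, the host names, the regular expressions, the burst threshold and the sample events are all assumptions constructed for illustration, not any product’s schema.

```python
"""Added example, not from the original page: a small detector for the
behaviours the three steps above leave on an endpoint. The telemetry
format (tuples), the field values, the regexes and the thresholds are
assumptions chosen for illustration, not any product's schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, host, event kind, detail).
# ws01 shows the attack pattern; ws02 is a user renaming one file normally.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "ws01", "process",
     "vssadmin.exe delete shadows /all /quiet"),            # recovery points destroyed (step 2)
] + [
    ("2024-05-01T09:00:%02d" % i, "ws01", "rename",
     r"C:\Users\a\Docs\file%d.docx -> C:\Users\a\Docs\file%d.docx.locked" % (i, i))
    for i in range(1, 9)                                    # files encrypted and renamed (step 2)
] + [
    ("2024-05-01T09:00:09", "ws01", "create",
     r"C:\Users\a\Docs\README_TO_RESTORE.txt"),             # ransom note dropped (step 3)
    ("2024-05-01T09:30:00", "ws02", "rename",
     r"C:\Users\b\draft.docx -> C:\Users\b\draft_final.docx"),
]

# Command lines that remove local recovery points (assumed patterns).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\b.*shadowcopy\s+delete|wbadmin\s+delete\s+catalog",
    re.IGNORECASE)
# Ransom-note style file names (assumed pattern).
RANSOM_NOTE = re.compile(r"(readme|how[_ ]to|restore|decrypt|recover).*\.(txt|html|hta)$",
                         re.IGNORECASE)
RENAME_BURST = 8                  # this many extension-changing renames on one host ...
WINDOW = timedelta(seconds=30)    # ... inside this window trips an alert


def ext(path):
    """Lower-case extension of a Windows path, or '' if it has none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(events):
    """Return (host, alert_name, detail) tuples found in the telemetry."""
    alerts = []
    renames = defaultdict(list)   # host -> times of extension-changing renames
    for ts, host, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if kind == "process" and SHADOW_DELETE.search(detail):
            alerts.append((host, "shadow_copy_deletion", detail))
        elif kind == "create" and RANSOM_NOTE.search(detail.rsplit("\\", 1)[-1]):
            alerts.append((host, "ransom_note_dropped", detail))
        elif kind == "rename":
            src, _, dst = detail.partition(" -> ")
            if ext(src) != ext(dst):
                renames[host].append(t)
    # Sliding window over each host's renames: a burst of extension changes
    # is the encryption loop itself, not a user renaming a document.
    for host, times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= RENAME_BURST:
                alerts.append((host, "mass_extension_change",
                               "%d renames within %ds" % (end - start + 1, WINDOW.seconds)))
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the detector raises three alerts for ws01 (shadow copy deletion, the rename burst, and the ransom note) and nothing for ws02, whose single rename keeps the same extension. In a real deployment the shadow copy deletion is the most valuable of the three because it usually precedes encryption by seconds or minutes, which is the window in which isolating the host still saves data.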

Impact of a ransomware attack

Beyond the immediate disruption of operations, the consequences of a ransomware attack can include significant financial losses, reputational damage, and long-term operational challenges.

Financial implications
The cost of paying a ransom can be substantial, often reaching into the millions of dollars, and there’s no guarantee that the attackers will provide the decryption key or that it'll work properly.

Even when organizations refuse to pay the ransom, there can still be large financial costs. The disruption caused by a ransomware attack can lead to prolonged downtime, affecting productivity and potentially resulting in lost revenue. Recovering from an attack involves additional expenses, including the cost of forensic investigations, legal fees, and investments in improved security measures.

Reputational damage
Customers and partners might lose trust in a business that's been compromised, leading to a decline in customer loyalty and potential loss of future business. High-profile attacks often attract media attention, which can damage a company's reputation and brand image.

Operational challenges
Even with backups, there's a risk of data loss or corruption, which can impact business continuity and operational efficiency. Businesses might also face legal and regulatory penalties for failing to protect sensitive data, especially if they are subject to data protection regulations like the General Data Protection Regulation in the European Union or the California Consumer Privacy Act.

Real-world ransomware examples

Many of the most high-profile human-operated ransomware attacks are conducted by ransomware groups, which operate using a ransomware-as-a-service business model.

  • Since its emergence in 2019, LockBit has targeted various sectors, including financial services, healthcare, and manufacturing. This ransomware is known for its ability to self-propagate within networks, making it particularly dangerous. LockBit’s affiliates have been responsible for numerous high-profile attacks, using sophisticated techniques to encrypt data and demand ransoms.
  • BlackByte’s attacks often involve double extortion, where cybercriminals encrypt and exfiltrate data, threatening to publish the stolen data if the ransom isn’t paid. This ransomware has been used to target critical infrastructure sectors, including government and financial services.
  • The group behind the Hive ransomware, which was active between June 2021 and January 2023, employed double extortion and typically targeted public institutions and critical infrastructure, including healthcare facilities. In a significant victory against cybercrime, the FBI infiltrated Hive’s network in 2022, capturing decryption keys and preventing over USD 130 million in ransom demands.
  • The Akira ransomware is a sophisticated malware that’s been active since early 2023 and targets both Windows and Linux systems. Bad actors use Akira to gain initial access through vulnerabilities in VPN services, particularly those without multifactor authentication. Since its emergence, Akira has impacted over 250 organizations and claimed approximately USD 42 million in ransomware proceeds.

Ransomware prevention and protection strategies

Protect your endpoints and clouds

The best form of protection is prevention. Many ransomware attacks can be identified and blocked with a trusted endpoint detection and response solution, such as Microsoft Defender for Endpoint. Extended detection and response (XDR) solutions, like Microsoft Defender XDR, go beyond endpoint protection to help you secure your devices, email, collaboration apps, and identities. And with so much business conducted in the cloud, it’s important to protect all your cloud infrastructure and apps with a solution like Microsoft Defender for Cloud.

Hold regular training sessions

Keep employees informed about how to spot the signs of phishing and other ransomware attacks with regular training. To reinforce what they’ve learned and identify opportunities for additional training, follow up with periodic phishing simulations. This helps employees adopt safer practices at work and also when using their personal devices.

Adopt a Zero Trust model

A Zero Trust model assumes that every access request, even those coming from inside the network, is a potential threat. Zero Trust principles include verifying explicitly through continuous authentication, enforcing least-privilege access to minimize permissions, and assuming breach by implementing strong containment and monitoring measures. This extra scrutiny decreases the likelihood that a malicious identity or device will access resources and install ransomware.

Join an information-sharing group

Information-sharing groups, frequently organized by industry or geographic location, encourage similarly structured organizations to work together toward cybersecurity solutions. The groups also offer organizations different benefits, such as incident response and digital forensics services, threat intelligence, and monitoring of public IP ranges and domains.

Maintain offline backups

Because ransomware operators will try to seek out and delete any backups they can reach, including shadow copies and network-attached backup shares, keep an updated offline or immutable copy of sensitive data that a compromised domain administrator account cannot modify. Use separate credentials for the backup system, and regularly test a restore from the offline copy so you know it’s actually recoverable if you’re ever hit by a ransomware attack.
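A backup you have never restored is a hope, not a control. The following added example (not code from the original page or from Microsoft) shows one way to make the restore test objective: record a SHA-256 manifest when the backup is taken, keep the manifest with the offline copy, and verify the restored tree file by file against it. Directory names, file contents and the simulated encryption are constructed for the demonstration; the manifest format is an assumption.

```python
"""Added example, not from the original page: build a SHA-256 manifest when a
backup is taken, keep it with the offline copy, and verify a restore against
it. All paths and file contents below are constructed for the demonstration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, streamed so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root, manifest):
    """Compare a tree to the manifest: files missing, changed, or not expected."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def restore_ok(report):
    return not (report["missing"] or report["modified"] or report["unexpected"])


def demo():
    """Full cycle in a temp dir: back up, simulate encryption, restore, verify."""
    base = Path(tempfile.mkdtemp())
    try:
        live = base / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet data")
        (live / "notes.txt").write_text("constructed notes")

        # 1. Take the backup and write its manifest; in practice both live offline.
        backup = base / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)
        (base / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # 2. Simulate ransomware on the live tree: one file overwritten in place,
        #    one overwritten and renamed with a new extension, plus a ransom note.
        (live / "notes.txt").write_text("ENCRYPTED (constructed)")
        q1 = live / "finance" / "q1.xlsx"
        q1.write_bytes(q1.read_bytes()[::-1])
        q1.rename(live / "finance" / "q1.xlsx.locked")
        (live / "README_RESTORE.txt").write_text("constructed ransom note")
        damaged = verify_restore(live, json.loads((base / "manifest.json").read_text()))

        # 3. Restore from the backup and verify every file against the manifest.
        shutil.rmtree(live)
        shutil.copytree(backup, live)
        restored = verify_restore(live, manifest)
        return {"damaged": damaged, "restored": restored, "restore_ok": restore_ok(restored)}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The damaged tree fails verification on three counts (a missing file, a modified file, and two unexpected files), while the restored tree passes cleanly. The important design point is that the manifest is written at backup time and stored with the offline copy: a manifest computed from the live system after the attack would simply describe the encrypted files as correct.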

Keep software up to date

In addition to keeping any antimalware solutions updated, be sure to download and install any other system updates and software patches as soon as they’re available. This helps minimize any security vulnerabilities that a cybercriminal might exploit to gain access to your network or devices.

Create an incident response plan

An incident response plan gives you the steps to take in different attack scenarios so that you can get back to operating normally and safely as soon as possible. Rehearse it with tabletop exercises, and keep a copy somewhere that will still be reachable when your file servers and email are down.

Responding to a ransomware attack

If you find yourself the victim of a ransomware attack, there are options for recourse and removal.

Isolate the infected systems
As soon as you’re able, disconnect compromised devices from the network and disable the accounts the attackers are using, to stop the ransomware from spreading to other areas of your network. Prefer isolating over wiping or rebuilding immediately, so that logs and the ransom note remain available for investigation.

Run an antimalware program
Once you’ve isolated any infected systems, use an antimalware program to remove the ransomware. Removing the binary doesn’t decrypt anything, and in a human-operated attack the intruders typically still hold valid credentials and other footholds, so reset passwords for affected accounts and confirm the initial entry point has been closed before reconnecting systems.

Decrypt files or restore backups
If possible, use decryption tools provided by law enforcement agencies or security researchers to decrypt files without paying the ransom. If decryption isn’t possible, restore files from your backups. Keep a copy of the encrypted files and the ransom note in either case: a working decryptor is sometimes released months later, as happened when law enforcement captured Hive’s keys.

Report the attack
Contact your local or federal law enforcement agencies to report the attack. In the United States, these are your FBI local field office, the IC3, or the Secret Service. Although this step likely won’t solve any of your immediate concerns, it’s important because these authorities actively track and monitor different attacks. Providing them with details about your experience could be useful in their efforts to find and prosecute a cybercriminal or a cybercriminal group.

Be cautious about paying the ransom
Although it might be tempting to pay the ransom, there’s no guarantee that the cybercriminals will keep their word and restore access to your data. Security experts and law enforcement agencies recommend that victims of ransomware attacks don’t pay, because doing so marks the victim as willing to pay, actively funds a criminal industry, and in some jurisdictions is itself unlawful when the recipient is a sanctioned group.

Frequently asked questions

  • Ransomware is a type of malware that encrypts valuable data and demands a ransom payment in exchange for decrypting it.
  • Unfortunately, nearly anyone with an online presence can become the victim of a ransomware attack. Personal devices and enterprise networks are both frequent targets of cybercriminals.
  • Traditional ransomware attacks occur when an individual is tricked into engaging with malicious content, such as opening an infected email or visiting a harmful website that installs ransomware on their device.
    In a human-operated ransomware attack, a group of attackers target and breach an organization’s sensitive data, usually through stolen credentials.
    Typically, for both social-engineered ransomware and human-operated ransomware, a victim or organization will be presented with a ransom note that details the data that was stolen and the cost of having it returned. Paying the ransom, however, doesn't guarantee that the data will actually be returned or that future breaches will be prevented.
  • The effects of a ransomware attack can be devastating. At both the individual and organizational levels, victims could feel forced to pay high ransoms with no guarantee that their data will be returned to them or that further attacks won’t occur. If a cybercriminal leaks an organization’s sensitive information, its reputation could be tarnished and seen as untrustworthy. And, depending on the type of information leaked and size of the organization, thousands of individuals could be at risk of becoming victims of identity theft or other cybercrimes.
  • Cybercriminals who infect victims’ devices with ransomware want money. They tend to demand ransoms in cryptocurrency because it can be received without a bank account and offers a degree of anonymity, although transactions on public blockchains are pseudonymous rather than untraceable, and law enforcement has tracked and seized ransom payments. When an individual is targeted, the ransom might be hundreds or thousands of US dollars. Human-operated ransomware campaigns often demand millions of US dollars.
  • Victims should report ransomware attacks to their local or federal law enforcement agencies. In the United States, these are your FBI local field office, the IC3, or the Secret Service. Security experts and law enforcement officials recommend that victims don’t pay ransoms. If you’ve already paid, immediately contact your bank and local authorities; your bank might be able to block the payment if you paid with a credit card.
