Why you can trust ZDNET : ZDNET independently tests and researches products to bring you our best recommendations and advice. When you buy through our links, we may earn a commission. Our process

'ZDNET Recommends': What exactly does it mean?

ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.

When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.

ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.


What is ransomware? Everything you need to know and how to reduce your risk

The ransomware business is booming, and really anyone can be the next victim. Here's how to protect yourself and your organization from an attack. Too late for prevention? We'll show you what to do next.
Written by Danny Palmer, Senior Writer and  Charlie Osborne, Contributing Writer
Ransomware, concept. Hacker anonymous holds key and demands money. User give money. Big folder with encrypted data. Padlock on files after hacker attack. Network piracy danger.
bagira22/Getty Images

Ransomware is one of the most dangerous threats businesses and consumers face today. Whether you are an individual or a Fortune 500 company, the experience of getting locked out of your system, having your files encrypted, and being subjected to threats and demands for payment can be harrowing.

While law enforcement and cybersecurity firms are fighting the rise of ransomware groups, this extremely lucrative and illegal business is flourishing. New ransomware gangs are appearing in the field every day, while more established ones rebrand and regroup to confuse efforts to track down and prosecute the perpetrators. 

Here is everything you need to know about ransomware, how it works, and what you can do to mitigate the risk of attack. 

What is ransomware?

Ransomware is one of the biggest cybersecurity problems on the internet and one of the biggest forms of cybercrime that organizations face today. Ransomware is a form of malicious software -- malware -- that encrypts files and documents on anything from a single PC all the way up to an entire network, including servers. 

Once files are encrypted by the ransomware, victims are left with few choices: They can regain access to their encrypted network by paying a ransom to the criminals behind the attack. They can restore data from their backups. They can hope there is a decryption key freely available. Or, they start again from scratch.

Some ransomware infections start with someone inside an organization clicking on what looks like an innocent attachment that, when opened, downloads the malicious payload and encrypts the network.


An example of a ransomware attack.

Rawf8/Getty Images

Other, much larger ransomware campaigns use software exploits and flaws, cracked passwords, and other vulnerabilities to gain access to organizations using weak points such as internet-facing servers or remote desktop logins. The attackers will hunt secretly through the network until they control as much as possible -- before encrypting all they can.

It can be a headache for companies of all sizes if vital files and documents, networks, or servers are suddenly encrypted and inaccessible. Even worse, after you are attacked with file-encrypting ransomware, criminals will announce brazenly that they're holding your corporate data hostage until you pay a ransom in order to get the data back. Some will even publish stolen data on the internet for all to see. 

How did ransomware evolve?

While ransomware has exploded in recent years, it's not a new phenomenon: the first instance of what we now know as ransomware appeared as early as 1989.

Known as AIDS or the PC Cyborg Trojan, the virus was sent to victims on a floppy disc. The ransomware counted the number of times the PC was booted: once it hit 90, it encrypted the machine and the files on it and demanded the user 'renew their license' with 'PC Cyborg Corporation ' by sending $189 or $378 to a post office box in Panama.


The PC Cyborg's demand for payment -- by snail mail.

Image: Sophos

This early ransomware was a relatively simple construct, using basic cryptography that mostly just changed the names of files, making it relatively easy to overcome.

However, it effectively created a new branch of computer crime that grew gradually in scope and ambition. Once dial-up internet became available to consumers, basic ransomware appeared en masse.

One of the most successful variants was "police ransomware," which attempted to extort victims by claiming the PC had been encrypted by law enforcement. It locked the screen with a ransom note warning the user they'd committed illegal online activity, which could get them sent to jail.

However, if the victim paid a fine, the "police" would let the infringement slide and restore access to the computer by handing over the decryption key. Of course, this wasn't anything to do with law enforcement -- these were criminals exploiting innocent people.


An example of "police ransomware" threatening a user.


Criminals learned from this approach and now the majority of ransomware schemes use advanced cryptography to lock down an infected PC and the files on it.

What are the main types of ransomware?

Ransomware is always evolving, with new variants continually appearing and posing new threats to businesses. However, certain types of ransomware have been much more successful than others.

Ransomware comes in many variations, but at its heart, ransomware is designed to lock you out of your system and revoke access to files. Some ransomware will be able to move laterally across networks, encrypt data -- or destroy it -- and may also include surveillance modules. 

While ransomware operations come and go, the individuals involved with building and testing the malware regularly move between them or seek new opportunities, meaning there's a steady flow of new ransomware variants to potentially become the next big threat. 

What are the major ransomware attacks in 2023?

  • Dish Network: A February attack against broadcast giant Dish Network led to service outages and the exposure of data belonging to roughly 300,000 people. The company reportedly may have paid out a ransom, as a letter sent to impacted individuals revealed the company "received confirmation that the extracted data has been deleted."
  • Royal Mail: The UK's Royal Mail delivery service received an $80 million ransom demand following an attack in January that severely disrupted deliveries, nationally and abroad. Company officials refused to pay. 
  • Caesars: Casino operator Caesars suffered a ransomware attack and data breach, including the theft of customer data. Reports suggest that the firm paid out roughly half of a $30 million ransomware demand. 
  • MGM Resorts: The attackers behind a chaotic ransomware attack against MGM Resorts -- which forced many services offline, including point-of-sale systems -- claimed they managed to obtain the credentials necessary to perform the assault with only a phone call. Everything from casino slot machines to hotel room cards stopped functioning. 

How much will a ransomware attack cost you?

Obviously, the most immediate cost associated with becoming infected with ransomware -- if it's paid -- is the ransom demand, which can depend on the type of ransomware or the size of your organization.

Ransomware attacks can vary in size but it's becoming increasingly common for hacking gangs to demand millions of dollars to restore access to the network. And the reason hacking gangs can demand this much money is, put simply, because many victims will pay.

That's especially the case if a network being locked with ransomware means the organization can't do business -- it could lose large amounts of revenue for each day, perhaps each hour, the network is unavailable. This downtime can quickly add up to millions of dollars in losses.

Also: Faced with likelihood of ransomware attacks, businesses still choosing to pay up

If an organization chooses not to pay the ransom, not only will it lose revenue for a period of time that could last weeks, perhaps months, but it will also have to pay a large sum for a security company to come in and restore access to the network, and there may also be costly legal repercussions. 

Whichever way the organization deals with a ransomware attack, the incident also will have a financial impact going forward, because to protect against falling victim again, the organization will need to invest in its security infrastructure and handle legal costs, potential class action lawsuits, and regulatory fines.

On top of all of this, there's also the risk of customers losing trust in the organization because of poor cybersecurity, with clients taking their business elsewhere.

Paying the ransom is discouraged by cybersecurity and law enforcement because it encourages cyber criminals to continue to launch ransomware campaigns. There are even instances where a victim has paid a ransom, only for the same attackers to return with another attack and demand another ransom payment.

What was the largest ransomware payout?

To date, the largest ransomware payout to date was made by CNA Financial, one of the top US insurance providers. The organization reportedly paid out $40 million after falling victim to a ransomware attack.

Why should organizations worry about ransomware?

To put it simply: Ransomware can destroy your business. Being locked out of your own files by malware for even just a day will impact your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems can remain offline for so long, not simply because ransomware locks the system, but because of all the time and effort required to clean up and restore networks.

And it isn't just the immediate financial hit of ransomware that will damage a business; consumers become wary of giving their data to companies they believe to be insecure.

Also: Ransomware and phishing attacks continue to plague these businesses

Cybercriminals have learned that not only just businesses make lucrative targets for ransomware attacks, but important infrastructures like hospitals and industrial facilities are being disrupted by ransomware. And such disruptions can have big consequences for people. 

The education sector also has become an increasingly popular target for ransomware campaigns. Schools and universities became reliant on remote learning due to the coronavirus pandemic -- and cybercriminals noticed. These education networks are used by potentially thousands of people, many using their personal devices, and all it might take for a malicious hacker to gain access to the network is one successful phishing email or cracking the password of one account.

Why are small businesses targets for ransomware?

Small and medium-sized businesses are a popular target because they tend to have poorer cybersecurity than large organizations. Despite that, many SMBs falsely believe they're too small to be targeted --but even a modest ransom of a few hundred dollars is still highly profitable for cybercriminals.

Smaller businesses, and low-hanging fruit, can also make tempting targets because supply chain attacks can provide access to a larger, more lucrative target. 

Why is ransomware so successful?

There's one key reason why ransomware has boomed: because it works. All it takes for ransomware to gain entry to your network is for one user to slip up and launch a malicious email attachment, a weak password to be cracked, or a business leaving vulnerable software unpatched

If organizations weren't giving in to ransom demands, criminals would move on to something else. 

Also: Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware

Meanwhile, for criminals, it's an easy way to make money. Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments with little chance of prosecution afterward?

Can cyber insurance help?

Cyber insurance is a policy designed to help protect organizations from the fallout of cyberattacks. 

Some cyber insurance policies will cover paying the ransom itself -- leading some cybersecurity experts to warn that cyber-insurance payouts covering the cost of paying ransoms are adding to the problem, because cyber criminals know that if they hit the right target, they'll get paid. 

In the first half of 2023, Coalition found that cyber-insurance claim increases were driven by ransomware, with a 12% year-on-year increase. 

Also: SMBs don't see need for cyber insurance since they won't experience security incidents

However, an increase in claims -- and the potentially high cost of paying out -- has prompted some cyber-insurance providers to exclude ransomware attacks from policies.  

What does cryptocurrency have to do with the rise of ransomware?

The rise of cryptocurrencies like Bitcoin has made it easy for cybercriminals to receive payments with less risk of the authorities being able to identify and trace the perpetrators.

Digital wallets are used to store cryptocurrency and -- while not untraceable -- this makes it more difficult to track and seize illegal funds -- especially if the crypto funds are mixed and filtered out through multiple wallets and cryptocurrency exchanges. 

Many ransomware groups offer "customer service" to help victims who don't know how to acquire or send cryptocurrency to do so, because what's the point of making ransom demands if users don't know how to pay? 


Globe3 ransom demand for three Bitcoin -- including a "how to" guide for those who don't know how to buy it.

Emsisoft Lab

How do you prevent a ransomware attack?

Because large numbers of ransomware attacks start with hackers exploiting insecure internet-facing ports and remote desktop protocols, one of the key things an organization can do to prevent itself from falling victim is to ensure that ports aren't exposed to the internet when they don't need to be.

When remote ports are necessary, organizations should ensure that login credentials are complex. Applying multi-factor authentication to these accounts also can act as a barrier to attacks, as there will be an alert if any attempt is made at unauthorized access.

Networks should be patched with the latest security updates because many forms of ransomware – and other malware – are spread via the use of common, known vulnerabilities.

When it comes to stopping attacks via email, managers should provide employees with training on how to spot suspicious emails. Employees noticing unusual details -- say, an email with sloppy formatting, or a message purporting to be from 'Microsoft Security' sent from an obscure address that doesn't even contain the word Microsoft -- might save networks from infection. 

Also: 6 simple cybersecurity rules you can apply now

There's also something to be said for enabling employees to learn from making mistakes while within a safe environment and through phishing training exercises. 

On a technical level, stopping employees from being able to enable macros is a big step toward ensuring that they can't unwittingly run a ransomware file. Endpoint protection, alongside firewalls and behavioral anomaly detection solutions, also can help.

At the very least, employers should invest in antivirus software and keep it up to date, so that it can warn users about potentially malicious files. Backing up important files and making sure those files can't be compromised during an attack is also key because that makes it possible to recover the network without paying a ransom.

But even if attacks are already inside the network, it isn't too late – if information security teams can spot unusual or suspicious activity before the ransomware attack is launched, it's possible to reduce the scope of the attack or prevent it altogether.

How long does it take to recover from a ransomware attack?

Simply put, ransomware can cripple a whole organization --an encrypted network is more or less useless and not much can be done until systems are restored.

If a business has backups in place, systems can be back online in the time it takes the network to be restored to functionality, although depending on the size of the company, that could range from a few hours to days.

However, while it's possible to regain functionality in the short term, it can sometimes take months for organizations to get all their systems back up and running.

Also: The top cloud storage services

Outside of the immediate impact ransomware can have on a network, the incident can result in an ongoing financial hit. Any period of time offline is bad for a business as it ultimately means the organization can't provide the service it sets out to, and can't make money. But the longer the system is offline, the bigger that hit can be.

And that's assuming your customers want to continue doing business with you: In some sectors, the fact that you've fallen victim to a cyberattack could drive customers away.

How do I remove ransomware?

The 'No More Ransom' initiative -- launched in July 2016 by Europol and the Dutch National Police in collaboration with a number of cybersecurity companies -- offers free decryption tools for ransomware variants to help victims retrieve their encrypted data without succumbing to the will of cyber extortionists. 

Available in dozens of languages, and now offering numerous ransomware decryption tools, the program is regularly adding more tools for new ransomware variants. 

Also: Cybersecurity 101: Everything on how to protect your privacy and stay safe online

Individual security companies also regularly release decryption tools to counter the ongoing evolution of ransomware – many of these will post updates about these tools on their company blogs as soon as they've cracked the code.

Another way of working around a ransomware infection is to ensure your organization regularly backs up data offline. It might take some time to transfer the backup files onto a new machine, but if a computer is infected and you have backups, it's possible to isolate that unit and then get on with your business. Just make sure that cybercriminals aren't able to encrypt your backups, too.

Should I pay the ransom?

There are those who advise victims to simply pay the ransom, citing it to be the quickest and easiest way to retrieve their encrypted data. And many organizations do pay, even if law enforcement agencies warn against it.

But be warned: If word gets out that your organization is an easy target for cybercriminals because it paid a ransom, you could find yourself the target of other cybercriminals looking to take advantage of your weak security. And remember that you're dealing with criminals here and their very nature means they may not keep their word: There's no guarantee you'll ever get the decryption key, even if they have it. Decryption isn't even always possible.

Can you get ransomware on your smartphone?

Absolutely. Ransomware attacks against Android devices have increased massively, as cybercriminals realize that many people aren't aware that smartphones can be attacked and the contents (often more personal than the stuff we keep on PCs) can be encrypted for ransom by malicious code. Various forms of Android ransomware have emerged to plague mobile users.

In fact, any internet-connected device is a potential target for ransomware.

Can ransomware infect the Internet of Things?

The Internet of Things already has a poor reputation for security. As more and more of these connected devices make their way onto the market, they're going to provide billions of new attack vectors for cybercriminals, potentially allowing hackers to hold your connected home or connected car hostage. An encrypted file is one thing, but what about finding a ransom note displayed on your smart refrigerator or your car's dashboard?

Also: The best smart home devices, tested and reviewed

There's even the potential that hackers could infect medical devices, putting lives directly at risk.

As ransomware continues to evolve, it's crucial your employees understand the threat it poses, and that organizations do everything possible to avoid infection, because ransomware can be crippling and decryption is not always an option.

Editorial standards