What is ransomware? Everything you need to know and how to reduce your risk
The ransomware business is booming, and really anyone can be the next victim. Here's how to protect yourself and your organization from an attack. Too late for prevention? We'll show you what to do next.
Ransomware is one of the most dangerous threats businesses and consumers face today. Whether you are an individual or a Fortune 500 company, the experience of getting locked out of your system, having your files encrypted, and being subjected to threats and demands for payment can be harrowing.
While law enforcement and cybersecurity firms are fighting the rise of ransomware groups, this extremely lucrative and illegal business is flourishing. New ransomware gangs are appearing in the field every day, while more established ones rebrand and regroup to confuse efforts to track down and prosecute the perpetrators.
Here is everything you need to know about ransomware, how it works, and what you can do to mitigate the risk of attack.
What is ransomware?
Ransomware is one of the biggest cybersecurity problems on the internet and one of the biggest forms of cybercrime that organizations face today. Ransomware is a form of malicious software -- malware -- that encrypts files and documents on anything from a single PC all the way up to an entire network, including servers.
Once files are encrypted by the ransomware, victims are left with few choices: They can regain access to their encrypted network by paying a ransom to the criminals behind the attack. They can restore data from their backups. They can hope there is a decryption key freely available. Or, they start again from scratch.
Some ransomware infections start with someone inside an organization clicking on what looks like an innocent attachment that, when opened, downloads the malicious payload and encrypts the network.
Other, much larger ransomware campaigns use software exploits and flaws, cracked passwords, and other vulnerabilities to gain access to organizations using weak points such as internet-facing servers or remote desktop logins. The attackers will hunt secretly through the network until they control as much as possible -- before encrypting all they can.
It can be a headache for companies of all sizes if vital files and documents, networks, or servers are suddenly encrypted and inaccessible. Even worse, after you are attacked with file-encrypting ransomware, criminals will announce brazenly that they're holding your corporate data hostage until you pay a ransom in order to get the data back. Some will even publish stolen data on the internet for all to see.
The earliest known ransomware, the AIDS or PC Cyborg Trojan, was sent to victims on a floppy disk. The ransomware counted the number of times the PC was booted: once it hit 90, it encrypted the machine and the files on it and demanded the user 'renew their license' with 'PC Cyborg Corporation' by sending $189 or $378 to a post office box in Panama.
This early ransomware was a relatively simple construct, using basic cryptography that mostly just changed the names of files, making it relatively easy to overcome.
However, it effectively created a new branch of computer crime that grew gradually in scope and ambition. Once dial-up internet became available to consumers, basic ransomware appeared en masse.
One of the most successful variants was "police ransomware," which attempted to extort victims by claiming the PC had been encrypted by law enforcement. It locked the screen with a ransom note warning the user they'd committed illegal online activity, which could get them sent to jail.
However, if the victim paid a fine, the "police" would let the infringement slide and restore access to the computer by handing over the decryption key. Of course, this wasn't anything to do with law enforcement -- these were criminals exploiting innocent people.
Criminals learned from this approach and now the majority of ransomware schemes use advanced cryptography to lock down an infected PC and the files on it.
What are the main types of ransomware?
Ransomware is always evolving, with new variants continually appearing and posing new threats to businesses. However, certain types of ransomware have been much more successful than others.
WannaCry, attributed to North Korea, was used in one of the biggest ransomware attacks to date. In 2017, the ransomware caused chaos across the globe, hitting more than 300,000 victims in over 150 countries.
Cerber was once popular as one of the first 'Ransomware-as-a-Service' (RaaS) models, allowing users without technical know-how to conduct attacks in exchange for some of the profits going back to the original authors.
Ransomware comes in many variations, but at its heart, ransomware is designed to lock you out of your system and revoke access to files. Some ransomware will be able to move laterally across networks, encrypt data -- or destroy it -- and may also include surveillance modules.
While ransomware operations come and go, the individuals involved with building and testing the malware regularly move between them or seek new opportunities, meaning there's a steady flow of new ransomware variants to potentially become the next big threat.
What are the major ransomware attacks in 2023?
Dish Network: A February attack against broadcast giant Dish Network led to service outages and the exposure of data belonging to roughly 300,000 people. The company may have paid a ransom: a letter sent to impacted individuals revealed the company "received confirmation that the extracted data has been deleted."
Royal Mail: The UK's Royal Mail delivery service received an $80 million ransom demand following an attack in January that severely disrupted deliveries, nationally and abroad. Company officials refused to pay.
Caesars: Casino operator Caesars suffered a ransomware attack and data breach, including the theft of customer data. Reports suggest that the firm paid out roughly half of a $30 million ransomware demand.
MGM Resorts: The attackers behind a chaotic ransomware attack against MGM Resorts -- which forced many services offline, including point-of-sale systems -- claimed they managed to obtain the credentials necessary to perform the assault with only a phone call. Everything from casino slot machines to hotel room cards stopped functioning.
How much will a ransomware attack cost you?
Obviously, the most immediate cost associated with becoming infected with ransomware -- if it's paid -- is the ransom demand, which can depend on the type of ransomware or the size of your organization.
Ransomware attacks can vary in size but it's becoming increasingly common for hacking gangs to demand millions of dollars to restore access to the network. And the reason hacking gangs can demand this much money is, put simply, because many victims will pay.
That's especially the case if a network being locked with ransomware means the organization can't do business -- it could lose large amounts of revenue for each day, perhaps each hour, the network is unavailable. This downtime can quickly add up to millions of dollars in losses.
If an organization chooses not to pay the ransom, not only will it lose revenue for a period of time that could last weeks, perhaps months, but it will also have to pay a large sum for a security company to come in and restore access to the network, and there may also be costly legal repercussions.
Whichever way the organization deals with a ransomware attack, the incident also will have a financial impact going forward, because to protect against falling victim again, the organization will need to invest in its security infrastructure and handle legal costs, potential class action lawsuits, and regulatory fines.
On top of all of this, there's also the risk of customers losing trust in the organization because of poor cybersecurity, with clients taking their business elsewhere.
The largest known ransomware payout to date was made by CNA Financial, one of the top US insurance providers, which reportedly paid $40 million after falling victim to a ransomware attack.
Why should organizations worry about ransomware?
To put it simply: Ransomware can destroy your business. Being locked out of your own files by malware for even just a day will impact your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems can remain offline for so long, not simply because ransomware locks the system, but because of all the time and effort required to clean up and restore networks.
And it isn't just the immediate financial hit of ransomware that will damage a business; consumers become wary of giving their data to companies they believe to be insecure.
Cybercriminals have learned that businesses are not the only lucrative targets: critical infrastructure such as hospitals and industrial facilities is also being disrupted by ransomware, and such disruptions can have serious consequences for people.
The education sector also has become an increasingly popular target for ransomware campaigns. Schools and universities became reliant on remote learning due to the coronavirus pandemic -- and cybercriminals noticed. These education networks are used by potentially thousands of people, many using their personal devices, and all it might take for a malicious hacker to gain access to the network is one successful phishing email or cracking the password of one account.
Why are small businesses targets for ransomware?
Small and medium-sized businesses are a popular target because they tend to have poorer cybersecurity than large organizations. Despite that, many SMBs falsely believe they're too small to be targeted -- but even a modest ransom of a few hundred dollars is still highly profitable for cybercriminals.
Smaller businesses can also be tempting as low-hanging fruit: compromising a supplier can give attackers a route into a larger, more lucrative target through a supply chain attack.
Meanwhile, for criminals, it's an easy way to make money. Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments with little chance of prosecution afterward?
Can cyber insurance help?
Cyber insurance is a policy designed to help protect organizations from the fallout of cyberattacks.
However, an increase in claims -- and the potentially high cost of paying out -- has prompted some cyber-insurance providers to exclude ransomware attacks from policies.
What does cryptocurrency have to do with the rise of ransomware?
The rise of cryptocurrencies like Bitcoin has made it easy for cybercriminals to receive payments with less risk of the authorities being able to identify and trace the perpetrators.
Digital wallets are used to store cryptocurrency, and while they are not untraceable, they make illegal funds harder to track and seize -- especially if the funds are mixed and laundered through multiple wallets and cryptocurrency exchanges.
Many ransomware groups offer "customer service" to help victims who don't know how to acquire or send cryptocurrency to do so, because what's the point of making ransom demands if users don't know how to pay?
How do you prevent a ransomware attack?
Because large numbers of ransomware attacks start with hackers exploiting exposed internet-facing services such as Remote Desktop Protocol (RDP), one of the key things an organization can do to prevent itself from falling victim is to ensure that ports aren't exposed to the internet when they don't need to be.
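A simple way to act on this is to audit firewall or security-group rules for high-risk services that are open to any source address. The following Python script is an added example, not code from the ZDNET article or from any vendor; the rule format, the sample rules and the list of high-risk ports are all constructed assumptions for the demonstration.

```python
import ipaddress

# Services that typically should not be reachable from the internet.
# This port list is an assumption for the example, not taken from the article.
HIGH_RISK_PORTS = {
    3389: "RDP",
    445: "SMB",
    139: "NetBIOS session",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    5900: "VNC",
}

# Constructed allow-list in a simple "action source_cidr port/proto" format,
# standing in for a firewall or cloud security-group export.
SAMPLE_RULES = """\
allow 0.0.0.0/0 443/tcp
allow 10.0.0.0/8 3389/tcp
allow 0.0.0.0/0 3389/tcp
allow 203.0.113.0/24 22/tcp
allow 0.0.0.0/0 445/tcp
deny 0.0.0.0/0 5900/tcp
allow ::/0 5985/tcp
"""


def parse_rule(line):
    """Parse one 'action source_cidr port/proto' line into a dict."""
    action, src, port_proto = line.split()
    port, proto = port_proto.split("/")
    return {
        "action": action,
        "src": ipaddress.ip_network(src, strict=False),
        "port": int(port),
        "proto": proto,
    }


def is_internet_wide(net):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source address.
    A stricter audit would also flag any non-private source range."""
    return net.prefixlen == 0


def find_exposed_services(rules_text, risky_ports=HIGH_RISK_PORTS):
    """Return (line number, service, port, source) for every allow rule that
    opens a high-risk port to the whole internet. Deny rules are ignored."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if not line.strip():
            continue
        rule = parse_rule(line)
        if rule["action"] != "allow" or rule["port"] not in risky_ports:
            continue
        if is_internet_wide(rule["src"]):
            findings.append((lineno, risky_ports[rule["port"]], rule["port"], str(rule["src"])))
    return findings


if __name__ == "__main__":
    for lineno, name, port, src in find_exposed_services(SAMPLE_RULES):
        print(f"rule line {lineno}: {name} (port {port}) is open to {src}")
```

Against the sample rules the script flags RDP and SMB open to 0.0.0.0/0 and WinRM open to ::/0, while the RDP rule scoped to 10.0.0.0/8 passes; the same check applied to a real export gives a concrete list of exposures to close or restrict to a VPN or bastion host.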
When it comes to stopping attacks via email, managers should provide employees with training on how to spot suspicious emails. Employees noticing unusual details -- say, an email with sloppy formatting, or a message purporting to be from 'Microsoft Security' sent from an obscure address that doesn't even contain the word Microsoft -- might save networks from infection.
On a technical level, stopping employees from being able to enable macros is a big step toward ensuring that they can't unwittingly run a ransomware file. Endpoint protection, alongside firewalls and behavioral anomaly detection solutions, also can help.
But even if attackers are already inside the network, it isn't too late -- if information security teams can spot unusual or suspicious activity before the ransomware is launched, it's possible to reduce the scope of the attack or prevent it altogether.
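The behavioral anomaly detection mentioned above can be illustrated on file-activity logs: ransomware shows up as one process rewriting many files to a single unfamiliar extension in seconds, often followed by a ransom note. The Python detector below is an added example written for this article, not code from ZDNET or from any EDR product; the log format, the sample events, the process names and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext

# Detection thresholds: assumptions for this example, to be tuned per environment.
WINDOW = timedelta(seconds=10)   # look-back window per process
MIN_FILES = 20                   # distinct files rewritten inside the window
MIN_SHARE = 0.8                  # share of those files ending in one unfamiliar extension
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}
# Filenames that look like a ransom note dropped beside encrypted files.
NOTE_PATTERN = re.compile(r"(readme|how_to_(decrypt|restore)|recover_files).*\.(txt|html|hta)$", re.I)


def build_sample_events():
    """Constructed file-activity log, one 'timestamp|process|event|path' per line.
    Not output from any real product."""
    t0 = datetime(2023, 9, 11, 9, 30, 0)
    lines = []
    # Benign: a user saving a few documents over several minutes.
    for i in range(3):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()}|WINWORD.EXE|modify|C:\\Users\\ann\\Docs\\report{i}.docx")
    # Suspicious: one process renaming 25 spreadsheets to a new extension within five seconds...
    for i in range(25):
        ts = t0 + timedelta(minutes=5, milliseconds=200 * i)
        lines.append(f"{ts.isoformat()}|svchosts.exe|rename|"
                     f"C:\\Shares\\finance\\q{i}.xlsx -> C:\\Shares\\finance\\q{i}.xlsx.locked")
    # ...followed by a ransom note.
    ts = t0 + timedelta(minutes=5, seconds=6)
    lines.append(f"{ts.isoformat()}|svchosts.exe|create|C:\\Shares\\finance\\README_TO_RESTORE.txt")
    return lines


def parse_event(line):
    ts_str, proc, event, path = line.split("|", 3)
    if event == "rename":            # keep the destination name for renames
        path = path.split(" -> ", 1)[1]
    return datetime.fromisoformat(ts_str), proc, event, path


def basename(path):
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def detect(lines, window=WINDOW, min_files=MIN_FILES, min_share=MIN_SHARE):
    """Return one alert per (process, reason): 'mass-rewrite' when a process
    rewrites min_files distinct files to one unfamiliar extension inside the
    window, 'ransom-note' when it drops a note-like file."""
    recent = defaultdict(deque)      # process -> (timestamp, path) pairs inside the window
    alerted = set()                  # (process, reason) pairs already reported
    alerts = []
    for ts, proc, _event, path in sorted(parse_event(line) for line in lines):
        if NOTE_PATTERN.search(basename(path)) and (proc, "ransom-note") not in alerted:
            alerted.add((proc, "ransom-note"))
            alerts.append({"process": proc, "reason": "ransom-note", "at": ts.isoformat(), "path": path})
        q = recent[proc]
        q.append((ts, path))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        files = {p for _, p in q}
        if len(files) >= min_files and (proc, "mass-rewrite") not in alerted:
            ext, n = Counter(splitext(p)[1].lower() for p in files).most_common(1)[0]
            if ext not in KNOWN_EXTS and n / len(files) >= min_share:
                alerted.add((proc, "mass-rewrite"))
                alerts.append({"process": proc, "reason": "mass-rewrite", "at": ts.isoformat(),
                               "extension": ext, "files": len(files)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

On the constructed log the detector raises a mass-rewrite alert on the 20th rename (all to `.locked`) and a ransom-note alert a few seconds later, both for `svchosts.exe`, while the user's three document saves stay silent. The point of the sliding window is that a process gets roughly five seconds of damage before the alert fires, which is why this kind of signal is used to isolate the host rather than merely to log it.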
How long does it take to recover from a ransomware attack?
Simply put, ransomware can cripple a whole organization -- an encrypted network is more or less useless and not much can be done until systems are restored.
If a business has backups in place, systems can be back online in the time it takes the network to be restored to functionality, although depending on the size of the company, that could range from a few hours to days.
However, while it's possible to regain functionality in the short term, it can sometimes take months for organizations to get all their systems back up and running.
Outside of the immediate impact ransomware can have on a network, the incident can result in an ongoing financial hit. Any period of time offline is bad for a business as it ultimately means the organization can't provide the service it sets out to, and can't make money. But the longer the system is offline, the bigger that hit can be.
And that's assuming your customers want to continue doing business with you: In some sectors, the fact that you've fallen victim to a cyberattack could drive customers away.
How do I remove ransomware?
The 'No More Ransom' initiative -- launched in July 2016 by Europol and the Dutch National Police in collaboration with a number of cybersecurity companies -- offers free decryption tools for ransomware variants to help victims retrieve their encrypted data without succumbing to the will of cyber extortionists.
Available in dozens of languages, and now offering numerous ransomware decryption tools, the program is regularly adding more tools for new ransomware variants.
Individual security companies also regularly release decryption tools to counter the ongoing evolution of ransomware -- many of these will post updates about these tools on their company blogs as soon as they've cracked the code.
Another way of working around a ransomware infection is to ensure your organization regularly backs up data offline. It might take some time to transfer the backup files onto a new machine, but if a computer is infected and you have backups, it's possible to isolate that unit and then get on with your business. Just make sure that cybercriminals aren't able to encrypt your backups, too.
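One practical check that your backups have not been encrypted along with everything else is to record a hash manifest when the backup is taken, keep that manifest somewhere the backup host cannot write to, and verify the copy against it before relying on it for a restore. The Python script below is an added example for this article, not ZDNET's or any backup vendor's code; the backup files, the simulated tampering and the directory layout are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the backup tree against the manifest recorded when it was made.
    Changed or missing entries mean the copy cannot be trusted for a restore;
    unexpected entries are files that appeared afterwards (e.g. renamed, encrypted copies)."""
    current = build_manifest(root)
    result = {"ok": [], "changed": [], "missing": [],
              "unexpected": sorted(set(current) - set(manifest))}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    for key in ("ok", "changed", "missing"):
        result[key].sort()
    return result


def demo():
    """Build a constructed backup set, record its manifest, then simulate the
    backup share being reached by ransomware and verify against the manifest."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "contracts"))
        sample_files = {  # constructed backup contents
            "ledger.csv": b"date,amount\n2023-09-01,100\n",
            "notes.txt": b"quarterly planning notes\n",
            "contracts/a.docx": b"PK\x03\x04 constructed docx placeholder",
        }
        for rel, data in sample_files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # In practice the manifest lives where the backup host cannot overwrite it:
        # offline media, write-once storage, or a separate credential domain.
        manifest = build_manifest(root)

        # Simulated attacker activity on a backup that was left reachable:
        # one file overwritten with ciphertext-like bytes, one renamed.
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

The verification reports `ledger.csv` as changed, `notes.txt` as missing and `notes.txt.locked` as unexpected, with only `contracts/a.docx` still matching. A manifest stored on the same share would have been encrypted or replaced too, which is the reason the check only means something when the manifest, like the backup itself, is kept out of the attacker's reach.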
But be warned: If word gets out that your organization is an easy target for cybercriminals because it paid a ransom, you could find yourself the target of other cybercriminals looking to take advantage of your weak security. And remember that you're dealing with criminals here and their very nature means they may not keep their word: There's no guarantee you'll ever get the decryption key, even if they have it. Decryption isn't even always possible.
As ransomware continues to evolve, it's crucial your employees understand the threat it poses, and that organizations do everything possible to avoid infection, because ransomware can be crippling and decryption is not always an option.