Ransomware attacks infiltrate networks and extort organizations for vast amounts of money. In some cases, these common cyber-attacks can devastate reputations and inflict crippling costs—making reliable ransomware protection critically important. This article explores how ransomware works, and what organizations can do to protect their assets.

Ransomware attack definition

Ransomware is malware that denies access to a victim's devices or data until a ransom is paid. Most variants use encryption: the attacker encrypts files or whole disks and keeps the only copy of the decryption key. Victims then face a choice between paying for the key and recovering without it, usually by restoring from backups or, for the minority of families with flawed cryptography, by using a publicly available decryptor.

Many attacks now combine encryption with data theft. Before encrypting anything, attackers copy sensitive data out of the network and threaten to leak it or sell it on the Dark Web unless the ransom is paid. This second lever, often called double extortion, is intended to make victims pay even when they could restore from backups.

Ransomware is a growing threat, especially in the healthcare sector, which receives 18.6% of US attacks. Globally, 72% of companies reported a form of ransomware attack in 2023, up from 55% in 2018, and global ransomware costs exceeded $1 billion in 2024. Robust protection is essential.

How ransomware works

Ransomware attacks range from fully automated campaigns to hands-on-keyboard intrusions in which operators work inside the network for days or weeks before encrypting anything.

Attacks tend to follow a similar playbook:

Compromising and infecting target networks

Stage one of a ransomware attack compromises the target network.

Attackers start with reconnaissance to research the target and find weaknesses. They collect employee names, email addresses, and leaked credentials for phishing and password attacks, and scan exposed services for unpatched vulnerabilities and weakly protected remote access. Once inside, further reconnaissance maps the network so that the eventual encryption reaches as many systems as possible.

The next stage is gaining a foothold in the target network. Common vectors include malicious email attachments and download links, fake websites, trojanized or compromised applications, and exposed remote access services such as RDP and VPN gateways with weak or stolen credentials.

In all cases, the goal is the same: to execute the attacker's code inside the victim's network. Once a foothold is established, the attack moves to the next phase.

Data encryption

After gaining access, attackers move laterally through the network, harvesting credentials and escalating privileges until they reach file servers, databases, virtualization hosts, and other high-value assets. They then deploy the encryptor, which locks data with keys that only the threat actor can recover, denying access to the legitimate owner.

Encryption is not indiscriminate. Attackers need the target systems to stay bootable and reachable so that the victim can read the ransom note and negotiate, so encryptors typically skip operating system directories and executables while encrypting documents, databases, and shared folders.

Sophisticated attackers add a further step before encryption: locating and deleting backups, including volume shadow copies and any backup server reachable with the credentials they have stolen. Without usable backups, restoration depends on the decryption key, which makes the ransom much harder to refuse.

Announcing the ransomware attack

The next stage brings the attack to the victim's attention. Typically the ransomware announces its demands on the victim's screen; for example, it may replace the Windows desktop background with the payment terms.

Some variants are more subtle, leaving text files in encrypted directories. Attackers may also make direct contact via email or even phone calls. In every case, the victim faces a choice: whether to pay or not. Most modern variants are crypto-ransomware, demanding payment in cryptocurrencies that are harder to trace than bank transfers.

Decryption and system restoration

If all goes well, victims send the right amount of cryptocurrency, and attackers supply the decryption key and a decryptor application. Victims enter the key into the decryptor, restoring access to data and files.

This is the best case, though. In 92% of attacks, victims who receive a decryption key still do not regain access to all of their encrypted data: attacker-supplied decryptors are often slow and unreliable, and files corrupted during encryption cannot be recovered. Full restoration is far from certain, even if victims follow every requirement.

Note: This is a generalized description of a ransomware attack. As we will see, attacks vary. Some variants spread rapidly to connected devices. Others scan and extract data.

Organizations need tooling to assess each incident and determine how attackers are targeting their systems. Otherwise, a single ransomware attack can cause:

  • Reputational damage. Customers lose trust in businesses that put their data at risk. Damage can be amplified in cases where attacks spread to user accounts and devices.
  • Direct losses. The average ransomware demand in 2024 was $2.73 million and the average cost per incident reached $1.85 million. However, payments can reach as much as $40 million.
  • Data breaches. Data theft may accompany encryption, adding breach notification and legal costs and worsening the reputational harm.
  • System downtime. The average ransomware attack results in 11.6 days of system downtime, although outages can last for months. Depending on the economic sector involved this can add millions to the total cost.
  • Regulatory penalties. If regulators determine a ransomware attack resulted from security lapses, they may impose financial or legal penalties. For example, HHS imposed a $240,000 HIPAA fine on health provider Providence Medical Institute after a ransomware incident.

Types of ransomware

Unfortunately, criminals have many ways to lock target devices and demand ransom payments. Companies need security strategies to counter every applicable threat vector.

Common ransomware attack types include:

  • Crypto ransomware. This type encrypts data and demands payment in cryptocurrency. Most families use hybrid encryption: each file is encrypted with a fresh symmetric key (typically AES), and that key is in turn encrypted with the attacker's public key, so only the attacker's private key can unlock the data. Bitcoin remains the most common payment method because it is easy to obtain, but Bitcoin transactions are public and pseudonymous rather than anonymous, and blockchain analysis has traced many payments back to attack groups. Groups that want stronger privacy demand Monero instead.
  • Locker ransomware. Locker ransomware takes a slightly less focused approach. In this ransomware variant, attackers lock down entire devices—not just data or files. Victims cannot access infected devices. They only see a screen displaying the ransom note and details about the payment method.
  • Scareware. Scareware relies on fear rather than encryption. A scareware agent rarely touches files; instead it displays fake antivirus warnings or alarming ransomware alerts. Victims pay to remove threats that do not exist, and may install further malware in the process. Scareware campaigns may also follow real ransomware incidents, when organizations are vulnerable to additional coercion.
  • Wipers. Wiper attacks are not classic ransomware but share its appearance. The malware overwrites or destroys files, sometimes behind a fake ransom note, and no key exists that would restore them. The aim is disruption and damage rather than payment.
  • RaaS (Ransomware-as-a-Service). RaaS allows less-skilled criminals to mount extensive ransomware attacks. Affiliates can purchase ransomware kits from Dark Web vendors. Attacks mounted via these kits are as hard to detect as those mounted by professional attackers. RaaS is a critical reason behind the rapid growth of ransomware as a network security threat.
  • Leakware (DoxWare). Leakware agents specialize in extracting data and threatening targets with exposure if they fail to pay ransoms. These ransomware attacks may not rely on encryption at all. Instead, they act quickly, scanning for relevant data and removing it to a secure location. Doxware is a critical threat to organizations that handle personally identifiable information (PII), such as healthcare bodies, government organizations, or financial service providers.
  • Fileless ransomware. Fileless attacks avoid dropping a distinct malware executable on disk. Instead they abuse legitimate tools already present on the system, such as PowerShell, WMI, or scheduled tasks, and run their code in memory, which leaves fewer artifacts for signature-based antivirus to find.
  • IoT ransomware. With the rise of smart devices and distributed networks, cybercriminals increasingly target internet-of-things infrastructure. IoT ransomware locks IoT devices, preventing access until users pay a ransom. This is particularly urgent if the IoT devices form part of manufacturing or energy production systems.
  • Double or triple extortion attacks. These ransomware variants couple encryption with data theft. In double extortion attacks, criminals steal data, which they use as an insurance policy if victims do not pay the ransom. Triple extortion attacks also expand the scope of ransomware incidents by targeting the victims' customers or partners. Attackers may also threaten catastrophic DDoS attacks to extract higher ransom payments.

Organizations do not encounter general categories in the real world. Instead, security teams must deal with specific ransomware agents based on the latest threat intelligence. Examples of notorious ransomware variants include:

Maze

Active since 2019, Maze popularized the combination of data theft and encryption, threatening to sell data in Dark Web auctions if victims failed to pay. At first, this variant relied on malicious email attachments, but Maze underscores how ransomware evolves: later intrusions exploited RDP weaknesses and compromised VPN appliances.

Privilege escalation is central to Maze intrusions. The operators move through target networks, stealing credentials and escalating access, and plant multiple backdoors that make removal more difficult.

The group behind Maze officially announced its disbandment in 2020. However, related Sekhmet and Egregor ransomware agents use similar techniques. Maze may have morphed into a RaaS product to extend its reach.

REvil

Famous for targeting huge corporations, REvil (also known as Sodinokibi) is another high-profile threat. This Russia-based RaaS operation uses double extortion, which allows its affiliates to demand extremely high ransoms. By the attackers' own account, project income regularly exceeded $2.5 million, with a total group income of over $2 billion.

DearCry

Identified in March 2021, DearCry appeared days after the Hafnium group's exploitation of the ProxyLogon vulnerabilities in Microsoft Exchange Server and abused the same flaws to get in. Once on the server, DearCry encrypts files with AES-256 and protects the file keys with an RSA-2048 key, appending a .CRYPT extension to each file. Without the attacker's private key, the data is out of reach.

Dharma/CrySis

Dharma targets Remote Desktop Protocol users via the RDP service port. Brute-forcing credentials on RDP endpoints exposed to the internet, often on public cloud hosts, gives attackers access to Windows systems, where they deploy the AES-256 encryptor and use credential extractors to move laterally through the network.

Agents like Dharma and DarkSide differ from other crypto-ransomware variants in that their initial access abuses exposed remote access services, which makes them a direct threat to cloud operations. Detecting and neutralizing these agents is a security priority for all organizations that depend on remote access to cloud deployments.

How can you detect ransomware?

Cyber-attackers design ransomware agents to bypass detection systems. Nevertheless, there are ways to detect ransomware attacks before encryption takes place.

Comprehensive endpoint protection is critical. Endpoint Detection and Response (EDR) tools record process, file, registry, and network activity on each host and combine anti-malware scanning with regularly updated threat intelligence.

EDR uses multiple techniques to detect ransomware attacks. Firstly, security tools look for the signatures that characterize known ransomware binaries. Signatures are not enough on their own, though, as attackers repack or modify agents so that each campaign looks new.

As a result, EDR also looks for behavior that signals ransomware rather than for any particular binary. A single process that reads, rewrites, and renames hundreds of files in seconds, deletes volume shadow copies, or writes files whose contents look random is behaving like an encryptor. Network traffic patterns can also change, for example a large outbound transfer to an unfamiliar host, which suggests data extraction is under way.
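The behavioral signal described above, as an added example (this is not code from the original article or from any EDR product): a toy detector over constructed endpoint file-event telemetry. The event format, field names, and thresholds (window length, file count, extension-change ratio, entropy floor) are assumptions for illustration; real EDR telemetry is richer, but the logic is the one the text describes. One process rewriting many files in a short window, changing their extensions, and producing output with near-random byte distribution is flagged, while an office application saving a few documents is not.

```python
"""Toy behavioral ransomware detector over endpoint file-event logs.

Added example, not from the original article. Log format, field names and
thresholds are assumptions chosen for illustration.
"""
import hashlib
import math
import os
from collections import defaultdict

WINDOW_SECONDS = 10          # assumption: look-back window per process
MIN_FILES = 20               # assumption: distinct files touched in the window
MIN_EXT_CHANGE_RATIO = 0.5   # assumption: share of files whose extension changed
MIN_ENTROPY = 6.0            # bits per byte; plaintext documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant buffer, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def pseudo_random_bytes(seed: str, length: int = 256) -> bytes:
    """Deterministic stand-in for ciphertext in the constructed sample (SHA-256 chain)."""
    out, block = b"", seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def build_sample_events():
    """Constructed telemetry: a benign office process and an encryptor.

    Each event: ts (seconds), pid, image, action ('write' or 'rename'), path,
    plus 'sample' (first bytes written) for writes and 'new_path' for renames.
    """
    events = []
    text = (b"Quarterly report - revenue figures and commentary. " * 5)[:256]
    for i in range(3):  # WINWORD.EXE saves three documents over a minute
        events.append({"ts": 10.0 + i * 20, "pid": 1400, "image": "WINWORD.EXE",
                       "action": "write", "sample": text,
                       "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"})
    for i in range(30):  # unknown binary rewrites 30 files in six seconds, adding .locked
        src = f"C:\\Users\\alice\\Documents\\file{i}.xlsx"
        events.append({"ts": 100.0 + i * 0.2, "pid": 4712, "image": "svchost_.exe",
                       "action": "write", "path": src, "sample": pseudo_random_bytes(src)})
        events.append({"ts": 100.1 + i * 0.2, "pid": 4712, "image": "svchost_.exe",
                       "action": "rename", "path": src, "new_path": src + ".locked"})
    return events


def detect(events):
    """Return {pid: reason} for processes whose file activity looks like encryption."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pid[e["pid"]].append(e)
    flagged = {}
    for pid, evs in by_pid.items():
        for start in range(len(evs)):
            t0 = evs[start]["ts"]
            window = [e for e in evs[start:] if e["ts"] - t0 <= WINDOW_SECONDS]
            files = {e["path"] for e in window}
            if len(files) < MIN_FILES:
                continue
            renamed = {e["path"] for e in window if e["action"] == "rename"
                       and os.path.splitext(e["new_path"])[1] != os.path.splitext(e["path"])[1]}
            samples = [e["sample"] for e in window if e["action"] == "write" and e.get("sample")]
            mean_h = sum(map(shannon_entropy, samples)) / len(samples) if samples else 0.0
            if len(renamed) / len(files) >= MIN_EXT_CHANGE_RATIO and mean_h >= MIN_ENTROPY:
                flagged[pid] = (f"{window[0]['image']}: {len(files)} files, {len(renamed)} "
                                f"extension changes, mean entropy {mean_h:.2f} bits/byte "
                                f"within {WINDOW_SECONDS}s")
                break  # one hit per process is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for pid, reason in detect(build_sample_events()).items():
        print(f"ALERT pid={pid} {reason}")
```

The three conditions are deliberately combined rather than used alone: a backup agent touches many files, a build job renames many files, and a compression tool writes high-entropy output, but only an encryptor does all three at once.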

With early warning, security teams can isolate the affected host, block the offending process, reset compromised credentials, and hunt for the attacker's other footholds. Quarantining the agent during the preparation phase, before encryption begins, limits the damage.

EDR is a developing technology. AI and machine learning are improving systems to scan traffic and anticipate threats. Companies should invest in the latest versions to optimize their endpoint security strategy.

Ransomware protection methods

Detection is not sufficient on its own. Organizations need comprehensive ransomware protection strategies to prevent infiltration and infection and limit the ability of attackers to access critical data.

Common ransomware prevention measures include:

  • Data backups. Ransomware makes data unusable and disrupts business operations. Companies can keep systems running via regular backups kept where an attacker on the production network cannot reach them: offline, immutable, or under separate credentials, with restores tested regularly and backup integrity verified before a restore is trusted.
  • Anti-phishing training. Clicking on malicious attachments or visiting fake websites are common entry points for ransomware agents. As a result, companies should regularly train users to avoid unsolicited attachments and screen all links thoroughly.
  • Network segmentation. To succeed, ransomware attackers need maximum freedom to move within targeted networks. Organizations should limit lateral movement by segmenting their networks and tightly managing user privileges. Apply the principle of least privilege, preventing access without a legitimate business reason.
  • Updates and patches. Ransomware attackers rely on backdoors and exploits to gain access. Make entry harder by routinely updating operating systems and applications that face the public internet. Connect patch management to threat intelligence to apply updates when new vulnerabilities emerge.
  • Secure remote access. Exposed RDP is a common source of ransomware infection. Put remote access behind a VPN or zero-trust gateway, require multi-factor authentication, limit RDP to users who need it, and use device posture checks so that only managed, healthy devices can connect.
  • Protect mobile devices. Work tablets and smartphones can also fall victim to a ransomware attack. Restrict work devices to professional use and block installation from unauthorized third-party app stores.
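One way to make the backup advice above concrete, and to counter the backup-deletion step described earlier in the attack walkthrough, as an added example (not the article's or NordLayer's code): hash every file in a backup set into a manifest and sign the manifest with an HMAC key that lives only on the verification host, never on the production systems the attacker controls. An intruder who encrypts or deletes backup files, adds a ransom note, or rewrites the manifest to match the damaged state cannot produce a valid signature, so the tampering shows at verification time rather than at a failed restore. The file names, the key handling, and the attacker scenario in `demo()` are constructed for illustration.

```python
"""Signed backup manifest: detect encrypted, deleted or forged backup contents.

Added example, not from the original article. The HMAC key is assumed to be
generated and stored only on the backup-verification host.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root: str):
    """Relative paths of every file under root, in sorted order."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full


def build_manifest(root: str, key: bytes) -> bytes:
    """Hash all files under root and sign the listing. Returns the manifest as bytes."""
    entries = {rel: sha256_file(full) for rel, full in _listing(root)}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": entries, "hmac": tag}, sort_keys=True).encode()


def verify_backup(root: str, manifest_bytes: bytes, key: bytes) -> dict:
    """Check the manifest signature, then every file against its recorded hash."""
    doc = json.loads(manifest_bytes)
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    result = {"manifest_ok": hmac.compare_digest(expected, doc["hmac"]),
              "missing": [], "tampered": [], "unexpected": []}
    for rel, digest in doc["files"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif sha256_file(full) != digest:
            result["tampered"].append(rel)
    present = {rel for rel, _ in _listing(root)}
    result["unexpected"] = sorted(present - set(doc["files"]))  # e.g. a dropped ransom note
    result["clean"] = result["manifest_ok"] and not (
        result["missing"] or result["tampered"] or result["unexpected"])
    return result


def demo():
    """Constructed scenario: three files backed up, then an intruder encrypts one,
    deletes one, drops a ransom note, and re-signs the manifest with a key of their own."""
    key = os.urandom(32)  # assumption: held only on the verification host
    with tempfile.TemporaryDirectory() as root:
        for name, content in [("db.sql", b"CREATE TABLE users (id INT);\n"),
                              ("payroll.csv", b"id,name,amount\n1,alice,100\n"),
                              ("config.yml", b"retention_days: 30\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        manifest = build_manifest(root, key)
        baseline = verify_backup(root, manifest, key)

        with open(os.path.join(root, "payroll.csv"), "wb") as f:
            f.write(os.urandom(64))                       # "encrypted" in place
        os.remove(os.path.join(root, "db.sql"))           # backup deleted
        with open(os.path.join(root, "README_TO_RESTORE.txt"), "wb") as f:
            f.write(b"your files are encrypted\n")        # ransom note dropped
        forged = build_manifest(root, b"attacker-key")    # matches damaged state, wrong key
        return baseline, verify_backup(root, manifest, key), verify_backup(root, forged, key)


if __name__ == "__main__":
    for label, r in zip(("baseline", "after attack", "forged manifest"), demo()):
        print(label, r)
```

The signature is what makes the check meaningful: plain hash lists stored next to the backup are worthless against an attacker who can rewrite both. Keep the key, and ideally the manifest itself, on the side that restores, not the side that gets compromised.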

How to remove ransomware

Prevention is not the only piece of the ransomware security puzzle. Companies can also take action when a ransomware incident occurs to reduce the damage and safeguard data.

Security teams need to handle each ransomware incident carefully to avoid further infection and thoroughly remove agents. Attackers may use backdoors to ensure persistence, making removal a complicated challenge.

Removal measures include:

  • Applying quarantine procedures. Isolate infected hosts from the network immediately, by pulling the cable or disabling the interface, so the agent cannot spread or receive commands. Keep samples of the malware and of encrypted files in a sandboxed analysis environment rather than handling them on production systems, and keep the host off the network until it has been decontaminated.
  • Making independent backups. Copy encrypted files to a separate, secure location before attempting any recovery. Security teams or third parties may be able to decrypt data without paying a ransom, but running a decryptor on the only copy is risky: a faulty tool can damage the data beyond recovery.
  • Keeping devices active. Avoid powering off infected devices where you can isolate them by network instead. Volatile memory may still hold encryption keys and other evidence that a forensic analyst can use, and a reboot can trigger further damage or leave the system unable to start.
  • Enlisting third-party assistance. Security collectives offer decryptor tools against many ransomware agents. For example, the No More Ransom Project provides solutions for common agents like Lockbit 3.0 and the Akira ransomware variant. ID Ransomware is another free service that helps identify ransomware agents and find relevant solutions.
  • Wipe or rebuild affected systems. Security teams must ensure all devices are ransomware-free. Depending on the scope of the infection, this may mean wiping and reimaging devices, or full rebuilds from known-good media.

Avoid ransomware threats with robust network security

Ransomware is a severe and immediate threat to data security and business operations. Companies need consistent and comprehensive security strategies to prevent infection and remove ransomware when incidents occur.

NordLayer will help you manage ransomware risks. Our multi-factor authentication verifies every access request, so that stolen passwords alone are not enough to get into your network. Users can also apply network segmentation and manage user privileges to limit lateral movement.

Meanwhile, NordLayer's threat scanning and device posture checks proactively monitor for malicious websites, downloads, and unknown devices. Security teams can catch ransomware agents before they encrypt any data. Our Business VPN also encrypts remote access connections, making RDP-based ransomware attacks far harder.

Act now before attackers strike. Apply cutting-edge security measures to secure your data and minimize ransomware risks.