Microsoft Security

What is ransomware?

Learn more about ransomware, how it works, and how you can protect yourself and your business from this type of cyberattack.

Ransomware defined

Ransomware is a type of malicious software, or malware, that threatens a victim by destroying or blocking access to critical data or systems until a ransom is paid. Historically, most ransomware targeted individuals, but more recently, human-operated ransomware, which targets organizations, has become the larger and more difficult threat to prevent and reverse. With human-operated ransomware, a group of attackers use their collective intelligence to gain access to an organization’s enterprise network. Some attacks of this kind are so sophisticated that the attackers use internal financial documents they’ve uncovered to set the ransom price.

Ransomware attacks in the news

Unfortunately, mentions of ransomware threats in the news are now a common occurrence. Recent high-profile ransomware attacks have affected critical infrastructure, healthcare, and IT service providers. As these attacks have become bolder in scope, their effects have become more unpredictable. Here’s a look at some ransomware attacks and how they’ve affected organizations:

  • In March 2022, Greece’s postal system became the victim of ransomware. The attack temporarily disrupted mail delivery and affected financial transaction processing.
  • One of India’s largest airlines experienced a ransomware attack in May 2022. The incident led to flight delays and cancellations, as well as hundreds of stranded passengers.
  • A large human resources company was hit by a ransomware attack in December 2021, which affected its payroll and time-off system for clients that use its cloud service.
  • In May 2021, a U.S. fuel pipeline shut down its services to prevent further breaches after a ransomware attack compromised thousands of its employees’ personal information. The effects sent gas prices soaring throughout the East Coast.
  • A German chemical distribution company suffered a ransomware attack in April 2021. More than 6,000 individuals’ birth dates, Social Security numbers, and driver’s license numbers, as well as some medical data, were stolen.
  • The largest meat supplier in the world became the target of a ransomware attack in May 2021. After temporarily taking its website offline and halting production, the company ended up paying a USD$11 million ransom in Bitcoin.

How does ransomware work?

Ransomware attacks rely on seizing control of an individual’s or organization’s data or device(s) as a means of demanding money. In years past, social-engineered attacks were the most prevalent, but recently, human-operated ransomware has become popular with criminals because of the potential for a huge payout.

Social-engineered ransomware 
These attacks use phishing—a form of deception in which an attacker poses as a legitimate company or website—to trick a victim into clicking a link or opening an email attachment that will install ransomware on their device. The attacks often feature alarmist messages that prompt a victim to act out of fear. For example, a cybercriminal might pose as a well-known bank and send an email alerting someone that their account has been frozen because of suspicious activity, urging them to click a link in the email to address the issue. Once they click the link, ransomware is installed.

Human-operated ransomware
Human-operated ransomware often begins through stolen account credentials. Once the attackers have gained access to an organization’s network in this way, they use the stolen account to determine the credentials of accounts with wider scopes of access and look for data and business-critical systems with the potential for high financial payoff. They then install ransomware on these sensitive data or business-critical systems, for example, by encrypting sensitive files so that the organization can’t access them until it pays a ransom. Cybercriminals tend to ask for payment in a cryptocurrency because of its anonymity.

These attackers target large organizations that can pay a higher ransom than the average individual, sometimes asking for millions of dollars. Because of the high stakes involved with a breach of this scale, many organizations opt to pay the ransom rather than have their sensitive data leaked or risk further attacks from the cybercriminals, even though payment does not guarantee the prevention of either outcome.

As human-operated ransomware attacks have grown, the criminals behind the attacks have become more organized. In fact, many ransomware operations now use a Ransomware as a Service model, meaning that a set of criminal developers create the ransomware itself and then hire other cybercriminal affiliates to hack an organization’s network and install the ransomware, splitting the profits between the two groups at an agreed-on rate.

Different types of ransomware attacks

Ransomware comes in two main forms: crypto ransomware and locker ransomware.

Crypto ransomware
When an individual or organization is the victim of a crypto ransomware attack, the attacker encrypts a victim’s sensitive data or files so that they can’t have access unless they pay a requested ransom. In theory, once the victim pays, they receive an encryption key to gain access to the files or data. Even if a victim pays the ransom, however, there’s no guarantee that the cybercriminal will send the encryption key or relinquish control. Doxware is a form of crypto ransomware that encrypts and threatens to reveal a victim’s personal information publicly, usually with the goal to humiliate or shame them into paying the ransom.

Locker ransomware
In a locker ransomware attack, a victim is locked out of their device and unable to log in. The victim will be presented with an on-screen ransom note explaining that they’ve been locked out and including instructions for how to pay a ransom to regain access. This form of ransomware typically doesn’t involve encryption, so once the victim regains access to their device, any sensitive files and data are preserved.

Responding to a ransomware attack

If you find yourself the victim of a ransomware attack, you do have options for recourse and removal.

Be cautious about paying the ransom
Although it might be tempting to pay the ransom in the hopes of removing the problem, there’s no guarantee that the cybercriminals will keep their word and grant you access to your data. Security experts and law enforcement agencies recommend that victims of ransomware attacks don’t pay the requested ransoms, because doing so could leave victims open to future threats and would actively support a criminal industry. If you’ve already paid, immediately contact your bank—it may be able to stop payment if you paid with a credit card.

Isolate the infected data
As soon as you’re able, isolate the compromised data to help prevent the ransomware from spreading to other areas of your network.

Run an antimalware program
Many ransomware attacks can be dealt with by installing an antimalware program to remove the ransomware. Once you’ve chosen a reputable antimalware solution, such as Microsoft Defender, be sure to keep it up to date and always running so you have protection against the latest attacks.

Report the attack
Contact your local or federal law enforcement agencies to report the attack. In the United States, these are your FBI local field office, the IC3, or the Secret Service. Although this step likely won’t solve any of your immediate concerns, it’s important because these authorities actively track and monitor different attacks. Providing them with details about your experience could be a useful piece of information in the bigger picture of finding and prosecuting a cybercriminal or a cybercriminal group.

Ransomware protection

With ransomware attacks higher than ever before and so much of people’s personal information contained digitally, the potential fallout from an attack is daunting. Thankfully, there are many ways to keep your digital life just that—your digital life, not someone else’s. Here’s how to gain peace of mind with proactive ransomware protection.

Install an antimalware program
The best form of protection is prevention. Many ransomware attacks can be detected and blocked with a trusted antimalware service, such as Microsoft Defender for Endpoint, Microsoft Defender XDR, or Microsoft Defender for Cloud. When you use an antimalware program, your device first scans any files or links that you attempt to open to help ensure they’re safe. If a file or website is malicious, the antimalware program will alert you and suggest that you not open it. These programs can also remove ransomware from a device that’s already infected.

Hold regular trainings
Keep employees informed about how to spot the signs of phishing and other ransomware attacks with regular trainings. This will not only teach them safer practices for work but also how to be safer when using their personal devices.

Move to the cloud
When you move your data to a cloud-based service, like Azure Cloud Backup Service or Azure Block Blob Storage Backup, you’ll be able to easily back up data for safer keeping. If your data is ever compromised by ransomware, these services help ensure that recovery is both immediate and comprehensive.

Adopt a Zero Trust model
A Zero Trust model evaluates all devices and users for risk before permitting them to access applications, files, databases, and other devices, decreasing the likelihood that a malicious identity or device could access resources and install ransomware. As an example, implementing multifactor authentication, one component of a Zero Trust model, has been shown to reduce the effectiveness of identity attacks by more than 99 percent. To evaluate your organization’s Zero Trust maturity stage, take Microsoft’s Zero Trust Maturity Assessment.

Join an information-sharing group
Information-sharing groups, frequently organized by industry or geographic location, encourage similarly structured organizations to work together toward cybersecurity solutions. The groups also offer organizations different benefits, such as incident response and digital forensics services, news about the latest threats, and monitoring of public IP ranges and domains.

Maintain offline backups
Because some ransomware will try to seek out and delete any online backups you may have, it’s a good idea to keep an updated offline backup of sensitive data that you regularly test to make sure it’s restorable if you’re ever hit by a ransomware attack. Unfortunately, maintaining an offline backup won’t fix the issue if you’ve been hit with a crypto ransomware attack, but it can be an effective tool to use in a locker ransomware attack.

Keep software up to date
In addition to keeping any antimalware solutions updated (consider choosing automatic updates), be sure to download and install any other system updates and software patches as soon as they’re available. This helps minimize any security vulnerabilities that a cybercriminal might exploit to gain access to your network or devices.

Create an incident response plan
Just like having an emergency plan in place for how to exit your home if there’s a fire keeps you safer and more prepared, creating an incident response plan for what to do if you’ve been hit with a ransomware attack will provide you with actionable steps to take in different attack scenarios so that you can get back to operating normally and safely as soon as possible.

Help protect it all with Microsoft Security

Microsoft Sentinel

Get a full view across your enterprise with a cloud-native security incident and event management solution (SIEM).

Microsoft Defender XDR

Secure your endpoints, identities, email, and apps with extended detection and response (XDR).

Microsoft Defender for Cloud

Defend your multicloud and hybrid environments from development to runtime.

Microsoft Defender Threat Intelligence

Understand threat actors and their tooling with a complete, continuously updated map of the internet.

Combat ransomware threats

Stay ahead of threats using automatic attack disruption and response with Microsoft Security.

Microsoft Digital Defense Report

Familiarize yourself with the current threat landscape and how to build a digital defense.

Build an anti-ransomware program

Explore how Microsoft created the Optimal Ransomware Resiliency State to eliminate ransomware.

Use a playbook to block ransomware

Articulate and visualize what everyone’s role is in the process of blocking ransomware.

Frequently asked questions

  • Unfortunately, nearly anyone with an online presence can become the victim of a ransomware attack. Personal devices and enterprise networks are both frequent targets of cybercriminals.

    Investing in proactive solutions, however, like threat-protection services, is a viable way to prevent ransomware from ever infecting your network or devices. Therefore, individuals and organizations with antimalware programs and other security protocols in place, such as a Zero Trust model, before an attack occurs are the least likely to become victims of a ransomware attack.

  • Traditional ransomware attacks occur when an individual is tricked into engaging with malicious content, such as opening an infected email or visiting a harmful website that installs ransomware on their device.

    In a human-operated ransomware attack, a group of attackers target and breach an organization’s sensitive data, usually through stolen credentials.

    Typically, for both social-engineered ransomware and human-operated ransomware, a victim or organization will be presented with a ransom note that details the data that was stolen and the cost of having it returned. Paying the ransom, however, does not guarantee that the data will actually be returned or that future breaches will be prevented.

  • The effects of a ransomware attack can be devastating. At both the individual and organizational levels, victims could feel forced to pay high ransoms with no guarantee that their data will be returned to them or that further attacks won’t occur. If a cybercriminal leaks an organization’s sensitive information, its reputation could be tarnished and the organization could be seen as untrustworthy. And, depending on the type of information leaked and size of the organization, thousands of individuals could be at risk of becoming victims of identity theft or other cybercrimes.

  • Cybercriminals who infect victims’ devices with ransomware want money. They tend to set ransoms in cryptocurrencies because of their anonymous and untraceable nature. In a social-engineered ransomware attack targeting an individual, the ransom may be hundreds or thousands of dollars. In a human-operated ransomware attack targeting an organization, the ransom could be millions of dollars. These more sophisticated attacks against organizations may use confidential financial information that the cybercriminals found when breaching the network as grounds for setting a ransom that they believe the organization can afford.

  • Victims should report ransomware attacks to their local or federal law enforcement agencies. In the United States, these are your FBI local field office, the IC3, or the Secret Service. Security experts and law enforcement officials recommend that victims do not pay ransoms—if you’ve already paid, immediately contact your bank and local authorities. Your bank may be able to block the payment if you paid with a credit card.
