What is Ransomware?

Ransomware is a type of malicious software that encrypts files on a device or blocks access to the system. It typically operates by making data or systems inaccessible to the user, then demanding payment often in cryptocurrency to restore access or decrypt the affected files.   

The term "ransomware," believed to have first emerged around 2005, initially referred only to malicious software that encrypted files. Over time, however, its scope expanded with the appearance of new variants such as locker ransomware, which locks users out of their screens, and crypto ransomware, which encrypts files—broadening the definition and impact of the term.

The modern form of ransomware can be traced back to 2013, with the emergence of the malicious software known as CryptoLocker. Although methods of targeting, revenue generation, and modes of propagation varied at the time, today’s generation of ransomware largely took shape beginning with this period. According to IBM, ransomware can generally be categorized into two main types: those that rely on encryption-based attacks and those that restrict access to the device itself.

1. Locker Ransomware

This type of ransomware completely blocks users from accessing their devices, typically by locking the screen. First detected in Russia in 2009, locker ransomware became a global threat by 2010. It can infect a device when users visit malicious websites, often laced with harmful advertisements that serve as a channel for injecting malicious code.

Once activated on a computer, locker ransomware displays a pop-up message indicating that the device has been locked and that a ransom must be paid to regain access. Payment is usually demanded through methods such as gift cards or services like MoneyPak.

On mobile devices, this type of ransomware is typically disguised as a legitimate app. When a user downloads and launches the malicious application from an app store, the device’s screen becomes locked. Key characteristics of locker ransomware include:

• Attack Vectors: It can spread through fake emails, malicious links, unsafe downloads, and fraudulent updates. .
• Impact: Completely blocks access to the operating system or home screen, rendering the device unusable.
• Messages and Threats: Often displays warnings stating that payment must be made within a specific timeframe to unlock the device, threatening data deletion if ignored.
• Consequences: While a code to unlock the device may be promised upon payment, there is no guarantee that access will be restored.

2. Crypto Ransomware 

Crypto ransomware has become increasingly widespread, largely due to the anonymity and ease of transfer provided by cryptocurrencies like Bitcoin. These types of malware use strong encryption methods to lock users’ important files and demand a ransom in exchange for the decryption key. Crypto ransomware specifically targets files that are not backed up or are of critical importance. It can spread rapidly across other devices through a network, and even if the ransom is paid, there is no guarantee that the decryption key will actually be provided. 

• Attack Vectors: Crypto ransomware is delivered through fake emails, malicious attachments, unsafe links, external devices, and files downloaded from untrusted sources.
• Impact: Files are encrypted using strong algorithms such as AES or RSA, making decryption nearly impossible. File names or extensions may also be modified. 
• Messages and Demands: The user is presented with a ransom demand message. 
• Consequences: While a decryption key is theoretically promised upon payment, there is no guarantee it will be provided. Due to the use of robust encryption techniques and the advantage of attacker anonymity, crypto ransomware can lead to significant financial losses and poses a serious threat to both individuals and organizations.

In today’s digital landscape, where cybersecurity is largely maintained in online environments, the lack of proper documentation within the information security community has contributed to the rise in ransomware incidents.

• LockBit:

LockBit, one of the major cybercriminal groups offering Ransomware-as-a-Service (RaaS), enables malicious actors to launch attacks that not only encrypt victims’ data and demand payment but also threaten to publish the stolen information if the ransom is not paid. Between January 2020 and May 2023, LockBit was used in approximately 1,700 ransomware attacks across the United States, resulting in a total of $91 million in ransom payments to hackers. In February 2024, law enforcement authorities gained control of the web infrastructure used by LockBit.

• BlackCat

Also known as ALPHV or Noberus, the BlackCat ransomware family emerged in 2021. Based on the Ransomware-as-a-Service (RaaS) model, its developers provide malicious software to affiliated actors. Initial access is typically gained through stolen credentials. To pressure victims into paying the ransom, the group operated a public data leak site. In 2023, BlackCat targeted multiple global organizations, including Reddit, and in 2024, Change Healthcare—making it one of the most active ransomware operations. In 2024, the U.S. Department of State offered a $10 million reward for information leading to the identification of ALPHV/BlackCat leaders. Following the 2024 attack on Change Healthcare, a representative of the group announced its shutdown. As of early 2025, a review of activity confirmed that the group had effectively disappeared.

• WannaCry

WannaCry was a ransomware attack that targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in Bitcoin cryptocurrency. The attack spread using EternalBlue, an exploit developed by the U.S. National Security Agency (NSA) and leaked by a group known as The Shadow Brokers just one month prior. By exploiting a critical security vulnerability in the operating system, WannaCry affected more than 300.000 computers across 150 countries and caused an estimated $4 billion in global financial damage.

It is critical for companies to have a comprehensive incident response plan in place to counter ransomware attacks. However, many organizations fall short in this area, often over-relying on technology vendors or internal IT teams while lacking adequate preparation. A well-structured response plan minimizes financial losses, clearly defines critical roles, and facilitates the rapid recovery of operations. It is also essential for ensuring compliance with regulatory requirements and cyber insurance policies. Such a plan is a core component of maintaining business continuity and implementing an effective cybersecurity strategy.

An effective ransomware response plan should include phases such as risk assessment, threat detection, classification, system protection, data recovery, and reporting. The plan must be continuously updated through regular training and post-incident evaluations.

To mitigate the financial impact of such attacks, companies have attempted to avoid paying ransoms by implementing preventive measures such as regular data backups. However, in recent years, ransomware has evolved to include extortion-like tactics, increasing the level of risk. As a result, even victims who maintain up-to-date backups or choose to pay the ransom may no longer be fully protected.

1. Define Objectives and Scope

Early warning systems and robust security solutions are essential for promptly detecting ransomware threats. Systems capable of recognizing abnormal activity and malicious software must be implemented.

2. Establish an Incident Response Team

An incident response team should be formed to address ransomware attacks. This team should include IT specialists, cybersecurity personnel, legal advisors, and senior executives. Roles and responsibilities for each team member must be clearly defined.

3. Identify Threats and Risks

Early warning systems and robust security solutions are essential for promptly detecting ransomware threats. Systems capable of recognizing abnormal activity and malicious software must be implemented.

4. Plan for Data Recovery and Restoration

A detailed plan should be established to enable rapid recovery of data and systems following an attack. Data must be backed up regularly, and recovery procedures should be tested periodically to ensure effectiveness.

5. Establish Communication Protocols

Clear internal and external communication strategies should be defined for use during an attack. Guidelines must specify how frequently and through which channels communication will occur with employees and third parties. Communication lines should remain open throughout the response process.

6. Seek Legal Guidance

Organizations should work closely with legal advisors to understand the legal implications of ransomware attacks and, when necessary, coordinate with law enforcement authorities. While some affected entities may choose to pay the ransom, doing so carries substantial legal and ethical risks. Therefore, no direct communication with the attackers should occur without first consulting both technical and legal experts. This ensures that any decisions made are evaluated in light of industry-specific regulations, reporting obligations, legal liabilities, and potential long-term consequences.

7. Maintain Thorough Documentation and Reporting

Every action taken during a ransomware incident should be documented in detail. These records are essential for post-incident analysis and ensuring regulatory compliance. The response plan should be reviewed regularly, and employees should be kept informed through ongoing training programs.

Additionally, tabletop exercises and simulations should be conducted to test the effectiveness of the plan. As ransomware threats continue to evolve, companies must go beyond response planning and actively monitor for anomalies that may indicate emerging risks. To ensure all processes are conducted effectively and in alignment with their intended purpose, it is critical to seek support from experts in cybersecurity, digital forensics, and legal advisory—both in preparation for potential incidents and during post-incident evaluations.