Ransomware is malicious software that encrypts victim's files or locks them out of systems, demanding ransom payment (typically cryptocurrency) for decryption keys or restored access. Modern ransomware attacks often include double extortion—encrypting data AND stealing it, threatening to publish sensitive information if ransom isn't paid. Ransomware represents the most financially damaging cyber threat, costing businesses billions annually through ransom payments, downtime, recovery costs, and reputational damage.

Should I pay the ransom if attacked?

Law enforcement (FBI, CISA) and security experts strongly advise against paying ransoms. Reasons: no guarantee attackers provide working decryption keys (40% never receive keys after paying), payment funds criminal enterprises enabling future attacks, paying makes you target for repeat attacks, may violate sanctions if paying designated terrorist organizations, and paying doesn't guarantee stolen data won't be sold/published anyway. However, some organizations pay when facing existential threat. Better approach: robust backups eliminating need to pay.

How does ransomware spread?

Common ransomware infection vectors include: phishing emails with malicious attachments or links (most common), exploiting unpatched vulnerabilities in internet-facing systems, Remote Desktop Protocol (RDP) attacks using weak/stolen credentials, malicious software downloads from compromised websites, infected USB drives, and supply chain attacks through compromised software updates. Modern ransomware often involves initial access brokers who compromise networks, then sell access to ransomware operators who deploy encryption.

Blog

Ransomware Attack Guide 2024: Types, Prevention, Recovery & Real Examples

John Price

January 27, 2024

Ransomware has evolved from nuisance malware into the most financially devastating cyber threat facing organizations worldwide. In 2023, ransomware attacks cost businesses an estimated $20 billion globally, with average ransom demands exceeding $1 million and total recovery costs (including downtime, lost productivity, and reputation damage) averaging $4.54 million per incident. This comprehensive guide explains what ransomware is, how attacks unfold, major ransomware families and their tactics, whether organizations should pay ransoms, prevention strategies, recovery procedures, and building organizational resilience against the ransomware epidemic.

What is Ransomware? Clear Definition

Ransomware is malicious software designed to deny access to computer systems or data until a ransom is paid. Modern ransomware typically encrypts victim files using strong cryptography, rendering data inaccessible, then demands cryptocurrency payment (usually Bitcoin or Monero) in exchange for decryption keys.

Evolution of ransomware threats:

Traditional (2010s): Simple encryption-only attacks
Double extortion (2019+): Encrypt AND steal data, threatening publication
Triple extortion (2020+): Add DDoS attacks and customer notification threats
Quadruple extortion (2022+): Target victims' customers, partners, and suppliers

How Ransomware Attacks Work: Step-by-Step

Phase 1: Initial Access (Day 0)

Common entry vectors:

Phishing emails: Malicious attachments or links (40% of attacks)
RDP exploitation: Brute force or stolen credentials (30%)
Vulnerability exploitation: Unpatched systems (15%)
Supply chain compromise: Via trusted software/vendors (10%)
Insider threats: Malicious or compromised employees (5%)

Phase 2: Persistence and Privilege Escalation (Days 1-3)

Attacker activities:

Establish persistence (scheduled tasks, registry modifications)
Disable security tools (antivirus, EDR, backup software)
Escalate to administrator/domain admin privileges
Identify high-value targets (databases, file shares, backups)

Phase 3: Lateral Movement and Reconnaissance (Days 3-14)

Network exploration:

Map network topology and identify critical systems
Steal credentials from memory and Active Directory
Move laterally to additional systems
Locate and catalog sensitive data for exfiltration
Identify backup systems and disaster recovery solutions

Phase 4: Data Exfiltration (Days 10-30)

Data theft (double extortion):

Exfiltrate sensitive data to attacker infrastructure
Target: customer data, financial records, intellectual property, employee PII
Typical volume: 100GB-10TB stolen before encryption
Purpose: Leverage for additional ransom and pressure

Phase 5: Deployment and Encryption (Day 14-45)

The attack:

Delete or encrypt backups preventing recovery
Deploy ransomware to maximum systems simultaneously
Encrypt files using strong cryptography (AES-256, RSA-4096)
Display ransom note with payment instructions
Typical deployment window: 2-4 AM local time (weekend nights preferred)

Phase 6: Ransom Negotiation (Hours-Weeks Post-Encryption)

Extortion tactics:

Initial ransom demand ($100K-$50M depending on victim size)
Deadline pressure (72-hour payment windows common)
Price escalation if deadline missed
Threat of data publication on leak sites
Sample decryption of files proving capability

Types of Ransomware

1. Crypto-Ransomware (Most Common)

How it works: Encrypts files making them inaccessible

Examples: LockBit, ALPHV/BlackCat, Royal, Play

Target files: Documents, databases, images, videos, backups

Payment demand: $50K-$50M cryptocurrency

Decryption: Requires unique decryption key from attackers

2. Locker Ransomware

How it works: Locks users out of systems entirely (no encryption)

Examples: Petya, WinLocker

Impact: System unusable but data technically intact

Less common now: Easier to bypass than crypto-ransomware

3. Ransomware-as-a-Service (RaaS)

Business model: Ransomware developers rent malware to affiliates

Revenue split: Affiliates keep 60-80%, developers 20-40%

Major RaaS operations: LockBit, BlackCat/ALPHV, Hive (dismantled 2023)

Lower barrier to entry: Non-technical criminals can launch sophisticated attacks

4. Double Extortion Ransomware

Dual threats: Encryption + data theft

Additional leverage: Threaten to publish stolen data on leak sites

Success rate: Higher payment rates than encryption-only

Notable groups: Maze (first double extortion 2019), Conti, LockBit, ALPHV

Famous Ransomware Attacks: Case Studies

WannaCry (May 2017)

Impact: 300,000+ computers in 150 countries
Method: EternalBlue exploit (stolen NSA tool)
Victims: UK NHS, FedEx, Renault, Telefónica
Damage: Estimated $4 billion globally
Notable: Worm-like self-propagation spreading rapidly
Stopped by: Researcher discovered kill switch domain

Colonial Pipeline (May 2021)

Victim: Largest US fuel pipeline (45% East Coast supply)
Attacker: DarkSide ransomware group
Ransom paid: $4.4 million (75 Bitcoin) - partially recovered by FBI
Impact: 6-day shutdown causing fuel shortages and panic buying
Entry: Compromised VPN account without MFA
Aftermath: Led to stricter critical infrastructure cybersecurity regulations

JBS Foods (June 2021)

Victim: World's largest meat processor
Attacker: REvil ransomware group
Ransom paid: $11 million
Impact: US plants shut down, meat shortages threatened
Notable: Critical infrastructure target demonstrating food supply chain vulnerability

Kaseya VSA (July 2021)

Attack type: Supply chain ransomware
Attacker: REvil ransomware group
Method: Compromised Kaseya remote management software
Impact: 1,500+ businesses affected through single software vendor
Ransom demand: $70 million for universal decryptor
Significance: Demonstrated supply chain attack scalability

MGM Resorts (September 2023)

Impact: 10-day outage affecting Las Vegas properties
Attacker: ALPHV/BlackCat ransomware
Method: Social engineering via LinkedIn information
Damage: $100 million in lost revenue and recovery
Decision: MGM refused to pay; rival Caesars paid ~$15M
Entry: Phone call to help desk impersonating employee

Should You Pay the Ransom?

Reasons NOT to Pay (FBI/CISA Guidance)

No guarantee of decryption: 40% never receive working keys after paying
Funds criminal operations: Money enables future attacks
Makes you a target: 80% of payers get attacked again within months
Legal implications: May violate sanctions paying designated terrorist groups
Data still compromised: Payment doesn't guarantee stolen data deletion
Ethical issues: Perpetuates ransomware business model

Why Some Organizations Pay

Existential threat: Business cannot survive extended downtime
No backups: Recovery impossible without decryption keys
Faster recovery: Decryption faster than rebuild (sometimes)
Data exposure pressure: Prevent customer/patient data publication
Cyber insurance: Some policies cover ransom payments

Payment Statistics (2023)

56% of organizations paid ransoms (down from 70% in 2022)
Average ransom payment: $1.54 million
Average total cost including downtime: $4.54 million
Only 52% received full data restoration after paying

Ransomware Prevention: Comprehensive Defense

1. Backup Strategy (Most Critical)

3-2-1 backup rule:

3 copies: Production data + 2 backups
2 different media: Disk + tape/cloud
1 offsite: Air-gapped or immutable cloud backup

Backup best practices:

Test restores monthly—backups worthless if they don't work
Immutable backups preventing ransomware deletion
Air-gapped backups disconnected from network
Frequent backups (hourly for critical systems)
Separate backup credentials from domain accounts

2. Email Security

Advanced email filtering blocking malicious attachments
Sandboxing suspicious attachments before delivery
Link protection scanning URLs in real-time
User training recognizing phishing (monthly simulations)
Disable macros in Office documents by default

3. Endpoint Protection

Next-gen antivirus with behavioral detection
EDR (Endpoint Detection & Response) monitoring suspicious activity
Application whitelisting (only approved software runs)
Disable PowerShell/scripting for standard users
Remove local admin rights from users

4. Network Segmentation

Separate guest, corporate, and server networks
Isolate critical systems (backups, domain controllers)
Micro-segmentation preventing lateral movement
Zero Trust architecture (verify every connection)

5. Patch Management

Automated patching for workstations (monthly at minimum)
Rapid patching for critical vulnerabilities (within 7 days)
Virtual patching via IPS for unpatchable systems
Maintain inventory of all systems and software

6. Access Controls

Multi-factor authentication (MFA) everywhere
Least privilege access (users get minimum necessary permissions)
Disable RDP exposure to internet
Strong password policies (12+ characters, password managers)
Regular access reviews removing unused accounts

Ransomware Response: What to Do When Hit

Immediate Actions (Hour 0-2)

Isolate affected systems: Disconnect from network immediately
Activate incident response: Execute IR plan, engage response team
Preserve evidence: Don't reboot systems, capture memory/logs
Identify patient zero: Where did infection start?
Assess scope: How many systems encrypted?
Notify stakeholders: Management, legal, cyber insurance, law enforcement

Investigation Phase (Hours 2-24)

Identify ransomware variant: Analyze ransom note, file extensions
Determine entry point: How did attackers get in?
Eradicate attacker access: Remove malware, reset compromised credentials
Assess backup viability: Are backups intact and clean?
Check for data exfiltration: Was data stolen (double extortion)?
Engage forensics firm: Professional investigation and evidence collection

Recovery Phase (Days 1-14+)

DO NOT pay immediately: Evaluate alternatives first
Restore from backups: Validate backups clean before restoration
Rebuild affected systems: Clean rebuild rather than cleaning infections
Implement additional security: Fix vulnerabilities enabling attack
Gradual reconnection: Bring systems back online systematically
Monitor for reinfection: Threat may persist if eradication incomplete

Post-Incident Phase (Ongoing)

Lessons learned: What failed? How can we prevent recurrence?
Update IR plan: Incorporate lessons into procedures
Compliance notifications: Report breach per regulations (GDPR, HIPAA, etc.)
Customer communication: Transparent disclosure if data compromised
Security improvements: Implement prevention measures identified

Top Ransomware Families (2024)

LockBit

Type: RaaS, double extortion
Active since: 2019
Status: Most active despite law enforcement disruption (Feb 2024)
Tactics: Fast encryption, StealBit data exfiltration tool
Targets: All industries, opportunistic

ALPHV/BlackCat

Type: RaaS written in Rust programming language
Notable: First major Rust-based ransomware
Tactics: Highly configurable, triple extortion
Recent victims: MGM Resorts, MeridianLink

Royal

Type: Private operation (not RaaS)
Tactics: Targeted attacks, callback phishing
Notable: Aggressive negotiation, high ransom demands
Targets: Healthcare, critical infrastructure

Play

Type: Targeted ransomware
Tactics: Data theft via WinSCP, FortiOS exploitation
Notable: Known for exploiting 1-day vulnerabilities quickly

Ransomware Recovery Costs Beyond Ransom

Direct Costs

Ransom payment: $50K-$50M average $1.54M
Incident response: $50K-500K+ for forensics
Legal fees: $100K-1M+ (especially if data breach)
Public relations: $50K-500K crisis management
Notification costs: $5-20 per affected individual

Indirect Costs

Downtime: Average 21 days, $8,500 per minute for enterprises
Lost revenue: Sales impossible during outage
Productivity loss: Employees unable to work
Customer churn: 60% consider switching providers after breach
Reputation damage: Long-term brand impact
Regulatory fines: GDPR up to €20M or 4% revenue

Cyber Insurance and Ransomware

What Cyber Insurance Typically Covers

Ransom payment (if approved)
Forensic investigation costs
Legal fees and regulatory defense
Customer notification expenses
Business interruption losses
Public relations and crisis management

Insurance Requirements Tightening

MFA mandatory: All remote access
EDR required: Endpoint detection and response on all devices
Backup validation: Tested backups proven restorable
Patch management: Critical patches within 30 days
Incident response plan: Documented and tested procedures
Security training: Annual awareness training for employees

Premium increases: Cyber insurance premiums rose 50-100% (2020-2023) due to ransomware losses

Frequently Asked Questions

Can ransomware spread through WiFi?

Yes, if ransomware has worm-like capabilities (like WannaCry) or attackers manually spread it across the network. However, most modern ransomware doesn't automatically spread via WiFi—attackers move laterally through the network using stolen credentials and exploits. Proper network segmentation and access controls prevent WiFi-based spread.

Does ransomware steal data or just encrypt it?

Modern ransomware (2019+) typically does BOTH—encrypts data rendering it inaccessible AND steals copies threatening publication (double extortion). Approximately 70% of ransomware attacks now involve data theft before encryption. This means even if you restore from backups, attackers still have your sensitive data as leverage.

How long does it take to recover from ransomware?

Recovery time varies widely: organizations with good backups: 2-7 days, those without backups who pay ransom: 1-3 weeks (decryption is slow), organizations choosing full rebuild: 2-6 weeks, and complex environments or extensive damage: 1-3 months. Average across all scenarios is 21 days. Having tested backups dramatically reduces recovery time.

Conclusion: Building Ransomware Resilience

Ransomware represents an existential threat to organizations of all sizes—from small businesses to critical infrastructure providers. The question is no longer "if" but "when" your organization will face a ransomware attack. Those who survive and thrive share common characteristics: resilient backup strategies enabling rapid recovery without paying ransoms, security fundamentals implemented consistently (MFA, patching, email filtering, EDR), security awareness training reducing phishing susceptibility, incident response plans tested regularly, and cyber insurance covering potential losses.

The single most important defense against ransomware is comprehensive, tested backups stored securely offline or in immutable storage. Organizations with robust backup capabilities can refuse ransomware demands, recover operations quickly, and avoid funding criminal enterprises. Those without backups face impossible choices—pay criminals with no guarantee of recovery, or attempt expensive and time-consuming rebuilds from scratch.

subrosa provides comprehensive ransomware defense services including ransomware readiness assessments evaluating backup strategies, security controls, and incident response capabilities, incident response services providing 24/7 emergency support for active ransomware attacks, security architecture consulting implementing defense-in-depth against ransomware, backup strategy and testing ensuring recoverability, and managed detection and response providing continuous monitoring detecting ransomware before encryption. Schedule a consultation to discuss ransomware resilience for your organization.

RANSOMWARE PROTECTION

Don't let ransomware destroy your business

Test your defenses before attackers do. Our ransomware readiness assessments identify gaps and build resilience.

Get Ransomware Assessment