Threat Intelligence 101

What is Ransomware?

Posted: 28th June 2024
By: Esteban Borges

Ransomware is a direct threat to your data and can shut down your business with one attack. This guide simplifies the complexity to explain how these attacks work, who is at risk and what you need to do to stop this cyber threat. Get into our in-depth analysis to stay ahead of the game and keep your data out of hackers hands.

According to TheRecord, in June 2024, ransomware gangs listed 450 victims on their extortion sites, up from 328 in April, nearing the record of 484 attacks in July 2023. LockBit was responsible for over a third of these attacks, but experts doubt the authenticity of some claims.

By the end of March of 2024, there had been 54 publicly reported ransomware attacks on state and local governments, with incidents accelerating early in the year. February and March saw the highest number of recorded attacks, with over 20 different groups targeting local governments.

Allan Liska, Recorded Future’s ransomware expert highlighted the severity of the situation, stating:

"This likely indicates that we are in a rough year for ransomware attacks on State / Local / Tribal governments."

What is Ransomware and Its Impact

Ransomware is similar to a hostage situation. It’s a malicious software that sneaks into systems, encrypts files and holds them for ransom, paralyzing individuals and organizations alike. With every successful attack, ransomware attackers get better, launching more sophisticated attacks that can spread like wildfire through networks, leaving a trail of destruction behind.

Understanding how ransomware works is key to protecting your digital assets. Implementing ransomware protection through prevention and detection measures, such as setting up backups and using security tools like email protection gateways and Intrusion Detection Systems, is crucial.

The risks are wide and non discriminatory; every connected device, from healthcare to hospitality is a target. The damage can be devastating, not just financially but also through loss of sensitive data and erosion of trust with stakeholders. It’s a threat landscape that requires attention and knowledge to navigate.

What is Ransomware?

How Ransomware Infections Work

How does a ransomware infection sneak past our digital defenses? Often it starts with a simple click on a phishing email or exploitation of an unsecured Remote Desktop Protocol (RDP) connection. These entry points allow ransomware to gain a foothold and connect to command-and-control servers and orchestrate the encryption of files from afar.

Email is the preferred vector for ransomware distribution, it has wide reach and phishing is very effective. These tactics show that you need to have a keen eye and be proactive with your cybersecurity or the cost of complacency can be your company’s downfall.

What to Do with Ransom Demands

Once the trap is set and an active ransomware infection occurs, attackers will make their demands, usually in the form of payment in cryptocurrencies like Bitcoin or Monero for the decryption key. These digital ransoms give attackers anonymity, making it hard for law enforcement to track and catch them. Deciding whether to pay the ransom is a risk – there’s no guarantee of data recovery, and the transaction may lead to more data breaches or may not give you the decryption key.

The decision to pay the ransom is a tough one with implications beyond the immediate financial loss. It’s a stark reminder of the importance of ransomware prevention and having a comprehensive plan in place.

Types of Ransomware Threats

Ransomware comes in many forms, each with its own nasty twist. These are the main types of ransomware:

  • Crypto ransomware or encryptors are famous for encrypting files and demanding a ransom for the decryption key – a process that can be devastating to organizations.
  • Scareware on the other hand pretends to be legitimate software and preys on fear to extort money for non-existent issues.
  • More advanced forms like doxware or leakware add another layer of nastiness by threatening to publish sensitive data online,
  • While locker ransomware locks users out of their devices and puts victims in a corner where paying the ransom seems like the only way out.

Each ransomware variant is a different face of the same threat, that’s why we need robust defense mechanisms.

Most popular types of ransomware

History of Ransomware Attacks

Ransomware’s journey from infancy to what it is today is a story of technological evolution and cunning. The first ransomware variant was the AIDS Trojan in 1989 which infected systems via floppy disks, far from the sophisticated cryptoworms today. With the arrival of CryptoLocker in 2013 the ransomware landscape changed dramatically and the era of crypto ransomware using Bitcoin for transactions began.

It didn’t stop there. The WannaCry outbreak of 2017 showed ransomware can exploit network vulnerabilities and cause global disruption. As ransomware tactics got more coercive, attackers started using double extortion ransomware, threatening to leak encrypted data if the ransom wasn’t paid. This progression shows we need to stay ahead of the curve in our cybersecurity practices especially with the emergence of triple extortion ransomware attacks.

From Simple Lockers to Advanced Crypto Ransomware

The transformation from simple lockers to advanced encrypting ransomware variants was a big jump in the cyber threat landscape. CryptoLocker was a game changer, it set the stage for a new type of malware that didn’t just lock screens but encrypt files, and hold them hostage. These crypto ransomware variants spread not through physical means but through digital means, exploiting system vulnerabilities and using phishing emails to get into the network, often targeting encrypted files.

These modern variants have countdown timers and network-wide encryption, raising the stakes and making recovery harder. The use of cryptocurrency added another layer of complexity, providing anonymity to the attackers and new challenges for tracking ransom payments. This is a stark reminder we need to remain vigilant and utilize advanced security solutions.

Ransomware as a Service (RaaS)

Ransomware as a Service (RaaS) changed the cybercrime landscape, making it possible for anyone to launch devastating attacks. By selling or renting out ransomware to affiliates, even those without technical skills can unleash these digital plagues. The RaaS model where professional hackers manage everything from distribution to payment collection has made cyber extortion easily accessible.

LockBit and DarkSide are notable examples of RaaS, they show how effective and widespread these services are and how big a threat they are to organizations globally. As RaaS continues to evolve with better encryption and evasion techniques, it’s clear the war against ransomware is far from over.

Notable Ransomware Attacks

The ransomware landscape is filled with high profile attacks that are a warning to potential victims. Attacks like WannaCry used EternalBlue exploit to cause global chaos. NotPetya’s attack resulted in billions of dollars in losses, it shows how big an impact these attacks can have on global businesses.

Specialized ransomware groups like DarkSide, Ryuk and REvil, the ransomware operators, have made their mark with targeted attacks causing financial and operational damage to their victims. These attacks, like the Colonial Pipeline attack by DarkSide and the network encryption by Ryuk, shows the high stakes of this digital war.

Breaking Down Major Ransomware Campaigns

Ransomware attacks have become more complex, organizations are facing extended downtime and aggressive extortion tactics. REvil emerging as a RaaS provider in 2019 was a game changer, now attackers without technical skills can launch high impact ransomware attacks. The average downtime for affected organizations is 24 days, that’s how crippling these attacks are.

Ransomware groups have also introduced new extortion tactics like threatening to contact regulatory bodies or directly targeting individuals to pressure victims to pay the ransom. REvil’s model of enabling more attackers has expanded the threat attack surface and made it more urgent for organizations to have robust security.

Law Enforcement

In the war against ransomware, law enforcement plays a big role, but their efforts are often hindered by international jurisdictional issues. Many ransomware attacks come from countries without extradition treaties, that’s a big challenge in prosecuting the attackers. These jurisdictional issues are compounded by the anonymity of cryptocurrencies, making it difficult to trace back the ransom payments to the attackers.

Despite the challenges, law enforcement is forming international partnerships and using technical expertise, but resources are sometimes limited. Reporting ransomware attacks to law enforcement is important as it helps gather information that can disrupt the operations and prevent future attacks.

Defending Against Ransomware

With the rising threat of ransomware, ransomware protection is crucial, encompassing prevention and detection measures. Protecting digital assets is a top priority. Basic to this is good security hygiene, keeping systems up-to-date and employee security awareness training. Email protection strategies, application whitelisting, and proper firewall configuration are key to a solid defense against ransomware.

Organizations can further harden their defenses with:

  • Network segmentation
  • Endpoint security
  • Limited user privileges
  • Adhering to established security protocols

These will reduce the impact of a ransomware attack. Investments in security preparedness can reduce the costs and consequences of ransomware attacks, it’s a must for all organizations.

Read our full guide on How to Prevent Ransomware Attacks to get more insights about this.

Defending with Ransomware Mitigation Solutions

In the ransomware arms race, ransomware mitigation solutions are a critical component of an organization’s arsenal. These tools have behavior monitoring, application control and vulnerability shielding to detect and block threats before they can cause harm.


Recorded Future's ransomware protection solution offers real-time threat intelligence to detect and swiftly respond to threats. Integrating this intelligence with security operations enables proactive measures, safeguarding systems against potential attacks.


Recorded Future also provides continuous monitoring and alerting for unusual activities from threat actors. This includes dark web monitoring and analyzing indicators of compromise. These combined efforts ensure robust and resilient ransomware defenses, protecting digital assets from evolving threats.

Unlock the secrets to ransomware defense with our free eBook: "Ransomware: Understand, Prevent, Recover - Second Edition."

Backup Files: Your Lifesaver

In case of a ransomware attack, having up-to-date backups is like a digital life jacket. Regular data backups combined with 3-2-1 backup strategy is a must. Here’s what 3-2-1 backup strategy means:

  1. Three copies of data: Have three copies of your data, including the original and two backups.
  2. Two different media: Store your backups on two different types of media, external hard drive and cloud storage.
  3. One off-site: Have at least one backup off-site, in a separate location from your main data storage.

Over 93% of ransomware attacks target backup data, so securing backups is crucial.

Using diverse backup methods like external drives and cloud servers is key to data loss prevention. It’s also recommended to backup before attempting ransomware remediation to preserve data integrity. This safety net will allow organizations to bounce back with minimal disruption when a ransomware disaster strikes.

When Ransomware Hits: Response and Recovery

When dealing with an active ransomware infection, it is crucial to take immediate action once the ransom note is displayed. When ransomware hits an organization, the response must be quick and methodical. The first step is to validate the attack and contain the threat from spreading further. Recovery is restoring data from backups and may require a full system rebuild in severe cases, which highlights the importance of having secure and accessible backups.

The decision to pay the ransom is uncertain as it doesn’t guarantee quick or full recovery and the decryption process can be time consuming. Recovery timelines can be long especially when backups are compromised or not available. This is why having a response plan and being able to recover without paying the ransom is critical.

Find and Isolate Infected Systems

After a ransomware attack, speed and clarity is key. A good response plan will allow organizations to contain and remediate the malware. Verifying an infection involves checking:

  • antivirus outputs
  • content filters
  • intrusion prevention systems
  • SIEM tools

Once an infection is confirmed, containment is critical to stop the malware from spreading to other devices. Do the following:

  1. Reset compromised credentials to prevent further access.
  2. Use malware-free backups to restore affected systems after clean up.
  3. Make sure malware is completely removed before reconnecting devices and services.
  4. Monitor for any remaining signs of compromise.

Paying the Ransom

The decision to pay the ransom is an ethical and strategic dilemma for ransomware victims. Paying doesn’t guarantee immunity from further attacks or data recovery. The Maze ransomware is an example of data exposure or sale if ransom demands are not met, adding to the victim’s woes.

Paying the ransom itself could also install more malware and leave systems vulnerable even after data is released. These are high stakes and the odds are not always in your favor. So when faced with a ransom demand, a careful assessment of risks, costs and long term consequences is critical.

Ransomware Evolution

Ransomware is not standing still; it’s evolving, targeting not just traditional IT systems but critical infrastructure and mobile devices. With AI driven automated botnets, attackers are getting better at launching large scale sophisticated attacks. Organizations need to be ready for these next gen ransomware strains which will use automation, advanced targeting, delivery and evasion tactics.

The emerging threat landscape is one where ransomware will merge with other types of cyber threats to create hybrid attacks with unprecedented impact. For example a new strain of Ryuk ransomware now has cryptoworm capabilities which allows it to spread and compromise systems autonomously. To be ready for these future threats, be proactive, integrate the latest security and stay informed about ransomware.

Mobile Ransomware

Mobile devices were once considered a peripheral to the ransomware threat. Now they’re on the front line. In 2023 there was a 50% increase in mobile ransomware incidents compared to the previous year. Cybercriminals are exploiting both official and unofficial app stores to deploy ransomware that locks users out of their devices and personal data.

This is a growing mobile ransomware threat and awareness is key. As more personal and business activity moves to mobile devices the incentives for attackers increase. Protecting these devices requires vigilance, regular updates and installing reputable mobile security to block malicious actors.

Next Gen Ransomware

In preparation for next gen ransomware strains organizations need to adapt and harden their security posture. Ransomware actors will quickly adjust their tactics in response to countermeasures, often enhancing existing tools rather than creating new ones. This is a dynamic landscape so robust endpoint protection and strategic network segmentation is key to defending against emerging threats.

Continuous system monitoring, threat intelligence and endpoint detection and response (EDR) are the building blocks of a solid security framework. By being ahead of the curve and preparing for the unknown, organizations can build resilience against tomorrow’s ransomware and keep their digital assets safe in a changing threat landscape.


How do I protect against ransomware?

The best way to ensure ransomware protection is to keep good security hygiene, back up regularly, use email protection gateways, and employ comprehensive antivirus and anti-ransomware tools. This will reduce the risk of being hit.

Do I pay the ransom if I get hit by ransomware?

No, don’t pay the ransom if you get hit by ransomware. Instead focus on prevention, have a response plan and get help from law enforcement and cybersecurity pros.

How do I know if I have ransomware?

If you can’t access your files, see ransom notes asking for payment and see unauthorized system changes your system may have ransomware. Regularly scanning your system with updated antivirus is recommended to detect infections.

What do I do if I think I’ve been hit by ransomware?

If you think you’ve been hit by an active ransomware infection, immediately disconnect the infected system from the network once the ransom note is displayed, validate the attack, and follow your incident response plan. Report the incident to law enforcement and get professional cybersecurity help.

How does ransomware spread across my network?

Ransomware can spread through phishing emails, unsecured RDP and system vulnerabilities. Segment your network and secure remote access.

Wrapping up

In the war on ransomware knowledge is power. From the early days of simple lockers to today’s double extortion ransomware the threat has evolved into a big problem for individuals and organizations worldwide. This post has covered the ransomware landscape, the mechanics, the attacks and the notable incidents that have shaped our understanding of this cyber threat.

So to protect against ransomware we need to keep good security practices, invest in good backups and deploy ransomware mitigation solutions. When hit by an attack, response is key. As we move forward the key is to stay vigilant and prepare for next gen ransomware. Let’s take what we’ve learned and get to work so we can keep our digital world safe.

Ready to take your ransomware defenses to the next level? Book a demo today to see how Recorded Future's ransomware mitigation solutions can safeguard your organization against evolving threats.

Esteban Borges
Esteban Borges

Esteban is a seasoned security researcher and IT professional with over 20 years of experience, specializing in hardening systems and networks, leading blue team operations, and conducting thorough attack surface analysis to bolster cybersecurity defenses. He's also a skilled marketing expert, specializing in content strategy, technical SEO, and conversion rate optimization. His career includes roles as Security Researcher and Head of Marketing at SecurityTrails, before joining the team at Recorded Future.