BeyondTrust - Secure Remote Access and Privileged Access Management

What is Ransomware?

Ransomware is a type of malware that disrupts computers, servers, and other devices. After installing itself, ransomware software blocks access, deletes, or otherwise compromises legitimate data and applications. Human-operated ransomware means that a human threat actor employs active hacking techniques, along with the deployment of malware, to advance a ransomware attack. Most ransomware demands payment, or ransom, to “unlock” the computer and grant full access to the device and any related data and applications.

Different Types of Ransomware

There are several different types of ransomware, including:

  • Crypto Malware or Encryptors block access to data and applications by encrypting files and devices.

  • Lockers completely block access to a computer system.

  • Scareware claims to identify other malware like viruses on your computer, and then demands money to remove them.

  • Doxware steals sensitive information from your computer and threatens to release it online.

  • Human-Operated Ransomware (“hands-on-keyboard”) is ransomware in which cybercriminals actively navigate through the targeted infrastructure themselves.

  • Ransomware-as-a-Service (RaaS) refers to the practice of an attacker paying a ransomware service operator a subscription fee to use ready-packaged ransomware toolkits/malware. In RaaS, the ransomware owners and their affiliates, the entities who execute the ransomware payload, share the ransom payout.

Why are Ransomware Attacks a Significant Threat?

Ransomware attacks are a serious threat to today's organizations for a few reasons:

1. Attackers take advantage of common vulnerable technologies.

Ransomware operators will typically scan for unsecured, open ports to start their attack. Threat reports continue to cite internet-exposed Remote Desktop Protocol (RDP) endpoints as the number one entry point for ransomware.

Some remote access technologies, such as VPNs, can give attackers a back door to gain broad access to an organization's network and deliver ransomware payloads. Phishing emails with infected attachments or malicious links also continue to play a key role in the ransomware attack chain.

2. Attackers target a variety of verticals, usually with the goal of extracting data or causing operational damage.

Ransomware threats have had an increasingly severe impact on multiple verticals over the past several years. According to the Verizon 2025 Data Breach Investigation Report, ransomware "was present in 44% of all the breaches we reviewed, up from 32%."

Ransomware attacks can also cause significant operational damage. The 2021 Colonial Pipeline attack by the DarkSide hacker group is an infamous example of operational disruption caused by ransomware. The attack took 45% of the U.S. East Coast's fuel supply offline. Attacks on critical infrastructure continue to increase, with the Dragos 2025 OT/ICS Cybersecurity Report finding that ransomware attacks against industrial organizations increased 87 percent over the previous year.

3. Modern ransomware tactics are more damaging.

The way criminals use ransomware is also changing. It's becoming more common for attackers to map entire networks preliminarily. In many cases, they will then auction off this mapped information to the highest bidder. This pattern means that different attackers could return and exploit the same environment—even after the organization believes they have resolved the underlying issues.

4. Ransomware takes advantage of pervasive identity-related vulnerabilities.

We also see an increase in human-operated ransomware that targets identity infrastructure. In these cases, the attacker initiates the attack through an identity-based attack such as social engineering or brute forcing. They then take advantage of privilege escalation techniques. Moving laterally with privileged access, they gain control of critical systems and disable security controls, before finally encrypting key systems and exfiltrating data.

Many organizations struggle to identify these identity-related entry points and protect against lateral movement. This is because today's environments are incredibly complex, with digital identities used for endpoints, servers, cloud services, DevOps systems, and more. Ransomware attacks can take advantage of this lack of identity visibility, traveling laterally across siloed systems via privilege escalation.

Figure 1: Ransomware attacks have increased dramatically since 2020 (chart of 2020 and 2021 figures).

What are the Most Notable Ransomware Attack Examples?

Ransomware groups such as DarkSide, LockBit, Lapsus$, WannaCry, Petya, and CryptoLocker are behind some of the most notable ransomware attacks from the past decade.

Here are some examples of the types of attacks these groups perpetrate:

DarkSide

DarkSide is a hacker group leveraging the RaaS model. The group has deployed ransomware attacks across financial, legal, manufacturing, and other sensitive industries.

Famously, the DarkSide ransomware group was responsible for the Colonial Pipeline Company incident in May 2021. The cybercriminal group found stolen credentials that provided access to a dormant Colonial Pipeline VPN account. Unfortunately, this VPN account was still connected to the network. It’s likely that DarkSide re-used these stolen credentials across multiple systems. After the payload's execution, critical pipeline systems and infrastructure went offline. This resulted in the shutdown of nearly 45% of the fuel supply of the East Coast of the United States.

In a slightly unusual move, DarkSide apologized for the disruptions caused by the attack, saying “We are apolitical. We do not participate in geopolitics. Our goal is to make money and not creating problems for society."

Figure 2: An example of a DarkSide ransom message.

LockBit

LockBit is another example of a successful RaaS group. They were the most active global ransomware group and RaaS provider in 2022. Affiliates using LockBit ransomware have caused significant damage to a variety of verticals. The group and its affiliates often target critical infrastructure sectors such as energy, government and emergency services, healthcare, manufacturing, and financial services. The group's success comes from developing a more user-friendly interface for its ransomware. It also has built quite a reputation through unusual publicity stunts such as paying people to get LockBit tattoos.

Lapsus$

Lapsus$ (also known as DEV-0537) is an international hacker group that gained notoriety for breaching prominent tech companies, including NVIDIA, Microsoft, Ubisoft, and Okta.

The modus operandi of the Lapsus$ group hinges on acquiring credentials from privileged employees — either by recruitment or via social engineering. In the case of Okta, they targeted a third-party Technical Support Engineer who had access to some Okta systems. In other instances, the cybercriminal group has targeted help desks, resetting passwords and performing SIM swaps to bypass multi-factor authentication protocols. One of the group’s bolder tactics involves paying employees of large companies to run remote access tools or hand over credentials. Lapsus$ uses a channel on the messaging app Telegram to identify targets, share information, and ultimately recruit accomplices.

WannaCry

WannaCry is a ransomware payload grafted onto a vulnerability discovered by the NSA and leaked by Shadow Brokers. The WannaCry ransomware crypto worm unleashed a worldwide attack in May 2017. Emergency patches by Microsoft, along with the discovery of a kill switch, helped stop the spread within a few days. However, it still affected an estimated 200,000 computers across 150 countries. Damages ranged from hundreds of millions to billions of dollars. The hackers leveraged the vulnerabilities (nicknamed EternalBlue and DoublePulsar) and grafted WannaCry (real name WanaCrypt0r) on as the payload. WannaCry does not need any user interaction to infect a host. The payload contains its own network scanner that can discover new hosts and self-propagate. Analysts attribute its rapid spread to this self-propagation, which required no one to click on a link or browse a malicious website.

Petya

Petya is similar to WannaCry, as its attacks also involve the exploitation of the EternalBlue vulnerability. Petya and its variants (such as NotPetya) proliferate through malicious Office attachments and email. Once an attacker installs the malware, it seeks out other systems to exploit. On June 27, 2017, a number of Ukrainian companies bore the brunt of Petya ransomware attacks. The attacks targeted power grids, nuclear facilities, and other key infrastructure companies. They knocked radiation monitoring systems at Ukraine’s Chernobyl Nuclear Power Plant offline. The NotPetya variant has been dubbed the “most costly cyber-attack in history.” Damage spiraled into billions of dollars, affecting large businesses and governmental organizations worldwide.

CryptoLocker

CryptoLocker first brought ransomware into the public eye (though it was not the first ransomware). The CryptoLocker ransomware attack, perpetrated by the Gameover Zeus Botnet, occurred from September 2013 to May 2014, infecting more than 250,000 systems. CryptoLocker leveraged a trojan targeting Microsoft Windows computers and spread via infected spam email attachments. While organizations could easily eliminate CryptoLocker from their systems, they could not recover their encrypted files—even after they made the ransom payment.

What are the Most Common Ransomware Attack Vectors?

The top ransomware attacks typically leverage one or more of the following vectors to install themselves on computers and other devices:

  • Remote Desktop Protocol (RDP): In recent years, RDP has been a top entry point, allowing ransomware operators to gain a foothold in an environment. RDP allows users—and thus, ransomware actors—to remotely control computers or virtual machines over a network connection.

  • Social Engineering: Criminals contact users and persuade them to install software on their machines.

  • Email Attachments: Users open an email attachment that contains malware, which then installs on their machine.

  • Macros: Macros in Microsoft Office and other apps can install ransomware.

  • Downloads: Certain downloaded software can have a hidden “payload” of ransomware.

  • Spreading Through Network Drives: Mapped network drives allow the ransomware to spread to other machines.

  • Malware-Infected Websites: Certain websites can install malware when visited—especially if you have not patched your browsers or turned on proper browser security. This includes popup online ads.

  • Fileless (Living Off the Land): Ransomware may use fileless malware techniques to stay hidden as it advances through the network.


How to Prevent Ransomware Attacks

By applying the following best practices, individuals and organizations can reduce the risk of ransomware infection or, at the very least, limit its spread and potential damage if an infection does occur.

  1. Educate Users. Train users in popular social engineering techniques. Inform them about the dangers of macros, Office documents, email attachments, and downloads, and give them techniques to identify these threats.

  2. Secure Macros. Newer versions of MS Office have options to disallow any macros that are not digitally signed. Make sure you enable this option by default.

  3. Patch/Update Software and OS Vulnerabilities. Some malware targets identified vulnerabilities. Ensure you have a thorough patching process that quickly identifies and fixes software and OS flaws.

  4. Apply Least Privilege Policies. Least privilege requires assigning application and data access privileges based on job roles to ensure users do not have more access than they need. This includes removing administrator rights. Most ransomware (albeit not macro-based ransomware and some other forms, such as with WannaCry) requires administrator privileges to launch.

  5. Use Vulnerability Scanning and Patch Management. Regularly scan your IT ecosystem for potential vulnerabilities and have a robust vulnerability management process to fix any issues.

  6. Enforce Stricter Application Controls. Prevent installation or usage of applications unless your IT security team vets and approves them.

  7. Protect Trusted Applications from Misuse. Trusted Application Protection is a security capability that goes beyond simple application control. It adds context to the process tree so that common attack chain tools, such as PowerShell and Wscript, can be restricted when they are spawned from commonly used applications such as browsers or document handlers.

  8. Apply Network Segmentation. Network segmentation divides resources, keeping any infections contained rather than allowing them to spread throughout the entire network. This is particularly useful in preventing and isolating dangerous server-side ransomware attacks.

  9. Make Regular Backups. If a ransomware attack impacts your systems, you will need to recover applications and data. Have a robust data backup process in place that combines live mirroring, periodic backups, hard drive imaging, and incremental backups.

  10. Have Disaster Recovery Processes. It is vital everyone understands what they need to do in the case of a ransomware attack. Develop a working disaster recovery process for identifying and resolving ransomware attacks, reinstalling machines, and recovering data.

  11. Defend Against Privilege Escalation. Actively find and protect pathways between your organization's various accounts, privileges, and configurations. Defending or reducing these privilege escalation paths prevents potential attackers from leveraging ransomware to move laterally within your systems.
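A defender-side illustration of the process-tree context described in step 7, added here as an example and not BeyondTrust's code: it indexes constructed Sysmon-style process-creation records and flags PowerShell or Wscript whenever a document handler or browser appears anywhere in their ancestry, not only as the direct parent. The handler list, the pwsh/cscript additions, and the log format are assumptions.

```python
import ntpath
import re

# Applications that open attacker-supplied content (assumed list for this demo).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe",
                     "chrome.exe", "msedge.exe", "firefox.exe"}
# Script hosts the page names (PowerShell, Wscript); pwsh/cscript are an assumption.
ATTACK_CHAIN_TOOLS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Constructed process-creation records using Sysmon-style field names; not real telemetry.
SAMPLE_EVENTS = """\
ProcessId=410 ParentProcessId=400 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
ProcessId=420 ParentProcessId=410 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
ProcessId=430 ParentProcessId=420 Image=C:\\Windows\\System32\\cmd.exe
ProcessId=440 ParentProcessId=430 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ProcessId=500 ParentProcessId=400 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""
EVENT_RE = re.compile(r"ProcessId=(\d+)\s+ParentProcessId=(\d+)\s+Image=(.+)$")


def parse_events(text):
    """Map ProcessId -> (ParentProcessId, lower-cased executable name)."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            pid, ppid, path = int(m.group(1)), int(m.group(2)), m.group(3)
            events[pid] = (ppid, ntpath.basename(path).lower())
    return events


def ancestry(events, pid, limit=16):
    """Executable names from the process up to the root (bounded, cycle-safe)."""
    chain, seen = [], set()
    while pid in events and pid not in seen and len(chain) < limit:
        seen.add(pid)
        ppid, image = events[pid]
        chain.append(image)
        pid = ppid
    return chain


def find_suspicious_spawns(events):
    """Flag attack-chain tools with a document handler or browser anywhere above them;
    walking the full ancestry catches the cmd.exe hop a parent-only rule would miss."""
    hits = []
    for pid, (_, image) in events.items():
        if image in ATTACK_CHAIN_TOOLS:
            chain = ancestry(events, pid)
            if any(anc in DOCUMENT_HANDLERS for anc in chain[1:]):
                hits.append((pid, " <- ".join(chain)))
    return hits
```

Fed the constructed records, it reports only PID 440, whose chain runs powershell.exe <- cmd.exe <- winword.exe <- outlook.exe; the PowerShell launched directly under the user's shell (PID 500) is left alone.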

The Impact of Ransomware Attacks on Cyber Insurance

Cyber insurance (i.e., cyber liability insurance or data breach insurance) provides insurance coverage for events including data breaches, downtime, and ransomware attacks. In the event of a ransomware attack, cyber insurance policies are designed to offset damages. Actual offerings and coverage will vary depending on the policy issuer. A rash of successful ransomware attacks in recent years has roiled the cyber insurance market, with premiums hitting record highs. The large number of ransomware attacks, combined with skyrocketing payouts, has even put some cyber insurers out of business altogether. These factors have made insurance agents very hesitant to sell cyber policies. In 2024, Berkshire Hathaway even advised agents to “only sell cyber policies if they absolutely had to do so to satisfy a client, and to expect losses.”

As a result, brokerages and underwriters are demanding stricter cybersecurity postures from their policyholders to qualify for coverage. Many organizations are now struggling to qualify for cyber insurance due to the higher scrutiny insurers are placing on potential and existing policyholders.

What to Do If You're Attacked by Ransomware

Your risk of falling victim to a ransomware attack will depend on how closely your organization adheres to prevention best practices. Unfortunately, threat actors are continuously adapting their attack strategies to overcome even the most advanced defense measures. If the worst does happen and your organization experiences a ransomware attack, here is what to do:

  1. Implement Your Disaster Recovery Program. Limit the further spread of the ransomware and start your disaster recovery process.

  2. Wipe and Reinstall Machines. Take any impacted machines offline, wipe them, and reinstall the OS and applications.

  3. Recover Uncompromised Data. Use backup data from your last known “good” data set.

  4. Apply a “Lessons Learned” Approach. Revise security procedures and staff training to stop these issues from happening again.

  5. Identify Security Gaps to Brace for the Future. Take measures to develop new organizational policies and deploy new solutions to increase your organization's cyber defenses.