How Ransomware Attacks Work: Impact, Examples, and Response

What Is a Ransomware Attack?

Ransomware, an advanced form of cyberattack, is one of the biggest threats that security teams around the world are facing. Ransomware is a form of malware that, usually using encryption, blocks or limits access to data until a ransom is paid. 

The ransomware threat has evolved. While early ransomware used easily-reversible encryption, today’s ransomware gangs often deploy AES-256 to encrypt an organization’s files. Many ransomware attacks exfiltrate network data prior to encryption, which means malicious actors can also threaten to release the organization’s sensitive data. The organization is then at risk of a double-extortion attack.

Find out how your organization can reduce the risk of becoming a ransomware  victim. Watch the recording, here.

Ransomware Trends and Statistics

Since 2020, more than 130 different ransomware strains have been detected (Ransomware in a Global Context Report): 

  • The GandCrab ransomware family was the most prevalent at 78.5%. 
  • 95% of all the ransomware samples are Windows-based executable files or dynamic link libraries. 

In the last decade, we’ve seen ransomware attacks increase exponentially:  

  • Ransomware is part of 10% of all cybersecurity breaches (Verizon Data Breach Investigations Report). 
  • Approximately 37% of global organizations said they were the victim of some form of ransomware attack (2021 Ransomware Study). 
  • The FBI’s Internet Crime Complaint Center reported 2,084 ransomware complaints in only 6 months, with a 62% year-over-year increase.

A few emerging ransomware trends: 

  • Supply chain attacks: instead of attacking a single victim, supply chain attacks extended the blast radius. A prime example of a 2021 ransomware attack is the Kaseya attack, which affected at least 1,500 of its managed service provider customers.
  • Double extortion: With double extortion, attackers also exfiltrate the data to a separate location. There, it can be used for other purposes, including leaking the information to a public website, if a payment is not received.
  • Ransomware as a service (RaaS): RaaS is a pay-for-use malware. It enables attackers to use a platform that provides the necessary ransomware code and operational infrastructure to launch and maintain a ransomware campaign.
  • Attacking unpatched systems: While there are ransomware attacks that do make use of novel zero-day vulnerabilities, most continue to abuse known vulnerabilities on unpatched systems.
  • Phishing: Various forms of phishing emails were more often than not a root cause of ransomware.
New call-to-action

Ransomware Attack Examples 


CryptoLocker was a notorious ransomware attack that first appeared in 2013. It spread primarily through spam emails that contained malicious attachments, such as fake invoices or shipping notifications. When a victim opened the attachment, the malware would start encrypting files on their computer and any connected network drives using RSA-2048 key encryption. 

Once the encryption was complete, the victim would see a ransom note demanding payment in Bitcoin to obtain the decryption key. If the victim did not pay within a set timeframe, the attackers threatened to delete the decryption key, making the files permanently inaccessible. CryptoLocker caused significant damage, with estimates of over $3 million in ransom payments made.


Locky is another ransomware strain that was prevalent in 2016 and 2017. It was typically spread through spam emails with Word document attachments containing malicious macros. When the victim opened the attachment and enabled the macros, Locky would start encrypting files on the victim’s computer and any connected network drives using AES encryption. Like other ransomware attacks, it demanded payment in Bitcoin to obtain the decryption key.


Petya was a ransomware attack that first appeared in 2016 and caused significant damage. It spread through exploit kits, phishing emails, and remote desktop protocol (RDP) attacks. Once the malware infected a computer, it overwrote the master boot record (MBR) of the hard drive, preventing the computer from booting up. 

It then displayed a ransom note demanding payment in Bitcoin to obtain the decryption key. However, in some cases, even if the victim paid the ransom, they were unable to recover their files, leading some to speculate that the attackers’ true motive may have been to cause chaos and disruption.


Ryuk is a ransomware strain that first appeared in 2018 and is believed to be operated by a Russian cybercriminal group. It targets large organizations, including healthcare providers, government agencies, and financial institutions. 

Ryuk typically gains access to a network through a phishing email or exploit kit, and once inside, it starts encrypting files using a combination of AES and RSA encryption. It then demands a high ransom payment in Bitcoin, often in the millions of dollars. 

Ryuk is a sophisticated and targeted ransomware attack, and the group behind it is known for their patience and careful planning, often spending months infiltrating a network before launching the attack.


WannaCry was a ransomware attack that caused a worldwide outbreak in May 2017. It spread through a vulnerability in older versions of Microsoft Windows that had been exploited by the NSA and later leaked by a hacker group. 

The malware used worm-like capabilities to spread rapidly through networks, encrypting files with AES-128 encryption. It demanded payment in Bitcoin, and the attack affected hundreds of thousands of computers worldwide, including healthcare providers, government agencies, and corporations.


GandCrab was a prolific ransomware strain that first appeared in early 2018. It spread through exploit kits, phishing emails, and RDP attacks, infecting victims’ computers and encrypting files using a combination of AES-256 and RSA-2048 encryption. 

GandCrab demanded ransom payments in various cryptocurrencies, including Bitcoin, Dash, and Monero, and the attackers were known for their aggressive tactics, threatening to leak sensitive data if the victim did not pay.


SamSam is a ransomware strain that has been active since 2015 and has primarily targeted healthcare organizations, educational institutions, and government agencies. It spreads through RDP attacks, where attackers gain access to a network by brute-forcing weak passwords. Once inside a network, SamSam uses custom-built malware to encrypt files, demanding ransom payments in Bitcoin. 

SamSam is notable for its targeted approach, with attackers often spending months studying a network’s vulnerabilities before launching an attack. SamSam has caused significant damage, with estimates of over $30 million in ransom payments made. The group behind SamSam is believed to be based in Iran, and some members have been indicted by the U.S. Department of Justice.

How Do Ransomware Attacks Work? 

It’s important to understand that ransomware isn’t a single event but rather a series of events. There are many different types of ransomware but most ransomware attacks tend to follow a similar pattern. Let’s walk through the distinct stages of a ransomware kill chain designed to disrupt and disable systems and to force organizations to pay large sums to recover data and get back online (the term “kill chain referring to the steps an enemy follows during an attack):  

Stage 1: Setting Up the Ransomware Attack

This first stage is where the attacker sets up the ransomware to infiltrate your system. This can be done in several ways including sending out phishing email attacks, setting up malicious websites, exploiting weaknesses in RDP connections, or attacking software vulnerabilities directly. It only takes one user to make a mistake and execute the ransomware code, infiltrating the system, so the more users in your network means the more vulnerable you are to a ransomware attack.  

Stage 2: Ransomware Infiltration 

At this stage, the ransomware has infiltrated your system unbeknownst to you. The malicious code will set up a communication line back to the attacker. The ransomware attacker may download additional malware using this communication line. It’s important to note that the ransomware may lay hidden and dormant for days, weeks, or months before the attacker chooses the optimal time to unleash the attack. Additionally, the ransomware can  move laterally across other systems in your organization to access as much critical data as possible. At this point, many ransomware variants now also target backup systems to eliminate the chance for you as the victim to restore data. 

Stage 3: Activation of the Ransomware

This is when the attacker activates, or executes, the ransomware attack remotely. This can happen at any time the attacker chooses and catches your organization completely off guard. 

Stage 4: Holding Data Hostage through Encryption

Ransomware holds data hostage through encryption. Different ransomware variants use different encryption methods which range from encrypting the master boot record of a file system to encrypting individual files or entire virtual machines. Some ransomware variants also target backup systems that may delete or encrypt the backups to prevent recovery. Decrypting the data on your own is highly unlikely, so your organization will have three choices: lose the data, recover from a replica or backup, or pay the ransom.

Stage 5: Ransom Request

You’re officially the victim and the ransomware has encrypted the data. You’re presented with information on how to pay a ransom via a cryptocurrency transaction. At this stage, not only will data be inaccessible, but applications and entire systems can be disabled by the encryption. Operations can be severely impacted without access to data or services (imagine mission-critical infrastructure, and supply chains we alluded to earlier in the article).

Figure 1: WannaCry Ransomware Example. Source: UpGuard
Figure 2: GandCrab Ransomware Example. Source: UpGuard.

Stage 6: Recovery or Ransom

If you do not have an effective recovery method, you will most likely be stuck paying ransom. Even if the data can be recovered, at least partially, the cost of doing so may exceed the cost of paying the ransom. However, if your organization has an effective recovery plan in place, you may be able to recover the data quickly with minimal disruption and no need to pay a ransom, eliminating the negative publicity of downtime and paying an exorbitant ransom.

Stage 7: Clean Up

It’s important to note that paying a ransom or even recovering data from a backup or replica does not necessarily eliminate the ransomware on the system. The malicious files and code may still be present and need to be removed. Doing an “autopsy” of the attack itself will likely reveal the type of ransomware and make it easier to locate and purge from the system. 

The Business Impact of a Ransomware Attack

Ransomware attacks can cripple, or even cause catastrophic harm to company data and its operations, especially in organizations where the data is mission critical, such as in hospitals, emergency call centers, communications, energy, government and more. Furthermore, a ransomware attack can cause both reputation damage and even tremendous financial loss, with estimates that ransomware will cost as much as $6 trillion per year starting in 2021 (Cybersecurity Ventures). 

Negative impacts of a ransomware attack on businesses include:

  • Ransom payments which can reach hundreds of thousands of dollars in cryptocurrency, as well as other direct financial losses. 
  • Loss of productivity due to shutdown of critical business systems.
  • Loss of files and data, which may represent hundreds of hours of work.
  • Loss of customer data, which damages customer trust and reputation, and represents legal and compliance exposure.

According to Kaspersky it takes organizations at least a week to recover their data in most cases. Then of course there is the financial loss of needing to completely format infected machines, reinstall all software and restore the data, not to mention adding protection in place to stop it from happening again. 

Additionally, here are some more statistics related to the financial losses of ransomware attacks: 

  • In 95% of the cases where there were ransomware-related costs, the median loss was $11,150. However, losses ranged from a low of $70 to a high of $1.2 million (Verizon Data Breach Investigations Report). 
  • Twelve percent of victims paid out on ransomware attacks in the third quarter of 2021 (Corvus Risk Insights Index).
  • In the first six months of 2021, there was $590 million in ransomware-related activity (U.S. Treasury’s Financial Crimes Enforcement Network – FinCEN).

Steps for Responding to an Ransomware Attack 

Here are key steps for responding to a ransomware attack:

  1. Isolate the infected device: If you suspect that a device has been infected with ransomware, isolate it from the network immediately to prevent the malware from spreading to other devices.
  2. Assess the damage: Determine the extent of the damage by identifying which files have been encrypted or locked and whether backups exist for those files. If possible, try to determine which ransomware strain has been used, as this information can help in the recovery process.
  3. Notify relevant parties: Notify relevant parties, including IT staff, senior management, and law enforcement if necessary. Depending on the severity of the attack, you may need to involve a third-party cybersecurity firm to assist with recovery and investigation.
  4. Do not pay the ransom: While it may be tempting to pay the ransom to regain access to your files, paying the ransom is not recommended. There is no guarantee that the attackers will provide a decryption key, and paying the ransom only encourages further attacks.
  5. Restore from backups: If you have backups of the affected files, restore them from a clean backup. Make sure to verify the integrity of the backups before restoring them to ensure that they are not infected with malware.
  6. Eradicate: Use malware removal tools to remove the ransomware from infected devices. Ensure that all patches and updates are installed to prevent further attacks.
  7. Improve security: Once the immediate threat has been contained, review and improve your organization’s security measures to prevent future attacks. This may include implementing stronger passwords, using two-factor authentication, and ensuring that all software is up-to-date and patched.
  8. Report the incident: Report the incident to the relevant authorities, including local law enforcement and regulatory agencies if applicable. This can help to track the attackers and prevent future attacks.

How to Remove Ransomware?

Here are general steps for removing ransomware:

  1. Identify the ransomware strain: Identify which ransomware strain has infected the device, as different strains may require different removal methods. You can use online resources, such as antivirus software websites or cybersecurity forums, to identify the specific ransomware.
  2. Use antivirus software: Run a full scan of the infected device using antivirus software or other malware removal tools. If the antivirus software is unable to remove the ransomware, you may need to use a specialized removal tool specific to the ransomware strain.
  3. Remove the ransomware manually: If the ransomware is still present after running antivirus software, you may need to remove it manually. This may involve editing the registry or using the command prompt, so it’s important to follow instructions carefully to avoid causing further damage to the device.

What Can Your Organization Do to Prevent Ransomware Attacks? 

The good news is that with good cyber hygiene – including employee training, robust configuration management and security systems in place – organizations can mitigate ransomware vulnerabilities and prepare for the worst-case scenario.

Here are a couple of IT best practices that every organization should implement: 

  • Stay up-to-date with the latest operating software at all times. WannaCry, one of the most famous ransomware variants in existence, is an example of a ransomware worm. Rather than relying upon phishing emails or RDP to gain access to target systems, WannaCry spread itself by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol.
    • At the time of the famous WannaCry attack in May 2017, a patch existed for the EternalBlue vulnerability used by WannaCry. This patch was available a month before the attack and labeled as “critical” due to its high potential for exploitation. However, many organizations and individuals did not apply the patch in time, resulting in a ransomware outbreak that infected 200,000 computers within three days.
  • Implement backups – Because paying the ransom does not guarantee that you will get the private key to restore your data, therefore in case of an attack, you can return files to their original state. Keeping computers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
  • Continuously evaluate your security posture to ensure that you have the right protections in place. 

Safeguard the Point of Entry with Advanced Email Security

To prevent ransomware attacks, it is critical to protect every channel through which content is entering into the organization. With email still being the dominant entry point for cybersecurity attacks, it continues to remain a weak point in many businesses’ security infrastructure. Even the most experienced users are not immune to cyber attackers who continue to develop more sophisticated techniques to deliver ransomware via email. 

Despite the availability of many email security solutions on the market, most organizations remain exposed: 

  • Traditional sandboxing technology, used by many of the email security solutions, has become outdated and not up to par to meet the challenges posed by sophisticated hackers, who employ several levels of attacks with multiple evasion techniques.
  • Most email security solutions are slow and unable to scale up to support required performance needs, thus security professionals are forced to choose between delaying all email traffic to scanning less than 100% of emails, and only remediating threats after delivery. This imposes a huge risk on the security of their organizations.

An advanced email security solution like Perception Point can address these challenges and provide complete protection against ransomware:

  • Dynamic scanning – Many of the email security solutions are built to just statically scan content (simple AV) or use CDR (Content Disarm & Reconstruction technology). AV technology is dependent on what is already known while the latter tampers files and changes them. Dynamic scanning is the process of actually detonating files & URLs inside an isolated environment in order to detect malicious code execution.
  • Recursive unpacking — the ability to find threats underlying any nesting level inside the content. This is a key capability in protecting against evasion attempts – without that, an attack can go undetected, when the attacker buries a threat deep inside the content. 
  • Speed and scale – a common problem with incumbent security solutions is managing scale at the required speed. Legacy solutions have indeed migrated to the cloud but are not designed for scaling. When workloads grow, they are forced to be selective on what they scan – which increases the risk for the infiltration of malicious content, and this is exactly what attackers are waiting to exploit.
  • Engine optimization – advanced threat protection solutions require engine optimization, which should be performed continuously, as organizations are constantly exposed to and need to efficiently protect themselves from new types of threats. If not optimized, security performance degrades over time, which is a commonly experienced problem. Engine optimization is a combination of the email security solution’s agility – the ability to define new rules and policies on the go, together with a skilled cybersecurity workforce that is able to identify the threats and perform these optimizations on an ongoing basis. 

Learn more about Perception Point Advanced Email Security

ransomware webinar

1Petya is a family of encrypting ransomware that was first discovered in 2016 – a piece of criminal code that surfaced in early 2016 and extorted victims to pay for a key to unlock their files. This ransomware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts a hard drive’s file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.