What is ransomware?

Ransomware is malicious software that prevents access to files, systems, or networks and demands payment to restore access. The Cybersecurity and Infrastructure Security Agency explains that ransomware is malware used to deny access to systems or data until a ransom is paid, while the FBI Internet Crime Complaint Center defines it as software that “prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.”

Understanding ransomware attacks

Ransomware has moved beyond basic file locking into a coordinated form of cybercrime that combines system access, data theft, and extortion. According to the Verizon Data Breach Investigations Report, “ransomware and extortion techniques are involved in roughly one-third of breaches,” showing how common it has become in modern incidents. Attacks typically begin through phishing, stolen credentials, or exposed remote access, followed by lateral movement across the network before encryption is triggered. Research on Threat-Based Simulation of Data Exfiltration Toward Mitigating Multiple Ransomware Extortions also shows that many campaigns now include data exfiltration before encryption, allowing attackers to threaten public exposure as part of the extortion process. Ransomware now operates as a structured business model, often delivered through ransomware as a service (RaaS), where developers supply the tools and affiliates carry out the attacks.

The impact of ransomware

Ransomware impact goes beyond encrypted files, often disrupting operations, exposing sensitive data, and creating lasting financial and regulatory pressure. The Cybersecurity and Infrastructure Security Agency warns that incidents can lead to costly downtime and loss of critical information, particularly when essential services are targeted. Data from the Federal Bureau of Investigation shows the scale of the issue, with 859,532 cybercrime complaints and $16.6 billion in losses reported in 2024, pointing to the broader environment in which ransomware operates. Reports cited by CyberScoop note that ransomware complaints continue to increase each year, alongside the growth of new variants. Financial damage often extends beyond ransom payments to include downtime, recovery costs, legal exposure, and reputational harm, while in healthcare settings, attacks can delay care and disrupt access to patient data, increasing real-world impact.

How ransomware works

Ransomware attacks typically follow a multi-stage process rather than a single event.

Initial access

Attackers gain entry through phishing emails, stolen credentials, malicious downloads, or vulnerable systems. Opening an attachment or clicking a link can silently install malware.

Lateral movement

Once inside, attackers explore the network, escalate privileges, and identify valuable systems. This stage may continue for days or weeks without detection.

Data exfiltration

Modern attacks often include stealing sensitive data before encryption, which enables double extortion: attackers threaten to leak the data if payment is not made.

Encryption and ransom demand

Attackers deploy ransomware to encrypt files or systems and present a ransom demand, usually requiring cryptocurrency payment within a set timeframe.

Types of ransomware attacks

Ransomware does not follow a single formula. Attackers adjust their approach depending on the target, the level of access they achieve, and how they plan to pressure victims into paying.

Crypto ransomware

Crypto ransomware is the most common type of ransomware: attackers encrypt files and demand payment for a decryption key. The method has been widely used across industries, including high-impact incidents like the Colonial Pipeline ransomware attack, where systems were encrypted by the DarkSide group, disrupting fuel supply across the eastern United States and forcing the company to temporarily shut down operations. That incident shows how file encryption alone can have a national-level impact when critical infrastructure is targeted.

Double extortion ransomware

Double extortion has become the dominant ransomware model: attackers both encrypt and steal data, then threaten to publish sensitive information if the ransom is not paid. The Medibank data breach of 2022 is a clear example. After stealing health data, attackers released sensitive patient information online when the company refused to pay, which shifts the pressure from operational disruption to reputational and privacy damage, even without restoring systems.

Ransomware-as-a-service (RaaS)

Ransomware as a service is a model where developers create ransomware tools and lease them to affiliates who carry out attacks, making it easier to scale operations. Groups like LockBit have operated as RaaS platforms, allowing affiliates to launch attacks globally. In 2023 and 2024, LockBit was linked to hundreds of incidents across multiple sectors, showing how ransomware has grown into a coordinated ecosystem rather than isolated campaigns.

Targeted ransomware (big-game hunting)

Some ransomware groups target high-value organizations such as hospitals, infrastructure providers, or large enterprises, where attacks are carefully planned and may involve weeks of reconnaissance before deployment. The Change Healthcare attack in 2024 disrupted pharmacy services and claims processing across the United States, showing how targeting a single critical provider can impact an entire healthcare network.

Supply chain ransomware

In supply chain attacks, ransomware spreads through a trusted vendor or software provider, allowing attackers to reach multiple organizations at once. A well-known example is the Kaseya ransomware attack in 2021, where attackers exploited a vulnerability in Kaseya’s software to deploy ransomware to managed service providers and their customers, affecting hundreds of organizations simultaneously.

Triple extortion ransomware

Some ransomware groups have moved beyond double extortion by adding extra pressure tactics, including threatening customers and partners or launching distributed denial of service (DDoS) attacks, which overwhelm systems with traffic to force disruption. Security reporting has shown that groups linked to attacks such as the Vastaamo data breach contacted individual patients directly, demanding payment to prevent the release of personal therapy records. That approach extends the attack beyond the organization itself and directly targets its customers or patients.

Why ransomware is harder to stop

Ransomware is difficult to prevent because it combines technical weaknesses with human behavior. The Verizon Data Breach Investigations Report shows that “ransomware is rarely isolated,” and, as ASIS International notes, it is often linked with credential theft, phishing, and third-party access, making it part of a broader attack chain rather than a single event. Attackers also use legitimate tools and valid credentials, which makes malicious activity harder to distinguish from normal operations, and in many cases organizations only detect ransomware after attackers have already moved through the network.

Recognizing and responding to ransomware

Ransomware attacks often begin with subtle warning signs rather than obvious alerts, including unusual login activity, unexpected system changes, disabled security tools, or suspicious emails. Because phishing remains a common entry point, messages with unexpected attachments, urgent requests, or unfamiliar links should be handled with caution. Early detection is critical, as recovery becomes far more difficult once encryption begins. Reducing risk requires layered defenses instead of relying on a single control, with CISA recommending measures such as regular backups, multi-factor authentication, software updates, and network segmentation to limit both the likelihood and impact of attacks. Organizations should also maintain continuous monitoring and incident response processes to detect and contain threats early, while recognizing that user awareness alone is not sufficient since ransomware campaigns are designed to bypass human judgment.
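The warning signs above (unusual login activity, disabled security tools, and the burst of file changes that marks the start of encryption) are the kind of signals a monitoring process can score automatically. The following is an added illustration, not code from the original post or from Paubox: a small triage routine run over constructed host events. The event tuple layout, the field names, the service names in the allowlist, the corporate network ranges and the burst threshold are all assumptions chosen for the example.

```python
"""Triage of constructed host events for early ransomware warning signs.

Added example, not part of the original post. Event format, field names,
service names, network ranges and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events: (ISO timestamp, host, event type, "key=value ..." detail).
# Host fs01 shows the sequence the post describes; ws22 shows normal daytime activity.
SAMPLE_EVENTS = [
    ("2024-05-01T02:03:10", "fs01", "login", "user=svc_backup src=198.51.100.7"),
    ("2024-05-01T02:03:45", "fs01", "service_stop", "name=EndpointProtection"),
    ("2024-05-01T02:04:00", "fs01", "file_rename", "path=/srv/share/q1.xlsx new_ext=.locked"),
    ("2024-05-01T02:04:05", "fs01", "file_rename", "path=/srv/share/q2.xlsx new_ext=.locked"),
    ("2024-05-01T02:04:10", "fs01", "file_rename", "path=/srv/share/hr.docx new_ext=.locked"),
    ("2024-05-01T02:04:15", "fs01", "file_rename", "path=/srv/share/ap.pdf new_ext=.locked"),
    ("2024-05-01T02:04:20", "fs01", "file_rename", "path=/srv/share/ar.pdf new_ext=.locked"),
    ("2024-05-01T09:15:00", "ws22", "login", "user=jdoe src=10.0.4.15"),
    ("2024-05-01T09:16:00", "ws22", "file_rename", "path=/home/jdoe/notes.txt new_ext=.bak"),
]

BUSINESS_HOURS = range(8, 19)                      # assumed 08:00-18:59 local time
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
SECURITY_SERVICES = {"EndpointProtection", "BackupAgent"}                 # assumed names
RENAME_BURST_THRESHOLD = 5                         # renames within RENAME_WINDOW on one host
RENAME_WINDOW = timedelta(minutes=1)


def parse_detail(detail):
    """Split a 'k=v k=v' detail string into a dict (constructed format)."""
    return dict(pair.split("=", 1) for pair in detail.split())


def is_corporate_source(ip_text):
    """True when the source address falls inside an allowlisted internal range."""
    addr = ip_address(ip_text)
    return any(addr in net for net in CORP_NETWORKS)


def triage(events):
    """Return {host: [finding, ...]} for hosts showing at least one warning sign."""
    findings = defaultdict(list)
    renames = defaultdict(list)   # host -> [(timestamp, new_ext)] inside the sliding window
    burst_reported = set()
    for ts_text, host, etype, detail in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        fields = parse_detail(detail)
        if etype == "login":
            # Off-hours logins or logins from outside internal ranges are unusual.
            if ts.hour not in BUSINESS_HOURS or not is_corporate_source(fields["src"]):
                findings[host].append(
                    f"unusual login: {fields['user']} from {fields['src']} at {ts:%H:%M}")
        elif etype == "service_stop" and fields.get("name") in SECURITY_SERVICES:
            # Attackers commonly disable protection before encrypting.
            findings[host].append(f"security tool stopped: {fields['name']}")
        elif etype == "file_rename":
            # Keep only renames inside the window, then look for many files
            # taking on the same new extension: the signature of bulk encryption.
            window = [(t, e) for t, e in renames[host] if ts - t <= RENAME_WINDOW]
            window.append((ts, fields.get("new_ext", "")))
            renames[host] = window
            exts = {e for _, e in window}
            if (len(window) >= RENAME_BURST_THRESHOLD and len(exts) == 1
                    and host not in burst_reported):
                burst_reported.add(host)
                findings[host].append(
                    f"rename burst: {len(window)} files to {exts.pop()} "
                    f"within {int(RENAME_WINDOW.total_seconds())}s")
    return dict(findings)


def risk_level(host_findings):
    """Map a host's findings to a coarse level; a rename burst is always high."""
    if any(f.startswith("rename burst") for f in host_findings):
        return "high"
    if len(host_findings) >= 2:
        return "high"
    return "medium" if host_findings else "none"


def summarize(events):
    """Return {host: level} for every host seen in the events."""
    findings = triage(events)
    return {host: risk_level(findings.get(host, []))
            for host in {h for _, h, _, _ in events}}


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host, risk_level(items))
        for item in items:
            print("  -", item)
```

The point of ordering the checks this way is that each signal on its own is weak (a night-shift login or a single renamed file is routine), but the combination on one host within minutes is what the post calls the window where early detection still matters. Real deployments would feed this logic from an EDR or SIEM rather than a list of tuples, and would tune the hours, ranges and thresholds to the environment.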

Why ransomware continues to change

Recent data shows how widespread ransomware has become. According to the Federal Bureau of Investigation reporting cited by Reuters, ransomware was “the most pervasive cyber threat to critical infrastructure in 2024,” with complaints rising 9% year over year. Nearly half of those complaints were linked to sectors such as healthcare, manufacturing, government, and financial services, showing how heavily essential systems are being targeted. The FBI also reported total cybercrime losses reaching $16.6 billion in 2024, with ransomware driving broader disruption costs that often go beyond direct payments to include downtime and recovery. Industry reporting, including from IT Pro, shows attacks expanding across both large organizations and mid-sized businesses, with increasing ransom demands and deeper operational impact. As dependence on digital systems grows, attacks on critical infrastructure can halt production, delay healthcare services, and disrupt public systems, with one analysis warning that the “incapacitation or destruction” of these systems can directly affect public health and safety.

FAQs

What does ransomware do?

Ransomware blocks access to files or systems and demands payment to restore access.

How do ransomware attacks start?

They often begin with phishing emails, stolen credentials, or vulnerable systems that attackers exploit to gain access.

Why is ransomware so common?

It is financially motivated and scalable, especially through ransomware-as-a-service models that allow more attackers to participate.

Can ransomware be stopped without paying?

Recovery is sometimes possible using backups or incident response measures; however, success depends on how early the attack is detected and how well systems are protected.

Which industries are most targeted?

Critical infrastructure sectors such as healthcare, manufacturing, and government are frequent targets due to their reliance on continuous system access.
