Cyberark Glossary >


Ransomware is a type of malware designed to extort victims for financial gain. Once activated, ransomware prevents users from interacting with their files, applications or systems until a ransom is paid, usually in the form of an untraceable currency like Bitcoin. In some cases, the victim is instructed to pay the perpetrator by a set time or risk losing access forever. In other cases, the perpetrator intermittently raises the ransom demands until the victim pays.

Ransomware infections are common and costly. According to security research firm CyberSecurity Ventures, by 2021, a business will fall victim to a ransomware attack every 11 seconds and global annual ransomware damage costs will reach $20 billion. While ransomware impacts businesses and institutions of every size and type, attackers often target large enterprises and governments with deeper pockets.

Because ransomware attacks are carried out by cybercriminals, most law enforcement agencies and security experts discourage ransom payments. According to the FBI, paying ransom does not guarantee you will regain access to your encrypted data. Some victims who pay ransom never receive decryption keys. Some are extorted for additional money after the initial ransom is paid. Even worse, some victims who pay ransom are attacked again in the future by the same criminal.

Ransomware is Continuously Evolving

Ransomware has evolved significantly over the years. Early “computer locker” attacks would lock up a computer by disabling keyboard or mouse functionality. In most cases, you could simply ignore ransom demands and restore the computer to its previous working state using off-the-shelf malware removal tools.

Today’s ransomware sophisticated and invasive. They can spread quickly throughout an organization, incapacitating users and disrupting business operations. Some ransomware programs go a step further, initiating distributed denial of service attacks. All platforms are affected by this, including Windows endpoints, Windows servers and even Macs. Others steal confidential data or compromising information and threaten to release it publicly.

Some examples of noteworthy ransomware attacks in recent years include:

  • The 2017 NotPetya attack irreversibly encrypted the master boot records of computers running the Windows operating system. It is said to have caused more than $10 billion in damages worldwide. The attack hobbled global enterprises like Merck, Maersk and FedEx, which attributed a $300 million loss to the incident.
  • The 2017 WannaCry cryptoworm outbreak infected over 200,000 computers in over 150 countries, wreaking havoc on organizations like Britain’s National Health Service, which was forced to close critical healthcare facilities, cancel surgeries and turn away patients for days. By one estimate, the total economic impact of the WannaCry attack was $4 billion.
  • The 2019 RobbinHood attack crippled the city of Baltimore’s IT services for almost a month, disabling email, voicemail, a parking fines database and a system used to pay water bills, property taxes and vehicle citations.
RobbinHood Ransom Note

RobbinHood Ransom Note

Best Practices for Ransomware Protection

Security experts recommend the following practices to defend against and recover from ransomware attacks:

  • Routinely back up all enterprise servers and PCs. While data backups can’t prevent ransomware, you can use them to recover from certain types of ransomware attacks. Many experts recommend backing up data to the cloud to protect against sophisticated ransomware attacks that identify and destroy or encrypt local backup files.
  • Use anti-virus and endpoint detection and response tools to block (blacklist) known ransomware variants at the point of entry.
  • Remove local administrator rights from standard user accounts to reduce attack surfaces and prevent the spread of ransomware throughout an organization, since some ransomware attacks attempt to gain local admin rights to inflict damage.
  • Use application greylisting to proactively defend against previously unknown ransomware variants. With a greylisting approach, you can restrict read, write and modify permissions for unknown applications to prevent ransomware from encrypting data. You can also use greylisting to block access to network drives to prevent ransomware attacks from propagating across the enterprise.

Learn More About Ransomware