By some estimates, security researchers see more than 200,000 new ransomware samples every day, roughly 140 a minute, many of them new enough to slip past signature-based defences and inflict irreparable damage. But what is ransomware, exactly? In short, it is one of the most common and most damaging cyber threats of today, with serious consequences for individuals and businesses alike.

In this article, I explain what ransomware is and how it is used, and walk you through the most notorious ransomware families.

What Is Ransomware?

Ransomware is malware (malicious software) that encrypts the files on a victim's PC, server or mobile device, cutting the owner off from their own data. Once the encryption has run, the victim is shown a message demanding payment (usually in Bitcoin) in exchange for the decryption key. There is usually a deadline, after which the price goes up or the key is supposedly destroyed and the files lost for good. Note that paying is no guarantee of anything: plenty of victims have paid and never received a working key.

How Does Ransomware Work?

A ransomware operation goes through three stages to get into, and then take over, a victim's computer.

1. Ransomware Delivery and Deployment

Attackers look for the easiest way into a system or network and use that initial foothold to deliver the payload. The most common infection methods are:

2. Encryption

Ransomware is, in practice, cryptography applied as a weapon. Most families use a hybrid scheme: each file (or each victim) is encrypted with a fast symmetric cipher such as AES, and that symmetric key is in turn encrypted with the operator's public key, which ships inside the malware. The matching private key never leaves the attacker's infrastructure, so the victim's machine ends up holding ciphertext and a wrapped key but nothing that can unwrap it. The private key (or the unwrapped file key) is only handed over after payment, if at all.

Without the private key, the files cannot be recovered by attacking the cryptography itself, provided the strain implements it correctly. Free decryptors exist precisely because many strains do not: keys left in memory or on disk, predictable key generation, reused keystreams, or seized command-and-control servers have all yielded decryption tools for specific families.
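The key hierarchy described above, as an added illustration that is not part of the original article and not any real strain's code. It is a toy: textbook RSA with 256-bit primes and no padding, plus a SHA-256 based stream cipher, both insecure and chosen only because they run with the Python standard library. The names (`infect`, `decryptor`, `wrapped_key`) and the sample files are this example's own, and it operates purely on in-memory byte strings; the point is to show where each key lives and why the victim's disk alone is not enough to decrypt.

```python
"""Toy model of the ransomware key hierarchy: per-victim symmetric key,
wrapped under the operator's public key, private key kept off the victim.

Constructed illustration only: textbook RSA (no padding, small primes) and a
SHA-256 keystream. Insecure by design; it exists to show WHERE the keys live.
"""
import hashlib
import os
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Operator's keypair: ((e, n), (d, n)). d is generated once and never shipped."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric part: XOR data with SHA-256(key || nonce || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def infect(files: dict, operator_pub) -> dict:
    """Victim side. Only ciphertext and the wrapped key are left behind."""
    e, n = operator_pub
    file_key = os.urandom(32)                                   # per-victim symmetric key
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)    # RSA-wrap: needs d to undo
    encrypted = {}
    for name, content in files.items():
        nonce = os.urandom(16)                                  # fresh keystream per file
        encrypted[name + ".locked"] = nonce + stream_xor(file_key, nonce, content)
    del file_key                                                # a careful strain drops it
    return {"wrapped_key": wrapped_key, "files": encrypted}


def decryptor(loot: dict, operator_priv) -> dict:
    """Operator side (or the 'decryptor' sold to the victim): unwrap, then decrypt."""
    d, n = operator_priv
    key_int = pow(loot["wrapped_key"], d, n)
    file_key = key_int.to_bytes((n.bit_length() + 7) // 8, "big")[-32:]  # low 32 bytes
    return {name[:-len(".locked")]: stream_xor(file_key, blob[:16], blob[16:])
            for name, blob in loot["files"].items()}


def demo():
    """Returns (originals, what the victim is left with, what the private key recovers)."""
    pub, priv = rsa_keygen()
    originals = {"report.docx": b"Q3 numbers: revenue up 12%", "photo.jpg": os.urandom(1000)}
    loot = infect(originals, pub)          # constructed victim files, encrypted in memory
    recovered = decryptor(loot, priv)
    return originals, loot, recovered


if __name__ == "__main__":
    originals, loot, recovered = demo()
    print("victim holds:", list(loot["files"]), "and a wrapped key of",
          loot["wrapped_key"].bit_length(), "bits")
    print("recovered with private key:", recovered == originals)
```

The design point is the asymmetry: everything the victim's disk contains (`loot`) is useless without `d`, and a strain only becomes decryptable for free when it breaks this structure, for example by leaving `file_key` on disk or deriving it predictably.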


There are two main types of ransomware:

  1. Encrypting ransomware, which uses strong encryption algorithms to scramble the victim's files and demands payment for the key that can decrypt them. Examples include CryptoLocker, Locky, CryptoWall, and many more.
  2. Locker ransomware, which locks the victim out of the operating system, making it impossible to reach the desktop or any apps or files. The files themselves are not encrypted, but the attackers still demand a ransom to unlock the machine. Examples include the police-themed lockers and Winlocker.

Some locker variants go further and overwrite the Master Boot Record (MBR), the first sector of the disk, whose boot code loads the operating system. With the MBR replaced, the boot process never reaches Windows; instead the malicious boot code displays the ransom note. Petya, for example, uses its own MBR code to encrypt the NTFS Master File Table, so the disk's contents become unreachable even though most file data is untouched. Satana belongs to the same category. Of the two types, crypto-ransomware (as encryptors are usually known) is by far the more widespread.
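As an added example (not part of the original article), the following Python parses a 512-byte MBR and compares its boot code against a known-good hash, which is the check a responder runs when an MBR locker or bootkit is suspected. The sector, the boot-code bytes and the partition layout are all constructed here; only the layout itself (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) is the real format.

```python
"""Parse a classic MBR and fingerprint its boot code against a baseline.

The sample sector below is constructed for this example; the layout
(446 bytes boot code, 4 x 16-byte partition entries, 0x55AA) is the real one.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:PARTITION_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        entry = sector[PARTITION_TABLE_OFFSET + 16 * i: PARTITION_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue                                  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions}


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > PARTITION_TABLE_OFFSET:
        raise ValueError("boot code does not fit")
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", pt, b"\0\0\0", lba, cnt)
                     for st, pt, lba, cnt in partitions)
    return (boot_code.ljust(PARTITION_TABLE_OFFSET, b"\0")
            + table.ljust(64, b"\0") + BOOT_SIGNATURE)


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Findings for a responder; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from baseline (possible bootkit / MBR locker)")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    return findings


# Constructed stand-ins: a fragment resembling a boot-code prologue, and two NTFS partitions.
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
SAMPLE_PARTS = [(0x80, 0x07, 2048, 1_000_000), (0x00, 0x07, 1_002_048, 500_000)]


def demo():
    """Returns (findings for the clean sector, findings for a sector with replaced boot code)."""
    good = build_sample_mbr(GOOD_BOOT_CODE, SAMPLE_PARTS)
    baseline = parse_mbr(good)["boot_code_sha256"]       # recorded while the system was clean
    tampered = build_sample_mbr(b"\xeb\xfe" + b"YOUR FILES ARE ENCRYPTED", SAMPLE_PARTS)
    return check_mbr(good, baseline), check_mbr(tampered, baseline)


if __name__ == "__main__":
    clean, suspect = demo()
    print("clean:", clean)
    print("suspect:", suspect)
```

On a live Linux system the sector can be captured with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` (as root) and fed to `parse_mbr`; the useful part is recording `boot_code_sha256` while the machine is known-good, so that there is a baseline to compare against later.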

3. Payment Demand

After encryption, a warning appears on the screen with instructions on how to buy the decryption key. By the time the note appears the damage is already done, which is why victims are left staring at it in disbelief.



The arrival of Bitcoin and the maturing of encryption algorithms turned ransomware from a minor nuisance used for cyber vandalism into a full-fledged money-making machine. Threat actors usually demand payment in Bitcoin because it is pseudonymous, hard to reverse and easy to move across borders. It is not untraceable, though: every transaction sits on a public ledger, and blockchain analysis has let researchers attribute payments to specific gangs and let law enforcement seize part of the proceeds, as happened with a portion of the Colonial Pipeline ransom in 2021.

Top Targets for Ransomware

Cybercriminals soon realized that companies and organizations were far more profitable than home users, so they went after bigger targets: police departments, city councils, and even schools and hospitals. To give you some perspective, one survey found that nearly 70% of infected businesses opted to pay the ransom to recover their files, and more than half of those paid between $10,000 and $40,000. For now, let's look at how online criminals target the various types of Internet users; it helps explain why things happen the way they do.

Public institutions

Public institutions, such as government agencies, manage huge databases of personal and confidential information that cybercriminals can sell, which makes them a favourite among ransomware operators. Staff are rarely trained to spot and avoid attacks, and public institutions often run outdated software and equipment, so their systems are full of security holes waiting to be exploited.

A successful infection also disrupts day-to-day operations on a large scale, which adds pressure to pay. Finally, taking down a public institution feeds the criminals' egos: they want money above all else, but they will not pass up a chance to raise their standing in the underground by hitting a high-profile target.

Either way, victims end up paying, whether through large ransoms or through the cost of recovering from the attack.

Businesses

In short, because that's where the money is. Threat actors know that a successful infection can cause major business disruption, which raises their chances of getting paid. Corporate networks are often complex and riddled with unpatched vulnerabilities, so they can be exploited by technical means, and the human factor remains a huge liability that can be exploited through social engineering. Small businesses are often unprepared to deal with advanced attacks and have a relaxed BYOD (bring your own device) policy.

Ransomware does not stop at workstations: file servers, network shares and cloud file-sharing folders that are synced to an infected machine get encrypted too, reaching deep into a business's core. Cybercriminals also know that businesses would rather not report an infection, for fear of legal consequences and brand damage.


Home users

Home users are still a prime target for ransomware operators because they usually have no backups. They have little or no security education, so they'll click on almost anything, which makes them easy to manipulate. They rarely invest in security software and don't keep their software up to date (however much specialists nag them). Finally, the sheer number of Internet users means more potential victims: more infected PCs mean more money for the ransomware gangs.

Top Ransomware Targets by Industry

#1. Government

According to SonicWall’s 2021 Cyber Threat Report, there have been far more hits on government customers than any other industry. By June, government customers “were getting hit with roughly 10 times more ransomware attempts than average”.

In March 2021, SEPE, Spain's public employment service, was taken offline by a ransomware attack.


#2. Education

During the first half of 2021, the education sector saw even more ransomware attempts than government. In March, the FBI's Cyber Division issued a flash alert warning of an increase in ransomware attacks targeting government entities, educational institutions, private companies and the healthcare sector. A month later, news broke that the Conti ransomware gang had encrypted the systems of Broward County Public Schools and was threatening to release sensitive personal data of students and staff unless the district paid an enormous $40 million ransom.

#3. Healthcare

Healthcare organizations are among the favourite targets of ransomware attacks. Hospitals have become perennial victims, including UC San Diego Health, Scripps Health, SalusCare, New Hampshire Hospital and Atascadero State Hospital. By one estimate, healthcare providers lose an average of 7% of their customers after a data breach or ransomware attack, the highest churn of any industry.

#4. Retail

Ransomware operators often target retail because, as one analyst put it, "they are rarely secured well and the benefits are easily monetized." SonicWall researchers recorded a startling 264% spike in ransomware against retail entities. In July 2021, the Swedish Coop supermarket chain had to close around 500 stores after the REvil gang's attack through Kaseya's VSA remote-management software, a supply-chain compromise, knocked out its point-of-sale systems.

Ransomware Examples

By now you know there are plenty of families out there. With names such as CryptXXX, Troldesh or Chimera, these strains sound like the stuff hacker movies are made of. Newcomers keep appearing to grab a share of the cash, but a handful of families have established their dominance. If that sounds like how the mafia runs its business, it's because in some respects it is.


WannaCry ransomware

On Friday, May 12, 2017, around 11 AM ET / 3 PM GMT, a ransomware attack of "unprecedented level" (Europol) started spreading WannaCry around the world. It propagated as a worm through a flaw in Windows' SMBv1 file-sharing protocol (the EternalBlue exploit, for which Microsoft had released the MS17-010 patch two months earlier), so unpatched machines were infected without their users doing anything. By May 24, 2017, it had hit over 200,000 victims in 150 countries.

Read more in the dedicated security alert about the WannaCry ransomware campaign.

Petya ransomware

The Petya ransomware family was first seen in 2016. Its trademark is overwriting the Master Boot Record: the malicious boot code then encrypts the NTFS Master File Table, making every file on the disk unreachable. A strain derived from Petya, later dubbed NotPetya, caused havoc in late June 2017 when it emerged with worm capabilities, spreading across networks via the EternalBlue exploit and stolen Windows credentials. We covered this outbreak in a dedicated security alert.

Ryuk Ransomware

Ryuk is a ransomware-as-a-service (RaaS) operation that has been active since August 2018. It is known for running a private affiliate program in which prospective affiliates submit applications and résumés to apply for membership. In the last months of 2020, its affiliates were hitting approximately 20 companies every week, and from November 2020 they coordinated a massive wave of attacks on the US healthcare system.

DarkSide Ransomware

DarkSide is a ransomware-as-a-service (RaaS) operation that began attacking organizations worldwide in August 2020. Like other threats used in targeted attacks, DarkSide does not only encrypt the victim's data: it exfiltrates it from the compromised servers first and threatens to publish it (so-called double extortion).

In just nine months of operation, at least $90 million in Bitcoin ransom payments reached DarkSide from 47 different wallets. Roughly $10 million of that came from two victims in 2021: the chemical distributor Brenntag, which paid a $4.4 million ransom, and Colonial Pipeline, which paid about $5 million in cryptocurrency.

Locky ransomware

When it appeared in February 2016, Locky was one of the most daring ransomware families around, making its entrance with a bang by extorting about $17,000 from a hospital in Hollywood. It wasn't the only victim. Two days after we published the Locky alert, we received the following comment from one of our readers:

We were attacked Tuesday by this ransomware. 150 emails spoofed to our mail server. 149 mails were blocked by the Barracuda spam filter. One slipped through and was initialised by a coworker from the sales department. In half an hour our file server, application server and shared folders on local PCs were encrypted. After locating the PC where it all started, we took that one off the network and started to restore everything from the backup. In one hour the file server and application server were back working. Except for one local folder with lots of data in it that wasn't on the file server, which was completely destroyed. We succeeded in fixing this as follows. First we installed Recuva on this PC and tried to recover the lost folder. The fact that the user kept working on it meant that most files weren't recoverable because they were overwritten by cookies and temporary internet files. (So when noticing the Locky files … stop working.) Windows 7 has shadow files. Too bad those files were corrupt because of the Locky virus … but … we were able to recover those files with Recuva, restore them and start ShadowExplorer and go back 6 days to recover a shadow copy of the lost data folder. In the end we recovered about 99% of lost files! But as someone said before …. nothing helps to prevent it, so backup, backup and backup…

TorrentLocker ransomware

This file-encrypting malware emerged in early 2014, and its authors presented it as CryptoLocker to piggyback on that name's notoriety. Since then, TorrentLocker has relied almost entirely on spam email for distribution. To increase effectiveness, both the emails and the ransom note were localized for each target country. The attackers found that attention to detail let them trick more users into opening emails and clicking malicious links, so they went a step further and used proper grammar in their texts, which made the lures look authentic to unsuspecting victims.

Source: Sophos analysis

TorrentLocker's creators proved they were watching their targeted "audience" closely when they corrected a flaw in their encryption mechanism. The original variant XORed the same keystream into every file, so a single known plaintext was enough to recover the keystream and decrypt the rest; a decryption tool built on that weakness by a malware researcher worked until the authors released a new variant with properly implemented encryption, closing that avenue for good. TorrentLocker's ability to harvest email addresses from the infected PC is also noteworthy: those addresses fed subsequent spam campaigns that distributed the malware further.
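The keystream-reuse flaw described above, as an added example that is not part of the original article and not TorrentLocker's code: the sample files, the keystream and the function names (`flawed_encrypt`, `recover_keystream`, `fixed_encrypt`, `SAMPLE_FILES`) are all this example's own, and the fix shown is the generic one (a fresh nonce per file), not whatever the authors actually changed. The same pattern is why some of the free decryptors mentioned earlier in this article exist at all.

```python
"""Why one known plaintext broke the flawed scheme: every file was XORed
with the same keystream. Constructed data and constructed code; the fix shown
is the generic one (per-file nonce), illustrated with a SHA-256 keystream.
"""
import hashlib
import os

PNG_HEADER = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG: a free known plaintext


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(files: dict, keystream: bytes) -> dict:
    """The mistake: one keystream per victim, reused for every file."""
    return {name: xor_bytes(data, keystream) for name, data in files.items()}


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C xor P = keystream, for as many bytes of P as are known."""
    return xor_bytes(ciphertext, known_plaintext)


def per_file_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """The fix: keystream = SHA-256(key || nonce || counter), nonce unique per file."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def fixed_encrypt(files: dict, key: bytes) -> dict:
    """Prepend the 16-byte nonce so the legitimate decryptor can rebuild the keystream."""
    enc = {}
    for name, data in files.items():
        nonce = os.urandom(16)
        enc[name] = nonce + xor_bytes(data, per_file_keystream(key, nonce, len(data)))
    return enc


def fixed_decrypt(enc: dict, key: bytes) -> dict:
    """Legitimate decryption for the fixed scheme: nonce from the blob, key from the operator."""
    return {name: xor_bytes(blob[16:], per_file_keystream(key, blob[:16], len(blob) - 16))
            for name, blob in enc.items()}


SAMPLE_FILES = {                       # constructed victim files
    "logo.png": PNG_HEADER + b"\x00\x00\x00\rIHDR" + b"\x00" * 20,
    "bank.txt": b"wire transfer details: IBAN DE00 ...",
}


def demo_flawed() -> bytes:
    """Recover the keystream from logo.png's header and use it against bank.txt."""
    keystream = os.urandom(64)                            # the victim never sees this...
    enc = flawed_encrypt(SAMPLE_FILES, keystream)
    ks = recover_keystream(enc["logo.png"], PNG_HEADER)   # ...but 8 bytes of it leak here
    return xor_bytes(enc["bank.txt"], ks)                 # first 8 bytes of the secret, no key needed


def demo_fixed():
    """Same attack against the per-file-nonce scheme: returns (round-trip ok, leaked bytes)."""
    key = os.urandom(32)
    enc = fixed_encrypt(SAMPLE_FILES, key)
    ks = recover_keystream(enc["logo.png"][16:], PNG_HEADER)
    leaked = xor_bytes(enc["bank.txt"][16:], ks)          # keystream from another file: garbage
    return fixed_decrypt(enc, key) == SAMPLE_FILES, leaked


if __name__ == "__main__":
    print("flawed scheme leaks:", demo_flawed())          # b'wire tra'
    print("fixed scheme:", demo_fixed())
```

With only eight known bytes the attack recovers only eight bytes of every other file; a decryptor for a real strain needs a known plaintext as long as the portion of each file the malware encrypts, which is why researchers looked for large files with predictable contents.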


Conclusion

Ransomware brought extortion to a global scale, and it's up to all of us, users, business owners and decision-makers, to disrupt it.

We now know that:

  • creating malware or ransomware threats is now a business and it should be treated as such;
  • the “lonely hacker in the basement” stereotype died a long time ago;
  • the present threat landscape is dominated by well defined and well-funded groups that employ advanced technical tools and social engineering skills to access computer systems and networks;
  • even more, cybercriminal groups are hired by nation states to target not only financial objectives but political and strategic interests as well.

We also know that we’re not powerless and there’s a handful of simple things we can do to avoid ransomware. Cybercriminals have as much impact on your data and your security as you give them. Stay safe and don’t forget the best protection is always a backup!




Thanks for sharing these updates about data security and hacking. Securing your data properly is a must for any person. It is necessary to be sure that your data is properly personalized and secured through a proper safe system security.

Hi, I am using Malwarebytes to protect my PC from ransomware, but is Malwarebytes safe?

Thanks for sharing this information

Thanks for the genuine article good work keep it up. I would like to offer you guys tons of thanks for the detailed information and most importantly the information about the marketing strategies is top notch.

Elena Georgescu on June 10, 2021 at 5:06 pm

Thank you very much for your beautiful words!

WE STAY AHEAD OF THE TREND AT MAS8SG - mas8sg on December 9, 2020 at 10:40 am

Thank you for a lovely article. I subscribed to your blog and shared this on my Twitter. Thanks again for a great post!

This is a very interesting subject. And people wonder why I don’t click on their emails

Good post thanks!

Please help me, my HDD is infected by ransomware with the extensions .TODAR and .ADAME.
How do I decrypt my files?

I have never come across such a well studied, well written article on ransomware. It has given me deep knowledge. Thank you Andra, keep the good going, keep writing and keep helping us.

Nice and very useful info. This article is important and really good for me. Keep it up and thanks to the writer. Awesome writing, great article. Thanks!

Hi, Steve at Bridges.
Wow, "What is Ransomware – 15 Easy Steps To Protect Your System
[Updated]" is indeed an original subject.
Merely wanted to say that I like your blog post.

Thanks for sharing the tips on how to protect your system from ransomware.

This appears very Nice. Thank you to your sharing.

Wow! Great article! Well just making sure that my business is protected, I use boomerang data recovery as well. Other than protecting than ransomware. Just in case if my files are gone.

Thanks for helping us by providing unique things

Great tips! Thanks for this informative post.

Nothing beats a good backup. Always test backups on a monthly or even weekly basis. Also you must make sure your backup has versioning.

Must educate your employees! They’re the target entryway into your network.

Here you are providing such great news!! The best thing is to always back up your data after work, because whenever any ransomware or virus attacks, your data is in safe hands and you can work properly. Always enjoying reading your blog.


Highly descriptive article, I enjoyed that a
lot. Will there be a part 2?

Howdy! Do you use Twitter? I’d like to follow you if that
would be ok. I’m absolutely enjoying your blog and look forward to new posts.

Hello and thanks for the message! Yes, we do have a Twitter account. You can follow us here: Thanks for reading our blog!

Thanks for any other informative site. The place else could
I get that type of information written in such an ideal approach?

I have an undertaking that I'm just now running on, and
I've been on the look out for such information.

This is very interesting, You are an excessively professional blogger.
I have joined your RSS feed and sit up for looking for extra of
your fantastic post. Additionally, I’ve shared your website in my
social networks

Thank you so much for your feedback! We appreciate it!


Well impressive work Andra. keep on .


Do Heimdal do IT Security Management for small businesses? My business doesn’t think it would be targeted as we are so small, but we would rather be safe than sorry! I’ve been looking at a company called Ivanti, but I am unsure of what is the best way to avoid being held at ransom!

Hello Niall! Thank you for your comment. Regarding your question, it depends on what market you are interested in. My colleague, Alex from the Sales team can help you with that. Please contact him at Thank you!

Thanks for this deep insight on cyber security. I think that we would get more information on cyber security. Thanks for these pro tips 🙂

Ransomware could cost you an immense data loss and to unlock this data most of the people eventually end up with paying ransom amount. Fortunately, there are free tools to decrypt ransomware files through which you can recover valuable data without paying for it.

Thank you Andra for well presented and detailed information, it was simple to follow and understand, something important to me.
My husband got caught by, I think, scareware on Sunday and we foolishly allowed them access to his computer, but managed to back out when payments were requested. We turned off our modem and we've since scanned all computers. My question is, did we compromise my Sierra OS iMac?

In theory, if you scanned your systems with a reliable anti-malware solution, you should be fine, but you should use more than one product to ensure that your system hasn’t been compromised. What’s more, I’d recommend doing a system restore from an older backup, if you have one, because there’s no telling what they might have planted on your system.

Great post. Luckily I always back up my data on an external hard disk. God save, the computer cannot affect me. One more thank you for the awareness article about ransomware.

I spent my whole time in traffic this morning reading this good stuff. Thank you for this article

Thank you for the kind feedback, Emmanuel! Drive safe!

Great post! Now I know what ransomware all about!.. Thanks Andra,…

Good article here, thank you for that. Guys, here is also a great video to understand the WannaCry ransomware.
Ransomware WannaCry Attack you didn't know before 2017
Thank you..!

If the computer has partitioned drives, then ransomware will encrypt only the drive holding the Windows operating system.
Then while booting the PC, change the boot sequence to USB,
then save and exit.
After that, use a USB with a Linux operating system to boot (Hiren's CD) and format the drive with the Windows operating system. Then reload the Windows system.
I feel we can recover the files.
Please advise whether this can help.

Thank you.. this article is great.. All the detailed information about ransomware, its types, its life cycle.. The best article i have read so far

This is one of the best and detailed blogs I have seen recently.

Hi, Zaheera,
Very nice and informative article. This article helped me to improve my knowledge, thank you very much, keep updating us.
I have a query: is it possible to protect my PC by disabling SMBv1 in Windows? If yes, then how?
Waiting for your valuable feedback, thanks once again.

Hi, nice article about ransomware. Now I have the full details about ransomware and how to be secure from it. Thanks for sharing this article and keep updating us.

It was a very nice article, I would have thanked you Ms. Andra Zaharia, for creating awareness on ransomware.

mphoentle rangaka on May 17, 2017 at 10:26 am

Thank you for shedding some light, this was extremely helpful.

interesting article thank u very much

Are these ransomware attacks only happening on Windows users?

First of all, lovely article. Love how it's well explained and very, very detailed. I did not flinch for a second while reading it. I was subjected to ransomware, although I had a Mac. In short, in order to stay safe from ransomware, people should not be stupid. Gonna share a few tips I got from reading another short article recently, which are: stop downloading from suspicious links, trust your gut and always back up frequently, no matter how annoying it is (worth it in the long run), update your Windows and also enable Windows Defender. You don't know how much difference these tips can make. I have been virus free ever since reading that article.

This is very informative but can anyone tell me what to do to get my COMPWUNLOCKED W/OF PAYING???!!!

ThereseMarie Sollberger on May 16, 2017 at 6:26 pm

I agree, great article, but can anyone tell me how to get around it W/OF PAYING SO I CAN GET MY COMPUTER BACK???!!!!!

If you have the time and competency: 0) keep the original hard drive untouched, 1) brute force attack the encryption with another computer on a full dump (sector by sector), 2) do a deep file recovery with Recuva or R-Studio on the encrypted drives.

Great post, Got Some new knowledge. It is true that we need more knowledge about cyber security.

What to do when back up server is attacked by some ransomware? Please help.

1. Do not reset your server
2. Try a backup with the extension to non-“bak”
3. The quick freeze your clients (for example,deep freeze)

Got Some new knowledge about cyber security …

So currently I'm running the Insider (preview/beta) version of Windows 10 and instead of using an MBR partition I used GPT (because it sounds cooler to me). By running the preview version of Windows some software does not work for me (such as AVG). Can you tell me:
– can the attackers attack my computer more easily, due to the new and unstable code in the system, or will it be the same as a normal Windows PC?
– about the partition kind of ransomware, is GPT actually better or just the same as MBR?
– I'm currently running Windows Defender with your Heimdal Free (because it sounds cool and the UI is very attractive to me).

Thank you for your contributions to cyber security, hope you can answer my questions.

For small or non-business, I think an easy block to extortion is never having anything on my computer hard drive, other than the operating programs and emails. USBs are so cheap, all my files are stored on one I keep in my laptop bag. (A red one so it goes faster. The USB not the bag.) I just copy the whole USB to a plug-in hard drive every day or so as a back up. I also copy it to another USB when I remember. This way, there’s really nothing to encrypt; well nothing I care about and I can use any computer at hand. I hope I haven’t overlooked an obvious flaw in this plan.

I’m concerned that since ransomware can be dormant for a significant period, it could exist in all my backups and be restored, then causing the whole thing over again.

Do a full system reinstallation regularly, and have a heterogeneous OS ecosystem (with Windows, Linux, FreeBSD, etc.).

Sandeep Ghadge on May 3, 2017 at 8:31 am

Very informative article. Taking regular backups is key to protect the data and in case of attack one can revive from it by recovering the data from backup.

So glad you found it helpful, Sandeep!

Thank you for a lovely article. Also to all who have contributed in the comments box.
How lovely to see a community coming together for greater good.

Thanks for this article, Andra! It was very thorough. I work for Cybereason and we recently released a ransomware protection tool. It’s free and we don’t require registration or personal information in order to download the product. Thought I’d share it as an additional resource –

Hi all

Found this interesting blog recent post on the general guidelines by Microsoft

Nice read.


Andra, this is one of the most detailed articles about ransomware I’ve ever seen!
There is a full list of free ransomware decryption tools developed by different security companies – . I hope it can help someone here

Thank you for the lovely feedback, Magnus! I’m really glad you enjoyed reading it.

Your link is most welcome. We’ve also put together a similar list. You can find it here:

I was about to fell victim to a Ransomware at once, but luckily I had an Anti-Malware called MalwareFox which blocked the installation and notified me. Speaking of which, this is the first time that I see this blog and I noticed that you have a security application, is that an Antivirus? An Anti-Malware? A little bit of both?

Q – Is private data in public (free) cloud systems (e.g. OVH hubiC, Google Drive etc.) safe from ransomware?

Q – Do you have to back up data in such cloud systems to be safe from ransomware?

Hi there!
They are safe if you don’t keep them synced locally all the time. If you do get infected with ransomware and your Google Drive is synced locally, it will infect the data in it as well.
In terms of backup, experts recommend that you have at least 2 data back-ups, in 2 different locations: one on an external drive and one in the cloud (that’s not synced locally, for certainty). But 3 backups is ideal to have. More info here:

Tejender Thapliyal on January 17, 2017 at 1:12 pm

Hi, this is very interesting and a good material. Is there any website or tool to track bitcoin account/bitcoin ID? please also suggest how to track the culprits.

Ransomware attacks are increasing year on year… businesses and their employees should know how to make backups of critical data, how to update software on the devices used for work and how to implement high-end information security solutions. Businesses that are not prepared for ransomware attacks will have a pretty rough time: one survey claims that around 55% of businesses surveyed said it had taken them several days to restore access to encrypted data after being attacked.

Great job, Andra! (and the Whole Heimdal team) Having good anti-malware/virus software is very important in defending against digital malfeasance, so check out the reviews, do the research, and get the one you think is best for you installed and running ASAP. There are some excellent choices available and they don’t all work the same way.

Thank you very much, Keith! I really appreciate the feedback and thanks for joining our effort to help everyone become more aware of the importance of basic cyber security.

Are you a soft target for ransomware? Take the risk analysis quiz.

Surendra Singh Pal on November 11, 2016 at 8:57 am

very well written and helpful for Non IT users and IT Pro as well

A malware/adware that converts all JPEG files to the .9213 extension.
Does anybody have a solution for that……

In-fact what I wanted to know about Ransom-ware is lucidly written and full kudos to her to make me knowledgeable. It is a complete insight blog and a never miss.

Found a quick solution for ransomware: from F8, access the command prompt and use diskpart to format the C drive. Restart the computer and from F8 you can now use the Reset my computer option.

Maybe I could have used System Restore first, as the lock had been removed from the C drive with the format.

Hope that helps

Indeed ransomware is a nightmare. Victims of this virus are increasing day by day. Also the amount asked to decrypt the encrypted file is huge. Hope no one become a victim of cryptolocker ransomware.

Philip Fullerton on July 25, 2015 at 12:27 pm

Make sure to protect your password frequently, at least once a month. Very useful tips. Thank you for sharing it, Aurelian. The 9 easy steps to keep your system safe from ransomware article is very helpful. Technology can help us protect our home but we should always be careful. The threats are everywhere.
