What Is Ransomware?

Ransomware is a type of malicious software used by cyber-criminals to hold data for a set ransom price - requiring payment to get back the files. The software usually works by encrypting the data and only offering the decryption key once the ransom has been made. Since its discovery, ransomware has been a rapidly growing and evolving piece of cyber ammunition – infecting individual users and companies alike. A report by NCC group depicts the staggering rise of ransomware cases by 84% in 2023.

Statista reports reports shows that over 72% of companies worldwide were affected by ransomware in 2023.  Ransomware payments in the same year surpassed the $1 billion mark, the highest number ever observed in the history of ransomware. Therefore, it is crucial to understand the history and evolution of ransomware to better prepare and deploy strong anti-ransomware measures for your organization.

What Is Ransomware?

How Does a Ransomware Attack Work?

The First Ransomware

Every villain has an origin story, and ransomware is no different. In 1989, Joseph Popp was a leading biologist who distributed 20,000 ransomware floppy disks to his fellow AIDS researchers. According to CNN, the disks were sent in the mail to attendees of the World Health Organization’s AIDS conference in Stockholm and supposedly contained a computer-based questionnaire that Dr. Popp said would help determine patients’ risk of contracting AIDS.

However, the Harvard-taught researcher infected every disk with malware which later became known as the first “digital AIDS”. The malware was sent to about 90 different countries and laid dormant until the computer was turned on 90 times, then a ransom note appeared on the screen demanding US$189 sent in an envelope to a PO Box in Panama.

Naturally, this cyber-attack was rudimentary at best but it paved the way for the evolution of ransomware into the sophisticated threat that it is today.

Common Types of Ransomware

Ransomware can broadly be distinguished into 5 categories.

  • Scareware: The first type is known as “scareware” and relies on a user’s unfamiliarity with computers or software. This malware immediately targets the user with error codes and system warnings to scare them into clicking on suspicious links for fear of damaging their equipment. The malware gets your financial details by asking for a simple payment to make the alerts disappear.
    • Examples: Fake antivirus software, tech support scams
  • Cryptoware: The most known form of ransomware is “crypto-ransomware” or “cryptoware”. This type of malware takes notes from Dr. Popp’s floppy disk idea and uses encryption to render files inaccessible without a specific cryptographic key that can only be gained after payment of a ransom. Unlike Popp’s artillery, most modern cryptoware attacks ask for payment in the form of bitcoin – which makes it immensely more difficult to track down than a postal address.
    • Examples: CryptoLocker, WannaCry, Locky
  • Locker Ransomware: Popularly known as Lockers, this type of ransomware completely locks the user out of the system, making files and applications inaccessible, sometimes even the desktop. A lock screen displays the ransom demand, often with a countdown clock to increase urgency.
    • Examples: Winlocker, Police-themed ransomware
  • Doxware of Leakware: Also known as extortionware, this ransomware threatens to publish sensitive information, such as personal photos, financial records, or business documents, unless the victim pays the ransom. Due to the significant reputational loss it causes, Doxware is considered one of the most dangerous ransomware attacks in the evolution of ransomware.
    • Examples: Maze, REvil/Sodinokibi
  • Ransomware-as-a-Service (RaaS): Just as the name suggests, RaaS is a business service model where cybercriminals develop and sell ransomware to other criminals. This allows even criminals with limited technical expertise to launch ransomware attacks. The main professional hacker handles all the aspects of the attacks in return for a part of the ransom.
    • Examples: Cerber, Satan, Philadelphia

Major Ransomware Attacks Till Date

Ransomware attackers modify and innovate their usual ammunition using the anonymity and dynamic nature of most cyberspaces.

WannaCry Attack – May 2017

Impact: Over 230,000 computers across 150 countries were infected in a single day.

Financial Loss: Estimated at $4 billion.

The WannaCry ransomware exploded onto the scene in May 2017, infecting at least 75,000 computers across 99 countries and affecting hospitals and businesses. The ransomware targeted computers using Microsoft Windows as an operating system and encrypted essential data then extorted payments in the form of Bitcoin for its return. The ransomware hit around 230,000 computers globally. In 2018, the WannaCry malware also hit Taiwan Semiconductor Manufacturing – the world’s largest contract chipmaker.

Acer Attack – March 2021

Impact: A loss of 60GB of critical information.

Ransom Demand: $50 million, highest at that time.

The Taiwanese computer giant, Acer was the victim of a ransomware attack in March of 2021 wherein a US$50 million ransom was demanded - the largest ransom ask made of any victim at that time. The REvil ransomware gang took credit for the breach and published images of financial statements and other documents allegedly stolen from the company as a means of claiming responsibility for the attack.

Brenntag Attack – May 2021

Impact: 150GB of data stolen during the breach.

Financial losses: $4.4 million ransom paid in Bitcoin.

The German chemical distributor Brenntag SE reportedly paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang on May 11 to obtain a decryptor for files encrypted by the hackers during a recent ransomware attack on the company. Threat actors encrypted devices on the network and claimed to have stolen 150GB of data during their attack – which they proved by creating a private data leak page with a description of data taken and screenshots of files.

Colonial Pipeline Attack – May 2021

Impact: Blocked pipeline compensation required approximately 13,000 mid-sized fuel tankers per day.

Financial losses: A ransom of approximately $4.4 million in cryptocurrency.

At the beginning of May, the Colonial Pipeline Company announced that they had fallen victim to a ransomware attack. The company suspended its affected IT assets, as well as its main pipeline – which is responsible for transporting 100 million gallons of fuel every day between Texas and New York. Over the course of assisting the Colonial Pipeline Company with its recovery efforts, the FBI confirmed that the DarkSide ransomware gang had been responsible for the attack.

Accenture Attack – August 2021

Impact: An astounding 6 terabytes (TB) of data was stolen.

Financial losses: Ransom amount of $50 million

The global IT consultancy giant Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack that hit the company's systems. As reported by Bleeping Computer, the ransomware gang claimed to have stolen six terabytes of data from Accenture's network and demanded a US$50 million ransom. In September, the company denied claims made by the LockBit gang that they also stole credentials belonging to Accenture customers that would enable them to compromise their networks.

Ultimate Kronos Group Attack – December 2021

Impact: Approximately 2,000 customers affected.

Financial losses: Agreement to pay a $6 million settlement.

One of the largest human resources companies disclosed a crippling ransomware attack in December 2021 that impacted the payroll systems for multiple workers across industries. According to NBC News, the company said that its programs that rely on cloud services—including those used by Whole Foods, Honda, and local governments to pay their employees—would be unavailable for several weeks. In a statement, the city of Cleveland alerted that sensitive information may have been compromised in the attack – such as employee names, addresses, and the last four digits of social security numbers.

Nvidia Attack - February 2022

Impact: Compromised employee credentials and company information.

Financial losses: The disruption still led to a $63 million loss of advertising revenues in the fourth quarter and $11 million in remediation costs.

Nvidia, the world’s largest semiconductor chip company, was compromised by a cyber-attack in February of 2022. The California-based company confirmed that the threat actor had started leaking employee credentials and proprietary information online. Lapsus$ - a hacking gang, took responsibility for the attack and claimed they had access to 1TB of crucial company data then demanded a $1 million ransom and a percentage of an unspecified fee from Nvidia. In January, Lapsus$ also claimed the credit for the ransomware attack on Impresa - Portugal’s largest media conglomerate.

Costa Rican Attack – April 2022

Impact: Over 600TB of stolen data leaked online.

Financial losses: Reports suggest daily losses of around $30 million.

The Costa Rican president declared a state of emergency after the Conti ransomware attack threw the country into chaos in April of this year. The attack affected healthcare systems amid covid-19 testing and will likely have lasting effects on the country.

Nikkei Group Asia Attack – May 2022

Impact: Customer data is compromised.

Financial losses: Exact losses are yet to be revealed.

Lastly, the media giant Nikkei Group’s Singapore-based headquarters was also the victim of a ransomware attack in May of 2022. Unauthorized access to their internal servers was noticed and the company discovered a breach - stating that it was likely that customer data has been affected. This comes after the 2019 incident in which an employee was given fraudulent instructions to transfer a sum of money to a third party through a BEC swindle - costing the organization approximately $29 million.

Most of these attacks were carried out by hacking groups that tend to use Ransomware-as-a-service models. These are similar to software-as-a-service frameworks, except they facilitate the installation and running of malware into a network. Users of this service pay to launch ransomware developed by operators.

UK’s Royal Mail Attack - January 2023

Impact: Data from the company’s system including parcel tracking website, online payment system, and several other services.

Financial losses: $80 million ransom demand was unmet.

The most notorious group in the history of ransomware, LockBitlaunched an attack on Royal Mail, the United Kingdom's national postal service in January 2023. It attacked and paralyzed several systems of the company, leaving millions of letters and parcels stuck and undelivered. LockBit demanded a ransom of $80 million, which is 0.5% of the company’s revenue, in exchange for the decryption of the files. Royal Mail declined the demand, and the ransomware group published the data as threatened in the end and became one of the

MOVEit Attack - May 2023

Impact: 600 organizations and nearly 40 million people believed to be so far.

Financial losses: Over $100 million in ransom payments.

One of the largest incidents of the year, CL0P attacked the file-transferring software MOVEit in May 2023 by exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362). Several billion-dollar companies including the BBC, Zellis, British Airways, Ofcom, Ernst and Young, and Transport for London, were impacted by this ransomware attack. The total impact of this ransomware attack is yet to be known as several companies are not sure if they were exposed to the software or not.

Caesars and MGM Casinos Cyber Attack - September 2023

Impact: Personal information of some MGM customers and data of 41,397 Maine residents stolen were from Caesars.

Financial losses: Caesars decided to pay the extortionists $15 million while MGM declined and recovered its infrastructure on its own which resulted in a loss of $100 million.

The ALPHV/BlackCat group’s claimed affiliate, Scattered Spider attacked Caesars and MGM, two of the biggest U.S. hotel and casino chains. The attack resulted in the shutdown the companies’ entire infrastructure, including the main website and mobile app, online reservations, ATMs, slot machines, and credit card machines. The attack was launched by using social engineering to identify an IT employee on LinkedIn. While Caesars consented to pay, MGM declined to pay any ransom and instead focused on recovering its infrastructure.

R00TK1T Attack on Malaysia - January 2024

Impact: User data of YouTutor is compromised.

Financial losses: Yet to demand ransom.

Following their cyber-attack campaign announcement against Malaysian infrastructure on the 26th of January, the R00TK1T hacking group attacked network solutions and system integrator, Aminia, online education website, YouTutor, and telecommunication company, Maxis. Maxis had denied the breach and, but it did identify an incident involving third-party vendor systems. The hacking group is hell bent on making the company accept the breach, or they would unleash further chaos on their network. The group has further warned that they are collectively targeting all companies in Malaysia and will not stop until their message is heard.

Ransomware Known to Date

For most ransomware attacks to be successful, they have to rely on an advanced form of ransomware. According to Statista, there were 78 newly discovered ransomware families in 2021 - representing a 39% year-over-year decrease compared to the 127 newly discovered ransomware families detected in the previously measured period.

Year Number of new ransomware families found
2015 29
2016 247
2017 327
2018 222
2019 95
2020 127
2021 78
2022 26

Sourced from Statista

The trend of new ransomware found is constantly fluctuating depending on a number of factors which include emerging technologies, vulnerabilities in global systems and the general cybersecurity practices followed and legislated in that time.

Organization Affected by Ransomware

2023 marks the year with the highest number of organizations affected by ransomware attacks. According to Statista, over 72% of organizations globally have fallen victim to ransomware attacks in 2023, a gradual rise over the last five years. In addition, each year since 2018, more than half of the respondents in the same survey reported that their organizations faced ransomware attacks. In terms of industries worldwide, the manufacturing industry seems to be frequently hit by ransomware attacks, with compromised credentials being the leading cause behind these attacks in 2023.

Statistic: Annual share of organizations affected by ransomware attacks worldwide from 2018 to 2023 | Statista
Find more statistics at Statista

Businesses worldwide affected by ransomware 2018-2023

Published by Ani Petrosyan, Mar 28, 2024

As of 2023, over 72 percent of businesses worldwide were affected by ransomware attacks. This figure represents an increase on the previous five years and was by far the highest figure reported. Overall, since 2018, more than half of the total survey respondents each year stated that their organizations had been victimized by ransomware.

Most targeted industries

In 2023, the healthcare industry in the United States was once again most targeted by ransomware attacks. This industry also suffers most data breaches as a consequence of cyberattacks. The critical manufacturing industry ranked second by the number of ransomware attacks, followed by the government facilities industry.

Ransomware in the manufacturing industry

The manufacturing industry, along with its subindustries, is constantly targeted by ransomware attacks, causing data loss, business disruptions, and reputational damage. Often, such cyberattacks are international and have a political intent. In 2023, compromised credentials were the leading cause of ransomware attacks in the manufacturing industry.

Ransomware is constantly evolving and advancing in its ways to infiltrate networks. While it may seem impossible for individuals to do anything when big companies are breached, people can implement proper cybersecurity measures on a smaller scale to ensure that they won’t be the next victim of a ransomware attack.

This is malware that targets computers running the Microsoft Windows operating system and is typically spread as an email attachment. This malware is often used in phishing scams The CryptoLocker ransomware was used to attack the Italian Vaccine system in September 2021.

Sangfor Engine Zero with its multi-stage AI analysis engine can detect CryptoLocker variants and is available on both Next Generation Firewall (Network Secure) and Endpoint Secure platforms. Engine Zero is used on the Network Secure firewall to detect CryptoLocker malware files that may be embedded in email attachments and used on Endpoint Secure to detect and remove CryptoLocker malware files on the endpoint before they can be activated.

The Petya ransomware variant was seen first in 2016 and targets Microsoft Windows-based systems. The malware encrypts a computer’s master file table, replacing the master boot record with a ransom note and rendering the computer unusable until the ransom is paid. It evolved later to include direct file encryption capabilities as a failsafe and the modified version named “NotPetya”. This malware was among the first ransomware variants to be offered as part of a ransomware-as-a-service operation.

This new malware is based on Conti ransomware and was first believed to be a potential wiper malware. According to Bleeping Computer, the Onyx ransomware facilitates the destruction of files larger than 2MB instead of encrypting them - which prevents those files from being decrypted even if a ransom is paid. The destructive nature of the malware makes cybersecurity specialists adamant that victims should not pay the ransom submitted. Reports suggest Onyx targeted around 13 victims from six different countries.

The US Cybersecurity and Infrastructure Security Agency released a warning about the hive ransomware, stating that FBI information revealed it had victimized over 1,500 companies worldwide and received over US$130 million in ransom payments until its disruption in 2023. Hive threat actors gain access to networks by distributing phishing emails with malicious attachments or using single-factor logins via remote network connection protocols.

Hive

Sourced from the US Cybersecurity and Infrastructure Security Agency page

According to the FBI, the Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as Ransomware as a Service (RaaS). Its threat actors request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars. The malware installs itself in a temporary folder named “.zeppelin” and then spreads throughout the infected device encrypting files. Once spread, it begins to encrypt files. Afterward, a note appears in the notepad informing the victim that they have been attacked and that ransom must be paid for the return of their data.

The Cybersecurity and Infrastructure Security Agency (CISA) released another advisory about this ransomware which relies on vulnerabilities in Remote Desktop Protocols (RDP) to gain access to a network. After encrypting the data, a ransom note is left with communication instructions in every folder containing an encrypted file with details of payments to a specific Bitcoin wallet address. Some reports cite figures around 24 victims worldwide identified since January 2023.

Retaining its dominance with over 1000 attacks reported in 2023, LockBit remains the biggest threat in the history of ransomware. They're known for their aggressive tactics and targeting a wide range of organizations, including critical infrastructure. On February 20, 2024, LockBit was taken down by an international operation involving FBI and law enforcement agencies but resurfaced by opening a new data leak portal on the TOR network.

This group emerged in 2023 and has quickly climbed the ranks in ransomware history with about 81 victims under their belt already. Its ransomware evolution is kept under strong observation as it is a new entrant, and their tactics and targets are still unfolding. They're known for targeting large corporations. Advisories are released to inform everyone about this new emerging internet ransomware virus.

Active since 2019, Cl0p is a well-established group known for double extortion tactics. This involves encrypting the victim's data with a strong cipher (often AES-256) and then stealing a copy of the data before encryption. They often threaten to leak it if the ransom isn't paid. They often target companies with revenues exceeding $5 million. Estimates are that CL0P may have compromised over 8,000 organizations globally,

BlackCat is another formidable group that vies for dominance. It uses the strong AES algorithm to encrypt victim's files, making decryption without the key nearly impossible. Their reputation attracts affiliates, and they maintain an extensive attack arsenal. Their attacks have caused significant financial harm to organizations. BlackCat compromised roughly 200 organizations in just a few months spanning between 2021 and 2022.

The Sangfor Solution for Ransomware Attacks

Ransomware is constantly evolving and advancing in its ways to infiltrate networks. While it may seem impossible for individuals to do anything when big companies are breached, people can implement proper cybersecurity measures on a smaller scale to ensure that they won’t be the next victim of a ransomware attack.

Sangfor Technologies is a world-class cybersecurity and cloud computing company that offers intensive and advanced Anti-Ransomware prevention and state-of-the-art IT infrastructure. Ransomware detection and avoidance have never been simpler with this integrated solution that pieces together several advanced Sangfor products:

Sangfor Anti-Ransomware Solution

Sangfor Network Secure, Sangfor Endpoint Secure, and Sangfor Engine Zero together make up the Sangfor security solution for ransomware. The solution uses Sangfor Network Secure, an advanced next-generation network security firewall (NGFW) for comprehensive and integrated surveillance and protection of your entire security network to root out any malicious threats. Together with Sangfor Endpoint Secure (Endpoint Protection Platform), the solution identifies malicious files both at the network level and at endpoints. In addition, with Sangfor Engine Zero, the solution delivers a 99.76% detection rate of known and unknown malware across the internet.

View Product
Sangfor Anti-Ransomware Solution

Sangfor Network Secure: Next-Generation Firewall (NGFW)

Sangfor Network Secure is a Next Generation Firewall (NGFW) offering comprehensive and reliable protection for your organization's network and systems. Its key values include cost-effectiveness, AI and TI-powered security, effortless security operations, and unique features such as cloud deception, WAF, and so on. Sangfor Network Secure is recognized as a ‘Visionary’ vendor in 2022 Gartner Magic Quadrant for the 2nd consecutive year, 8th year in Gartner Magic Quadrant for Network Firewalls, ‘Voice of the Customer’ in Customers Speak through Gartner® Peer Insights™. It is crowned as the 2023 Asia-Pacific Next Generation Firewall Company of the Year by Frost & Sullivan.

View Product
Next-Generation Firewall (NGFW)

Sangfor Cyber Command: Network Detection and Response (NDR) Solution

The groundbreaking network detection and response solution from Sangfor, Cyber Commandprovides automated responses to threats that infiltrate your system. It bolsters an organization's IT security through vigilant monitoring of all network traffic, correlating security events from various sources, and applying AI-based network traffic analysis and behavior analysis, all aided by global threat intelligence. Gartner has recognized Sangfor Technologies with Cyber Command as a representative vendor for NDR in its Market Guide for the second time in a row.

View Product
Cyber Command NDR

Sangfor Endpoint Secure: Endpoint Protection Platform (EPP)

Sangfor Endpoint Secure is a potent ransomware prevention solution as it installs advanced ransomware honeypot technology to quickly identify and kill file encryption processes before major damage is done. It detects suspicious ransomware-related processes and blocks them in as little as 3 seconds to ensure minimal impact on users’ assets. Sangfor Endpoint Secure achieves a detection accuracy rate of 99.83% by deploying ransomware indicators of compromise collected from over 12 million devices.

View Product
Sangfor Endpoint Secure

Frequently Asked Questions

Ransomware is a type of malicious software that encrypts files or locks users out of their systems until a ransom is paid, typically in cryptocurrency. A ransomware attack occurs when a computer or network is infected with ransomware, leading to data encryption or system lockdown until a ransom is paid. Some of the known ransomware examples include WannaCry, NotPetya, Ryuk and so on. Ransomware evolution with advanced techniques for intrusion and ransom extortion is becoming a major threat to organizations worldwide.

There are several different types of ransomwares throughout the ransomware history, each with its unique characteristics and methods of operation. Some of the examples of ransomware types include: 

  • Encrypting Ransomware: CryptoLocker, WannaCry, Locky.
  • Locker Ransomware: Winlocker, Police-themed ransomware.
  • Mobile Ransomware: Android/Simplocker, Pegasus (iOS).
  • Ransomware-as-a-Service (RaaS): Cerber, Satan, Philadelphia.
  • Scareware: Fake antivirus software, tech support scams.
  • Doxware/Leakware: Maze, REvil/Sodinokibi.

Over the evolution of ransomware, cybercriminals have become sophisticated using various methods to infect computers with ransomware. Some common methods include phishing emails, malicious links, exploit kits, malvertising, remote desktop protocol (RDP) attacks, drive-by downloads, file sharing networks, and pirated software.

Some of the most notorious ransomware attacks in ransomware history include: WannaCry attack in 2017 affecting 200,000 computers across 150 countries causing a net loss of $4 billion, NotPetya (Petya) in 2017 causing a loss of $10 billion, Colonial Pipeline attack in 2021 leading to financial losses of $4.4 million, and REvil extorted $200 million between 2019 to 2021.

Ransomware first appeared in the late 1980s, with the earliest documented case being the AIDS Trojan (also known as PC Cyborg) in 1989. This ransomware was distributed via floppy disks and targeted healthcare organizations. The AIDS Trojan encrypted files on infected systems and demanded payment of $189 to a PO Box in Panama to receive a decryption key. Since the first attack, the ransomware evolution has been growing at a faster rate, much faster than what organizations expected.

Early forms of ransomware were relatively simplistic compared to modern variants. Because of the evolution of ransomware over time, they have become more sophisticated and widespread, with advancements in encryption algorithms, distribution methods (such as email phishing and exploit kits), and ransom payment mechanisms (such as Bitcoin and other cryptocurrencies).