Experience the transformative power of zero trust.
Get the full report
What is Zero Trust?
What is Security Service Edge (SSE)?
What is Secure Access Service Edge (SASE)?
What is Zero Trust Network Access (ZTNA)?
What is Secure Web Gateway (SWG)?
What is Cloud Access Security Broker (CASB)?
What is a Cloud Native Application Protection Platform (CNAPP)?
Zero Trust Resources
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Transform your organization with 100% cloud native services
Propel your business with zero trust solutions that secure and connect your resources
Stop Cyberattacks
Protect Data
Zero Trust App Access
VPN Alternative
Accelerate M&A Integration
Optimize Digital Experiences
Zero Trust SD-WAN
Build and Run Secure Cloud Apps
Zero Trust Cloud Connectivity
Zero Trust for IoT/OT
Zero Trust for Private 5G
Find a product or solution
Find a product or solution
Learn how Zscaler delivers zero trust with a cloud native platform built on the world’s largest security cloud.
Propel your transformation journey
Achieve your business and IT initiatives
A typical ransomware attack happens in four phases.
The first phase, delivery, is usually carried out by a phishing email designed to entice a user to open it. The email often appears to be from a trusted source, such as a well-known brand. Shipping companies, banks, and large retailers are commonly “spoofed” in phishing emails with messages about a delay in delivery, fraudulent purchases, low balances, and so on.
These emails are designed to look like they’re from familiar senders, but they include malicious files such as PDFs or Google Drive links. These files contain malware loaders that, once the file is opened, drop the malicious content onto the victim’s system and set up the attack.
In the next phase, exploitation, the attack spreads once the malware has been successfully loaded. This phase typically begins after the recipient opens an email attachment that transmits malware to a device.
If the infected device is on a network, the malware identifies the domain controller with which the device is communicating. Once identified, it steals credentials, allowing it to move throughout the network and infect other devices.
The next phase is the callback, wherein the malware payload attempts to communicate with its command-and-control (C2) servers where the stolen data is sent.
The C2 servers then send the payload instructions on how to carry out the final phase: detonation. During this phase, the malware steals data and installs the ransomware, encrypting and locking the system or data so an individual or company can’t access it. The victim typically has a limited amount of time to pay the ransom before the data is lost forever, and sometimes, the ransom demands increase in the hours before the payment is due.
If the ransom is paid, victims are supposed to get a decryption key that allows them to retrieve their data back, but they don’t always get the key—and even when they do, it doesn’t always work.
In recent attacks, some criminals have begun stealing the data before encrypting it, and then threatening to expose it. This way, even if victims have good backups, they're more likely to pay the ransom.
Cybersecurity and Infrastructure Security Agency
Ransomware may be the tool of choice among today’s cybercriminals, but it’s not new. In fact, it’s been around in various forms for decades.
The first known ransomware was introduced in 1989 by Dr. Joseph Popp. He mailed floppy disks titled "AIDS Information Introductory Diskette" to World Health Organization AIDS conference attendees in Stockholm. These disks contained malicious code that installed itself onto MS-DOS systems and began counting the number of times users started up their machines.
On the 90th time, Dr. Popp’s trojan hid all the directories and encrypted all the files on the drive, making them unusable. Victims then saw a note claiming to be from PC Cyborg Corporation stating that the owner’s software lease had expired and that they had to send $189 to an address in Panama to regain access.
The next wave of ransomware-style cyberattacks was dubbed "scareware." Users would receive a warning about a catastrophic error on their computer, followed by a command to pay for and download software to clean or fix their device. Of course, the software was merely more malware designed to steal information from the computer.
As file sharing became more popular, another common form of ransomware developed, dubbed the Police Locker attack. Often hidden on peer-to-peer download sites or websites hosting pirated or adult material, this attack would change the user's desktop to display a note claiming that law enforcement had locked the computer due to suspected illegal activity. Fear led many victims to pay a few hundred dollars to have their computers unlocked. However, in many of these attacks, the locker could have been removed by simply restarting the system.
Among the myriad types of ransomware and ransomware groups, some of the most common and well-known are:
So, how safe are you against ransomware attacks? Run a free Internet Threat Exposure Analysis to find out.
Paul Webber, Senior Director Analyst, Gartner
In the beginning, ransom demands were typically a few hundred dollars because the targets were still mostly home users. Victims of ransomware would pay with standard currency, meaning the criminals responsible had a much greater chance of being identified.
The rise of cryptocurrencies—digital currencies based on anonymity and encryption—has seen a reversal of fortune for these attackers. Cryptocurrencies such as bitcoin make transactions nearly impossible to trace, allowing bad actors to cover their tracks.
Ransomware as a service is a byproduct of ransomware's popularity and success. Like many legal SaaS offerings, RaaS tools are usually subscription-based. They're often inexpensive and readily available on the dark web, providing a platform for anyone—even those without programming skills—to launch an attack. If a RaaS attack is successful, the ransom money is divided between the service provider, the coder, and the subscriber.
This is the age-old question when it comes to ransomware. To pay, or not to pay?
Of course, many organizations are willing to pay given the risk of their data being exposed, but is that the right way to handle the situation? Gartner data says that “80% of (organizations who pay) suffer another ransomware attack.” Perhaps it’s not a best practice to pay, but what’s the alternative—letting the bad actors expose your data to the world?
Unfortunately, there’s no definite correct answer. Gartner analyst Paul Proctor effectively asserts that it’s up to you: “It comes down to when business outcomes are impacted by the lack of the stolen data. The organization must weigh if the business loss is worth rolling the dice on making a payment.”
You only need to check the news every other day to understand how ransomware is impacting businesses across all industries. But, in case you’ve been living under a rock, here are some of the ways which ransomware can hurt your bottom line:
You Will Lose Money and/or Data
The most obvious complication brought on by ransomware lies in the fact that those who deploy it are seeking to hold your data hostage (hence “ransom”) until you pay them a sum of money for its return. This factor alone plays into a dangerous catch-22 for your business, particularly if you work in healthcare, the public sector, finance, or other industries housing boatloads of sensitive data.
If you ignore a bad actors’ demands, you risk exposing your data to the public, or worse, to other threat groups who will pay large sums for it. But, even if you pay the ransom, odds are you will not get your data back. This is why ransomware prevention is key.
Your Reputation Will Suffer
Whether you choose to pay the ransom or not, you're obligated to report the crime, and eventually, your organization will end up on a headline. Many have experienced this already, and the list will continue to grow as long as ransomware keeps evolving and companies keep failing to prepare for it.
Often, businesses who fall victim to ransomware lose business due to a loss of trust from their customers. While the company may not be 100% to blame, it’s likely that’s where customers and potential consumers will pin it.
You May Face Legal Repercussions
Yes, paying the ransom on a ransomware attack is illegal. In a 2020 ruling, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in most cases.
As if the loss of data and capital and the harm to public image weren’t bad enough, legal fees may also cost you as a result of ransomware.
Gartner has named “new ransomware models” as the top risk organizations face. According to the firm's Emerging Risks Monitor Report, concerns about ransomware have become even greater than those about the pandemic.
If it wasn’t clear before, it’s clear now—you need to know not only how to prepare for a ransomware attack, but how to prevent one altogether.
Stopping every ransomware attack that comes your way is impossible, but through rigorous due diligence, awareness training, and with the right technology, you can minimize the threat these attacks pose to your business.
Ransomware can be ousted, but it must be done carefully and cautiously by following a step-by-step process.
Step 1. Isolate the Infected Device
This means disconnecting said device from any wired or wireless connections to quarantine the ransomware and prevent it from spreading. Be sure to immediately remove the malware from the system if the ransom hasn’t been demanded yet.
Step 2. Find Out What Kind of Ransomware You’re Dealing With
With the help of a security professional or tool, learn which strain of ransomware needs to be removed. This knowledge will give you a better understanding of how to mitigate the ransomware that’s made its way into your system.
Step 3. Remove the Ransomware
Remove the infection from your hard drive with a ransomware removal tool, the help of an IT security professional, or your own manual process. Then, use a ransomware decryptor or decryption tool to retrieve the encrypted data being held hostage.
Step 4. Restore the System with a Backup
Use a system store or recover files from the compromised OS. As a part of this process, it’s important to ensure that you’ve backed your data up, as this will be the only way to access it once ransomware has encrypted it. This is a best practice for ransomware and data breaches alike.
To keep up with the ever-evolving and ever-looming threat of ransomware, you need an effective anti-ransomware strategy, including principles and tools that:
Pairing modern solutions with a proactive defensive approach is widely regarded as the most effective ransomware protection model in today's cybersecurity playbook.
Zscaler offers cloud native ransomware protection to secure organizations against ransomware through the Zscaler Zero Trust Exchange™, a platform that:
With an AI-driven sandbox quarantine built on a cloud native proxy architecture, files can be quarantined and fully analyzed before delivery, virtually eliminating the risk of patient zero infections. In contrast to legacy passthrough approaches, suspicious or never-before-seen files are guaranteed to be held for analysis and will not reach your environment.
A cloud native, AI-driven solution like Zscaler Cloud Sandbox (part of the Zero Trust Exchange) delivers benefits beyond those of legacy anti-malware solutions, including:
2. Inspects All Encrypted Traffic
Zscaler operates a cloud native proxy architecture that lets you perform complete SSL inspection at scale without worrying about performance or expanding the processing power of costly appliances.
Using a global cloud distributed across more than 150 data centers on six continents, SSL traffic can be thoroughly inspected for hidden ransomware threats with no dips in performance—even if user bandwidth dramatically increases.
3. Follows Off-Network Connections
The Zero Trust Exchange can deliver the two aforementioned strategies—AI-driven sandbox quarantine and complete SSL inspection—to users regardless of their location or device. Every connection over any network gets identical protection to uncover and thwart both known and unknown threats, keeping your organization free from patient zero ransomware infections.
This approach to preventing ransomware starts with user connections being secured. Off network users simply add Zscaler Client Connector, our lightweight endpoint agent, to their laptops or mobile devices (with support for Android, iOS, macOS, and Windows) to enjoy the protection of the same security tools, policy enforcement, and access controls they would get in your headquarters.
Any way you slice it, ransomware attack prevention starts with zero trust and the Zero Trust Exchange.
The State of Encrypted Attacks 2021
Download the reportThree Secrets to Stopping Ransomware Cold
Watch the webinarRansomware in 2022: What You Need to Know and How to Prepare
Watch the webinarThe World’s Most Effective Ransomware Protection
Learn moreHow to Protect Your Data from Ransomware and Double-Extortion
Read the blog
