Zscaler Announces Intent to Acquire Airgap Networks to extend Zero Trust SASE

Learn More

What Are Ransomware Attacks?

Ransomware attacks are a type of malware attack in which threat actors may encrypt files, exfiltrate (steal) data and threaten to publish it, or both, to coerce the victim into making a ransom payment, usually in cryptocurrency. Attackers generally promise to provide decryption keys and/or delete stolen data once paid. Ransomware has become a highly popular means of extortion by cybercriminals as remote and hybrid work models have exposed endpoints to new vulnerabilities.

Get the Zscaler ThreatLabz 2023 Ransomware Report

How Do Ransomware Attacks Work?

A typical ransomware attack sequence looks like this:

Initial Compromise

Many ransomware attacks begin with phishing emails, often masquerading as messages from trusted retailers, banks, or other entities regarding delivery delays, fraudulent purchases, low balances, and so on. Such emails include infected files or links that, when opened, drop malicious software onto the victim’s computer or mobile device to set up an attack.

Lateral Movement

Once malware infects a device, the attack spreads. If the infected device is on a network, the malware will attempt to compromise a domain controller or otherwise steal credentials that enable it to move laterally throughout the network and infect other devices.


The malware will execute once it has sufficient access, exfiltrating and/or stealing the victim’s data. Finally, the victim will receive a ransom demand, typically with a time limit before the data is sold, leaked, or unrecoverable. If the victim pays, they’re supposed to receive a decryption key that lets them retrieve their data, but they don’t always—and even when they do, it doesn’t always work.

Consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network.

Cybersecurity and Infrastructure Security Agency

How Have Ransomware Attacks Evolved?

Ransomware began in 1989, when attendees of an international AIDS conference received “AIDS Information” floppy disks laden with a trojan virus. After 90 system reboots on an infected system, the trojan would hide all directories, encrypt all files on the infected hard drive, and display a note from "PC Cyborg Corporation" requesting a $189 payment to an address in Panama to restore access.

The next wave of ransomware-style cyberattacks came in the early 1990s with “scareware,” so called for its use of fear-based social engineering techniques. Infected computers would display an error message, followed by an offer to buy and download software to fix the issue. Of course, the software was more malware, often designed to steal data.

The rise of file sharing popularized a category of ransomware called police lockers, screen lockers, or simply lockers. Often hidden on sites hosting peer-to-peer downloads or adult content, lockers would display a message explaining that the system had been locked (frequently citing a law enforcement or government agency such as the FBI, suspected illegal activity, etc.) until the user paid a fine. Many lockers simply restricted mouse movement, and a system restart could restore normal functions, but fear led many victims to pay.

The Link Between Ransomware and Cryptocurrency

Early on, ransom demands typically peaked at a few hundred dollars from individual users. Moreover, ransom payments were usually made with ordinary payment cards, making the transactions far easier to track and the threat actors easier to catch.

Today, innovations in cybercrime and crypto technology have helped ransomware explode in popularity. In particular, bitcoin and other cryptocurrency—digital currency based on anonymity and encryption—have enabled bad actors to cover their tracks by making transactions nearly untraceable.

Ransomware as a Service (RaaS)

A byproduct of that heightened popularity and success, RaaS tools are often subscription-based and inexpensive, just like legal SaaS offerings. Many are readily available on the dark web, and they enable even people without programming skills to launch a cyberattack and earn a portion of its gains.

Double Extortion Ransomware

Eventually, better data backup and decryption technology began to move the needle in victims’ favor. In response, in 2019, a criminal group called TA2102 perpetrated the first high-profile double extortion ransomware attack, both encrypting and exfiltrating the victim’s data before threatening to leak it unless paid US$2.3 million in bitcoin. This way, even if the victim had managed to restore their data, they would still suffer a severe data breach unless they paid.

Encryption-less Ransomware

In 2022 and 2023, an insidious trend emerged that redefined ransomware at its core. Both an evolution and a sort of regression, encryption-less ransomware attacks don’t encrypt victims’ files. Instead, attackers focused only on exfiltrating sensitive data as leverage for extortion.

Victims of these attacks tend to be in industries that handle highly sensitive PII, such as the legal and healthcare sectors. Because their key concern is preventing leaks of their sensitive data, many will pay the ransom regardless of encryption. Because the data isn’t encrypted, it’s quicker and easier to recover, often translating to faster ransom payouts.

Learn more about encryption-less ransomware and other trends in the Zscaler ThreatLabz 2023 Ransomware Report.

Types/Examples of Ransomware Attacks

Among the myriad types of ransomware and ransomware groups, some of the most common and well-known are:

  • CryptoLocker: This ransomware, characterized by its strong encryption and massive botnet, was so successful in 2013 and 2014 that it continues to inspire copycat attacks.
  • Dridex: A prominent trojan known for stealing banking credentials via phishing emails, it’s associated with types of ransomware like WastedLocker, BitPaymer, and DoppelPaymer.
  • WannaCry: A cryptoworm that targets the Microsoft Windows operating system, it has impacted more than 300,000 systems (and counting) worldwide since its release in 2017.
  • NotPetya: Surfacing soon after WannaCry, NotPetya first appeared to be ransomware, but was actually virulent ”destructionware” credited to the Russian hacker group Sandworm.
  • Ryuk: This ransomware strain has been tied to a number of groups that have impacted the healthcare industry, the public sector, and education, particularly US school systems.
  • REvil: Notorious for breaches in the legal, entertainment, and public sectors, REvil launched a barrage of attacks between May 2020 and October 2021, including the Kaseya VSA attack.
  • DarkSide: This variant, responsible for the 2021 Colonial Pipeline attack, is one of the most famous examples of double extortion ransomware. This attack is typically utilized as a service.
  • GandCrab: VirusTotal’s 2021 Ransomware in a Global Context report cited GandCrab as the most prevalent ransomware attack, accounting for 78.5% of samples taken for the report.

How safe are you against ransomware attacks? Run a free Internet Threat Exposure Analysis to find out.

What Are the 7 Main Ransomware Attack Vectors?

Ransomware attackers are always working to find new ways to innovate their attacks, but several strategies stand out as the most popular (and effective) means of infiltrating systems. These are the most common ransomware attack vectors:

  • Phishing: Deceptive emails or similar messages, usually laden with infected links or attachments, trick users into letting ransomware onto their system.
  • Drive-by downloads: Attackers exploit software, OS, or browser vulnerabilities to enable stealthy downloads of ransomware when victim interact with compromised websites or links.
  • Software vulnerabilities: Attackers exploit weaknesses in applications or systems, giving them entry points into a network, where they can deploy ransomware directly.
  • Malicious websites: Attackers create fake or copycat sites that users mistake for legitimate ones, which host ransomware that they entice visitors into downloading under false pretenses.
  • Watering hole attacks: Attackers compromise legitimate websites used by their intended victims, and then use social engineering to trick visitors into downloading ransomware.
  • Remote Desktop Protocol (RDP) attacks: Hackers gain illicit access to RDP connections, generally by cracking or stealing login credentials, to deploy ransomware directly onto a target network.
  • Malvertising (malicious advertising): Attackers place infected ads on otherwise legitimate website, which infect systems with ransomware when victims interact with the ad.

Should You Pay the Ransom?

Many a ransomware victim’s most difficult question: “To pay, or not to pay?”

Many organizations are willing to pay to protect their data, but is that the right decision? Multiple reports since 2021 have found that some 80% of organizations that do so still suffer a repeat attack. Beyond that, as Zscaler CISO Brad Moldenhauer put it, “There is a real argument to be made that paying digital ransoms could aid and abet terrorism and certainly does so for cybercrime.”

There are other angles to consider, as well:

  • There’s no guarantee you’ll recover all your data—assuming that was the attacker’s intent to begin with (read about NotPetya).
  • In some circumstances and jurisdictions, paying a ransom is illegal. Read more.
  • In the case of double extortion, even if your remediation efforts recover your data, choosing not to pay means letting the threat actors expose your data to the world.

Often, the choice comes down to your organization’s unique circumstances, including how your operations, users, and customers are affected by a breach and the possibility that you won’t recover your data.

What Are the Effects of Ransomware on Businesses?

Ransomware is impacting organizations of all kinds worldwide, with more attacks each year, and it can have ill effects on revenue, public opinion, and more.

Lost Capital and/or Data

Making the choice between losing data and losing money is a dangerous dilemma, particularly in industries that handle sensitive data. If you ignore ransom demands, you risk a data leak. And even if you pay, there’s no guarantee you’ll get your data back.

Reputational Damage

Whether you pay or not, you're obligated to report the crime, which can lead to media coverage. When attacks hit the news, victim organizations risk losing business, customer trust, or both, even if the organizations themselves are arguably not at fault.

Legal Repercussions

In a growing number of US states, paying a ransom is illegal in most cases, and other jurisdictions worldwide are considering the same. In addition, a breach can result in added regulatory scrutiny, which may lead to fines and other legal costs.

Steps to Take to Remove Ransomware

Ransomware can be overcome, but you have to take it a step at a time:

Step 1: Isolate infected devices, disconnecting them from any wired or wireless connections—even disconnecting them from AC power, if necessary—to help prevent the ransomware infection from spreading. If you discover ransomware before it executes, you may be able to remove it from the system before the attacker can make a ransom demand.

Step 2: Find out what you’re facing and if a decryptor tool exists, which may help you recover encrypted data. You shouldn’t count on it, however. Decryptors are often ineffective against sophisticated ransomware, and they won’t help much in the case of double extortion.

Step 3: Recover your lost data, usually by restoring it from a backup. Maintaining regular backups is the only way to guarantee you can recover all your data once it’s encrypted. If for any reason you cannot recover your data, carefully consider the potential legal and financial consequences before complying with any ransom demands.

Step 4: Remove the ransomware with the help of a security professional, who should conduct a thorough root cause investigation to determine the vulnerability that enabled the attack.

Step 5: Evaluate the cause of the infection and take steps to shore up your defenses wherever they failed, whether that’s a backdoor exploit, a flaw in your email filtering, a lack of sufficient user training, or something else. Repeat attacks can and do happen, and you can be better prepared.

Ransomware Prevention Is Key

The reality is that once your data is encrypted or exfiltrated, one way or another, you lose. That’s why prevention is the real key to ransomware defense.

Stopping every ransomware attack that comes your way is likely impossible, but with due diligence, cybersecurity awareness training, and the right technology, you can minimize your risk. You need an effective anti-ransomware strategy, including principles and tools that:

  • Use an AI-driven sandbox to quarantine and inspect suspicious content
  • Inspect all TLS/SSL-encrypted traffic
  • Implement always-on protection by following off-network connections

Pairing modern solutions with a proactive defensive approach is widely regarded as the most effective ransomware protection model in today's cybersecurity playbook.

How Zscaler Can Help

Zscaler offers cloud native ransomware protection to secure organizations against ransomware through the Zscaler Zero Trust Exchange™, a platform that:

Uses AI-Driven Sandbox Quarantine

Zscaler can quarantine and fully analyze suspicious or never-before-seen files before delivery, virtually eliminating the risk of patient zero infections. In contrast to legacy passthrough approaches, such files won’t reach your environment unless first deemed safe.

A cloud native, AI-driven solution like Zscaler Sandbox (part of the Zero Trust Exchange) delivers benefits beyond those of legacy antivirus/anti-malware solutions, including:

  • Complete control over quarantine actions, with granular policy defined by groups, users, and content type
  • Real-time security verdicts on unknown files powered by machine learning
  • Fast, secure file downloads, with any files identified as malicious marked for quarantine

Inspects All Encrypted Traffic

Zscaler operates a cloud native proxy architecture that lets you perform full TLS/SSL inspection at scale without worrying about the performance limitations of costly appliances. 

Using a global cloud distributed across more than 150 data centers on six continents, the Zscaler cloud thoroughly inspects TLS/SSL traffic for hidden ransomware threats with no dips in performance—even if user bandwidth dramatically increases.

Follows Off-Network Connections

The Zero Trust Exchange delivers AI-driven sandboxing and TLS/SSL inspection to users anywhere, on any device. Every connection over any network gets identical protection to uncover and thwart both known and unknown cyberthreats, keeping your organization free from patient zero ransomware infections.

This approach to preventing ransomware starts with user connections being secured. Off network users simply add Zscaler Client Connector, our lightweight endpoint agent, to their laptops or mobile devices (with support for Android, iOS, macOS, and Windows) to enjoy the protection of the same tools, policy enforcement, and access controls they would get at headquarters.

Effective ransomware attack prevention starts with the Zero Trust Exchange. Want to find out more? Visit our platform page or request a custom demo.

Suggested Resources


What's the Most Common Type of Ransomware Attack?

Most ransomware attacks start with phishing. Threat actors often use deceptive emails, messages, or websites to trick users into downloading malware or divulging login credentials. These techniques are effective because they exploit human vulnerabilities, not technological ones, making them difficult for traditional security measures to detect.

How Is Ransomware Typically Delivered?

Ransomware can be delivered through various vectors, with phishing being most common. Another method, called drive-by download, automatically downloads ransomware to a victim's system when they visit a compromised or malicious website. Attackers may also use exploit kits, which target known software vulnerabilities to deliver ransomware. Some attackers even use fraudulent ads, even on legitimate websites, to lure victims.

How Does a Ransomware Attack Start?

Ransomware attacks most often start when a victim interacts with a malicious link, website, or file, or surrenders privileged information through phishing. Once ransomware is installed on a victim's system, it will exfiltrate and/or encrypt files, and then send a ransom demand promising an exchange for the decryption key or surrender of stolen data.

How Do I Know If I’m the Victim of a Ransomware Attack?

Various telltale signs can indicate you’ve been hit with ransomware. The most obvious are a sudden inability to access files, or receipt of a ransom message. Less obvious signs could be changes to file extensions, additional files appearing on the system, or out-of-the-ordinary network traffic or encryption activity. If you notice any of these, you should disconnect from the internet and immediately consult your IT or security team.

What Do I Do if I Believe My System Has Been Infected by Ransomware?

If you suspect you’ve fallen victim to ransomware, you should immediately take several steps to prevent the spread of the infection. Isolate infected devices by disconnecting them from the internet and network, powering them down if needed. Next, reach out to your IT or security team or other trusted professional, who can help you determine if decryption is possible, restore data from a backup, and potentially remove the ransomware. Finally, you’ll need to evaluate what led to the ransomware infection and shore up your defenses accordingly.

How Serious Is a Ransomware Attack?

Any organization should consider a ransomware attack serious if the organization, its clients, or its employees have anything to lose. Both money and data are at risk the moment ransomware is executed in your environment, and depending on your response, you could face reputational damage, legal repercussions, fines, sanctions, and more.

What Is an Example of a Ransomware Attack?

There are many ransomware families and notable ransomware attacks. One example, the Ryuk ransomware, has targeted healthcare, public sector, and education organizations worldwide. Delivered via phishing emails, Ryuk encrypts victims' files and demands a ransom in exchange for the decryption key. Although not as notorious as massive attacks like NotPetya and WannaCry, Ryuk has nonetheless seen great success in extorting payments from its victims.

What Is the Greatest Ransomware Attack?

One of the most damaging ransomware attacks in history was the May 2017 WannaCry attack. It affected hundreds of thousands of computers in more than 150 countries, affecting critical infrastructure from healthcare to government agencies as well as other businesses. WannaCry encrypted files and demanded ransoms in bitcoin. While far from the first widespread ransomware attack, it was the first to reach such a devastating global scale of disruption.