What Is Ransomware? - Definition, Prevention & More | Proofpoint US


Table of Contents

  • Ransomware Definition
  • History of Ransomware Attacks
  • How Ransomware Works and Spreads
  • Types of Ransomware
  • Examples of Ransomware
  • Ransomware Statistics
  • Ransomware Trends
  • Stages of a Ransomware Attack
  • Ransomware’s Impact on Business
  • Why You Shouldn’t Pay Ransomware
  • Steps for Responding to an Attack
  • New Ransomware Threats
  • Ransomware Prevention and Detection
  • Ransomware Survival Guide
  • Ransomware FAQs

Ransomware Definition

Ransomware is a sophisticated form of malware designed to hold your data hostage, effectively locking you out of your files and systems. It encrypts your data using complex algorithms, making it inaccessible without a unique decryption key that only the attackers possess. To regain access, you must pay a ransom, often demanded in cryptocurrency, to maintain the attacker’s anonymity.

Modern ransomware has evolved beyond simple encryption, with emerging types like crypto-ransomware and CryptoWall raising the stakes. Some variants now employ a double extortion technique (ransomware 2.0), encrypting your data and threatening to leak sensitive information if the ransom isn’t paid. This adds extra pressure, particularly for businesses concerned about reputational damage or regulatory compliance.

Ransomware attacks have become increasingly prevalent, targeting organizations of all sizes across various industries. From small businesses to major corporations, no one is immune. These attacks often come with strict deadlines, adding urgency to a stressful situation. If you don’t pay in time, you might lose your data forever or face an increased ransom demand.

While the temptation to pay the ransom can be strong, especially when critical data is at stake, many government agencies, including the FBI, advise against it. Paying the ransom encourages future attacks and doesn’t guarantee the safe return of your data. In fact, about half of the victims who pay the ransom are likely to encounter repeat attacks, mainly when the initial infection isn’t thoroughly cleaned from the system.


History of Ransomware Attacks

Ransomware can be traced back to 1989, when the “AIDS virus” was used to extort funds from ransomware recipients. Payments for that attack were mailed to Panama, at which point a decryption key was sent back to the user.

In 1996, Columbia University’s Moti Yung and Adam Young introduced the concept of ransomware known as “cryptoviral extortion.” This idea, born in academia, showed how the strength of modern cryptographic tools could be turned against a victim. Young and Yung presented the first cryptovirology attack at the 1996 IEEE Security and Privacy Conference. Their virus carried the attacker’s public key and used it to encrypt the victim’s files. The malware then prompted the victim to send the resulting asymmetric ciphertext to the attacker, who would decrypt it and return the decryption key, for a fee.

Attackers have grown creative over the years by requiring nearly untraceable payments, helping cyber criminals remain anonymous. For example, the notorious mobile ransomware Fusob requires victims to pay using Apple iTunes gift cards instead of standard currencies, like dollars.

Ransomware attacks began to soar in popularity with the growth of cryptocurrencies, such as Bitcoin. Cryptocurrency is a digital currency that uses encryption techniques to verify and secure transactions and control the creation of new units. Beyond Bitcoin, there are other popular cryptocurrencies that attackers prompt victims to use, such as Ethereum, Litecoin, and Ripple.

Ransomware has attacked organizations in nearly every vertical; one of the most famous incidents was the attack on Presbyterian Memorial Hospital, which infected labs, pharmacies, and emergency rooms and highlighted the potential damage and risks of ransomware.

Social engineering attackers have become more innovative over time. The Guardian wrote about a case in which new ransomware victims were told to get two other users to install the malicious link, and to pay a ransom, in order to decrypt their own files.

Related reading: Locky ransomware; Presbyterian Memorial Hospital ransomware attack.

How Ransomware Works and Spreads

Ransomware blocks access to data or systems until a ransom is paid, primarily through encryptors (file encryption) or screen lockers (system lockdown). Attackers demand cryptocurrency payments for decryption keys, though success rates vary. Businesses are frequent targets due to higher payout potential, with attacks often starting via phishing emails or voice scams (vishing).

Infection and Spread Mechanisms:

  • Phishing and social engineering: Deceptive emails trick users into opening malicious attachments or links. These emails often mimic trusted sources, exploiting urgency or authority to bypass scrutiny. Once activated, ransomware spreads across connected networks.
  • Remote Desktop Protocol (RDP) exploits: Poorly secured RDP connections, especially in remote work environments, allow attackers to infiltrate systems. Compromised credentials or unpatched vulnerabilities grant them direct access to deploy ransomware.
  • Exploitable vulnerabilities: Outdated software or unpatched systems provide easy entry points. Attackers scan for weaknesses in firewalls, operating systems, or applications to install ransomware silently.
  • Infected USB drives: Physical devices loaded with malware bypass network defenses. Inserting an infected USB can trigger automatic ransomware installation, spreading to other connected systems.
  • Malvertising and exploit kits: Compromised online ads or websites redirect users to malicious domains. These kits automatically probe devices for vulnerabilities to deliver ransomware payloads.

After initial access, ransomware encrypts files and exfiltrates data for double extortion. Attackers increasingly threaten regulatory leaks or partner disruptions to pressure payments. Cryptocurrency anonymity, remote work expansions, and reliance on legacy systems fuel ransomware’s prevalence. Proactive measures—like zero-trust frameworks and employee training—are critical to counter evolving threats.

Types of Ransomware

The growing prevalence of ransomware has brought about increasingly complex ransomware attacks.

  • Scareware: This common type of ransomware displays a fake warning message claiming detection of malware on the victim’s computer. These attacks are often disguised as an antivirus solution demanding payment to remove the nonexistent malware. While scareware might seem less threatening, it can still cause significant stress and financial loss. It’s crucial to verify the legitimacy of any security warnings you receive and to rely on reputable antivirus software.
  • Screen lockers: These programs are designed to lock the victim out of their computer, preventing them from accessing files or data. A message is typically displayed that demands payment to unlock it. Screen lockers can be incredibly disruptive, making your entire system unusable. Having a data backup and knowing how to safely boot your system to bypass the lock screen is essential.
  • Encrypting ransomware: Also called “crypto-ransomware,” this common ransomware encrypts the victim’s files and demands payment in exchange for a decryption key. This type of ransomware can be devastating, rendering all your files inaccessible. Regular backups and robust cybersecurity measures are your best defense against encrypting ransomware.
  • DDoS extortion: A Distributed Denial of Service extortion threatens to launch a DDoS attack against the victim’s website or network unless a ransom payment is fulfilled. The threat of DDoS extortion can be particularly damaging for businesses that rely heavily on their digital presence. It’s crucial to implement DDoS protection and have a well-prepared incident response plan in place to effectively mitigate this threat.
  • Mobile ransomware: As the name suggests, mobile ransomware targets devices like smartphones and tablets and demands payment to unlock the device or decrypt the data. Mobile ransomware is becoming a growing concern with the mounting use of mobile devices across personal and business purposes. Regularly updating your mobile operating system and being cautious about app downloads can help protect you from this threat.
  • Doxware: While less common, this sophisticated ransomware threatens to publish sensitive, explicit, or confidential information from the victim’s computer unless a ransom is paid. Also known as leakware, this form of ransomware adds increased pressure by threatening your privacy or reputation. Implementing robust data protection measures and being cautious about what information you store digitally can help mitigate the risk of doxware.
  • Ransomware-as-a-Service (RaaS): Cyber criminals offer ransomware programs to other hackers or cyber-attackers who use such programs to target victims. RaaS has streamlined the accessibility of such threats, making ransomware attacks more prevalent. This model operates similarly to legitimate software-as-a-service businesses, providing customer support and regular updates to its criminal clientele.

These are just some of the most common types of ransomware. As cyber criminals adapt to cybersecurity strategies, they pivot to new and innovative ways to exploit vulnerabilities and breach computer systems.

Examples of Ransomware

The following notable ransomware attacks give organizations a solid understanding of each attack’s tactics, exploits, and characteristics. While ransomware code, targets, and functions vary, innovation from one attack to the next is typically incremental.

  • WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread. Proofpoint identified the sample used to find the kill switch and deconstructed the ransomware. Learn more about how Proofpoint helped stop WannaCry.
  • CryptoLocker: First detected in 2013, CryptoLocker ransomware used RSA encryption and demanded Bitcoin payments. It spread through phishing emails disguised as FedEx/UPS tracking notices via the Gameover ZeuS botnet. Law enforcement disabled its infrastructure in 2014 and released a decryption tool after attackers extorted millions from victims. Modern variants like 2023’s CryptoLocker 2.0 mimic these tactics but target USB drives and Bitcoin wallets.
  • NotPetya: Considered one of the most damaging ransomware attacks, NotPetya borrowed tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows system. NotPetya exploited the same vulnerability as WannaCry to spread rapidly and demanded payment in Bitcoin to undo its changes. Some classify it as a wiper, since NotPetya cannot actually undo its changes to the master boot record, which leaves the target system unrecoverable.
  • Bad Rabbit: Considered a cousin of NotPetya, using similar code and exploits to spread, Bad Rabbit was a visible ransomware that appeared to target Russian and Ukrainian media companies. Unlike NotPetya, Bad Rabbit did allow for decryption if the ransom was paid. Most cases indicated that it was spread via a fake Flash player update that impacted users via a drive-by attack.
  • REvil: REvil is authored by a group of financially motivated attackers. It exfiltrates data before encryption so that victims who refuse to pay for decryption can still be blackmailed with the threat of a leak. Its best-known attack stemmed from compromised IT management software used to patch Windows and Mac infrastructure: attackers compromised Kaseya’s software and used it to push the REvil ransomware onto corporate systems.
  • Ryuk: Ryuk is a manually distributed ransomware application mainly used in spear-phishing. Targets are carefully chosen using reconnaissance. Email messages are sent to chosen victims, and all files hosted on the infected system are then encrypted.

Ransomware Statistics

  • 59% of organizations experienced a ransomware attack in 2024, with 70% of incidents resulting in data encryption, according to Sophos’ The State of Ransomware 2024.
  • Ransomware payments skyrocketed to record highs in 2024. The median ransomware payment surged from less than $200k in early 2023 to $1.5 million in June 2024, according to IBM’s top ransomware stories of 2024.
  • 88% of breaches at small businesses stemmed from ransomware, while 64% of victims refused to pay—a 14% increase from 2023, according to Verizon’s latest Data Breach Investigations Report (DBIR).
  • 32% of attacks exploited unpatched vulnerabilities (Sophos), while 68% of employees knowingly engaged in risky behaviors, enabling phishing—a top ransomware vector, according to Proofpoint’s 2024 State of the Phish report.
  • Cybersecurity Ventures predicts $57 billion in global damages for 2025, escalating to $275 billion annually by 2031 as attacks occur every two seconds.

Ransomware Trends

Ransomware tactics have intensified in sophistication and impact, driven by evolving criminal strategies and shifting defense measures. Key trends reshaping the threat landscape include:

1. Surging Attack Volumes

2024 saw a record 5,263 ransomware attacks—the highest since 2021—with a 25% year-over-year increase in disclosed incidents. Groups like LockBit and RansomHub dominated, while newcomers exploited unpatched vulnerabilities in critical sectors like healthcare and manufacturing.

2. Double and Triple Extortion as Standard

Ninety-three percent of ransomware attacks now involve data exfiltration, with 43% of victims paying ransoms to prevent leaks, according to BlackFog. Attackers increasingly combine encryption with threats to release stolen data or disrupt third-party partnerships, as seen in a 2024 UK healthcare breach exposing 300M patient records.

3. Faster, More Targeted Attacks

Negotiations now begin within hours of infiltration, with attackers using AI-driven phishing and insider threats to bypass defenses. Small-to-midsize businesses (SMBs) faced 41.53% of attacks, as threat actors shifted from high-profile targets.

4. Ransomware-as-a-Service (RaaS) Proliferation

“The professionalization of the ransomware economy is growing as Ransomware-as-a-Service (RaaS) has not only significantly lowered the barriers for even novices to execute a cyberattack successfully but has also connected security researchers with ransomware groups,” summarizes Christian Have, CTO at Logpoint.

5. Targeting Critical Infrastructure

Ransomware attacks on critical infrastructure continue to surge, with industrial, healthcare, and manufacturing sectors facing heightened risk. According to the IT-ISAC, out of approximately 3,500 ransomware incidents tracked last year, 20% targeted critical manufacturing, followed by commercial facilities, healthcare, IT, and financial services.

6. Government Countermeasures

Governments worldwide have stepped up efforts to disrupt ransomware operations through coordinated law enforcement actions and new regulations. In 2024, international operations such as Europol’s Operation Endgame dismantled over 100 servers and 2,000 domains used for ransomware distribution, while the U.S. Department of the Treasury, in partnership with the UK and Australia, sanctioned individuals and entities linked to major cyber crime groups like Evil Corp.

Stages of a Ransomware Attack

While each ransomware attack may have unique characteristics, most follow a similar pattern. Here’s a breakdown of the typical stages:

  1. Initial breach: The attack begins when cyber criminals enter your system. This access could happen through a phishing email, an exploited vulnerability, or even a careless click on a malicious link. It’s like leaving a window open in your house—attackers always look for these entry points.
  2. Establishing a foothold: Once inside, the attackers work to solidify their position. They might install additional malware or create backdoors for future access. Think of it as the intruders setting up camp in your attic without you knowing.
  3. Reconnaissance: Now comfortable in your system, the attackers start exploring. They’re looking for valuable data, understanding your network structure, and identifying potential targets. It’s akin to a burglar quietly moving through your home, checking each room for valuables.
  4. Privilege escalation: Attackers seek to increase their system privileges to gain more control. They’re essentially trying to get the master key to your house, allowing them access to previously off-limits areas.
  5. Data harvesting: With elevated access, the attackers begin collecting sensitive information. They might copy files, steal credentials, or extract valuable data. This stage is like the thieves filling their bags with your most prized possessions.
  6. Preparation for attack: Before launching the ransomware, attackers often take steps to ensure maximum impact. This could involve disabling security software or deleting backups. It’s the equivalent of cutting your phone lines so you can’t call for help.
  7. Ransomware deployment: Finally, the ransomware is activated. Files are encrypted, systems are locked, and the ransom demand appears. It’s the moment when you realize your house has been ransacked and the thieves have left a note demanding payment for the return of your assets.

Ransomware attacks can move quickly through these stages, sometimes in a matter of hours. Staying vigilant and having robust security measures in place at each potential stage of attack is crucial for protecting your organization’s digital assets.
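As an added example (not code from the Proofpoint page), the following Python flags stages 6 and 7 above in constructed endpoint telemetry: a backup tool invoked with a delete action (preparation), and one process renaming many files to a single new extension within a short window (deployment, which is how bulk encryption looks to a file-activity sensor). The event schema, the tool list, the `.locked` extension and the thresholds are assumptions chosen for illustration, not a real product's rule set.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tools that manage shadow copies and backup catalogs. A "delete" action from
# them is rare outside planned maintenance and is the classic signal for the
# "preparation for attack" stage (deleting backups). Assumed list.
BACKUP_TOOLS = {"vssadmin.exe", "wbadmin.exe", "wmic.exe"}
DELETE_RE = re.compile(r"\bdelete\b", re.IGNORECASE)

# Assumed thresholds for the "deployment" stage: one process renaming this
# many files to one new extension inside this window.
RENAME_WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 20
DOMINANT_SHARE = 0.9


def flag_backup_tampering(events):
    """Return (pid, cmdline) for process-creation events that delete backups."""
    hits = []
    for ev in events:
        if ev["type"] != "proc":
            continue
        image = PureWindowsPath(ev["image"]).name.lower()
        if image in BACKUP_TOOLS and DELETE_RE.search(ev["cmdline"]):
            hits.append((ev["pid"], ev["cmdline"]))
    return hits


def flag_rename_bursts(events):
    """Return {pid: new_extension} for processes that mass-rename files to a
    single new extension within RENAME_WINDOW (sliding window per process)."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev["type"] == "rename":
            by_pid[ev["pid"]].append(ev)
    flagged = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window fits in RENAME_WINDOW
            while evs[end]["ts"] - evs[start]["ts"] > RENAME_WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) < RENAME_THRESHOLD:
                continue
            # encryption appends or swaps an extension; ordinary renames keep it
            new_exts = Counter(PureWindowsPath(e["new"]).suffix.lower()
                               for e in window
                               if PureWindowsPath(e["new"]).suffix.lower()
                               != PureWindowsPath(e["old"]).suffix.lower())
            if not new_exts:
                continue
            ext, count = new_exts.most_common(1)[0]
            if ext and count / len(window) >= DOMINANT_SHARE:
                flagged[pid] = ext
                break
    return flagged


def build_sample_events():
    """Constructed telemetry (not real logs): a shadow-copy deletion, a benign
    shadow-copy listing, a benign photo rename job, and a process renaming
    25 documents to one new extension within 25 seconds."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    events = [
        {"type": "proc", "ts": t0, "pid": 4120,
         "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin delete shadows"},
        {"type": "proc", "ts": t0 + timedelta(seconds=5), "pid": 4130,
         "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin list shadows"},
    ]
    for i in range(5):  # benign: extension unchanged, few files
        events.append({"type": "rename", "ts": t0 + timedelta(seconds=10 + i),
                       "pid": 2200, "old": rf"C:\Users\a\Pictures\IMG_{i}.jpg",
                       "new": rf"C:\Users\a\Pictures\holiday_{i}.jpg"})
    for i in range(25):  # suspicious: many files, one new extension, fast
        events.append({"type": "rename", "ts": t0 + timedelta(seconds=20 + i),
                       "pid": 4141, "old": rf"C:\Users\a\Documents\report_{i}.docx",
                       "new": rf"C:\Users\a\Documents\report_{i}.docx.locked"})
    return events


def run_detection(events):
    """Run both detectors; returns a dict a SIEM rule or a test can assert on."""
    return {"backup_tampering": flag_backup_tampering(events),
            "rename_bursts": flag_rename_bursts(events)}


if __name__ == "__main__":
    result = run_detection(build_sample_events())
    for pid, cmd in result["backup_tampering"]:
        print(f"[ALERT] pid {pid}: backup tampering via '{cmd}'")
    for pid, ext in result["rename_bursts"].items():
        print(f"[ALERT] pid {pid}: mass rename to '{ext}' (possible encryption)")
```

The backup-tampering signal usually fires minutes before the rename burst, which is the window in which isolating the host (see the response steps below) still prevents most of the damage.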

Ransomware’s Impact on Business

A business that falls victim to ransomware can lose thousands of dollars in productivity and data loss. Attackers with access to data blackmail victims into paying the ransom by threatening to release data and expose the data breach. Organizations that do not pay fast enough could experience additional side effects such as brand damage and litigation. The impact of ransomware extends beyond immediate financial losses, potentially causing long-term damage to a company’s operations and reputation.

Since ransomware stops productivity, the first step is containment. After containment, the organization can either restore from backups or pay the ransom. However, paying the ransom doesn’t guarantee data recovery and may encourage future attacks. Restoring from backups, while often the recommended approach, can still result in significant downtime and potential data loss.

Law enforcement gets involved in investigations, but tracking ransomware authors requires research time that delays recovery. This delay can exacerbate the financial impact, as every hour of downtime translates to lost revenue and productivity. Additionally, the involvement of law enforcement may lead to public disclosure of the attack, further damaging the company’s reputation.

Root-cause analysis identifies the vulnerability but may also delay recovery. Once the immediate crisis is managed, businesses often face substantial costs in upgrading their security infrastructure to prevent future attacks. This may include investing in advanced cybersecurity solutions, employee training programs, and hiring additional IT security personnel.

The aftermath of an attack can have lasting effects on a business. Customer trust may be eroded, potentially leading to loss of business. In regulated industries, companies may face fines or legal action for failing to protect critical data. The psychological impact on employees shouldn’t be underestimated either, as the stress and uncertainty of an attack can affect morale and productivity long after systems are restored.

Why You Shouldn’t Pay Ransomware

After ransomware encrypts files, it displays a screen to the user announcing that files are encrypted and the ransom amount. Usually, the victim is given a specific period of time to pay, or the ransom increases. Attackers also threaten to expose businesses and publicly announce that they were victims of ransomware.

The most significant risk of paying the ransom is never receiving the decryption keys. Most experts advise against paying the ransom, to avoid perpetuating the monetary benefit to attackers, but many organizations feel they have no choice. Ransomware authors require cryptocurrency payments, so the money transfer cannot be reversed.

Steps for Responding to an Attack

The payload from ransomware is immediate. The malware displays a message to the user with instructions for payment and information on what happened to the files. Administrators must react quickly, because ransomware may spread by scanning other network locations for critical files. You can take a few basic steps to properly respond to ransomware; note that expert intervention is usually required for root-cause analysis, cleanup, and investigations.

  • Determine which systems are impacted. You must isolate systems so that they cannot affect the rest of the environment. This step is part of containment to minimize damage to the environment.
  • Disconnect systems and power them down if necessary. Ransomware spreads rapidly across the network, so affected systems must be cut off by disabling their network access or powering them down.
  • Prioritize the restoration of systems. This ensures that the most critical ones are returned to normal first. Typically, priority is based on productivity and revenue impact.
  • Eradicate the threat from the network. Attackers might use backdoors, so a trusted expert must perform eradication. The expert needs access to logs to perform a root-cause analysis that identifies the vulnerability and all impacted systems.
  • Have a professional review the environment for potential security upgrades. It’s common for a ransomware victim to be a target for a second attack. Undetected vulnerabilities can be exploited again.

New Ransomware Threats

Authors constantly change code into new variants to avoid detection. Administrators and anti-malware developers must keep up with these new methods to detect threats quickly before propagating across the network. Here are a few new threats:

  • DLL side-loading. A legitimate, usually digitally signed executable is placed next to a malicious DLL that carries the name of a library the executable expects to load, often a Windows system DLL. Because Windows searches the application's own directory before the system directories, the executable loads the attacker's code, which then runs under the cover of a trusted process name and signature and is easy for anti-malware to overlook.
  • Web servers as targets. Malware on a shared hosting environment can affect every site hosted on the server. Ransomware such as Ryuk has been reported hitting hosted sites, with phishing email as the main delivery channel.
  • Spear-phishing is preferred over standard phishing. Rather than sending malware to thousands of recipients, attackers perform reconnaissance to pick targets whose accounts carry high-privilege network access.
  • Ransomware-as-a-Service (RaaS) lets affiliates launch attacks without developing malware or having deep technical knowledge: the developer supplies the payload and payment infrastructure in exchange for a share of the ransom. The introduction of RaaS has increased the number of ransomware attacks.
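The DLL side-loading technique described above leaves a recognisable trace in module-load telemetry. As an added example (not Proofpoint's code or part of the original page), the following Python prototype hunts for it in constructed image-load records of the kind Sysmon Event ID 7 or an EDR exports: a DLL whose name belongs in the Windows system directory is loaded from somewhere else, especially from the loading executable's own directory or a user-writable path. The record format and the list of commonly hijacked DLL names are assumptions made for the example, not a complete or vendor-supplied list.

```python
"""Hunt for DLL side-loading in module-load telemetry.

Signal: a DLL whose *name* legitimately lives in the Windows system directory
is loaded from another location, most suspiciously from the same directory as
the executable that loaded it, from a user-writable path, or unsigned.
The record format and the DLL-name list are assumptions for this example.
"""
from dataclasses import dataclass
import ntpath  # Windows path handling that works on any host OS

# System DLL names frequently planted beside a signed executable so that the
# search order picks the attacker's copy first (example list, not exhaustive).
SYSTEM32_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll",
    "dwmapi.dll", "uxtheme.dll", "winmm.dll", "msimg32.dll", "iphlpapi.dll",
}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass
class ImageLoad:
    host: str
    process_image: str   # executable that loaded the module
    image_loaded: str    # full path of the DLL
    signed: bool


def parse(line: str) -> ImageLoad:
    """Constructed format: host|process_image|image_loaded|signed(true/false)."""
    host, proc, dll, signed = line.rstrip("\n").split("|")
    return ImageLoad(host, proc, dll, signed.strip().lower() == "true")


def classify(ev: ImageLoad):
    """Return (severity, reasons) for a suspicious load, or None when benign."""
    dll_path = ev.image_loaded.lower()
    name = ntpath.basename(dll_path)
    if name not in SYSTEM32_DLLS or dll_path.startswith(WINDOWS_DIRS):
        return None
    reasons = [f"{name} loaded from outside the Windows directory"]
    severity = "medium"
    if ntpath.dirname(dll_path) == ntpath.dirname(ev.process_image.lower()):
        reasons.append("same directory as the loading executable (search-order hijack)")
        severity = "high"
    if any(hint in dll_path for hint in USER_WRITABLE_HINTS):
        reasons.append("user-writable location")
        severity = "high"
    if not ev.signed:
        reasons.append("module is unsigned")
        severity = "high"
    return severity, reasons


def hunt(lines):
    """Return (host, process, dll, severity, reasons) for every suspicious load."""
    findings = []
    for ev in map(parse, lines):
        verdict = classify(ev)
        if verdict:
            findings.append((ev.host, ev.process_image, ev.image_loaded, *verdict))
    return findings


def build_sample_log():
    """Constructed events: two benign loads followed by two side-loading patterns."""
    return [
        "WS-017|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\System32\\version.dll|true",
        "WS-017|C:\\Program Files\\Vendor\\App.exe|C:\\Program Files\\Vendor\\vendorlib.dll|true",
        # a signed updater copied to Temp beside an unsigned fake version.dll
        "WS-042|C:\\Users\\bo\\AppData\\Local\\Temp\\OneDriveUpdater.exe|"
        "C:\\Users\\bo\\AppData\\Local\\Temp\\version.dll|false",
        # a system DLL name relocated into a writable tools folder next to its loader
        "SRV-03|C:\\ProgramData\\Tools\\diag.exe|C:\\ProgramData\\Tools\\dbghelp.dll|true",
    ]


if __name__ == "__main__":
    for finding in hunt(build_sample_log()):
        print(finding)
```

The second finding illustrates the main false-positive class: debugging and diagnostic tools legitimately redistribute a signed dbghelp.dll beside their own executable, so a "high" verdict on a signed module should be confirmed by checking who signed it before the host is treated as compromised. Unsigned system-named DLLs in a user profile, as in the first finding, are rarely benign.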

A primary driver of the increase in ransomware is remote work. An at-home workforce is far more exposed: home users lack the enterprise-grade controls needed to stop sophisticated attacks, and many mix personal and work devices on the same network. Since ransomware scans the local network for vulnerable devices, a personal computer infected with malware can go on to infect business devices connected to the same network, or reach the corporate network over a VPN.

Ransomware Prevention and Detection

Ransomware prevention typically involves setting up backups and regularly testing that they restore, together with enabling ransomware protection in existing security tools. Email protection gateways are the first line of defense, since email is the main delivery vector; endpoint protection is the second. Intrusion detection systems (IDSs) can flag ransomware command-and-control traffic, alerting when an infected system calls out to a control server. User training is critical, but it is only one of several layers: it comes into play at the point where a phishing email has already reached the user.

If other ransomware defenses fail, some organizations keep a fallback in the form of a Bitcoin reserve so that a ransom can be paid quickly. This is most common where immediate harm could reach customers or the public: hospitals and the hospitality industry are at particular risk, because patients' lives can be affected or people can be locked in or out of facilities. Paying is a last resort, not a recovery plan. It does not guarantee a working decryptor or the deletion of stolen data, it may be restricted by sanctions regulations in some jurisdictions, and it marks the organization as a target willing to pay.

How to Prevent Ransomware Attacks

  • Defend your email against ransomware: Email phishing and spam are the primary ways ransomware is distributed. Secure email gateways with targeted attack protection are crucial for detecting and blocking the malicious attachments, documents and URLs in emails that deliver ransomware to user computers.
  • Defend your mobile devices against ransomware: Combined with mobile device management (MDM) tools, mobile attack protection products can analyze the applications on user devices and immediately alert users and IT to any application that could compromise the environment.
  • Defend your web browsing against ransomware: Secure web gateways can scan users' web traffic to identify malicious ads and downloads that would lead them to ransomware.
  • Monitor your servers and network, and back up critical systems: Monitoring tools can detect unusual file access patterns (bursts of renames or writes), known malware, network C&C traffic and abnormal CPU load in time to stop ransomware before it finishes encrypting. Keeping full image backups of critical systems, stored offline or otherwise isolated from the production network, reduces the risk that a crashed or encrypted machine becomes a critical operational bottleneck.
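The monitoring point above ("unusual file access activities") and the first response step earlier on this page (determining which systems are impacted) come down to the same question: which process, on which host, is rewriting files in a way no user does? As an added example (not Proofpoint's code or part of the original page), this Python prototype applies three well-known ransomware indicators to constructed endpoint file-event lines: a burst of renames to one new extension, the creation of a ransom-note-style file, and any write to a canary file on a share. The log format, thresholds, canary path and note-name pattern are assumptions chosen for the example.

```python
"""Flag ransomware-like file activity in endpoint file-event logs.

Indicators, each a well-known ransomware behaviour:
  1. one process renames many files to a single new extension in a short burst,
  2. a process drops a ransom-note-style text file,
  3. any write or rename touches a canary (honey) file that nobody should modify.
The log format, thresholds, canary path and note-name pattern are assumptions
made for this example, not vendor defaults.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath  # Windows path handling that works on any host OS
import re

RENAME_BURST = 20                 # renames to one new extension ...
WINDOW = timedelta(seconds=30)    # ... inside this sliding window
NOTE_NAME = re.compile(r"(decrypt|recover|restore|ransom).*\.(txt|html|hta)$", re.I)
CANARY_PREFIXES = (r"\\fs01\shared\.canary" + "\\",)   # assumed honey directory


@dataclass
class FileEvent:
    ts: datetime
    host: str
    process: str
    action: str         # create | write | rename
    path: str
    new_path: str = ""  # rename only


def parse(line: str) -> FileEvent:
    """Constructed format: ISO-timestamp|host|process|action|path[|new_path]."""
    f = line.rstrip("\n").split("|")
    return FileEvent(datetime.fromisoformat(f[0]), f[1], f[2], f[3], f[4],
                     f[5] if len(f) > 5 else "")


def ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def detect(lines):
    """Return alert tuples in firing order. A rename burst fires once per
    (host, process, new extension), so encrypting 10,000 files is one alert."""
    alerts, fired = [], set()
    renames = defaultdict(deque)   # (host, process) -> deque of (ts, new_ext)
    canaries = tuple(p.lower() for p in CANARY_PREFIXES)
    for ev in map(parse, lines):
        key = (ev.host, ev.process)
        if ev.action in ("write", "rename") and ev.path.lower().startswith(canaries):
            alerts.append(("canary_touched", ev.host, ev.process, ev.path))
        if ev.action == "create" and NOTE_NAME.search(ntpath.basename(ev.path)):
            alerts.append(("ransom_note", ev.host, ev.process, ev.path))
        if ev.action == "rename" and ext(ev.new_path) != ext(ev.path):
            q = renames[key]
            q.append((ev.ts, ext(ev.new_path)))
            while q and ev.ts - q[0][0] > WINDOW:
                q.popleft()
            target = ext(ev.new_path)
            count = sum(1 for _, e in q if e == target)
            if count >= RENAME_BURST and (key, target) not in fired:
                fired.add((key, target))
                alerts.append(("rename_burst", ev.host, ev.process, target, count))
    return alerts


def impacted_hosts(alerts):
    """Containment input: the distinct hosts that raised any alert."""
    return sorted({a[1] for a in alerts})


def build_sample_log():
    """Constructed telemetry: normal edits, a backup job below threshold, and a
    ransomware-like burst by 'svchost32.exe' on WS-042."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    at = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    lines = [
        f"{at()}|WS-017|WINWORD.EXE|write|C:\\Users\\ana\\Documents\\budget.docx",
        f"{at(seconds=5)}|WS-017|explorer.exe|rename|C:\\Users\\ana\\notes.txt|C:\\Users\\ana\\notes.md",
    ]
    lines += [f"{at(seconds=10 + i)}|FS01|backup.exe|rename|D:\\data\\rpt{i}.xlsx|D:\\data\\rpt{i}.bak"
              for i in range(5)]
    lines += [f"{at(minutes=1, seconds=i // 3)}|WS-042|svchost32.exe|rename|"
              f"C:\\Users\\bo\\Documents\\f{i}.pdf|C:\\Users\\bo\\Documents\\f{i}.pdf.locked"
              for i in range(25)]
    lines.append(f"{at(minutes=1, seconds=9)}|WS-042|svchost32.exe|create|"
                 "C:\\Users\\bo\\Documents\\HOW_TO_RECOVER_FILES.txt")
    lines.append(f"{at(minutes=1, seconds=10)}|WS-042|svchost32.exe|rename|"
                 r"\\fs01\shared\.canary\payroll.xlsx|\\fs01\shared\.canary\payroll.xlsx.locked")
    return lines


if __name__ == "__main__":
    found = detect(build_sample_log())
    for alert in found:
        print(alert)
    print("isolate:", impacted_hosts(found))
```

The rename burst is the strongest of the three signals; the note-name pattern is deliberately broad and should carry less weight on its own, and the canary check only works if the honey files sit where ransomware enumerates shares before real data. In production the thresholds need tuning against backup, archiving and bulk-conversion jobs, which produce legitimate extension churn at lower rates.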

Ransomware Survival Guide

Ransomware attackers collected, on average, $115,123 per incident in 2019, but costs soared to $312,493 in 2020. One recorded event cost an organization $40 million. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand.


Ransomware FAQs

Is Ransomware a Virus?

Ransomware and computer viruses are both forms of malware, but ransomware is not a virus. A virus is defined by self-replication: it copies itself into other files or programs. Most ransomware does not self-replicate; it is delivered (typically by phishing or through a compromised remote-access service) and then encrypts data. The notable exception is ransomware bundled with a worm component, such as WannaCry, which spread on its own across networks. Viruses and ransomware both damage files, but they behave differently once the payload runs.

What Is the WannaCry Ransomware Attack?

WannaCry (May 2017) combined ransomware with a worm. It spread rapidly across the internet by exploiting a vulnerability in Microsoft Windows SMBv1 (the EternalBlue exploit, addressed by the MS17-010 update Microsoft had released two months earlier), so unpatched systems were infected without any user action. It encrypted files with strong cryptography and demanded a ransom in Bitcoin in exchange for the private key needed to decrypt them. Because the files could not be decrypted without that key, victims without backups were left to choose between paying and losing the data. The lasting lesson for defenders is patch management: systems with MS17-010 applied were not exposed to the worm component.

What Is DarkSide Ransomware?

DarkSide is the name of both a criminal group and the ransomware it operated as ransomware-as-a-service (RaaS), with affiliates carrying out the intrusions. The malware double-extorts its targets: it demands one payment for the decryption key and a second payment to withhold publication of sensitive data exfiltrated before encryption. Initial access commonly comes through servers exposing the Remote Desktop Protocol (RDP), whose passwords are brute-forced to gain a foothold on the machine and its local files before the attackers move through the rest of the network.
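Brute forcing an exposed RDP service, as described above, is loud in the Windows Security log: a run of Event ID 4625 failures from one source address, sometimes followed by a 4624 success. As an added example (not Proofpoint's code or part of the original page), the following Python prototype applies that correlation to constructed logon records, distinguishing a single-account brute force from a password spray across many accounts and escalating when the same source then logs on successfully. Logon type 10 is RemoteInteractive (RDP); RDP servers with Network Level Authentication record the credential check as logon type 3, so both are counted. The record format and the thresholds are assumptions for the example.

```python
"""Detect RDP password brute force and spraying from Windows Security events.

Inputs are Event ID 4625 (failed logon) and 4624 (successful logon) records
reduced to the fields that matter. Logon type 10 is RemoteInteractive (RDP);
servers with Network Level Authentication log the credential check as type 3,
so both are counted. Thresholds and the record format are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10               # failures from one source ...
WINDOW = timedelta(minutes=5)     # ... inside this sliding window
SPRAY_MIN_USERS = 5               # distinct accounts that make it a spray
RDP_LOGON_TYPES = {"3", "10"}


@dataclass
class LogonEvent:
    ts: datetime
    event_id: str      # "4625" failure, "4624" success
    logon_type: str
    source_ip: str
    target_user: str


def parse(line: str) -> LogonEvent:
    """Constructed format: ISO-timestamp|event_id|logon_type|source_ip|target_user."""
    ts, eid, ltype, ip, user = line.rstrip("\n").split("|")
    return LogonEvent(datetime.fromisoformat(ts), eid, ltype, ip, user.lower())


def detect(lines):
    """Return alerts in firing order; each source is reported once per kind."""
    failures = defaultdict(deque)   # source_ip -> deque of (ts, target_user)
    alerts, flagged = [], set()
    for ev in map(parse, sorted(lines)):
        if ev.logon_type not in RDP_LOGON_TYPES:
            continue                # console and service logons are out of scope
        q = failures[ev.source_ip]
        while q and ev.ts - q[0][0] > WINDOW:
            q.popleft()
        if ev.event_id == "4625":
            q.append((ev.ts, ev.target_user))
            if len(q) >= FAIL_THRESHOLD and ev.source_ip not in flagged:
                flagged.add(ev.source_ip)
                users = {u for _, u in q}
                kind = "password_spray" if len(users) >= SPRAY_MIN_USERS else "brute_force"
                alerts.append((kind, ev.source_ip, len(q), len(users)))
        elif ev.event_id == "4624" and ev.source_ip in flagged and q:
            # a success from a source still inside its failure window is a
            # probable compromise, not a forgetful user
            alerts.append(("success_after_failures", ev.source_ip, ev.target_user))
    return alerts


def build_sample_log():
    """Constructed records: a brute force that succeeds, a user mistyping a
    password, console failures that are ignored, and a password spray."""
    t0 = datetime(2024, 3, 1, 2, 0, 0)
    at = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    lines = [f"{at(seconds=10 * i)}|4625|10|198.51.100.23|administrator" for i in range(12)]
    lines.append(f"{at(seconds=120)}|4624|10|198.51.100.23|administrator")
    lines += [f"{at(minutes=2, seconds=i)}|4625|10|203.0.113.9|jsmith" for i in range(3)]
    lines += [f"{at(minutes=3, seconds=i)}|4625|2|10.0.0.5|svc_backup" for i in range(15)]
    lines += [f"{at(minutes=5, seconds=i)}|4625|3|192.0.2.77|user{i:02d}" for i in range(10)]
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Blocking the source address after the first alert is the cheap win, but the "success_after_failures" alert is the one that should page someone: at that point the attacker has a valid credential, and the right response is to disable the account, kill the session and look for lateral movement rather than just reset a password. The more durable fix is not to expose RDP to the internet at all and to require MFA on remote access.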

How Long Does It Take to Recover From Ransomware?

Recovery time varies widely with the extent of the damage, the quality of the organization's disaster recovery plan, how fast the intrusion was detected, and how long containment and eradication take. Without good, tested backups and a rehearsed disaster recovery plan, an organization can stay offline for days, a severe revenue-impacting event.

Get Ahead of Tomorrow’s Threats with Proofpoint

Anticipating the nature of certain cyber threats helps organizations identify where their defenses are weak and which protective measures to prioritize. Most organizations are more resilient through layered strategies that leverage detection and prevention technologies, real-time threat intelligence, and user-focused training programs to reduce the risk of attacks via email and cloud environments. As threats like phishing, BEC, ransomware, and credential theft evolve, it’s important to have the right mix of tools and processes to keep your data and your people protected. Take ownership to protect against threats and make strides to improve your cybersecurity effectiveness.

Leverage the capabilities trusted by 83 of the Fortune 100 companies. Contact Proofpoint to learn more.

© 2026. All rights reserved.