
What is Ransomware?

Ransomware is one of the most pervasive, impactful, and costly forms of cyber threats. Once deployed, it exfiltrates sensitive data allowing the attacker to threaten public disclosure, and prevents victims from interacting with their files, applications or systems until a ransom is paid. Contemporary ransomware can quickly spread throughout an organization, impairing business-critical systems and essential public services. The continued success of ransomware attacks underscores the critical importance of adhering to regulatory frameworks and best practices to prevent, detect, and respond to ransomware attacks more effectively.

How does ransomware work?

In a ransomware attack, malicious software infiltrates a computer system, encrypts the victim’s data, and demands a ransom payment for the decryption key to restore access to the data. Often, attackers use previously compromised credentials to log in rather than initiating a hack. The attack might begin with the delivery of ransomware through phishing emails, malicious attachments, compromised websites, or by exploiting vulnerabilities in software and systems. From there, attackers can move laterally within an organization, pivoting to servers and compromising more credentials. The impact can be widespread and go well beyond the initial compromise.

Once executed, the ransomware encrypts files on the infected system using algorithms that are difficult to break without the decryption key, rendering the data inaccessible to the user. The ransom note is often displayed on the victim’s screen with instructions on how to pay, usually via cryptocurrency like Bitcoin. The attackers may threaten to delete the data, increase the ransom amount, or publish sensitive information publicly if the ransom is not paid within a specified time frame. Victims may attempt to restore data from backups, if available, or seek professional help to decrypt the files. However, attackers almost always attempt to exfiltrate data; even if companies have backed up their data, the threat of publication can often compel cooperation.

Once the ransom is paid, victims might receive a decryption key to unlock the files. Paying the ransom does not guarantee that the attackers will provide the decryption key or that they will not attack again.
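The encryption phase described above leaves a recognisable trace in endpoint file-activity telemetry: one process rewriting many files to a new extension in seconds, followed by a ransom-note file. The following is an added example, not CyberArk code, that implements that behavioural check over constructed log records (format, process names and paths are all assumptions made for the example):

```python
"""Behavioural detection of ransomware-style mass file encryption.

Added example, not CyberArk code. It scans constructed endpoint
file-activity records (ISO timestamp|pid|image|event|path) for two
hallmarks of the encryption phase: a single process changing the extension
of many files in a short window, and the creation of a ransom-note-like file.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings commonly seen in ransom-note file names (assumption, not a vendor list).
RANSOM_NOTE_HINTS = ("decrypt", "readme", "restore_files", "how_to")


def parse_event(line: str) -> dict:
    """Parse one pipe-delimited record. RENAME events carry 'old>new' in the path field."""
    ts, pid, image, event, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image, "event": event, "path": path}


def extension_of(path: str) -> str:
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=20):
    """Flag processes that change the extension of >= threshold files within one window.

    Bulk extension changes by one process (e.g. *.xlsx -> *.xlsx.locked) are a
    strong encryption-in-progress signal; ordinary applications rename a few
    files at a time.
    """
    per_proc = defaultdict(list)
    for e in events:
        if e["event"] != "RENAME" or ">" not in e["path"]:
            continue
        old, new = e["path"].split(">", 1)
        if extension_of(old) != extension_of(new):
            per_proc[(e["pid"], e["image"])].append((e["ts"], extension_of(new)))

    alerts = []
    for (pid, image), items in per_proc.items():
        items.sort()
        best, best_exts, start = 0, set(), 0
        for end in range(len(items)):           # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            size = end - start + 1
            if size > best:
                best, best_exts = size, {ext for _, ext in items[start:end + 1]}
        if best >= threshold:
            alerts.append({"pid": pid, "image": image, "count": best,
                           "new_ext": sorted(best_exts)})
    return alerts


def detect_ransom_notes(events) -> list:
    """Return CREATE events whose file name looks like a ransom note."""
    hits = []
    for e in events:
        name = e["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if e["event"] == "CREATE" and any(h in name for h in RANSOM_NOTE_HINTS):
            hits.append(e)
    return hits


def constructed_events() -> list:
    """Constructed telemetry: normal activity plus a 30-file encryption burst."""
    lines = [
        "2024-05-01T09:00:01|4120|WINWORD.EXE|WRITE|C:\\Users\\alice\\report.docx",
        "2024-05-01T09:00:05|4120|WINWORD.EXE|RENAME|C:\\Users\\alice\\~tmp1.tmp>C:\\Users\\alice\\report.docx",
        "2024-05-01T09:02:00|2210|explorer.exe|RENAME|C:\\Users\\alice\\old.txt>C:\\Users\\alice\\old.md",
    ]
    base = datetime(2024, 5, 1, 9, 10, 0)
    for i in range(30):   # one unknown binary rewriting a whole folder in 15 seconds
        ts = (base + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{ts}|7781|updater.exe|RENAME|C:\\Users\\alice\\Documents\\f{i}.xlsx"
                     f">C:\\Users\\alice\\Documents\\f{i}.xlsx.locked")
    lines.append("2024-05-01T09:10:20|7781|updater.exe|CREATE|C:\\Users\\alice\\Documents\\HOW_TO_DECRYPT.txt")
    return [parse_event(line) for line in lines]


EVENTS = constructed_events()

if __name__ == "__main__":
    for a in detect_mass_rename(EVENTS):
        print(f"ALERT mass rename: {a['image']} (pid {a['pid']}) changed {a['count']} files to {a['new_ext']}")
    for e in detect_ransom_notes(EVENTS):
        print(f"ALERT ransom note candidate: {e['path']} by {e['image']}")
```

Tuning note: the window and threshold are the trade-off between catching a slow encryptor and flagging legitimate batch jobs (archivers, document converters), so in practice they are set per host role and the alert is correlated with other signals such as an unsigned or newly seen process image.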

Ransomware is costly and damaging

Over the years, ransomware attacks have increased in complexity, scope and scale. Today’s ransomware actors are highly sophisticated and organized, with many well-funded “ransomware gangs” backed by criminal syndicates or rogue nation-states.

Around 73% of global organizations were victimized by ransomware attacks in 2023. The average total cost of a ransomware breach is $5.3 million. Recent headline-making ransomware incidents include:

  • An attack against an oil pipeline operator by the DarkSide ransomware syndicate that caused supply disruptions, panic buying and gasoline shortages in several U.S. states.
  • An attack by the Clop ransomware group that exploited a vulnerability in the MOVEit Transfer tool, impacting numerous large organizations across various sectors.
  • An attack by the ALPHV/BlackCat group that targeted two of the biggest U.S. hotel and casino chains, shutting down infrastructure and operations and costing millions.

Ransomware can damage a company’s reputation and result in revenue loss, regulatory fines, legal settlements and other expenses. Worse still, it can disrupt critical infrastructure and threaten public health and safety.

Ransomware is big business

Ransomware is incredibly lucrative for cybercriminals. In 2023, nearly 80% of ransom payments were $1 million or more, reflecting a shift toward targeting larger organizations with higher ransom demands. This surge was driven by large-scale Ransomware as a Service (RaaS) operations that make it easy for anyone with internet access to orchestrate a ransomware attack. With a RaaS “business model,” a ransomware “service provider” sells or leases malware services to “affiliates” who carry out attacks. The affiliates require no special knowledge, dedicated IT infrastructure or tools to perpetrate an advanced attack.

In 2024, ransomware attacks have continued to escalate in both frequency and complexity, with over 2,500 tracked ransomware attacks in the first half of 2024 alone and more than 14 publicly claimed attacks every day.

Many cybercriminals are no longer content simply to hold data for ransom. Many now carry out double extortion schemes, threatening to publicly disclose stolen data if victims don’t pay up quickly. Double and triple extortion schemes, which may add distributed denial of service (DDoS) attacks to the data-leak threat, up the ante, subjecting organizations to additional business loss, reputational damage, legal exposure and fines.

Regulations and cyber insurance

Governments and industry regulators worldwide are taking notice and issuing guidelines to defend critical infrastructure against ransomware and other attacks. In 2021, the Biden administration issued an executive order intended to strengthen the nation’s cybersecurity, and several European and Asia-Pacific nations introduced laws intended to protect essential infrastructure against ransomware and other cyber threats. Cyber insurance providers are taking notice as well. In response to rising ransomware claims, most insurers are raising rates, adding exclusions and slashing payouts. According to the Global Insurance Market Index, U.S. cyber insurance prices skyrocketed 79% in 2022 and were up 11% in the first quarter of 2024.

Effective compliance strategies include implementing strong access controls, regular data backups, and incident response plans, all of which contribute to reducing the impact of attacks and maintaining data integrity and availability.

How to prevent ransomware

Conventional endpoint security tools like anti-virus software don’t adequately protect against modern ransomware attacks. Traditional anti-virus solutions use signature patterns to identify and block known malware variants. But contemporary ransomware continuously morphs and can’t be detected using signature-based methods; it is impossible for traditional endpoint security vendors to keep pace with the evolving ransomware landscape. Similarly, once data is exfiltrated and encrypted, endpoint detection and response (EDR) tools can do very little to assist beyond providing forensics.

Ransomware attacks follow common patterns of other data breaches: an attacker gains a foothold in a network and then escalates privileges to spread malware to other parts of the organization. To defend against modern ransomware, organizations should take a multi-layered, defense-in-depth approach to security, including robust identity security controls to contain breaches and blast radius. By combining flexible identity and access management (IAM) capabilities like multi-factor authentication (MFA) methods with comprehensive endpoint identity security controls and privileged access management (PAM) solutions, organizations can launch an effective anti-ransomware strategy.

Endpoint identity security can be used to continuously authenticate the user on the endpoint with strong MFA, enforce role-based least privilege and tightly control the behavior of untrusted applications, thus defusing both known and unknown ransomware variants. Used in conjunction with endpoint detection and response (EDR) solutions, endpoint privilege management solutions can prevent privilege escalation and contain threats to the endpoint. An endpoint privilege manager can also remove local admin rights from endpoints for additional defense against ransomware. (Some ransomware strains exploit privileged accounts and link Windows admin accounts to carry out attacks.)

Organizations can also use PAM solutions to enforce the principle of Least Privilege and minimize the blast radius of ransomware. PAM solutions help stop the spread of malware with session protection and isolation. PAM solutions also let organizations discover, manage and secure the privileged accounts used to access an organization’s most sensitive systems—those that would be most impacted by a ransomware attack. They help organizations mitigate credential theft and abuse by rotating and updating privileged credentials based on policy. The best PAM solutions support single sign-on (SSO) functionality and MFA to positively confirm privileged user identities, eliminate poor password hygiene and prevent unauthorized access.
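The two preceding paragraphs argue that removing local admin rights and rotating privileged credentials shrink the blast radius of a foothold. The following added example, not CyberArk code, makes that measurable with a small constructed model of five hosts: which accounts are admins on each host, and which credentials are cached there. It assumes a simplified rule that harvesting a host’s cached credentials requires local admin on that host, and that a shared local admin credential works on every host while a per-host rotated one works on only one. Host names, account names and the layout are all constructed for the example.

```python
"""Blast-radius model for credential-based lateral movement.

Added example, not CyberArk code. The attacker starts with code execution as
a standard user on one workstation. Every host where a held credential has
admin rights is taken, and its cached credentials are harvested (simplified
rule: credential dumping needs local admin). The model is then re-run after
two least-privilege controls: removing standard users from local admin
groups, and replacing the shared local admin credential with a unique,
vault-rotated one per endpoint.
"""
from copy import deepcopy

STANDARD_USERS = {"alice", "bob", "carol"}

# Constructed environment (not real hosts): admins = accounts with local admin
# rights; cached = credentials recoverable from memory/registry on that host.
HOSTS = {
    "WS01": {"admins": {"alice", "LocalAdmin"},                     "cached": {"alice", "LocalAdmin"}},
    "WS02": {"admins": {"LocalAdmin", "svc_backup"},                "cached": {"bob", "LocalAdmin", "svc_backup"}},
    "WS03": {"admins": {"LocalAdmin"},                              "cached": {"carol", "LocalAdmin"}},
    "FS01": {"admins": {"LocalAdmin", "svc_backup", "DomainAdmin"}, "cached": {"svc_backup", "DomainAdmin"}},
    "DC01": {"admins": {"DomainAdmin"},                             "cached": {"DomainAdmin"}},
}


def blast_radius(hosts: dict, foothold: str, user: str):
    """Return (controlled_hosts, harvested_creds) reachable from `user` on `foothold`."""
    if foothold not in hosts:
        raise ValueError(f"unknown foothold {foothold}")
    creds = {user}
    controlled = set()
    progressed = True
    while progressed:                      # fixed point: expand until no new host falls
        progressed = False
        for name, h in hosts.items():
            if name not in controlled and creds & h["admins"]:
                controlled.add(name)       # a held credential is admin here
                creds |= h["cached"]       # ... so everything cached here is harvested
                progressed = True
    return controlled, creds


def apply_least_privilege(hosts: dict, remove_user_admins=True, unique_local_admin=True) -> dict:
    """Return a hardened copy of `hosts` with the selected controls applied."""
    hardened = deepcopy(hosts)
    for name, h in hardened.items():
        if remove_user_admins:
            # Standard users lose local admin rights (endpoint privilege management).
            h["admins"] = {a for a in h["admins"] if a not in STANDARD_USERS}
        if unique_local_admin:
            # A shared local admin password is one credential that opens every endpoint;
            # a per-host, vault-rotated credential opens only this host.
            h["admins"] = {f"LocalAdmin@{name}" if a == "LocalAdmin" else a for a in h["admins"]}
            h["cached"] = {f"LocalAdmin@{name}" if a == "LocalAdmin" else a for a in h["cached"]}
    return hardened


if __name__ == "__main__":
    before, _ = blast_radius(HOSTS, "WS01", "alice")
    only_unique, _ = blast_radius(apply_least_privilege(HOSTS, remove_user_admins=False), "WS01", "alice")
    after, _ = blast_radius(apply_least_privilege(HOSTS), "WS01", "alice")
    print("shared local admin + user is admin :", sorted(before))
    print("unique local admin only            :", sorted(only_unique))
    print("both controls                      :", sorted(after) or "no hosts")
```

In the constructed environment the phished workstation user is a local admin and every endpoint shares one local admin password, so the whole estate including the domain controller falls; unique rotated local admin credentials alone cut the reach to the first workstation, and removing the user’s admin rights stops credential harvesting on the foothold entirely. The model ignores many real-world paths (unpatched services, delegation, tokens), so it understates risk; its value is in comparing the effect of controls, not in producing a complete attack graph.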

Identity security requirements for ransomware

The 2023 Stop Ransomware Guide by the Cybersecurity & Infrastructure Security Agency (CISA) outlines identity security requirements and recommended actions essential for building a defense-in-depth strategy against ransomware attacks.

Function | Function category | Recommended action (selected)

Prepare
  System backups
    • Provision offline access in break-glass scenarios.
    • AWS tier IV data centers in different availability zones.
  Incident response plans (IRP)
    • Blueprint resources for KPI definition.
    • Red Team services.
  Implement a zero trust architecture
    • Passwordless authentication.
    • Credential theft protection.

Prevent & Mitigate
  Asset management
    • Adaptive MFA to validate all user access.
    • Integrated lifecycle management, access certification & authentication.
    • Comprehensive application control.
  Implement password policies & management
    • Discover privileged accounts and credentials.
    • Session isolation and monitoring.
    • Tamper-proof credential storage and rotation.
    • Privileged account discovery and password rotation on endpoints.
  Separating user and privileged accounts
    • Centralized vaulting + policy control for credentials.
    • Automated provisioning and de-provisioning of privileged accounts.
    • Removal of local admin privileges.
    • Least privilege implementation.
  Implement MFA (+ passwordless)
    • Integrated lifecycle management, access certification & authentication.
    • Provision JIT access + biometric auth for 3rd parties & remote users.
    • Passwordless authentication.
    • Reauthentication on high-risk actions.
    • Strong MFA.
  Implement IAM systems
    • Centrally secure high-risk access across hybrid and multi-cloud environments, for both shared privileged accounts and federated privileged access to cloud workloads and services.
    • Bridging endpoints with identity providers and directories.
    • Enabling lifecycle management of access to and from endpoints.
    • Role- and group-based access control to devices.
    • Device trust.
  No root access accounts for day-to-day operations
    • Securely manage workforce, developer, 3rd-party & machine identities.
    • JIT for operational access.
    • Endpoint Just-In-Time privileges for server maintenance windows.
    • Workflows for privilege escalation.
  Vendor cybersecurity requirements
    • Provision JIT access for 3rd parties.
    • Securely manage workforce, 3rd-party vendor and machine identities.
  Cloud environments
    • Support access to cloud workloads & services with ZSP.
    • Protect cloud VMs and instances with Endpoint Identity Security.

Respond & Recover
  Detection + analysis; Containment + Eradication; Post-incident activity
    • Remediation services + “first-call” partnerships with leading IR firms.
    • Rotate all credentials to regain control of compromised accounts.
    • Limit escalation & lateral movement.
    • System clean-up and hardening:
      • Least privilege implementation and removal of local admin privileges.
      • Privileged account discovery and password rotation on endpoints.
      • Comprehensive application control.
      • Reauthentication on high-risk actions.

Additional considerations

Security organizations should institute an air-gapped data protection strategy to improve recovery efforts in the event of a ransomware attack. Replicating data to cloud storage or frequently backing up data to removable media provides better protection against ransomware.
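A backup only helps recovery if the copy is known-good when restore time comes; ransomware that reaches a backup share encrypts or deletes the copies too. The following added example, not CyberArk code, shows the integrity step that belongs in any offline or replicated-backup procedure: write a SHA-256 manifest alongside the copy, keep the manifest’s own digest somewhere the backup host cannot modify, and verify both before trusting the copy. File names, contents and the temporary directories are constructed for the example.

```python
"""Backup copy with integrity manifest, plus verification before restore.

Added example, not CyberArk code. create_backup() copies a tree and records
the SHA-256 of every file in MANIFEST.json; verify_backup() re-hashes the copy
and reports files that are missing or altered. Because a manifest stored next
to the data could be rewritten by the same malware, create_backup() also
returns the manifest's digest, which the operator stores out of band (paper,
a vault, an offline device) and passes back at verification time.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path):
    """Copy every file under `source` to `dest`; return (manifest, manifest_digest)."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)   # hash the copy, not the original
    manifest_path = dest / "MANIFEST.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest, sha256_file(manifest_path)


def verify_backup(dest: Path, expected_manifest_digest: str = None) -> list:
    """Return [(relative_path, problem)] for a backup copy; empty list means intact."""
    manifest_path = dest / "MANIFEST.json"
    if not manifest_path.exists():
        return [("MANIFEST.json", "missing")]
    if expected_manifest_digest and sha256_file(manifest_path) != expected_manifest_digest:
        return [("MANIFEST.json", "manifest altered")]   # do not trust its contents
    problems = []
    for rel, digest in json.loads(manifest_path.read_text()).items():
        p = dest / rel
        if not p.exists():
            problems.append((rel, "missing"))
        elif sha256_file(p) != digest:
            problems.append((rel, "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: clean backup, then the copy is damaged as ransomware would."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "data", Path(tmp) / "offline_copy"
        src.mkdir(), dst.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "notes").mkdir()
        (src / "notes" / "q1.txt").write_text("constructed note")

        _, manifest_digest = create_backup(src, dst)
        clean = verify_backup(dst, manifest_digest)

        # Simulated damage: one file overwritten with ciphertext-like bytes, one deleted.
        (dst / "ledger.csv").write_bytes(b"\x8f\x1a\x00\xd3\x77\x2b")
        (dst / "notes" / "q1.txt").unlink()
        damaged = verify_backup(dst, manifest_digest)

        # Simulated manifest tampering: attacker rewrites hashes to match the damage.
        (dst / "MANIFEST.json").write_text(json.dumps({"ledger.csv": sha256_file(dst / "ledger.csv")}))
        tampered = verify_backup(dst, manifest_digest)
        return clean, damaged, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "manifest tampered"), demo()):
        print(f"{label:18}: {result or 'OK'}")
```

The copy itself should be written to media or a tier that the production credentials cannot reach (removable media taken offline, or object storage with immutability/retention enabled), since a manifest detects damage but cannot prevent it; the out-of-band manifest digest is what lets you tell a trustworthy copy from one that was silently rewritten.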

It is always a good idea to have a trusted partner analyze a team’s ability to detect and respond to ransomware. Consulting firms and security solution providers offer Red Team services to help simulate ransomware attacks and assess readiness.
