What is the virus that locks all files?

Ransomware is a type of malicious software, or malware, that encrypts a victim’s files and demands payment in order to restore access. This form of digital extortion has become an increasingly common threat in recent years. Ransomware works by exploiting vulnerabilities in operating systems or software to secretly install itself on a victim’s device. Once installed, it searches for and encrypts files, often targeting valuable data such as documents, photos, databases, and more. The encryption used is designed to be nearly impossible to break without the decryption key held by the attackers. Victims are presented with a ransom note demanding payment, usually in cryptocurrency such as Bitcoin, in exchange for the key. If the ransom is not paid in the allotted time, the files remain locked forever.

How does ransomware infect devices?

Ransomware typically spreads through phishing emails containing malicious attachments or links. An unsuspecting user may open an attachment or click a link that appears legitimate but actually contains ransomware code designed to download and execute on the victim’s machine. Other distribution methods include exploit kits that leverage software vulnerabilities to silently push ransomware onto computers, compromised websites that infect visitors, and removable drives containing malware that auto-runs when plugged in. Once on a system, ransomware often leverages legitimate administration tools to disable security software and backup processes to prevent recovery. Advanced strains can even scan networks for connected drives and resources to encrypt.

What are the main types of ransomware?

Some of the major families and strains of ransomware include:

  • CryptoLocker – One of the earliest ransomware threats, first appearing in 2013. Known for its use of strong RSA-2048 encryption.
  • CryptoWall – Emerging in early 2014, CryptoWall was distributed via exploit kits and could infect entire networks.
  • Locky – Active during 2016-2017, Locky stood out for its rapid spread via massive email campaigns containing malicious Microsoft Office documents.
  • WannaCry – Made headlines in 2017 when it was used in a global attack affecting over 200,000 systems across 150 countries. It exploited a Windows vulnerability leaked from the NSA.
  • Ryuk – Targets large organizations and encrypts entire networks, demanding huge ransoms up to millions of dollars paid in Bitcoin.
  • Sodinokibi – Also known as REvil, it auctioned off stolen data if ransoms went unpaid and targeted MSPs to encrypt client networks.

These are just a few examples among many ransomware strains and variants that have emerged over time. Attacks continue to grow more sophisticated and costly for victims.

What does a ransomware attack look like from a victim’s perspective?

For a victim, a ransomware attack unfolds in the following general stages:

  1. Infection – The ransomware code is first installed on the victim’s system, often without any obvious signs of intrusion.
  2. Lockdown – At a pre-configured time or trigger, the ransomware activates and initiates encryption of files. The software may delete volume snapshots and disable recovery tools.
  3. Ransom Demand – The victim receives a message (often with a countdown timer) demanding ransom payment to receive a decryption key. The message usually contains instructions for payment.
  4. Extortion – The victim must decide whether or not to pay the ransom. The encrypted files remain inaccessible during this period, crippling business operations.
  5. Resolution – If the ransom is paid, the attackers may provide the decryption keys. There is no guarantee files will be restored. If not paid, the data likely remains encrypted forever unless backups exist.

For victims without reliable backups, paying the ransom may be the only way to recover files. However, this funds criminal enterprises and leads to even more attacks.

What are the consequences of a ransomware attack?

Both individuals and organizations around the world have been impacted by ransomware attacks. Consequences may include:

  • Loss of access to critical data and systems
  • Revenue and productivity losses from downtime
  • Costs associated with recovery, such as paying ransom, replacing hardware, or reinstalling software
  • Reputational damage and loss of customer trust
  • Legal and compliance issues stemming from data loss or delays
  • Psychological impact on ransomware victims

A report by Emsisoft found the global cost of ransomware could be as high as $20 billion in 2019 alone. Attacks on hospitals, schools, and other public sector entities can also have life-threatening implications.

How much does a ransomware attack cost on average?

Estimating the total cost of a ransomware attack can be difficult due to all the direct and indirect factors involved. According to research by the Ponemon Institute sponsored by IBM Security:

  • The average total cost of recovery from a ransomware attack is $761,106 for large companies and $46,800 for small and medium-sized businesses.
  • The average ransom paid by organizations is $239,111.
  • Downtime costs account for nearly two-thirds (65%) of total expenses, averaging $283,281.
  • Data loss accounts for the largest share (43%) of downtime costs.
  • Detection and escalation costs average $1,220,000 for large organizations.

Keep in mind that costs vary widely depending on factors like the specific strain, industry, company size, and effectiveness of defenses. Some estimates place the average ransomware payment as high as $650,000.

Who is responsible for ransomware attacks?

Ransomware developers and distributors belong to cybercriminal groups and organizations motivated by financial gain. Some of the major players include:

  • Maze Group – Believed to be responsible for the Pensacola and Cognizant attacks in 2020.
  • REvil – Russian-based group behind ransomware strains like Sodinokibi.
  • Wizard Spider – Operators of the Ryuk ransomware affecting enterprises.
  • CyberExtortion Gang – Veteran cybercrime group distributing the CryptoMix variant.
  • Lazarus Group – Alleged North Korean state-sponsored hackers linked to WannaCry attacks.

It can be challenging to attribute ransomware attacks since perpetrators often use pseudonyms and technical means to cover their tracks. However, research continues to connect strains and payments to known cybercriminal rings.

How can individuals and businesses recover from ransomware?

Recovering from a ransomware attack typically involves the following steps:

  1. Disconnect infected systems – Isolate and power down affected devices to prevent further encryption or spread.
  2. Evaluate impact – Identify which files and systems were compromised and how severely business operations are disrupted.
  3. Notify authorities – Contact law enforcement and cybersecurity professionals for assistance in response and investigation.
  4. Prioritize recovery – Determine the most essential data and functions that need to be restored first.
  5. Use backups – With offline, read-only, and redundant backups, restore systems from an unaffected state.
  6. Rebuild systems – Wipe infected systems fully and reinstall software, apps, and operating systems from scratch.
  7. Improve defenses – Close any vulnerabilities that allowed infection and reinforce security tools to prevent reinfection.

Having comprehensive backups separated from networked systems offers the best chance of recovering without paying ransom. However, rebuilding systems can still incur major costs for large organizations.

How can ransomware infections be prevented?

Preventing ransomware comes down to managing cyber risk through defense-in-depth strategies including:

  • User awareness training to avoid phishing and risky behaviors
  • Email security and spam filters to block malicious messages
  • Software patching to eliminate exploit vulnerabilities
  • Strong, unique passwords for all user accounts
  • Multi-factor authentication for logins where possible
  • Principle of least privilege restrictions
  • Secure system configurations and lockdown of unnecessary ports/services
  • Next-generation endpoint security with behavior monitoring
  • Network segmentation to control lateral movement
  • Frequent, isolated backups stored offline

Speedy detection and response to potential infections, aided by solutions like antivirus software and endpoint detection and response (EDR), can also limit ransomware damage.

Should ransomware ransom demands be paid?

Whether to pay ransomware demands is a complex decision with pros and cons to consider:

Potential pros:

  • Quickest way to regain access to encrypted data
  • May be only option if backups unavailable
  • Lower financial cost than rebuilding systems

Potential cons:

  • No guarantee files will be recovered
  • Perpetuates the ransomware business model
  • May make organization a bigger target for future attacks
  • Payments can involve legal risks and violate regulations

Victims need to weigh these factors carefully for their specific situation. Cyber insurance policies may cover ransom payments, but not all policies do. The FBI recommends not paying ransoms. Ultimately, investing in preventative security delivers far more value than paying ransoms.

How is ransomware evolving as a threat?

Ongoing trends in ransomware attacks include:

  • Increasingly sophisticated tactics – Using penetration testing tools, social engineering, and vulnerabilities in supporting infrastructure to infect systems.
  • Higher ransom demands – Criminals tailor demands based on the target’s perceived ability to pay, sometimes extracting millions.
  • Targeting of critical infrastructure – Attacks disrupting key sectors like healthcare, schools, and food/energy supply chains.
  • Attacks on managed service providers – Infecting MSPs in order to access and ransom their customers’ networks.
  • Data theft and extortion – Stealing sensitive data and threatening to publish it if ransom goes unpaid.
  • Ransomware-as-a-service – Offering ransomware toolkits and infrastructure to less technical criminals.

Ransomware shows no signs of stopping, as adversaries become more agile and persistent in the face of security efforts. Organizations must remain vigilant and regularly test and update their cyber protections.


Ransomware remains one of the most serious cyber threats facing individuals, businesses, and organizations around the world. As attacks continue to grow in frequency, impact, and sophistication, ransomware has the potential to undermine institutions, economies, and even public safety. Preventing ransomware requires a coordinated effort combining security awareness, vulnerable patching, updated defenses, system redundancies, and measures like encryption and network segmentation. Understanding the methods and motivations of attackers is also key to guarding against and responding to ransomware outbreaks in the future. While an effective technical strategy is essential, human-driven solutions like workforce education and backup protocols represent the last line of defense for containing the effects of ransomware.