Ransomware: understand, prevent, respond
What is ransomware
Ransomware is malicious software that encrypts a victim’s files and demands payment of a ransom in exchange for the decryption key. In 2026, ransomware represents the most costly cyber threat facing organizations, with an average incident cost of $4.88 million.
What makes ransomware particularly devastating is its ability to render entire organizations inoperable within hours. Hospitals that cannot access patient records, manufacturers that cannot run production lines, municipalities that cannot process payments — the operational disruption often exceeds the direct ransom amount many times over. Recovery can take weeks or months, even with a solid backup strategy in place.
Evolution of the model
Ransomware has evolved far beyond simple file encryption:
Generation 1 (2013-2017): basic encryption, Bitcoin ransom demands, email distribution. CryptoLocker, WannaCry.
Generation 2 (2018-2023): double extortion (encryption + data exfiltration), enterprise targeting, ransomware-as-a-service (RaaS). Ryuk, REvil, Conti.
Generation 3 (2024-2026): triple extortion (adding DDoS attacks or threats against the victim's customers), exfiltration without encryption, targeting of network appliances, insider recruitment. Qilin, Cl0p, Akira.
Each generation learned from the previous one. Attackers adapted to increased backup adoption by adding data theft. They adapted to law enforcement takedowns by switching to RaaS models that distribute operational risk across many affiliates. They adapted to improved EDR tools by dwelling longer in networks before encrypting, carefully removing backups first.
How ransomware works
- Initial access: phishing, vulnerability exploitation, stolen credentials, exposed RDP
- Reconnaissance: network mapping, identification of critical data, locating backups
- Lateral movement: privilege escalation, Active Directory compromise
- Exfiltration: copying sensitive data before encryption begins
- Encryption: deploying ransomware across as many systems as possible simultaneously
- Extortion: ransom demand, threat to publish stolen data
The reconnaissance and lateral movement phases are often the longest, lasting days to weeks. Attackers invest time to understand the target network, identify the most critical systems, locate and destroy backups, and ensure maximum impact when encryption finally executes. Modern threat intelligence often identifies ransomware groups spending 10-20 days inside a network before triggering the attack.
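A defender-side detection that follows from the encryption stage described above, added here as an illustrative example (not code from the original page): it flags a host on which many high-entropy file overwrites and renames to an unknown extension land within one minute, the signature of a mass-encryption burst. Hostnames, paths, the event format and the thresholds are assumptions chosen for the sample.

```python
# Sliding-window detector for a burst of encryption-like file activity on one host.
from collections import defaultdict, deque
from datetime import datetime

HIGH_ENTROPY = 7.9      # encrypted data sits near 8 bits of entropy per byte
WINDOW_SECONDS = 60
THRESHOLD = 8           # suspicious events per host within the window
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "pptx"}

# Constructed sample events (not real telemetry): "timestamp host action path entropy"
SAMPLE_EVENTS = """\
2026-03-01T09:00:01 ws-17 write /home/a/report.docx 4.9
2026-03-01T09:00:40 ws-17 write /home/a/budget.xlsx 5.1
2026-03-01T09:12:00 fs-01 write /share/q1.pdf 7.98
2026-03-01T09:12:00 fs-01 rename /share/q1.pdf.lckd 0.0
2026-03-01T09:12:01 fs-01 write /share/q2.pdf 7.97
2026-03-01T09:12:01 fs-01 rename /share/q2.pdf.lckd 0.0
2026-03-01T09:12:02 fs-01 write /share/hr.xlsx 7.99
2026-03-01T09:12:02 fs-01 rename /share/hr.xlsx.lckd 0.0
2026-03-01T09:12:03 fs-01 write /share/plan.docx 7.96
2026-03-01T09:12:03 fs-01 rename /share/plan.docx.lckd 0.0
"""

def parse_events(text):
    """Parse 'timestamp host action path entropy' lines into dicts."""
    rows = (line.split() for line in text.strip().splitlines())
    return [{"ts": datetime.fromisoformat(t), "host": h, "action": a, "path": p,
             "entropy": float(e)} for t, h, a, p, e in rows]

def is_suspicious(ev):
    """High-entropy overwrite, or rename to an extension outside the known set."""
    if ev["action"] == "write":
        return ev["entropy"] >= HIGH_ENTROPY
    return ev["action"] == "rename" and ev["path"].rsplit(".", 1)[-1] not in KNOWN_EXTENSIONS

def detect_bursts(events):
    """Return {host: time of the event that pushed the host over THRESHOLD}."""
    recent = defaultdict(deque)   # per-host timestamps of recent suspicious events
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()   # drop events older than the window
        if len(q) >= THRESHOLD and ev["host"] not in alerts:
            alerts[ev["host"]] = ev["ts"]
    return alerts
```

On the sample, the workstation's two ordinary document saves stay silent while the file server trips the alert on its eighth suspicious event; in production the thresholds would be tuned against a baseline of normal file-server activity.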
Key figures for 2026
- 44% of breaches involve ransomware (Verizon DBIR)
- $4.88M: average cost of a breach (IBM)
- Under 60 minutes: average attacker breakout time
- Qilin: most active group with 1,500+ cumulative victims
The ransom payment dilemma
Paying the ransom does not guarantee recovery. Approximately 20% of organizations that pay never receive a working decryption key. Those that do recover encrypted data still face weeks of restoration work. Many find that the stolen data is published regardless, whether by mistake, out of malice, or because a different affiliate later sells the data independently.
Law enforcement agencies (CISA, FBI, Europol, ANSSI) uniformly advise against paying ransoms. Payment funds criminal operations, encourages further attacks, and provides no legal or operational guarantee of recovery. Organizations should consult legal counsel before making any payment decision, as sanctions exposure is a growing concern when payments inadvertently reach sanctioned entities.
The cyber insurance question
Cyber insurance plays a significant role in ransomware economics. Insurers have tightened underwriting requirements substantially, often mandating MFA, EDR deployment, and tested backup procedures as conditions of coverage. Policies increasingly exclude certain ransom scenarios or cap payouts. Organizations should treat insurance as a financial backstop, not as a substitute for technical defenses.
In this guide
Explore the sub-pages of this silo to go deeper:
- Ransomware types: encryption, wipers, exfiltration-only, RaaS
- Infection vectors: phishing, vulnerabilities, supply chain, insiders
- Defense and prevention: backups, segmentation, EDR, training