#1 Ransomware Guide in 2022

Ransomware is one of the biggest cyber threats a business or an organization can face. Since ransomware attackers can destroy your data or hold it hostage in exchange for large sums of money, it’s vital to know how to protect yourself from a potential attack. This article includes everything you need to know about ransomware — how it operates, types of common attacks, and how to deal with it should you, unfortunately, fall victim.

What is ransomware?

Ransomware is a type of malware that encrypts a device’s files or data and demands a ransom to get it back. 

Once a PC or Mac operating system has been infected, a ransom note appears clearly on the screen. Typically, this type of note will include a detailed message about the encryption and explain how the victim can pay the ransom within a set number of hours if the victim wants to recover their data.

Often, cybercriminals demand their fee in the form of cryptocurrency, such as Bitcoin. They prefer this method because it’s hard to trace. As many people are not familiar with sending cryptocurrencies, attackers usually provide their victims with a step-by-step guide detailing how and where to send the ransom. Essentially, they’re making it easy for victims to pay up.

As far as the size of the ransom is concerned, it varies. Ransoms of a few hundred dollars are common if the target is an individual home user or a small business. Attacks on large organizations often include hefty ransoms, as attackers know that these types of companies can afford to pay up.

Victims must send the payment within a set number of hours, or else the data will be irrecoverable.

Ransomware became very popular during the early 2010s and has only continued to increase in popularity. According to Sophos, the average recovery cost from a ransomware attack skyrocketed from $761,106 in 2020 to a staggering $1.85 million by 2021 (check out the statistics below for more details).

This massive spike emphasizes the importance of taking the necessary precautions to prevent and recover from ransomware attacks, whether you’re an independent contractor working from home or a massive enterprise with hundreds of employees.

Ransomware statistics

To help you understand how widespread and damaging ransomware is, we’ve compiled the following list of eye-opening statistics. All of the data is recent, so it gives a realistic picture of how severe ransomware attacks are.

  • The average ransom paid in 2020 was $170,404.

  • Only 8% of organizations recover all of their data after paying a ransom; 29% got back half of their data.

  • Globally, there were 304 million ransomware attacks in 2020 — a 62% increase from 2019.

  • Ransomware detections increased by 435% in 2020 as compared to 2019.

  • Ryuk, a top form of ransomware software, demands an average of $288,000 to give a single victim back their data.

  • Ransomware attacks have increased by 148% during the COVID-19 pandemic. 

  • Kaspersky defended 178,922 unique users from ransomware attacks in Q1 2020. In addition, Kaspersky’s mobile app detected 4,339 installation packages infected with ransomware trojans.

Figure: The number of ransomware attacks worldwide (Source: Statista)

How do you get ransomware?

The most common way a system or device becomes infected with ransomware is through phishing. Phishing is a form of social engineering (or fraud) where the attacker sends malicious emails or texts with “urgent” requests to as many people as possible. To gain the trust of a victim, an attacker will typically impersonate a well-known entity or person.

Often, the victim will receive a message containing harmful links or attachments that, if clicked on, will automatically download and install malware onto the victim’s device. This malware can come in many different forms, including ransomware.

In some cases, if you’ve accidentally installed a type of malware, like a keylogger or password-stealing trojan, attackers may steal your login credentials to infiltrate your computer and network and install ransomware.


Another way ransomware attacks are carried out is by exploiting vulnerabilities in operating systems or programs/apps. Hackers are patient. Often they will wait silently for a hole in a software’s security to open up. Once this happens, they inject a target system with an exploitation kit to take control. From here, it’s only a matter of time before the attackers encrypt valuable data and demand a ransom in return.

Another form of ransomware distribution is malvertising — short for malicious advertising. When browsing a website (including legitimate ones), users can get malware simply by clicking on a displayed malicious ad. Other times, clicking is not even necessary — malware can get on your device just by visiting an infected website.

Figure: Most common ransomware delivery methods in 2020 (Source: Statista)

Anyone can be a victim of ransomware.

Types of ransomware

There are three broad types of ransomware: screen lockers, file encryptors, and scareware. The first two are forms of malware that are designed to encrypt files and data. The last one (scareware) is mostly harmless and relies on scare tactics to convince targets to pay up. Read more about each ransomware category below.

Screen lockers

Also known as lockers, these are malicious programs that lock your device, preventing you from accessing it. Lockers can infect both desktop computers and mobile devices. If your device becomes infected, you’ll see a message on your screen stating that your device has been locked. 

Often, attackers pretend to be from the FBI or another government organization. Typically, the target will receive a generic message along the lines of: “Your device has been used for illegal purposes.” Of course, this will be followed by a message claiming that a fine of generally a few hundred dollars or euros must be paid in order to re-access your device.

If you wish to regain access to your device without paying, you could try using a System Restore feature or try reinstalling the operating system. To be on the safe side, always make sure to back up important files if you want to recover them!

File encryption ransomware

File encryption ransomware, aka crypto-ransomware, encrypts a target’s files (or only those that it deems essential). If you don’t pay the ransom and don’t have a backup, then you’re pretty much out of luck — it’s almost next to impossible to decrypt files infected with this form of ransomware. 

Note: A system’s “image restore” settings generally won’t recover your files — only basic system settings. Also, paying a ransom does not guarantee that you’ll get your files back. A reputable ransomware prevention software like Bitdefender or Norton can help keep ransomware threats at bay.



Scareware

Scareware is a form of malware where pop-up messages appear claiming that your device is infected with malware. These same messages prompt you to buy or download a fake antivirus program that may contain malware.

These types of fake antivirus programs are also referred to as Rogue Security Software. Although they act like legitimate antivirus programs, their actual intent is to make users pay for a bogus solution or infect a user’s device with spyware, adware, or another form of malware.

Should you choose to ignore scam messages, they’ll continue to pester you. Although annoying, the good news is your files will remain safe. The best way to remove scareware is via a legitimate anti-ransomware program or app. A reputable antivirus solution will never allow malware to infect your device in the first place!

Ransomware examples

Since the early 2010s — when ransomware first took off — it has been present in many different forms. As the years went by, ransomware software became more and more sophisticated. As so many forms of this malicious software began attacking unsuspecting users, ransomware was categorized in families, each containing its own distinctive traits and names. Check out the most prominent ransomware strains below; some of them still exist today.

  • Sodinokibi — This widespread ransomware family came to light in 2019. Sodinokibi targets Windows operating systems and professionally encrypts vital files.

  • Ryuk — Ryuk has been wreaking havoc on organizations, especially hospitals, since 2018. It infects networks through other forms of malware, such as trojans.

  • Maze — Discovered in 2019, Maze is the first ransomware that’s been known to leak a victim’s stolen data. Maze informs its victims that all of their sensitive files will be released publicly if they don't pay up.

  • Dharma — This widespread genre of ransomware targets high-profile companies and institutions, spreading via spam emails, exploitation kits, and RDP access.

  • Snake — First discovered in January 2020, Snake targets corporate networks and deletes existing system backups so they can’t be used to restore encrypted files.

  • CryptoLocker — Launched in 2013, CryptoLocker is the precursor to modern-day ransomware. At its peak, it was responsible for hijacking up to 500,000 devices.

  • SimpleLocker — Appearing in 2014, this ransomware took advantage of the less secure Android operating systems of the day. It also encrypted the SD cards of target smartphones.

  • TeslaCrypt — Wreaking havoc on systems in 2015, TeslaCrypt mainly targeted gaming files and received regular updates from its creators.

  • Cerber — First appearing in 2016, Cerber exploited a vulnerability in Microsoft-based networks and computers and pioneered the ransomware-as-a-service model.

  • Locky — Released in 2016, Locky targeted Windows platforms and spread through infected Word documents. 

  • SamSam — Targeting mostly US hospitals and educational institutions, this 2016 ransomware family first monitored user activity before locking important files.

  • WannaCry — This is one of the most notorious ransomware families. Hackers conceived it in 2017 using EternalBlue, an NSA-created exploit that hackers managed to steal.

  • NotPetya — This notorious ransomware is behind some of the most destructive cyberattacks in history — the 2017 cyberattacks on Ukraine and other countries.

  • LeakerLocker — In 2017, this ransomware lived inside of two Android apps named Booster & Cleaner and Wallpaper Blur HD and locked home screens rather than encrypting files.

  • BadRabbit — Discovered in 2017, BadRabbit attacked government organizations from Russia, Ukraine, and the U.S, encrypting critical files on targeted systems.

  • RobbinHood — Using the EternalBlue exploit that was stolen from the NSA, RobbinHood is well known for the attack on Baltimore, MD in 2019.

  • GandCrab — First observed in 2018, GandCrab supposedly extorted over $2 billion from victims as of mid-2019. It targeted Windows-based systems.

  • Thanos — Sold as RaaS since 2020, it is the first ransomware family to use RIPlace technology which allows it to bypass ransomware prevention mechanisms.

  • ThiefQuest — Discovered in June 2020, it can encrypt files, monitor keystrokes, and steal cryptocurrency-related files from its victims’ devices.

Figure: The interface of the WannaCry ransomware (Source: Wikipedia)

Should you pay the ransom?

The FBI and other law enforcement agencies advise against paying hackers ransom money. Receiving money only encourages them to continue their attacks with new and improved ransomware. Still, many organizations disregard this advice as getting their data back outweighs the costs associated with paying the ransom. 

If the cost of losing the locked data is greater than the ransom, many businesses will choose to pay. Hackers also incentivize victims to pay by making the payment window time-restricted and offering a discount for acting fast. As mentioned earlier, ransoms vary anywhere from a few hundred dollars to hundreds of thousands. 

If you must make the moral decision of whether to pay a ransom or not, be aware that paying does not guarantee that you’ll recover your data. It’s not uncommon for ransomware hackers to take your money and not look back. Invest in a cybersecurity suite today to help prevent ransomware from finding its way onto your device.


Ransomware on mobile devices

Mobile devices can acquire ransomware through infected apps. You can find these apps on official app marketplaces, such as Google Play or the App Store, or from risky third-party sources. Many ransomware incidents occur after users download a seemingly legit app disguised as a game or utility. The first significant ransomware software, CryptoLocker, even infected mobile devices in its heyday.

When ransomware hijacks a device, it will either lock it entirely or encrypt specific files — just like desktop ransomware. You will see a message saying that your phone has been locked or your data was encrypted for bogus reasons. These hackers will also provide you with instructions on how to pay the ransom so you can regain control of your device and files. 

Mac ransomware

macOS can also get infected with ransomware, just like other operating systems. The first ransomware to hit Mac was KeRanger, which encrypted files after a short hibernation period. That threat has since been taken care of — Apple has released a fix for Mac’s antivirus.

A new type of ransomware, ThiefQuest, was discovered in June 2020. It can encrypt a victim's files, monitor keystrokes, and steal cryptocurrency-related files from infected hosts.

This goes to show that ransomware, like other forms of malware, can penetrate Mac’s defenses, too. Thus, it’s vital to protect your Apple devices with a trusted antivirus for Mac, such as Bitdefender or McAfee.


How to deal with ransomware (for free)

As soon as you learn that you’ve been infected with ransomware, the first step is to disconnect the device from the internet. This will stop the ransomware from spreading to other computers through your network. Secondly, take a picture of your screen that clearly shows the ransom note, so it can be passed on to the authorities.

When it’s time to get your data back, unfortunately, most of the time, there’s no easy way unless you have a backup. If you have a backup of your files, then you’re in luck. Before restoring your files using the backup, first remove the threat from your device. You can do this in one of two ways:

  • Reinstall your OS and wipe out your hard drive — this is the safest way.

  • OR, reboot your computer in safe mode using a ransomware removal solution, and use your system image to restore your PC.

Once you’ve done one of the above options, you can safely restore the data from your backup. If you don’t have a backup, you could try searching the web for a decryptor, but there’s no guarantee that it will work. 

When it comes to mobile devices, your best bet at dealing with a ransomware infection is to factory reset your phone. This will take care of the ransomware, but unfortunately, you’ll lose your personal files if you didn’t back them up beforehand.

How to prevent ransomware

Figure: How an antivirus prevents ransomware attacks (Source: Heimdal Security)

No matter the size of your business or organization, you can prevent ransomware by following a few simple tips. Stopping ransomware in its tracks involves staying vigilant when using the web or sending emails. Always be sure to back up your files and use a reputable anti-ransomware solution. Learn more about ransomware prevention below.

  • Update your operating system and software. Keeping your OS and other software up-to-date ensures you’ll receive the latest patches and fixes designed to protect you against the newer ransomware iterations.

  • Only install programs and apps you trust. If you’re not sure that a program or app is legitimate and secure, it’s best to avoid it. Also, don’t download cracked software as it often contains malware.

  • Stay informed about the latest threats. Reading about the latest cyberattacks is a healthy habit to form. If you’re a business owner, make sure your employees are aware of threats like ransomware and know how to stay safe.

  • Don’t open suspicious email attachments or links. Most ransomware attacks are carried out via email phishing. Avoid opening attachments or clicking on links from suspicious emails.

  • Back up your files regularly. This is the best way to recover your data in the case of a ransomware attack. Follow the 3-2-1 rule — keep three backup copies on two separate media forms, and have one backup in a different location.

  • Get an antivirus program. This cannot be overstated. You must have a complete anti-ransomware suite installed on your system. Ransomware protection programs such as Norton or Kaspersky do a great job of stopping ransomware.
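
The 3-2-1 rule from the backup tip above can be checked automatically. The following is an added example, not code from the original article: it audits an inventory of backup copies and counts a copy only if its SHA-256 digest still matches the reference archive, since a copy that was overwritten or encrypted cannot be restored from. The names BackupCopy and audit_321, the media and location labels, and the sample data are all assumptions made for illustration.

```python
import hashlib
from collections import namedtuple

# One backup copy: storage medium, where it is kept, and the SHA-256 digest
# recorded the last time the copy was read back and verified.
BackupCopy = namedtuple("BackupCopy", "medium location sha256")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_321(reference_sha256, primary_location, copies):
    """Return the names of failed checks; an empty list means 3-2-1 is met."""
    # Only copies that still match the reference digest are restorable.
    verified = [c for c in copies if c.sha256 == reference_sha256]
    failed = []
    if len(verified) != len(copies):
        failed.append("integrity")      # at least one copy no longer matches
    if len(verified) < 3:
        failed.append("three-copies")   # fewer than three usable copies
    if len({c.medium for c in verified}) < 2:
        failed.append("two-media")      # all usable copies on one media type
    if not any(c.location != primary_location for c in verified):
        failed.append("one-offsite")    # nothing usable away from the primary site
    return failed


# Constructed sample data (hypothetical archive contents and inventory).
ARCHIVE = b"constructed sample: contents of documents-backup.tar"
TAMPERED = b"constructed sample: the same archive after being overwritten"
GOOD, BAD = sha256_hex(ARCHIVE), sha256_hex(TAMPERED)

HEALTHY = [
    BackupCopy("external-hdd", "office", GOOD),
    BackupCopy("nas", "office", GOOD),
    BackupCopy("cloud", "provider-dc", GOOD),
]
# Locally attached and networked storage were overwritten; only cloud survives.
ATTACHED_STORAGE_HIT = [
    BackupCopy("external-hdd", "office", BAD),
    BackupCopy("nas", "office", BAD),
    BackupCopy("cloud", "provider-dc", GOOD),
]
# Three intact copies on two media types, but all in the same building.
ALL_ONSITE = [
    BackupCopy("external-hdd", "office", GOOD),
    BackupCopy("external-hdd", "office", GOOD),
    BackupCopy("nas", "office", GOOD),
]

if __name__ == "__main__":
    for name, inventory in [("healthy", HEALTHY),
                            ("attached storage hit", ATTACHED_STORAGE_HIT),
                            ("all onsite", ALL_ONSITE)]:
        print(name, "->", audit_321(GOOD, "office", inventory) or "3-2-1 met")
```

Run on a schedule, a check like this flags a backup set that has quietly stopped being restorable before an incident forces the question.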


What is a ransomware virus?

Ransomware is malware that takes files or an operating system hostage and demands a ransom for its release. Ransomware is not precisely a type of virus, though. The term “virus” refers to a specific type of malware that can corrupt or destroy data. 

Ransomware can enter your computer or mobile device through malicious email attachments, websites, and apps. Improve your defenses against ransomware attacks by installing an anti-ransomware program.

How do ransomware attacks work?

There are two types of ransomware that can endanger your data: screen lockers and file encryptors. The first type takes control of a device’s operating system, stopping the owner or user from accessing their computer or smartphone. The second type encrypts specific files on a device’s drive; should this happen, you’ll need a decryption key to re-access them. 

Both types of ransomware will paste a message onto your screen advising you about paying a ransom and recovering your files. Fortunately, robust antivirus utilities like Bitdefender are equipped with the dedicated features required to stop ransomware attacks.

Can you remove ransomware?

Ransomware that has infected your computer or smartphone can be removed, but you may not recover your encrypted files in the process. 

To remove a ransomware threat, you can either reinstall your operating system and wipe your drives (or reset your phone if the infected device is a smartphone), or boot the computer in safe mode using a solid anti-ransomware solution to detect and remove threats, and restore a system image if you have one.

What are examples of ransomware?

There have been many strains of ransomware over the years. The resurgence of ransomware started in 2013 with CryptoLocker, which was very lucrative. Since then, many ransomware families have appeared each year, including TeslaCrypt in 2015, Locky in 2016, WannaCry in 2017, Ryuk in 2018, and Sodinokibi in 2019. 

Get a strong antivirus suite to steer clear of dangerous ransomware threats.

Should you pay ransomware?

Law enforcement agencies like the FBI have advised targets not to pay ransoms as this will only encourage hackers to attack others in the future. Yet, many companies and home users find this to be a challenging debate as often the only way to recover sensitive files is to pay the ransom. 

Still, doing so does not guarantee that you’ll get your files back. Also, paying the fee may not even be worth it if your files are not that important. Conversely, if the files are valuable, paying the ransom may be a viable option. To avoid difficult situations like these, get yourself a robust anti-ransomware program.

Octav Fedor (Cybersecurity Editor)

Octav is a cybersecurity researcher and writer at AntivirusGuide. When he’s not publishing his honest opinions about security software online, he likes to learn about programming, watch astronomy documentaries, and participate in general knowledge competitions.