Last Updated: September 8th, 2025 | 9 min read | Categories: Ransomware

Ransomware is one of the biggest cybersecurity threats facing businesses in the current environment. While this form of cyberattack has been around for a while, its prevalence has surged in recent years.

These types of attacks are popular among cybercriminals because they are relatively easy to pull off, can cause a huge amount of disruption and offer lucrative rewards. Our research recorded a 63 percent rise in the number of ransomware attacks disclosed during the second quarter of 2025 compared with the previous year.

This marked the biggest increase since we started our survey in 2020, reflecting how ransomware has become a leading tactic used by cybercriminals.

What is Ransomware?

In simple terms, ransomware is a type of malicious software that gains access to and encrypts files or systems. A ransomware attack is designed to coerce businesses into paying money in exchange for the decryption key needed to regain access to their data.

It typically works by encrypting either mission-critical information or essential files that are necessary for a device to function. Encrypted files or machines make it impossible for a company to operate normally unless the business pays the criminals for the decryption key, leading to extensive downtime until systems can be restored.

Key Ransomware Types and Trends

95% of ransomware attacks in 2025 aim to exfiltrate data

Traditional types of ransomware infection include Crypto ransomware and Locker ransomware, which encrypt specific files or completely lock users out of their devices until a ransom is paid.

However, these tactics have been overtaken by what’s known as ‘double extortion’ ransomware. This involves criminals exfiltrating data from a network as well as encrypting it. When ransom demands are sent, organized hackers can then increase the pressure on businesses by threatening to release the data publicly or sell it on the dark web unless companies pay.

This has proven to be a highly effective tactic that has made double extortion the number one ransomware threat today. Indeed, BlackFog research indicates 95 percent of ransomware attacks now aim to exfiltrate data for use in double extortion.

An Evolving Threat: 4 Ransomware Trends for 2025

40% of all cyberattacks are now AI-driven

Ransomware threats are growing more advanced, with attackers leveraging emerging techniques to bypass ransomware detection efforts and maximize disruption. Understanding these evolving tactics is essential to staying protected. Key trends include:

  • Ransomware-as-a-Service (RaaS): Pre-built ransomware kits are now sold or leased to affiliates, making attacks easier to launch at scale.
  • Fileless attacks: These run entirely in memory, leaving no trace on disk and making them difficult for traditional tools to detect.
  • AI-powered malware: One study estimates 40 percent of all cyberattacks are now AI-driven, with this technology able to make more convincing phishing emails or rewrite code quickly to evade detection.
  • Supply chain attacks: Hackers compromise trusted third-party software or services to infiltrate wider networks unnoticed.

How Does Ransomware Work and Spread Within a Network?

Ransomware attacks typically begin with a phishing email or a visit to a compromised website, where malware is unknowingly downloaded. Once on a device, the ransomware activates by contacting a remote command-and-control server to download additional malicious components. It then begins spreading laterally across the network, moving from one device to another by exploiting shared credentials, unpatched systems or open network connections.

After establishing a foothold, the ransomware seeks out and encrypts files on every infected machine. A ransom note is then displayed, demanding payment – usually in cryptocurrency – in exchange for the decryption key.

However, in many modern attacks, there’s a second stage before the ransom demand is sent: data exfiltration. Before encryption, the ransomware quietly extracts sensitive information from the network and sends it to the attacker’s server. This is a critical part of a double extortion attack, where victims are also threatened with public exposure of their stolen data if the ransom isn’t paid.

What is the Impact of Ransomware?

The total cost of ransomware attacks in 2025 is set to reach $57m

The consequences of a ransomware incident can be severe and wide-ranging. Some of the most common issues businesses encounter include:

  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Reputational damage

Global ransomware-related costs are projected to reach $57 billion in 2025, up from $20 billion in 2021. This includes a wide range of factors, such as expenses related to downtime, lost productivity, theft of intellectual property and of personal and financial data, forensic investigation, restoration and deletion of hacked data and systems, reputational damage, legal costs, and regulatory fines.

While all companies are at risk, our research suggests cybercriminals have set their sights on healthcare organizations, local government and the services sector as prime targets. These organizations often have less than adequate cybersecurity protection in place, even though they handle highly sensitive information that is attractive to hackers. They often also have strong insurance policies that can incentivize them to pay for an easy resolution to an attack.

Will Antimalware Solutions Protect You From Ransomware?

Traditional antimalware tools are no longer enough to stop modern ransomware. Most rely on signature-based detection, which only identifies known threats. Today’s attackers use tactics like fileless malware, zero-day exploits and encryption evasion to bypass these defenses entirely.

This means static tools can’t keep up with threats that evolve in real time. An effective anti-ransomware solution requires organizations to go beyond signatures. For instance, solutions must include behavioral monitoring to detect unusual activity, along with real-time analytics and automation to respond instantly before damage is done.
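To illustrate what behavioral monitoring can look at where a signature cannot, this added example (not from the original article or any vendor's product) flags a process that overwrites many files with high-entropy content in a short window. The event format, process names, paths and thresholds are assumptions, and the events are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_encryption_burst(events, window=10.0, threshold=5, min_entropy=7.5):
    """events: (timestamp, process, path, first bytes written), ordered per process.
    Returns {process: timestamp} for processes that overwrite at least
    `threshold` distinct files with high-entropy content within `window` seconds."""
    recent = defaultdict(deque)  # process -> deque of (timestamp, path)
    flagged = {}
    for ts, proc, path, sample in events:
        if shannon_entropy(sample) < min_entropy:
            continue  # plaintext-like write, e.g. an ordinary document save
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop writes that fell out of the sliding window
        if len({p for _, p in q}) >= threshold and proc not in flagged:
            flagged[proc] = ts  # moment the burst first crossed the threshold
    return flagged

def random_like(i, size=4096):
    # Deterministic stand-in for ciphertext: concatenated SHA-256 digests.
    return b"".join(hashlib.sha256(f"{i}-{j}".encode()).digest()
                    for j in range(size // 32))

# Constructed sample events (hypothetical names, not real telemetry).
TEXT = b"Quarterly report draft. " * 170
EVENTS = (
    # Normal editing: many writes, but low entropy.
    [(float(i), "winword.exe", f"C:/docs/report{i}.docx", TEXT) for i in range(6)]
    # Suspicious: eight high-entropy overwrites in eight seconds.
    + [(20.0 + i, "unknown.exe", f"C:/docs/file{i}.xlsx", random_like(i))
       for i in range(8)]
    # Archiver: high entropy too, but spread out, so the rate check ignores it.
    + [(100.0 * i, "7z.exe", f"C:/backup/archive{i}.7z", random_like(100 + i))
       for i in range(1, 7)]
)

if __name__ == "__main__":
    print(detect_encryption_burst(EVENTS))
```

Entropy alone would also flag the archiver; it is the combination with the write rate per process that separates the two cases.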

Should You Pay a Ransom?

The official recommendation from law enforcement in the US and UK is never to pay the ransom. However, guidance from Forrester Research suggests that paying a ransom may be considered a valid recovery path that should be explored and evaluated just like any other business decision.

A ransomware victim must consider its ability to recover from the cyberattack, the costs of outside consultants and ransomware recovery plans, as well as cybersecurity insurance, which may not cover ransomware payments. It is important to note that even if you pay, there is no guarantee you will get your data back.

One of the main arguments against paying a ransom is that it will encourage future attacks on the business. In fact, research by Cybereason found that 80 percent of companies that paid a ransom were targeted for a second time, with 40 percent paying again. Of these, 70 percent paid a higher amount the second time round.

Ransomware Prevention Best Practices

As with any malware attack, defending against ransomware requires a multilayered approach. Firms cannot rely on traditional tools like firewalls and antivirus software alone to keep them safe, while human factors must also be considered. Among the top points to keep in mind are:

  • Always back up your data
  • Update your software regularly
  • Educate the weakest link in your organization – your employees – to ensure they don’t fall victim to a phishing scam or use poor password practices.
  • Take a layered approach to security to prevent cyberattacks
  • Prevent unauthorized data exfiltration by blocking outbound data flow
  • Deploy an on-device solution to prevent unauthorized data from ever leaving your endpoints

While the best way to protect against ransomware is to stop the attack from happening in the first place, no antimalware solution is 100 percent foolproof. Being a victim of a cyberattack is a question of when, not if. Therefore, organizations must have specialized ransomware tools that are able to prevent attackers from removing data from the business.

A dedicated anti data exfiltration (ADX) solution is therefore essential. This technology uses machine learning to build a picture of activity on a network and then spot unusual behavior in real time. Once it detects indicators that an attacker is trying to remove unauthorized data from your device or network, it can step in automatically and stop hackers in their tracks.
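An added example (not BlackFog's code or the logic of any ADX product) of the idea described above and of the exfiltration stage covered earlier: baseline each host's outbound volume and flag a day that is far above it and dominated by a never-before-seen destination. It substitutes a simple median/MAD statistic for machine learning; the flow tuples, host names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, source host, destination IP, bytes sent out).
FLOWS = (
    [(d, "ws-014", "198.51.100.10", b) for d, b in enumerate(
        [22_000_000, 25_000_000, 21_000_000, 30_000_000, 24_000_000, 25_000_000], 1)]
    + [(d, "fs-01", "198.51.100.50", b) for d, b in enumerate(
        [2_000_000_000, 2_100_000_000, 1_900_000_000,
         2_050_000_000, 2_000_000_000, 2_100_000_000], 1)]
    + [(6, "ws-014", "203.0.113.77", 4_200_000_000)]  # large upload to a new host
)

def find_exfil_candidates(flows, today, k=6.0, min_bytes=50_000_000):
    """Flag hosts whose outbound volume today is far above their own baseline
    and is dominated by a destination they have not contacted before."""
    daily = defaultdict(lambda: defaultdict(int))      # host -> day -> bytes
    seen = defaultdict(set)                            # host -> earlier destinations
    today_dst = defaultdict(lambda: defaultdict(int))  # host -> dst -> bytes today
    for day, host, dst, nbytes in flows:
        daily[host][day] += nbytes
        if day == today:
            today_dst[host][dst] += nbytes
        else:
            seen[host].add(dst)
    alerts = []
    for host, per_dst in today_dst.items():
        history = [b for d, b in daily[host].items() if d != today]
        if len(history) < 3:
            continue  # too little baseline; a real deployment needs a fallback rule
        med = median(history)
        mad = median(abs(b - med) for b in history) or 1  # avoid a zero-width band
        total = daily[host][today]
        top_dst = max(per_dst, key=per_dst.get)
        # 1.4826 * MAD approximates one standard deviation for normal data.
        if (total >= min_bytes and total > med + k * 1.4826 * mad
                and top_dst not in seen[host]):
            alerts.append({"host": host, "dst": top_dst,
                           "bytes": total, "baseline": med})
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_candidates(FLOWS, today=6):
        print(alert)
```

The file server sends about 2 GB every day and is not flagged, because the comparison is against each host's own history rather than a fixed volume limit.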

Learn more about how BlackFog ADX protects enterprises from the threats posed by ransomware.
