Ransomware - what it is, how it works, and how to protect yourself
Ransomware - a guide for organizations: attack types, incidents 2017-2025 (Colonial Pipeline, Change Healthcare), protection, incident response plan, statistics.
Łukasz Dudkowski
Łukasz Drążek
Ransomware is one of the greatest operational threats facing organizations today - not merely a technical issue, but a business risk with measurable cost: production downtime, customer data leaks, regulatory fines, and loss of trust among business partners.
The scale of the problem is growing. In the first half of 2025, Poland ranked first in the world for detected ransomware attacks - 6% of all global incidents according to the ESET report. This increase points to active targeting of the region by RaaS groups. An average of 9 confirmed attacks per day - and those are only the ones reported to CERT Polska (Poland’s national computer emergency response team).
From floppy disks to organized crime
How it started
The first ransomware appeared in 1989. The AIDS Trojan, also known as PC Cyborg, was distributed on 5.25-inch floppy disks - disguised as a survey about HIV infection risk. After 90 computer reboots, it encrypted file names on the C drive and demanded that 189 dollars be sent by mail to a PO box in Panama. The ransom message was printed on the printer connected to the computer.
For the next dozen or so years, ransomware remained a curiosity. Everything changed in 2013, when CryptoLocker appeared - the first ransomware to use RSA-2048 asymmetric cryptography and Bitcoin payments. Within the first hundred days, it infected over 250,000 devices. The mechanism was simple: an email with an attachment posing as an invoice, a click, encryption. Although few victims paid, the criminals earned over 3 million dollars.
Six generations of ransomware
Each successive generation raised the stakes - both in terms of technical sophistication and demanded amounts.
| Generation | Period | What changed | Key example |
|---|---|---|---|
| 1. Physical distribution | 1989-2005 | Floppy disks, simple symmetric encryption | AIDS/PC Cyborg (1989) - $189 ransom by mail |
| 2. Asymmetric cryptography | 2006-2015 | RSA, Bitcoin payment, mass distribution | CryptoLocker (2013) - 250,000 victims, $3M |
| 3. Network worms | 2016-2018 | Automatic propagation without user interaction | WannaCry (2017) - 200,000 computers in 100 countries |
| 4. Big Game Hunting | 2018-2021 | Targeted attacks, weeks of reconnaissance, manual operations | Ryuk / Conti - average ransom >$1M |
| 5. Double/triple extortion | 2020-present | Data theft + encryption + publication blackmail + DDoS | LockBit, ALPHV/BlackCat |
| 6. RaaS + attacks on OT | 2023-present | Ransomware-as-a-Service, attacks on physical infrastructure | BlackSuit, attacks on manufacturing and energy sectors |
The transition from generation 3 to 4 was a turning point. WannaCry in 2017 infected 200,000 computers in 100 countries - including the UK’s National Health Service (NHS), Russian banks, and Nissan factories. But WannaCry was “dumb” - it spread automatically, exploiting the EternalBlue vulnerability in SMB, for which Microsoft had released a patch a month earlier. The ransom was only 300 dollars. The criminals collected approximately $100,000 total - a fraction of the damage caused.
Ryuk changed the rules of the game. Instead of mass bombardment, Ryuk operators spent weeks infiltrating the victim’s network - identifying key servers, stealing data, destroying backups, disabling antivirus. Only when they controlled the entire infrastructure did they launch encryption. The first attack yielded 705 BTC (approximately $10 million PLN at the time). This was the beginning of the “Big Game Hunting” era - hunting for large targets.
Incidents that defined the industry
Some ransomware attacks changed not only the victims, but the entire cybersecurity industry - forcing new regulations, investments, and approaches to protection.
NotPetya (2017) - when ransomware is actually a weapon
In June 2017, a program masquerading as ransomware attacked Ukrainian companies through an infected update of the M.E.Doc accounting software. Within hours, it spread globally. Maersk - the world’s largest shipping company - lost its entire IT infrastructure and operated “on paper” for 10 days. Merck, FedEx, Mondelez - combined losses exceeded 10 billion dollars.
Key takeaway: NotPetya was not ransomware - it was a wiper disguised as ransomware. Even paying the ransom did not restore data, because the decryption mechanism never existed. This demonstrated that not every attack that looks like ransomware actually is one.
Colonial Pipeline (2021) - one password, one pipeline
In May 2021, the DarkSide group encrypted the IT systems of the operator of the largest fuel pipeline on the US East Coast. The entry vector? A compromised password for an old VPN account without multi-factor authentication. Colonial Pipeline paid 4.4 million dollars in ransom.
But the real problem was elsewhere. The ransomware affected only IT systems - not the pipeline control systems. The operator shut down the pipeline preemptively because it was uncertain whether the attack had impacted the MES (Manufacturing Execution System) responsible for fuel transfer accounting. Without a functioning MES, the company could not determine how much of what product it was transporting, to whom, and at what price. An IT incident turned into a critical infrastructure crisis - gas station queues and a state of emergency in several states.
Change Healthcare (2024) - the largest medical data breach
In February 2024, the ALPHV/BlackCat group attacked Change Healthcare - a company processing medical billing for most hospitals and pharmacies in the United States. The entry vector: compromised credentials for a Citrix portal without MFA. The attackers moved through the network for 9 days before launching encryption.
UnitedHealth Group (owner of Change Healthcare) paid 22 million dollars in ransom. The data was not recovered - an ALPHV affiliate leaked it on the dark web, attempting additional extortion. The total cost of the incident exceeded 2.5 billion dollars. Data of 100 million people was compromised - the largest medical data breach in US history.
Other key incidents
| Incident | Year | Victim | Ransom / cost | Key takeaway |
|---|---|---|---|---|
| WannaCry | 2017 | NHS, Nissan, FedEx (100 countries) | ~$100K collected ransom | The patch had existed for a month - updates save |
| Norsk Hydro | 2019 | Aluminum manufacturer (Norway) | $35-41M in losses | LockerGoga - production paralysis, company did not pay |
| JBS Foods | 2021 | Meat producer (global) | $11M (REvil) | Plant closures in the US, Australia, Canada |
| MOVEit | 2023 | 2,700 organizations globally | 93M people affected (Cl0p) | Supply chain - one vulnerability = thousands of victims |
| Renewable energy attack in Poland | 2025 | 30+ wind farms, combined heat and power plant | RTU firmware damage | Wiper on OT - destruction, not ransom |
Sources: CISA advisories, FBI IC3 Annual Reports, UnitedHealth Group SEC filings, CERT Polska (Poland’s national CERT), Mandiant and Dragos reports.
Ransomware in industrial environments
Ransomware in operational technology (OT) networks is a distinct and growing problem. The 2025 Dragos report documents an 87% increase in attacks on industrial organizations and a 60% increase in the number of groups targeting the OT/ICS sector. Manufacturing is the most frequently attacked industry - 1,466 attacks in 2025, a 56% increase over the previous year. The average ransom demanded from manufacturers doubled to $1.16 million.
The difference between ransomware in IT and in OT is fundamental. In IT, ransomware encrypts data - painful but reversible with a good backup. In OT, ransomware can halt a production line, damage physical equipment, or - in the worst-case scenario - endanger human safety. The attack on Polish renewable energy infrastructure in December 2025 showed that attackers can damage RTU controller firmware using wiper malware - this was not about ransom, but about destruction.
Colonial Pipeline illustrates the indirect impact mechanism: ransomware affected only IT, but uncertainty about the integrity of the MES system (fuel transfer accounting) forced the pipeline shutdown. The company could not conduct business because it did not know how much of what product it was transporting. Network segmentation and isolation of business systems from OT could have limited this domino effect.
The RaaS ecosystem - how the ransomware “industry” works
Modern ransomware is not the work of lone hackers. It is an organized ecosystem with a clear division of roles, revenue models, and specialization comparable to the legitimate software market. Understanding this ecosystem is essential - because it enables defenders to identify points where they can disrupt the attack chain.
Division of roles
The Ransomware-as-a-Service (RaaS) model operates like a franchise. Malware developers build and maintain the software, while affiliates - independent operators - carry out the actual attacks. But the ecosystem is much broader than the operator-affiliate relationship:
| Role | What they do | How they earn | Scale in 2025 |
|---|---|---|---|
| Operator/Developer | Builds ransomware, C2 infrastructure, negotiation panel, leak site | 20-40% of each ransom | 85 active groups in Q3 2025 (record) |
| Affiliate | Carries out the attack end-to-end - reconnaissance, access, exfiltration, encryption | 60-80% of ransom | Migrate between platforms after takedowns |
| Initial Access Broker (IAB) | Sells ready-made network access (VPN, RDP, stolen credentials) | $500-50,000 per access | ~$14M revenue in 2025 |
| Negotiator | Negotiates ransom with the victim, manages communications | Percentage of negotiated amount | Dedicated “call centers” |
| Money laundering | Cryptocurrency conversion, bridge services, mixers | Percentage of transaction | Bridge +66% YoY, mixers -37% |
The cartel model - 2025 evolution
The ransomware market has undergone a significant shift. After the takedowns of LockBit and ALPHV/BlackCat by law enforcement in 2024, the market fragmented - no single group controls more than 11% of the market (compared to LockBit’s 34% in 2023). In 2025, TRM Labs identified 93 new ransomware variants - a 94% increase year-over-year.
An interesting evolution is the cartel model. In March 2025, the DragonForce group launched a platform where affiliates can create their own ransomware brands, using DragonForce infrastructure (C2 servers, negotiation panel, leak site). DragonForce takes only 20% of the ransom - significantly less than the typical 30-40%. This lowered barrier to entry means that increasingly less technically skilled operators can run effective ransomware campaigns.
Attack chain and detection windows
Every ransomware attack goes through the same phases - regardless of the group. Reconnaissance and access purchase (IAB) can take weeks before the actual attack. Social engineering, infrastructure scanning, and the purchase of stolen credentials make up the phase in which threat intelligence and dark web monitoring can provide early warning.
After gaining access, an affiliate spends an average of 5-14 days in the network (Mandiant M-Trends 2026) on internal reconnaissance, privilege escalation, and data exfiltration - before launching encryption. This window is critical for defenders.
Impact of law enforcement actions
Enforcement operations achieve real results. The takedowns of Hive (2023), LockBit (2024), and ALPHV/BlackCat (2024) caused market fragmentation and short-term activity decline. The RAMP forum - the main RaaS affiliate recruitment platform - was seized by US authorities in January 2025.
At the same time, the ecosystem demonstrates resilience. Affiliates migrate to new platforms within weeks, and new groups (Qilin, Akira, DragonForce) quickly fill the vacant space. The decline of the ransom payment rate to 23-25% (a historic low) forces groups to change tactics - hence the growing emphasis on triple extortion (encryption + data theft + DDoS) and attacks on smaller organizations that have lower security budgets but a higher propensity to pay.
How to monitor the ecosystem
Tracking ransomware group activity enables early warning - especially when a new campaign targets a client’s industry or region. Tools such as RIFFSEC Ransomware Monitor track group activity on leak sites and allow monitoring whether an organization’s data or its contractors’ data has appeared in a leak. Other sources: ransomware.live (real-time attack map), Ransom-DB (group and victim tracking), quarterly reports from Check Point Research and Dragos (for the OT sector).
Protection against ransomware
Three dominant entry vectors
Before we discuss defense, it is worth understanding how ransomware reaches organizations. Three vectors account for over 90% of successful attacks:
Phishing and spearphishing (~45% of attacks) remain the most effective vector. Attackers impersonate well-known companies - banks, telecom operators, courier services - and persuade victims to open an attachment or click a link. In the spearphishing variant, the message is personalized - for example, posing as a CV sent to the HR department or an invoice from an actual supplier.
Public service exploits (~30%) - exploiting vulnerabilities in VPN, RDP, and web applications exposed to the internet. Colonial Pipeline (VPN without MFA), Change Healthcare (Citrix without MFA), Volt Typhoon (Fortinet and Ivanti vulnerabilities) - the pattern repeats.
Stolen credentials (~20%) - login data purchased on the dark web. Initial Access Brokers sell network access to organizations for 500 to 50,000 dollars. Without MFA, a single stolen password is sufficient.
Anatomy of an attack - from access to encryption
Between gaining initial access and launching encryption, an average of 5-14 days passes (Mandiant M-Trends 2026). This is a critical window in which an organization with good detection can interrupt the attack. Below is a typical Big Game Hunting attack chain mapped to MITRE ATT&CK:
| Phase | What the attacker does | ATT&CK technique | How to detect |
|---|---|---|---|
| Day 1 | Logs in with stolen credentials via VPN | Valid Accounts (T1078) | Login from unusual location/time |
| Day 2-3 | Scans the network, identifies Active Directory | Network Discovery (T1046) | Scanning anomalies in NDR |
| Day 3-5 | Escalates privileges to Domain Admin | Privilege Escalation (T1068) | EDR, process monitoring |
| Day 5-8 | Steals data, packages and exfiltrates it | Archive + Exfiltration (T1560, T1041) | DLP, outbound traffic monitoring |
| Day 8-12 | Deletes Volume Shadow Copies, disables backup | Inhibit Recovery (T1490) | Alert on VSS deletion, immutable backups |
| Day 12-14 | Launches encryption and demands ransom | Data Encrypted (T1486) | Canary files, EDR behavioral |
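The "How to detect" column of the table above, as an added example that is not code from the article: three rows (T1078 unusual login, T1046 scanning anomaly, T1490 recovery tampering) turned into simple rules and run over constructed sample log lines. The key=value log format, the per-user country baseline, the business-hours window and the scan threshold are assumptions for the illustration.

```python
"""Rules for three rows of the attack-chain table (T1078, T1046, T1490) run over
constructed sample logs. Added example; key=value format and thresholds are assumed."""
import re
from datetime import datetime

# Constructed sample telemetry (not real logs). "cmd=" consumes the rest of a line.
SAMPLE_LOGS = [
    "2025-03-03T08:17:00 type=vpn_login user=jkowalski src_country=PL result=success",
    "2025-03-03T03:41:00 type=vpn_login user=jkowalski src_country=BR result=success",
    "2025-03-03T10:05:00 type=process host=srv-01 user=admin cmd=vssadmin.exe delete shadows /all /quiet",
    "2025-03-03T10:06:00 type=process host=srv-01 user=admin cmd=notepad.exe report.txt",
] + [  # one workstation touching 40 internal hosts on SMB within minutes
    f"2025-03-04T09:{i:02d}:00 type=netflow src=10.0.5.21 dst=10.0.1.{i} dport=445"
    for i in range(1, 41)
]
BASELINE_COUNTRIES = {"jkowalski": {"PL"}}  # assumed per-user login baseline
WORK_HOURS = range(6, 22)                     # assumed local business hours
T1490_PATTERNS = [re.compile(p, re.I) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows", r"wbadmin(\.exe)?\s+delete\s+catalog")]

def parse(line):
    """Turn 'ts key=value ...' into a dict; 'cmd' takes the rest of the line."""
    ts, rest = line.split(" ", 1)
    fields, tokens = {"ts": ts}, rest.split(" ")
    for i, token in enumerate(tokens):
        key, _, value = token.partition("=")
        if key == "cmd":
            fields[key] = " ".join([value] + tokens[i + 1:])
            break
        fields[key] = value
    return fields

def rule_t1078(ev):
    """Valid Accounts: successful VPN login from an unusual country or hour."""
    if ev.get("type") != "vpn_login" or ev.get("result") != "success":
        return None
    reasons = []
    if ev.get("src_country") not in BASELINE_COUNTRIES.get(ev.get("user"), set()):
        reasons.append(f"country {ev.get('src_country')} outside baseline")
    hour = datetime.fromisoformat(ev["ts"]).hour
    if hour not in WORK_HOURS:
        reasons.append(f"login at {hour:02d}:00")
    return "; ".join(reasons) or None

def rule_t1490(ev):
    """Inhibit System Recovery: shadow copy / backup catalog deletion commands."""
    cmd = ev.get("cmd", "")
    if ev.get("type") == "process" and any(p.search(cmd) for p in T1490_PATTERNS):
        return f"recovery tampering: {cmd}"
    return None

def rule_t1046(events, threshold=30):
    """Network Discovery (aggregate): one source reaching many hosts on one port."""
    peers = {}
    for ev in events:
        if ev.get("type") == "netflow":
            peers.setdefault((ev["src"], ev["dport"]), set()).add(ev["dst"])
    return [f"{src} contacted {len(dsts)} hosts on port {port}"
            for (src, port), dsts in peers.items() if len(dsts) >= threshold]

def run_rules(lines):
    """Return (technique, reason) alerts for the given log lines."""
    events = [parse(line) for line in lines]
    alerts = [(tech, rule(ev)) for ev in events
              for tech, rule in (("T1078", rule_t1078), ("T1490", rule_t1490)) if rule(ev)]
    return alerts + [("T1046", r) for r in rule_t1046(events)]
```

In a real deployment these rules would run in the SIEM over EDR, VPN and NetFlow feeds; the point is that each row of the table corresponds to a concrete, testable condition.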
Five layers of protection
Protection against ransomware requires a layered approach. No single mechanism is sufficient - but a combination of five layers dramatically raises the bar for attackers.
Layer 1: Backups - the last line of defense, but it must work. The 3-2-1-1 strategy means: 3 copies of data, on 2 different media types, 1 copy offsite, 1 copy immutable. Critical: regularly test your restores. A backup from which data cannot be recovered is a false sense of security. And isolate backups from the production network - Ryuk systematically searched for and destroyed backups before launching encryption.
Layer 2: Access control - MFA on every remote access point (VPN, RDP, cloud, email). Colonial Pipeline, Change Healthcare - both attacks started from a lack of MFA. Add the principle of least privilege and privileged access management (PAM).
Layer 3: Hardening - critical updates within 48 hours (WannaCry had a patch available for a month), disabling unnecessary services (RDP, SMBv1, PowerShell remoting where not needed), and network segmentation - separating IT from OT, internal segmentation, DMZ.
Layer 4: Detection - EDR on all endpoints with behavioral detection, network monitoring (NDR), SIEM with rules for known ransomware patterns. Canary files - decoy files in key locations that generate an alert when modified - are a simple and effective early warning mechanism.
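The canary-file mechanism from Layer 4, as an added example (not code from the article): decoy files are planted in chosen directories, a hash/size/mtime baseline is recorded, and any later modification, deletion or rename of a decoy produces an alert. The decoy file name, the baseline JSON file and the directory names are assumptions; demo() runs the whole cycle in a temporary directory and simulates what encryption does to the decoys.

```python
"""Canary-file early warning from Layer 4. Added example, not the article's code:
plants decoys, stores a baseline, and flags modification, deletion or rename."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CANARY_NAME = "_invoices_2024_do_not_open.xlsx"  # decoy name (assumption): looks valuable

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def plant_canaries(dirs, baseline_file):
    """Create one decoy per directory; record hash, size and mtime as the baseline."""
    baseline = {}
    for d in dirs:
        p = Path(d) / CANARY_NAME
        p.write_bytes(b"CANARY " + os.urandom(512))  # unique random content per decoy
        st = p.stat()
        baseline[str(p)] = {"sha256": _sha256(p), "size": st.st_size, "mtime": st.st_mtime}
    Path(baseline_file).write_text(json.dumps(baseline))
    return baseline

def check_canaries(baseline_file):
    """Compare current state to the baseline; return a list of (path, finding)."""
    baseline = json.loads(Path(baseline_file).read_text())
    alerts = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            # Encryption usually renames the file (new extension); look for that sibling
            renamed = [s.name for s in p.parent.iterdir() if s.name.startswith(p.name)]
            alerts.append((path_str, f"renamed to {renamed[0]}" if renamed else "deleted"))
        elif _sha256(p) != expected["sha256"]:
            alerts.append((path_str, "content changed"))
        elif p.stat().st_mtime != expected["mtime"]:
            alerts.append((path_str, "metadata changed, content intact"))
    return alerts

def demo():
    """Stand-alone run in a temp dir: clean check, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        dirs = [Path(tmp) / "finance", Path(tmp) / "hr"]
        for d in dirs:
            d.mkdir()
        baseline_file = Path(tmp) / "canary_baseline.json"
        plant_canaries(dirs, baseline_file)
        clean = check_canaries(baseline_file)  # nothing touched yet
        # Simulate the effect of encryption: overwrite one decoy, rename the other
        (dirs[0] / CANARY_NAME).write_bytes(b"\x00" * 600)
        (dirs[1] / CANARY_NAME).rename(dirs[1] / (CANARY_NAME + ".locked"))
        tampered = check_canaries(baseline_file)
        return clean, tampered
```

In production the baseline file must live outside the monitored shares and check_canaries() runs from a scheduled agent that forwards findings to the SIEM; the decoys themselves should never be opened by legitimate users, so that any change is a true positive.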
Layer 5: People - regular training and phishing simulations (including controlled phishing campaigns as part of penetration testing), a documented and practiced incident response plan, and cyber insurance to cover forensics and recovery costs. Verifying the effectiveness of layers 1-4 requires regular penetration testing and Red Team operations.
What to do when an attack has already occurred
When a ransom demand appears on screen, time and the order of actions matter.
The first 60 minutes are critical. Confirm the incident (EDR alert, user report, canary file), but do not shut down infected machines - disconnect them from the network. Shutting down causes loss of RAM, which may contain decryption keys or forensic evidence. In parallel, block compromised accounts in Active Directory and isolate network segments via VLAN/firewall.
The next 4-24 hours should be spent on assessment. How many systems are affected? What data was stolen? Is the backup safe? Identify the ransomware variant - services like NoMoreRansom.org and ID Ransomware (malwarehunterteam.com) can help determine whether a free decryptor exists. Notify the board, legal counsel, and insurer.
Paying the ransom guarantees nothing. Change Healthcare paid 22 million dollars and did not recover the data - an ALPHV affiliate leaked it despite the payment. This is a typical double extortion scenario. Paying funds further attacks, creates legal risk (OFAC/EU sanctions against certain groups), and does not protect against data publication. CERT Polska (Poland’s national CERT), CISA, and Europol all unequivocally recommend: do not pay.
Legal obligations - report to CERT Polska (Poland’s national computer emergency response team) within 24 hours, to UODO (Poland’s data protection authority, equivalent to a DPA) within 72 hours (if personal data breach), to the sectoral CSIRT (if critical infrastructure). Under NIS2/KSC (Poland’s National Cybersecurity System Act), these deadlines are binding.
Incident response plan - 6 phases
The following plan is worth printing out and practicing before it is needed. A tabletop exercise every six months is the minimum.
| Phase | Actions | Responsible | Time |
|---|---|---|---|
| 1. Detection | Confirm the incident - EDR/SIEM alert, canary file, user report | SOC / IT | 0-15 min |
| 2. Isolation | Disconnect systems from the network, block accounts, VLAN isolation | IT / SOC / Network | 15-120 min |
| 3. Assessment | Scope, variant identification, backup status, notifications | IR / Forensics / CISO | 1-4h |
| 4. Eradication | Remove malware, close attack vectors, reset passwords, revoke tokens | IR / IT | 4-48h |
| 5. Recovery | Restore from backup, rebuild systems, monitor for reinfection | IT / SOC | 1-14 days |
| 6. Lessons learned | Post-mortem with ATT&CK mapping, update procedures and rules | IR / CISO | 2-4 weeks |
NIST SP 800-53 control mapping
For organizations subject to regulatory requirements (NIS2, KSC, DORA) - below is a mapping of key protection mechanisms to NIST SP 800-53 Rev. 5 controls:
| Protection mechanism | NIST SP 800-53 controls | Description |
|---|---|---|
| 3-2-1-1 backups | CP-9, CP-10 | System backup and recovery |
| MFA | IA-2(1), IA-2(2) | Multi-factor authentication |
| Patch management | SI-2, RA-5 | Updates and vulnerability scanning |
| Network segmentation | SC-7, AC-4 | Boundary protection, information flow control |
| EDR / monitoring | SI-3, SI-4 | Malware protection, system monitoring |
| Incident response plan | IR-1, IR-4, IR-8 | IR policy, incident handling, IR plan |
| Training | AT-2, AT-3 | Security awareness |
| Account management | AC-2, AC-6 | Account management, least privilege |
Source: NIST SP 800-53 Rev. 5.
Frequently asked questions
What is ransomware? Ransomware is malicious software that encrypts a victim’s data and demands a ransom for its release. Modern variants additionally steal data before encryption and threaten to publish it (double extortion). Ransomware targets both individuals and organizations - from small businesses to critical infrastructure.
Is it worth paying a ransomware ransom? No. CERT Polska (Poland’s national CERT), CISA, and Europol all unequivocally recommend against paying. Change Healthcare paid $22M and did not recover the data. Paying does not guarantee data recovery, funds further attacks, and creates legal risk (OFAC/EU sanctions against certain groups). Instead, restore from backups and report the incident to the appropriate authorities.
How much does a ransomware attack cost? Costs far exceed the ransom itself. The average ransom demanded in 2025 is $1.09M, but total costs (downtime, forensics, recovery, regulatory fines, customer loss) are many times higher. Change Healthcare incurred costs of approximately $2.5B. Norsk Hydro suffered $35-41M in losses despite not paying the ransom.
How does ransomware encrypt files? Ransomware uses hybrid cryptography: it encrypts files with a fast symmetric cipher (e.g., AES-256), then encrypts the symmetric key with the attacker’s RSA-2048 public key. Without the private key (which only the attacker possesses), decryption is practically impossible. Some older variants have known weaknesses - the NoMoreRansom.org service provides free decryptors for over 170 variants.
How can I protect my organization against ransomware? Key mechanisms include: backups following the 3-2-1-1 model (including immutable copies), multi-factor authentication (MFA) on all remote access points, up-to-date software (patch management), IT/OT network segmentation, and monitoring (EDR, NDR). Regular verification of security effectiveness through penetration testing helps identify gaps before attackers do.
How can I recover data after a ransomware attack? The best option is restoring from backup. If no backup exists or it is compromised, check NoMoreRansom.org and ID Ransomware - free decryption tools may be available. Do not shut down infected machines (RAM may contain decryption keys). Report the incident to your national CERT within 24 hours.
Ransomware in numbers - 2025
The figures below illustrate the scale of the problem - and two warning signals for Poland: first place globally in attack frequency and a growing share of the industrial sector.
| Metric | Value | Source |
|---|---|---|
| Global ransomware attacks (2025) | 7,419 | VikingCloud |
| YoY attack increase | +32% | industrialcyber.co |
| Poland - global ranking (H1 2025) | 1st place (6% of global) | ESET |
| Average ransom demanded | $1.09M | Varonis |
| Average ransom payment | $1.0M (-50% YoY) | Varonis |
| Manufacturing sector - number of attacks | 1,466 (+56% YoY) | industrialcyber.co |
| Increase in OT/ICS attacks | +87% | Dragos |
| Time from access to encryption | 5-14 days (median) | Mandiant M-Trends 2026 |
| Change Healthcare cost | $2.5B | UnitedHealth Group |
| Groups dismantled (2023-2025) | LockBit, ALPHV/BlackCat, Hive | Europol, FBI |
Sources
- ESET “Poland most frequently attacked by ransomware worldwide in 2025”
- CERT Polska - annual reports
- Mandiant M-Trends 2026
- Dragos Year in Review 2025
- CISA “Primary Mitigations to Reduce Cyber Threats to OT” (May 2025)
- VikingCloud “Ransomware Statistics and Trends Report 2026”
- NIST SP 800-53 Rev. 5
- NoMoreRansom.org (Europol + security companies)