What is ransomware?

Ransomware is a type of malware that encrypts a victim’s files and demands payment to restore access to the data. It’s a form of digital extortion.

How Does Ransomware Work? What Does Ransomware Do?

Here’s how a typical ransomware attack unfolds:

1. Infection:

The ransomware is delivered to the victim’s computer, often through a phishing email, malicious attachment, or by exploiting a vulnerability in the system.

2. Encryption:

Once executed, the ransomware encrypts files on the victim’s system using a strong encryption algorithm. It might target specific file types, such as documents, spreadsheets, and images, or encrypt entire drives.

3. Ransom Demand:

After encrypting the files, the ransomware displays a message to the victim, demanding payment in exchange for the decryption key. The ransom is typically requested in cryptocurrency, such as Bitcoin, to make the transaction more difficult to trace.

4. Payment (Optional):

Victims may choose to pay the ransom in hopes of getting their files back. However, there’s no guarantee that the attacker will provide the decryption key after receiving payment, and paying the ransom encourages further attacks.

5. Decryption (Optional):

If the victim pays the ransom and receives the decryption key, they can attempt to restore their files. In some cases, security researchers are able to crack the encryption or obtain the decryption keys, and they may offer free decryption tools.

What Are Some Examples of Ransomware Types?

Crypto Ransomware

Crypto ransomware encrypts files on a victim’s computer and demands a ransom payment in cryptocurrency to decrypt them. It is often spread through phishing emails or drive-by downloads.


Scareware

Scareware uses social engineering to trick users into downloading or buying unwanted software. It often appears as a pop-up window that warns the user that their computer is infected with a virus or other malware. The pop-up window may also demand that the user pay a fee to remove the infection.

Locker Ransomware

Locker ransomware is a type of malware that locks the victim’s computer and demands a ransom payment to unlock it. It is often spread through phishing emails or drive-by downloads. Paying the ransom is not always a guarantee of getting the computer unlocked.

What are some of the tactics that ransomware actors employ to force their victims to pay a ransom?

Ransomware actors use various tactics to manipulate and pressure their victims into paying the ransom. Some of these tactics include:

Deadline Pressure:

Many ransomware notes include a countdown timer, threatening to increase the ransom amount or permanently delete the decryption key after a certain period. This sense of urgency pressures victims to pay quickly without seeking alternatives.

Threatening to Expose Sensitive Data:

Some ransomware variants not only encrypt the victim’s files but also exfiltrate them. Attackers may threaten to release sensitive or embarrassing information publicly if the ransom is not paid.

Impersonating Law Enforcement or Government Agencies:

Some ransomware screens pretend to be from a law enforcement agency, falsely claiming that illegal activities were detected on the victim’s computer. The ransom is then framed as a “fine” that must be paid to unlock the computer.

Social Pressure:

By attacking high-profile targets such as hospitals or municipalities, attackers create public pressure and negative media attention that might urge the victim to pay the ransom quickly.

Offering “Support” or Negotiation:

Some ransomware groups provide a “customer service” experience, guiding the victim through the payment process or even negotiating the ransom amount. This may make the payment process seem more legitimate or manageable.

Providing Evidence of Decryption Capability:

To build trust, some attackers may offer to decrypt a small number of files for free as proof that they have the ability to unlock everything once the ransom is paid.

Targeting Critical Systems:

By targeting essential business systems or critical infrastructure, attackers can bring operations to a halt, creating a crisis that pushes the victim to pay the ransom quickly.

What is ransomware-as-a-service (RaaS)?

Ransomware-as-a-Service (RaaS) refers to a business model where ransomware developers offer their malicious software and sometimes additional support services to other criminals for a fee or a share of the profits.

This arrangement allows individuals or groups with little or no technical expertise to launch sophisticated ransomware attacks, significantly lowering the barrier to entry in cybercrime.

What Are Some Ransomware Examples?

LockBit Ransomware

In May 2023, the LockBit ransomware group targeted the Taiwan Semiconductor Manufacturing Company (TSMC). The LockBit group was able to gain access to TSMC’s network through a phishing email that was sent to an employee. Once the LockBit group had access to TSMC’s network, they were able to encrypt the data on over 10,000 servers.

The LockBit group demanded a ransom of $70 million from TSMC in exchange for the decryption key.

Cl0p Ransomware

In June 2023, the Cl0p ransomware group exploited a zero-day vulnerability in the MOVEit Transfer platform to steal data from several organizations, including British Airways, the BBC, and Boots. The group then encrypted the stolen data and demanded a ransom payment of $10 million from each victim.

How can Acalvio help an enterprise counter ransomware attacks?

Acalvio’s Ransomware Protection solution provides a playbook of purpose-built deceptions that are designed to detect ransomware at any stage of the ransomware kill chain. For example, the solution deploys a special set of ransomware detection baits that enable detection of encryption actions performed by ransomware. These deceptions enable detection of known, zero-day, and unknown ransomware.
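
The bait-file idea described above, as an added Python example (not Acalvio's code): decoy files are hashed at deployment, and any later rewrite, rename or deletion of a bait raises an alert. The function names, decoy contents and the 7.0 bits-per-byte entropy threshold are assumptions.

```python
from __future__ import annotations
import hashlib
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output approaches 8.0, plain text sits far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_baits(directory: str, names: list[str]) -> dict[str, str]:
    """Write decoy files and return a baseline of {path: sha256 hex digest}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        body = (f"Payroll summary {name}\n" * 200).encode()  # constructed decoy text
        with open(path, "wb") as fh:
            fh.write(body)
        baseline[path] = hashlib.sha256(body).hexdigest()
    return baseline

def check_baits(baseline: dict[str, str], threshold: float = 7.0) -> list[dict]:
    """No legitimate user touches a bait, so any difference from baseline is an alert."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append({"path": path, "reason": "missing_or_renamed"})
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != digest:
            entropy = shannon_entropy(data)
            reason = "high_entropy_rewrite" if entropy >= threshold else "modified"
            alerts.append({"path": path, "reason": reason, "entropy": round(entropy, 2)})
    return alerts

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = plant_baits(tmp, ["budget.xlsx", "contracts.docx"])  # assumed names
        print(check_baits(base))  # untouched baits produce no alerts
```

Run on a schedule or from a file-change notification, the `high_entropy_rewrite` reason separates a bulk-encryption pattern from an ordinary accidental edit to a bait.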

When ransomware infiltrates the network and tries to compromise an endpoint, a high-fidelity incident is immediately generated in the solution. Details of the endpoint along with evidence of the ransomware attack are displayed in the incident.

The solution carries out automated notification and response actions that have been configured by the Security team. These steps leverage prebuilt integrations with existing SOC workflows.