Ransomware

Malware that encrypts a victim's files or locks their systems and demands payment — usually in cryptocurrency — for the decryption key and for the attackers not to publish stolen data.

What is ransomware?

Ransomware is a category of malware that encrypts the victim's files so that only a key the attacker holds can decrypt them. Most modern strains generate a fresh symmetric key per victim or per file and wrap it with the operator's public key, so the private half never leaves the attacker's infrastructure. The operators then demand a ransom in cryptocurrency for the decryptor. Modern "big game" operations also exfiltrate copies of sensitive data before encrypting and threaten to publish it on a leak site if the ransom is not paid, a tactic known as double extortion. LockBit, BlackCat/ALPHV, Cl0p and Play each ran industrialized ransomware or data-extortion operations at scale in the 2022–2025 period.

How ransomware gets in

Three attack paths dominate:

  • Phishing — a macro-laced document, a link to a drive-by download, or a credential-theft page; the stolen credentials or the initial implant are then handed to a human operator who carries out a manual intrusion
  • Exposed services — unpatched VPN appliances, RDP exposed to the public internet with weak or reused passwords (brute-forced, or taken from leaked credential lists and replayed in credential-stuffing attacks), and internet-facing file-transfer software with known vulnerabilities such as MOVEit Transfer and Accellion FTA
  • Supply chain — an intrusion into a managed service provider or its tooling that cascades to every downstream customer, as with the 2021 Kaseya VSA incident

Once inside, operators typically spend days to weeks moving laterally, escalating privileges, deleting or disabling backups and volume shadow copies, and staging data for exfiltration before detonating the encryption phase. That dwell time is the defender's window: the pre-encryption activity is noisy and detectable, while the encryption itself runs in minutes.
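The backup-disabling step described above is one of the more reliable pre-encryption signals, because it uses a small set of well-known commands (MITRE ATT&CK T1490, Inhibit System Recovery). The following is an added example of detection logic over process-creation events, not tooling from this page; the pipe-separated log format, the host and user names, and the sample events are all constructed for illustration, and the pattern list would need tuning against a real environment's baseline.

```python
"""Detect backup-tampering commands that ransomware operators run before
detonation (MITRE ATT&CK T1490, Inhibit System Recovery).

Added example, not tooling from the page. The log format and the sample
events below are constructed; the command patterns are the well-known ones
but any real deployment needs tuning against its own baseline.
"""
import re
from dataclasses import dataclass

# Process-creation events in a constructed pipe-separated format:
# timestamp|host|user|parent_image|command_line
SAMPLE_EVENTS = [
    r"2024-05-14T02:13:07Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|vssadmin.exe delete shadows /all /quiet",
    r"2024-05-14T02:13:09Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|wbadmin delete catalog -quiet",
    r"2024-05-14T02:13:11Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled No",
    r"2024-05-14T02:14:30Z|WS-117|CORP\jsmith|C:\Windows\explorer.exe|vssadmin list shadows",
    r"2024-05-14T02:15:00Z|BK01|CORP\backupadmin|C:\Windows\System32\cmd.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded",
    r"2024-05-14T02:16:42Z|FS02|CORP\svc_backup|C:\Windows\System32\cmd.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
]

# Each pattern names one recovery-inhibition technique. Shrinking shadow
# storage to a tiny size silently evicts existing snapshots, so a resize is
# flagged unless it is growing the store ("unbounded").
PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_shrink_shadowstorage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=(?!unbounded)", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "bcdedit_disable_recovery": re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    technique: str
    command_line: str


def parse_events(lines):
    """Split each constructed log line into its five fields."""
    events = []
    for line in lines:
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"timestamp": ts, "host": host, "user": user, "parent": parent, "cmd": cmd})
    return events


def detect_inhibit_recovery(events):
    """Return one Alert per event whose command line matches a technique."""
    alerts = []
    for ev in events:
        for technique, pattern in PATTERNS.items():
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["timestamp"], ev["host"], ev["user"], technique, ev["cmd"]))
                break
    return alerts


def hosts_with_multiple_techniques(alerts, min_techniques=2):
    """Hosts where several distinct techniques fired. A single vssadmin call
    can be an administrator; a cluster of them within seconds is staging."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.technique)
    return sorted(h for h, t in seen.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    alerts = detect_inhibit_recovery(parse_events(SAMPLE_EVENTS))
    for a in alerts:
        print(f"{a.timestamp} {a.host} {a.user} [{a.technique}] {a.command_line}")
    print("escalate:", hosts_with_multiple_techniques(alerts))
```

Run as-is, it flags four events and escalates FS01, where three different techniques ran within four seconds under a backup service account; the benign `vssadmin list shadows` and the storage-growing resize on BK01 are left alone. In production the parent image and the account would feed an allowlist (a backup product's own agent legitimately manages shadow storage), and the escalation rule would carry a time window rather than spanning the whole input.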

Ransomware and IP intelligence

The command-and-control IPs, exfiltration destinations and ransom-portal hosts used by ransomware affiliates are catalogued by threat-intel providers, often within hours of a campaign being observed. Correlating outbound connections from your network against those feeds can catch an intrusion during the staging phase, before encryption runs. Two caveats apply: affiliates rotate infrastructure quickly, so indicators go stale and a months-old IP may now belong to someone else; and the early stages of an intrusion often use legitimate remote-access and cloud-storage services that no feed will list, so indicator matching complements behavioural detection rather than replacing it.
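A minimal version of that correlation, added here as an example rather than taken from the page or any vendor's product: a constructed IOC feed (RFC 5737 documentation addresses, made-up family names and dates) is matched against constructed outbound flow records, stale indicators are downgraded instead of dropped, and outbound volume to exfiltration-tagged destinations is totalled per internal host. The internal ranges, the 30-day staleness window and the 100 MiB volume threshold are assumptions to be tuned.

```python
"""Correlate outbound connections against a ransomware IOC feed.

Added example, not the page's own tooling. The feed, the flow-log format,
the family names, the internal ranges and the thresholds are all
assumptions constructed for illustration.
"""
import ipaddress
from datetime import date

# Constructed IOC feed. Addresses are RFC 5737 documentation ranges and the
# family names are made up. 'indicator' may be a host address or a CIDR.
IOC_FEED = [
    {"indicator": "203.0.113.42", "kind": "c2", "family": "ExampleLocker", "last_seen": "2024-05-12"},
    {"indicator": "198.51.100.0/24", "kind": "exfil", "family": "ExampleLocker", "last_seen": "2024-05-10"},
    {"indicator": "192.0.2.7", "kind": "ransom_portal", "family": "OtherCrypt", "last_seen": "2024-01-03"},
]

# Constructed outbound flow records: timestamp src dst dport proto bytes_out
SAMPLE_LOGS = [
    "2024-05-14T01:02:03Z 10.0.5.21 203.0.113.42 443 tcp 1820",
    "2024-05-14T01:05:44Z 10.0.5.21 198.51.100.77 443 tcp 734003200",
    "2024-05-14T01:06:10Z 10.0.7.9 203.0.113.5 443 tcp 5120",
    "2024-05-14T01:09:00Z 10.0.7.9 192.0.2.7 443 tcp 900",
    "2024-05-14T01:11:00Z 10.0.5.21 10.0.0.12 445 tcp 2048",
]

# Analysis date for the constructed sample (assumption).
AS_OF = date(2024, 5, 14)

# Your own address space; flows to these are not "outbound" for this check.
# Listed explicitly rather than via ip_address.is_private, which also treats
# the RFC 5737 documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_index(feed):
    """Normalise every indicator to a network so host IPs and CIDRs match alike."""
    return [(ipaddress.ip_network(e["indicator"], strict=False), e) for e in feed]


def parse_flow(line):
    ts, src, dst, dport, proto, bytes_out = line.split()
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "bytes_out": int(bytes_out)}


def is_stale(entry, today, max_age_days):
    return (today - date.fromisoformat(entry["last_seen"])).days > max_age_days


def correlate(lines, feed, today, max_age_days=30):
    """Return one hit per flow whose destination matches a feed indicator.

    Stale indicators still produce a hit, but at low severity: affiliates
    rotate infrastructure quickly, and an old IOC is often a reassigned host.
    """
    index = build_index(feed)
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if any(flow["dst"] in net for net in INTERNAL_NETS):
            continue
        for net, entry in index:
            if flow["dst"] in net:
                severity = "low" if is_stale(entry, today, max_age_days) else "high"
                hits.append({**flow, "kind": entry["kind"], "family": entry["family"],
                             "indicator": entry["indicator"], "severity": severity})
                break
    return hits


def exfil_volume_by_source(hits, threshold_bytes=100 * 2**20):
    """Total bytes sent to exfil-tagged destinations per internal host and
    return the hosts over the threshold; a large outbound transfer to a
    known staging host is the strongest pre-encryption signal in this data."""
    totals = {}
    for h in hits:
        if h["kind"] == "exfil":
            totals[h["src"]] = totals.get(h["src"], 0) + h["bytes_out"]
    return {src: b for src, b in totals.items() if b >= threshold_bytes}


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS, IOC_FEED, AS_OF)
    for h in found:
        print(f'{h["severity"]:<4} {h["src"]} -> {h["dst"]} ({h["kind"]}, {h["family"]}, ioc={h["indicator"]})')
    print("exfil volume over threshold:", exfil_volume_by_source(found))
```

On the sample data the beacon to the C2 host and the 700 MiB transfer into the exfiltration range both score high, the connection to the ransom portal scores low because that indicator is four months old, and the internal SMB flow and the unlisted external host are ignored. The volume aggregation is what turns a single IOC match into an exfiltration finding rather than a possibly-stale IP hit.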

Check whether a suspicious destination IP has been reported in ransomware activity with our IP abuse report checker.

Frequently Asked Questions

Should you pay the ransom?

Most law-enforcement agencies (FBI, NCA, Europol) advise against paying. Payment funds the next attack, marks you as a willing payer for future campaigns, and offers no guarantee: a meaningful share of paying victims never get all their data back, and some that do still see the stolen data published anyway. Paying may also breach OFAC or UK sanctions rules if the gang or its affiliates are on a sanctions list, exposing your organization to penalties on top of the ransom.

How long does recovery take?

For organizations without tested backups, full recovery typically takes three to four weeks of degraded operations, with some critical services down for days. Organizations with offline, regularly tested backups and a rehearsed incident-response plan often restore core systems within 48–72 hours. The single biggest predictor is whether the backups themselves were reachable from the network the attacker compromised: a backup server joined to the same domain, reachable with credentials the attacker already held, is encrypted or wiped along with everything else.

What is double extortion?

Double extortion is when attackers steal a copy of sensitive data before encrypting it, then threaten to publish the data on a leak site if the ransom is not paid. This breaks the "just restore from backup" defense: backups recover availability, but they do not prevent stolen customer or employee data from being published. Triple extortion adds DDoS attacks against the victim and direct harassment of its customers or partners.

Can ransomware be removed, and can the files be recovered?

The malware itself can usually be removed by wiping and rebuilding affected machines. Recovering encrypted files without paying is only possible if (a) you have clean backups, (b) the strain has a known cryptographic or implementation flaw and a free decryptor exists on No More Ransom, or (c) law enforcement has obtained the gang's keys (as with Hive in 2023, BlackCat/ALPHV in late 2023, and LockBit in 2024). Most modern strains use sound cryptography, with per-file keys wrapped by an attacker-held public key, that cannot be brute-forced.

Does cyber insurance cover ransomware?

Most cyber-insurance policies sold since 2023 cover response costs (forensics, legal, restoration), but coverage of the ransom payment itself has tightened sharply: many policies now exclude payment entirely, cap it, or require pre-approval. Insurers also routinely deny or reduce claims when basic controls (MFA, EDR, tested offline backups, patched perimeter devices) were missing at the time of the attack.