Time to read: 6 minutes 40 seconds | Published: March 10, 2025

Ransomware
What is ransomware?

Ransomware is a type of cyberattack designed to gain access to a system and encrypt the files stored there. The files cannot be decrypted without a private key, which the attackers hold for a ransom.


How are ransomware attacks resolved?

Attackers often demand a ransom in exchange for a decryption key. Unfortunately, the attackers seldom provide the decryption key even after the ransom is paid, depriving victims of both the ransom amount as well as their data. 

The average ransomware recovery cost (excluding ransom payment) for organizations is $2.73M.[1] Ransomware will cost its victims an estimated $265 billion (USD) annually by 2031, with a new attack against a business, consumer, or device happening every two seconds.[2]

Why is ransomware becoming more common?

Ransomware is an ever-present concern for organizations. According to ESG research, 75% of organizations experienced ransomware attacks in the last 12 months, with 10% facing daily attacks.[3] Ransomware is becoming more prevalent as organizations increasingly focus on making data-driven decisions and see enterprise data as valuable intellectual property (IP). In addition to encrypting data, some attackers will also steal information and threaten to make that information available to other bad actors, adding to the pressure on an organization to pay the ransom.

Ransomware is big business. Many threat actors are organized crime groups. As an industry, ransomware was worth an estimated $14 billion just a few years ago.[4]

Examples of ransomware

Some ransomware attacks begin by enticing a user to open a file, often an email attachment that then downloads malicious code, which then spreads via the network. Others take advantage of vulnerabilities in operating systems, weaknesses in physical security systems, or software exploits to gain access to a network and take root within the system.

The first large-scale ransomware threat began in September 2013 with the emergence of CryptoLocker, a Trojan horse malware that lured users to download a file that then infected their systems and scanned the network looking for additional systems and files to encrypt. In May 2014, as a result of a joint operation by law enforcement and security agencies, the CryptoLocker Trojan was shut down. However, many imitations of it are still circulating.

Many other families of ransomware have been developed since CryptoLocker was shut down. Some of the most common of these families are Conti, Maze (Egregor), Sodinokibi (REvil), TorrentLocker, WannaCry, Petya (NotPetya), Ryuk, and MegaCortex. Regardless of the name, their aim is the same—to extort money from victims in return for decrypting their data and files.

New ransomware-as-a-service (RaaS) schemes that allow anyone with basic computer skills and Internet access to get into the ransomware business are helping fuel significant growth in this type of attack. The ransomware author makes resources—such as encryption tools, communications with victims, and ransom collection—available to other cybercriminals in exchange for a percentage of the ransom payment.

What can you do to protect yourself from ransomware attacks?

Many of today’s ransomware attacks can be challenging to detect because they are increasingly hidden from system administrators and endpoint protections. Thus, attackers gain long-term persistence on the device and, in turn, the ability to inflict damage at will. The average ransomware dwell time is 24 days, giving attackers ample time and opportunity to access and tamper with an organization’s data.

And all it takes is just one user to practice poor password management or to click on a link in a phishing email to put an enterprise network at risk. Implementing security awareness training for employees is an important step for many enterprises to help lower the risk of ransomware’s entry to their networks. This training should be refreshed on a regular basis as attack techniques evolve.

The best way to protect against malware that exploits software vulnerabilities is to keep operating systems and critical applications current with all patches and updates. Network monitoring, password protection, multi-factor authentication (MFA), and endpoint security measures are all useful technologies and tactics to help lower an organization’s threat profile.

While the discovery of data encryption and demand for ransom may be the most visible signs of ransomware, they occur at the end of an attack. When organizations can detect signals of a ransomware attack early, they may be able to stop the attack and prevent further damage. Use intrusion detection and prevention systems (IDS/IPS) to inspect incoming and outbound network traffic flows and block malicious and suspicious activity. If potential threat activity is detected, IDS/IPS tools can distribute threat information throughout the security ecosystem for additional protective actions.
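One concrete form of the "early signal" the paragraph above refers to is a burst of file renames to a single new extension by one process, optionally followed by a dropped ransom note. The script below is an added example written for this page, not HPE's code or any product's detection logic: it reads file-activity events in a hypothetical flat format (constructed sample lines, assumed to be in chronological order), keeps a sliding window of rename timestamps per (process, new extension) pair, and raises an alert when the window crosses a threshold. The 60-second window, the threshold of five files, and the ransom-note filename pattern are tuning assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning assumptions for this illustration: a rename burst is five or more files
# given the same new extension by one process inside a 60-second window.
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5

# Constructed file-activity events in a hypothetical flat format:
#   <ISO timestamp> <process> <WRITE|CREATE|RENAME> <path> [-> <new path>]
# Events are assumed to arrive in chronological order.
SAMPLE_EVENTS = r"""
2025-03-10T09:00:01 winword.exe WRITE C:\Users\alice\Documents\budget.docx
2025-03-10T09:00:05 excel.exe WRITE C:\Users\alice\Documents\q1.xlsx
2025-03-10T09:01:10 acrobat.exe RENAME C:\Users\alice\Documents\draft.docx -> C:\Users\alice\Documents\draft.pdf
2025-03-10T09:14:00 update.exe RENAME C:\Shares\Finance\a.docx -> C:\Shares\Finance\a.docx.locked
2025-03-10T09:14:02 update.exe RENAME C:\Shares\Finance\b.xlsx -> C:\Shares\Finance\b.xlsx.locked
2025-03-10T09:14:03 update.exe RENAME C:\Shares\Finance\c.pdf -> C:\Shares\Finance\c.pdf.locked
2025-03-10T09:14:05 update.exe RENAME C:\Shares\Finance\d.pptx -> C:\Shares\Finance\d.pptx.locked
2025-03-10T09:14:06 update.exe RENAME C:\Shares\Finance\e.docx -> C:\Shares\Finance\e.docx.locked
2025-03-10T09:14:08 update.exe RENAME C:\Shares\Finance\f.txt -> C:\Shares\Finance\f.txt.locked
2025-03-10T09:14:09 update.exe CREATE C:\Shares\Finance\HOW_TO_DECRYPT.txt
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) (?P<action>WRITE|CREATE|RENAME) "
    r"(?P<path>\S+)(?: -> (?P<new>\S+))?$"
)
# Illustrative ransom-note filename pattern; real families use many names and this
# will also match legitimate README files, so treat it as a weak signal.
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore|recover)[\w-]*\.(txt|html|hta)$", re.I)


def parse_event(line):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def basename(path):
    return path.rsplit("\\", 1)[-1]


def extension(path):
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return a list of (alert_type, process, detail) tuples for ransomware-like activity."""
    alerts = []
    renames = defaultdict(deque)  # (process, new extension) -> timestamps inside the window
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # blank or unparseable line
        if ev["action"] == "CREATE" and RANSOM_NOTE_RE.search(basename(ev["path"])):
            alerts.append(("ransom_note", ev["proc"], ev["path"]))
        if ev["action"] == "RENAME" and ev["new"]:
            old_ext, new_ext = extension(ev["path"]), extension(ev["new"])
            if new_ext and new_ext != old_ext:
                times = renames[(ev["proc"], new_ext)]
                times.append(ev["ts"])
                while ev["ts"] - times[0] > WINDOW:  # slide the window forward
                    times.popleft()
                if len(times) == BURST_THRESHOLD:  # fire once, as the threshold is crossed
                    alerts.append(("rename_burst", ev["proc"], new_ext))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The benign rename (a document exported to PDF) never reaches the threshold, while the six renames to ".locked" trigger one alert at the fifth file, well before the ransom note appears. In practice the same logic would be fed from an EDR or file-server audit stream, and the alert would drive an automated response such as isolating the host.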

Because it is impossible to eliminate the threat of a ransomware attack completely, having a robust backup strategy in place can help speed recovery for an organization under attack, with minimal interruption to operations. These backups should be separated from the network to prevent malware access, as most ransomware will also attempt to encrypt backups.

How is ransomware spread?

Ransomware typically enters an organization through one of a few well-known delivery vectors:

  • Email phishing: A popular ransomware vector is known as email phishing. Attackers will send emails to targets that appear to come from a trusted source. These messages will typically try to get the recipient to enter personal credentials on a spoofed webpage or download a file containing malware.
  • Remote Desktop Protocol (RDP): RDP is a Microsoft protocol that allows users to remotely connect to and carry out commands on a system. Unfortunately, RDP security relies heavily on users having strong, unique passwords, which is often not the case in practice. Attackers can easily crack RDP credentials or purchase hacked usernames and passwords on the dark web to gain access to a system.
  • Software vulnerabilities: Software vulnerabilities provide another common ransomware delivery method. Software that has not been updated can create gaps in security architectures and provide an open door to malware intrusions. These vulnerabilities provide a relatively easy target for attackers as there is no need for them to crack or otherwise harvest credentials.
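The RDP vector above leaves a recognizable trace in the Windows Security log: a run of failed remote-interactive logons from one source address, sometimes followed by a success for the account that was guessed. The script below is an added example for this page, not HPE's code or a product feature. It works over constructed log lines in a hypothetical flattened export format (real events are EVTX/XML); the event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, which RDP sessions produce) are real Windows values, the addresses are from the RFC 5737 documentation ranges, and the ten-failures-in-five-minutes threshold is a tuning assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning assumptions: ten failed remote-interactive logons from one source
# address within five minutes is treated as a credential-guessing attempt.
FAIL_THRESHOLD = 10
WINDOW = timedelta(minutes=5)
REMOTE_INTERACTIVE = 10  # Windows LogonType used by RDP sessions

# Constructed log lines in a hypothetical flattened export format.
SAMPLE_LOG = """
2025-03-10T02:10:01 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2025-03-10T02:10:04 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2025-03-10T02:10:07 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2025-03-10T02:10:11 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2025-03-10T02:10:15 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2025-03-10T02:10:20 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2025-03-10T02:10:24 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2025-03-10T02:10:29 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2025-03-10T02:10:33 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2025-03-10T02:10:38 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2025-03-10T02:10:45 EventID=4624 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2025-03-10T08:02:13 EventID=4625 LogonType=10 TargetUser=alice IpAddress=198.51.100.22
2025-03-10T08:02:30 EventID=4624 LogonType=10 TargetUser=alice IpAddress=198.51.100.22
2025-03-10T08:05:00 EventID=4624 LogonType=2 TargetUser=bob IpAddress=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def analyze(lines):
    """Return (alert_type, source_ip, detail) tuples for RDP credential-guessing activity."""
    alerts = []
    failures = defaultdict(deque)  # source ip -> timestamps of recent 4625 events
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        if int(m["lt"]) != REMOTE_INTERACTIVE:
            continue  # console, service and network logons are out of scope here
        ts = datetime.fromisoformat(m["ts"])
        ip, user, eid = m["ip"], m["user"], int(m["eid"])
        recent = failures[ip]
        while recent and ts - recent[0] > WINDOW:  # drop failures older than the window
            recent.popleft()
        if eid == 4625:
            recent.append(ts)
            if len(recent) == FAIL_THRESHOLD:  # fire once as the threshold is crossed
                alerts.append(("rdp_bruteforce", ip, FAIL_THRESHOLD))
        elif eid == 4624 and len(recent) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the signal worth acting on:
            # the account should be treated as compromised and the session cut.
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single mistyped password followed by a success (the second address) produces nothing, while the ten-failure run followed by a success for "backup" produces both alert types. The same windowed count is what account-lockout policies and MFA on RDP remove as an attack path; where those are not in place, this kind of log rule is the fallback.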

How can HPE help protect you from ransomware?

Unfortunately, even the best security systems and practices cannot fully protect against ransomware attacks. A layered security approach and comprehensive data backup and recovery plan are critical for detecting and defending against early stages of an attack, restoring operations, and minimizing potential data loss in the event an attack is successful.

An HPE SimpliVity hyperconverged solution consolidates the IT infrastructure and simplifies both the data protection strategy and the recovery process, particularly for businesses with multiple remote offices to support. These solutions offer integrated functions, such as built-in data protection, to help ease the burden and provide better protection across the company, whether at remote or branch offices (ROBOs). Data efficiencies enable more frequent backups for near-continuous data protection, longer retention periods, and faster recovery. In the event of a ransomware infection, a VM and all its data can be restored quickly and easily, minimizing system downtime, business disruptions, and revenue loss.

HPE StoreOnce is a purpose-built backup appliance (or virtual machine) that includes HPE StoreOnce Catalyst stores to effectively isolate critical data from ransomware attackers. As a result, attackers cannot impact the data without resorting to direct physical interactions that ultimately destroy some or all of the hardware itself. Even if hardware is destroyed at a single location, whether from malware or a natural disaster, the more advanced implementation of HPE StoreOnce Catalyst stores (distributed implementation) would protect mission-critical data by effectively isolating it from traditional lines of communication and command sets leveraged by ransomware attackers.

Zerto, a Hewlett Packard Enterprise company, delivers journal-based continuous data protection (CDP) and unrivaled recovery for virtualized and containerized apps and data from edge to cloud. Zerto’s platform provides the flexibility to protect to, from, and between clouds of all kinds—whether private, public, or cloud native deployments. Its scale-out architecture can protect petabytes of data and thousands of VMs. The software-only solution copies every data change, regardless of underlying hardware, without slowing down production systems.

HPE Aruba Networking security-first, AI-powered networking provides a common zero trust foundation that security and networking teams can use to power IoT- and AI-driven business initiatives without sacrificing cybersecurity protection. 

HPE Aruba Networking Central monitors the network for malicious activity, using IDS/IPS threat intelligence signatures to inspect network traffic and detect patterns that match the ransomware kill chain, generate threat events, and (if enabled by security administrators) drop malicious data packets. These capabilities provide an extra layer of protection that actively analyzes the network, provides signals, and takes rule-based action on traffic flows to prevent threats like ransomware in real time. Webhooks in HPE Aruba Networking Central can also be configured to send a notification to Zerto for preventative action.

To combat malware-based attacks before they can propagate, a sandbox feature within HPE Aruba Networking SSE enables organizations to test suspicious files in a safe virtual environment and destroy malicious files before they cause damage.
