What is Ransomware and how does it work?

What is Ransomware?

Topics Covered in this Ransomware whitepaper:

  • How does Ransomware work?
  • How much do Ransomware Attacks Cost?
  • Early Ransomware Attacks
  • Notorious Ransomware Attacks
  • Why Businesses Need to be Protected from Ransomware
  • Why Antivirus Programs Don’t Stop Ransomware Attacks
  • What to do if you get Attacked
  • How to stop Ransomware Attacks from Occurring

Ransomware is a thriving marketplace plaguing individuals and businesses alike. It is a malicious and sophisticated malware attack that leverages a computer virus designed to hold a user’s data hostage. While ransomware is not a new technique, it has become increasingly notorious in recent years. Once imagined to be one clever hacker operating from his basement, it has now grown into a booming business.

Ransomware attacks are becoming more prevalent for several reasons. One is that most people today are incredibly dependent on their computers, with precious photos, important files, and more stored on them and are therefore willing to pay to get lost files back. And, in the case of businesses, most literally cannot afford to be locked out of their computers or files for any significant period of time. Considering that ransomware can spread to other PCs connected to a local network, it can be particularly catastrophic for businesses.

Another reason is simply that more and more people are able to access the ability to create and launch a ransomware attack. With the opportunity to become a lucrative business, there’s plenty of incentive to get into it.

There are two basic types of ransomware. The first is locker ransomware, which locks the user out of their entire system and only unlocks it when the creator receives the ransom he has demanded. The other type is encrypting ransomware, which encrypts the user’s files; the creator then demands a ransom from the victim in exchange for a decryption key.

How does Ransomware work?

As its name indicates, Ransomware works just like a kidnapping, except that you are paying the ransom for your data instead of for a loved one.

There are several different methods hackers use to launch their ransomware. It often begins when the cybercriminal behind the act designs an email that looks convincingly like a real email, such as a UPS package tracking email that baits the user to click a URL. When the user clicks the link, it launches malware that infects his computer with a virus. Alternately, when users unknowingly visit a compromised or malicious website, ransomware can be downloaded onto their systems. Additionally, it can be spread via infected software apps or infected external storage devices.

This virus then locks or encrypts everything on the user’s computer hard drive, literally locking the user out of all the files on the computer. The user is notified by a screen popping up that informs him that his files will all be destroyed unless he pays a ransom through an online payment to get access to a decrypt key.

Typically, the ransom is made with a specific deadline and if the victim goes past the deadline without paying, either the ransom will increase, or the user’s data is permanently destroyed.

It has become much more prevalent in recent years thanks to the dark web, which has made it possible for people even with very limited technical experience to get their hands on kits known as ransomware as a service (RaaS). Basically, just about anyone can create and launch a ransomware attack if they know where to look for RaaS.

Cybercriminals enjoy the challenge and the thrill of their malicious activities. But, layer on the fact that they can make fast, easy cash and it’s clear that ransomware isn’t going away anytime soon.

How much do Ransomware Attacks Cost?

According to Symantec, the amount of ransom demanded in 2017 was nearly three times what it was in 2016, averaging $1,077. The cybercriminals responsible for these attacks most commonly demand payment via cryptocurrency such as Bitcoin, though some other payment methods include Amazon and iTunes gift cards.

However, paying the ransom doesn’t always guarantee you’ll get your decryption key. In fact, a 2016 Kaspersky Security Bulletin indicates that 20 percent of companies that paid a ransom in response to an attack never recovered their files.

Early Ransomware Attacks

According to Symantec, the first known ransomware attack called AIDS Trojan occurred in 1989 for a payment of $189 and was spread via shared floppy discs. It was created and distributed by biologist Dr. Joseph Popp, who claimed to be using the funds collected to fund AIDS research.

In Russia, cases of ransomware attacks began to occur in 2005. In these early years, ransomware was mostly focused on encrypting the most commonly used file types such as .PDF, .DOC, .XLS, .JPG. While ransomware attacks originally were prevalent in Russia, they soon moved into Europe before the infections began to spread across North America.

The first ransomware strain to use RSA encryption in the mid-’00s was called Archiveus. Very difficult to decode, an RSA encrypted file requires a specific alpha-numeric string of digits to unlock.

Some Notorious Ransomware Attacks


In the early ’10s, a type of ransomware known as Reveton, or “Police Ransomware” packages hit the scene. These police trojans impersonated law enforcement agencies with notification pages informing the victims that they were caught doing illicit activities online and demanded the payment of “fines”. Reveton tracked the geolocation of its victims in order to know which local law enforcement agency to impersonate.


Named after its ability to encrypt files as well as lock the files, CryptoLocker appeared in 2013. At its peak, CryptoLocker was infecting about 150,000 victims monthly.

This threat was powerful because even if the victim was able to delete the malware, they would still have to pay the ransom to receive a decryption key for their encrypted files. A spam campaign was identified to be the cause behind the CryptoLocker infections, which used a small file size and simple downloading function.

While CryptoLocker was taken down by a white-hat campaign, CryptoLocker got the foot in the door for variations of file-encryption ransomware, such as the widely-known imitators CryptoWall and TorrentLocker.


TeslaCrypt originally targeted gamers of several specific and extremely popular games: Call of Duty, World of Warcraft, Minecraft, and World of Tanks. TeslaCrypt targeted the ancillary files associated with those video games that are commonly stored on the local hard drive.

In 2015-2016 TeslaCrypt was responsible for nearly half of all ransomware attacks. Surprisingly in 2016, the cybercriminals behind TeslaCrypt not only provided the master decryption key publicly, ending the threat, they even apologized.


In late 2015, the Android platform was targeted by SimpleLocker, the first Android-based attack to encrypt files. Additionally, it was the first ransomware to use a Trojan downloader mimicking a legitimate app to deliver the ransomware. The majority of victims were infected when they attempted to download porn or other shady apps from sources other than the Google Play store.


In mid-May of 2017, the WannaCry worm literally made ransomware life-threatening when it shut down hospitals in Ukraine and struck Britain’s National Health Service (NHS). Originally spread through malicious Dropbox URLs embedded in spam, WannaCry spread rapidly through a number of computer networks by infecting a Windows computer and encrypting files on the PC’s hard drive. Considered one of the worst ransomware attacks of all time, it was detected in more than 115 countries.


The Petya ransomware package originated in 2016 and was a standard package aimed at extracting Bitcoin from its victims. An updated version—named “NotPetya” to signify its advanced state from its predecessor—became prevalent while the world was still reeling from the WannaCry outbreak.

It is widely speculated that NotPetya was actually a state-sponsored Russian cyberattack on Ukraine, disguised as a ransomware attack.


Cerber appeared in March 2016 and was notorious for its creepy voice component, which reads out the ransom message. It was responsible for an attack on millions of Microsoft Office 365 users who were potentially exposed.


The GoldenEye ransomware attacks, reported in Ukraine in late June of 2017, targeted Kiev’s largest airport, Ukraine’s national bank, and its state power company. Unlike most ransomware, which just encrypts files, GoldenEye attacked the entire computer, preventing the system from booting up by encrypting the Master File Table. When the victim attempted to reboot their machine, a skull and crossbones splash screen appeared displaying the ransom demand.


Locky was especially notorious because it encrypted not just data files but also Volume Snapshot Service (VSS) files to stop victims from attempting to restore files using it. It also encrypted Bitcoin wallets. Its name comes from the fact that while encrypting the user’s files, it also renamed them to have the extension “.locky”.

Why Businesses Need to be Protected from Ransomware

Cybercriminals realized that the real money was not in targeting individual home users but in targeting companies, because of the major disruptions an attack would cause, and their focus shifted in that direction. In fact, nearly 70 percent of companies pay the ransom to recover their data.

Complex networks in businesses are often more vulnerable and many businesses are reluctant to report attacks because they fear it would damage their brand and cause customer losses.

Why Antivirus Programs Don’t Stop Ransomware Attacks

Antivirus software can’t detect ransomware because it is designed to stay hidden. While antivirus programs can stop any known ransomware from attacking your business by reading the signature of the known ransomware, they can’t protect your business from new ransomware attacks. Because stealth is critical to ransomware being a lucrative business, these cybercriminals are employing talented developers to ensure that their attacks remain undetected.

What to do if you get Attacked

Step 1: Disconnect from the network and stop backing data up immediately. Disconnect the infected machine from the network immediately after the infection is discovered.

Step 2: Remove ransomware and clean computers of malicious software. If you have a good restore, remove all traces of the ransomware using antivirus software or an appropriate malware remover before proceeding.

Step 3: Restore from the most recent clean backup. Provided that you maintain consistent backups, locate a clean version of the files, and restore to your most recent backup set.
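
As an added example (not part of the original whitepaper and not Evolve IP's tooling), this Python script shows one way to locate the "most recent clean backup" from Step 3 by comparing backup file listings. It generalizes beyond the ".locky" rename described earlier by also flagging a mass rename of documents to any previously unseen extension. The manifests, file names, the ".enc1" extension and the 50 percent threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime
from pathlib import PurePosixPath

# File types the page says early ransomware targeted.
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".jpg"}
# Extension the page attributes to Locky; extend with your own intelligence.
KNOWN_RANSOM_EXTS = {".locky"}


def ext_counts(paths):
    """Count files per lower-cased extension."""
    return Counter(PurePosixPath(p).suffix.lower() for p in paths)


def assess(baseline_paths, current_paths, drop_ratio=0.5):
    """Return reasons the current set looks encrypted (empty list = clean)."""
    reasons = []
    cur = ext_counts(current_paths)
    hits = sum(cur[e] for e in KNOWN_RANSOM_EXTS)
    if hits:
        reasons.append(f"{hits} file(s) with a known ransomware extension")
    if baseline_paths is not None:
        base = ext_counts(baseline_paths)
        docs_before = sum(base[e] for e in DOCUMENT_EXTS)
        docs_now = sum(cur[e] for e in DOCUMENT_EXTS)
        lost = docs_before - docs_now
        # Mass rename: most documents vanished and a new extension absorbed them.
        if docs_before and docs_now <= docs_before * (1 - drop_ratio):
            new_exts = {e: n for e, n in cur.items() if e and e not in base}
            if new_exts:
                top, n = max(new_exts.items(), key=lambda kv: kv[1])
                if n * 2 >= lost:
                    reasons.append(
                        f"documents dropped {docs_before}->{docs_now}; "
                        f"{n} new '{top}' file(s)"
                    )
    return reasons


def latest_clean_backup(backup_sets):
    """backup_sets: iterable of (iso_timestamp, [paths]).

    Returns (timestamp of newest clean set or None, per-set report).
    Each set is compared with the last set judged clean, so one encrypted
    backup cannot become the baseline for the next. The oldest set has no
    baseline and is only checked for known extensions (an assumption).
    """
    ordered = sorted(backup_sets, key=lambda s: datetime.fromisoformat(s[0]))
    report, clean_ts, baseline = [], None, None
    for ts, paths in ordered:
        reasons = assess(baseline, paths)
        report.append((ts, reasons))
        if not reasons:
            clean_ts, baseline = ts, paths
    return clean_ts, report


# Constructed sample manifests: four nightly backup sets of one file share.
_DOCS = ["finance/q1.xls", "finance/q2.xls", "hr/policy.pdf",
         "hr/offer.doc", "img/logo.jpg", "notes.txt"]
SAMPLE_BACKUPS = [
    ("2017-06-25T02:00:00", _DOCS),
    ("2017-06-26T02:00:00", _DOCS + ["finance/q3.xls"]),
    # Taken after infection: every file renamed to ".locky".
    ("2017-06-27T02:00:00", [f"share/{i:04d}.locky" for i in range(7)]),
    # A variant with an extension not on any list (constructed ".enc1").
    ("2017-06-28T02:00:00", [f"share/{i:04d}.enc1" for i in range(7)]),
]

if __name__ == "__main__":
    clean, report = latest_clean_backup(SAMPLE_BACKUPS)
    for ts, reasons in report:
        print(ts, "CLEAN" if not reasons else "SUSPECT: " + "; ".join(reasons))
    print("Restore from:", clean)
```

The result also shows why Step 1 says to stop backing up immediately: every set written after the infection is flagged, so each additional run only adds encrypted copies and, under a fixed retention window, pushes clean sets out.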

How to stop Ransomware Attacks from Occurring

There are two key ways to combat ransomware and keep it from affecting your business.

The first is to have your staff educated on what to watch for and trained to be diligent since most ransomware attacks are launched via phishing emails. Train your associates to avoid opening unverified emails or clicking links embedded in unverified emails. Provide employees with examples of what phishing emails look like, so that the next time they receive an email from “FedEx” with a “tracking link” for a “package” they know nothing about, they will think twice before clicking the link and send it to the helpdesk.

Your associates should also adhere to best practices such as keeping macros turned off in the Microsoft Office suite of software and avoiding the use of browser plug-ins including Adobe Flash, Adobe Reader, Java, and Silverlight except on an ad-hoc basis.

Secondly, evaluate your technical infrastructure and the way your IT pros build and maintain that infrastructure. With a solid, cloud-based business continuity plan, you can successfully avoid ransomware damage for your company.

Most security vendors are constantly working on updates to catch and stop ransomware before it infects your files. If you use antivirus or anti-malware services, be sure you are running the most recent versions of these products and do regular updates. And, setting up a next-generation firewall can combat numerous threats—in fact, some can even detect zero-day threats before they infiltrate the system.

If your business does become the victim of an attack, it can be a manageable event when your data is backed up and easily recoverable.
