What Is Ransomware?
Ransomware is a specific and extremely harmful type of malware used by cybercriminals to extort money from individuals, organizations, and businesses. The infections block access to your data until you make a ransom payment, at which point you’re supposed to regain access.
In reality, nearly 40% of the victims who pay the ransom never get their data back and 73% of those that pay are targeted again later – which is why everyone must protect against ransomware.

Notorious Ransomware Types
- Dharma
- Ryuk
- Sodinokibi
- Netwalker
- Maze
- Impact:HighStatus:Active
Dharma
Dharma evolved out of the CrySis ransomware in 2016 and is mostly distributed as malicious attachments in spam emails, using various tricks like double file extensions or inside installer files for legitimate software packages. More recently, this ransomware strain has also been distributed through exposed RDP servers with weak or leaked passwords. The ransom demand is usually around 1 Bitcoin per infection, with many victims in the SMB and personal sectors. The FBI estimates that all versions together made more than $8 million in profits in 2019. In March 2020, Dharma’s source code was offered for sale on several underground forums, allowing for even more variations to be created.
In the News - Impact:ModerateStatus:Active
Ryuk Ransomware
Ryuk is allegedly linked to the state-sponsored hacking group Lazarus and the earlier Hermes ransomware variant. Unlike common ransomware strains that are distributed via massive spam campaigns and exploit kits, this variant is mostly used in targeted attacks. Ryuk uses a three-tier encryption model where encryption keys are encrypted using RSA encryption and AES encryption is used to encrypt user’s files, as well as using process injection techniques to hide itself from antivirus solutions. Ryuk has infected very high-profile targets and demanded ransoms in the order of millions of dollars. The FBI estimates Ryuk’s earning to be around $3 million per month, indicating how successful their strategy has been.
In the News - Impact:ModerateStatus:Active
Sodinokibi Ransomware
Sodinokibi is allegedly distributed by attackers affiliated with those that distributed the infamous GandCrab ransomware. Sodinokibi avoids infecting computers from Iran, Russia, and other countries that were formerly part of the USSR. Sodinokibi uses an Elliptic Curve Integrated Encryption Scheme (ECIES) for Key generation and exchange (Elliptic-curve Diffie-Hellman key exchange algorithm). This ransomware uses AES and Salsa20 algorithms to encrypt session keys and user’s files respectively, AES is also used to encrypt network data that is sent to the control server. The ransomware generally demands around 0.32806964 BTC (≈ $2,500) to regain access to the encrypted files.
In the News- Sodinokibi ransomware may tip NASDAQ on attacks to hurt stock prices
- Sodinokibi ransomware attack cripples Gedia Automotive Group’s IT network
- Attack on Travelex has alarming implications
Find out more about Sodinokibi on Acronis - Impact:HighStatus:Active
Netwalker
Discovered by GrujaRS, NetWalker (also known as Mailto) is an updated version of Kokoklock ransomware. It asks for high ransom prices after compromising networks and encrypting all connected Windows devices. Cybercriminals have recently started a coronavirus-related email spam campaign to spread NetWalker ransomware. At the end of March 2020, the group launched an affiliate campaign to provide NetWalker as Ransomware as a Service (RaaS).
In the News - Impact:HighStatus:Active
Maze
Maze, also previously referred to as ChaCha, first appeared on the ransomware scene in 2019. The group is active globally and distributes malware through various methods including spam emails, exploit kits, and remote desktop connections with weak passwords. Maze ransomware is quite complex and contains various anti-analysis tricks, such as the termination of debuggers and reverse engineering tools. Maze was one of the first large ransomware families to publish stolen data when victims failed to pay the ransom demand. Unlike many others, the group behind the Maze ransomware is very active on social media, taunting researchers and journalists.
In the News
Ransomware’s Connection to Cryptojacking
Cybercriminals are infecting Windows and Linux machines with malware that hijacks computing resources to mine cryptocurrencies without the user’s knowledge. Cryptojacking not only slows computer performance, increases energy costs, and damages hardware, the infection usually injects ransomware to maximize the malware’s profitability.
Thankfully, Acronis automatically detects and stops both ransomware and cryptojackers in real time – outperforming many leading endpoint cybersecurity solutions.

Our Cyber Protection Solutions Save Your Data
- For Home
Cyber Protect Home Office
The world’s #1 personal cyber protection solution, independently proven to be the fastest, easiest to use, and most secure.
Buy Now - For Business
Cyber Protect
The only solution that natively integrates cybersecurity, data protection and management to protect endpoints, systems and data. Integration and automation provide unmatched protection – increasing productivity while decreasing TCO.
Buy Now
Proven Protection Against Ransomware
Independent labratories, cybersecurity analysts, and industry groups agree that Acronis offers the best defense against modern cyberthreats.

Don’t Be a Victim
How Acronis solutions safeguard your data, applications, and systems
- Detects Attacks
Using artificial intelligence, Acronis monitors your system in real time – examining the process stack to identify activities that exhibit behavior patterns that are typically seen in ransomware and cryptojacking attacks.
- Stops Encryption
If a process tries encrypting your data or injecting malicious code, Acronis immediately stops it and instantly notifies you that something suspicious was found. You can then block the activity or allow it to continue.
- Restores Affected Files
If any files are altered or encrypted before the attack is halted, Acronis Cyber Protection solutions will automatically restore those files from the backup or cache – almost immediately reversing the affects of any attack.
- Five Vectors of Cyber Protection
Modern cyber protection must ensure the safety, accessibility, privacy, authenticity, and security of all data (known as SAPAS). Only Acronis unifies all of the necessary technology – hybrid cloud, AI, encryption, and blockchain – into one easy, efficient, secure solution.
Securing the Industry
Proud member of AMTSO
As part of the Anti-Malware Testing Standards Organization (AMTSO), Acronis is helping to develop proper standards for testing security solutions, and we participate in tests that adhere to AMTSO’s standards
ML Contributor to VirusTotal
Membership in AMTSO allowed Acronis to contribute our Machine Learning engine to VirusTotal, enabling all users around the world to benefit from our technology’s ability to detect various online data threats.
Joel S.
Network Administrator

“With the innovative features such as Acronis Active Protection against ransomware, we are implementing the strongest cyber protection on the market today.”
Looking for Help?
Frequently Asked Questions
- What is ransomware?
Ransomware is a type of malware used by cybercriminals to extort money from individuals, organizations, and businesses. While there are many ransomware types, a typical attack encrypts the victim’s data and then presents the user with a message that demands a ransom payment – usually in the form of digital currency like Bitcoin or Monero.
Once the ransom is paid, the criminals are supposed to provide a decryption key – although it’s important to note that nearly 40% of the victims who pay the ransom never regain access to their data.
- How to prevent ransomware?
Ransomware is commonly distributed by emails and infected websites. Most ransomware is distributed using a malware infection technique known as “phishing”, in which you receive an email that looks like it is from someone you know or trust. The idea is to trick you into opening an attachment or click on a link within the email, at which point the ransomware is injected into your system.
Being vigilant and avoiding suspicious links or attachments is the first defense, but cybercriminals are adept at fooling even the most guarded people. Having ransomware protection software defending your system is vital.
Unfortunately, traditional anti-virus solutions that look for known strains of ransomware cannot keep up with today’s ever-evolving threats. Whether you need ransomware protection for Windows 10 or Mac devices, be sure to use anti-ransomware technology that detects attacks based on suspicious activities, since behaviorally based defenses are much better at identifying and stopping zero-day attacks
- How to remove ransomware?
If you are the victim of ransomware, removal is difficult. You essentially have three options.
First, you can restore your system from a backup. You’ll need to ensure your backup hasn’t been tampered with, however, since new ransomware strains target backup files and backup software.
The second option is to reformat the hard drive, wipe out all the data (including the infection), and then reinstall the operating system and applications. Without a backup, however, you’ll lose all of your personal data and will still face the threat of future ransomware attacks.
Finally, you can pay the ransom and hope the decryption key works and your data will be restored. Just remember that 40% of those who pay never regain their data, so preventing an attack before damage is done is a much better approach.
- Who is behind ransomware?
Generally, those who develop and distribute ransomware are either organized crime groups or nation-state actors.
Organized criminals are motivated by extorting as much money as possible. Increasingly they distribute their malware as ransomware kits that anyone can use – even if they don’t have much technical expertise. This ransomware as a service (RaaS) model spreads their software rapidly. The criminals facilitate the payments, decryptions, and other operational requirements, and they take a percentage of the collected ransom.
Nation-states that rely on ransomware are generally rogue countries that are often under strict sanctions by the international community. Their use of ransomware is both to collect money from victims, and as a way to disrupt the economic, community, and governmental well-being of their rivals.
- How to decrypt files?
Given the wide array of ransomware families and the individual strains within those families, how you decrypt data following an attack varies.
In some cases, there are decrypting software packages available online for certain kinds of ransomware. They can be created either because the strain has been thoroughly studied since it appeared or because a researcher found a flaw in the encryption used by the criminals. If you can determine the type of ransomware that has encrypted your files, you can look to see if a decryptor is available.
In many cases, however, the popular ransomware strains have such strong encryption that decrypting files is not possible and, for the most part, there are no decryption options for modern ransomware families.
The better option is to restore your system from a secure backup – which recovers your files and, in the majority of cases, deletes the malware so you do not risk reinfection.
Ensuring you have a behavior-based ransomware blocker will also prevent future infections.