# Threat Brief: Why Ransomware Hurts So Much and Is So Hard to Stop

By [Christopher Budd](https://www.paloaltonetworks.com/blog/author/christopher-budd/?ts=markdown "Posts by Christopher Budd"), Nov 13, 2017. Filed under [Threat Intelligence](https://www.paloaltonetworks.com/blog/category/threat-intelligence/?ts=markdown), tagged [ransomware](https://www.paloaltonetworks.com/blog/tag/ransomware/?ts=markdown).

In our updated report on ransomware from Unit 42, "[Ransomware: Unlocking the Lucrative Criminal Business Model](https://www.paloaltonetworks.com/resources/research/ransomware-report)," Unit 42 researcher Bryan Lee notes: "In 2016, it was thought that there were less than one hundred active ransomware variants out in the wild.
Today, the total number of ransomware variants is at least 150, if not hundreds more."

It's reasonable to ask why ransomware continues not only to exist but to thrive. The first answer, as we've outlined in our report, is that ransomware is a lucrative cybercriminal business model. But in addition to the human factor, there are technical reasons. Specifically, three things combine to make ransomware a particularly potent threat at the technical level:

1. Ransomware very effectively exploits the total trust the Microsoft Windows operating system places in the user.
2. Ransomware specifically targets file types and locations that are valuable to users.
3. Ransomware operates quickly, thwarting post-compromise tools for response.

In some ways, these three points state the obvious. But the full ramifications, and why they make ransomware so hard to stop, aren't always discussed.

The way ransomware works is well documented, but let's recap. Ransomware is downloaded to a user's system and executed there. How the attackers get it onto the system varies: through unpatched vulnerabilities, social engineering or both. The most common delivery vectors are email and web browsing to malicious or compromised sites. The overwhelming majority of ransomware attacks are against Microsoft Windows systems.

Once the malware is running on the user's system, it seeks out and encrypts the files and folders that hold information critical to the user, such as documents, business application data or even database files. In some cases, the ransomware is sophisticated enough to target specific application files. Most importantly, because the ransomware executes with the compromised user's privileges, any file the legitimate, now-compromised user has access to, including network shares and backups, is fair game. It's this last point that gets to the heart of why ransomware is so potent.
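The point above, that a process running as the user reaches everything the user can write, can be made concrete with a quick blast-radius audit. The script below is an added example, not code from the original post or from Unit 42's report. It walks the roots a user-level process would see (a profile folder, a mapped share, a backup destination, a system directory), and reports which files the current user could overwrite, grouped by the kinds of data ransomware goes after, while counting system binaries such as user32.dll as out of scope. The directory layout is constructed for the demonstration, and the extension classes and folder names are assumptions; real families carry their own target lists.

```python
"""Blast-radius audit: what could a process running as the current user reach?

Added example, not code from the original post. Ransomware inherits the
compromised user's permissions, so the files it can destroy are exactly
the files the user can write: profile folders, mapped network shares and
any backup destination the user can reach. The extension classes below
and the sample directory layout are assumptions made for illustration.
"""
import os
import tempfile
from collections import defaultdict

# Assumed extension classes; each real family carries its own list.
TARGET_CLASSES = {
    "documents": {".docx", ".xlsx", ".pptx", ".pdf", ".txt"},
    "images": {".jpg", ".png"},
    "databases": {".mdf", ".ldf", ".sqlite", ".accdb"},
    "backups": {".bak", ".vhdx", ".zip"},
}
SYSTEM_EXTS = {".dll", ".exe", ".sys"}  # admin-owned binaries, not the prize


def classify(path):
    """Return the target class for a path, "system" for OS binaries,
    or None for anything the audit does not care about."""
    ext = os.path.splitext(path)[1].lower()
    for cls, exts in TARGET_CLASSES.items():
        if ext in exts:
            return cls
    return "system" if ext in SYSTEM_EXTS else None


def audit_blast_radius(roots):
    """Walk every root a user-level process can see and record, per target
    class, the files the current user can write. Write access is the only
    thing that matters: encrypting a file is just overwriting it."""
    report = {"writable": defaultdict(list), "read_only": defaultdict(list),
              "system_skipped": 0}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                cls = classify(full)
                if cls is None:
                    continue
                if cls == "system":
                    report["system_skipped"] += 1
                    continue
                bucket = "writable" if os.access(full, os.W_OK) else "read_only"
                report[bucket][cls].append(full)
    return report


def build_constructed_tree(base):
    """Lay out a constructed sample: a user profile, a finance share, a
    backup folder and a system directory. Returns the roots a process
    running as the user would be able to walk."""
    sample_files = [
        "Users/alice/Documents/q3_audit_report.xlsx",
        "Users/alice/Pictures/kids.jpg",
        "Shares/Finance/ledger.accdb",
        "Shares/Finance/2017_close.pdf",
        "Backups/daily/fileserver.bak",
        "Windows/System32/user32.dll",
    ]
    for rel in sample_files:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
    return [os.path.join(base, d) for d in ("Users/alice", "Shares", "Backups", "Windows")]


def run_constructed_audit():
    """Build the sample tree in a temp dir, audit it, and return
    ({class: count of writable files}, number of system files skipped)."""
    with tempfile.TemporaryDirectory() as base:
        report = audit_blast_radius(build_constructed_tree(base))
    counts = {cls: len(paths) for cls, paths in report["writable"].items()}
    return counts, report["system_skipped"]


if __name__ == "__main__":
    counts, skipped = run_constructed_audit()
    for cls, n in sorted(counts.items()):
        print(f"{cls:10s} {n} file(s) this user could overwrite")
    print(f"system binaries seen but out of scope: {skipped}")
```

To run this against a real workstation, replace the constructed roots with the user's profile directory, every mapped drive or UNC share, and any folder a backup agent writes to under the user's credentials. Anything that comes back as writable is what a ransomware sample running as that user could also destroy, which is the practical argument for writing backups to a location the user's account cannot modify.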
From an operating system point of view, the ransomware IS the user.

Even though Microsoft Windows today features a robust User Account Control (UAC) system, that system has inherent limitations. In the early days of Windows Vista, Microsoft enabled aggressive security checking to ensure user-initiated actions were legitimate. This was well-intentioned but ultimately backfired: users got fed up clicking through "Are you sure?" dialog boxes and quickly disabled the feature, or just mindlessly clicked "OK" every time they saw it. Microsoft made reasonable adjustments so that these prompts are now raised sparingly. UAC gates elevation to administrative privileges; it was never meant to protect the user's own data files, which is exactly what ransomware targets. But there is a clear lesson from the experience: too many security checks on user activity fail in the end. Bringing that lesson to bear here, the only way the operating system could protect against ransomware would be to raise "Are you sure?" dialog boxes on everyday operations against the kinds of files ransomware targets.

And this is where the second point comes to bear. Unlike other forms of malware, ransomware is very specific in its targeting. It goes after the files users are most likely to care about. These also happen to be the files users are most likely to use day to day, or that are critical to an organization's operations. Extra layers of protection for those files would be incredibly onerous. Imagine having to click through an "Are you sure?" dialog box for every document or picture you opened in a day. From an engineering point of view, this sole, specific targeting of files that matter significantly increases the chances of ransomware's success.

This brings us to the third point: there is little attack time wasted on files that don't matter to the victim. Even a ransomware attack that is halted early by security software will have done some level of damage, enough to make the victim consider paying the ransom to get the files back.
If user32.dll were encrypted and unusable, it would be a problem. But when your organization's overall accounting and audit report is inaccessible right before the big deadline, that's catastrophic.

The net of these three points is that ransomware is a threat for which the focus needs to be placed solely on prevention. There is no effective solution for ransomware at the operating system level, as outlined above. And unlike other attacks, ransomware attacks can't succeed "just a little." In some cases, a single lost file is more than enough to count as a fully successful attack.

In some ways, ransomware is a threat unlike any other. Its impact and scope are both broad and deep in ways that are unique. Because of that, from a risk assessment point of view, ransomware needs to be put in a class by itself: a class that acknowledges that the risks from a successful attack of any kind are very high.