You sit down at your computer, ready to start your day—but instead of your desktop, you see a message: “Your files have been encrypted. Pay $500 in Bitcoin within 72 hours or lose everything.” Photos, documents, and years of work are gone unless you give in to the demand. Panic sets in. Do you pay? Can you even trust them to give your files back? This is ransomware, and it’s happening daily to people and businesses worldwide.
Understanding ransomware
Ransomware is one of the most dangerous cybersecurity threats today, affecting both individuals and businesses. It’s a type of malware that encrypts your files or locks you out of your computer until you pay a ransom—usually in cryptocurrency—to regain access. Ransomware attacks have grown more sophisticated over time, with cybercriminals using advanced encryption methods and targeted strategies to maximize damage and extort higher payments.
Ransomware definition and meaning
What is ransomware?
Ransomware is a type of malware designed to restrict access to a victim’s data or system by encrypting files or locking the entire device. The attackers then demand a ransom payment in exchange for the decryption key or for restoring access. If the victim refuses to pay, they risk losing their data permanently or seeing it leaked online.
What does ransomware do?
Once installed, ransomware scans the victim’s system, encrypts files, and displays a ransom note with payment instructions. Some ransomware variants also threaten to leak sensitive data if the ransom isn’t paid, adding extra pressure on the victim.
Is ransomware a type of malware?
Yes, ransomware is classified as malware—a broad category of malicious software that includes viruses, spyware, and worms. Ransomware’s focus on extortion through encryption or system lockdown makes it unique.
How ransomware evolved over time
Ransomware has been around since the late 1980s, but it has evolved significantly in scale and complexity:
- First ransomware attack (1989): The first known ransomware attack was the “AIDS Trojan,” which was distributed via infected floppy disks. Victims were asked to pay $189 to regain access to their files.
- Rise of CryptoLocker (2013): CryptoLocker introduced the use of advanced encryption, making it nearly impossible to recover files without the decryption key. This marked the shift toward more sophisticated, financially motivated attacks.
- WannaCry outbreak (2017): WannaCry spread rapidly across the globe, infecting over 230,000 computers in 150 countries. It exploited a vulnerability in Windows for which a patch had already been released, and estimates of the resulting losses range from hundreds of millions to billions of dollars.
- Ransomware-as-a-Service (RaaS): Today, cybercriminals offer ransomware kits on the dark web, allowing even non-technical actors to launch attacks. This “pay-to-play” model of ransomware-as-a-service has made ransomware more accessible and common than ever.
Common ransomware jargon and key terms
Understanding key ransomware-related terms can help you navigate ransomware threats and better protect your data:
| Term | Definition |
| --- | --- |
| Encryption | The process of converting data into a coded format that can only be read again with the matching decryption key. |
| Decryption key | The secret value that restores encrypted files to their original state. |
| Ransom note | A message left by the ransomware demanding payment in exchange for restoring access. |
| Double extortion | A tactic where attackers steal data before encrypting it and then threaten to leak it unless the ransom is paid, so restoring from backup alone does not end the incident. |
| Ransomware-as-a-Service (RaaS) | A model where ransomware developers lease their malware and infrastructure to affiliates who carry out the attacks, usually for a share of the ransom. |
| Malware detection | Tools or techniques used to identify and remove malicious software, including ransomware. |
| Data recovery | The process of restoring lost or encrypted data from backups or other sources. |
| Network security threats | Any risk that targets an organization’s network infrastructure, including ransomware. |
| Phishing | A social engineering attack where victims are tricked into opening malicious links or attachments, often the first step of a ransomware infection. |
| Ransomware encryption | How a given strain encrypts files: typically a fast symmetric cipher for file contents, with the file keys themselves locked under the attacker’s public key. |
How does ransomware work?
Ransomware attacks can feel sudden and overwhelming, but they typically follow a structured process. Understanding how ransomware works is key to protecting your data and responding effectively if you’re targeted. A ransomware attack usually starts with infection, followed by data encryption, and finally, a ransom demand. The encryption stage itself can unfold in minutes; in targeted attacks on organizations, however, the intruders often spend days or weeks inside the network first, stealing credentials and data and locating backups before they trigger the encryption.
How ransomware infects systems
Ransomware can infiltrate systems through various methods, most of which exploit human error or security gaps. Here are the most common ways ransomware gets in:
- Phishing emails: Phishing remains the most common delivery method for ransomware. Attackers send emails disguised as legitimate messages, often with malicious links or attachments. Clicking the link or opening the attachment triggers the ransomware installation.
- Malicious websites and downloads: Some ransomware is delivered through compromised websites or fake software downloads. If you visit a malicious site or download a file from an untrusted source, ransomware can install itself without you realizing it.
- Remote Desktop Protocol (RDP) attacks: RDP allows remote access to computers, but RDP services exposed directly to the internet, protected by weak or reused passwords and lacking multi-factor authentication, are a favorite entry point. Attackers brute-force or buy stolen credentials, log in as a legitimate user, and deploy ransomware by hand across the network.
- Software vulnerabilities: Outdated software or operating systems are prime targets for ransomware attacks. Cybercriminals install ransomware by exploiting unpatched security holes. For example, the WannaCry attack in 2017 exploited a vulnerability in Microsoft Windows.
- Malvertising: Malicious ads (malvertising) can infect systems with little or no user interaction. A compromised ad redirects the browser to an exploit kit, which abuses an unpatched browser or plugin vulnerability to download and run the ransomware; on an unpatched machine, simply loading the page that carries the ad can be enough.
Data encryption process
Once ransomware has a foothold, it begins encrypting files (in targeted attacks, only after the intruders have finished reconnaissance and data theft):
- Scanning and targeting: The ransomware scans local drives, removable media, and reachable network shares for files to encrypt. It typically targets documents, images, videos, databases, and backups, while skipping the operating system files it needs so that the machine still boots and the victim can read the ransom note.
- Encryption: Most modern ransomware uses a hybrid scheme: each file is encrypted with a fast symmetric cipher (such as AES), and the per-file or per-victim keys are then encrypted with the attacker’s public key (such as RSA). Only the attacker’s private key, which never touches the victim’s machine, can unwrap those keys, so a correctly implemented strain cannot be decrypted by anyone else.
- Renaming and marking files: Many ransomware variants rename encrypted files, adding extensions like .locked or .crypt to signal that they’ve been encrypted.
- Locking the system (in some cases): Some ransomware strains, like screen lockers, go a step further by locking the entire system, making it impossible to access anything until the ransom is paid.
Ransom demands and ransom notes
After encryption, ransomware displays a ransom note demanding payment to restore access to the files or system. Ransom notes typically include:
- The ransom amount: Payment amounts vary widely, from a few hundred dollars to millions, depending on the target and the data value.
- Payment method: Most attackers demand payment in cryptocurrency (like Bitcoin) because it’s difficult to trace.
- Deadline: Ransom notes often include a time limit to increase pressure on the victim. If the ransom isn’t paid in time, the data might be deleted or permanently encrypted.
- Contact details: Some ransomware variants provide an email address or dark web portal for victims to negotiate or receive instructions.
Example from the WannaCry attack:
“Ooops, your files have been encrypted! To recover your files, send $300 in Bitcoin to the following address. If payment is not made within 72 hours, your files will be deleted permanently.”
What happens if you don’t pay?
Refusing to pay the ransom is generally the recommended response, but it is worth understanding the stakes on both sides:
- Permanent data loss: If you don’t have backups and no free decryptor exists, refusing to pay may mean losing your files permanently. Some ransom notes threaten to destroy the decryption key after a set period.
- Data leaks: In double extortion attacks, attackers not only encrypt the files but also threaten to publish stolen data if the ransom isn’t paid, so a clean restore from backup does not end the incident.
- Reinfection: Whether or not you pay, the way the attackers got in (stolen credentials, an exposed service, an unpatched system) is still there until you fix it. Victims who pay are also known to be targeted again, because paying marks them as willing to pay.
- No guarantee of recovery: Even if you pay, there’s no guarantee the attackers will provide a decryption key, or that the decryptor they supply will work on every file.
Cybersecurity experts generally advise against paying the ransom because it funds future attacks and encourages more ransomware activity. A more effective defense is investing in strong ransomware protection and a reliable backup strategy.
Types of ransomware attacks
Ransomware isn’t just a tech problem—it’s one of the biggest cybersecurity threats facing both individuals and businesses today. Industry trackers reported that ransomware attacks rose by roughly 95% between 2022 and 2023, costing companies and individuals billions in damages, and Cybersecurity Ventures has projected that ransomware will hit a business, consumer, or device every two seconds by 2031.
Ransomware attacks are effective because they play on urgency and fear. The moment your files are encrypted or your screen is locked, you’re left with a difficult choice: pay the ransom or risk losing everything. The attackers rely on panic and confusion to push victims into making quick, costly decisions.
Understanding the different types of ransomware—and how they operate—can help you spot the early warning signs and respond effectively. Some strains are cryptographically sound and cannot be decrypted without the attackers’ key, while others have implementation flaws that allow free recovery, and lock-screen variants can often be removed without any data loss. Knowing the difference could mean the difference between losing a few hours of work or losing your entire business.
Encrypting ransomware (crypto ransomware)
Encrypting ransomware is the most common and damaging type of ransomware. It works by encrypting files on the victim’s device, making them inaccessible without a decryption key. Attackers demand a ransom in exchange for the key, often threatening to delete the data or increase the ransom amount if payment isn’t made.
How it works:
- The ransomware scans the system for files (like documents, images, videos, and backups).
- It encrypts the files with a fast symmetric cipher such as AES, then locks the file keys under the attacker’s RSA public key so that only the attacker can release them.
- A ransom note appears, instructing the victim on how to pay to receive the decryption key.
Examples:
- CryptoLocker: One of the first high-profile encrypting ransomware attacks (2013).
- WannaCry: Used the EternalBlue exploit to target Windows systems, causing a global crisis in 2017.
- Locky: Spread through malicious email attachments disguised as invoices or business documents.
Lock-screen ransomware
Unlike encrypting ransomware, lock-screen ransomware doesn’t encrypt files—instead, it locks the victim out of their system entirely. A ransom message appears on the screen, preventing the victim from accessing anything on the device.
How it works:
- The ransomware replaces the normal desktop or login screen with a full-screen window that it keeps on top, and blocks shortcuts such as Task Manager so the victim cannot close it.
- A full-screen message appears, often impersonating law enforcement or government agencies.
- The message claims the victim violated a law (such as downloading illegal content) and demands payment to unlock the device.
Examples:
- Police-themed ransomware: Displays a fake law enforcement message accusing the victim of illegal activity.
- FBI Moneypak: A lock-screen ransomware that pretends to be an FBI warning, demanding payment through a prepaid card.
Mobile and Mac ransomware
While ransomware originally targeted Windows systems, cybercriminals have expanded their reach to mobile devices and Mac computers as those platforms have become more widespread. Mobile platforms and Macs see far less ransomware than Windows, but they are not immune: attackers adapt their methods to bypass the built-in security measures of these systems, exploiting user behavior and software vulnerabilities.
Mobile ransomware often spreads through malicious apps, fake updates, or phishing links. Once installed, it can lock the device, encrypt files, or display a ransom note demanding payment. Mac systems, once considered nearly immune to malware, have also become prime targets for ransomware, especially through malicious downloads and compromised software.
Mobile ransomware
Mobile ransomware usually arrives through:
- Fake apps (downloaded outside the official app store)
- Malicious links sent through SMS (known as smishing)
- Fake system updates
Examples:
- Lockerpin: An Android ransomware that changed the device’s PIN and locked the user out.
- Svpeng: Combined ransomware with banking trojan capabilities, stealing financial data while locking the device.
- Congur: Installed itself as a device administrator, making removing it extremely difficult without a factory reset.
Mac ransomware
macOS ships with protections such as Gatekeeper and code-signing checks for downloaded software, but some ransomware variants have slipped past them:
- KeRanger (2016): Spread through a trojanized build of the Transmission torrent client that was signed with a valid developer certificate, so Gatekeeper allowed it to run.
- EvilQuest (2020): Distributed in pirated software; installed a keylogger on infected Macs while encrypting files.
Emerging ransomware threats (Maze, REvil, Dharma, etc.)
Ransomware is evolving rapidly. Modern ransomware strains are more sophisticated and damaging than their predecessors, often combining multiple tactics to maximize the pressure on victims. Several of the groups below have since shut down or rebranded, but their tactics live on in their successors.
| Ransomware | Tactics | Why it’s dangerous |
| --- | --- | --- |
| Maze | Pioneered double extortion in 2019: encrypts files and threatens to publish stolen data. | Even if you restore your files from backup, the leak threat remains. |
| REvil (Sodinokibi) | Ransomware-as-a-Service (RaaS): the core group leases the malware to affiliates who carry out the intrusions. | Lets inexperienced attackers launch sophisticated attacks at scale. |
| Dharma | Usually delivered by hand through exposed or weakly protected RDP; appends a victim ID, contact email, and unique extension to each file. | Cheap and widely available to affiliates, so it appears constantly in small-business incidents. |
| Ryuk | Targets large corporations, hospitals, and government entities, typically after an initial foothold from botnet malware such as TrickBot. | High ransom demands, sometimes exceeding $1 million. |
| Conti | Spreads rapidly across networks using stolen credentials and encrypts with many parallel threads. | Can encrypt an entire network in minutes once deployed. |
| BlackCat (ALPHV) | Written in the Rust programming language, with builds for Windows, Linux, and VMware ESXi. | Cross-platform builds hit servers and hypervisors as well as workstations, and Rust binaries are less familiar to analysts and signature-based tools. |
How to detect a ransomware infection
Detecting a ransomware infection early can make the difference between losing your data and successfully recovering it. Ransomware is designed to work quickly, often encrypting files or locking a system within minutes. However, most ransomware strains leave behind clues before they complete their attack.
Signs your device is infected
If your device has been compromised by ransomware, you’ll likely notice one or more of the following warning signs:
Sudden file inaccessibility
- Files that were accessible moments ago are suddenly locked or have strange file extensions (like .locked, .crypt, or .enc).
- You receive error messages when trying to open files.
Unusual file extensions
- File extensions like .locky, .cryptor, or .wallet often indicate ransomware encryption.
- Sometimes files are renamed entirely, with a ransom note attached to the new name.
Ransom note on your screen
- A pop-up message or full-screen alert demanding payment in cryptocurrency to regain access to files or systems.
- The message may include a countdown timer to increase pressure.
Unexplained high CPU or disk usage
- Ransomware often works in the background to encrypt files, which can cause your system to slow down dramatically.
- Fans running louder than usual or programs lagging could indicate hidden activity.
Disabled security tools
- Some ransomware strains attempt to disable antivirus or firewall protections to prevent detection.
- If your security software is suddenly turned off or unable to update, it could be a sign of infection.
Missing or corrupted files
- Files may disappear or show as corrupted even though you haven’t deleted or modified them.
- If the file structure appears intact but you can’t open the files, encryption may have occurred.
Network activity spikes
- If your system is suddenly transmitting large amounts of data, ransomware may be communicating with a command-and-control server or exfiltrating data as part of a double extortion tactic.
What to do: If you notice any of these signs, isolate the machine immediately: disconnect Wi-Fi, unplug Ethernet, and detach external drives so the ransomware cannot reach shares or backups. Where you can, leave the machine powered on rather than shutting it down, because memory may hold evidence (and occasionally the encryption keys) that a responder can use; then seek ransomware removal help from a trusted cybersecurity expert.
Tools to identify ransomware threats
While recognizing signs of ransomware infection is important, the best defense comes from using dedicated ransomware detection tools. These tools can help identify ransomware activity early and stop it before it causes serious damage.
Antivirus and anti-malware software: Most modern antivirus tools have built-in ransomware detection. They work by identifying suspicious file behavior, like unauthorized encryption or modification attempts.
Behavior-based detection tools: Instead of relying on virus signature databases, behavior-based tools analyze how files and processes behave in real-time. If a program starts encrypting files or modifying file extensions, the tool can isolate and stop it.
Endpoint detection and response (EDR): EDR agents report process, file, and network activity from every endpoint to a central console, making them ideal for businesses. Analysts can spot ransomware-like behavior (mass file renames, deletion of volume shadow copies, credential dumping, a single process touching thousands of files) and isolate the affected machine remotely.
Network traffic monitoring: Some ransomware strains communicate with external servers to deliver encryption keys or exfiltrate data. Network monitoring tools can spot unusual outbound traffic and isolate the source.
File integrity monitoring: These tools watch for unexpected changes to files or file extensions, which are telltale signs of ransomware encryption.
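The file-level signs listed above (ransom notes, strange extensions, files that no longer open) and the file-integrity and behavior-based checks described here can be scripted. The following is an added example, not code from the page or from any vendor’s product: it scans a directory for those indicators and for a burst of files modified within a short window, and runs against a constructed sample tree built in a temporary directory. The extension and note-name lists, the entropy threshold, and the burst window are illustrative assumptions to tune for your own environment.

```python
"""Scan a directory tree for file-level ransomware indicators.

Added example, not code from the page or any vendor's product. It checks
ransom-note files, suspicious marker extensions, plain-text files whose
content looks like ciphertext (high byte entropy), and a burst of files
modified within a short window. Indicator lists and thresholds are
illustrative assumptions.
"""
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Illustrative indicator lists (assumptions, not a complete catalogue).
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".enc", ".locky", ".cryptor", ".wallet"}
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "readme_for_decrypt.txt", "decrypt_instructions.html"}
# Formats that should hold compressible text. Compressed formats such as
# .zip, .docx or .jpg are naturally high-entropy and would be false positives.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniform random bytes approach 8.0
SAMPLE_BYTES = 65536      # the first 64 KiB is enough to judge entropy
BURST_WINDOW_S = 60       # files modified within this many seconds of each other
BURST_THRESHOLD = 3       # ...count as a mass-modification event at or above this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_files_in_window(mtimes, window_s: float) -> int:
    """Largest number of modification times that fall inside one window."""
    times = sorted(mtimes)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def scan_tree(root) -> list:
    """Return (indicator, path) pairs; file paths are relative to root."""
    root = Path(root)
    findings, mtimes = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        mtimes.append(path.stat().st_mtime)
        name, suffix = path.name.lower(), path.suffix.lower()
        if name in RANSOM_NOTE_NAMES:
            findings.append(("ransom_note", rel))
        elif suffix in SUSPICIOUS_EXTENSIONS:
            # e.g. report.docx.locked: original name kept, marker appended
            findings.append(("suspicious_extension", rel))
        elif suffix in TEXT_EXTENSIONS:
            with path.open("rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                findings.append(("high_entropy_text_file", rel))
    if max_files_in_window(mtimes, BURST_WINDOW_S) >= BURST_THRESHOLD:
        findings.append(("mass_modification",
                         f"{root.name}: >= {BURST_THRESHOLD} files touched within {BURST_WINDOW_S}s"))
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree: two untouched files, three 'encrypted' ones
    (random bytes standing in for ciphertext) and a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="ransomware-scan-demo-"))
    month_ago = time.time() - 30 * 86400
    untouched = {
        "docs/budget.csv": b"month,amount\nJan,1200\nFeb,1350\nMar,990\n" * 40,
        "docs/readme.md": b"# Project notes\n" + b"the quick brown fox jumps over the lazy dog\n" * 60,
    }
    for rel, data in untouched.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (month_ago, month_ago))   # last modified a month ago
    just_encrypted = {
        "docs/report.docx.locked": os.urandom(4096),   # marker extension appended
        "photos/holiday.jpg.crypt": os.urandom(4096),
        "docs/notes.txt": os.urandom(4096),            # name kept, content now ciphertext
        "docs/HOW_TO_DECRYPT.txt": b"Your files have been encrypted. Contact us to buy the key.\n",
    }
    for rel, data in just_encrypted.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)                    # mtime stays "now": a burst
    return str(root)


if __name__ == "__main__":
    for kind, where in scan_tree(build_sample_tree()):
        print(f"{kind:24} {where}")
```

The entropy check is restricted to plain-text formats on purpose: a .jpg or .zip is already near 8 bits per byte, so entropy alone cannot tell compressed data from ciphertext. The burst check is the signal behavior-based tools weight most heavily, since a legitimate user rarely rewrites hundreds of files in a minute; a real deployment would watch modification events live rather than re-scan the tree.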
Should you pay the ransom?
When ransomware strikes, the pressure to pay can be overwhelming. Attackers often demand payment in cryptocurrency, creating a sense of urgency by including a deadline and threatening to delete or leak your data if you don’t comply. The question seems simple but is difficult to answer: Should you pay the ransom?
At first glance, paying the ransom might seem like the quickest way to recover your files and get back to business. But it’s not that straightforward. Paying the ransom doesn’t guarantee that you’ll regain access to your data or that the attackers won’t target you again. It also fuels the ransomware economy, encouraging more attacks on other victims.
Risks of paying vs. not paying
| Risks of paying the ransom | Risks of not paying the ransom |
| --- | --- |
| No guarantee of data recovery: Paying the ransom doesn’t ensure you’ll get a working decryption key. Some attackers disappear after receiving payment, while others provide faulty keys that don’t work. According to a report from Sophos, nearly 40% of companies that paid the ransom still couldn’t recover their data. | Permanent data loss: If you don’t have backups or a decryption tool, refusing to pay the ransom could mean losing your files permanently. Some ransomware strains delete encrypted files after a certain period if the ransom isn’t paid. |
| Increased likelihood of being targeted again: Paying the ransom marks you as a profitable target. Attackers often share information about victims who pay, making them more likely to be targeted in the future. | Data leaks and reputational damage: In double extortion attacks, attackers threaten to release stolen data if the ransom isn’t paid. If sensitive information is leaked, it could lead to financial losses, lawsuits, and a damaged reputation. |
| Encourages more attacks: Every time a victim pays the ransom, it rewards the attackers while funding future ransomware development. Attackers reinvest the profits into creating more sophisticated strains and expanding their operations. | Operational disruption: For businesses, a ransomware attack can shut down operations for days or even weeks. The longer it takes to recover, the greater the financial and reputational damage. |
| Possible legal issues: Some governments have introduced regulations that make it illegal to pay ransoms to certain groups, especially those linked to terrorism or sanctioned organizations. Paying the ransom could put you at risk of legal consequences. | Increased recovery costs: Even if you refuse to pay the ransom, you’ll likely face costs related to forensic analysis, system restoration, and strengthening security measures to prevent future attacks. These costs can sometimes exceed the ransom demand. |
What happens if you pay the ransom but don’t get your data back?
Even when the attackers do hand over a decryption key, it may not work. Attacker-supplied decryptors are often slow, buggy, or only partially effective; files can be corrupted beyond repair; and some groups come back demanding additional payments before they restore full access or delete the data they stole.
What cybersecurity experts recommend
Law enforcement agencies, including the FBI and Europol, strongly advise against paying ransoms in the event of a ransomware attack. The FBI emphasizes that paying a ransom does not guarantee the recovery of data and may encourage further criminal activity. Similarly, Europol warns that paying ransoms finances criminal activities and encourages their continuation. Both agencies recommend reporting ransomware incidents to the appropriate authorities and implementing robust cybersecurity measures to prevent such attacks. The main reasons paying is not recommended:
- Paying encourages more attacks: Ransomware is a business model, and attackers rely on victims paying to fund future operations. If no one paid, ransomware would become far less profitable—and less common.
- You may not get your files back: Cybercriminals have no incentive to keep their promises. Some victims who pay the ransom never receive a working decryption key. In other cases, attackers deliver a key that only partially restores files, leaving victims with permanent data loss.
- You could face legal issues: In some countries, paying a ransom to a sanctioned entity or terrorist group is illegal. For example, the US Department of the Treasury has issued warnings that companies paying ransoms to certain groups could face fines or legal action.
- Data recovery and backup strategies are more effective: Instead of relying on the goodwill of criminals, experts recommend focusing on:
- Ransomware backup strategy: Keeping regular, offline backups of your data allows you to restore files without paying a ransom.
- Malware detection: Using behavior-based detection tools can help identify and stop ransomware before it encrypts your files.
- Cybersecurity best practices: Employee training, network monitoring, and multi-factor authentication can reduce the risk of infection.
- Law enforcement and cybersecurity firms may have solutions: In some cases, law enforcement agencies or cybersecurity firms release free decryption tools after analyzing specific ransomware strains. Consulting with experts before paying the ransom can sometimes lead to recovery without financial loss.
While experts advise against paying, there are situations where it may be the only realistic choice:
- If the encrypted data is critical to business operations or personal life (such as medical records).
- If no backups exist and the cost of losing the data outweighs the ransom amount.
- If law enforcement or cybersecurity experts confirm that the attackers have a working decryption key.
However, even in these cases, experts recommend involving a cybersecurity professional before making any decisions. They can help negotiate with the attackers, confirm the authenticity of the decryption key, and improve security measures to prevent future attacks.
How to remove ransomware from your device
If your device is infected with ransomware, acting quickly and carefully can make the difference between recovering your files and permanently losing them. Ransomware removal requires a strategic approach to prevent further damage and increase the chances of data recovery.
While removing ransomware is possible in many cases, successful recovery depends on the type of ransomware, how deeply it has embedded itself in your system, and whether a decryption tool exists.
Steps for Windows users
If you suspect that your Windows PC has been infected with ransomware, follow these steps immediately:
- Disconnect from the internet
- Unplug the device from Wi-Fi and any wired connections.
- Disconnect any external drives (such as USBs) to prevent the ransomware from spreading.
- Enter Safe Mode
- On Windows 10 and 11, hold Shift while clicking Restart, then choose Troubleshoot → Advanced options → Startup Settings → Restart (pressing F8 during boot only works on older versions of Windows).
- Select Safe Mode with Networking if you still need to download a scanner, or plain Safe Mode if you already have one on removable media.
- Safe Mode loads only core drivers and services, so most ransomware set to launch at startup will not run. It does not decrypt anything.
- Run a malware scan
- Use a reputable antivirus or anti-malware tool.
- If you can’t install a program because the ransomware is blocking access, try running the scan from a USB drive with pre-installed software.
- Identify and isolate the ransomware files
- Before cleaning anything, copy the ransom note and two or three encrypted files to removable media; identification services and decryptor projects match strains from exactly these artifacts.
- If the malware scanner detects ransomware, allow it to quarantine or delete the infected files.
- If the scanner cannot remove the ransomware, search for the name of the ransomware strain online for manual removal instructions.
- Restore files from a backup (if available)
- If you have a secure backup (preferably offline), you can restore your files after the ransomware is removed.
- Avoid using backups that may have been connected to the infected system during the attack.
- Reinstall your operating system (if necessary)
- If the ransomware cannot be removed and your files are lost, a clean reinstall of Windows may be necessary.
- Be sure to format the drive during the reinstall to wipe any remaining ransomware code.
Steps for Mac users
While ransomware is less common on macOS, Mac-specific ransomware strains have shown that Apple devices are not immune. If you think your Mac is infected, follow these steps:
- Disconnect from the internet
- Turn off Wi-Fi and unplug any connected drives or external devices.
- This helps prevent the ransomware from spreading to cloud storage or networked systems.
- Force quit suspicious processes
- Open Activity Monitor (in Applications → Utilities).
- Look for unfamiliar processes consuming high CPU or memory.
- Select the process and click Force Quit to stop it.
- Boot into Safe Mode
- On an Intel Mac, restart and hold down the Shift key during startup. On an Apple silicon Mac, shut down, hold the power button until the startup options appear, select your startup disk, then hold Shift and click Continue in Safe Mode.
- Safe Mode prevents malicious programs from launching automatically.
- Use a Mac-specific malware removal tool
- Run a trusted anti-malware program like Intego or Malwarebytes for Mac to scan for and remove ransomware files.
- If the malware cannot be removed, try using Terminal to locate and delete the infected files manually.
- Remove suspicious login items
- Open System Settings → General → Login Items and remove any unrecognized apps.
- Ransomware often installs itself as a startup item to launch automatically.
- Restore files from a backup
- If you have a secure Time Machine backup or an external backup, restore your files once the ransomware is removed.
- Ensure that the backup was not connected to the infected system during the attack.
- Reinstall macOS (if necessary)
- If the ransomware persists, perform a clean reinstall of macOS using Recovery Mode.
- On an Intel Mac, hold down Command + R during startup; on an Apple silicon Mac, hold the power button until Options appears and choose it. Then select Reinstall macOS.
Can decryption tools help?
Decryption tools can sometimes recover files encrypted by ransomware, but their effectiveness depends on the type of ransomware and whether a decryption key is available.
How decryption tools work:
- Ransomware encryption is usually built on standard algorithms like AES and RSA, which cannot be broken by brute force when they are used correctly.
- Free decryptors therefore depend on a flaw in the specific strain or on the keys themselves: a hard-coded or predictable key, a key generator seeded from something guessable (such as the infection time), keys left on disk or in memory, or master keys that were seized by law enforcement, leaked, or released by the gang when it shut down.
- Given such a flaw or key, a tool can reconstruct the file keys and reverse the encryption; projects such as No More Ransom collect these tools by strain.
When decryption tools won’t work:
- If each victim (or each file) gets a unique random key wrapped under the attacker’s public key, a universal decryptor is impossible without the attacker’s private key.
- If the strain implements standard cryptography correctly, there is no flaw to exploit, and a tool written for an earlier version of the same family usually will not help.
- If the key material lives only on the attacker’s server and never touches the victim’s machine, no amount of analysis of the malware itself will recover it.
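To make the difference concrete, here is an added example, not code from the page, from any real ransomware family, or from any real decryptor. It models the encryption stage described earlier and the two outcomes above: a flawed scheme that derives the per-victim key from the infection time, which a recovery tool can brute-force using the ransom note’s timestamp and a known file header, and a sound hybrid scheme in which a random file key is wrapped under the attacker’s public key, where the same tool has nothing to guess. The stream cipher (an HMAC-SHA256 keystream) is a toy stand-in for AES, and the RSA key uses two published Mersenne primes with no padding; both are illustration only and must not be reused in real systems. The weak scheme and the recovery routine are hypothetical constructions of the general kind (predictable seeds) that real free decryptors exploit.

```python
"""Why some ransomware strains get free decryptors and others never will.

Added example, not from the page or any real malware or decryptor.
  * WEAK:   file key derived from the infection time (seconds). A low-entropy
            seed, so a recovery tool can brute-force it.
  * STRONG: random file key wrapped under the attacker's RSA public key, as
            real hybrid schemes do. Without the private key there is nothing
            to brute-force, and the same recovery tool fails.
Toy cipher (HMAC-SHA256 keystream) stands in for AES; toy RSA uses fixed
Mersenne primes and no padding. Illustration only.
"""
import hashlib
import hmac
import secrets

KEY_BYTES = 16  # 128-bit file keys (keeps the wrapped value below the toy RSA modulus)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# --- WEAK scheme: key derived from a guessable seed --------------------------

def weak_key_from_time(infection_time: int) -> bytes:
    """The flaw: the only secret is a timestamp with a few bits of real entropy."""
    return hashlib.sha256(infection_time.to_bytes(8, "big")).digest()[:KEY_BYTES]


def encrypt_weak(plaintext: bytes, infection_time: int) -> bytes:
    return keystream_xor(weak_key_from_time(infection_time), plaintext)


def brute_force_weak(ciphertext: bytes, approx_time: int, window_s: int, magic: bytes):
    """Recovery tool: try every seed within +/- window_s of the ransom note's
    timestamp and accept the one that yields the expected file header.
    Returns (seed, plaintext), or None when no seed in the window fits."""
    head = ciphertext[:len(magic)]
    for seed in range(approx_time - window_s, approx_time + window_s + 1):
        key = weak_key_from_time(seed)
        if keystream_xor(key, head) == magic:      # decrypt only the header to test
            return seed, keystream_xor(key, ciphertext)
    return None


# --- STRONG scheme: random key wrapped under the attacker's public key --------

def rsa_toy_keypair():
    """Textbook RSA with the fixed Mersenne primes 2^61-1 and 2^89-1 (toy size)."""
    p, q = (1 << 61) - 1, (1 << 89) - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent; stays with the attacker
    return n, e, d


def encrypt_strong(plaintext: bytes, n: int, e: int):
    """Fresh random key per file; only its RSA-wrapped form is stored with the file."""
    file_key = secrets.token_bytes(KEY_BYTES)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped_key, keystream_xor(file_key, plaintext)


def decrypt_strong(wrapped_key: int, ciphertext: bytes, n: int, d: int) -> bytes:
    """What the attacker's own decryptor does once the ransom is paid."""
    file_key = pow(wrapped_key, d, n).to_bytes(KEY_BYTES, "big")
    return keystream_xor(file_key, ciphertext)


if __name__ == "__main__":
    # Constructed sample "document" whose header any analyst would know.
    document = b"%PDF-1.7\n" + b"constructed sample content\n" * 20
    infected_at = 1_700_000_000          # pretend infection time (seconds)
    note_time = infected_at + 900        # ransom note written 15 minutes later
    magic = b"%PDF-1.7"

    weak_ct = encrypt_weak(document, infected_at)
    seed, recovered = brute_force_weak(weak_ct, note_time, 3600, magic)
    print("weak:   seed found", seed == infected_at, "| file intact", recovered == document)

    n, e, d = rsa_toy_keypair()
    wrapped, strong_ct = encrypt_strong(document, n, e)
    print("strong: brute force ->", brute_force_weak(strong_ct, note_time, 3600, magic))
    print("strong: with private key ->", decrypt_strong(wrapped, strong_ct, n, d) == document)
```

The recovery routine checks only the first block against a known header, which is how real decryptors validate a candidate key cheaply before decrypting everything; a wider seed window costs linearly more tries, so the note’s timestamp and file modification times matter. The strong scheme fails not because the cipher is different but because the file key has 128 bits of entropy and is only ever stored wrapped, which is exactly the case the last bullet above describes.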
Alternatives if no decryption tool is available:
- Data recovery after ransomware: Some strains write an encrypted copy and then delete the original rather than overwriting it in place. If the deleted blocks have not been reused, ordinary file-recovery software can sometimes bring the originals back; stop writing to the disk before you try.
- Professional forensic recovery: Some data recovery firms specialize in ransomware cases. Ask exactly how they recover files before you engage them: investigations have found firms that quietly paid the ransom and billed the client for a “proprietary” recovery.
Ransomware prevention: How to protect yourself or your business
Preventing a ransomware attack is far more effective (and less expensive) than trying to recover from one. While no system is completely immune, following strong cybersecurity practices can drastically reduce your chances of falling victim to ransomware.
Many ransomware attacks succeed because of human error—opening a malicious link, using weak passwords, or failing to update software. But with the right combination of security tools, employee training, and backup strategies, you can make it much harder for attackers to infiltrate your systems.
Employee training and cybersecurity awareness
A large share of ransomware intrusions begin with a human action: a phishing link opened, a weak or reused password, an update postponed. Training your team to recognize and respond to potential threats can significantly reduce your vulnerability to ransomware.
Key areas of focus:
- Phishing awareness: Teach employees how to spot suspicious emails, links, and attachments.
- Password hygiene: Encourage the use of strong passwords and MFA.
- Social engineering tactics: Educate staff on common manipulation techniques used by attackers.
- Incident response: Ensure employees know how to respond if they suspect a ransomware infection (e.g., disconnecting from the internet, notifying IT).
How to train employees effectively:
- Run regular simulated phishing tests to gauge employee awareness.
- Provide real-world examples of how ransomware spreads and the damage it can cause.
- Update training materials regularly to cover emerging threats and new attack methods.
For businesses:
- Develop a ransomware response plan so that employees and IT staff know exactly what to do if an attack occurs.
- Assign an internal or external cybersecurity team to oversee training and response.
Keep software updated & patch vulnerabilities
Outdated software is one of the most common ways ransomware gets in. Cybercriminals actively search for unpatched vulnerabilities in operating systems, browsers, and apps. Once they find a weakness, they exploit it to install ransomware without needing user interaction.
How to prevent ransomware through updates:
- Enable automatic updates for your operating system and all software.
- Regularly update third-party apps, including browsers, media players, and productivity tools.
- Prioritize security patches—software developers often release patches specifically to fix vulnerabilities that ransomware could exploit.
The WannaCry ransomware attack in 2017 exploited a vulnerability in Microsoft Windows. A security patch had been released two months earlier, but thousands of systems remained unpatched, allowing WannaCry to spread rapidly and cause billions in damages.
Establishing a patch management system for business environments is best practice to ensure that all software is updated regularly and consistently.
Use strong authentication & security software
Strong passwords and multi-factor authentication (MFA) are critical for preventing unauthorized access, which is one of the most common entry points for ransomware.
How to strengthen access security:
- Use long, unique passwords (at least 12 characters); length and uniqueness matter more than forced symbol rules, and a passphrase is easier to remember than a short jumble of characters.
- Enable multi-factor authentication (MFA) for all accounts, especially email, VPN, and remote access tools such as RDP; prefer phishing-resistant methods (security keys or passkeys) over SMS codes where they are available.
- Avoid password reuse across different services.
- Implement a password manager to generate and store strong passwords securely.
Deploy reputable security software:
- Use a comprehensive antivirus and anti-malware solution with ransomware protection.
- Security software should include real-time behavior analysis to detect and block suspicious activity.
- Keep your firewall enabled and properly configured.
For businesses:
- Use Endpoint Detection and Response (EDR) tools to monitor and respond to potential threats in real time.
- Deploy Zero Trust security models that verify every user and device attempting to access the network.
Whitelist trusted applications
Application whitelisting is an effective way to prevent ransomware from executing on your system. By only allowing pre-approved programs to run, you can stop unauthorized software—including ransomware—from launching.
How whitelisting works:
- Create a list of trusted applications and processes that are allowed to run.
- Block all other applications unless explicitly approved.
- Monitor for any unauthorized attempts to execute programs.
Why it works:
- Ransomware often relies on scripting engines (like PowerShell) or unapproved software to execute its payload.
- Whitelisting blocks unknown or unverified applications from running in the first place.
It is best practice to use built-in tools like Windows AppLocker or third-party solutions to manage application whitelisting.
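The following PowerShell is an added example, not code from the original article: it walks through the whitelisting steps above with Windows AppLocker, inventorying the software already installed in trusted locations, allowing only that, deploying the policy in audit-only mode first, and then reviewing what would have been blocked. All directory and file paths are assumptions to adapt to your own environment.

```powershell
# Added example (not from the original article): build an AppLocker allowlist from software
# already installed in trusted locations, deploy it in audit-only mode, and review what it
# would have blocked before enforcing. Assumes a Windows edition with AppLocker support and an
# elevated PowerShell session; every path below is an assumption to adapt to your environment.

$TrustedDirs = @("C:\Program Files", "C:\Program Files (x86)", "C:\Windows")
$PolicyPath  = "C:\Policies\AppLocker-Audit.xml"

# 1. Inventory executables, scripts and installers under the trusted directories.
$FileInfo = foreach ($dir in $TrustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Generate allow rules: publisher (signature) rules where possible, hash rules for unsigned
#    files. Once a rule collection contains rules and is enforced, anything not matched is denied.
$PolicyText = $FileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Set every rule collection to AuditOnly so nothing is blocked during the trial period.
$Policy = [xml]$PolicyText
foreach ($rc in $Policy.AppLockerPolicy.RuleCollection) { $rc.SetAttribute("EnforcementMode", "AuditOnly") }
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
$Policy.Save($PolicyPath)

# 4. AppLocker only evaluates rules while the Application Identity service runs; apply the policy.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 5. Ask how a given file would be treated (the path is a placeholder) without running it.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path "C:\Users\Public\Downloads\unknown.exe" -User Everyone

# 6. After a trial period, review the audit trail: event 8003 = would have been blocked (audit
#    mode), 8004 = blocked (enforced). Scripts and installers log to the separate
#    "Microsoft-Windows-AppLocker/MSI and Script" log. Anything legitimate listed here needs a
#    rule before the collections are switched to Enabled.
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```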
Back up important files regularly
A solid backup strategy is one of the most effective ways to protect yourself from ransomware. If you have a secure, up-to-date plan to back up files, you can restore your data without paying the ransom—even if your files are encrypted.
How to set up a ransomware-resistant backup strategy:
- Follow the 3-2-1 backup rule:
  - Keep three copies of your data.
  - Store backups on two different media types (e.g., cloud + external drive).
  - Keep one backup offsite or offline to prevent it from being encrypted in an attack.
- Automate backups to run daily or weekly.
- Encrypt your backups for additional security.
- Test your backups regularly to ensure they can be restored correctly.
Why offline backups matter:
- Some ransomware variants target connected network drives and cloud storage.
- An offline backup stored on an external hard drive or secure cloud storage provides additional protection.
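Testing that a backup can actually be restored, as an added example that is not part of the original article: two PowerShell functions that record a SHA-256 manifest when a backup is taken and later check a copy (including the offline one) against it, flagging files that are missing, changed or unexpected. All paths are assumptions.

```powershell
# Added example (not from the original article). Keep a copy of the manifest with each backup
# copy, including the offline one: if the manifest and backup were stored only on the same
# online drive, ransomware could encrypt both together.

function New-BackupManifest {
    param([Parameter(Mandatory)][string]$SourceRoot,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $SourceRoot).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupAgainstManifest {
    param([Parameter(Mandatory)][string]$BackupRoot,
          [Parameter(Mandatory)][string]$ManifestPath)
    $expected = @{}
    foreach ($e in Import-Csv -LiteralPath $ManifestPath) { $expected[$e.RelativePath] = $e.Sha256 }
    $results = @(foreach ($rel in $expected.Keys) {
        $target = Join-Path $BackupRoot $rel
        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{ File = $rel; Status = 'Missing' }
        }
        elseif ((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash -ne $expected[$rel]) {
            # A changed hash on a file that should be static is what an encrypted or corrupted
            # backup looks like: do not restore from it.
            [pscustomobject]@{ File = $rel; Status = 'Changed' }
        }
    })
    # Files in the backup that the manifest never listed (renamed copies, dropped ransom notes)
    # are a warning sign too.
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path.TrimEnd('\')
    $results += @(Get-ChildItem -LiteralPath $root -File -Recurse |
        Where-Object { -not $expected.ContainsKey($_.FullName.Substring($root.Length + 1)) } |
        ForEach-Object { [pscustomobject]@{ File = $_.FullName.Substring($root.Length + 1); Status = 'Unexpected' } })
    if ($results) { $results } else { "Backup verified: all $($expected.Count) files match the manifest." }
}

# Usage with assumed paths: write the manifest at backup time, verify the offline copy later.
# New-BackupManifest -SourceRoot 'D:\Documents' -ManifestPath 'E:\Backups\Documents.manifest.csv'
# Test-BackupAgainstManifest -BackupRoot 'E:\Backups\Documents' -ManifestPath 'E:\Backups\Documents.manifest.csv'
```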
FAQ: What is ransomware?
What is the most dangerous type of ransomware?
The most dangerous type of ransomware is encrypting ransomware (crypto-ransomware) because it uses strong encryption algorithms, like AES or RSA, to lock files. Without the decryption key—held by the attackers—recovering encrypted files is almost impossible. Double extortion variants, like Maze and REvil, add further pressure by threatening to leak stolen data unless the ransom is paid.
Can you recover files without paying the ransom?
Yes, but it depends on the ransomware strain. If a decryption tool exists for that specific variant, you may be able to recover files. Offline backups and file recovery software can also help. Law enforcement initiatives, like Europol’s No More Ransom project, offer free decryption tools for certain ransomware types.
How do hackers deploy ransomware?
Hackers typically deliver ransomware via phishing emails with malicious links or attachments. They also exploit unpatched software vulnerabilities, conduct Remote Desktop Protocol (RDP) attacks, and use malvertising (infected ads) to distribute ransomware. Some ransomware strains spread through infected USB drives or compromised websites.
What’s the best ransomware protection software?
The best ransomware protection software includes real-time malware detection, encryption monitoring, and behavior-based threat analysis. Look for software that offers automated scanning, firewalls, and endpoint protection. Business-focused solutions should include network monitoring and response capabilities to stop ransomware at the early stages.
I highly recommend you must read this. You can define what the true meaning of RANSOMWARE is. Take extra care with every piece you do. My sister’s hospital was a victim of ransomware, but they will not give a bitcoin; the hospital said they will find a way to put them in jail. And now all the patients’ records in the hospital were lost and will be back only if they are going to pay. It’s hard to be a victim of these cybercriminals.. Always keep a lookout! Today I have learned to always keep your files backed up. That’s right, folks, to be SAFE AND COVER ALL FILES.. Have a nice day, bye..