What Is Ransomware?

Ransomware is a type of malware that encrypts your files or locks you out of your system, then demands a payment (ransom) in exchange for restoring access. It is one of the most destructive and financially damaging forms of cyberattack, affecting individuals, businesses, hospitals, schools, and government agencies worldwide.

Unlike other malware that operates silently, ransomware announces itself. After encrypting your files, it displays a ransom note demanding payment -- typically in cryptocurrency -- with a deadline. If you do not pay within the timeframe, the attackers may increase the ransom, permanently delete your decryption key, or publish your stolen data.

⚠️
Ransomware is a business.

Modern ransomware operations function like professional enterprises with customer support, affiliate programs, and even service-level agreements. Ransomware-as-a-Service (RaaS) platforms let criminals without technical skills launch attacks for a percentage of the proceeds. This has dramatically increased the volume of attacks.

How Ransomware Works

A ransomware attack follows a predictable sequence, though modern variants have become increasingly sophisticated in each phase.

Phase 1: Initial Access

The attacker gains access to the target system. The most common entry points are phishing emails with malicious attachments, exploiting unpatched vulnerabilities in internet-facing services (such as VPN appliances or Remote Desktop Protocol), and compromised credentials purchased from darknet marketplaces.

Phase 2: Lateral Movement and Escalation

Once inside, sophisticated attackers do not encrypt immediately. They spend days or weeks moving laterally through the network, escalating privileges, identifying critical systems, and locating backup infrastructure. Their goal is to maximize damage and ensure backups cannot be used for recovery.

Phase 3: Data Exfiltration

Modern ransomware operations practice "double extortion" -- they steal sensitive data before encrypting it. This gives them a second lever: even if you restore from backups, they threaten to publish your confidential data unless you pay. Some groups have escalated to "triple extortion," adding DDoS attacks or contacting your customers directly.

Phase 4: Encryption and Ransom Demand

The ransomware encrypts files with a hybrid scheme: a fresh symmetric key (typically AES-256; some families use ChaCha20 or Salsa20 for speed) encrypts the file contents, and that key is wrapped with an RSA or elliptic-curve public key embedded in the malware. The matching private key stays with the attacker, so the files cannot be recovered by reverse-engineering the sample; free decryptors exist only where a family made an implementation mistake, such as a predictable key or a key left recoverable on disk or in memory. Encrypted files receive a new extension (such as .locked, .encrypted, or a random string), and a ransom note appears on every affected system.

YOUR FILES HAVE BEEN ENCRYPTED

All your documents, photos, databases, and other important files
have been encrypted with military-grade encryption.

You cannot decrypt your files without our private key.

To recover your files, you must pay 2.5 BTC to:
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

You have 72 hours. After that, the price doubles.
After 7 days, your files will be permanently lost.

Contact: recovery_support@protonmail.com

Notable Ransomware Attacks

These high-profile incidents demonstrate the scale and impact of ransomware on critical infrastructure and everyday life.

  • WannaCry (2017) -- Exploited the Windows SMBv1 vulnerability (MS17-010) using the leaked EternalBlue exploit to spread automatically across networks with no user interaction. Infected over 200,000 systems in 150 countries in a single day, including the UK's National Health Service, causing hospitals to cancel surgeries and divert ambulances. Microsoft had published the patch two months earlier
  • NotPetya (2017) -- Disguised as ransomware but was actually a destructive wiper: its payment mechanism could not produce a working key. Spread through a compromised update of the Ukrainian M.E.Doc tax software, causing an estimated $10 billion in global damage. Shipping giant Maersk had to reinstall 45,000 PCs and 4,000 servers
  • Colonial Pipeline (2021) -- Forced the shutdown of the largest fuel pipeline in the US, causing gas shortages across the East Coast. The company paid a $4.4 million ransom. Entry point was a single compromised password for a legacy VPN account that had no multi-factor authentication
  • Kaseya VSA (2021) -- REvil ransomware exploited a then-unpatched vulnerability in Kaseya's VSA remote management software to attack managed service providers and their downstream clients simultaneously, affecting up to 1,500 businesses
💡
Small targets are not safe.

While headline-grabbing attacks target large organizations, small businesses and individuals are frequently hit because they lack dedicated security teams and often have weaker defenses. Automated ransomware campaigns do not discriminate by size.

Prevention Strategies

Preventing ransomware requires a combination of technical controls, user training, and operational discipline. No single measure is sufficient on its own.

  • Patch management -- Apply security updates promptly. Many ransomware attacks exploit vulnerabilities for which patches have been available for months or years
  • Email security -- Deploy email filtering that scans attachments for malware, blocks executable file types, and flags suspicious links. Train users to recognize phishing
  • Network segmentation -- Divide your network into segments so that a single compromised system cannot reach all others. Isolate critical systems and backup infrastructure
  • Principle of least privilege -- Users and services should have only the minimum permissions needed. Admin accounts should never be used for daily tasks
  • Disable unnecessary services -- Turn off Remote Desktop Protocol (RDP) if not needed. If required, protect it with a VPN and multi-factor authentication
  • Endpoint detection and response (EDR) -- Modern EDR tools can detect ransomware behavior patterns (mass file encryption, shadow copy deletion) and stop the attack in progress
  • Multi-factor authentication -- Require MFA for all remote access, admin accounts, and email. This defeats plain password theft, but push-based MFA can be worn down by repeated prompts and one-time codes can be relayed by adversary-in-the-middle phishing kits, so prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) for privileged and remote access
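
The two behaviours the EDR item singles out, shadow copy deletion and mass file encryption, can be checked with a few lines of Python over process-creation and file-rename telemetry. This is an added example for this page, not code from the original text or from any EDR product. The event schema (`process` and `rename` dicts carrying `host`, `pid`, `ts`, `command_line`, `old` and `new`) and the sample events are assumptions constructed for the demo; the command lines matched are ones ransomware families commonly run to destroy Volume Shadow Copies and disable Windows recovery before encrypting.

```python
"""Toy behavioural detections for two ransomware tells: recovery-tampering
commands and bursts of file renames to a new extension.

Added example for this page, not from the original text or any vendor.
The event schema and the sample events below are constructed for the demo.
"""
import os
import re
from collections import defaultdict

# Command lines commonly run before encryption so the victim cannot roll back.
RECOVERY_TAMPERING = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no\b", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def find_recovery_tampering(events):
    """Return [(host, command_line)] for process events matching a tampering pattern."""
    return [
        (ev["host"], ev["command_line"])
        for ev in events
        if ev["type"] == "process"
        and any(p.search(ev["command_line"]) for p in RECOVERY_TAMPERING)
    ]


def find_rename_bursts(events, window_s=10, threshold=20):
    """Return [(host, pid)] for processes that changed the extension of at
    least `threshold` files inside any `window_s`-second window.
    Implemented as a sliding window over sorted timestamps per (host, pid)."""
    times_by_proc = defaultdict(list)
    for ev in events:
        if ev["type"] != "rename":
            continue
        old_ext = os.path.splitext(ev["old"])[1].lower()
        new_ext = os.path.splitext(ev["new"])[1].lower()
        if old_ext != new_ext:  # ordinary saves keep the extension; encryptors change it
            times_by_proc[(ev["host"], ev["pid"])].append(ev["ts"])
    alerts = []
    for key, times in times_by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def sample_events():
    """Constructed sample telemetry (not real logs); ts is seconds since epoch."""
    return [
        # Ordinary activity: an installer renames a handful of files over a minute.
        *[{"type": "rename", "host": "ws-17", "pid": 1201, "ts": 1000 + i * 10,
           "old": f"C:/app/lib{i}.tmp", "new": f"C:/app/lib{i}.dll"} for i in range(5)],
        # Ransomware precursors: shadow copies and recovery options killed first.
        {"type": "process", "host": "ws-17", "pid": 4400, "ts": 1100,
         "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"type": "process", "host": "ws-17", "pid": 4401, "ts": 1101,
         "command_line": "bcdedit /set {default} recoveryenabled No"},
        # Benign admin command that must not fire.
        {"type": "process", "host": "ws-17", "pid": 4402, "ts": 1102,
         "command_line": "vssadmin.exe List Shadows"},
        # Encryption burst: one process renames 30 user files to .locked in ~3 seconds.
        *[{"type": "rename", "host": "ws-17", "pid": 4412, "ts": 1110 + i * 0.1,
           "old": f"C:/Users/ana/Documents/report{i}.docx",
           "new": f"C:/Users/ana/Documents/report{i}.docx.locked"} for i in range(30)],
    ]


if __name__ == "__main__":
    evs = sample_events()
    print("recovery tampering:", find_recovery_tampering(evs))
    print("rename bursts:", find_rename_bursts(evs))
```

The command-line rules are cheap and high-signal, but they fire after the intruder already has an interactive foothold, so treat them as a last-line tripwire rather than prevention. The rename heuristic is where tuning matters: the thresholds above let the installer through, while a looser window (say 60 seconds and 5 files) would flag it too, so calibrate against your own build, backup and archiving jobs before paging anyone.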

Backup Strategies Against Ransomware

Backups are your most powerful defense against ransomware -- but only if they are designed to survive an attack. Ransomware operators specifically target backups to eliminate your ability to recover without paying.

The 3-2-1 Rule

Maintain at least 3 copies of your data, on at least 2 different types of media, with at least 1 copy stored offsite or offline. For ransomware resilience, the offsite/offline copy is critical.

Air-Gapped and Immutable Backups

  • Air-gapped backups -- Backups stored on media that is physically disconnected from the network. An external hard drive that is only connected during backup operations and stored securely afterward
  • Immutable backups -- Backups stored in a way that prevents modification or deletion for a defined retention period. Many cloud providers offer immutable storage options (e.g., object lock)
  • Versioned backups -- Maintain multiple historical versions so you can restore from a point before the ransomware was deployed, even if you do not discover the attack immediately
⚠️
Test your backups regularly.

A backup that has never been tested is not a backup -- it is a hope. Perform regular restore tests to verify that your backup data is complete, uncorrupted, and that you can actually restore from it within an acceptable timeframe. Many organizations discover their backups are broken only when they desperately need them.
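
A restore test is only meaningful if you can prove the restored data matches what was backed up and was not already encrypted when the backup ran. The following is an added example for this page, not code from the original text or from any backup product: it records a SHA-256 manifest at backup time, then checks a restored tree for missing, altered, unexpected and likely-encrypted files. The sample files, paths, extension list and entropy threshold are constructed assumptions for the demo.

```python
"""Backup manifest: hash every file at backup time, then prove a test restore
is complete, unmodified and free of ransomware-encrypted content.

Added example for this page, not from the original text or any backup product.
The sample files, paths and the suspicious-extension list are constructed for the demo.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative only: real families use many extensions, so treat this as a hint, not a signature.
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; compressed or encrypted data sits near 8.0


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant byte string, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _relpaths(root):
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield str(p.relative_to(root)).replace(os.sep, "/"), p


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    return {rel: sha256_file(p) for rel, p in _relpaths(root)}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time."""
    problems = {"missing": [], "modified": [], "unexpected": [], "likely_encrypted": []}
    restored = dict(_relpaths(restored_root))
    for rel, digest in manifest.items():
        if rel not in restored:
            problems["missing"].append(rel)
        elif sha256_file(restored[rel]) != digest:
            problems["modified"].append(rel)
    for rel, p in restored.items():
        if rel not in manifest:
            problems["unexpected"].append(rel)
        # Ciphertext is near-random; combined with a ransom-style extension it is a strong tell
        # that this backup was taken after encryption started and must not be trusted.
        if p.suffix.lower() in SUSPICIOUS_EXTS and shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
            problems["likely_encrypted"].append(rel)
    return problems


def demo():
    """Build a tiny 'live' tree, take its manifest, then verify a clean and a tampered restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "plan.txt").write_text("Q3 plan: " + "expand the team; " * 100)
        (live / "docs" / "budget.csv").write_text("item,cost\nlaptop,1200\n" * 50)
        (live / "notes.md").write_text("# notes\n" * 100)

        manifest_path = Path(tmp, "manifest.json")  # store with the offline copy, not on the live server
        manifest_path.write_text(json.dumps(build_manifest(live)))
        manifest = json.loads(manifest_path.read_text())

        good = Path(tmp, "restore_good")
        shutil.copytree(live, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(live, bad)
        (bad / "notes.md").unlink()                                                 # lost file
        (bad / "docs" / "budget.csv").write_text("item,cost\nlaptop,9999\n" * 50)  # silently altered
        (bad / "docs" / "plan.txt.locked").write_bytes(os.urandom(4096))            # simulated ciphertext

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

Keep the manifest on the immutable or air-gapped copy rather than on the system being backed up; an intruder who has spent weeks in the network and can rewrite your backups can just as easily rewrite a manifest stored beside them. The entropy check is a heuristic: legitimately compressed or encrypted archives also score near 8.0, which is why it is gated on a ransom-style extension here and should be paired with the restore timing (does this snapshot predate the first alert?) in practice.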

Incident Response Steps

If ransomware strikes, a structured response minimizes damage and improves your chances of recovery. Every minute counts in the early stages.

  • Isolate immediately -- Disconnect infected systems from the network: unplug network cables, disable Wi-Fi, or use your EDR platform's host-isolation feature. Prefer not to power systems off, since volatile evidence (running processes, in-memory keys that some free decryptors depend on, live network connections) is lost. The exception is a host where encryption is visibly in progress and cannot be isolated within seconds; there, pulling the power stops further damage at the cost of that evidence
  • Identify the scope -- Determine which systems and data are affected. Check network shares, cloud storage, and connected backup systems
  • Preserve evidence -- Take screenshots of ransom notes, document affected file extensions, and preserve system logs. This information helps identify the ransomware variant and may aid law enforcement
  • Identify the variant -- Upload a ransom note or encrypted file sample to ID Ransomware (id-ransomware.malwarehunterteam.com) to identify the specific ransomware family, then check the No More Ransom project (nomoreransom.org) for a free decryptor. Decryptors exist only for families with implementation flaws, so do not count on one, and never run a "decryptor" obtained from an untrusted source
  • Report to authorities -- Contact law enforcement (FBI's IC3 in the US, Action Fraud in the UK, or your national equivalent). They may have intelligence on the specific threat actor
  • Assess backup integrity -- Before restoring, verify that your backups are clean and were not compromised. Ransomware operators often lurk in networks for weeks before encrypting
  • Restore and rebuild -- Restore systems from clean backups. Rebuild any systems that cannot be verified as clean. Change all credentials before bringing systems back online

Should You Pay the Ransom?

The question of whether to pay is one of the most difficult decisions a ransomware victim faces. There are strong arguments on both sides, and no universally correct answer.

Arguments Against Paying

  • No guarantee of recovery -- Paying does not guarantee you will receive a working decryption key. Some victims pay and receive nothing, or receive a buggy decryptor that corrupts files
  • Funds criminal enterprise -- Every ransom payment finances the development of more sophisticated attacks and encourages more criminals to enter the ransomware business
  • Marks you as a target -- Paying once signals that you are willing to pay, making you a target for repeat attacks by the same group or others
  • Potential legal issues -- In some jurisdictions, paying ransoms to sanctioned entities is illegal and can result in fines. The US Treasury's OFAC has warned that paying a group on its sanctions list can violate sanctions law even if the victim did not know who was behind the attack, which is one reason to involve counsel before any payment

Arguments for Paying

  • Business survival -- When backups are destroyed and the alternative is permanent data loss or business closure, paying may be the only practical option
  • Cost comparison -- The cost of extended downtime, lost revenue, and rebuilding from scratch may far exceed the ransom amount
  • Life safety -- When hospitals or critical infrastructure are affected and lives are at stake, the moral calculus changes
💡
The best time to decide is before an attack.

Develop an incident response plan that includes your organization's position on ransom payments, who has authority to make the decision, and what thresholds or criteria apply. Making this decision during a crisis, under time pressure, leads to worse outcomes.

Summary

Ransomware is one of the most impactful cyber threats today, but it is also one of the most preventable with proper preparation.

  • Ransomware encrypts your files and demands payment for the decryption key, with modern variants also stealing data for double extortion
  • Attacks follow a predictable lifecycle -- initial access, lateral movement, data exfiltration, then encryption
  • Major incidents like WannaCry and Colonial Pipeline demonstrate that ransomware can impact critical infrastructure and daily life
  • Prevention requires layers -- patching, email security, network segmentation, least privilege, MFA, and EDR
  • Backups are your strongest defense -- but they must be air-gapped or immutable, versioned, and regularly tested
  • Incident response should be planned in advance: isolate, identify, preserve evidence, check for free decryptors, and restore from clean backups
  • The ransom payment decision should be made before an attack occurs, as part of your incident response plan
🎉
Preparation defeats ransomware.

The organizations that recover from ransomware quickly and without paying are the ones that invested in prevention, maintained tested backups, and had an incident response plan ready before the attack happened. Start building your defenses today.