What Is Ransomware? How It Works and How to Protect Yourself
Learn what ransomware is, how attacks work, the main types including double extortion, and practical steps to defend against this growing threat.
Ransomware is malicious software that blocks access to your files or systems until you pay a ransom. Attackers encrypt your data and demand payment—usually in cryptocurrency—for the decryption key. Refuse to pay and your files stay locked, or worse, get leaked publicly.
It's one of the most financially damaging cyberattacks facing organizations today. The average ransomware incident now costs $5.08 million, and tracking sites expect 7,000 victims to appear on leak sites by the end of 2026—a fivefold increase since 2020.
TL;DR
- What it is: Malware that encrypts your files and demands payment for their return
- Why it matters: Average costs exceed $5 million per incident; attacks increased 23% in 2025
- Key takeaway: Offline backups and multi-factor authentication are your best defenses
How Ransomware Works
A ransomware attack typically follows a predictable sequence:
1. Initial Access: Attackers get into your network through phishing emails, compromised credentials, or exploited vulnerabilities. Remote desktop services (RDP) exposed to the internet are a common entry point—we've covered how brute force tools on dark web forums specifically target these services.
2. Lateral Movement: Once inside, attackers spend time mapping your network. They identify valuable data, backup systems, and domain controllers. The median dwell time before ransomware deployment is six days. That's nearly a week of activity before the actual encryption begins.
3. Data Exfiltration: Most modern ransomware groups steal your data before encrypting it. In 96% of ransomware cases, attackers exfiltrate data to use as additional leverage.
4. Encryption: The ransomware encrypts files across the network. You'll typically see a ransom note with payment instructions and a countdown timer.
5. Extortion: You're given a deadline to pay. Miss it, and the price increases—or your stolen data gets published on leak sites.
Types of Ransomware Attacks
Ransomware has evolved well beyond simple file encryption.
Single Extortion (Traditional)
The original model: encrypt files, demand payment, provide decryption key. WannaCry and CryptoLocker used this approach. It's largely obsolete because organizations can often restore from backups.
Double Extortion
Attackers encrypt your data and threaten to publish it. This emerged around 2019 with Maze and REvil. Even if you restore from backups, sensitive data exposure remains a threat. This is now the dominant model.
Triple Extortion
Beyond encryption and data leaks, attackers add a third pressure point. This might mean DDoS attacks against your infrastructure, contacting your customers directly, or targeting business partners. AvosLocker and similar groups use DDoS threats alongside traditional extortion.
Quadruple Extortion
Some groups now target your business ecosystem. When hardware supplier Quanta refused to pay REvil, the group turned to Apple—one of Quanta's major clients—with demands.
Major Ransomware Groups in 2026
The ransomware ecosystem is crowded and competitive. Current leaders include:
Qilin leads victim counts. The Russian-linked group operates a ransomware-as-a-service model and has hit over 1,000 victims. Healthcare is a particular focus—we've tracked their attacks on multiple medical organizations and the Covenant Health breach that exposed 478,000 patient records.
LockBit remains active despite repeated law enforcement takedowns. Operation Cronos seized infrastructure in February 2024, but LockBit5 emerged shortly after. The group claimed 53 victims in a single day during the December holiday period.
Cl0p specializes in mass exploitation of zero-day vulnerabilities, particularly in file transfer applications.
Akira and Sinobi round out the top five most active operations.
How Organizations Get Infected
Understanding infection vectors helps prioritize defenses:
Phishing remains the top entry point. A convincing email with a malicious attachment or link can bypass technical controls entirely.
Exposed RDP and remote services. Internet-facing remote access without proper protection is an invitation.
Software vulnerabilities. Unpatched systems, especially edge devices like VPNs and firewalls, provide reliable entry. Recent Fortinet and Ivanti vulnerabilities were exploited by ransomware groups within days of disclosure.
Compromised credentials. Stolen passwords from previous breaches get tested across corporate systems.
Supply chain attacks. Compromising managed service providers or software updates reaches multiple victims simultaneously.
How to Protect Against Ransomware
CISA's #StopRansomware guidance provides the foundation for defense. Here's what actually matters:
Backups Are Non-Negotiable
Maintain offline, encrypted backups that ransomware can't reach. Test them regularly. Many organizations discover their backups are useless only during a real incident.
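The restore test this paragraph asks for can be made routine with a hash manifest recorded when the backup is taken and checked against every restore. The following is an added example, not code from the article or from CISA's guidance; the directory layout, file contents, the `.locked` suffix and the tampering scenario are all constructed for the demo:

```python
"""Backup restore verification with a hash manifest.
Added example, not code from the article or from CISA's guidance: the
directory layout, file contents and tampering scenario are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every file under root (relative POSIX path -> SHA-256).
    Store this manifest with the offline backup, never only on the live host."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.
    'unexpected' catches files that should not exist in a clean restore,
    such as ransom notes or renamed ciphertext copies."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    modified = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    unexpected = sorted(set(actual) - set(manifest))
    return {"ok": not (missing or modified or unexpected),
            "missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: back up two files, verify a clean restore, then
    verify a backup copy that ransomware reached over the network (one file
    overwritten with ciphertext-like bytes, one renamed, a ransom note added)."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        live = work / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.xlsx").write_bytes(b"quarterly numbers")
        (live / "notes.txt").write_bytes(b"meeting notes")
        manifest = build_manifest(live)

        good = work / "backup_clean"
        shutil.copytree(live, good)
        clean = verify_restore(good, manifest)

        hit = work / "backup_hit"
        shutil.copytree(live, hit)
        (hit / "finance" / "q1.xlsx").write_bytes(bytes(range(64)))  # overwritten in place
        (hit / "notes.txt").rename(hit / "notes.txt.locked")          # renamed ciphertext copy
        (hit / "README_TO_RESTORE.txt").write_bytes(b"constructed ransom note")
        tampered = verify_restore(hit, manifest)

        return {"manifest_entries": len(manifest), "clean": clean, "tampered": tampered}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only useful if it lives with the offline copy: a manifest stored on the same network share as the backup can be encrypted or deleted in the same run, which is the "backups are useless" discovery the paragraph warns about. The `unexpected` list is the signal that a network-reachable backup was touched, since ransomware leaves notes and renamed copies behind even when the originals look intact.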
Multi-Factor Authentication Everywhere
MFA on remote access, email, and administrative accounts stops most credential-based attacks. This single control prevents a significant portion of ransomware intrusions.
Patch Quickly, Especially Edge Devices
VPNs, firewalls, and remote access gateways face constant scanning. When vulnerabilities drop, you have days—not weeks—before exploitation begins.
Segment Your Network
Flat networks let attackers move freely. Segmentation limits blast radius when initial compromise happens.
Email Filtering and User Training
Block executable attachments. Train users to recognize phishing. Neither is foolproof, but together they reduce successful social engineering.
Endpoint Detection and Response
EDR tools can catch ransomware deployment and lateral movement. Centralized management helps security teams respond before encryption completes.
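As an added illustration of the behavioural signals an EDR looks for at this stage (not the article's code nor any vendor's product), the toy detector below runs over constructed endpoint file-event lines in a made-up pipe-separated format and flags two patterns that show up before encryption completes: one process renaming many files to a single new extension inside a short window, and the same ransom-note-like filename being dropped across several directories. The pids, image names, the `.lkd` extension, the thresholds and the log format are all assumptions made for the demo.

```python
"""Toy EDR-style detector over endpoint file-event logs.
Added example, not the article's or any vendor's code. Log format, sample
events, extension and thresholds are constructed for the demo."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # burst window for extension-changing renames
RENAME_THRESHOLD = 5             # renames with a new extension inside WINDOW
NOTE_DIR_THRESHOLD = 3           # same note name dropped in this many directories
NOTE_PATTERN = re.compile(r"(readme|restore|decrypt|recover).*\.(txt|html|hta)$", re.I)

# Constructed sample log: timestamp|pid|image|op|path[|new_path for RENAME]
SAMPLE_LOG = r"""
2026-01-20T09:00:01|4120|WINWORD.EXE|WRITE|C:\Users\ann\Documents\q1.docx
2026-01-20T09:00:02|4120|WINWORD.EXE|RENAME|C:\Users\ann\Documents\~tmp1.tmp|C:\Users\ann\Documents\q1.docx
2026-01-20T09:00:10|7712|updater.exe|RENAME|C:\Program Files\App\new.bin|C:\Program Files\App\app.dll
2026-01-20T09:05:00|9980|svch0st.exe|CREATE|C:\Users\ann\Documents\README_RESTORE.txt
2026-01-20T09:05:01|9980|svch0st.exe|RENAME|C:\Users\ann\Documents\q1.docx|C:\Users\ann\Documents\q1.docx.lkd
2026-01-20T09:05:02|9980|svch0st.exe|RENAME|C:\Users\ann\Documents\budget.xlsx|C:\Users\ann\Documents\budget.xlsx.lkd
2026-01-20T09:05:03|9980|svch0st.exe|RENAME|C:\Users\ann\Pictures\team.jpg|C:\Users\ann\Pictures\team.jpg.lkd
2026-01-20T09:05:03|9980|svch0st.exe|CREATE|C:\Users\ann\Pictures\README_RESTORE.txt
2026-01-20T09:05:04|9980|svch0st.exe|RENAME|C:\Shares\finance\ledger.csv|C:\Shares\finance\ledger.csv.lkd
2026-01-20T09:05:05|9980|svch0st.exe|RENAME|C:\Shares\finance\payroll.pdf|C:\Shares\finance\payroll.pdf.lkd
2026-01-20T09:05:06|9980|svch0st.exe|CREATE|C:\Shares\finance\README_RESTORE.txt
"""


def parse_line(line: str) -> dict:
    ts, pid, image, op, *paths = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image, "op": op, "paths": paths}


def _name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _dir(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[0]


def _ext(path: str) -> str:
    name = _name(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines) -> list:
    """Return one alert per (process, rule) that fires over the given log lines."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    alerts = []
    for pid, evs in by_pid.items():
        image = evs[0]["image"]

        # Rule 1: burst of renames that all change the extension to one new suffix.
        renames = [e for e in evs if e["op"] == "RENAME"
                   and _ext(e["paths"][0]) != _ext(e["paths"][1])]
        for i, first in enumerate(renames):
            window = [r for r in renames[i:] if r["ts"] - first["ts"] <= WINDOW]
            if len(window) >= RENAME_THRESHOLD:
                new_ext, n = Counter(_ext(r["paths"][1]) for r in window).most_common(1)[0]
                if n / len(window) >= 0.8:   # one dominant target extension
                    alerts.append({"pid": pid, "image": image, "rule": "mass_rename",
                                   "detail": f"{n} files renamed to .{new_ext} within {WINDOW.seconds}s"})
                    break

        # Rule 2: the same ransom-note-like filename created in many directories.
        notes = defaultdict(set)
        for e in evs:
            if e["op"] == "CREATE" and NOTE_PATTERN.search(_name(e["paths"][0])):
                notes[_name(e["paths"][0]).lower()].add(_dir(e["paths"][0]))
        for name, dirs in notes.items():
            if len(dirs) >= NOTE_DIR_THRESHOLD:
                alerts.append({"pid": pid, "image": image, "rule": "ransom_note",
                               "detail": f"'{name}' dropped in {len(dirs)} directories"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

The benign renames (an Office save-to-temp swap and an updater replacing a binary) stay under the threshold and produce nothing; only the process touching user documents and the file share trips both rules. The thresholds are tuning knobs, not constants from any product: a real agent sees these events from a kernel file-system filter rather than a text log, and the point of centralized management is that an alert like `mass_rename` can trigger host isolation before the rename count reaches the thousands.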
What to Do If You're Hit
If ransomware encrypts your systems:
- Isolate affected systems to prevent spread
- Don't pay immediately—payment doesn't guarantee recovery and funds criminal operations
- Report to authorities—FBI's IC3 and CISA's reporting portal help track threat actors
- Check for decryptors—No More Ransom and similar projects have free tools for some variants
- Engage incident response—professional help can determine attack scope and recovery options
The decision to pay is complex and depends on your specific situation. Only about 41% of organizations successfully blocked ransomware with existing defenses in recent studies. Recovery without payment is possible but often lengthy and expensive.
The Ransomware Business Model
Modern ransomware operates like a criminal franchise. Ransomware-as-a-service (RaaS) groups develop the malware and infrastructure, then recruit affiliates to conduct actual attacks. Affiliates keep a percentage of ransoms—typically 70-80%.
This model is why ransomware has scaled so dramatically. Technical barriers dropped when groups started licensing their tools. Anyone with hacking skills can become a ransomware affiliate; they don't need to develop their own encryption software.
For a deeper look at how these groups pressure victims psychologically, see our coverage of ransomware extortion tactics.
Frequently Asked Questions
Should you pay the ransom? No organization recommends paying, but the decision depends on circumstances. Even with payment, only about 65% of data gets recovered on average. Payment also funds future attacks and may violate sanctions if the group is connected to sanctioned entities.
Can ransomware spread to backups? Yes, if backups are network-connected. Modern ransomware specifically targets backup systems. This is why offline, air-gapped backups are essential.
Are Macs and Linux systems immune? No. While Windows remains the primary target, ransomware variants exist for macOS and Linux. Cloud environments and virtual machines are also targeted.