
What is Ransomware?

How ransomware attacks work, what happens when you're hit, and what you can do to protect your organization.

Last updated: January 2025 · 12 min read

What is Ransomware?

Ransomware is a type of malicious software (malware) that encrypts a victim's files or locks them out of their systems, then demands payment—usually in cryptocurrency—in exchange for restoring access. It's one of the most damaging and profitable forms of cybercrime, causing billions of dollars in losses annually.

Modern ransomware attacks often combine encryption with data theft, a tactic called "double extortion." Attackers threaten to publish stolen data if the ransom isn't paid, adding pressure beyond just losing access to files.

Key Statistic

The average ransomware payment in 2024 exceeded $1.5 million, with total damages including downtime, recovery, and reputational harm often reaching 10x the ransom amount.

How Ransomware Works

A typical ransomware attack follows these stages:

  1. Initial Access — Attackers gain entry through phishing emails, exploited vulnerabilities, stolen credentials, or compromised remote access tools.
  2. Reconnaissance & Lateral Movement — Once inside, attackers explore the network, escalate privileges, and identify valuable data and systems.
  3. Data Exfiltration — Before encrypting, attackers often steal sensitive data to use as additional leverage.
  4. Deployment & Encryption — Ransomware is deployed across systems, encrypting files with strong cryptographic algorithms.
  5. Ransom Demand — Victims receive a ransom note with payment instructions, usually demanding Bitcoin or Monero.

Types of Ransomware

Crypto Ransomware

Encrypts files, making them inaccessible. This is the most common type. Examples: LockBit, Akira, BlackCat/ALPHV.

Locker Ransomware

Locks users out of their device entirely without encrypting files. Less common in enterprise attacks.

Double Extortion

Combines encryption with data theft. Attackers threaten to leak stolen data if ransom isn't paid, even if victims restore from backups.

Ransomware-as-a-Service (RaaS)

Criminal business model where ransomware developers rent their tools to affiliates who carry out attacks, splitting profits. Most major ransomware operates this way.

Common Attack Vectors

Ransomware enters organizations through several common pathways:

  • Phishing emails — Malicious attachments or links remain the top delivery method
  • Exploited vulnerabilities — Unpatched software, especially VPNs and remote access tools
  • Compromised credentials — Stolen or weak passwords, often purchased from dark web markets
  • Remote Desktop Protocol (RDP) — Exposed or poorly secured RDP is frequently targeted
  • Supply chain attacks — Compromising software vendors or managed service providers

For real examples of phishing tactics, see our Phishing Email Examples guide.

How to Prevent Ransomware

Prevention requires a layered defense strategy:

  1. Maintain Offline Backups — Keep regular backups offline or in immutable storage. Test restoration procedures.
  2. Patch Promptly — Apply security updates quickly, especially for internet-facing systems and known exploited vulnerabilities.
  3. Enable MFA Everywhere — Multi-factor authentication blocks most credential-based attacks. Prioritize email, VPN, and admin accounts.
  4. Segment Your Network — Limit lateral movement by segmenting critical systems and restricting access between zones.
  5. Train Your People — Regular security awareness training helps employees recognize phishing and social engineering.
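"Test restoration procedures" only means something if the test checks content, not just that files exist. The script below is an added example (not part of this guide or any product it describes) of one way to do that: record a SHA-256 manifest of the live data when the backup is taken, then compare a restored copy against it and report files that are missing, altered, or unexpected. The file names and the simulated damage in the demo are constructed for illustration.

```python
"""Backup restore verification: build a hash manifest of the live data set at
backup time and check a restored copy against it before declaring a restore
test passed. Added example; not code from the original guide."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time."""
    result = {"ok": [], "missing": [], "mismatched": [], "unexpected": []}
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["mismatched"].append(rel)   # content changed: corruption, encryption, tampering
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    return result


def run_demo() -> dict:
    """Constructed scenario: back up three files, 'restore' them, then overwrite one
    file and delete another in the restored copy to show what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "docs").mkdir(parents=True)
        (src / "payroll.csv").write_bytes(b"id,name,amount\n1,alice,100\n")
        (src / "docs" / "policy.txt").write_bytes(b"Retention: 7 years\n")
        (src / "docs" / "contract.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")

        manifest = build_manifest(src)          # captured when the backup is taken

        restored = Path(tmp) / "restore_test"
        shutil.copytree(src, restored)          # stands in for restoring from backup media
        # Simulated damage: one file overwritten with junk bytes, one file missing.
        (restored / "payroll.csv").write_bytes(b"\x8f\x13 not the original bytes")
        (restored / "docs" / "contract.pdf").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for key, files in run_demo().items():
        print(f"{key:>10}: {files}")
```

Store the manifest with the backup but sign or hash it separately (for example, on the immutable storage tier), so an attacker who can rewrite the backup cannot also rewrite the record you verify it against.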

What to Do If You're Attacked

Immediate Response Steps

  1. Isolate affected systems immediately—disconnect from network but don't power off
  2. Activate your incident response plan and contact your IR team or provider
  3. Preserve evidence for forensic analysis and potential law enforcement involvement
  4. Identify the ransomware variant—check ransom notes and file extensions
  5. Report to law enforcement (FBI IC3 in the US, Action Fraud in the UK)
  6. Check No More Ransom (nomoreransom.org) for free decryptors
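Step 4 (identify the variant from ransom notes and file extensions) is usually done by hand on a single host, but the same checks can be scripted to inventory a whole tree. The script below is an added example, not part of this guide: it walks a directory, flags files whose name and text read like a ransom note, counts extensions so an appended extension stands out, and measures byte entropy to spot files whose contents are now effectively random (a common sign of encryption). The name and text keywords, the entropy threshold, and the sample files are assumptions constructed for illustration; they are not signatures of any ransomware family, and a hit here is a lead for the IR team, not a verdict.

```python
"""Post-incident triage helper for the 'identify the variant' step: inventory a
directory tree for ransom-note-like files, unusual extensions and high-entropy
(likely encrypted) contents. Added example, not code from the guide; the hints
and thresholds below are assumed heuristics, not signatures."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristics: words commonly seen in note file names and contents.
NOTE_NAME_HINTS = ("readme", "recover", "restore", "decrypt", "how_to", "help")
NOTE_TEXT_HINTS = ("encrypted", "decrypt", "bitcoin", "monero", "tor", ".onion", "payment")
# Formats that are compressed/encrypted by design and are expected to be high entropy.
BENIGN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".mp4"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and random data approach 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_note(path: Path) -> bool:
    """True when both the file name and at least two content keywords match."""
    if path.suffix.lower() not in (".txt", ".html", ".hta", ""):
        return False
    if not any(h in path.name.lower() for h in NOTE_NAME_HINTS):
        return False
    text = path.read_bytes()[:SAMPLE_BYTES].decode("utf-8", errors="ignore").lower()
    return sum(h in text for h in NOTE_TEXT_HINTS) >= 2


def triage(root: Path) -> dict:
    """Return suspected notes, high-entropy files and an extension histogram."""
    notes, high_entropy, ext_counts = [], [], Counter()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root)).replace(os.sep, "/")
        if looks_like_note(p):
            notes.append(rel)
            continue
        ext = p.suffix.lower()
        ext_counts[ext] += 1          # an appended extension shows up as a new bucket
        if ext in BENIGN_HIGH_ENTROPY:
            continue                  # expected to be dense; skip to avoid false positives
        with p.open("rb") as f:
            sample = f.read(SAMPLE_BYTES)
        if shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            high_entropy.append(rel)
    return {"notes": notes, "high_entropy": high_entropy, "ext_counts": dict(ext_counts)}


def run_demo() -> dict:
    """Constructed sample tree: one note, one 'encrypted' document, a JPEG and two plain files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        # bytes(range(256)) * 16 has exactly 8.0 bits/byte: a deterministic stand-in for ciphertext.
        (root / "finance" / "report.docx.locked").write_bytes(bytes(range(256)) * 16)
        (root / "photo.jpg").write_bytes(bytes(range(256)) * 16)   # dense but benign by type
        (root / "notes.txt").write_bytes(b"Meeting at 10. Bring the Q3 numbers.\n")
        (root / "readme.txt").write_bytes(b"Project readme. Build with make.\n")
        (root / "RECOVER-FILES.txt").write_bytes(
            b"Your files are encrypted. To decrypt them pay in bitcoin via our .onion site.\n")
        return triage(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against a copy or a read-only mount of the affected volume, not the live host, so the triage itself does not alter timestamps the forensic team will want; the extension histogram plus the note text is usually enough to match the variant on No More Ransom.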

Paying the ransom is generally discouraged by law enforcement and security experts. Payment doesn't guarantee data recovery and funds criminal operations. However, each organization must weigh its specific circumstances with legal and executive leadership.

Frequently Asked Questions

Should I pay the ransom?

Most experts and law enforcement advise against paying. Payment doesn't guarantee recovery, may violate sanctions laws if the group is designated, and funds future attacks. That said, some organizations in critical situations may feel they have no choice.

Can encrypted files be recovered without paying?

Sometimes. Check nomoreransom.org for free decryptors. Some ransomware has flaws that allow decryption. Otherwise, recovery depends on having clean backups.

How long does recovery take?

Full recovery typically takes weeks to months. Even with backups, rebuilding systems, verifying data integrity, and hardening defenses is time-consuming.

Are small businesses targeted?

Yes. While headlines focus on big targets, small businesses are attacked constantly because they often have weaker defenses. Many ransomware groups use automated scanning to find vulnerable targets of any size.
