What Is Ransomware? How It Works, Major Attacks, and Prevention

A thorough explanation of ransomware — the malware that encrypts your files and demands payment. Learn how attacks unfold, notable incidents, and how organizations and individuals can protect themselves.

The InfoNexus Editorial Team | May 3, 2025 | 9 min read

What Is Ransomware?

Ransomware is a category of malicious software (malware) designed to deny a victim access to their own data — typically by encrypting files on a computer or network — and then demanding a ransom payment in exchange for the decryption key. First documented in 1989 with the "AIDS Trojan" distributed via floppy disks, ransomware has evolved into one of the most financially destructive forms of cybercrime. Global ransomware damages exceeded an estimated $20 billion in 2024, affecting hospitals, schools, governments, and corporations on every continent.

How a Ransomware Attack Works

While specific variants differ in technical detail, most ransomware attacks follow a predictable sequence:

  1. Initial access — The attacker gains entry through phishing emails (the most common vector), exploiting unpatched software vulnerabilities, brute-forcing remote desktop protocol (RDP) credentials, or compromising a supply chain vendor.
  2. Lateral movement — Once inside the network, the attacker moves across systems, escalates privileges, and identifies high-value targets such as file servers, databases, and backup systems.
  3. Data exfiltration — In modern "double extortion" attacks, sensitive data is copied out of the network before encryption begins, giving the attacker additional leverage.
  4. Encryption — The ransomware payload encrypts files using strong cryptographic algorithms (typically AES-256 for speed, with the AES key itself encrypted via RSA-2048). Encrypted files are rendered completely unreadable.
  5. Ransom demand — A ransom note appears, directing the victim to a payment portal — almost always demanding cryptocurrency (usually Bitcoin or Monero) to complicate tracing.

Types of Ransomware

Type | How It Works
Crypto ransomware | Encrypts files; demands payment for the decryption key. The dominant form today.
Locker ransomware | Locks the user out of the device entirely (locks the screen) without encrypting individual files.
Double extortion | Encrypts files and threatens to publish stolen data if the ransom is not paid.
Triple extortion | Adds a third pressure, such as DDoS attacks against the victim or contacting the victim's customers/partners.
Ransomware-as-a-Service (RaaS) | Operators provide ransomware tools to affiliates in exchange for a percentage of each ransom payment, lowering the barrier to entry.

Notable Ransomware Attacks

Attack | Year | Impact
WannaCry | 2017 | Infected 230,000+ computers in 150 countries; crippled the UK's National Health Service
NotPetya | 2017 | Caused over $10 billion in damages; hit Maersk, Merck, and FedEx; originated from a Ukrainian tax software update
Colonial Pipeline | 2021 | Shut down the largest fuel pipeline in the U.S. for six days; $4.4 million ransom paid (most later recovered by the FBI)
Kaseya VSA | 2021 | Supply-chain attack through IT management software; affected up to 1,500 businesses worldwide
MOVEit | 2023 | Exploited a zero-day vulnerability in file transfer software; compromised data from 2,600+ organizations

Who Is Behind Ransomware?

The ransomware ecosystem is dominated by organized cybercriminal groups, many operating from jurisdictions with limited law enforcement cooperation. Groups like LockBit, BlackCat (ALPHV), and Cl0p function as sophisticated enterprises with customer support portals, negotiation teams, and affiliate programs. Some groups have suspected ties to nation-state intelligence agencies, though the primary motivation is almost always financial.

Prevention and Defense

No single measure eliminates ransomware risk, but a layered defense significantly reduces it:

  • Backups — Maintain offline or immutable backups tested regularly. The 3-2-1 rule (3 copies, 2 media types, 1 offsite) remains the gold standard.
  • Patching — Apply security updates promptly. Many major ransomware campaigns exploit vulnerabilities for which patches were available months earlier.
  • Email security — Deploy advanced email filtering, disable macros by default, and train employees to recognize phishing.
  • Multi-factor authentication (MFA) — Require MFA on all remote access points, especially RDP and VPN.
  • Network segmentation — Limit lateral movement by isolating critical systems so a single compromised endpoint cannot reach the entire network.
  • Endpoint detection and response (EDR) — Modern EDR tools can detect ransomware behavior patterns (rapid file encryption) and halt the process before widespread damage occurs.
  • Incident response plan — Have a tested plan that includes communication protocols, legal contacts, and decision criteria for ransom payment.
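The "rapid file encryption" pattern that the EDR bullet above refers to can be approximated with a simple behavioural rule: one process rewriting many files with near-random content and changed extensions in a short window. The following is an added illustration, not code from this article or from any EDR product; the event format, the entropy and rate thresholds, and the telemetry are all constructed assumptions.

```python
import math
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # sliding window length (assumed threshold)
MIN_FILES = 5            # suspicious rewrites inside the window (assumed)
ENTROPY_THRESHOLD = 7.0  # bits/byte; ciphertext nears 8.0, prose stays ~4-5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(ev: dict) -> bool:
    """A write is suspicious when the content is near-random and the extension changed."""
    return ev["old_ext"] != ev["new_ext"] and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD

def detect_mass_encryption(events: list) -> dict:
    """Return {pid: time of first alert} for processes that rewrite MIN_FILES
    or more files with encrypted-looking content inside WINDOW_SECONDS."""
    recent = defaultdict(deque)  # pid -> timestamps of recent suspicious writes
    alerts = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if not looks_encrypted(ev):
            continue
        q = recent[ev["pid"]]
        q.append(ev["t"])
        while ev["t"] - q[0] > WINDOW_SECONDS:  # drop writes older than the window
            q.popleft()
        if len(q) >= MIN_FILES and ev["pid"] not in alerts:
            alerts[ev["pid"]] = ev["t"]
    return alerts

def sample_events() -> list:
    """Constructed telemetry: pid 4242 rewrites six .docx files as .locked with
    pseudo-random bytes in 2.5 s; pid 1001 (a word processor) saves plain text."""
    rng = random.Random(7)
    evs = [{"t": 100.0 + i * 0.5, "pid": 4242, "old_ext": ".docx", "new_ext": ".locked",
            "data": bytes(rng.getrandbits(8) for _ in range(4096))} for i in range(6)]
    evs += [{"t": 100.0 + i * 0.5, "pid": 1001, "old_ext": ".docx", "new_ext": ".docx",
             "data": b"Quarterly report draft. " * 170} for i in range(6)]
    return evs

if __name__ == "__main__":
    print(detect_mass_encryption(sample_events()))  # {4242: 102.0}
```

A rule this simple will also fire on legitimate tools that produce high-entropy output with a new extension, such as an archiver writing .zip files, so production detections add process reputation, file-type checks and allow-lists on top of it.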

Should You Pay the Ransom?

Law enforcement agencies including the FBI and Europol advise against paying ransoms, as payment funds criminal operations and provides no guarantee of data recovery. Studies indicate that roughly 80 percent of organizations that pay are targeted again. However, some victims — particularly hospitals and critical infrastructure operators — face situations where the cost of downtime dwarfs the ransom amount, creating painful dilemmas.

The consensus among cybersecurity professionals is clear: prevention and preparedness are far more effective than negotiation after the fact.
