Beginner Summary
Ransomware encrypts your files, making them completely inaccessible, then demands payment to restore them. Attacks have paralyzed hospitals, schools, and cities. Here's exactly how they work and what you can do to protect yourself.
Table of Contents
- What ransomware is
- How ransomware gets into systems
- The attack lifecycle, step by step
- Real-world examples
- Should victims pay the ransom?
- How to protect yourself
- FAQ
What Ransomware Is
Ransomware is a type of malware that encrypts the victim's files using strong cryptography, the same mathematical principles used to secure online banking. Once encrypted, files are completely inaccessible without the decryption key, which only the attacker holds.
Then comes the ransom note: a message demanding payment, usually in Bitcoin or Monero, in exchange for the key. The amounts range from a few hundred dollars for individuals to tens of millions for large corporations.
What makes ransomware particularly devastating:
- The encryption is mathematically sound: without the key, files cannot be recovered
- Modern ransomware attacks are often double-extortion: attackers steal data before encrypting it, and threaten to publish it if you don't pay
- Ransomware spreads automatically across networks once it's inside
- Backups can be targeted too: ransomware often specifically seeks out and destroys backup files
How Ransomware Gets into Systems
Ransomware is delivered through several primary vectors:
- Phishing emails: the most common method. A malicious attachment or link delivers the ransomware. Read: What is Phishing?
- Remote Desktop Protocol (RDP) vulnerabilities: exposed RDP ports with weak passwords are a major entry point for attacks targeting businesses
- Software vulnerabilities: unpatched systems can be exploited without any user interaction
- Malicious downloads: pirated software, cracked games and unofficial installers often bundle ransomware
- Supply chain attacks: compromising legitimate software that organizations trust. See: Inside a Supply Chain Attack
The Attack Lifecycle, Step by Step
Step 1: Initial Access
The attacker gains a foothold. For individuals, this is typically via phishing. For organizations, it's often an exposed server or a phishing email that compromises one employee's credentials.
Step 2: Establishing Persistence
Before deploying ransomware, sophisticated attackers establish persistent access: creating backdoors, adding new admin accounts, and ensuring they can return even if the initial entry point is closed.
Step 3: Reconnaissance Inside the Network
In targeted attacks on organizations, attackers spend days or weeks exploring the network they've infiltrated. They map the network, find critical systems, identify backup locations, and understand the full scope of what they can encrypt.
The average time between initial intrusion and ransomware deployment in corporate attacks is 24 days, according to Mandiant research. The victim often has no idea.
Step 4: Stealing Data (Double Extortion)
Modern ransomware groups first exfiltrate sensitive data such as employee records, customer information, financial data and intellectual property. This gives them a second lever: "Pay, or we publish everything."
Step 5: Destroying Backups
Before deploying ransomware, attackers specifically hunt for and destroy backup files and shadow copies. This removes the victim's obvious recovery option, increasing pressure to pay.
Step 6: Deploying the Ransomware
With preparation complete, the attacker deploys the ransomware, often timed for maximum impact (Friday afternoon, a holiday weekend, the middle of the night).
The ransomware spreads rapidly across the network, encrypting files on every connected device. In large organizations, thousands of computers can be encrypted in minutes.
Step 7: The Ransom Note
Every encrypted folder contains a text file with instructions: how to contact the attackers, how much to pay, a deadline, and sometimes a threat to publish stolen data. Many modern ransomware groups have professional-looking "customer service" portals on the dark web.
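Steps 5 to 7 leave traces a defender can look for on the endpoint. The following added example (mine, not code from the original article; the event format, host names and file paths are constructed) runs a simple detector over constructed endpoint events and flags shadow-copy deletion, a burst of renames to one new extension, and the same note file appearing in many folders.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not real logs: (timestamp_s, host, kind, detail).
SAMPLE_EVENTS = [
    (100, "ws01", "process", "vssadmin.exe delete shadows /all"),                        # step 5
    (160, "ws01", "file_rename", r"C:\Users\bob\Docs\q1.xlsx -> C:\Users\bob\Docs\q1.xlsx.locked"),
    (161, "ws01", "file_rename", r"C:\Users\bob\Docs\q2.xlsx -> C:\Users\bob\Docs\q2.xlsx.locked"),
    (162, "ws01", "file_create", r"C:\Users\bob\Docs\README_RESTORE.txt"),              # step 7
    (163, "ws01", "file_rename", r"C:\Users\bob\Pics\a.jpg -> C:\Users\bob\Pics\a.jpg.locked"),
    (165, "ws01", "file_create", r"C:\Users\bob\Pics\README_RESTORE.txt"),
    (166, "ws01", "file_rename", r"C:\Share\HR\pay.docx -> C:\Share\HR\pay.docx.locked"),
    (167, "ws01", "file_create", r"C:\Share\HR\README_RESTORE.txt"),
    (300, "ws02", "file_rename", r"C:\tmp\a.txt -> C:\tmp\a.txt.bak"),                  # benign
]
# Process command lines that wipe Windows shadow copies (the page's step 5).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)

def appended_extension(detail):
    """Suffix added by a rename such as 'a.xlsx -> a.xlsx.locked'; None if the name changed otherwise."""
    src, _, dst = detail.partition(" -> ")
    return dst[len(src):] if dst.startswith(src + ".") else None

def detect(events, window_s=60, rename_threshold=4, note_threshold=3):
    """Return sorted (host, finding, evidence) tuples for the three behaviours."""
    findings = []
    renames = defaultdict(list)   # (host, new extension) -> rename timestamps
    notes = defaultdict(set)      # (host, file name) -> folders it was created in
    for ts, host, kind, detail in events:
        if kind == "process" and SHADOW_DELETE.search(detail):
            findings.append((host, "backup_destruction", detail))
        elif kind == "file_rename":
            if (ext := appended_extension(detail)):
                renames[(host, ext)].append(ts)
        elif kind == "file_create":
            folder, _, name = detail.rpartition("\\")
            if name.lower().endswith(".txt"):
                notes[(host, name)].add(folder)
    for (host, ext), stamps in renames.items():   # sliding window per host and extension
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= rename_threshold:
                findings.append((host, "mass_rename", f"{end - start + 1} files renamed to *{ext} within {window_s}s"))
                break
    for (host, name), folders in notes.items():   # same note file dropped in many folders
        if len(folders) >= note_threshold:
            findings.append((host, "ransom_note", f"{name} created in {len(folders)} folders"))
    return sorted(findings)
```

Any one of these signals alone can be benign (an admin clearing old snapshots, a bulk rename); seeing all three on one host within minutes is what should page someone.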
Real-World Examples
WannaCry (2017)
Perhaps the most devastating ransomware attack in history. WannaCry exploited a vulnerability in Windows using EternalBlue, an NSA-developed exploit that had been stolen and leaked. It spread automatically across networks without any user interaction, infecting 230,000+ computers in 150 countries in just 24 hours.
The UK's National Health Service was hit particularly hard: hospitals cancelled appointments, ambulances were diverted, and medical procedures were postponed. The estimated damage: $4-8 billion globally. The patch had been available for two months before the attack. Organizations that had updated their systems were unaffected.
Colonial Pipeline (2021)
A DarkSide ransomware attack on Colonial Pipeline, the largest fuel pipeline in the US, caused a shutdown that led to fuel shortages across the Eastern seaboard. Colonial paid approximately $4.4 million in ransom (later partially recovered by the FBI). Entry point: a compromised password for a VPN account that wasn't using 2FA.
Should Victims Pay the Ransom?
This is a genuinely difficult question.
Arguments against paying:
- It funds criminal operations and encourages more attacks
- There's no guarantee you'll actually get your files back; some ransomware groups take payment and disappear
- Even after paying, stolen data may still be published or sold
- In some jurisdictions, paying a ransomware group that is under government sanctions may be illegal
Arguments for paying (in some cases):
- When human lives are at stake (hospitals, emergency services) and no recovery alternative exists
- When the economic cost of non-recovery vastly exceeds the ransom
- When reputable ransomware groups (yes, they exist) reliably decrypt after payment
The best answer: don't be in a position where you have to decide. Regular, tested, offline backups mean you can recover without paying.
How to Protect Yourself
Ransomware Defense Checklist
- Maintain regular, offline backups. The 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 stored offsite or offline. An offline backup (a drive unplugged from your computer) cannot be encrypted by ransomware.
- Keep systems updated. WannaCry exploited a patched vulnerability. Organizations that had applied the patch weren't affected.
- Don't click attachments from unexpected sources. Most ransomware starts with a phishing email. Read: What is Phishing?
- Use 2FA on all accounts, especially VPNs and remote access tools
- Restrict user permissions. Don't run as an administrator for daily tasks; ransomware can only encrypt what the current user has access to
- Enable Windows "Controlled Folder Access", which blocks unauthorized apps from modifying files in protected folders
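To make "regular, tested, offline backups" concrete, this added example (mine, not from the original article; the BackupCopy fields and the two scenarios are assumptions) scores a set of copies against the 3-2-1 rule and flags backups that are still reachable from the computer or that have never been restore-tested.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class BackupCopy:
    label: str
    medium: str                        # e.g. "internal_ssd", "usb_hdd", "nas_hdd"
    offsite: bool                      # kept somewhere other than where the computer lives
    online: bool                       # reachable from the computer right now (mapped drive, synced folder)
    last_restore_test: Optional[date]  # when a file was last restored from this copy and checked

def assess_backups(copies: List[BackupCopy], today: date, max_test_age_days: int = 90):
    """Check all copies of the data (the live copy included) against the 3-2-1 rule and the
    'regular, tested, offline' advice above. Returns the gaps found; empty means the policy holds."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies; 3-2-1 wants 3")
    if len({c.medium for c in copies}) < 2:
        gaps.append("every copy is on the same media type; one failure mode loses them all")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy; fire, flood or theft takes every copy at once")
    # Ransomware can only encrypt what it can reach, so a mapped network drive or a synced
    # cloud folder counts as a copy but does not count as protection against ransomware.
    offline = [c for c in copies if not c.online]
    if not offline:
        gaps.append("every copy is online; ransomware on this computer can encrypt them all")
    for c in offline:   # a backup that was never restored is a hope, not a backup
        if c.last_restore_test is None or (today - c.last_restore_test).days > max_test_age_days:
            gaps.append(f"{c.label}: no successful restore test in the last {max_test_age_days} days")
    return gaps

# Constructed scenarios (not from the original page).
TODAY = date(2024, 6, 1)
WEAK = [
    BackupCopy("laptop", "internal_ssd", offsite=False, online=True, last_restore_test=None),
    BackupCopy("nas-share", "nas_hdd", offsite=False, online=True, last_restore_test=date(2024, 5, 20)),
]
STRONG = WEAK + [
    BackupCopy("usb-in-drawer", "usb_hdd", offsite=False, online=False, last_restore_test=date(2024, 5, 1)),
    BackupCopy("usb-at-parents", "usb_hdd", offsite=True, online=False, last_restore_test=date(2024, 4, 10)),
]
```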
FAQ
Can free decryptors help recover encrypted files?
Sometimes. Law-enforcement and security organizations, including Europol, collaborate through the No More Ransom Project (nomoreransom.org) to release free decryptors when ransomware encryption keys are seized or the encryption is reversed. Always check there before paying.
Is ransomware only a threat to businesses?
No. Individuals are targeted too, particularly through drive-by downloads and phishing emails. Consumer ransomware typically demands smaller amounts ($200-$500) but is distressing when family photos and irreplaceable files are lost.
References
- No More Ransom Project: nomoreransom.org
- Mandiant M-Trends Report: intrusion dwell time statistics
- CISA Ransomware Guide: cisa.gov/stopransomware
- WannaCry analysis: Symantec and MalwareTech