What Is Ransomware?
Ransomware is a type of malware that locks or encrypts your files and demands payment to give them back. The attacker holds your data hostage — and won’t release it until you pay a ransom, usually in bitcoin or another cryptocurrency. If you don’t pay, they may delete the files, leak them online, or sell them on the dark web.
Here’s a simple way to think of it. Imagine someone breaks into your house, puts all your belongings in a safe, and changes the combination. They leave a note: “Pay me $10,000 and I’ll give you the code.” That’s ransomware — but for your digital life. Your photos, documents, databases, and systems are all locked behind a key only the attacker holds.
This isn’t a niche threat. Ransomware is now the third most common type of cyberattack, making up over 10% of all data breaches. The average cost of a ransomware breach — not counting the ransom itself — is $5.68 million, according to IBM. And attacks hit everyone: hospitals, schools, city governments, small businesses, and global corporations alike. No industry and no region is safe from this threat.
How Ransomware Has Evolved
The threat has also evolved fast. Early ransomware just locked the screen. Today’s strains encrypt every file on the system, steal data before locking it, and threaten to publish it if you don’t pay. This is called double extortion — and some groups even add a third layer by targeting the victim’s customers or partners. Ransomware-as-a-Service (RaaS) has made it even easier for low-skill attackers to launch attacks, since they can rent the tools from more advanced criminal groups for a share of the profits.
Ransomware encrypts your files and demands payment to unlock them. Modern strains also steal data and threaten to leak it — a tactic called double extortion. The FBI advises against paying, because payment doesn’t guarantee recovery and it funds more attacks.
How Ransomware Works
Essentially, a ransomware attack follows a clear chain — from the first click to the final demand. So here’s how the flow plays out step by step.
The 5-Step Attack Chain
Encryption and Ransom Demand
An attack chain like this can play out in hours or weeks — depending on the attacker’s goals and how well the target is defended. As a result, early detection is critical. The sooner you catch the breach, the less damage it does. And because attackers now demand payment in cryptocurrency like bitcoin — which is hard to trace — recovery without backups often means total loss.
Types of Ransomware
Notably, not all ransomware works the same way. Here are the main types and what each one does.
Common Attack Vectors
How does ransomware actually get in? Here are the most common entry points — and why each one works.
- Phishing emails: The #1 vector. A user clicks a link or opens a file in a fake email. The malware installs in seconds. Even smart users fall for well-crafted phishing — which is why email filtering and security training are so critical.
- RDP and remote access: Attackers scan for open Remote Desktop Protocol (RDP) ports and brute-force or buy stolen credentials to log in. Once inside, they have full admin control. Locking down RDP with MFA and VPN is one of the fastest ways to cut this risk.
- Unpatched software: Old software with known flaws is an easy target. Attackers use exploit kits that scan for these gaps and push malware through them. Keeping systems patched closes these doors before the attacker gets there.
- Malicious downloads: Fake software, cracked apps, and drive-by downloads from compromised websites. Users think they’re getting a free tool — but they’re installing malware instead.
- Supply chain attacks: The attacker poisons a trusted software update or a third-party vendor’s code. When the victim installs the update, the ransomware rides in on a channel they already trust. This is one of the hardest vectors to defend against — because the source looks legitimate.
Most ransomware enters through human error — a clicked link, an open RDP port, or an unpatched system. Technical defenses matter. But user training and basic hygiene — like patching, MFA, and email filtering — stop the majority of attacks before they start.
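To show the RDP vector from the defender's side, here is an added example (not code from the original article) that scans simplified Windows Security logon events for a brute-force burst followed by a successful logon from the same source. Event IDs 4625/4624 and logon type 10 are real; the tuple layout, IP addresses and account names are constructed for the example.

```python
# Added example (not from the original article): detect an RDP brute-force
# burst followed by a successful logon in simplified Windows Security events.
# Event IDs 4625/4624 and logon type 10 (RemoteInteractive) are real; the
# tuple layout and all sample values below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

# Constructed events: (timestamp, event_id, logon_type, source_ip, user)
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-05-01T02:00:09", 4625, 10, "203.0.113.7", "admin"),
    ("2024-05-01T02:00:17", 4625, 10, "203.0.113.7", "root"),
    ("2024-05-01T02:00:25", 4625, 10, "203.0.113.7", "backup"),
    ("2024-05-01T02:00:33", 4625, 10, "203.0.113.7", "jsmith"),
    ("2024-05-01T02:00:41", 4625, 10, "203.0.113.7", "jsmith"),
    ("2024-05-01T02:00:55", 4624, 10, "203.0.113.7", "jsmith"),  # guess succeeded
    ("2024-05-01T02:03:00", 4625, 10, "198.51.100.5", "mjones"),  # one typo: benign
    ("2024-05-01T02:04:00", 4624, 2, "10.0.0.12", "mjones"),      # console logon
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP
    logons inside a sliding `window`. Each alert counts the failures seen
    and records the account of any later successful RDP logon from there."""
    recent = defaultdict(list)  # source_ip -> timestamps of recent failures
    alerts = {}
    for ts, event_id, logon_type, src, user in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) sessions matter here
        t = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            q = recent[src]
            q.append(t)
            while t - q[0] > window:  # drop failures older than the window
                q.pop(0)
            if src in alerts:
                alerts[src]["failures"] += 1
            elif len(q) >= threshold:
                alerts[src] = {"failures": len(q), "first_seen": q[0].isoformat(),
                               "success_user": None}
        elif event_id == SUCCESS_LOGON and src in alerts:
            # a success right after a burst of failures: treat as likely compromise
            alerts[src]["success_user"] = user
    return alerts

if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, alert)
```

A single failed logon from another address, and a console logon with a different logon type, are left out of the alert, which is the distinction an analyst wants before locking an account.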
The Real Cost of Ransomware
Ransomware isn’t just a tech problem — it’s a business problem. Here’s what the numbers show.
The total cost goes far beyond the ransom itself. It includes downtime, lost revenue, legal fees, regulatory fines, customer notification, brand damage, and the cost of rebuilding systems from scratch. For small firms, a single attack can be fatal — many never fully recover. And even when victims pay, less than half get all their data back in usable form. Others get a bad decryption key. A few find that the attacker only decrypted one layer of a double-encrypted system. And still others find their files are corrupted even after decryption — because the ransomware damaged them during the process.
The indirect costs are just as real. Customer trust drops after a breach. Partners may cut ties. Regulators may investigate. And the firm’s stock price — if public — often takes a hit that lasts months. For healthcare, a ransomware attack can delay patient care and put lives at risk. For government, it can shut down public services for days or weeks. And for retail, it can halt sales during peak season — costing millions in lost revenue on top of the breach costs.
However, there’s good news. The share of victims who pay has dropped sharply — from 70% in a recent year to 37%. Better backups, stronger defenses, and clearer guidance from the FBI and CISA are driving this shift. The firms that prepare in advance spend far less when (not if) an attack hits. And the firms that test their incident response plans recover in days instead of weeks.
Ransomware vs Other Malware
Ransomware is just one type of malware. Here’s how it compares to other common threats.
| Feature | Ransomware | Virus | Spyware | Worm |
|---|---|---|---|---|
| Goal | Extort money | Damage or spread | Steal data silently | Spread fast across networks |
| Method | Encrypts files, demands ransom | Attaches to files, corrupts data | Logs keystrokes, tracks activity | Self-replicates without user action |
| Visibility | ✕ Hidden until encryption is done | ◐ May show symptoms | ✕ Runs silently | ✓ Often causes visible slowdowns |
| Recovery | Backup or pay (no guarantee) | Antivirus can remove | Antivirus + password reset | Patch + isolate + antivirus |
| Worst Case | Total data loss + data leak | Corrupted files + system damage | Identity theft + credential leak | Network-wide outage |
Notable Ransomware Attacks
Ransomware isn’t just a theory — it’s caused billions in real damage. Here are some of the most well-known attacks and what they teach us.
WannaCry (2017). This worm-based attack spread across 150 countries in a single day, hitting over 200,000 systems. It exploited a known Windows flaw (EternalBlue) that had a patch available — but many firms hadn’t installed it. WannaCry shut down hospitals, factories, and government systems. The lesson: patching known flaws is not optional. A single missed update can lead to a global event.
Colonial Pipeline (2021). A single compromised VPN password gave attackers access to the billing systems of the largest fuel pipeline in the US. The company paid $4.4 million in ransom — though the FBI later recovered most of it. The attack caused fuel shortages across the East Coast. Clearly, one weak password plus no MFA equals a national crisis.
Supply Chain and Sector-Wide Attacks
Kaseya (2021). The REvil group attacked Kaseya’s VSA software — a tool used by managed service providers (MSPs) to manage their clients’ IT. Because the attack hit the supply chain, it spread to over 1,500 firms downstream. The lesson: supply chain attacks multiply the damage by using trusted tools as the weapon.
Change Healthcare (2024). This attack disrupted health insurance claims processing across the US for weeks, affecting millions of patients and thousands of providers. It showed how a single point of failure in a critical industry can cascade across the entire sector. The lesson: critical systems need segmentation, redundancy, and tested recovery plans.
These events share a common thread: each one exploited a basic gap — an unpatched system, a weak password, a trusted tool, or a single point of failure. The attacks that cause the most damage are rarely the most advanced. They’re the ones that find the simplest door left open. And the attackers behind them are getting better organized every year — with customer support portals, payment systems, and even helpdesks to “assist” their victims. The ransomware industry now runs like a business — and defending against it requires the same level of planning and discipline.
Should You Pay the Ransom?
This is one of the hardest calls in cybersecurity. Here’s a clear look at both sides.
The FBI does not support paying a ransom. Paying encourages the business model, doesn’t guarantee recovery, and may fund groups linked to terrorism or sanctioned states. The best defense is to prepare so you never face this choice — with tested backups, an incident response plan, and strong preventive controls.
How to Respond During a Ransomware Attack
If you’ve been hit, speed matters. Here’s what to do — in order — during the first hours of an attack.
First, isolate the infected systems. Unplug them from the network. Disable Wi-Fi. But don’t turn them off — turning off a machine can destroy evidence in memory that your forensics team needs. The goal is to stop the ransomware from spreading to other systems while keeping the evidence intact.
Then, alert your incident response team. Activate your in-house team right away. However, if you don’t have one, contact a third-party IR firm. Time is critical — every minute the attacker has access is another minute they can encrypt, steal, or destroy data. Also notify your legal team, because breach notification laws may apply depending on the data involved.
Contain, Report, and Recover
Next, determine the scope. Find out which systems are hit and which data is affected. Is the attack still spreading? Use your EDR and SIEM to trace the attack chain — from the entry point through lateral movement to the encryption trigger. The more you understand about the scope, the faster you can contain it and plan your recovery. Check whether the attacker has also stolen data — because if they have, you may face a double extortion demand even if you restore from backup. Furthermore, check whether they’ve disabled your backup systems, which is a common tactic in modern attacks.
Report the attack. File a report with the FBI at ic3.gov and contact CISA. They can provide guidance, share threat intel, and in some cases help track down the attacker. You should also check nomoreransom.org — a joint project of law enforcement and security firms — to see if a free decryption tool exists for your specific strain. In addition, notify your cyber insurance carrier right away — most policies have a window for reporting incidents, and missing it can void your coverage.
Finally, recover from clean backups. If your backups are current, tested, and stored off-network, this is your best path. Wipe the infected systems and restore from the latest clean copy. Then patch the flaw that let the attacker in — before you bring the systems back online. Because the worst outcome is restoring your data only to get hit again through the same gap. After recovery, run a full post-incident review to find what went wrong, what worked, and what needs to change. This review is how you turn a bad event into better defenses for next time.
Ransomware Prevention Best Practices
Here are the ransomware best practices that help you prevent, detect, and recover from an attack.
First, back up everything — and test your backups. This is the single most important control. Keep three copies of your data: two local (on different media) and one off-site or in the cloud. Make sure backups are not connected to the network they protect — because ransomware will encrypt backups too if it can reach them. And test your restore process at least once a quarter. A backup you’ve never tested is a backup you can’t trust.
Then, patch and update everything. Most ransomware exploits known flaws in software that already has a fix available. So turn on auto-updates. Patch your OS, apps, and firmware on a regular schedule. Because an unpatched system is an open door — and attackers scan for these doors every day.
Also, train your users. Phishing is the #1 entry point. Run regular training sessions and phishing simulations. Teach users to check sender addresses, hover over links before clicking, and report anything suspicious. Because the best firewall in the world can’t stop a user who opens the wrong email.
Detect, Respond, and Recover
Lock down remote access. If you use RDP, put it behind a VPN and require MFA. Better yet, switch to a zero trust network access (ZTNA) tool that checks identity and device health before granting any connection. That way, even if an attacker has stolen credentials, they can’t get in without a second factor and a compliant device.
Deploy EDR and email security. Antivirus alone is not enough. Use endpoint detection and response (EDR) to catch lateral movement and fileless attacks. Also deploy email filtering to block phishing before it reaches the inbox. And use a SIEM to correlate alerts across your stack — so you catch the attack chain early, not after encryption starts.
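To make "catch the attack chain early" concrete, here is an added example (not code from the original article) of the kind of EDR/SIEM correlation this paragraph and the scope-determination step of the response section describe: it flags a process that renames many files across several folders in a short window and drops a ransom note. The event layout, thresholds, process names and paths are all assumptions constructed for the example.

```python
# Added example (not from the original article): flag processes that write or
# rename files at ransomware-like rates and drop a ransom note. The EDR-style
# event layout, process names, paths and thresholds are all constructed here.
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

NOTE_PATTERN = re.compile(r"(readme|decrypt|restore|recover).*\.(txt|html?)$", re.I)

def build_sample_events():
    """Constructed events: (timestamp, host, pid, process, action, path)."""
    base, events = datetime(2024, 5, 1, 2, 10, 0), []
    for i in range(30):  # one process renames 30 files in two folders in 30 s
        folder = "finance" if i % 2 == 0 else "hr"
        events.append(((base + timedelta(seconds=i)).isoformat(), "fs01", 4412, "updater.exe",
                       "rename", ntpath.join(r"C:\Shares", folder, f"doc{i}.docx.locked")))
    events.append(((base + timedelta(seconds=31)).isoformat(), "fs01", 4412, "updater.exe",
                   "create", ntpath.join(r"C:\Shares\finance", "HOW_TO_DECRYPT.txt")))
    for i in range(3):  # a user saving a few documents: normal activity
        events.append(((base + timedelta(minutes=1, seconds=10 * i)).isoformat(), "ws07", 1188,
                       "winword.exe", "write", ntpath.join(r"C:\Users\mjones\Documents", f"memo{i}.docx")))
    return events

def detect_mass_encryption(events, threshold=20, window=timedelta(seconds=60)):
    """Return {(host, pid): finding} for processes that write or rename at
    least `threshold` files inside `window` across two or more folders."""
    touches, notes, names = defaultdict(list), defaultdict(list), {}
    for ts, host, pid, proc, action, path in sorted(events):
        key = (host, pid)
        names[key] = proc
        if action == "create" and NOTE_PATTERN.search(ntpath.basename(path)):
            notes[key].append(path)  # ransom-note-like file dropped
        elif action in ("write", "rename"):
            touches[key].append((datetime.fromisoformat(ts), path))
    findings = {}
    for key, items in touches.items():
        for i in range(len(items)):  # sliding window over the time-sorted touches
            burst = [p for t, p in items[i:] if t - items[i][0] <= window]
            folders = {ntpath.dirname(p) for p in burst}
            if len(burst) >= threshold and len(folders) >= 2:
                findings[key] = {"process": names[key], "files": len(burst),
                                 "folders": len(folders), "ransom_notes": notes[key],
                                 "new_extensions": sorted({ntpath.splitext(p)[1] for p in burst})}
                break  # one finding per process is enough to raise an alert
    return findings
```

The user saving three documents never crosses the threshold, while the renaming process is reported with the new extension it applied and the note it dropped, which is the context the scope step needs.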
Build and test an incident response plan. Don’t wait for an attack to figure out what to do. Write a plan that covers: who to call, how to isolate systems, how to restore from backup, when to notify regulators, and whether to contact the FBI. Then run a tabletop exercise at least twice a year. Because the firms that rehearse respond faster — and recover with far less damage.
Insure and Align
Finally, carry cyber insurance. A good policy can cover breach costs, legal fees, and even ransom payments (though paying is still not advised). However, insurers now require strong controls before they’ll issue a policy — like MFA, EDR, backups, and privileged access management (PAM). So building your defenses first isn’t just good security — it’s also what you need to get insured.
Back up everything — three copies, one off-site, test quarterly. Patch all systems on a set schedule. Train users against phishing. Lock down RDP with VPN and MFA. Deploy EDR and email filtering. Use a SIEM for alert correlation. Build and test an incident response plan. Carry cyber insurance. Align with CISA, FBI, and NIST guidance.
Frequently Asked Questions About Ransomware
More Common Questions
Conclusion: Why Ransomware Protection Matters Now
In short, ransomware is one of the most damaging and fast-growing threats in all of cybersecurity. It encrypts your data, steals it, and demands payment — and no industry, no firm size, and no platform is immune. The average breach now costs $5.68 million, and the attacks are only getting more advanced with AI and RaaS. Every firm needs to treat ransomware not as a “maybe” but as a “when” — and build defenses that match.
However, the firms that prepare in advance recover faster and pay less. So back up everything and test your restores. Patch every system. Train every user. Also, lock down remote access with MFA and ZTNA. And build an incident response plan before you need one — then test it twice a year.
Start now. First, check that your backups are current, tested, and stored off-network. Then patch every device and turn on auto-updates. Next, deploy EDR and email filtering across all endpoints. After that, train your users with phishing simulations at least once a quarter. Finally, write your incident response plan, run a tabletop exercise, and review your cyber insurance coverage. Because the firms that prepare for ransomware are the firms that survive it — and the ones that don’t prepare may not get a second chance.
References
- CISA — Ransomware 101
- IBM — What Is Ransomware?
- FBI — Ransomware