What Is Ransomware and How to Protect Yourself
Everything you need to know about ransomware — how it works, how it spreads, and the concrete steps you can take to prevent, detect, and recover from an attack.
What Is Ransomware
Ransomware is a type of malware that encrypts your files (documents, photos, databases, everything) and demands payment in exchange for the decryption key. When the encryption is implemented correctly, the files are effectively destroyed: scrambled into unreadable data that no amount of technical expertise can reverse without a key only the attacker holds. Implementation mistakes by some ransomware authors have occasionally made free decryptors possible, but you cannot plan on being that lucky.
What started as a nuisance targeting individual computers has evolved into one of the most profitable and devastating forms of cybercrime. In 2025, global ransomware damages exceeded $20 billion, with the average ransom payment reaching $570,000 for businesses. Individuals typically face demands of $200–$2,000, payable in cryptocurrency.
The victims include hospitals unable to access patient records, schools that lose years of data, small businesses that close permanently, and individuals who lose irreplaceable family photos. Ransomware doesn't discriminate — if you have data you value and a connection to the internet, you're a potential target.
The fundamental defense against ransomware predates computers entirely: keep copies of what matters to you in a safe place. Everything else — antivirus, email filtering, network segmentation — is an additional layer of protection on top of that principle.
How Ransomware Works
A ransomware attack follows a predictable sequence, though the sophistication of each phase has increased dramatically:
Phase 1: Initial access. The attacker gains a foothold on your system. This typically happens through a phishing email with a malicious attachment, a compromised website exploiting a browser vulnerability, an exposed Remote Desktop Protocol (RDP) port with weak credentials, or a vulnerability in unpatched software.
Phase 2: Establishing persistence. Sophisticated ransomware doesn't immediately encrypt. It first ensures it can survive reboots and removal attempts by modifying startup processes, creating scheduled tasks, or installing backdoor access.
Phase 3: Reconnaissance and lateral movement. In targeted attacks (especially against businesses), the intruder maps the network, identifies valuable data, locates backup systems and domain controllers, and spreads to additional machines. This work is usually done by a human operator using legitimate administration and remote-access tools and the organization's own credentials, not by the ransomware binary, which is typically the last thing deployed. The phase can last days or weeks, with the attacker quietly exploring before striking.
Phase 4: Data exfiltration (double extortion). Modern ransomware groups steal copies of sensitive data before encrypting it. This creates a second pressure point: even if you can restore from backups, the attacker threatens to publish or sell the stolen data unless you pay.
Phase 5: Encryption. The ransomware encrypts files with standard, well-studied cryptography: typically a fast symmetric cipher such as AES-256 (some families use ChaCha20) for file contents, with the symmetric key for each file or victim wrapped by an RSA-2048 or RSA-4096 public key whose private half exists only on the attacker's side. Many families encrypt only parts of each large file (intermittent encryption) so that an entire disk can be locked in minutes. Files are renamed with new extensions (e.g., .locked, .encrypted, .ryuk), and a ransom note appears explaining the situation and providing payment instructions. Once the symmetric keys have been wrapped and wiped from memory, nothing left on the victim's machine can reverse the encryption.
Phase 6: Ransom demand. Payment is demanded in cryptocurrency (usually Bitcoin or Monero) because transfers cannot be reversed and, in Monero's case, are hard to trace. A deadline is set, after which the ransom increases or the decryption key is destroyed. Some groups run "customer support" chat portals on the dark web to walk victims through buying and sending cryptocurrency.
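To make concrete why phase 5 cannot be undone without the attacker, here is an added example in Go, written for this page rather than taken from the original article or from any ransomware family. It models the hybrid scheme on in-memory byte slices only: a fresh AES-256-GCM key per file, wrapped with an RSA-2048 public key using RSA-OAEP, and a "decryptor" that needs the matching private key. The file name, the .locked extension, and the sample contents are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// LockedFile is what remains on disk after phase 5: ciphertext, nonce, and the
// per-file AES key wrapped (RSA-OAEP) to the attacker's public key. The plaintext
// file key is never stored.
type LockedFile struct {
	Name       string // original name plus the new extension
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// encryptFile: fresh 256-bit key per file, AES-256-GCM for the contents, key
// wrapped with the attacker's public key, plaintext key wiped. Nothing that stays
// on the victim's machine can reverse this.
func encryptFile(attackerPub *rsa.PublicKey, name string, plaintext []byte) (LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return LockedFile{}, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return LockedFile{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return LockedFile{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return LockedFile{}, err
	}
	// The file name is bound as associated data, so ciphertexts cannot be swapped between files.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return LockedFile{}, err
	}
	for i := range fileKey { // wipe the only plaintext copy of the file key
		fileKey[i] = 0
	}
	return LockedFile{Name: name + ".locked", WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptFile is the "decryptor" the attacker sells back. Without the matching
// private key the OAEP unwrap fails, and so does everything after it.
func decryptFile(attackerPriv *rsa.PrivateKey, lf LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	origName := strings.TrimSuffix(lf.Name, ".locked")
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, []byte(origName))
}

// runDemo encrypts a constructed sample document under one key pair, then tries
// to recover it with the right private key and with an unrelated one.
func runDemo() (recoveredOK, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("Constructed sample: 2025 tax return draft (not real data).")
	lf, err := encryptFile(&attacker.PublicKey, "taxes-2025.pdf", doc)
	if err != nil {
		return false, false, err
	}
	got, err := decryptFile(attacker, lf)
	recoveredOK = err == nil && string(got) == string(doc)
	_, err = decryptFile(someoneElse, lf)
	wrongKeyRejected = err != nil
	return recoveredOK, wrongKeyRejected, nil
}

func main() {
	ok, rejected, err := runDemo()
	fmt.Printf("locked name: taxes-2025.pdf.locked | recovered with attacker key: %v | wrong key rejected: %v | err: %v\n", ok, rejected, err)
}
```

The only moment the file key exists in the clear is between its generation and the wipe at the end of encryptFile; that brief window is why incident responders prefer to keep a compromised machine powered on rather than off. Real families differ in details (per-victim master keys, ChaCha20 instead of AES, partial encryption of large files) but share this structure, which is why a correctly built decryptor cannot be written by anyone who lacks the private key.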
Ransomware-as-a-Service
The modern ransomware ecosystem operates more like a corporate franchise than individual hackers. Ransomware-as-a-Service (RaaS) platforms provide turnkey tools, infrastructure, and support to affiliates who conduct the actual attacks.
How RaaS works:
- Developers create and maintain the ransomware software, encryption infrastructure, payment portals, and decryption tools
- Affiliates pay a subscription or revenue share (typically 20–30% to the developer) and receive the ransomware, access to a management panel, and sometimes technical support
- Initial Access Brokers sell access to already-compromised networks, providing affiliates with a starting point
- Negotiators handle ransom negotiations with victims, sometimes operating as independent contractors
Major RaaS operations in 2025-2026 include LockBit, ALPHV/BlackCat, Cl0p, and their successors. These groups run dedicated leak sites where they publish stolen data from non-paying victims, negotiation portals that resemble legitimate support systems, and encryption built from standard primitives that cannot be broken without the operators' private keys. Researchers have occasionally found implementation flaws in individual families, which is where the free decryptors mentioned below come from, but the major operations fix such bugs quickly, so a victim should not expect one to exist.
This industrialization means ransomware attacks are conducted by a wide range of threat actors — from sophisticated cybercriminal groups to relatively unskilled individuals who simply rent tools and follow instructions. The barrier to entry has never been lower, which is why attack volume continues to grow.
Common Attack Vectors
Understanding how ransomware reaches your system is essential for prevention:
Phishing emails (most common). An email with a malicious attachment (Word doc with macros, PDF with embedded scripts, ZIP containing an executable) or a link to a compromised website. The email impersonates a trusted sender — your bank, a shipping company, a colleague, HR. AI tools are making phishing emails increasingly convincing in 2026.
Remote Desktop Protocol (RDP) exploitation. Many businesses and some individuals leave RDP accessible from the internet. Attackers scan for open RDP ports and attempt brute-force login or use stolen credentials. This has been one of the top ransomware vectors for several years.
Software vulnerabilities. Unpatched software provides direct entry points. The MOVEit Transfer vulnerability (2023), which the Cl0p group exploited to steal data from a large number of organizations for extortion, and similar zero-days in widely used internet-facing products allow compromise without any user interaction. VPN appliances, firewalls, and file-transfer servers are favorite targets because they sit on the network edge and often lag on patches.
Drive-by downloads. Visiting a compromised website that exploits browser or plugin vulnerabilities to automatically download and execute ransomware. No clicking required; simply loading the page is enough. Sandboxed, auto-updating browsers and the retirement of plugins such as Flash have made this much rarer than it once was, which is one more reason to keep the browser current.
USB and removable media. Less common for targeted attacks but still used. Infected USB drives left in offices exploiting employee curiosity (social engineering meets physical media).
Supply chain compromise. A legitimate software vendor's update mechanism is hijacked to distribute ransomware to all customers. The Kaseya attack (2021) used this vector to hit over 1,500 businesses through a single compromised IT management tool.
Prevention Strategies
No single measure eliminates ransomware risk, but layered defenses dramatically reduce it:
Maintain comprehensive backups. This is your ultimate defense. Follow the 3-2-1-1 rule (an update to the classic 3-2-1): 3 copies of your data, on 2 different media types, 1 off-site, and 1 offline or immutable. "Immutable" means the storage itself refuses to alter or delete the copy for a set retention period (write-once media, or object storage and cloud backups with locked version history). The offline or immutable copy is critical because sophisticated ransomware specifically looks for backup systems and encrypts or deletes them, and stolen administrator credentials can wipe any backup that is merely password-protected.
- For individuals: External hard drive for local backup (Time Machine, Windows Backup) + cloud backup (Backblaze, iDrive). Disconnect the external drive when not actively backing up. A sync folder (Dropbox, OneDrive, iCloud Drive) is not a backup on its own: it faithfully mirrors encrypted files and deletions to the cloud, so count on it only if it keeps a version history you can roll back.
- Test restores quarterly. A backup you can't restore from is not a backup.
Keep software updated. Patch everything promptly — operating systems, applications, browser plugins, and especially any internet-facing services. Enable automatic updates wherever possible.
Email security. Use email filtering to block malicious attachments. Never enable macros in unexpected documents. Verify unexpected attachments through a separate communication channel before opening. Learn to recognize phishing red flags.
Disable RDP or secure it properly. If you don't need Remote Desktop, disable it and make sure TCP port 3389 is not reachable from the internet. If you do need it, reach it only through a VPN or a remote-desktop gateway, require multi-factor authentication, enforce strong passwords and account lockout policies, and enable Network Level Authentication.
Use endpoint protection with behavioral detection. Modern ransomware evades signature-based antivirus because every affiliate's build is slightly different. Endpoint Detection and Response (EDR) tools that monitor behavior, such as one process rewriting many files with high-entropy data, renaming them in bulk, or deleting volume shadow copies, catch what signatures miss. On Windows, Microsoft Defender's Controlled Folder Access blocks applications that are not on its allow list from modifying files in protected folders (Documents, Pictures, and any folders you add). It guards only those folders, so keep your important data inside them.
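The behavioral logic such tools apply can be seen in a small model. The following Go program is an added example written for this page, not code from any EDR product or from the original article. It feeds constructed file events (hypothetical process names and Windows paths, random bytes standing in for ciphertext) to a detector that alerts only when one process both overwrites many documents with high-entropy data and renames many of them to an unfamiliar extension. The thresholds, the extension list, and the event format are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"path/filepath"
	"strings"
	"time"
)

// FileEvent models one record from an endpoint sensor (filter driver, auditd, EDR agent).
type FileEvent struct {
	At            time.Time
	Process, Op   string // Op is "write" or "rename"
	Path, NewPath string // NewPath is the rename target
	Data          []byte // payload of a write
}

// shannonEntropy in bits per byte: near 0 for repetitive text, near 8 for encrypted data.
func shannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, c := range counts {
		if p := c / float64(len(b)); p > 0 {
			h -= p * math.Log2(p)
		}
	}
	return h
}

// userDocExts is a hypothetical allow-list of document types worth protecting.
var userDocExts = map[string]bool{".docx": true, ".xlsx": true, ".pdf": true, ".jpg": true, ".txt": true}

// Detector tracks, per process, documents overwritten with high-entropy data ("encwrite") and
// documents renamed to an unfamiliar extension ("extchange"); it fires only when both counts
// reach MinFiles inside Window, because either signal alone is noisy.
type Detector struct {
	Window     time.Duration
	EntropyMin float64
	MinFiles   int
	seen       map[string]time.Time // "process\x00kind\x00path" -> last seen
}

// Observe feeds one event and returns an alert message once the threshold is crossed.
func (d *Detector) Observe(e FileEvent) (string, bool) {
	var kind string
	if e.Op == "write" && userDocExts[strings.ToLower(filepath.Ext(e.Path))] && len(e.Data) >= 256 && shannonEntropy(e.Data) >= d.EntropyMin {
		kind = "encwrite"
	} else if e.Op == "rename" && userDocExts[strings.ToLower(filepath.Ext(e.Path))] && !userDocExts[strings.ToLower(filepath.Ext(e.NewPath))] {
		kind = "extchange"
	} else {
		return "", false
	}
	d.seen[e.Process+"\x00"+kind+"\x00"+e.Path] = e.At
	enc, ren := 0, 0
	for key, at := range d.seen {
		if at.Before(e.At.Add(-d.Window)) {
			delete(d.seen, key) // outside the sliding window
		} else if strings.HasPrefix(key, e.Process+"\x00encwrite\x00") {
			enc++
		} else if strings.HasPrefix(key, e.Process+"\x00extchange\x00") {
			ren++
		}
	}
	if enc >= d.MinFiles && ren >= d.MinFiles {
		return fmt.Sprintf("%s: %d high-entropy overwrites and %d extension changes within %s", e.Process, enc, ren, d.Window), true
	}
	return "", false
}

// replay feeds a constructed stream (eight files one second apart, each written and then renamed to newExt; empty newExt is a no-op rename) to a fresh detector.
func replay(proc, pathFmt string, payload func() []byte, newExt string) bool {
	d, fired := &Detector{Window: 10 * time.Second, EntropyMin: 7.5, MinFiles: 5, seen: map[string]time.Time{}}, false
	for i := 0; i < 8; i++ {
		at, p := time.Unix(1700000000+int64(i), 0).UTC(), fmt.Sprintf(pathFmt, i)
		_, w := d.Observe(FileEvent{At: at, Process: proc, Op: "write", Path: p, Data: payload()})
		_, r := d.Observe(FileEvent{At: at, Process: proc, Op: "rename", Path: p, NewPath: p + newExt})
		fired = fired || w || r
	}
	return fired
}

// runScenarios replays a ransomware-like process, a word processor saving text, and an image editor saving high-entropy JPEGs in place (all inputs constructed).
func runScenarios() (ransomware, wordProcessor, imageEditor bool) {
	r := rand.New(rand.NewSource(1)) // deterministic stand-in for ciphertext
	random := func() []byte { b := make([]byte, 4096); r.Read(b); return b }
	text := func() []byte { return []byte(strings.Repeat("Q3 revenue rose 4% on stronger demand. ", 120)) }
	docs, pics := `C:\Users\ana\Documents\report%d.docx`, `C:\Users\ana\Pictures\img%d.jpg`
	return replay("svc_update.exe", docs, random, ".locked"), replay("winword.exe", docs, text, ""), replay("photoed.exe", pics, random, "")
}

func main() {
	r, w, i := runScenarios()
	fmt.Println("ransomware-like:", r, "| word processor:", w, "| image editor:", i)
}
```

Run it with go run. The ransomware-like stream alerts on the fifth file; the word processor never produces a high-entropy write, and the image editor saves high-entropy JPEGs but never changes their extension, which is why the two signals are required together rather than alone. Production tools add signals this toy omits, such as canary files planted in user folders and a process deleting volume shadow copies.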
Apply least-privilege access. Don't use an administrator account for daily activities. Limit which folders each user and application can modify. The less access ransomware has when it executes, the less damage it can do.
What to Do If Infected
If you discover a ransomware infection, speed and calm are essential:
Immediately:
- Disconnect from the network. Unplug Ethernet, disable Wi-Fi. This prevents the ransomware from spreading to other devices and from exfiltrating data.
- Do not shut down the computer, but do isolate it. Encryption keys and other evidence may still be in memory, and incident responders or law enforcement can sometimes recover them; a hard power-off erases that. If the machine is still visibly encrypting and pulling the network cable is not enough, suspending or hibernating it preserves memory where a power-off would not.
- Document everything. Take photos of the ransom note. Record the ransomware variant name, extension used on encrypted files, and any displayed information.
Next (within the first hour):
- Report the incident. Contact law enforcement (FBI's IC3 at ic3.gov in the US) and your IT department if applicable.
- Identify the ransomware variant. Upload a ransom note or encrypted file sample to ID Ransomware (id-ransomware.malwarehunterteam.com). Some variants have been cracked and have free decryption tools available.
- Check for free decryption tools. The No More Ransom project (nomoreransom.org), a legitimate initiative of Europol, the Dutch police, and security vendors, maintains a collection of free decryption tools for many ransomware variants.
Recovery:
- Restore from backups if available and unaffected. Wipe and reinstall the infected device before restoring; don't simply copy files back onto a still-infected system, and check the backup's contents for anything the attacker may have planted before the last backup ran.
- If no backup exists and no free decryptor is available, you face a difficult decision about whether to pay the ransom (see next section).
- After recovery, investigate the initial infection vector and close it. Change all passwords that may have been exposed, and assume that any data on the machine may have been copied (see double extortion above).
Should You Pay the Ransom?
This is one of the most difficult questions in cybersecurity. Here's the reality:
Arguments against paying:
- No guarantee of decryption. Some ransomware groups provide working decryptors; others don't. Some provide broken decryptors. A 2024 survey found that only 60% of organizations that paid the ransom fully recovered their data.
- Funds criminal operations. Every ransom payment funds the development of more sophisticated ransomware, the targeting of more victims, and the growth of cybercriminal organizations.
- You become a repeat target. Organizations that pay are often attacked again because they've demonstrated willingness to pay. Some are re-attacked by the same group within months.
- Legal risks. Paying ransom to sanctioned entities (and some ransomware groups have been sanctioned) can violate OFAC regulations and other laws.
Arguments for paying:
- Business survival. For some businesses, especially small ones without backups, the alternative to paying is permanent closure.
- Data recovery. Some files — patient records, ongoing projects, irreplaceable research — may be worth more than the ransom.
- Speed. Restoring from backup and rebuilding systems can take weeks. Decryption may take hours.
The official position from the FBI and most cybersecurity agencies is: do not pay. However, they also acknowledge that each victim must make their own decision based on their specific circumstances.
The real answer: make the question irrelevant by having tested, current backups that ransomware can't reach. If you can restore from backup within hours, paying for decryption is never necessary. What backups cannot undo is data theft, so the same preparation should include limiting how much sensitive data lives on everyday machines and watching for the exfiltration that precedes encryption.
Building Ransomware Resilience
Resilience means accepting that an attack may succeed and ensuring you can recover quickly:
For individuals:
- Set up automated backups to both an external drive and a cloud service
- Keep the external drive disconnected when not backing up (prevents ransomware from encrypting it)
- Test restoring files from your backup at least once a quarter
- Enable ransomware protection features in your OS (Windows Controlled Folder Access)
- Maintain current copies of important documents separate from your main system
For families:
- Ensure backup covers all devices — laptops, desktops, and valuable data on phones
- Store critical documents (tax returns, insurance policies, IDs) in multiple locations
- Educate family members about phishing — the weakest link determines the whole family's security
- Consider a cloud backup service with versioning that retains previous file versions
The resilience mindset: You can't guarantee you'll never encounter ransomware. But you can guarantee that if you do, it's an inconvenience rather than a catastrophe. The difference is preparation — specifically, backups that are current, tested, and out of ransomware's reach.
Ransomware is a serious threat, but it's not an unstoppable one. The combination of good security habits, current software, healthy email skepticism, and — above all — reliable offline backups makes you resilient against even the most sophisticated ransomware attacks. Prepare now, so you never have to make the impossible choice of whether to pay.