What Is Ransomware?
Ransomware is a category of malicious software that encrypts a victim's files or locks them out of their systems entirely, then demands a ransom payment — usually in cryptocurrency — in exchange for a decryption key. It's one of the most financially damaging forms of cybercrime affecting businesses, hospitals, schools, and individuals worldwide.
How a Ransomware Attack Unfolds
Understanding the attack lifecycle helps explain why prevention is so critical — and why responding after encryption has already occurred is so difficult.
Stage 1: Initial Access
Attackers gain entry through one of several common vectors:
- Phishing emails with malicious attachments or links
- Exposed Remote Desktop Protocol (RDP) with weak or stolen credentials
- Unpatched software vulnerabilities in VPNs, web servers, or operating systems
- Malvertising — malicious ads on legitimate websites
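Of the vectors above, exposed RDP with weak or stolen credentials is the one that leaves the clearest trail in authentication logs: a burst of failed logons from one source, often against several account names, sometimes followed by a success. The detector below is an added example, not part of the original article; it runs over a few constructed log lines in a hypothetical `<timestamp> <FAIL|SUCCESS> user=<name> src=<ip>` format (a real deployment would parse Windows event 4625/4624 or an RDP gateway log instead), and flags a source that exceeds a failure threshold inside a sliding window, noting whether a success followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from the article).
SAMPLE_LOG = """\
2024-05-01T02:00:01 FAIL user=administrator src=203.0.113.7
2024-05-01T02:00:03 FAIL user=admin src=203.0.113.7
2024-05-01T02:00:05 FAIL user=backup src=203.0.113.7
2024-05-01T02:00:06 FAIL user=administrator src=203.0.113.7
2024-05-01T02:00:08 FAIL user=sqlsvc src=203.0.113.7
2024-05-01T02:00:09 FAIL user=administrator src=203.0.113.7
2024-05-01T02:00:12 SUCCESS user=administrator src=203.0.113.7
2024-05-01T08:15:00 FAIL user=jsmith src=192.0.2.10
2024-05-01T08:15:30 SUCCESS user=jsmith src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the hypothetical log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src: finding} for sources with >= threshold failed logons inside
    any window-sized span, recording the accounts tried and whether a
    successful logon from that source followed the last failure."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        best, start = None, 0
        # Sliding window over the failures: keep the densest span.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        last_fail = fails[end]["ts"]
        success_after = any(
            e["result"] == "SUCCESS" and e["ts"] > last_fail for e in evs
        )
        findings[src] = {
            "failures": count,
            "users_tried": sorted({e["user"] for e in fails[start:end + 1]}),
            "success_after": success_after,  # a likely credential compromise
        }
    return findings


if __name__ == "__main__":
    for src, f in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, f)
```

The `success_after` flag is the part worth alerting on with highest priority: a burst of failures that ends in a success means the account should be treated as compromised and the session investigated, not just the source blocked. Enforcing MFA on the RDP endpoint, as the article recommends later, is what turns that success back into a failure.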
Stage 2: Reconnaissance and Lateral Movement
Once inside, sophisticated attackers don't immediately encrypt files. Instead, they spend days or weeks mapping the network, elevating privileges, and moving to high-value systems. This "dwell time" is why an incident response team often discovers attackers had been present long before encryption triggered.
Stage 3: Data Exfiltration (Modern Twist)
Many modern ransomware groups now steal data before encrypting it. This enables a double extortion tactic: pay to decrypt your files, and pay to prevent the stolen data from being published. Some groups skip encryption entirely and simply threaten to leak.
Stage 4: Encryption and Ransom Note
The ransomware payload executes, encrypting files across connected drives and network shares. A ransom note is left explaining how to pay and what happens if the deadline is missed.
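The encryption stage is also the one with the most distinctive file-system signature: a single process renaming many files to one new extension in a short time, and dropping the same note file into directory after directory. The following detector is an added example, not code from the article; it runs over a constructed file-event log in a hypothetical `<timestamp> <host> <pid> <RENAME|CREATE> <path> [-> <newpath>]` format (a real deployment would feed it from file-server audit logs or an EDR sensor) and flags a process whose extension-changing renames exceed a threshold inside a window, together with how many directories received a note-like file.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not from the article).
SAMPLE_EVENTS = """\
2024-05-02T03:10:00 FS01 4120 RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.locked
2024-05-02T03:10:00 FS01 4120 RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.locked
2024-05-02T03:10:01 FS01 4120 RENAME /share/finance/budget.docx -> /share/finance/budget.docx.locked
2024-05-02T03:10:01 FS01 4120 CREATE /share/finance/HOW_TO_RESTORE_FILES.txt
2024-05-02T03:10:02 FS01 4120 RENAME /share/hr/contract.pdf -> /share/hr/contract.pdf.locked
2024-05-02T03:10:02 FS01 4120 RENAME /share/hr/roster.xlsx -> /share/hr/roster.xlsx.locked
2024-05-02T03:10:03 FS01 4120 CREATE /share/hr/HOW_TO_RESTORE_FILES.txt
2024-05-02T09:00:00 FS01 2230 RENAME /share/hr/draft.docx -> /share/hr/draft_v2.docx
2024-05-02T09:00:05 FS01 2230 CREATE /share/hr/notes.txt
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<pid>\d+) (?P<op>RENAME|CREATE) "
    r"(?P<path>\S+)(?: -> (?P<new>\S+))?$"
)
# Words commonly seen in ransom-note file names; tune for your environment.
NOTE_MARKERS = ("DECRYPT", "RESTORE", "RECOVER", "README")


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "pid": int(m["pid"]),
            "op": m["op"],
            "path": m["path"],
            "new": m["new"],
        })
    return events


def _ext(path):
    return os.path.splitext(path)[1].lstrip(".").lower()


def detect_encryption_bursts(events, min_renames=5,
                             window=timedelta(seconds=60), min_note_dirs=2):
    """Return one finding per (host, pid, new extension) whose extension-changing
    renames reach min_renames inside any window-sized span."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)

    findings = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        renames = defaultdict(list)  # new extension -> timestamps
        note_dirs = set()
        for e in evs:
            if e["op"] == "RENAME" and _ext(e["new"]) != _ext(e["path"]):
                renames[_ext(e["new"])].append(e["ts"])
            elif e["op"] == "CREATE":
                name = os.path.basename(e["path"]).upper()
                if any(marker in name for marker in NOTE_MARKERS):
                    note_dirs.add(os.path.dirname(e["path"]))
        for ext, stamps in renames.items():
            best, start = 0, 0
            for end in range(len(stamps)):
                while stamps[end] - stamps[start] > window:
                    start += 1
                best = max(best, end - start + 1)
            if best >= min_renames:
                findings.append({
                    "host": host, "pid": pid, "extension": ext,
                    "renames": best,
                    "note_dirs": len(note_dirs),
                    "note_seen": len(note_dirs) >= min_note_dirs,
                })
    return findings


if __name__ == "__main__":
    for f in detect_encryption_bursts(parse_events(SAMPLE_EVENTS)):
        print(f)
```

A legitimate bulk rename (the pid 2230 events) keeps the original extension and touches no note file, so it never crosses the threshold. The value of this check is speed: an alert on the first few dozen renames lets a responder isolate the host while most of the share is still intact, which ties directly to the "isolate affected systems immediately" step near the end of the article.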
Why Paying Isn't a Solution
Law enforcement agencies including the FBI generally advise against paying ransoms. Key reasons include:
- Payment does not guarantee you'll receive a working decryption key
- It signals to attackers that your organization is willing to pay, making you a repeat target
- It funds criminal enterprises that go on to attack others
- In some jurisdictions, paying groups on sanctions lists may expose organizations to legal liability
Effective Defenses
Backups: Your Most Important Defense
Maintain regular, tested backups following the 3-2-1 rule: three copies of data, on two different media types, with one stored offline or air-gapped. An offline backup that attackers cannot reach is the most reliable recovery option.
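"Tested" is the word that matters in that sentence: a backup that nobody has verified is a hope, not a recovery plan. The script below is an added example, not part of the original article. It models each copy with a hypothetical `BackupCopy` record (label, media type, offline flag, stored bytes), checks every copy's SHA-256 against the hash recorded at backup time, and only then evaluates the 3-2-1 rule over the copies that are actually intact, so a corrupt offline copy correctly fails the "one offline" part instead of counting.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str      # hypothetical name for the copy, e.g. "tape"
    media: str      # media type: "disk", "tape", "object-storage", ...
    offline: bool   # True if not reachable from the production network
    content: bytes  # the bytes actually stored in that copy


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(reference_sha256: str, copies):
    """Verify every copy against the reference hash, then evaluate the 3-2-1
    rule over the intact copies only. Returns a report dict."""
    corrupt = [c.label for c in copies if sha256_hex(c.content) != reference_sha256]
    intact = [c for c in copies if c.label not in corrupt]
    media_types = {c.media for c in intact}
    offline = [c.label for c in intact if c.offline]
    three_copies = len(intact) >= 3
    two_media = len(media_types) >= 2
    one_offline = len(offline) >= 1
    return {
        "corrupt": corrupt,
        "intact_copies": len(intact),
        "media_types": sorted(media_types),
        "offline_copies": offline,
        "three_copies": three_copies,
        "two_media": two_media,
        "one_offline": one_offline,
        "compliant": three_copies and two_media and one_offline,
    }


# Constructed sample data set and the hash recorded when it was backed up.
DATA = b"payroll export 2024-05 (constructed sample)"
REFERENCE = sha256_hex(DATA)

# Scenario 1: all copies intact; primary disk, NAS disk, offline tape.
GOOD_SET = [
    BackupCopy("primary", "disk", False, DATA),
    BackupCopy("nas", "disk", False, DATA),
    BackupCopy("tape", "tape", True, DATA),
]

# Scenario 2: the only offline copy silently rotted; the online copies
# still satisfy "three copies" and "two media", but an attacker who reaches
# the network can reach all of them.
BAD_SET = [
    BackupCopy("primary", "disk", False, DATA),
    BackupCopy("nas", "disk", False, DATA),
    BackupCopy("cloud", "object-storage", False, DATA),
    BackupCopy("tape", "tape", True, DATA[:-1] + b"\x00"),
]


if __name__ == "__main__":
    for name, copies in (("good", GOOD_SET), ("bad", BAD_SET)):
        print(name, check_3_2_1(REFERENCE, copies))
```

The point of evaluating the rule after the integrity check rather than before is the one the article makes: the offline copy is the one that matters most in a ransomware incident, so it is the one whose restore should be exercised on a schedule, not assumed.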
Patch Management
A significant portion of ransomware exploits known vulnerabilities that already have patches available. Establishing a consistent, prioritized patching schedule — particularly for internet-facing systems — closes a major attack avenue.
Multi-Factor Authentication (MFA)
Enabling MFA on all remote access points, email, and admin accounts dramatically reduces the risk of credential-based intrusion.
Network Segmentation
Dividing your network into segments limits how far ransomware can spread if it does gain a foothold. Critical systems should not be directly reachable from general user workstations.
User Awareness Training
Since phishing remains the most common entry point, regular training that helps users recognize suspicious emails is a high-return investment.
What to Do If You're Hit
- Isolate affected systems immediately — disconnect from the network
- Do not turn off machines (forensic evidence may be lost)
- Contact your incident response team or a specialist firm
- Report to law enforcement (FBI, CISA in the US)
- Check ransomware decryption resources at nomoreransom.org before considering payment
Ransomware is a serious but manageable threat. Organizations that invest in prevention, detection, and tested recovery plans are far better positioned than those who learn its lessons the hard way.