Ransomware is one of the most disruptive forms of malware in current use. It encrypts the victim's files, rendering them inaccessible, and demands payment for the decryption key. Attacks have targeted individuals, hospitals, schools, municipal governments, and large corporations. The consequences range from losing personal photos to multi-week outages of critical services.
Understanding how ransomware works and what the effective countermeasures are makes both the threat and the protection more concrete.
What this covers:
What ransomware is and the two main types
How ransomware gets onto a system
What happens after infection
Whether paying the ransom is ever advisable
Practical steps to prevent infection
What to do if you are already infected
What Ransomware Is
Ransomware is malware that restricts access to a system or its files and demands payment to restore that access. The term covers two distinct mechanisms.
Locker ransomware prevents access to the device itself. The screen is replaced with a ransom message and the system is otherwise unusable. This type is less common than it once was.
Crypto ransomware is the more prevalent and damaging type. It encrypts files on the device using strong cryptographic algorithms, making them unreadable without the decryption key, which the attacker holds. The victim's data remains on the device but is inaccessible. A ransom demand is displayed with payment instructions, typically to a cryptocurrency wallet, and often with a countdown timer.
Some modern ransomware groups use a tactic called double extortion: they exfiltrate data before encrypting it, then threaten to publish the stolen files if the ransom is not paid. This adds a second form of leverage beyond simply locking files.
How Ransomware Reaches a System
Phishing emails. This is the most common delivery method. An email with a malicious attachment or link arrives looking like a legitimate communication. Opening the attachment or clicking the link executes the malware. The email might appear to be from a shipping company, a bank, a government agency, or a colleague. The phishing guide covers how to identify these messages in more detail.
Malicious downloads. Pirated software, fake browser update prompts, and files from unverified sources can carry hidden malware. The ransomware installs quietly during or after the download.
Malvertising. Malicious advertising can appear on legitimate websites that have been compromised or that accept ads without adequate screening. Some variants can execute malware simply by loading the page, without any click required. This has become less common as browsers have improved their security models, but it remains a vector.
Unpatched vulnerabilities. Outdated operating systems and software contain known vulnerabilities that attackers actively exploit. WannaCry, one of the most damaging ransomware outbreaks in history, spread by exploiting a Windows vulnerability that had already been patched. Systems that had not applied the update were compromised without any user interaction.
Remote Desktop Protocol (RDP) attacks. For businesses and home users who have Remote Desktop exposed to the internet, attackers scan for open RDP ports and attempt to log in using stolen or guessed credentials. Once in, they deploy ransomware manually.
What Happens After Infection
The sequence after ransomware executes is typically:
The malware scans the file system for files worth encrypting: documents, photos, spreadsheets, databases, backups stored on the same drive or network. It may also attempt to spread to other devices on the same network.
Files are encrypted with a strong algorithm. Common ones include AES-256 combined with RSA, which makes the encryption computationally infeasible to break without the key. The originals are replaced with encrypted versions.
A ransom note is displayed or dropped as a text file, with instructions for payment and how to receive the decryption key. Payment is almost always demanded in cryptocurrency for the attacker's anonymity.
Some variants attempt to delete Volume Shadow Copies (Windows) or other local backup mechanisms to prevent recovery without paying.
Should You Pay the Ransom?
Security professionals and law enforcement agencies consistently advise against paying. Several factors inform this position.
Payment does not guarantee decryption. Ransomware groups are criminal organisations with no accountability. Some provide working decryption tools; others take payment and disappear, send non-functional tools, or demand additional payment. Studies suggest that a significant proportion of victims who pay do not recover all their data.
Payment funds further attacks. The ransomware economy depends on victims paying. Each successful ransom incentivizes more attacks and funds the development of more capable malware.
There may be free decryption options. The No More Ransom project (nomoreransom.org) is a collaboration between law enforcement agencies and security companies that provides free decryption tools for certain ransomware variants. Before concluding that payment is the only option, checking this resource is worthwhile.
If infection occurs in a business context, legal and regulatory considerations may also apply before any payment decision is made.
How to Protect Yourself
Maintain offline or separate backups. This is the single most effective protection. A backup that is not connected to the infected system (an external drive disconnected when not in use, or a cloud backup with versioning) allows recovery without paying. The backup needs to be tested periodically to confirm it actually works. A backup that fails at restoration time provides no protection.
Keep software updated. Operating systems, browsers, and applications should be updated promptly when security patches are released. Many significant ransomware outbreaks have exploited vulnerabilities that had patches available for weeks or months before the attack.
Be cautious with email attachments and links. Unexpected attachments, even from known contacts whose accounts may be compromised, should be treated with caution. Verify through a separate channel if something seems out of place. Hovering over links before clicking reveals the actual destination URL.
Use reputable security software. A current antivirus or endpoint protection tool provides some protection against known ransomware variants and can detect suspicious behavior (such as rapid mass file encryption) before the attack completes. It is not a complete defense but adds a meaningful layer.
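As an added illustration, not code from the original article, here is a small Python detector for the two behaviors described above: the shadow copy deletion attempt mentioned under "What Happens After Infection" and the rapid mass file renaming that endpoint tools flag as "rapid mass file encryption". The event log is constructed for the example; the event format, the 10-second window and the threshold of 20 renames are assumptions.

```python
import re
from collections import deque
from pathlib import PureWindowsPath

# Constructed sample log (not real telemetry): (seconds since start, event type, detail).
# PROC_START detail is a command line; FILE_RENAME detail is "old_path -> new_path".
SAMPLE_EVENTS = [(0.0, "PROC_START", "vssadmin.exe delete shadows /all")]
SAMPLE_EVENTS += [(1.0 + i * 0.2, "FILE_RENAME",
                   f"C:\\Users\\alice\\Documents\\file{i}.docx -> "
                   f"C:\\Users\\alice\\Documents\\file{i}.docx.locked")
                  for i in range(25)]
# A benign rename: the extension stays the same, so it must not count toward a burst.
SAMPLE_EVENTS.append((30.0, "FILE_RENAME",
                      "C:\\Users\\alice\\draft.docx -> C:\\Users\\alice\\final.docx"))

# Process command lines that try to remove Volume Shadow Copies (assumed signature).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def is_extension_swap(detail):
    """True when a rename changes the file's extension (e.g. .docx -> .docx.locked)."""
    old, _, new = detail.partition(" -> ")
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def detect(events, window_s=10.0, threshold=20):
    """Return alert strings for shadow copy deletion and for rename bursts.

    A burst is `threshold` or more extension-changing renames inside a sliding
    window of `window_s` seconds; it is reported once per run to avoid flooding.
    """
    alerts = []
    recent = deque()          # timestamps of extension-changing renames in the window
    burst_reported = False
    for ts, kind, detail in sorted(events):
        if kind == "PROC_START" and SHADOW_DELETE.search(detail):
            alerts.append(f"t={ts:.1f}s shadow-copy deletion attempt: {detail}")
        elif kind == "FILE_RENAME" and is_extension_swap(detail):
            recent.append(ts)
            while recent and ts - recent[0] > window_s:
                recent.popleft()   # drop renames that fell out of the window
            if len(recent) >= threshold and not burst_reported:
                alerts.append(f"t={ts:.1f}s {len(recent)} extension-changing renames "
                              f"within {window_s:.0f}s (possible mass encryption)")
                burst_reported = True
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

On the constructed log this raises two alerts: one for the shadow copy deletion and one when the twentieth extension-changing rename lands inside the window; the benign rename at the end is ignored.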
Disable or restrict Remote Desktop Protocol. If RDP is not needed, disable it. If it is required, restrict it to specific IP addresses and ensure it is protected with strong credentials and multi-factor authentication.
Enable ransomware protection in Windows. Windows Defender includes a Controlled Folder Access feature that restricts which applications can modify files in protected folders. It is disabled by default but worth enabling. It can be found under Windows Security, Virus and Threat Protection, Ransomware Protection.
Use a standard user account for daily tasks. Running as an administrator on a daily basis gives malware the same elevated permissions when it executes. Using a standard user account and elevating to an administrator account only when needed limits what malware can do.
What to Do If Infected
Disconnect from the network immediately. Ransomware often attempts to spread to other devices on the same network and to network-connected backups. Disconnecting the affected device from Wi-Fi, Ethernet, and any connected external drives limits the spread.
Identify the ransomware variant if possible. Upload a sample of the ransom note or an encrypted file to ID Ransomware (id-ransomware.malwarehunterteam.com). Identifying the specific variant tells you whether a free decryption tool exists.
Check No More Ransom. Visit nomoreransom.org to see if a decryption tool is available for the identified variant. New tools are added regularly as law enforcement operations disrupt ransomware groups.
Do not pay without exhausting other options. If backups are available, restore from them. If a free tool exists, use it. Payment should be a last resort after confirming no other recovery path is available.
Wipe and restore. If no decryption option is available and payment is not being made, wipe the system and restore from the most recent clean backup. This removes the malware entirely.
Report the incident. In most countries, ransomware attacks can be reported to the national cybersecurity authority or law enforcement. Reports contribute to intelligence on active ransomware groups and can help others.
Key Takeaways
Ransomware encrypts files and demands payment for the decryption key. Crypto ransomware is more common and damaging than locker ransomware.
Phishing emails and unpatched vulnerabilities are the most common infection vectors. Keeping software updated and treating unexpected email attachments with caution addresses both.
Offline or versioned backups are the most effective protection. A backup that is not accessible to the infected system cannot be encrypted by the ransomware.
Paying the ransom does not guarantee data recovery and funds further attacks. Check No More Ransom (nomoreransom.org) for free decryption tools before considering payment.
If infected, disconnect from the network immediately, identify the variant, and check for free decryption options before wiping and restoring from backup.
Conclusion
Ransomware is serious but not inevitable. The protective measures that matter most are also the simplest: regular backups stored separately from the main system, software kept current, and caution with unexpected email content. These three habits address the most common attack vectors and ensure that, if an attack succeeds, recovery is possible without paying.
Have a question about backing up your data or securing a specific device against ransomware? Leave it in the comments.