Ransomware Explained: How to Avoid Losing Everything

On a Tuesday morning in 2021, staff at a hospital in Ireland arrived at work to find every computer on the network locked. Patient records were inaccessible. Diagnostic equipment that relied on connected systems was offline. Surgeries were postponed. Chemotherapy appointments were canceled. The attackers demanded $20 million to restore access. The Irish Health Service Executive refused to pay — and spent the next four months and an estimated €100 million rebuilding its systems from scratch.

That incident — the HSE ransomware attack — is one of the most documented ransomware cases in history. But it is far from unique. Every day, hundreds of businesses, hospitals, schools, law firms, government agencies, and individuals discover that their files have been encrypted by software they did not install, controlled by people they have never met, who are demanding money they may not have.

Ransomware is the defining cybersecurity threat of the current era. It is also one of the most preventable — if you understand how it works, how it reaches its victims, and what specific defenses actually stop it. This guide covers all of that, in depth, with no jargon left unexplained and no critical detail omitted.

What Is Ransomware?

Ransomware is a category of malicious software — malware — that encrypts the victim’s files and demands a payment, typically in cryptocurrency, in exchange for the decryption key needed to restore access. From the victim’s perspective, the result is immediate and total: every document, database, photograph, spreadsheet, and backup stored on the encrypted system becomes unreadable. The files are still there — but without the decryption key, they are as useful as gibberish.

The name combines “ransom” — the payment demanded — with “software.” It is precisely what it sounds like: software that holds your data hostage.

What makes ransomware uniquely destructive compared to other malware categories is its combination of three properties:

  • Immediacy — the damage occurs in hours or minutes once the encryption process begins. Unlike a slow-acting credential stealer or espionage implant, ransomware creates an emergency that demands immediate attention and decision-making under pressure.
  • Completeness — effective ransomware encrypts everything accessible to the compromised system: local drives, mapped network drives, connected external storage, and in many cases, cloud-synced folders. There is nowhere for the data to hide once encryption begins.
  • Leverage — the attacker holds something of genuine value — your operational data — and the cost of not paying (permanent data loss and operational shutdown) is often large enough to make payment feel like the rational response. This is the economic model that has made ransomware one of the most profitable categories of cybercrime in history.

How Ransomware Has Evolved: A Brief History

The first documented ransomware attack occurred in 1989, when a biologist named Joseph Popp distributed 20,000 floppy disks labeled “AIDS Information” at a World Health Organization conference. The disks contained malware that, after 90 reboots, hid the victim’s file directories and demanded $189 sent by mail to a P.O. box in Panama. Popp was arrested and never prosecuted, having been deemed mentally unfit for trial.

For the next two decades, ransomware remained a relatively rare and unsophisticated attack type. Two developments changed everything.

The first was the widespread availability of strong public-key cryptography. Early ransomware used symmetric encryption — the same key encrypted and decrypted files — meaning the decryption key was often recoverable from the malware itself. Modern ransomware uses asymmetric encryption (typically RSA-2048 or higher), where the public key encrypts and a private key held only by the attacker decrypts. Without the private key, there is no recovery. The encryption is unbreakable with any currently available computational power.

The second was cryptocurrency. Before Bitcoin, ransomware operators faced a fundamental problem: collecting payment anonymously was nearly impossible. Bank transfers were traceable. Prepaid cards had limits and identifiability. Cryptocurrency enabled truly anonymous, instant, global, unrefundable payments that could be collected by attackers anywhere in the world from victims anywhere else — with no intermediary able to reverse or block the transaction.

The result of these two developments was a ransomware explosion. The FBI estimates that ransomware caused over $34 billion in losses in 2023 alone. The actual figure, accounting for unreported incidents, is almost certainly higher.

How Modern Ransomware Works: The Full Attack Chain

Understanding how a ransomware attack actually unfolds — from the first point of entry to the ransom note on your screen — is the foundation of understanding how to prevent it. Modern ransomware attacks follow a recognizable pattern, even though the specific tools and techniques vary between groups.

Stage 1: Initial access

Every ransomware attack begins with the attacker gaining a foothold in the target’s environment. The most common initial access methods, in rough order of prevalence, are:

Access method, how it works, and why it succeeds:

  • Phishing email. How it works: a malicious link or attachment is delivered by email; the victim clicks and either executes malware or enters credentials on a fake site. Why it succeeds: it targets human behavior rather than technical defenses, and personalized spear-phishing bypasses skepticism.
  • RDP exploitation. How it works: the attacker brute-forces or exploits vulnerabilities in Remote Desktop Protocol exposed to the internet. Why it succeeds: many organizations expose RDP directly without a VPN, and weak or default passwords are endemic.
  • Unpatched vulnerabilities. How it works: known software vulnerabilities in internet-facing systems are exploited before patches are applied. Why it succeeds: patch lag between vulnerability disclosure and deployment, and legacy systems that cannot be patched.
  • Credential theft / stuffing. How it works: previously stolen credentials are tested against VPN, email, or remote access systems. Why it succeeds: password reuse across accounts means one breach provides access to many systems.
  • Supply chain compromise. How it works: the attacker compromises a managed service provider, software vendor, or IT tool trusted by the target. Why it succeeds: legitimate, trusted access bypasses security controls designed to stop external threats.
  • Malvertising / drive-by download. How it works: visiting a compromised or malicious website automatically downloads and executes malware. Why it succeeds: it requires only a browser visit; in some exploit kit variants no user interaction beyond the page load is needed.

Stage 2: Reconnaissance and lateral movement

Here is the fact that surprises most victims when they learn it: the ransomware encryption event — the moment your files disappear and the ransom note appears — is almost never the beginning of the attack. It is the end of it.

Between gaining initial access and triggering the visible encryption, sophisticated ransomware operators spend days, weeks, or sometimes months inside the victim’s network. During this “dwell time,” they are:

  • Mapping the network — identifying all systems, servers, backup infrastructure, and high-value targets
  • Escalating privileges — moving from the initial low-privilege access point to administrator and domain administrator accounts that can reach everything
  • Moving laterally — deploying their tools to additional systems to maximize the scope of the eventual encryption event
  • Compromising backups — specifically targeting and either deleting, encrypting, or compromising the victim’s backup systems to eliminate the primary recovery option
  • Exfiltrating data — stealing copies of valuable data before the encryption begins, to be used as additional leverage in what is now called “double extortion”

This pre-encryption dwell period is why organizations that discover a ransomware attack and immediately restore from “recent” backups sometimes find themselves reinfected: the backup was taken during the attacker’s silent presence, and restoring from it restores the attacker’s tools along with the legitimate data.

Stage 3: Encryption

When the attacker determines that preparation is complete — backups are compromised, lateral movement has reached as many systems as possible, data exfiltration is done — they trigger the encryption event. This is typically done simultaneously across all compromised systems to maximize the damage before any detection and response can occur.

Modern ransomware encryption is optimized for speed. Operators know that every minute of encryption is a minute in which detection and response might interrupt the process. Tools like LockBit (which held the speed record among ransomware variants for a period) can encrypt hundreds of gigabytes per minute. By the time a victim sees the ransom note, hours of encryption may have already completed across every connected system.

The encryption process typically:

  • Targets specific file extensions associated with documents, databases, images, and backups while leaving operating system files intact (the system must remain functional enough to display the ransom note and communicate with the attacker)
  • Generates a unique symmetric key for the encryption, then encrypts that key with the attacker’s public RSA key — meaning decryption requires the attacker’s private RSA key
  • Deletes shadow copies (Windows’ built-in recovery mechanism) and other local recovery options
  • Drops a ransom note in every encrypted directory explaining how to contact the attacker and initiate payment
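Seen from the defender's side, each of these traits is observable. The following is an added example (not from the original article) of detection logic that flags three of them in an endpoint event feed: a burst of renames to one new extension by a process writing ciphertext-like data, an identical note file appearing in many directories, and shadow copy deletion. The event format, process IDs, paths and thresholds are constructed for illustration and would need tuning against real telemetry.

```python
"""Behavioural detection of the encryption stage over a constructed event feed."""
import math
from collections import defaultdict
from pathlib import PureWindowsPath

WINDOW_SECONDS = 60       # a rename burst must fit inside this window
RENAME_THRESHOLD = 20     # renames to one new extension by a single process
ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext is ~8.0, office files far lower
NOTE_DIR_THRESHOLD = 3    # same file name created in this many directories


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_ransomware(events):
    """Return alerts for the behaviours the encryption stage exhibits."""
    alerts = []
    renames = defaultdict(list)    # (pid, new extension) -> rename timestamps
    entropies = defaultdict(list)  # pid -> entropy of each write
    note_dirs = defaultdict(set)   # (pid, file name) -> directories it appeared in

    for ev in events:
        pid, op = ev["pid"], ev["op"]
        if op == "rename":
            renames[(pid, PureWindowsPath(ev["new_path"]).suffix)].append(ev["t"])
        elif op == "write":
            entropies[pid].append(shannon_entropy(ev["content"]))
        elif op == "create":
            p = PureWindowsPath(ev["path"])
            note_dirs[(pid, p.name)].add(str(p.parent))
        elif op == "process":
            # Rule 3: deleting shadow copies removes the local recovery option
            cmd = ev["cmdline"].lower()
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                alerts.append({"kind": "shadow_copy_deletion", "pid": pid})

    # Rule 1: many renames to one new extension inside the window by a process whose writes look like ciphertext
    for (pid, ext), times in renames.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= WINDOW_SECONDS:
                j += 1
            if j - i + 1 >= RENAME_THRESHOLD:
                written = entropies[pid]
                avg = sum(written) / len(written) if written else 0.0
                if avg >= ENTROPY_THRESHOLD:
                    alerts.append({"kind": "encryption_burst", "pid": pid, "extension": ext,
                                   "count": j - i + 1, "avg_entropy": round(avg, 2)})
                break

    # Rule 2: an identical file name dropped into many directories (ransom note pattern)
    for (pid, name), dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            alerts.append({"kind": "ransom_note_drop", "pid": pid,
                           "name": name, "directories": len(dirs)})
    return alerts


# Constructed sample feed (not real telemetry): pid 1001 is a user saving documents,
# pid 4242 behaves like the encryption stage described above.
CIPHERTEXT_LIKE = bytes(range(256)) * 16                 # entropy exactly 8.0
PLAINTEXT_LIKE = b"quarterly revenue by region\n" * 150  # ordinary document text


def sample_events():
    events = []
    for i in range(3):      # benign: a few ordinary saves, low entropy, no renames
        events.append({"t": 10.0 + i, "pid": 1001, "op": "write",
                       "path": f"C:\\Users\\ana\\Documents\\notes{i}.docx",
                       "content": PLAINTEXT_LIKE})
    for i in range(30):     # malicious: 30 files rewritten and renamed within 1.5 s
        d, t = f"C:\\Shares\\Finance\\dept{i % 4}", 100.0 + i * 0.05
        events.append({"t": t, "pid": 4242, "op": "write",
                       "path": f"{d}\\report{i}.xlsx", "content": CIPHERTEXT_LIKE})
        events.append({"t": t, "pid": 4242, "op": "rename", "path": f"{d}\\report{i}.xlsx",
                       "new_path": f"{d}\\report{i}.xlsx.locked"})
    for i in range(4):      # the same note name in every directory touched
        events.append({"t": 102.0, "pid": 4242, "op": "create",
                       "path": f"C:\\Shares\\Finance\\dept{i}\\README_RESTORE.txt"})
    events.append({"t": 103.0, "pid": 4242, "op": "process",
                   "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    return events
```

Running `detect_ransomware(sample_events())` yields one alert of each kind, all attributed to pid 4242; the benign editor process triggers nothing.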

Stage 4: Extortion

The ransom note provides instructions for contacting the attacker — typically through a Tor-based communication portal — and initiating payment. Modern ransomware operations run professionally: many have customer service-like portals, live chat support, negotiation capabilities, and even “satisfaction guarantees” that the decryption key will work.

Double extortion has become the dominant model: in addition to the encryption ransom, attackers threaten to publish the exfiltrated data on public leak sites if payment is not made. This creates pressure even for organizations with intact backups — you may be able to restore your systems, but the attacker still holds your customers’ data, your financial records, or your confidential business information.

Triple extortion adds a third lever: attackers contact the victim’s customers directly, threatening to expose their data unless the victim pays — or unless the customers themselves apply pressure on the victim to pay.

Ransomware-as-a-Service: The Business Model Behind the Attacks

One of the most important — and least understood — developments in the ransomware landscape is the professionalization of the criminal ecosystem through Ransomware-as-a-Service (RaaS). Understanding this model explains why ransomware attacks have become so numerous, so sophisticated, and so geographically distributed.

RaaS operates similarly to legitimate software-as-a-service businesses. A core development team — sometimes called a “cartel” — creates and maintains the ransomware platform: the encryption software, the ransom payment infrastructure, the negotiation portals, and the data leak sites. They then recruit “affiliates” — individuals or small teams with access to victims’ networks — and provide them with the ransomware toolkit in exchange for a percentage of every ransom paid, typically 20–30%.

The consequences of this model are significant:

  • Technical sophistication is no longer required to conduct ransomware attacks. An affiliate needs only the ability to gain initial access — a much lower bar — while the developer handles all the complex infrastructure.
  • The attack volume scales with the number of affiliates recruited, not with the developer’s own capacity.
  • Takedowns of specific RaaS operations — as happened with REvil, DarkSide, and Hive — disrupt but rarely eliminate the broader ecosystem, as developers reconstitute under new names and affiliates migrate to competing platforms.
  • The financial stakes for successful operations are enormous. LockBit, before its disruption, reportedly collected over $120 million in ransom payments and was responsible for thousands of attacks across dozens of countries.

The major RaaS groups that have dominated the threat landscape include LockBit, BlackCat (ALPHV), Cl0p, Royal, and Black Basta, though the landscape shifts regularly as law enforcement actions and internal disputes disrupt established groups and new ones emerge.

Who Gets Hit: Understanding Ransomware Targeting

A common misconception is that ransomware attacks are indiscriminate — automated tools sweeping the internet and attacking every vulnerable target they find. While opportunistic attacks of this kind do occur, the most damaging and most frequently reported incidents involve deliberate targeting by RaaS affiliates who have researched their victims and selected them based on specific criteria.

Targeting criteria that make an organization attractive to ransomware operators include:

  • Financial capacity to pay — attackers research victims’ revenue, insurance coverage, and financial health before setting ransom demands. Publicly available financial filings, LinkedIn job postings (which reveal technology stacks and team sizes), and dark web data broker services all inform this research.
  • Data sensitivity — organizations holding data that is particularly sensitive — patient records, legal case files, financial data, personal identifiable information — face higher double-extortion leverage because the consequences of public disclosure are more severe.
  • Operational dependency on data — organizations where operational continuity requires immediate data access (hospitals, manufacturers with just-in-time supply chains, financial institutions) face greater pressure to pay quickly.
  • Weak security posture — visible indicators of security weakness, including outdated software versions, exposed RDP, and known unpatched vulnerabilities, make organizations more attractive targets relative to the effort required to compromise them.

Small businesses are attacked both opportunistically (automated scanning finds a vulnerability and triggers an attack without specific targeting) and deliberately (an affiliate identifies a small business in a profitable sector with apparent security gaps and pursues it specifically). The assumption that small businesses are too small to be worth targeting is statistically false and dangerously comforting.

The Most Effective Ransomware Defenses

The good news — and it is genuine good news — is that the defenses against ransomware are well-understood, proven, and accessible to organizations of every size. The majority of successful ransomware attacks exploit vulnerabilities and behaviors that could have been addressed with controls that require no advanced security expertise to implement.

Defense 1: The 3-2-1 backup strategy (most critical single control)

If one defense deserves to be called the ransomware antidote, it is an offline backup strategy that ransomware cannot reach. A backup that ransomware cannot encrypt cannot be used as leverage. A backup you can restore from eliminates the data loss component of the attack — reducing a potentially existential event to a disruptive but survivable operational recovery.

The 3-2-1 backup rule provides the framework:

  • 3 — maintain three copies of your data: the primary data and two backups
  • 2 — store those copies on two different media types (local NAS and cloud, for example) to protect against media failure
  • 1 — keep at least one copy completely offline or air-gapped — physically disconnected from any network, including the internet and the local network. This copy cannot be reached by ransomware regardless of how deeply the attacker has compromised the network.

Critical backup rules that organizations frequently miss:

  • Test your backups regularly. A backup you cannot restore from is not a backup — it is a false sense of security. Monthly restoration tests from backup should be standard practice, with the results documented.
  • Maintain multiple backup generations. A single backup snapshot taken recently may have been taken during an undetected attacker dwell period. Multiple generations of backups going back weeks or months provide options for restoration before the compromise occurred.
  • Protect backup credentials separately. The account used to manage backups should have different credentials from any account on the primary network. Attackers who compromise administrative accounts specifically look for backup management credentials to use in destroying recovery options.
  • Use immutable backup storage. Cloud backup services that offer immutable (write-once, cannot-be-modified) storage prevent attackers from encrypting or deleting backup data even if they obtain the storage account credentials.
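The rules above combine into a simple decision procedure. This added example (not the article's own tooling) models a backup set with media types and tiers, checks 3-2-1 compliance, runs a restore test against each snapshot's recorded manifest, and selects the newest tested generation that both predates the estimated intrusion and sits on a tier the attacker could not reach. Snapshot dates, file contents, tier names and the manifest format are constructed for illustration.

```python
"""Restore-point selection and restore testing for a 3-2-1 backup set (added example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

UNREACHABLE_TIERS = {"immutable", "offline"}  # copies a network intruder cannot alter


@dataclass
class Snapshot:
    taken: datetime
    media: str      # "nas", "cloud", "tape", ... (the "2" in 3-2-1)
    tier: str       # "online", "immutable" or "offline" (the "1")
    manifest: dict  # path -> SHA-256 hex recorded when the backup was written
    restored: dict  # path -> bytes that a test restore actually produced


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_321(snapshots):
    """Return the 3-2-1 rule violations for a backup set (empty list means compliant)."""
    problems = []
    if len(snapshots) < 2:  # primary data plus two backups makes three copies
        problems.append("fewer than two backup copies")
    if len({s.media for s in snapshots}) < 2:
        problems.append("all copies on one media type")
    if not any(s.tier == "offline" for s in snapshots):
        problems.append("no offline copy")
    return problems


def restore_test(snap):
    """Compare what a test restore produced against the manifest; return the failures."""
    failures = []
    for path, digest in snap.manifest.items():
        data = snap.restored.get(path)
        if data is None:
            failures.append(f"{path}: missing from restore")
        elif sha256(data) != digest:
            failures.append(f"{path}: content does not match manifest")
    return failures


def choose_restore_point(snapshots, intrusion_start):
    """Newest snapshot that predates the attacker's estimated first access, sits on a
    tier the attacker could not reach, and passes a restore test; None if there is none."""
    candidates = [s for s in snapshots
                  if s.taken < intrusion_start and s.tier in UNREACHABLE_TIERS]
    for snap in sorted(candidates, key=lambda s: s.taken, reverse=True):
        if not restore_test(snap):
            return snap
    return None


# Constructed backup set (not real data). The intruder is estimated to have had access
# since day 12; the day-21 online copy was encrypted in place during the dwell period.
DAY0 = datetime(2024, 3, 1)
GOOD = {"ledger.db": b"account,balance\n1001,250.00\n", "policy.pdf": b"%PDF-1.7 sample"}
GOOD_MANIFEST = {p: sha256(b) for p, b in GOOD.items()}
INTRUSION_START = DAY0 + timedelta(days=12)


def sample_backups():
    encrypted = {p: bytes(range(256)) * 4 for p in GOOD}            # ciphertext-like garbage
    partial = {p: b for p, b in GOOD.items() if p != "policy.pdf"}  # one file never restored
    return [
        Snapshot(DAY0, "tape", "offline", GOOD_MANIFEST, dict(GOOD)),
        Snapshot(DAY0 + timedelta(days=7), "cloud", "immutable", GOOD_MANIFEST, dict(GOOD)),
        Snapshot(DAY0 + timedelta(days=10), "cloud", "immutable", GOOD_MANIFEST, partial),
        Snapshot(DAY0 + timedelta(days=14), "nas", "online", GOOD_MANIFEST, dict(GOOD)),
        Snapshot(DAY0 + timedelta(days=21), "nas", "online", GOOD_MANIFEST, encrypted),
    ]
```

With this set, the day-10 immutable copy is skipped because its restore test fails, and the day-7 immutable copy is chosen; the day-14 copy is newer and intact but sits online, where an intruder with the backup credentials could have altered it.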

Defense 2: Patch management — close the doors they walk through

A significant percentage of ransomware attacks exploit known vulnerabilities for which patches are available at the time of the attack. The interval between vulnerability disclosure and patch deployment is the most dangerous period for any organization — and the longer that interval, the higher the risk.

Effective patch management for ransomware defense means:

  • Critical security patches applied within 24–48 hours of release — not scheduled for the next quarterly maintenance window
  • Internet-facing systems (VPN appliances, firewalls, remote access gateways, web servers) patched first, as they are the most directly exposed to exploitation
  • An accurate asset inventory so that no system is missed in patching cycles — unmanaged devices and forgotten legacy systems are common exploitation points
  • End-of-life systems that can no longer receive security patches either replaced or isolated from the broader network, as they represent permanently open vulnerabilities

Defense 3: Eliminate or harden exposed remote access

Exposed Remote Desktop Protocol (RDP) is one of the most exploited initial access vectors in ransomware attacks. The combination of its ubiquity (nearly every Windows system has it enabled by default), its direct internet exposure in many organizations, and the weakness of the passwords protecting it makes it an extraordinarily productive hunting ground for ransomware affiliates, who use automated scanning tools to identify exposed RDP at scale.

  • Disable RDP entirely on any system that does not genuinely require it for business purposes
  • Where RDP is necessary, place it behind a VPN — the VPN acts as an authentication layer that must be passed before the RDP service is even reachable
  • Enable Network Level Authentication (NLA) on all RDP connections to require credential verification before a session is established
  • Implement account lockout policies that temporarily lock accounts after a defined number of failed login attempts, making brute force attacks against RDP impractical
  • Consider changing the default RDP port (3389). A non-default port is not a security control on its own, but it does filter out the opportunistic automated scanning that targets port 3389 exclusively

Defense 4: Multi-factor authentication on everything

Multi-factor authentication (MFA) is the single most effective control against credential-based initial access — which encompasses phishing, credential stuffing, brute force, and password spraying, collectively representing the majority of ransomware entry points. An attacker who has obtained valid credentials through any of these methods cannot use them to access an MFA-protected system without also possessing the second factor.

MFA must be implemented on:

  • Email accounts — the most valuable target for phishing and the recovery mechanism for every other account
  • VPN and remote access — any path into the corporate network from outside the perimeter
  • Administrative accounts — domain administrators, local administrators, and any privileged account with the ability to reach backup systems, deploy software, or modify security configurations
  • Cloud services — Microsoft 365, Google Workspace, AWS, Azure, and any SaaS platform with access to business data
  • Backup management interfaces — specifically because attackers target backup access to disable recovery options

Authenticator app-based MFA (TOTP) is significantly more resistant to phishing than SMS-based MFA — attackers can intercept SMS codes through SIM swapping or real-time phishing proxies. Hardware security keys (FIDO2/WebAuthn) are phishing-resistant by design and represent the strongest available MFA for the highest-privilege accounts.
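The phishing-resistance difference comes down to what the second factor is bound to. This added example (not from the article) models a relying party, a TOTP authenticator and a security key: a one-time code typed on a look-alike page verifies when forwarded within the same time step, because nothing in the code records where it was entered, while an assertion signed over the origin the browser actually saw is rejected. The origins and seeds are hypothetical, and an HMAC with a per-user key stands in for the WebAuthn public-key signature so the example runs with the standard library only.

```python
"""Relay resistance of TOTP versus an origin-bound assertion (added example)."""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example"            # hypothetical relying party
LOOKALIKE_ORIGIN = "https://login-example.test"  # hypothetical page the victim actually reached


def totp(seed: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for one 30-second time step (RFC 4226 HMAC-SHA1 truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class RelyingParty:
    """The real site: holds a TOTP seed and an origin-bound credential key per user."""

    def __init__(self, origin):
        self.origin = origin
        self.totp_seed = {}
        self.credential_key = {}

    def verify_totp(self, user, code, step):
        # Nothing in a TOTP code records where it was typed, so a code collected on a
        # look-alike page and forwarded inside the same time step verifies normally.
        return hmac.compare_digest(totp(self.totp_seed[user], step), code)

    def verify_assertion(self, user, challenge, client_origin, tag):
        # WebAuthn order of checks: the origin the browser recorded must be ours, and the
        # signature must cover both challenge and origin. An HMAC stands in for the
        # public-key signature here.
        if client_origin != self.origin:
            return False
        expected = hmac.new(self.credential_key[user], challenge + client_origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Authenticator:
    """Security key model: signs the challenge together with the origin the browser saw.
    (Real keys also scope credentials to the RP ID, so a look-alike gets no credential.)"""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, origin_seen):
        tag = hmac.new(self.key, challenge + origin_seen.encode(), hashlib.sha256).digest()
        return origin_seen, tag


def relayed_totp_accepted(rp, user, seed, step):
    """Code typed on the look-alike page and forwarded unchanged within the same step."""
    return rp.verify_totp(user, totp(seed, step), step)


def relayed_assertion_accepted(rp, user, authenticator, challenge):
    """The real challenge is forwarded, but the key signs over the origin it actually sees.
    Passing that origin on honestly fails the origin check; claiming the real origin fails
    the signature check. Either way the relying party rejects."""
    origin_seen, tag = authenticator.sign(challenge, LOOKALIKE_ORIGIN)
    return (rp.verify_assertion(user, challenge, origin_seen, tag)
            or rp.verify_assertion(user, challenge, rp.origin, tag))


def genuine_assertion_accepted(rp, user, authenticator, challenge):
    origin_seen, tag = authenticator.sign(challenge, rp.origin)
    return rp.verify_assertion(user, challenge, origin_seen, tag)


def setup():
    """Enrol one user with both factors. Seeds are constructed, not real credentials."""
    rp = RelyingParty(REAL_ORIGIN)
    seed, key = b"12345678901234567890", secrets.token_bytes(32)
    rp.totp_seed["ana"] = seed
    rp.credential_key["ana"] = key
    return rp, seed, Authenticator(key)
```

The TOTP seed is the RFC 4226 test-vector secret, so `totp(seed, 1)` gives the published value 287082; the same property that makes the code verify for the genuine user makes it verify when relayed.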

What to Do If You Are Hit by Ransomware

Despite best efforts, ransomware attacks succeed. If you discover your organization has been hit, the actions you take in the first hours — and those you avoid — have an enormous impact on the outcome.

Immediate actions (first 30 minutes)

  • Do not turn off affected machines. Ransomware encryption processes often generate recoverable data in volatile memory that is lost permanently on shutdown. A forensic investigator may be able to extract the encryption key from RAM — but only if the machine is still running.
  • Isolate affected systems from the network. Disconnect ethernet cables and disable Wi-Fi on affected machines to prevent the ransomware from spreading to additional systems. This does not require shutting the machines down.
  • Do not try to decrypt files yourself. Amateur decryption attempts frequently corrupt files, making them unrecoverable even if you later obtain a legitimate decryption key.
  • Photograph the ransom note. The ransom note contains information about the specific ransomware variant, the attacker’s contact portal, and often a victim ID needed to communicate with the attacker. Preserve this information before doing anything that might affect the screen.
  • Check for free decryption tools before considering payment. The website nomoreransom.org — a collaboration between law enforcement agencies and security vendors — hosts free decryption tools for dozens of ransomware variants. Before any discussion of payment, check whether a free decryptor exists for the specific variant you have been hit with.

Engage professional help before making payment decisions

  • Contact your cyber insurer immediately — most policies provide access to incident response firms, ransom negotiators, and legal counsel as covered services
  • Engage a professional incident response firm — they have experience with specific ransomware groups, know which are likely to honor payment and provide working decryptors, and can negotiate demands down by 30–70% in many cases
  • Have legal counsel assess OFAC sanctions risk before any payment — paying a sanctioned ransomware group may constitute a federal crime regardless of the circumstances
  • Report to the FBI (IC3.gov) — law enforcement agencies have intelligence on specific groups, can assist in cryptocurrency tracing, and may have access to decryption tools from disrupted operations

Ransomware Myths That Put Organizations at Risk

Dangerous misconceptions about ransomware are widespread — in boardrooms, among employees, and even in some media coverage. These myths lead organizations to make decisions that increase their risk or worsen their outcomes when an attack occurs.

Myth 1: “We’re too small to be targeted”

This is the most common and most dangerous ransomware myth. Small businesses represent the majority of ransomware victims by volume. They are attractive precisely because they typically have less mature security programs, smaller IT teams, and less incident response preparedness than larger organizations — while still holding data with genuine monetary value (customer records, financial data, intellectual property) and facing genuine business continuity pressure that creates payment incentive. Ransomware affiliates actively seek out small businesses as targets. Being small provides no protection.

Myth 2: “Our antivirus will catch it”

Traditional antivirus software misses a significant percentage of modern ransomware. Ransomware operators specifically test their tools against leading antivirus products before deployment and regularly modify their code to evade signature-based detection. Antivirus is a necessary but completely insufficient defense against ransomware. EDR, behavioral monitoring, MFA, segmentation, and offline backups are required to meaningfully reduce ransomware risk.

Myth 3: “We can just restore from backup”

Backup restoration is the correct strategy — but only if the backups are intact, offline, recent, and tested. Ransomware operators specifically target backup systems during the dwell period before triggering encryption. Cloud-synced backups are frequently encrypted along with primary data. Backup systems connected to the main network are accessible and corruptible. An untested backup may fail to restore. “We have backups” is not a ransomware defense — “we have offline, tested, recent, verified backups that ransomware cannot reach” is.

Myth 4: “Paying the ransom solves the problem”

Payment delivers a decryption key — in most cases, after negotiation and processing, though 20–25% of payments do not result in working decryptors. But payment does not address the underlying compromise. The attacker still has access to whatever data was exfiltrated. The initial access vulnerability they used to enter the network is likely still open. The attacker’s tools may still be present on systems that were not encrypted. Payment restores data access; it does not restore security.

Building a Ransomware-Resilient Organization: Priority Checklist

Translating the defenses discussed in this guide into an actionable priority list helps organizations with limited security resources focus on the controls with the highest impact. Work through this list in order — each item addresses a documented ransomware attack vector and its completion meaningfully reduces overall ransomware risk.

Week 1 — Foundations

  • Implement offline backup following the 3-2-1 rule and test restoration from backup
  • Enable MFA on email, VPN, and all administrative accounts — prioritize these above all other MFA deployments
  • Audit and restrict RDP exposure — disable it where not needed, place it behind VPN where it is
  • Apply all outstanding critical security patches, starting with internet-facing systems

Month 1 — Core Controls

  • Deploy EDR on all workstations and servers — replace or supplement traditional antivirus with behavioral detection
  • Review and reduce privileged account scope — audit who has administrator rights and remove where not genuinely required
  • Conduct phishing simulation training and establish a clear incident reporting process
  • Review network segmentation — at minimum, ensure backup infrastructure is isolated from general network traffic

Ongoing — Sustained Resilience

  • Maintain and verify offline backups monthly — test restoration quarterly
  • Establish a patch management cadence — critical patches within 48 hours, all patches within 30 days
  • Run phishing simulations quarterly and update training to reflect current active campaigns
  • Develop and annually test an incident response plan that specifically addresses ransomware scenarios
  • Review cyber insurance coverage annually — ensure coverage includes ransomware, incident response costs, and legal and notification expenses

The Bottom Line

Ransomware is not going away. The criminal ecosystem supporting it is financially sophisticated, organizationally mature, and continuously adapting to defensive improvements. The RaaS model ensures that attack volume remains high even as specific groups are disrupted. And the fundamental economics of the attack — low cost to execute, high potential return, difficult to attribute — remain in the attacker’s favor.

What has changed is our collective understanding of how to defend against it. The controls that prevent ransomware attacks are not exotic or expensive. Offline backups, multi-factor authentication, patched software, restricted remote access, network segmentation, endpoint behavioral detection, and trained employees collectively address the majority of documented ransomware attack vectors. Organizations that implement these controls consistently are not immune to ransomware — but they are dramatically less likely to lose everything to it.

The hospitals that have paid millions in ransoms, the municipalities that have spent years recovering from ransomware attacks, and the small businesses that never reopened after a ransomware incident share a common factor: the defenses that would have prevented or contained the attack were available, proven, and could have been implemented for far less than the cost of the incident they suffered.

Do not wait for the ransom note to appear on your screen. The time to build ransomware resilience is before the attack — not during it, and certainly not after.

Disclaimer: This article is for informational and educational purposes only. Ransomware threats, tools, and actor behaviors evolve continuously — information provided reflects the threat landscape as of the publication date. This guide does not constitute legal or professional cybersecurity advice. For specific incident response guidance, engage qualified cybersecurity professionals and legal counsel.
