Ransomware is the most financially damaging category of cyberattack in history. In 2025 alone, ransomware attacks caused an estimated $20 billion in damages globally — a figure that includes ransom payments, recovery costs, downtime, legal liability, and reputational damage. Attacks hit hospitals that had to turn away patients, schools that lost years of records, and businesses that never recovered.

Despite the scale of the problem, most people still do not have a clear picture of how ransomware actually works, how it gets in, or what to do if it hits. This guide covers all three — in plain English, without the technical jargon that makes most security writing inaccessible.

What ransomware actually is

Ransomware is malicious software that encrypts your files — making them completely inaccessible — and then demands payment in exchange for the decryption key that would restore access. The name comes from the ransom demand: pay us or your files stay locked forever.

Encryption is the same technology that protects your banking information and private messages. Implemented correctly, it cannot be broken in practice without the correct key. When ransomware encrypts your files, there is no technical workaround. Without the decryption key, the files are gone. The only options are: pay the ransom and hope the attackers provide a working key, restore from a backup, or accept the loss.

That is the fundamental leverage ransomware provides. It does not need to steal your password or compromise your server. It just needs to reach your files, encrypt them, and leave a note.

Modern ransomware groups do not just encrypt your files — they steal them first. Even if you restore from backup, attackers can threaten to publish your data publicly. Paying the ransom does not make this threat go away.

How ransomware gets in

Ransomware does not appear out of nowhere. It arrives through one of a small number of well-understood entry points. Understanding these is the starting point for preventing infection.

Phishing emails. The most common delivery method. An employee receives an email that appears to be from a legitimate source — a supplier invoice, a shipping notification, an HR document — and clicks a link or opens an attachment that executes the ransomware. Modern AI-generated phishing emails are increasingly indistinguishable from legitimate communications, which is why technical controls matter more than user awareness alone.

Exposed Remote Desktop Protocol. RDP allows remote access to Windows machines. Organizations that expose RDP directly to the internet without adequate protection — multi-factor authentication, network-level authentication, VPN requirements — are advertising an entry point to attackers who scan for exposed RDP constantly. Compromised RDP credentials are sold on dark web markets for as little as $10.

Unpatched vulnerabilities. Software vulnerabilities that allow attackers to execute code remotely are exploited rapidly after public disclosure. Organizations that delay patching — particularly internet-facing systems — provide attackers with known entry points. The Apache Struts vulnerability that led to the Equifax breach was patched two months before the attack. Equifax had not applied it.

Compromised credentials. Passwords stolen from previous breaches, purchased on dark web markets, or obtained through phishing are used to access corporate systems. Once inside with legitimate credentials, attackers can move laterally to high-value targets before deploying ransomware.

Malicious software downloads. Pirated software, fake software updates, and malicious browser extensions are a consistent delivery vector, particularly for consumer ransomware. If you downloaded software from an unofficial source recently, that is worth examining.

The ransomware attack chain

Modern ransomware attacks — particularly those targeting organizations rather than individuals — follow a predictable sequence. Understanding the chain reveals where defenders have opportunities to interrupt it.

HOW A RANSOMWARE ATTACK UNFOLDS

1. Initial access. Attacker gains entry through phishing, exposed RDP, or a vulnerability. This is often the fastest step — a single click on a phishing link is enough.
2. Persistence and reconnaissance. The attacker establishes a foothold and spends time mapping the network — identifying domain controllers, backup systems, and high-value data stores. This phase can last days or weeks undetected.
3. Lateral movement. Using stolen credentials and privilege escalation techniques, the attacker moves from the initial entry point to higher-value systems. The goal is Domain Admin — full control of the Windows environment.
4. Data exfiltration. Before deploying ransomware, modern groups steal sensitive data. This creates a second leverage point: even if you restore from backup, they can threaten to publish what they took.
5. Backup destruction. Sophisticated ransomware groups specifically target and destroy backup systems before deploying encryption. This is why offline backups are essential — they cannot be reached by an attacker with network access.
6. Encryption and ransom demand. The ransomware deploys across the network simultaneously, encrypting files on every reachable system. A ransom note appears with payment instructions and a deadline.
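Stage 6 is the one a defender can still catch in the act, because mass encryption looks unlike normal file activity: one process rewriting many user files in seconds, each with random-looking (high-entropy) contents, often renaming them to a new extension. The following Python script is an added example written for this article, not code from any product or group named on the page. It runs a simple version of that behavioral rule over constructed file-activity events; the process names, paths, extension and thresholds are all assumed for illustration.

```python
import math
from collections import defaultdict, deque

# Constructed telemetry for this example (not real EDR output).
# Event = (timestamp_seconds, process_name, path_written, first_bytes_written, renamed_from)
HIGH_ENTROPY = bytes(range(256)) * 4                     # every byte value equally frequent: 8.0 bits/byte
LOW_ENTROPY = b"Quarterly revenue summary, Q3. " * 32    # ordinary text: well under 5 bits/byte

SAMPLE_EVENTS = [
    # Normal editing: a word processor saves two text files
    (0.0, "WINWORD.EXE", "C:/Users/alice/Documents/report.txt", LOW_ENTROPY, None),
    (1.5, "WINWORD.EXE", "C:/Users/alice/Documents/budget.txt", LOW_ENTROPY, None),
    # A backup agent (hypothetical name) writing compressed archives is high-entropy too,
    # but touches too few files in the window to trip the burst rule
    (5.0, "backup_agent.exe", "D:/backups/set1.zip", HIGH_ENTROPY, None),
    (6.0, "backup_agent.exe", "D:/backups/set2.zip", HIGH_ENTROPY, None),
    (7.0, "backup_agent.exe", "D:/backups/set3.zip", HIGH_ENTROPY, None),
]
# Hypothetical unknown process overwriting one user file per second with random-looking
# bytes and renaming each to a new extension: the pattern of stage 6 of the chain above
for i, name in enumerate(["report", "budget", "contracts", "payroll", "clients", "plans"]):
    SAMPLE_EVENTS.append((10.0 + i, "unknown_tool.exe",
                          f"C:/Users/alice/Documents/{name}.txt.locked", HIGH_ENTROPY,
                          f"C:/Users/alice/Documents/{name}.txt"))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (ciphertext-like)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events, window=60.0, min_files=5, entropy_min=7.0):
    """Alert on any process that writes high-entropy content to at least `min_files`
    distinct files within `window` seconds. Returns one alert dict per process."""
    recent = defaultdict(deque)   # process -> deque of (ts, path, was_renamed)
    alerts, alerted = [], set()
    for ts, proc, path, data, renamed_from in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < entropy_min:
            continue                                   # plain text, skip
        q = recent[proc]
        q.append((ts, path, renamed_from is not None))
        while q and ts - q[0][0] > window:             # slide the window forward
            q.popleft()
        distinct_files = {p for _, p, _ in q}
        if len(distinct_files) >= min_files and proc not in alerted:
            alerts.append({
                "process": proc,
                "start": q[0][0],
                "end": ts,
                "files": len(distinct_files),
                "renames": sum(1 for _, _, r in q if r),
            })
            alerted.add(proc)                          # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS):
        print(f"ALERT {alert['process']}: {alert['files']} files rewritten with high-entropy "
              f"content in {alert['end'] - alert['start']:.0f}s ({alert['renames']} renamed)")
```

The alert fires on the fifth high-entropy write from the unknown process, roughly four seconds after it started, while the word processor and the backup agent stay quiet. The caveat a practitioner would add: compressed and already-encrypted formats (archives, media, office documents) are legitimately high-entropy, so real EDR products weigh several signals together (rename rate, deletion of shadow copies, canary files, process reputation) rather than entropy alone, and allowlist known backup and archiving tools.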

Real-world attacks — the scale of the problem

NOTABLE RANSOMWARE INCIDENTS

2021: Colonial Pipeline — $4.4M ransom paid. DarkSide ransomware shut down the largest fuel pipeline in the US, causing fuel shortages across the East Coast. The company paid $4.4 million. The FBI recovered most of it.
2021: Ireland's Health Service Executive — $0 paid, months of disruption. Conti ransomware hit Ireland's national health service. They refused to pay. Recovery took months and cost over €100 million. Hospitals reverted to paper records.
2023: MGM Resorts — $100M+ in losses. ALPHV/BlackCat ransomware was deployed after a social engineering attack. MGM refused to pay. Slot machines, hotel check-in systems, and digital room keys were offline for days.
2024: Change Healthcare — $22M ransom paid. The largest healthcare payment processor in the US was hit by ALPHV. Pharmacies across the US could not process prescriptions for weeks. The $22M ransom payment did not prevent data from being published.

How to protect yourself and your organization

Ransomware protection is not a single product or a single action. It is a set of overlapping controls that reduce the probability of infection and limit the damage if infection occurs. No control is perfect. The goal is making your organization a harder target than the next one.

PRIORITY 1 — CRITICAL
The 3-2-1 backup rule
3 copies of your data, on 2 different media types, with 1 copy offsite and offline. The offline copy is what attackers cannot reach. Test your backups regularly — an untested backup is not a backup.
PRIORITY 2 — CRITICAL
Patch everything, fast
Most ransomware exploits known vulnerabilities that have patches available. Enable automatic updates where possible. Prioritize internet-facing systems. A patched system cannot be exploited through a fixed vulnerability.
PRIORITY 3 — HIGH
Multi-factor authentication everywhere
MFA on email, VPN, RDP, and all remote access defeats attacks that rely on a stolen password alone: without the second factor, the password is useless. This single control closes a significant share of ransomware entry points.
PRIORITY 4 — HIGH
Disable or restrict RDP
If you do not need RDP accessible from the internet, disable it. If you do need it, require VPN first, enable Network Level Authentication, and monitor for brute force attempts.
PRIORITY 5 — HIGH
Email filtering and phishing training
Modern email security solutions filter malicious attachments and links before they reach users. No filter is perfect — pair technical controls with awareness training that focuses on process rather than visual detection.
PRIORITY 6 — MEDIUM
Endpoint Detection and Response
EDR solutions monitor endpoint behavior and can detect ransomware activity before encryption completes. More effective than traditional antivirus for catching novel ransomware variants that evade signature detection.
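Priority 1 ends with "an untested backup is not a backup", and stage 5 of the attack chain explains why: attackers go after backups first, and a backup that has been quietly corrupted or partially deleted only reveals itself when you try to restore. The script below is an added example for this article, not code from any backup product; it records a SHA-256 manifest of the source data and later checks a restored copy against it, reporting files that are missing, altered, or unexpected. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))            # lost in backup or restore
    extra = sorted(set(restored) - set(manifest))              # files nobody backed up
    mismatched = sorted(p for p in manifest
                        if p in restored and restored[p]["sha256"] != manifest[p]["sha256"])
    return {"missing": missing, "extra": extra, "mismatched": mismatched,
            "ok": not (missing or mismatched)}


def demo():
    """Constructed scenario: build a tiny source tree, back it up, damage the copy, verify."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "budget.csv").write_text("item,amount\nservers,1200\n")
        (src / "notes.txt").write_text("quarterly planning notes\n")

        manifest = build_manifest(src)
        # Keep the manifest with the offline copy, away from the network the backup
        # came from, so whoever tampers with the data cannot also rewrite the checksums.
        manifest_file = work / "manifest.json"
        manifest_file.write_text(json.dumps(manifest, indent=2))

        backup = work / "restore_test"
        shutil.copytree(src, backup)
        clean = verify_restore(json.loads(manifest_file.read_text()), backup)

        # Simulate silent corruption of one restored file and loss of another
        (backup / "finance" / "budget.csv").write_text("item,amount\nservers,9999\n")
        (backup / "notes.txt").unlink()
        damaged = verify_restore(json.loads(manifest_file.read_text()), backup)
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh restore ok:", clean["ok"])
    print("damaged restore:", json.dumps(damaged, indent=2))
```

Run the restore test on a schedule against the actual offline copy, never against the live data, and treat any "missing" or "mismatched" entry as an incident to investigate rather than a nuisance: a manifest mismatch discovered during a drill costs an afternoon; the same mismatch discovered during a ransomware recovery costs the business.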

If you get hit — what to do

Ransomware response is one area where the right actions in the first hour matter enormously. The wrong actions can make recovery significantly harder or more expensive.

NEVER DO THESE THINGS
Do not pay the ransom immediately. Contact law enforcement and a professional incident response firm first. Paying funds criminal operations, does not guarantee file recovery, and may violate sanctions regulations depending on the ransomware group involved.
Do not reboot infected systems. Some ransomware variants destroy encryption keys or cause additional damage on reboot. Isolate affected systems from the network without shutting them down if possible.
Do not connect backup drives to an infected network. Ransomware will encrypt anything it can reach. An online backup connected to an infected network becomes another victim.
Do not assume paying ends the problem. Modern ransomware groups maintain access and may re-encrypt after payment. The initial infection vector must be identified and closed before any recovery begins.

What to do immediately:
Isolate infected systems by disconnecting them from the network.
Contact your IT team or managed security provider.
Report to law enforcement — the FBI's IC3 at ic3.gov in the US.
Contact a professional incident response firm.
Preserve evidence — do not wipe systems before forensic examination.

Recovery options:
Restore from clean offline backups — the most reliable path if backups exist and are uncompromised.
Check for free decryptors — law enforcement operations regularly seize ransomware infrastructure and publish decryption keys. No More Ransom (nomoreransom.org) maintains a library of free decryptors for known ransomware variants.
Engage a professional recovery firm — some data recovery specialists can recover partially encrypted files in specific circumstances.

"The organizations that recover quickly from ransomware are not the ones with the best incident response — they are the ones with tested offline backups. Everything else is secondary."

The ransomware landscape in 2026

Ransomware has evolved significantly from the early days of generic mass-distributed infections. Today's ransomware is largely operated by organized criminal groups running what are effectively businesses — Ransomware-as-a-Service platforms where developers license their malware to affiliates who conduct the actual attacks.

AI is making the problem worse. AI-powered phishing campaigns generate more convincing lures at greater scale. AI tools are being used to identify and prioritize high-value targets. Ransomware code is being modified using AI to evade detection more effectively.

The groups operating at the top of this ecosystem — LockBit, ALPHV/BlackCat, Cl0p, and their successors — are sophisticated enough to rival corporate IT departments in capability and coordination. They have negotiators, technical support teams, and PR operations. They are businesses, and they are profitable.

The most important thing to understand about the current ransomware landscape is that no organization is too small to be targeted. Automated scanning identifies vulnerable systems regardless of the organization's size or visibility. Small businesses and local government are frequently targeted specifically because they are more likely to have weaker defenses and less ability to absorb the cost of extended downtime.

The defenses work. Organizations that implement the controls described in this article are significantly less likely to become victims and significantly more likely to recover quickly if they do. None of the controls are particularly expensive or technically complex. The gap between protected and unprotected is largely a question of prioritization and follow-through.