What Is Ransomware?
Ransomware is a type of malicious software that encrypts a victim's files or entire systems, then demands payment — typically in cryptocurrency — in exchange for the decryption key. It has evolved from a simple nuisance into a sophisticated criminal enterprise capable of crippling hospitals, pipelines, and government agencies.
Understanding how ransomware works is the first step toward defending against it effectively.
The Anatomy of a Ransomware Attack
Modern ransomware attacks rarely happen in a single step. They follow a deliberate, multi-stage process:
Stage 1: Initial Access
Attackers need a way in. The most common entry vectors include:
- Phishing emails — malicious attachments or links that trick users into running malware
- Exposed Remote Desktop Protocol (RDP) — brute-forced or credential-stuffed logins to internet-facing RDP servers
- Vulnerable public-facing software — unpatched VPNs, web servers, or applications
- Malicious ads (malvertising) — drive-by downloads from compromised ad networks
Stage 2: Persistence & Lateral Movement
Once inside, the attacker doesn't immediately encrypt files. Instead, they establish persistence (ensuring they can return if detected), escalate privileges, and move laterally across the network to reach as many systems as possible, with the domain controllers and backup servers as priority targets. Tools like Mimikatz are often used to harvest credentials and password hashes from the memory of the LSASS process, which is why the encryption, when it finally runs, is usually launched with domain administrator rights.
Stage 3: Data Exfiltration (Double Extortion)
Many modern ransomware groups now steal data before encrypting it. This is called double extortion: victims face two threats, encrypted files AND the public release of sensitive data if they don't pay. This tactic significantly increases pressure on victims, and it changes the defensive picture: good backups restore availability, but they do nothing about the leaked copy, so detecting large outbound transfers matters as much as detecting encryption.
Stage 4: Encryption
The ransomware payload deploys and begins encrypting files. The scheme is almost always hybrid: file contents are encrypted with a fast symmetric cipher such as AES (or ChaCha20), and the per-file or per-victim symmetric key is then encrypted with the attacker's RSA (or similar asymmetric) public key. The private key never leaves the attacker, which is what makes recovery without the ransom payment infeasible when the implementation is correct. Shadow copies and backups are often deleted first to prevent easy recovery. The encryption itself is fast, often faster than security tools can respond, and many families encrypt only the first part of each large file to finish before anyone notices.
Stage 5: Ransom Demand
A ransom note is displayed, providing payment instructions (usually a Tor-based website and a cryptocurrency wallet address). Modern ransomware groups operate like businesses — some even offer "customer support" to help victims pay.
Ransomware-as-a-Service (RaaS)
Today's ransomware landscape is dominated by Ransomware-as-a-Service models. Developers build and maintain the ransomware platform, then lease it to affiliates who conduct the actual attacks. Profits are split between the developer and the affiliate. This model has dramatically lowered the technical barrier to launching attacks.
Key Indicators of a Ransomware Infection
- Files suddenly have unusual extensions (e.g., .locked, .encrypted) appended to their original names
- Ransom note files (e.g., README.txt, HOW_TO_DECRYPT.html) appear in many directories at once
- Unusual spikes in disk I/O or CPU usage, and a burst of file renames from a single process
- Shadow copies deleted, visible in process-creation events (Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) whose command line contains vssadmin delete shadows or wmic shadowcopy delete
- Antivirus or security tools disabled, or Windows recovery options turned off (bcdedit ... recoveryenabled no)
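As an added example, not code from the original article, the following Python script turns the indicators above into checks that run over constructed sample data: a file listing and a few process-creation log lines shaped like Sysmon Event ID 1 / Security 4688 records. It goes a step past the list in two ways: a note filename counts as suspicious only when the same name appears in several directories (a lone README.txt is normal), and an entropy check flags encrypted content even when the family appends no extension. The extension list, note-name patterns and entropy threshold are assumptions to be tuned per environment.

```python
"""Triage helper for common ransomware indicators.

Added example (not code from the original article). It runs over constructed
sample data: a file listing and a few process-creation log lines shaped like
Sysmon Event ID 1 / Security 4688 records with command-line auditing enabled.
"""
import math
import re
from collections import Counter, defaultdict

# Extensions appended by many ransomware families. Assumption: a real deployment
# would pull this list from threat intelligence rather than hard-code it.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}

# Ransom-note filenames. README.txt is legitimate in one directory; the signal
# is the same note name dropped into many directories at once.
NOTE_NAME_RE = re.compile(
    r"(?i)^(readme|how[_ -]?to[_ -]?(decrypt|restore)|restore[_ -]?(my[_ -]?)?files|recover[_ -]?files)"
    r".*\.(txt|html?|hta)$"
)

# Command lines that destroy recovery points before encryption starts.
RECOVERY_TAMPER_RES = [
    re.compile(r"(?i)vssadmin(\.exe)?\s+delete\s+shadows"),
    re.compile(r"(?i)wmic(\.exe)?\s+shadowcopy\s+delete"),
    re.compile(r"(?i)bcdedit(\.exe)?\s.*recoveryenabled\s+no"),
    re.compile(r"(?i)wbadmin(\.exe)?\s+delete\s+catalog"),
]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8.0 for encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """High entropy flags encrypted content even when no extension was appended."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def suspicious_extension_paths(paths):
    """Paths whose final extension is on the suspicious list."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        dot = name.rfind(".")
        if dot != -1 and name[dot:].lower() in SUSPICIOUS_EXTENSIONS:
            hits.append(p)
    return hits


def ransom_note_names(paths, min_dirs=3):
    """Note-like filenames that appear in at least min_dirs distinct directories."""
    dirs_by_name = defaultdict(set)
    for p in paths:
        directory, _, name = p.replace("\\", "/").rpartition("/")
        if NOTE_NAME_RE.match(name):
            dirs_by_name[name.lower()].add(directory)
    return sorted(n for n, d in dirs_by_name.items() if len(d) >= min_dirs)


def recovery_tamper_events(lines):
    """Process-creation lines whose command line deletes shadow copies or disables recovery."""
    return [line for line in lines if any(r.search(line) for r in RECOVERY_TAMPER_RES)]


# Constructed sample data (not from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.locked",
    r"C:\Users\alice\Documents\HOW_TO_DECRYPT.html",
    r"C:\Users\alice\Pictures\holiday.jpg.locked",
    r"C:\Users\alice\Pictures\HOW_TO_DECRYPT.html",
    r"C:\Users\alice\Desktop\HOW_TO_DECRYPT.html",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Projects\tool\README.txt",  # one legitimate README: stays below min_dirs
]
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows"',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete"',
    'EventID=1 Image=C:\\Windows\\System32\\bcdedit.exe CommandLine="bcdedit /set {default} recoveryenabled no"',
    'EventID=1 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe CommandLine="firefox.exe"',
]

if __name__ == "__main__":
    print("suspicious extensions:", suspicious_extension_paths(SAMPLE_PATHS))
    print("ransom notes in 3+ directories:", ransom_note_names(SAMPLE_PATHS))
    print("recovery tampering:", recovery_tamper_events(SAMPLE_EVENTS))
    print("encrypted-looking sample:", looks_encrypted(bytes(range(256)) * 16))
```

Running the script on the constructed data reports the two .locked files, HOW_TO_DECRYPT.html (present in three directories, while the single README.txt is ignored), and the three tampering commands but not the benign vssadmin list shadows. In production the same checks would be fed by an EDR or SIEM export rather than hard-coded lists.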
How to Reduce Your Ransomware Risk
- Maintain offline or immutable, regularly tested backups following the 3-2-1 rule: 3 copies, 2 different media, 1 offsite. A backup that is writable from the compromised domain gets encrypted or deleted along with everything else.
- Patch aggressively — many ransomware campaigns exploit known, patched vulnerabilities
- Disable or restrict RDP — if RDP must be used, place it behind a VPN with MFA
- Train users on phishing — the human layer is often the weakest link
- Deploy Endpoint Detection & Response (EDR) — modern EDR tools can detect ransomware behavior before encryption completes
- Segment your network — limit lateral movement by isolating critical systems
Should You Pay the Ransom?
Law enforcement agencies generally advise against paying, as it funds criminal operations and doesn't guarantee you'll receive a working key. However, the decision depends on the specifics of each situation. Always consult with a cybersecurity incident response team before making this decision.
The best time to decide your ransomware response policy is before an attack happens — not during one.