10 min read

Imagine arriving at the office on a Monday morning, opening your laptop, and discovering that every file on your system has been replaced with a message saying, “Your data has been encrypted. Pay $30,000 in Bitcoin within 72 hours or lose everything.” This is not just a hypothetical scenario. It happens to thousands of businesses every month, from small family-owned companies to large hospital networks and global manufacturers.
This type of cyberattack is known as ransomware. In simple terms, ransomware is a form of malware that prevents victims from accessing their data by encrypting files or locking entire systems until a ransom is paid.
Modern ransomware attacks have become even more dangerous because many variants now steal sensitive information before encrypting the system, putting victims at risk of both data loss and data exposure even if backups are available.
This article explains what is ransomware, how ransomware attacks work, the common ways hackers target victims, and the most effective strategies to prevent ransomware attacks before they cause damage.
What is ransomware?Link to heading

Ransomware is a form of malware designed to lock a victim's data or device and hold it hostage until a ransom is paid. If the victim refuses, or fails to pay in time, the attacker may keep the system locked indefinitely, or follow through on further threats.
Early ransomware attacks were relatively straightforward: the attacker encrypted the victim's files and demanded payment in exchange for the decryption key. At that stage, organisations with solid backup habits could often recover their data without paying anything, keeping the financial damage to a minimum.
That approach no longer guarantees safety. In recent years, ransomware attacks have grown significantly more aggressive, with double-extortion and triple-extortion techniques now commonplace. These methods put even well-prepared victims in a difficult position.
Double-extortion attacks go beyond encryption, the attacker also steals a copy of the victim's data before locking it, then threatens to release it publicly if the ransom is not paid. Triple-extortion takes this a step further, using that stolen data as a weapon against the victim's customers or business partners, widening the blast radius of a single attack considerably.
Types of ransomwareLink to heading
To fully understand what is ransomware, it helps to know that it does not come in a single form. Ransomware broadly falls into two categories. The first and most prevalent is encrypting ransomware, also known as crypto ransomware. This variant works by scrambling the victim's files with an encryption algorithm, making them completely unreadable without the corresponding decryption key, which the attacker only provides upon payment.
The second category is non-encrypting ransomware, sometimes called screen-locking ransomware. Rather than targeting individual files, it seizes control of the entire device by blocking access to the operating system. The victim is met with a ransom demand screen instead of their normal desktop, effectively rendering the device unusable.
Within these two broad categories, several more specific subtypes exist:
Leakware or doxwareLink to heading

Leakware, also referred to as doxware, is ransomware built around the threat of public exposure. It exfiltrates sensitive data from the victim's systems and threatens to publish it unless payment is made. While older versions of leakware focused purely on theft without encrypting anything, most modern variants now combine both tactics: stealing the data and encrypting it simultaneously to maximise pressure on the victim.
Mobile ransomwareLink to heading
Mobile ransomware covers any ransomware that targets smartphones and tablets. For users researching what is ransomware, mobile ransomware is one of the fastest-growing threats affecting Android and mobile devices worldwide. It typically arrives through malicious applications or drive-by downloads from compromised websites.
The majority of mobile ransomware is of the screen-locking variety rather than the encrypting kind, and there is a practical reason for this.
Most mobile devices automatically back up data to the cloud, which makes file encryption far easier for victims to reverse. Locking the screen, on the other hand, renders the device immediately unusable regardless of whether a backup exists.
WipersLink to heading
Wipers, sometimes categorised as destructive ransomware, do not just threaten to destroy data, they follow through. In a standard wiper attack, the attacker destroys the victim's data if the ransom is not paid. In more extreme cases, the data is destroyed even after payment is made, meaning there was never any intention to restore access.
This latter behaviour is more commonly associated with nation-state actors and hacktivists pursuing disruption rather than financial gain.
ScarewareLink to heading
Scareware relies on fear and social engineering rather than genuine technical damage, at least initially. It may present itself as an official warning from a law enforcement agency, falsely accusing the victim of illegal activity and demanding an immediate fine. Alternatively, it might mimic a legitimate antivirus alert, tricking the user into purchasing fake security software that is actually ransomware in disguise.
In some cases, the scareware is itself the ransomware: it locks the device or encrypts files while displaying the threatening message. In others, it acts as a delivery mechanism, frightening the victim into downloading a separate ransomware payload that then carries out the actual attack.
How ransomware infects a system or deviceLink to heading

Understanding what is ransomware also means understanding how it finds its way onto a device in the first place. Ransomware does not rely on a single method to reach its victims. Attackers have developed a wide range of entry points, known as infection vectors, to compromise networks and devices. The most widely used include the following.
Phishing and other social engineering attacksLink to heading
Social engineering remains one of the most effective ways to deploy ransomware because it exploits human behaviour rather than technical weaknesses. In a typical phishing attack, the victim receives an email containing a malicious file disguised as something routine, a PDF invoice, a Word document, or a spreadsheet. Opening the attachment executes the ransomware without the victim realising anything has gone wrong.
Social engineering attacks are not limited to email. Attackers also direct victims to malicious websites or use fraudulent QR codes that, once scanned, silently push ransomware through the victim's browser.
Operating system and software vulnerabilitiesLink to heading
Unpatched software gives attackers a direct path into a system. Cybercriminals actively scan for known weaknesses in operating systems and applications, then inject malicious code before the affected organisation has had a chance to apply a fix.
Zero-day vulnerabilities, flaws that are either unknown to the security community or discovered but not yet patched, present a particularly serious risk. Some ransomware groups purchase intelligence on these vulnerabilities from other hackers specifically to plan their next campaigns. Even vulnerabilities that have already been patched continue to serve as viable attack vectors against organisations that are slow to update their systems.
To fully understand what is ransomware and why it spreads so effectively, it helps to recognise that attackers do not need to develop new techniques when outdated software hands them a ready-made entry point. Keeping systems current is not just a maintenance task, it is one of the most direct ways to close the doors that ransomware operators rely on most.
Credential theftLink to heading

Gaining access through legitimate credentials is one of the cleanest ways for an attacker to move through a network undetected. Cybercriminals obtain valid login details through several methods: stealing them directly, purchasing stolen credential databases on dark web marketplaces, or running brute-force attacks that systematically guess weak passwords.
Once inside, the attacker logs in as a trusted user and deploys ransomware without triggering the same alarms that a conventional intrusion might. Remote Desktop Protocol (RDP), Microsoft's built-in tool for remotely accessing computers, is a particularly attractive target for this approach, as misconfigured or poorly secured RDP connections are widespread across corporate environments.
This is one reason why knowing what is ransomware and how it spreads through credential abuse is especially important for businesses that rely on remote access tools.
Other malwareLink to heading
Ransomware is frequently the final payload in a multi-stage attack, delivered to a device by malware that was originally built for a completely different purpose. A well-documented example is the Trickbot Trojan, which was initially developed to steal online banking credentials. Threat actors later repurposed it as a delivery mechanism for the Conti ransomware, using it to spread infections across compromised networks throughout 2021.
Drive-by downloadsLink to heading
Not every ransomware infection requires the victim to click on anything suspicious. Drive-by downloads occur when a user simply visits a compromised website, and an exploit kit silently scans their browser for vulnerabilities. If a weakness is found, ransomware is injected onto the device in the background with no visible action required from the user.
Malvertising follows a similar principle. In this case, attackers compromise legitimate digital advertising networks and embed malicious code within the ads themselves. Anyone who still wonders what is ransomware capable of in practice need only look at malvertising: the ransomware can reach a device even if the user never clicks the advertisement, simply loading the page is enough.
Ransomware as a serviceLink to heading

Not every attacker who deploys ransomware has the technical ability to build it. The ransomware-as-a-service (RaaS) model addresses this by allowing criminal developers to lease or license their malware to other cybercriminals, referred to as affiliates. The affiliate uses the ransomware code to carry out attacks independently, then splits any ransom collected with the developer.
The arrangement works in both parties' favour. Affiliates gain access to sophisticated tools without needing to write a single line of code, while developers expand their reach and revenue without personally conducting more attacks.
RaaS operations are actively marketed. Some groups sell access through dark web marketplaces, while others run organised recruitment drives through online forums, investing heavily in attracting skilled affiliates to grow their operations.
Stages of a ransomware attackLink to heading
A ransomware attack rarely happens in a single moment. It unfolds across a series of deliberate stages, each one building on the last.
Stage 1: Initial accessLink to heading
The attack begins when the threat actor finds a way into the target environment. For businesses trying to understand what is ransomware, this is one of the most critical stages because it determines how the infection first enters the network. The most common entry points include phishing emails, unpatched software vulnerabilities, and the abuse of remote access protocols such as RDP.
Regardless of the method used, the objective at this stage is simple: gain an initial foothold inside the system that can later be used to launch a larger attack.
Stage 2: Post-exploitationLink to heading
Once inside, the attacker works to solidify their position before doing anything that might trigger an alert. Depending on how initial access was achieved, this often involves deploying a remote access tool (RAT) or another piece of intermediary malware. These tools give the attacker persistent, reliable access to the compromised system and lay the groundwork for deeper infiltration.
Stage 3: Understand and expandLink to heading
With a stable presence inside the network, the attacker begins reconnaissance. They map the local environment, identify connected devices, review user permissions, and analyze domain structures. This information allows them to move laterally through the network and compromise additional systems beyond the original entry point.
The more systems attackers can access during this stage, the greater the potential damage becomes. For organisations learning what is ransomware, understanding lateral movement is essential because a single compromised device can quickly lead to a widespread network infection.
Stage 4: Data collection and exfiltrationLink to heading

Before any encryption takes place, the attacker identifies the most valuable data on the network and quietly copies it. This exfiltration step, downloading or exporting a clean copy of the target data to an attacker-controlled location, is what enables double-extortion later in the attack.
While attackers will take whatever they can access, they tend to prioritise data that carries the highest leverage: login credentials, customers' personally identifiable information, financial records, and proprietary intellectual property. Having this data in hand gives the attacker a second threat to hold over the victim even if the encryption itself can be reversed.
Stage 5: Deployment and sending the ransom noteLink to heading
With exfiltration complete, the attacker triggers the ransomware payload. Encrypting ransomware begins systematically identifying and locking files across the compromised system.
To prevent the victim from simply restoring a clean copy of their data, many modern variants also target backups, disabling system restore features, deleting local backup copies, or encrypting them alongside everything else. The message is deliberate: there is no easy way out.
Non-encrypting ransomware takes a different approach, locking the device's screen, bombarding the victim with pop-ups, or otherwise making the system completely unusable without touching individual files.
Once the damage is done, the ransomware makes itself known. The victim typically discovers the infection through a text file placed on the desktop or a pop-up window that appears in place of their normal screen. The ransom note spells out exactly what has happened, how much is owed, and how to pay, almost always in cryptocurrency or another method designed to keep the transaction untraceable.
Payment, the note promises, will be exchanged for a decryption key or the restoration of normal access. For anyone researching what is ransomware, this final stage clearly shows why ransomware remains one of the most damaging cyber threats facing businesses today.
Notable ransomware variantsLink to heading
Cybersecurity researchers have identified thousands of distinct ransomware strains, each with its own code signature, behaviour, and method of attack. Among them, a smaller number stand out for the sheer scale of destruction they caused, the way they reshaped how ransomware operates, or the continued threat they represent today.

CryptoLockerLink to heading
CryptoLocker, which first appeared in September 2013, is widely regarded as the strain that launched the modern era of ransomware. Distributed through a botnet, a network of computers hijacked without their owners' knowledge, CryptoLocker was among the first ransomware families to use strong encryption against victims' files, making recovery without the decryption key effectively impossible.
Before an international law enforcement operation dismantled it in 2014, CryptoLocker had extorted an estimated USD 3 million from its victims. Its success proved the model worked, spawning a wave of copycat strains and directly influencing the development of later variants including WannaCry, Ryuk, and Petya.
WannaCryLink to heading
WannaCry holds the distinction of being the first high-profile cryptoworm, ransomware capable of spreading itself automatically across a network without any action from the user. In May 2017, it tore through more than 200,000 computers across 150 countries, targeting machines left vulnerable because administrators had failed to apply a patch for the EternalBlue vulnerability in Microsoft Windows.
Beyond encrypting victims' files, WannaCry threatened to permanently delete data unless payment arrived within seven days. Total estimated damages reached as high as USD 4 billion, making it one of the most costly ransomware attacks ever recorded.
Petya and NotPetyaLink to heading
When discussing what is ransomware and how ransomware attacks have evolved, Petya and NotPetya are important examples because they demonstrated that attackers could go beyond encrypting individual files.
Instead of targeting files directly, Petya encrypted the file system table itself, preventing infected machines from booting into Windows. In 2017, a modified version called NotPetya was used in a massive cyberattack aimed primarily at Ukraine.
NotPetya was ultimately classified as a wiper rather than true ransomware: it was designed to destroy systems permanently, and paying the ransom restored nothing. Victims had no path to recovery regardless of whether they paid.
RyukLink to heading

Ryuk first appeared in 2018 and is widely credited with popularising the strategy now known as big-game hunting, deliberately targeting high-value organisations rather than casting a wide net across general users. Ransom demands averaged more than USD 1 million per attack.
Ryuk was also notable for its ability to locate and disable backup files and system restore points, stripping victims of the most common fallback options. A new variant with cryptoworm capabilities surfaced in 2021, extending the strain's reach further.
DarkSideLink to heading
DarkSide is the ransomware group responsible for one of the most disruptive cyberattacks against critical infrastructure in US history. The attack became a major example in discussions about what is ransomware because it demonstrated how ransomware can impact not only businesses, but also entire supply chains and public services.
On 7 May 2021, the group, believed to be operating out of Russia, struck Colonial Pipeline, forcing a temporary shutdown of the pipeline that supplies roughly 45% of the fuel consumed on the US East Coast.
The disruption caused widespread fuel shortages across multiple states. Beyond conducting attacks directly, the DarkSide group also operated a RaaS model, licensing its ransomware to outside affiliates who carried out attacks on its behalf.
LockyLink to heading
Locky is an encrypting ransomware strain known for a particularly deceptive delivery method. It arrives as a Microsoft Word document attached to an email, disguised as a legitimate invoice or business communication.
When the recipient opens the file, hidden macros embedded in the document silently download and execute the ransomware payload in the background. By the time any damage becomes visible, the encryption process is already underway.
REvilLink to heading

REvil, also known as Sodin or Sodinokibi, played a significant role in establishing the RaaS model as a mainstream criminal enterprise. For readers searching what is ransomware, REvil is one of the clearest examples of how modern ransomware groups operate at scale.
The group specialised in big-game hunting and double-extortion tactics, and was responsible for two of the most high-profile attacks of 2021. JBS USA, one of the world’s largest meat processing companies, paid USD 11 million in ransom after REvil paralysed its entire US beef processing operation.
A separate attack on Kaseya Limited cascaded downstream to affect more than 1,000 of Kaseya's software customers. In early 2022, Russia's Federal Security Service announced it had dismantled REvil and charged several of its members.
ContiLink to heading
Conti emerged in 2020 and quickly built one of the most organised ransomware operations on record, running an extensive RaaS scheme in which hackers were paid a regular wage to carry out attacks using Conti's infrastructure.
The group developed its own version of double-extortion with an unusual twist: rather than simply threatening to publish stolen data, Conti threatened to sell access to the victim's network to other criminal actors if the ransom went unpaid. The operation collapsed in 2022 after internal chat logs were leaked publicly, exposing the gang's communications and structure.
Despite the disbandment, former Conti members remain active across the cybercrime landscape. According to the X-Force Threat Intelligence Index, individuals previously linked to Conti have since been connected to several of today's most widespread ransomware variants, including BlackBasta, Royal, and Zeon.
LockBitLink to heading
LockBit ranked as one of the most frequently observed ransomware variants in 2023 according to the X-Force Threat Intelligence Index, and it stands out for the unusually businesslike way its developers operate. When people ask what is ransomware, LockBit is often included in the answer because it shows how ransomware has evolved into a highly organised criminal business with ongoing development, recruitment, and attack campaigns.
The group has been known to acquire other malware strains through a process that mirrors legitimate corporate acquisitions.
In February 2024, law enforcement agencies seized portions of LockBit's infrastructure and the US government imposed sanctions on a senior member of the gang. Despite these setbacks, LockBit has continued to carry out attacks, demonstrating a resilience that has made it one of the most persistent threats in the current ransomware landscape.
Ransomware protectionLink to heading

The following best practices can significantly reduce the risk of a ransomware infection reaching your organisation and limit the damage if one does.
Endpoint protectionLink to heading
Antivirus software is a logical starting point, but traditional antivirus tools are built around known threat signatures, meaning they can only catch ransomware variants that have already been identified and catalogued. That leaves a meaningful gap when attackers use newer, more evasive techniques.
Modern endpoint protection platforms address this with next-generation antivirus (NGAV) capabilities designed to detect obfuscated ransomware, fileless attacks such as WannaCry, and zero-day malware that has not yet appeared in any threat database.
These platforms also include device-level firewalls and Endpoint Detection and Response (EDR) functionality, giving security teams the visibility and tooling needed to identify and shut down attacks on individual endpoints as they happen, rather than after the fact.
Data backupLink to heading
Maintaining reliable, up-to-date backups remains one of the most effective ways to recover from a ransomware attack without paying the ransom. If you already understand what is ransomware, you know that backups are often the fastest path to recovery. Back up data regularly to an external drive, applying version control so previous file states can be restored even if recent copies are compromised.
Follow the 3-2-1 rule: keep three copies of the data, stored across two different media types, with one copy held in a separate physical location. Where possible, disconnect the external drive from the device when it is not actively being used, because a connected drive is just as vulnerable to encryption as the primary system.
Patch managementLink to heading
Unpatched software is one of the most common entry points ransomware attackers exploit. Keep operating systems and all installed applications updated, and apply security patches as soon as they become available. Run regular vulnerability scans to surface known weaknesses across your environment, and prioritise remediation before those gaps can be weaponised.
Application whitelisting and controlLink to heading

Restricting which applications can run on a device removes a large category of potential infection vectors. Implement device controls that limit software installations to a centrally managed whitelist, ensuring that unauthorised or unverified programs cannot execute. Tighten browser security settings, disable Adobe Flash and other browser plugins with a history of exploitation, and deploy web filtering to block access to known malicious sites.
Disable macros in word processing applications and any other software where macro execution is not operationally necessary, as macros are a well-established method for delivering ransomware payloads.
Email protectionLink to heading
Since phishing remains one of the primary ways ransomware enters an organisation, email security deserves dedicated attention on both the technical and human side. Train employees to recognise social engineering attempts, and run regular phishing simulations to test whether that training translates into real-world awareness.
On the technical side, deploy spam filtering and endpoint protection tools configured to automatically quarantine suspicious messages before they reach the inbox, and ensure that malicious links are blocked even in cases where a user manages to click through. Organisations researching what is ransomware often discover that phishing emails remain one of the most effective delivery methods used by attackers.
Network defencesLink to heading
Network-level controls provide an important additional layer of protection by preventing ransomware from communicating with the external Command and Control servers that attackers use to manage infections and deliver encryption keys.
Deploy a firewall or web application firewall (WAF) alongside Intrusion Prevention and Intrusion Detection Systems (IPS/IDS) to monitor traffic, flag anomalous behaviour, and block outbound connections associated with known ransomware infrastructure.
Ransomware detectionLink to heading

Use real-time alerts and automated blocking to detect ransomware-specific read and write behavior, then stop affected users and endpoints from accessing any more data. This helps reduce damage early and limits the spread of the attack across the network.
Use deception-based detection to place hidden files on storage systems in a way that helps identify ransomware encryption behavior at the earliest stage of an attack. If anyone writes to or renames these hidden files, the system should automatically block the infected user or endpoint while still allowing normal access for users and devices that are not affected.
Use detailed reporting and analysis to create a full audit trail for forensic investigations. This should show who accessed files, what was accessed, when it happened, where the access came from, and how the files were used. A deception-based detection approach also helps ensure that only the infected user is blocked from the data, rather than interrupting access for everyone else.
When teams understand what is ransomware, they are in a much better position to detect it early, contain it quickly, and prevent it from spreading across the network.
Ransomware removal: How to mitigate an active ransomware infectionLink to heading
If you detect a ransomware infection on your network, take immediate action to reduce the impact and contain the threat.
- Isolate infected machines as quickly as possible. Disconnect them from the network and lock down shared drives to prevent further encryption and stop the malware from spreading to other systems.
- Investigate what backups are available for the encrypted data. Identify the ransomware strain that affected your environment and check whether a decryptor is available. You should also evaluate whether paying the ransom is even a practical option in your situation.
- Recover the affected data from backups if no decryptor tools are available. In most countries, authorities do not recommend paying the ransom, although in some extreme cases it may still be considered. Follow standard procedures to remove the ransomware or wipe and reimage the compromised systems.
- Reinforce your defenses by holding a lessons learned review to understand how the infection entered your environment and how it can be prevented in the future. Identify the weaknesses, security gaps, or missing protections that allowed the attackers in, and fix them as soon as possible.
- Evaluate the incident once the immediate crisis has passed. Review how the ransomware was successfully executed, which vulnerabilities made the attack possible, why antivirus or email filtering failed, how far the infection spread, and whether infected machines could be wiped and restored successfully. Also check whether backups were reliable and usable.
ConclusionLink to heading
Understanding what is ransomware and recognising how these attacks spread is an important first step toward improving overall cybersecurity resilience. While no security measure can eliminate every risk completely, businesses that invest in strong security practices are far less likely to suffer severe damage during an attack.
Keeping systems patched, securing remote access, monitoring suspicious activity, and maintaining reliable backups all play a critical role in ransomware prevention.
>>> Would your business recover quickly after a ransomware attack on your website? Protect your WordPress system now with W7SFW and reduce the chances of costly downtime and data compromise.