What Is Ransomware?

Ransomware is a category of malicious software that encrypts a victim's files or locks them out of their systems, then demands payment — typically in cryptocurrency — in exchange for the decryption key. It's a form of extortion, and it has become one of the most financially damaging forms of cybercrime, targeting hospitals, schools, government agencies, and businesses of all sizes.

Modern ransomware operations are often run by organized criminal groups with professional support staff, affiliate programs, and even customer service desks for victims making payments.

The Anatomy of a Ransomware Attack

Understanding how an attack unfolds helps you understand where defenses should be placed:

  1. Initial access: The attacker gains a foothold — most commonly through phishing emails with malicious attachments or links, exploitation of unpatched vulnerabilities (especially in public-facing systems like RDP or VPN gateways), or compromised credentials purchased on dark web markets.
  2. Persistence and lateral movement: Once inside, the attacker establishes persistence (ensuring they survive reboots) and moves laterally through the network, often using legitimate admin tools like PowerShell, WMI, or PsExec to avoid detection.
  3. Reconnaissance: The attacker maps the network, identifies backup systems, domain controllers, and high-value data repositories.
  4. Data exfiltration (double extortion): Modern ransomware groups frequently steal data before encrypting it, threatening to publish it publicly if the ransom isn't paid — even if the victim restores from backups.
  5. Encryption: The ransomware payload deploys and encrypts files using strong encryption, commonly a hybrid scheme in which a symmetric cipher (AES) encrypts the file contents and an asymmetric one (RSA) protects the AES keys so that only the attacker can release them. This happens rapidly — sometimes within minutes.
  6. Ransom demand: A ransom note is dropped, typically with instructions for contacting the attackers via a Tor-based website and paying in Bitcoin or Monero.

Common Ransomware Delivery Methods

  • Phishing emails: The most common vector. Malicious Word documents, PDFs, or links that download a dropper.
  • Exploit kits: Automated tools that probe for unpatched browser or plugin vulnerabilities when a victim visits a compromised website.
  • RDP exploitation: Exposed Remote Desktop Protocol ports with weak or reused passwords are a major entry point.
  • Malvertising: Malicious ads served through legitimate ad networks that redirect to exploit kits.
  • Supply chain attacks: Compromising software update mechanisms to push ransomware to many victims at once.

Should You Pay the Ransom?

Law enforcement agencies generally advise against paying ransoms for several reasons:

  • Payment does not guarantee you'll receive a working decryption key.
  • Paying signals that you're a viable target, potentially inviting future attacks.
  • Payments fund further criminal operations.
  • In some jurisdictions, paying ransoms to sanctioned groups may carry legal liability.

That said, organizations in critical situations sometimes face an impossible choice. The real answer is to invest in prevention so you never reach that point.

How to Defend Against Ransomware

Backup Strategy

Follow the 3-2-1 rule: maintain 3 copies of important data, on 2 different media types, with 1 copy stored offsite or offline (air-gapped). Test your backups regularly — an untested backup is not a backup.
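One concrete way to make "test your backups" routine is to record a hash manifest when the backup is taken and compare a restored copy against it. The script below is an added example written for this article, not a tool the article describes; the directory layout, file contents and the simulated bad restore are all constructed for the demo.

```python
"""Backup verification: build a SHA-256 manifest at backup time and check a
restored tree against it. Added example, not from the original article; the
files and the damaged restore below are constructed for the demo."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.
    Returns files missing from the restore, files whose content changed, and
    files present in the restore that the manifest never recorded. A clean
    restore returns three empty lists."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up three files, then 'restore' a copy in which
    one file's content was replaced, one file is absent, and an extra file
    (a note-like artifact) appeared that the backup never contained."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        (src / "policy.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        manifest = build_manifest(src)  # store this alongside the backup

        (dst / "finance").mkdir(parents=True)
        (dst / "finance" / "ledger.csv").write_bytes(os.urandom(32))  # content replaced
        (dst / "notes.txt").write_text("quarterly review\n")          # intact
        (dst / "README_RESTORE.txt").write_text("constructed extra file\n")
        # policy.pdf deliberately not restored
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the offline copy, not only on the system being backed up: if an attacker can rewrite the backup they can rewrite a manifest stored next to it on the same share.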

Reduce the Attack Surface

  • Disable unnecessary services and close unused ports (especially RDP — if needed, place it behind a VPN).
  • Apply security patches promptly, prioritizing internet-facing systems.
  • Implement network segmentation so ransomware can't spread freely between systems.

Harden User Access

  • Enforce multi-factor authentication (MFA) on all accounts, especially admin accounts.
  • Apply the principle of least privilege — users should only have access to what they need.
  • Monitor for unusual authentication patterns (logins at odd hours, from unusual locations).
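The last bullet turns into a detection rule once you have a per-user baseline. The script below is an added example, not the article's own material; the log line format, the baseline and the sample lines are constructed for the demo (addresses come from documentation ranges). It flags the three patterns a reviewer would look for first: a success outside working hours, a success from a location the user has never used, and a success that follows a burst of failures.

```python
"""Review of authentication logs for the patterns the list above names.
Added example: the line format, the per-user baseline and the sample lines
are all constructed for this demo; a real pipeline would parse Windows
4624/4625 events, sshd lines or an identity provider's sign-in export."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: "<ISO-8601 UTC> user=<name> src=<ip> geo=<CC> result=<success|failure>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return the event as a dict, or None for a line that does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def find_auth_anomalies(lines, baseline, work_hours=(7, 19), fail_threshold=5):
    """baseline maps each user to the set of geos they normally sign in from.
    Returns (user, timestamp, reason) tuples, one per finding. Failures are
    counted per user since that user's last success; a production rule would
    use a sliding time window so old failures age out."""
    findings = []
    failures = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: count these too, a parser gap hides events
        user, ts, geo = ev["user"], ev["ts"], ev["geo"]
        if ev["result"] == "failure":
            failures[user] += 1
            continue
        if failures[user] >= fail_threshold:
            findings.append((user, ts, f"success after {failures[user]} failures from {ev['src']}"))
        failures[user] = 0
        if not work_hours[0] <= ts.hour < work_hours[1]:
            findings.append((user, ts, f"login outside working hours at {ts.hour:02d}:00 UTC"))
        if geo not in baseline.get(user, set()):
            findings.append((user, ts, f"login from unseen location {geo}"))
    return findings


BASELINE = {"alice": {"DE"}, "bob": {"US"}}  # constructed per-user baseline

SAMPLE_LOG = [  # constructed sample; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    "2024-03-04T09:12:03Z user=alice src=192.0.2.10 geo=DE result=success",
    "2024-03-04T22:41:18Z user=alice src=198.51.100.23 geo=BR result=success",
    *[f"2024-03-04T10:00:{s:02d}Z user=bob src=203.0.113.5 geo=US result=failure" for s in range(1, 7)],
    "2024-03-04T10:00:40Z user=bob src=203.0.113.5 geo=US result=success",
    "this line is not an auth event",
]


def demo():
    return find_auth_anomalies(SAMPLE_LOG, BASELINE)


if __name__ == "__main__":
    for user, ts, reason in demo():
        print(f"{ts.isoformat()} {user}: {reason}")
```

Each finding is a triage lead, not a verdict: the odd-hour login may be a traveller, and the failures-then-success may be a user who mistyped a new password. The value of the rule is that every one of these gets looked at the same day rather than discovered weeks later from a ransom note.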

Detection and Response

  • Deploy Endpoint Detection and Response (EDR) tools that can detect ransomware behavior before encryption completes.
  • Centralize logs and monitor for indicators of compromise (IOCs) with a SIEM solution.
  • Develop and rehearse an incident response plan so your team knows exactly what to do when an attack occurs.
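The first two bullets describe behaviour-based detection: the encryption phase looks different from normal file activity because one process rewrites many files with high-entropy content, renames them to a new extension, and drops a note. The script below is an added example of that kind of rule, written for this article and not taken from any EDR or SIEM product; the event schema, the thresholds and the sample events are constructed assumptions.

```python
"""Behavioural detection of mass encryption, the signal an EDR sensor or a SIEM
rule keys on. Added example with constructed file events; the event schema,
thresholds and note-name hints are assumptions, not any product's logic."""
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes.
    Encrypted output sits near 8.0; plain text sits well below it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ext(path: str) -> str:
    """Lower-cased extension of the final path component, '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


NOTE_HINTS = ("readme", "recover", "decrypt", "how_to", "restore")  # assumed note-name fragments


def detect_mass_encryption(events, window_s=60, min_files=10, entropy_threshold=7.0):
    """events: dicts with ts (seconds), pid, op in {'write','rename','create'}, path,
    plus `data` (bytes written) for writes and `new_path` for renames.
    Returns {pid: counts} for every process whose high-entropy writes AND
    extension-changing renames both reach min_files inside window_s. Requiring
    both keeps archivers and backup agents (high-entropy writes, no renames)
    out of the alert; the note count is carried along for triage."""
    state = defaultdict(lambda: {"writes": deque(), "renames": deque(), "notes": 0})
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        st, ts = state[ev["pid"]], ev["ts"]
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= entropy_threshold:
            st["writes"].append(ts)
        elif ev["op"] == "rename" and ext(ev["path"]) != ext(ev["new_path"]):
            st["renames"].append(ts)
        elif ev["op"] == "create" and any(h in ev["path"].lower() for h in NOTE_HINTS):
            st["notes"] += 1
        for q in (st["writes"], st["renames"]):  # age out events older than the window
            while q and ts - q[0] > window_s:
                q.popleft()
        if len(st["writes"]) >= min_files and len(st["renames"]) >= min_files:
            alerts[ev["pid"]] = {"high_entropy_writes": len(st["writes"]),
                                 "extension_renames": len(st["renames"]),
                                 "ransom_notes": st["notes"]}
    return alerts


def build_sample_events():
    """Constructed events: pid 4242 behaves like an encryptor; pid 1001 is an editor
    saving plain text; pid 1002 is an archiver producing high-entropy output."""
    hi = bytes(range(256)) * 16                         # entropy exactly 8.0
    lo = b"quarterly budget notes, revised draft\n" * 100  # low-entropy text
    events = []
    for i in range(12):
        p = f"/srv/share/finance/doc{i}.xlsx"
        events.append({"ts": 10 + 2 * i, "pid": 4242, "op": "write", "path": p, "data": hi})
        events.append({"ts": 11 + 2 * i, "pid": 4242, "op": "rename", "path": p, "new_path": p + ".locked"})
        events.append({"ts": 10 + i, "pid": 1001, "op": "write", "path": f"/home/u/notes{i}.txt", "data": lo})
        events.append({"ts": 10 + i, "pid": 1002, "op": "write", "path": f"/backup/vol{i}.zst", "data": hi})
    events.append({"ts": 36, "pid": 4242, "op": "create", "path": "/srv/share/finance/HOW_TO_RECOVER.txt"})
    return events


def demo():
    return detect_mass_encryption(build_sample_events())


if __name__ == "__main__":
    print(demo())
```

Thresholds are the tuning knob: too low and compression jobs page the on-call, too high and the rule fires after most of the share is already encrypted. A sensor that can act on the alert (suspend the process, isolate the host) is what makes "before encryption completes" realistic; a SIEM rule on the same data is still valuable, but it catches the event minutes later.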