What Is Ransomware?
Ransomware is a type of malicious software that encrypts a victim's files or locks them out of their system, then demands a ransom payment — typically in cryptocurrency — in exchange for the decryption key. It is one of the most financially damaging forms of cybercrime affecting both individuals and organisations worldwide.
How a Ransomware Attack Unfolds
Understanding the attack lifecycle helps you identify where defences can be most effective:
- Initial Access — The attacker gains a foothold, most commonly via a phishing email with a malicious attachment, a compromised website, or exploitation of unpatched software vulnerabilities.
- Establishing Persistence — The malware installs itself and ensures it survives reboots, often disabling security tools and backups.
- Lateral Movement — In network attacks, the malware spreads to other connected machines to maximise the impact of encryption.
- Data Exfiltration (Double Extortion) — Modern ransomware groups often steal sensitive data before encrypting it, threatening to publish it publicly if the ransom isn't paid.
- Encryption — Files are encrypted using strong cryptographic algorithms. Without the attacker's private key, recovery is practically impossible; clean backups are the only realistic way back.
- Ransom Demand — A note is displayed with payment instructions and a deadline.
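The encryption phase leaves artefacts a defender can look for on a file share before the ransom note is ever read by a person: note files dropped into every folder, documents rewritten with an extra extension, and a sudden jump in byte entropy because ciphertext looks random. The script below is an added example (not part of the original article, and not any vendor's product) that scores a directory tree on those three indicators. The note filenames, extension lists and the 7.5 bits/byte threshold are constructed for illustration and would be tuned from a maintained threat-intelligence feed in practice; it also shows the caveat that archives and media are legitimately high-entropy and must be excluded or every photo folder would trip the check.

```python
"""Spot the signs of an encryption phase on a file share: ransom notes,
re-named documents and a sudden jump in file entropy. Added example."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative lists, constructed for this example; real deployments would
# load note names and extensions from a maintained threat-intelligence feed.
RANSOM_NOTE_NAMES = {"restore_files.txt", "how_to_decrypt.txt", "read_me_to_recover.txt"}
DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".csv", ".pptx"}
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office files rarely exceed ~6
SAMPLE_BYTES = 4096      # measure only the head of each file to keep scans cheap


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the ceiling, reached by random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_renamed(path: Path) -> bool:
    """True for names like 'report.docx.locked': a document extension with an
    unfamiliar one appended, as many encryptors do when they rewrite a file."""
    s = [x.lower() for x in path.suffixes]
    return (len(s) >= 2 and s[-2] in DOCUMENT_EXTS
            and s[-1] not in DOCUMENT_EXTS | COMPRESSED_EXTS)


def assess_directory(root: str) -> dict:
    """Walk a tree and return indicator counts plus an overall 'suspicious' flag."""
    stats = {"files": 0, "ransom_notes": 0, "renamed": 0,
             "high_entropy": 0, "entropy_candidates": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        stats["files"] += 1
        if path.name.lower() in RANSOM_NOTE_NAMES:
            stats["ransom_notes"] += 1
            continue
        if looks_renamed(path):
            stats["renamed"] += 1
        # Archives and media are legitimately high-entropy: leave them out of the
        # ratio or every photo folder would trip the detector.
        if path.suffix.lower() in COMPRESSED_EXTS:
            continue
        stats["entropy_candidates"] += 1
        with open(path, "rb") as fh:
            if shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                stats["high_entropy"] += 1
    cands = stats["entropy_candidates"]
    stats["suspicious"] = (stats["ransom_notes"] > 0 or stats["renamed"] > 0
                           or (cands > 0 and stats["high_entropy"] / cands >= 0.5))
    return stats


def build_sample_tree() -> str:
    """Constructed sample data: 'hit' mimics a share after encryption, 'clean' does not."""
    root = Path(tempfile.mkdtemp(prefix="rw-demo-"))
    hit, clean = root / "hit", root / "clean"
    hit.mkdir()
    clean.mkdir()
    (hit / "how_to_decrypt.txt").write_text("constructed ransom-note text\n")
    (hit / "report.docx.locked").write_bytes(os.urandom(SAMPLE_BYTES))  # encrypted-looking
    (hit / "photo.jpg").write_bytes(os.urandom(SAMPLE_BYTES))           # legitimately random
    (clean / "notes.txt").write_text("meeting minutes\n" * 200)
    (clean / "photo.jpg").write_bytes(os.urandom(SAMPLE_BYTES))
    return str(root)


if __name__ == "__main__":
    base = build_sample_tree()
    for sub in ("hit", "clean"):
        print(sub, assess_directory(os.path.join(base, sub)))
```

Run it on its own constructed sample and the "hit" tree reports one note, one renamed document and a 100% high-entropy ratio among candidate files, while the "clean" tree reports nothing; pointed at a real share it is a cheap periodic check, and the same logic can run inside a file-server audit job so that the alert fires while an infection is still spreading rather than after.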
Common Ransomware Delivery Methods
- Phishing emails — malicious attachments or links disguised as legitimate communications
- RDP exploitation — attackers brute-forcing credentials on Remote Desktop Protocol services exposed to the internet
- Drive-by downloads — visiting a compromised website that silently delivers malware
- Software supply chain attacks — malware injected into legitimate software updates
- Malvertising — malicious code embedded in online advertisements
High-Profile Ransomware Families to Know
Several ransomware groups have become known for particularly destructive or widespread campaigns. LockBit, BlackCat (ALPHV), and Cl0p are among those that have affected critical infrastructure, healthcare systems, and large enterprises in recent years. These groups operate as Ransomware-as-a-Service (RaaS) — they license their malware to affiliates who carry out attacks and split the proceeds.
Defending Against Ransomware: Your Action Plan
Backups Are Your Most Important Defence
Follow the 3-2-1 backup rule: keep 3 copies of your data, on 2 different media types, with 1 copy stored offsite (or offline). An offline backup that ransomware cannot reach is the most reliable recovery option. Test your backups regularly — a backup you've never restored from is an untested backup.
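"Test your backups regularly" is easiest to honour when the test is scripted. The following added example (not from the original article or any backup product) records a SHA-256 manifest at backup time and later checks a restored copy against it, reporting files that are missing, silently corrupted, or unexpectedly present. The directory layout, file contents and manifest filename are constructed for the demonstration; the design point it shows is that the manifest must travel with the offline copy, because a manifest that lives only on the server being backed up is encrypted along with everything else.

```python
"""Prove a backup can actually be restored: hash every file when the backup is
taken, then compare a restored copy against that manifest. Added example."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 for every file under root; run at backup time and
    store the result with the offline copy, not only on the live server."""
    base = Path(root)
    return {str(p.relative_to(base)): sha256_file(p)
            for p in sorted(base.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree with the manifest and report what is missing,
    what has changed and what appeared that was never backed up."""
    base = Path(restored_root)
    found = {str(p.relative_to(base)): sha256_file(p)
             for p in base.rglob("*") if p.is_file()}
    missing = sorted(set(manifest) - set(found))
    extra = sorted(set(found) - set(manifest))
    changed = sorted(k for k in manifest.keys() & found.keys()
                     if manifest[k] != found[k])
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not missing and not changed}


def demo() -> dict:
    """Constructed scenario: one faithful restore and one with silent corruption
    plus a dropped file, both checked against the same stored manifest."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src = work / "source"
    (src / "finance").mkdir(parents=True)
    (src / "finance" / "q1.csv").write_text("date,amount\n2024-01-01,100\n")
    (src / "readme.txt").write_text("project notes\n")

    manifest_path = work / "manifest.json"  # ship this alongside the offline copy
    manifest_path.write_text(json.dumps(build_manifest(str(src)), indent=2))

    good = work / "restore_good"
    bad = work / "restore_bad"
    shutil.copytree(src, good)
    shutil.copytree(src, bad)
    (bad / "finance" / "q1.csv").write_text("date,amount\n2024-01-01,999\n")  # corruption
    (bad / "readme.txt").unlink()                                             # incomplete restore

    stored = json.loads(manifest_path.read_text())
    return {"good": verify_restore(stored, str(good)),
            "bad": verify_restore(stored, str(bad))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Scheduling `verify_restore` against a restore into a scratch location, and treating any non-empty `missing` or `changed` list as a failed test, turns an "untested backup" into one with a recent, recorded restore result.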
Keep Systems Patched
A significant proportion of ransomware attacks exploit known vulnerabilities for which patches already exist. Enable automatic updates on your operating system and applications. Prioritise patching internet-facing systems and software.
Reduce Your Attack Surface
- Disable RDP if you don't use it; if you must use it, restrict access by IP and use strong passwords with 2FA.
- Use email filtering to block malicious attachments and quarantine suspicious links.
- Apply the principle of least privilege — users and applications should only have the permissions they absolutely need.
Train Users to Recognise Phishing
Since many ransomware infections begin with a user clicking a malicious link or opening a dangerous attachment, regular security awareness training is a cost-effective defence. Teach people to verify sender addresses, hover over links before clicking, and report suspicious emails.
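The three habits taught above (check the real sender address, be wary of a Reply-To that goes elsewhere, hover to compare a link's text with its destination) can also be automated at the mail gateway or in a training tool. The script below is an added example, not from the original article or any mail-filtering product, using only the Python standard library. Both messages it checks are constructed samples on reserved `.example` and `.test` domains; the checks are deliberately simple and would sit alongside, not replace, SPF/DKIM/DMARC validation and attachment filtering.

```python
"""Automate the checks users are taught to do by hand: does the display name
match the real sender, does Reply-To lead elsewhere, and does a link's visible
text match where it really points? Added example, stdlib only."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url: str) -> str:
    """Hostname of a URL; tolerates 'www.example.test/x' with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def html_body(msg) -> str:
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable findings; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message)
    findings = []
    name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. Display name that embeds an address on a different domain than the real sender.
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+", name):
        if domain_of(embedded) != sender_domain:
            findings.append(f"display name shows {embedded} but sender is {sender}")

    # 2. Reply-To that diverts answers away from the sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {sender_domain}")

    # 3. Link text that looks like a URL for one host while the href goes to another
    #    (what 'hover before you click' reveals).
    collector = _LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        if re.match(r"(https?://|www\.)", text) and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return findings


# Constructed sample messages (not real mail); all domains are reserved test names.
SAMPLE_PHISH = """\
From: "IT Helpdesk <helpdesk@corp.example>" <alerts@mail-corp-example.test>
Reply-To: recover@mailbox.test
To: alice@corp.example
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires today. Sign in at
<a href="http://corp-example.login.test/reset">https://sso.corp.example/reset</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Payroll <payroll@corp.example>
To: alice@corp.example
Subject: March payslip
Content-Type: text/html; charset=utf-8

<html><body><p>Your payslip is on <a href="https://hr.corp.example/payslips">the HR portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The constructed phishing sample trips all three checks and the legitimate payslip notice trips none; in a gateway these findings would feed a quarantine decision, and in a training tool they are exactly the cues to point out to the person who reported the message.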
Should You Pay the Ransom?
Law enforcement agencies including the FBI and NCSC generally advise against paying. Payment funds criminal operations, does not guarantee data recovery, and can make you a repeat target. If clean backups are available, restoring from them is almost always the better path. If backups are unavailable, consult a cybersecurity incident response professional before making any decision.