What is Ransomware?

Originally published: February 12, 2020 by Justin Channell

Ransomware has been one of the scariest topics in cybersecurity for years – and for good reason.

Living up to its name, ransomware is a type of malware where a bad actor blocks access to data or applications until payment is received. In other words, it turns hackers into kidnappers of your information. And much like a kidnapping, there is no guarantee that paying the ransom will result in a happy ending.


In short: ransomware is malicious software that encrypts your files, locks your systems, or steals your data, or some combination of all three, and demands payment to undo the damage. Increasingly, attackers steal a copy of your data before locking anything, so that even a flawless recovery doesn’t end the threat.


It may sound like paranoia or something out of an episode of Black Mirror – and yes, they have done a ransomware episode.

But the truth is, these attacks have cost billions of dollars for organizations around the world. They often target organizations with sensitive data, such as governments, hospitals, and law firms. That said, the assumption that ransomware only hits large enterprises is a dangerous myth. Small and mid-sized businesses are now among the most frequently targeted, in part because they tend to run leaner security operations. Mastercard’s global SMB study found that nearly 1 in 5 small businesses hit by a cyberattack ended up filing for bankruptcy or closing entirely. Any organization with an online presence should be aware of how ransomware works.

How do hackers use ransomware?

The first documented example of ransomware was the PC Cyborg trojan in 1989. It was an elaborate scheme involving a ludicrous number of floppy disks, denying access to machines, and mailing cash to a PO Box in Panama. It may not have been the most efficient plan, but it does show that extortion has been on the minds of hackers for decades.

Modern ransomware uses the same kind of infection strategies as standard malware, including phishing, social engineering, and application security flaws. Exploiting unpatched vulnerabilities in public-facing applications has become one of the most common entry points, often rivaling or surpassing stolen credentials and phishing as the initial cause of an attack. Another common installation technique is using malspam or malvertising. With malspam, the payload is disguised as an email. Malvertising has the bad actor injecting malicious code into advertisements on legitimate websites.

It’s also worth understanding what happens after that first foothold. The ransom note is rarely the beginning of an attack, but the announcement that the attack has already happened. Intruders frequently spend days, sometimes weeks, quietly moving through a network before triggering anything. During this “dwell time,” they use legitimate administrative tools like PowerShell and RDP to avoid tripping alarms, escalate their privileges, locate the most valuable data, and map out where the backups live so they can disable them. By the time files lock, the attacker has usually already copied everything worth stealing.
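The dwell-time behaviour described above leaves traces in ordinary Windows logon telemetry. The following is an added illustration, not code from the original article: it runs two simple detections over a constructed set of logon events (event ID 4624 with logon type 10 is an RDP logon). It flags RDP logons outside business hours and a single account fanning out over RDP to several servers, including a backup host, within one hour. The host names, account names, business-hours window and fan-out threshold are all assumptions chosen for the example.

```python
"""Flag dwell-time indicators in constructed Windows logon events.

Added example. SAMPLE_EVENTS is constructed, not real telemetry.
Event ID 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events: (time, event_id, logon_type, user, src_host, dst_host)
SAMPLE_EVENTS = [
    ("2024-03-04T09:12:00", 4624, 10, "jdoe", "WS-017", "SRV-FILE01"),
    ("2024-03-04T10:40:00", 4624, 10, "jdoe", "WS-017", "SRV-FILE01"),
    ("2024-03-05T02:14:00", 4624, 10, "svc_backup", "WS-042", "SRV-FILE01"),
    ("2024-03-05T02:16:00", 4624, 10, "svc_backup", "WS-042", "SRV-DC01"),
    ("2024-03-05T02:19:00", 4624, 10, "svc_backup", "WS-042", "SRV-BACKUP01"),
    ("2024-03-05T02:21:00", 4624, 10, "svc_backup", "WS-042", "SRV-SQL01"),
    ("2024-03-05T02:25:00", 4624, 3, "svc_backup", "WS-042", "SRV-FILE02"),
    ("2024-03-05T14:00:00", 4624, 2, "alice", "WS-003", "WS-003"),
]

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal working time
FANOUT_THRESHOLD = 3           # assumption: RDP to >= 3 distinct hosts in an hour is unusual


def parse_event(raw):
    """Turn one constructed tuple into a dict with a real datetime."""
    ts, event_id, logon_type, user, src, dst = raw
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "user": user, "src": src, "dst": dst}


def rdp_logons(events):
    """Keep only successful RDP (RemoteInteractive) logons."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]


def off_hours(events):
    """RDP logons whose hour falls outside the assumed business window."""
    return [e for e in rdp_logons(events) if e["time"].hour not in BUSINESS_HOURS]


def rdp_fanout(events, window_minutes=60, threshold=FANOUT_THRESHOLD):
    """Return {(user, src): set(dst)} for sources that reach at least
    `threshold` distinct hosts over RDP inside a sliding window."""
    by_src = defaultdict(list)
    for e in sorted(rdp_logons(events), key=lambda e: e["time"]):
        by_src[(e["user"], e["src"])].append(e)
    findings = {}
    for key, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:]
                         if (x["time"] - first["time"]).total_seconds() <= window_minutes * 60]
            targets = {x["dst"] for x in in_window}
            if len(targets) >= threshold:
                findings[key] = targets
                break
    return findings


def analyze(raw_events=SAMPLE_EVENTS):
    """Run both detections and return plain, comparable results."""
    events = [parse_event(r) for r in raw_events]
    return {
        "off_hours_rdp": [(e["user"], e["src"], e["dst"]) for e in off_hours(events)],
        "rdp_fanout": {k: sorted(v) for k, v in rdp_fanout(events).items()},
    }


if __name__ == "__main__":
    for name, result in analyze().items():
        print(name, result)
```

On the constructed data the two ordinary daytime logons by `jdoe` produce nothing, while the 02:00 session that hops from a workstation to the file server, domain controller, backup server and database server in seven minutes trips both rules. Real deployments would tune the window and threshold per environment and enrich with the account's usual source hosts, but the shape of the check is the same.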

Once ransomware is installed, the bad actor can begin to reap their payoff. The exact strategy of ransomware varies, but it usually falls in one of these categories:

  • Crypto Malware: The bad actor will encrypt files, folders, and drives. The victim will not be able to access their files until paying the ransom.
  • Lockers: Hackers will block access to a device or application for ransom.
  • Doxware: In this case, the bad actor has copied files and is threatening to share them. The victim may still have access to their files, but does not want sensitive content revealed.

Why backups alone no longer stop ransomware

When this category breakdown was first written, encryption was the heart of nearly every ransomware attack. That has fundamentally changed. The dominant model today is double extortion, which combines two pressure tactics at once: attackers encrypt your files and exfiltrate a copy of your data, threatening to publish or sell it if you don’t pay.

The implication is significant. Backups, long considered the primary defense against ransomware, address only half of the problem: encryption. An organization can restore every system from immutable backups and still face the public release of stolen customer records, employee data, or trade secrets. Data exfiltration also turns nearly every incident into a reportable data breach, triggering notification obligations under regulations like GDPR and HIPAA regardless of how quickly systems are recovered.

Some groups have pushed the model even further. Triple extortion layers on additional pressure, such as launching DDoS attacks against the victim or contacting customers and partners directly. Quadruple extortion adds direct harassment of executives, employees, or affected individuals. In one 2025 attack on a group of nurseries, criminals reportedly phoned parents directly with threats. A growing number of groups have even abandoned encryption altogether, relying on data theft alone because it’s faster, requires less technical skill, and sidesteps modern security tools designed to catch encryption activity.

Ransomware as a Service (RaaS)

Ransomware attacks may be a collaboration between a bad actor and a hacker working for a cut of the bounty. We call this Ransomware as a Service (RaaS).

In this case, the bad actor may have already gained access to an environment, but needs a third party to execute the malware campaign. They may not know how to pull off the ransomware attack on their own, or they need a tailored attack. Regardless, these collaborations often occur within threat actor groups.

The RaaS ecosystem has also become more fragmented and competitive. Major law enforcement takedowns of dominant operations like LockBit and ALPHV/BlackCat in 2024 didn’t end the threat, but scattered it. The power vacuum was quickly filled by a churn of smaller, more agile groups. IBM’s X-Force observed a 49% increase in active ransomware groups in 2025 compared to the prior year, many of them short-lived operators whose low-volume campaigns make attribution harder.

To attract affiliates, these services increasingly compete on features. Some now advertise in-house “legal” teams, chatbots to pressure victims, and perhaps most notably, AI and automation tooling. It’s less about AI inventing brand-new attack techniques and more about scaling the proven ones: generating hyper-personalized, multilingual phishing lures, automating reconnaissance once inside a network, and lowering the skill bar so that even low-capability criminals can run convincing, large-scale campaigns. The practical effect is faster, more frequent, and more polished attacks.

Getting rid of ransomware

A ransomware attack is tricky. A victim is likely to face the difficult decision of paying off hackers to get their data back.

Even then, there is no guarantee the hacker will follow through on their word. Like any extortion attempt, there is no easy solution. The point of the attack is to put the victim in a difficult position that only a payoff can solve.

If your website was defaced by a ransomware campaign, the first thing you should do is try to apply backups. In the best case scenario, you’ll have off-site backups of your database and website going back at least one week. If the backups are good, make sure to change all your credentials after restoration. Then, consider working with a malware prevention company.

But if backups are not an option, you’re unfortunately not in a great position. You could pay, but as noted, there is no guarantee the bad actors will comply. You’ll need to consider the type of affected data. Depending on the sensitivity, you may want to contact a professional or law enforcement for help.

Preventing ransomware infection

Because ransomware can be difficult to remove, ongoing prevention is the best protection. Following general best practices for security can help prevent ransomware infection. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency recommends these precautions:

  • Keep any applications and operating systems up to date: Many attacks rely on known flaws that already have fixes available, so timely updates close the gaps before criminals can use them.
  • Never click on links or open attachments in unsolicited emails: Phishing remains one of the most common ways ransomware gets in, and a single careless click can hand an attacker the foothold they need.
  • Make regular off-site backups of data: Wherever possible, keep at least one backup copy offline or immutable, so it can’t be altered or deleted if attackers reach your network.
  • Follow safe browsing practices on the internet: Pair strong passwords with multi-factor authentication (MFA) on every account that supports it, especially remote access, email, and administrator logins.
  • Patch internet-facing systems promptly: Because attackers increasingly break in by exploiting known, unpatched vulnerabilities in things like VPNs and firewalls, prioritizing these updates closes one of the most common doors.
  • Monitor for unusual outbound network traffic: Since most attacks now involve stealing data before any files are locked, watching for large or anomalous data transfers can be the best chance to catch an attack while it’s still unfolding.
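The last item in the list, watching outbound traffic for the data theft that now precedes most encryption, is the one defenders most often leave without a concrete check. The block below is an added example and not part of the original article or CISA's guidance: it builds a per-host egress baseline from constructed daily flow summaries, then flags any host whose outbound volume on a given day exceeds both an absolute floor and a multiple of its own median, and lists destinations that host had never sent data to before. The flow records, host names, IP addresses (RFC 5737 documentation ranges), the 1 GiB floor and the 5x factor are all assumptions.

```python
"""Flag anomalous outbound data volumes that may signal exfiltration.

Added example. SAMPLE_FLOWS is constructed, not real telemetry.
Each record is a per-day egress summary: (day, host, dst_ip, bytes_out).
"""
from collections import defaultdict
from statistics import median

GIB = 1024 ** 3

# Constructed records; 203.0.113.10 stands in for a normal SaaS endpoint,
# 198.51.100.77 for a destination never seen before.
SAMPLE_FLOWS = [
    ("2024-03-01", "SRV-FILE01", "203.0.113.10", 120_000_000),
    ("2024-03-02", "SRV-FILE01", "203.0.113.10", 95_000_000),
    ("2024-03-03", "SRV-FILE01", "203.0.113.10", 130_000_000),
    ("2024-03-04", "SRV-FILE01", "203.0.113.10", 110_000_000),
    ("2024-03-05", "SRV-FILE01", "203.0.113.10", 100_000_000),
    ("2024-03-05", "SRV-FILE01", "198.51.100.77", 9 * GIB),
    ("2024-03-01", "WS-003", "203.0.113.10", 40_000_000),
    ("2024-03-02", "WS-003", "203.0.113.10", 38_000_000),
    ("2024-03-03", "WS-003", "203.0.113.10", 45_000_000),
    ("2024-03-04", "WS-003", "203.0.113.10", 41_000_000),
    ("2024-03-05", "WS-003", "203.0.113.10", 55_000_000),
]


def daily_totals(flows):
    """Sum bytes_out per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def baseline_for(flows, host, day):
    """Median daily egress for `host` over days strictly before `day`.
    ISO dates compare correctly as strings, so no parsing is needed."""
    totals = daily_totals(flows)
    prior = [b for (h, d), b in totals.items() if h == host and d < day]
    return median(prior) if prior else None


def known_destinations(flows, host, day):
    """Destinations `host` has sent data to on any day before `day`."""
    return {dst for d, h, dst, _ in flows if h == host and d < day}


def find_anomalies(flows, day, factor=5, min_bytes=GIB):
    """Hosts whose egress on `day` is at least `min_bytes` and at least
    `factor` times their own baseline, with any never-seen destinations.
    Hosts with no prior history are skipped rather than guessed at."""
    totals = daily_totals(flows)
    findings = []
    for host in sorted({h for _, h, _, _ in flows}):
        today = totals.get((host, day), 0)
        base = baseline_for(flows, host, day)
        if base is None or today < min_bytes or today < factor * base:
            continue
        seen = known_destinations(flows, host, day)
        new_dsts = sorted({dst for d, h, dst, _ in flows
                           if d == day and h == host and dst not in seen})
        findings.append({
            "host": host, "day": day, "bytes_out": today,
            "baseline": base, "ratio": round(today / base, 1),
            "new_destinations": new_dsts,
        })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_FLOWS, "2024-03-05"):
        print(f"{f['host']}: {f['bytes_out'] / GIB:.1f} GiB out, "
              f"{f['ratio']}x baseline, new destinations {f['new_destinations']}")
```

The file server's 9 GiB transfer to an address it has never contacted stands out at roughly 85 times its median, while the workstation's slightly busier day stays well under the floor. The absolute floor matters: without it, a quiet host that sends a few megabytes on a normal day would be flagged for any modest increase, which is the kind of noise that makes teams switch alerts off.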

On top of that, it is also good to look into any administrator privileges. Follow the Principle of Least Privilege. Remove admin privileges from any users who do not need them. This can help prevent malware attacks, including ransomware.

For more tips on protecting your website, check out our Website Security Guide.

FAQs

Should I pay the ransom?

Most experts and law enforcement say don’t. There’s no guarantee you’ll get your data back, paying funds the next attack, and it paints a target on your back. If you have clean backups, restore from those instead. The hard cases are when there’s no backup and the stolen data is sensitive. That’s when you’ll want a professional and law enforcement weighing in before you decide anything.

If I pay, will I actually get my data back?

Maybe. You’re trusting a criminal’s word, and sometimes the decryption tool is broken, only part of the data comes back, or they hit you again later. And here’s the catch: most attacks now copy your data before locking it, so even paying can’t un-steal it. Once it’s out there, it’s out there.

Can I get rid of ransomware without paying?

Often, yes, if you have clean, offline backups, you can wipe the affected systems and restore them without ever talking to the attackers. Free decryption tools exist for some older strains, too. Just remember that cleaning up your systems doesn’t recover data that was already stolen.

How do I keep this from happening in the first place?

No single thing does it, but the basics go a long way: patch your systems, turn on multi-factor authentication everywhere you can, keep an offline backup, limit who has admin access, and train your team to spot phishing. Prevention is genuinely cheaper and easier than cleanup.

Conclusion

While law enforcement and cybersecurity agencies continue to discourage ransom payments, current data suggests victim behavior is shifting in the same direction. CISA’s official #StopRansomware Guide warns that paying a ransom does not ensure data will be decrypted, systems will no longer be compromised, or stolen data will not be leaked. At the same time, Verizon’s 2025 Data Breach Investigations Report found that 64% of victim organizations did not pay the ransom, up from 50% two years earlier, while the median ransom paid fell to $115,000 from $150,000. Ransomware remains a serious and costly threat, but the economics are becoming less predictable for attackers as more victims resist payment and focus instead on recovery, resilience, and incident response.

But, as long as they are profitable, ransomware attacks are likely to continue. The United States consistently accounts for roughly half of all listed victims. Even as the share of victims who pay declines, total criminal revenue has stayed roughly flat year over year, driven by a smaller number of very large payouts. In other words, attackers are running more campaigns against more victims to extract a similar haul, and that volume is exactly what makes prevention so important.

Hardening security helps to prevent ransomware attacks from succeeding. But depending on the sensitivity of the data on your website, you may want to consider further protection such as a Web Application Firewall (WAF).
