What Is Ransomware and How Does It Work?

Imagine turning on your computer and seeing a message: "All your files have been encrypted. Pay $5,000 in Bitcoin within 72 hours or your data will be permanently deleted." This is ransomware — and it's one of the most devastating cyber threats of our time.
In 2025, ransomware attacks caused over $30 billion in damages worldwide. Hospitals were forced to turn away patients. Schools lost years of records. Small businesses closed permanently. No one is immune.
How Ransomware Works: Step by Step
Stage 1: Infection
Ransomware enters your system through one of these vectors:
- Phishing emails: a convincing email with a malicious attachment or link (the most common initial-access vector in most surveys, often put at around 70% of cases)
- Exploited vulnerabilities: unpatched, internet-facing software (VPN appliances, file-transfer servers, web applications) with known security holes
- Remote Desktop Protocol (RDP): brute-forcing or password-spraying weak credentials on RDP servers exposed to the internet, or simply logging in with credentials stolen elsewhere
- Compromised websites: drive-by downloads from infected legitimate sites
- USB drives: infected USB devices left in public places (rare today compared with the vectors above)
Stage 2: Execution & Persistence
Once inside, the ransomware:
- Disables or tampers with antivirus and EDR agents
- Establishes persistence (scheduled tasks, registry Run keys, services) so it survives reboots
- Spreads to other machines on the network using stolen credentials, open file shares or remote-management tools; in most enterprise incidents a human operator does this over days or weeks, then triggers encryption everywhere at once
- Deletes or disables recovery options so you cannot roll back: Volume Shadow Copies (vssadmin delete shadows, wmic shadowcopy delete), Windows recovery mode (bcdedit), backup catalogs (wbadmin delete catalog) and any backup share it can reach
- May contact the attacker's command-and-control server to register the victim and hand over key material; many families need no network connection at all, because the attacker's public key is embedded in the binary (see Stage 3)
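The recovery-tampering step is one of the most reliable detection points in the whole chain, because the commands involved are few, noisy and almost never run by ordinary users. The following Go program is an added example, not code from this article: it scans constructed process-creation records in a made-up pipe-delimited format (time|host|user|image|commandline; in practice the source would be Sysmon Event ID 1 or Windows Security event 4688) for the commands ransomware uses to inhibit recovery (MITRE ATT&CK T1490), and ignores benign lookalikes such as "vssadmin list shadows".

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is one process-creation record (e.g. Sysmon Event ID 1 or
// Windows Security 4688) reduced to the fields the detection needs.
type ProcEvent struct {
	Time, Host, User, Image, CommandLine string
}

// recoveryTamperPatterns cover the commands ransomware commonly runs to
// destroy Volume Shadow Copies and disable Windows recovery (ATT&CK T1490).
// They are matched case-insensitively against the full command line.
var recoveryTamperPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`),
	regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize`),
	regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`),
	regexp.MustCompile(`(?i)Win32_ShadowCopy.*\.Delete\(`),
	regexp.MustCompile(`(?i)bcdedit(\.exe)?.*recoveryenabled\s+no`),
	regexp.MustCompile(`(?i)bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures`),
	regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)`),
}

// ParseEvent parses one line of the constructed log format used in this
// example: time|host|user|image|commandline. Malformed lines are skipped.
func ParseEvent(line string) (ProcEvent, bool) {
	f := strings.SplitN(line, "|", 5)
	if len(f) != 5 {
		return ProcEvent{}, false
	}
	return ProcEvent{Time: f[0], Host: f[1], User: f[2], Image: f[3], CommandLine: f[4]}, true
}

// DetectRecoveryTampering returns the events whose command line matches any
// of the known recovery-inhibition commands.
func DetectRecoveryTampering(lines []string) []ProcEvent {
	var hits []ProcEvent
	for _, l := range lines {
		ev, ok := ParseEvent(l)
		if !ok {
			continue
		}
		for _, re := range recoveryTamperPatterns {
			if re.MatchString(ev.CommandLine) {
				hits = append(hits, ev)
				break
			}
		}
	}
	return hits
}

// SampleLog is constructed test data, not a real capture. The first line
// (a harmless "list") and the last (a browser) must not trigger.
var SampleLog = []string{
	"2025-01-10T09:14:02Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
	"2025-01-10T09:14:05Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
	"2025-01-10T09:14:06Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
	"2025-01-10T09:14:07Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
	"2025-01-10T09:14:08Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
	"2025-01-10T09:15:00Z|WS-042|CORP\\jdoe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe https://example.com",
}

func main() {
	for _, h := range DetectRecoveryTampering(SampleLog) {
		fmt.Printf("ALERT %s %s %s: %s\n", h.Time, h.Host, h.User, h.CommandLine)
	}
}
```

Four of the six constructed lines fire. In production this rule should page immediately rather than queue, and it should be paired with a check on the parent process: vssadmin launched from cmd.exe under an ordinary user account, as in the sample, is far more suspicious than the same command from a backup agent's service account.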
Stage 3: Encryption
The ransomware encrypts your files with standard, well-tested ciphers ("military-grade" in a ransom note just means an ordinary algorithm such as AES-256 or ChaCha20). Almost all families use a hybrid scheme: a fresh symmetric key per file or per victim encrypts the data, and that key is then itself encrypted ("wrapped") with an RSA or elliptic-curve public key built into the malware. The matching private key exists only on the attacker's side, so neither you nor an incident responder can recover the file keys, however much computing power is available; free decryptors appear only when the authors made an implementation mistake (reused or predictable keys, a leaked master key) or when law enforcement seizes the key server. It targets documents, photos, databases and any backups it can reach.
Modern ransomware encrypts selectively: it skips operating-system files so the computer still boots and displays the ransom note, and many families encrypt only part of each large file (intermittent encryption) so they finish before defenders can react.
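Why a victim cannot simply "crack" the files: the Go program below is an added example, not code from the article, and deliberately not a file encryptor (it works on a single in-memory byte string and never touches the filesystem). It models the hybrid key structure described above: a random AES-256 key per file, AES-GCM for the data, and RSA-OAEP to wrap that key under the attacker's public key. Everything left on the victim side is the ciphertext, the nonce and the wrapped key; only the holder of the private key can unwrap it, and a second, unrelated key pair fails. Key sizes and the sample text are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedFile is what the victim is left with: the ciphertext, the nonce,
// and the per-file AES key encrypted to the attacker's RSA public key.
// Nothing in it can be used for decryption without the RSA private key.
type WrappedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// EncryptForAttacker models the encryption stage of a hybrid scheme:
// a fresh 256-bit AES key per file, AES-GCM for the data, RSA-OAEP to wrap
// the AES key under the attacker's public key. The plaintext AES key is
// zeroed as soon as it has been wrapped.
func EncryptForAttacker(pub *rsa.PublicKey, plaintext []byte) (WrappedFile, error) {
	fileKey := make([]byte, 32) // AES-256 key, unique to this file
	if _, err := rand.Read(fileKey); err != nil {
		return WrappedFile{}, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return WrappedFile{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return WrappedFile{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedFile{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return WrappedFile{}, err
	}
	for i := range fileKey { // the only surviving copy of the key is now inside wrapped
		fileKey[i] = 0
	}
	return WrappedFile{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptWithAttackerKey is what the attacker's "decryptor" does after
// payment: unwrap the file key with the private key, then AES-GCM decrypt.
func DecryptWithAttackerKey(priv *rsa.PrivateKey, f WrappedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, f.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// Demo runs the full cycle on a constructed sample and reports whether the
// attacker's key recovers the data and whether an unrelated key does not.
func Demo() (recovered bool, wrongKeyFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	bystander, err := rsa.GenerateKey(rand.Reader, 2048) // some other key pair
	if err != nil {
		return false, false, err
	}
	sample := []byte("Q3 payroll export (constructed sample data)")
	f, err := EncryptForAttacker(&attacker.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	pt, err := DecryptWithAttackerKey(attacker, f)
	recovered = err == nil && bytes.Equal(pt, sample)
	_, err = DecryptWithAttackerKey(bystander, f)
	wrongKeyFails = err != nil
	return recovered, wrongKeyFails, nil
}

func main() {
	ok, fails, err := Demo()
	fmt.Println("attacker key recovers data:", ok, "| unrelated key fails:", fails, "| err:", err)
}
```

The structure is the point: the AES key is never stored anywhere the victim can read it, so "breaking" the encryption means breaking RSA-OAEP with a 2048-bit key, which is not feasible. The realistic ways out are exactly the implementation mistakes mentioned above (a predictable random source for fileKey, the same key reused across victims, or a leaked private key).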
Stage 4: Ransom Demand
A note appears demanding payment in cryptocurrency (usually Bitcoin or Monero). Demands range from $500 for individuals to millions for organizations. A countdown timer creates urgency.
Double and Triple Extortion
Modern ransomware gangs don't just encrypt: they steal your data first, often gigabytes of it, before the encryption starts. If you refuse to pay for decryption, they threaten to publish your sensitive files on a leak site. This is "double extortion", and it is why a good backup alone no longer ends the incident.
"Triple extortion" adds a third lever: a DDoS attack against your organization while you're trying to recover, or direct contact with your customers, partners or patients to pressure you into paying.
5 Biggest Ransomware Attacks in History
- WannaCry (2017): infected 200,000+ computers in 150 countries within hours by exploiting an unpatched Windows SMB flaw, crippling the UK's NHS healthcare system
- NotPetya (2017): caused an estimated $10 billion in damages, primarily targeting Ukraine but spreading globally; it posed as ransomware but was effectively a wiper, with no working way to decrypt even for those who paid
- Colonial Pipeline (2021): shut down the largest US fuel pipeline, causing gas shortages across the East Coast
- Kaseya (2021): supply chain attack affecting 1,500+ businesses through a single remote-management software provider
- MOVEit (2023): exploited a file transfer tool used by governments and corporations, affecting 60+ million people; notably it was pure data theft and extortion, with no encryption at all
How to Protect Yourself
For Individuals
- Back up regularly: Follow the 3-2-1 rule: 3 copies, 2 different media, 1 offsite. Keep at least one copy offline or immutable (a disconnected drive, or cloud storage with object locking), because ransomware running with your privileges will encrypt or delete any backup it can reach.
- Update everything: Enable automatic updates for your OS, browser, and all applications.
- Use strong passwords: Generate unique passwords with a password generator for every account.
- Enable 2FA: Even if your password is compromised, two-factor authentication makes unauthorized access much harder. Prefer an authenticator app or hardware key over SMS codes, which can be intercepted or phished.
- Be cautious with emails: Never open unexpected attachments. Verify senders through a different channel.
For Organizations
- Segment your network: Limit lateral movement so ransomware can't spread to all systems.
- Don't expose RDP to the internet: If remote access is needed, put it behind a VPN or remote-access gateway with MFA, and alert on repeated failed logons.
- Train employees: Regular phishing simulations and security awareness training.
- Implement EDR: Endpoint Detection and Response tools can detect ransomware behavior before encryption completes.
- Test your backups: Regularly run a full restore drill and verify the restored data file by file against the original (not just that the backup job reported success), and confirm the restore finishes within the downtime you can tolerate.
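"Test your backups" is worth automating. The Go program below is an added example, not from the article: it builds a SHA-256 manifest of the source tree at backup time and later checks a restored tree against it, reporting files that are missing, modified or unexpected. The drill function stages its own constructed files in temporary directories and deliberately corrupts the restore so the check has something to find; the paths and file contents are made up for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a file's path relative to the tree root to its SHA-256 hex digest.
type Manifest map[string]string

// BuildManifest walks root and hashes every regular file. Run it against the
// live data at backup time and store the result alongside the backup.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return m, err
}

// VerifyRestore hashes the restored tree and lists every file that is
// missing, modified or unexpected relative to the manifest; empty means pass.
func VerifyRestore(expected Manifest, restoredRoot string) ([]string, error) {
	actual, err := BuildManifest(restoredRoot)
	if err != nil {
		return nil, err
	}
	var problems []string
	for rel, want := range expected {
		got, ok := actual[rel]
		switch {
		case !ok:
			problems = append(problems, "missing: "+rel)
		case got != want:
			problems = append(problems, "modified: "+rel)
		}
	}
	for rel := range actual {
		if _, ok := expected[rel]; !ok {
			problems = append(problems, "unexpected: "+rel)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

// RunDrill stages a constructed source tree and a "restore" of it in temp
// directories, then tampers with the restore (one file corrupted, one
// missing, one stray) and returns what VerifyRestore reports.
func RunDrill() ([]string, error) {
	src, err := os.MkdirTemp("", "backup-src")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(src)
	dst, err := os.MkdirTemp("", "backup-restored")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dst)
	files := map[string]string{"docs/a.txt": "hello", "docs/b.txt": "world", "db/main.sqlite": "sqlite bytes"}
	for _, root := range []string{src, dst} {
		for rel, body := range files {
			p := filepath.Join(root, filepath.FromSlash(rel))
			os.MkdirAll(filepath.Dir(p), 0o755)
			if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
				return nil, err
			}
		}
	}
	m, err := BuildManifest(src)
	if err != nil {
		return nil, err
	}
	os.WriteFile(filepath.Join(dst, "docs", "b.txt"), []byte("w0rld"), 0o644)
	os.Remove(filepath.Join(dst, "db", "main.sqlite"))
	os.WriteFile(filepath.Join(dst, "README.locked"), []byte("ransom"), 0o644)
	return VerifyRestore(m, dst)
}

func main() {
	problems, err := RunDrill()
	fmt.Println(problems, err)
}
```

Store the manifest with the offline copy, not only on the live system: a manifest that ransomware can rewrite proves nothing. The same check also catches silent bit-rot and backup jobs that "succeeded" while skipping locked database files.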
What to Do If You're Infected
- Disconnect immediately: unplug the infected device from the network (cable and Wi-Fi) to stop it spreading to shares and other machines
- Don't pay: in victim surveys only about 65% of those who pay get usable data back, and paying funds the next attack
- Report it: contact law enforcement (FBI IC3 in the US, Action Fraud in the UK), and your insurer and regulator where required
- Check No More Ransom: the project at nomoreransom.org has free decryption tools for many ransomware variants; keep the ransom note and a few encrypted files, since they identify the variant and are needed if a decryptor appears later
- Restore from backups: wipe the infected system, reinstall from trusted media and restore clean backups; before reconnecting, close the original entry point (phished account, exposed RDP, unpatched server), or the attacker will simply come back
FAQ
Should I pay the ransomware ransom?
Law enforcement agencies generally advise against paying. In victim surveys only about 65% of those who pay actually get their data back, paying encourages more attacks, and in some jurisdictions paying a sanctioned group is itself illegal. Focus on prevention and backups instead.
Can ransomware spread through email?
Yes, email is the most common delivery method. Ransomware is typically hidden in attachments (Word docs with macros, PDFs, ZIP files) or delivered via links to malicious websites.
Can antivirus software stop ransomware?
Modern antivirus can detect known ransomware variants, but new strains are created daily and are usually repacked to evade signatures. Anti-ransomware features that watch for the behaviour itself (rapid modification of many files, file contents turning into high-entropy data, renamed extensions, shadow-copy deletion) provide better protection than signature-based detection alone.
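One such behavioural signal, as an added Go example (not from the article and not any vendor's product): score each file write by its Shannon entropy and by whether the file's extension changed on close, then flag a process that does both to several distinct files within a short window. Entropy on its own is not a verdict, because compressed archives look just like ciphertext; the example shows this with a single zip write that scores high but is not flagged. The event format, thresholds and sample events are constructed for the demo; a real sensor would feed this from a filesystem minifilter or EDR telemetry.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"path/filepath"
	"sort"
	"strings"
)

// WriteEvent is a file-write record as a minifilter or EDR sensor would
// report it; Data is the first chunk of what was written.
type WriteEvent struct {
	TimeSec float64
	PID     int
	Process string
	OldPath string // path the process opened
	NewPath string // path after any rename on close ("" if unchanged)
	Data    []byte
}

// ShannonEntropy returns bits per byte (0..8). Compressed and encrypted
// data both sit near 8, so this is one signal, not a verdict.
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Detector thresholds (example values chosen for the demo, not vendor defaults).
const (
	EntropyThreshold = 7.2  // bits per byte
	WindowSec        = 10.0 // sliding window length
	FilesThreshold   = 5    // distinct files in one window
)

// suspicious is true when a write looks like in-place encryption: high-entropy
// content AND the extension changed on close (the typical ransomware rename).
func suspicious(ev WriteEvent) bool {
	if ev.NewPath == "" || filepath.Ext(ev.NewPath) == filepath.Ext(ev.OldPath) {
		return false
	}
	return ShannonEntropy(ev.Data) >= EntropyThreshold
}

// FlagProcesses returns the PIDs that made at least FilesThreshold suspicious
// writes to distinct files within any WindowSec interval.
func FlagProcesses(events []WriteEvent) []int {
	byPID := map[int][]WriteEvent{}
	for _, ev := range events {
		if suspicious(ev) {
			byPID[ev.PID] = append(byPID[ev.PID], ev)
		}
	}
	var flagged []int
	for pid, evs := range byPID {
		sort.Slice(evs, func(i, j int) bool { return evs[i].TimeSec < evs[j].TimeSec })
		for start := range evs {
			seen := map[string]bool{}
			for _, ev := range evs[start:] {
				if ev.TimeSec-evs[start].TimeSec > WindowSec {
					break
				}
				seen[ev.OldPath] = true
			}
			if len(seen) >= FilesThreshold {
				flagged = append(flagged, pid)
				break
			}
		}
	}
	sort.Ints(flagged)
	return flagged
}

// SampleEvents is a constructed stream: PID 4242 rewrites six documents with
// random bytes (standing in for ciphertext) and renames them, PID 300 zips one
// file (high entropy, but a single file), PID 77 saves ordinary text.
func SampleEvents() []WriteEvent {
	var evs []WriteEvent
	for i := 0; i < 6; i++ {
		buf := make([]byte, 4096)
		rand.Read(buf)
		p := fmt.Sprintf("C:\\Users\\jdoe\\Documents\\report%d.docx", i)
		evs = append(evs, WriteEvent{TimeSec: float64(i), PID: 4242, Process: "svchost_.exe", OldPath: p, NewPath: p + ".locked", Data: buf})
	}
	zipped := make([]byte, 4096)
	rand.Read(zipped)
	evs = append(evs, WriteEvent{TimeSec: 2, PID: 300, Process: "7z.exe", OldPath: "C:\\Users\\jdoe\\photos.tmp", NewPath: "C:\\Users\\jdoe\\photos.zip", Data: zipped})
	evs = append(evs, WriteEvent{TimeSec: 3, PID: 77, Process: "winword.exe", OldPath: "C:\\Users\\jdoe\\notes.docx", Data: []byte(strings.Repeat("Quarterly notes, draft 3. ", 160))})
	return evs
}

func main() {
	fmt.Println("flagged PIDs:", FlagProcesses(SampleEvents()))
}
```

Only PID 4242 is flagged. Real products add more signals (writes to planted canary files, a ransom-note file dropped in every directory, the process having just deleted shadow copies) and respond by suspending the process and isolating the host rather than merely logging.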
Can ransomware infect my phone?
Yes, mobile ransomware exists, though it's less common. It typically locks your screen rather than encrypting files. Stick to official app stores and keep your phone updated.
Related Tools
- Password Generator — prevent brute-force entry points
- Anatomy of a Phishing Attack — recognize the #1 ransomware delivery method