Malware Guide · 9 min read · March 16, 2026

What Is Ransomware? How It Works & How to Protect Yourself (2026)

Ransomware is one of the most financially damaging forms of malware ever created. In 2023 alone, ransomware payments exceeded $1 billion — and attacks hit hospitals, schools, governments, and individuals worldwide. Here is exactly what it is, how it works, and what you can do to protect yourself starting today.

Quick Answer

Ransomware is malware that encrypts your files and demands payment — usually in cryptocurrency — in exchange for the decryption key. The best protection is maintaining offline backups, keeping software updated, and being careful about email attachments and links. Paying the ransom is generally not recommended.

$1B+ in ransom payments in 2023
66% of organisations hit in 2023
$1.85M average recovery cost per attack

What Is Ransomware?

Ransomware is a category of malicious software (malware) designed to deny you access to your own files or systems until you pay a fee to the attacker. The most common type works by encrypting your files — turning your documents, photos, and data into scrambled, unreadable content — and then demanding payment in exchange for the decryption key needed to restore them.

The word "ransomware" combines "ransom" and "software." It was first documented in the late 1980s, but it became a mass phenomenon in the 2010s when Bitcoin provided attackers with a way to receive payment anonymously. Before cryptocurrency, collecting a ransom without being traced was extremely difficult.

Modern ransomware operations are run like businesses. Criminal groups have dedicated development teams, customer service operations to help victims pay, and affiliate programmes that let other criminals deploy their ransomware in exchange for a share of the proceeds — a model known as Ransomware-as-a-Service (RaaS).

Types of Ransomware

Encrypting ransomware (Crypto ransomware)

The most common and destructive type. It encrypts specific file types on your device — documents, photos, videos, databases — leaving the operating system intact so you can still use the computer to read the ransom note and make payment. The encryption used is typically a standard strong cipher (AES-256 or RSA-2048), which cannot practically be broken without the key. Famous examples include WannaCry, CryptoLocker, and REvil.

Locker ransomware

Instead of encrypting files, locker ransomware locks you out of your operating system entirely. You boot your computer and see only the ransom demand — you cannot access the desktop, files, or any applications. This type is more common on mobile devices. The good news is that it doesn't actually damage your files, so recovery is often possible by booting from an external drive or restoring the system.

Double-extortion ransomware

A newer and more dangerous evolution. Before encrypting your files, the attacker first copies them to their own servers. They then threaten to publish your sensitive data publicly if you don't pay — even if you restore from backups. This means backups alone are no longer a complete solution for organisations storing sensitive customer or financial data. The Cl0p and LockBit ransomware groups are known for this approach.

Scareware

A less sophisticated variant that displays alarming messages claiming your computer is infected or that illegal activity has been detected (sometimes impersonating the police or FBI). It demands payment to "clean" or "unlock" the computer. Unlike real ransomware, scareware often hasn't actually done anything to your files — it's purely psychological pressure. However, some scareware does include real malicious components.

How a Ransomware Attack Unfolds: Step by Step

1. Initial access

The attacker gets ransomware onto your device. This most commonly happens through a phishing email with a malicious attachment (a macro-enabled Word document, a zip file containing an executable), a compromised website that exploits a browser vulnerability, or an exposed Remote Desktop Protocol (RDP) port with a weak password.

2. Execution

Once on your device, the ransomware executes. The initial file (often called a "dropper") may download additional components from the attacker's servers. It may also disable security software, delete system restore points and shadow copies (to prevent easy recovery), and establish persistence so it survives a reboot.

3. Reconnaissance and lateral movement

In enterprise attacks, the ransomware (or the attacker controlling it) explores the network to identify valuable targets — file servers, backup systems, domain controllers. It moves laterally using compromised credentials or unpatched vulnerabilities, infecting as many systems as possible before revealing itself.

4. Encryption

The ransomware begins encrypting files. It generates an encryption key, encrypts your files (often targeting specific extensions: .doc, .pdf, .jpg, .db), and renames them with a new extension. The original key is then encrypted using the attacker's public key, so only the attacker can provide the decryption key. This process can take seconds to hours depending on the volume of files.

5. The ransom demand

A ransom note appears — usually as a text file in every folder and/or as a desktop wallpaper change. It explains what happened, demands payment in cryptocurrency (typically Bitcoin or Monero), provides a wallet address, and often sets a deadline after which the price doubles or the decryption key is deleted.

6. Payment and decryption (if paid)

If the victim pays, the attacker provides a decryption tool or key. However, this is not guaranteed — some ransomware groups disappear after receiving payment, some provide broken decryption tools, and some demand additional payment. This is why paying is generally not recommended.

How Ransomware Spreads

Distribution methods by percentage of attacks (2025 data):

Phishing emails (54%): malicious attachments or links in convincing emails
Unpatched vulnerabilities (27%): exploiting known security flaws in software that has not been updated
Remote desktop compromise (12%): brute-forcing or exploiting exposed RDP ports
Malicious downloads (7%): fake software, pirated content, or trojanised installers


6 Things to Do Right Now to Protect Yourself

You do not need to be a technical expert to implement these. Each one meaningfully reduces your risk.

Step 1: Maintain the 3-2-1 backup rule

The single most effective protection against ransomware is maintaining backups that ransomware cannot reach. The 3-2-1 rule means: 3 copies of your data, on 2 different types of media, with 1 copy stored offsite (or offline). An external hard drive that stays permanently connected to your computer is not safe — ransomware will encrypt it too. Your backup must be either offline (disconnected) or on a service like cloud backup that keeps version history, so you can restore from before the infection.

Pro tip: Test your backups by restoring a file occasionally. A backup you have never tested is a backup you cannot trust.
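A restore drill is only meaningful if you compare what came back with what you backed up. As an added example that is not part of the original article, this Python script builds a SHA-256 manifest of a folder, then checks a restored copy against it and reports missing, modified and unexpected files; the sample documents and the "README_DECRYPT.txt" note are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored copy against the original's manifest.
    Returns files that are missing, whose content differs, and extra
    files that should not be there (for example a ransom note or an
    encrypted variant that was swept into the backup set)."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "modified": sorted(p for p in manifest
                           if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up two documents, run a faithful
    restore drill, then a second drill where one file came back
    corrupted and a ransom note had slipped into the backup set."""
    work = Path(tempfile.mkdtemp())
    src = work / "documents"
    (src / "photos").mkdir(parents=True)
    (src / "report.docx").write_bytes(b"quarterly report")
    (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8jpeg-bytes")
    manifest = build_manifest(src)

    restored = work / "restore_drill"
    shutil.copytree(src, restored)               # faithful restore
    clean = verify_restore(manifest, restored)

    (restored / "report.docx").write_bytes(b"garbled")      # corrupted copy
    (restored / "README_DECRYPT.txt").write_bytes(b"pay")   # note in backup set
    broken = verify_restore(manifest, restored)
    shutil.rmtree(work)
    return clean, broken
```

Run `demo()` to see the clean drill return three empty lists and the second drill flag `report.docx` as modified and the note as unexpected.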

Step 2: Keep everything updated

Many of the most damaging ransomware attacks in history — including WannaCry, which infected 200,000 computers in 150 countries — exploited vulnerabilities that had already been patched by the software vendor. The victims simply hadn't applied the updates. Enable automatic updates for your operating system, web browser, and all installed applications. Pay particular attention to software that handles untrusted content: PDF readers, office suites, and archive tools are common entry points.

Pro tip: Enable Windows Update or macOS Software Update to install updates automatically, including for Microsoft Office.

Step 3: Be extremely careful with email attachments and links

Email is the most common delivery mechanism for ransomware. Attackers send convincing emails with malicious attachments disguised as invoices, delivery notifications, legal documents, or HR communications. The attachment typically contains a macro-enabled Word document, a JavaScript file, or a zip archive containing an executable. Never enable macros in Office documents from unknown sources, and never open executable file types (.exe, .bat, .js, .vbs) from email.

Pro tip: If you receive an unexpected invoice or "important document" from someone you don't recognise, call them to verify before opening anything.
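The attachment types this step warns about (executables such as .exe, .bat, .js and .vbs, macro-enabled Office files, and zip archives that hide an executable) can be checked mechanically before a file is ever opened. As an added example that is not part of the original article, this Python function applies that policy to a file name and its bytes; the extension sets are an assumption for the demo, and the archives are constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types the article says never to open from email, plus macro-enabled
# Office formats. These sets are assumptions for the demo; extend as needed.
EXECUTABLE_EXTS = {".exe", ".bat", ".js", ".vbs", ".cmd", ".scr", ".ps1"}
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".pptm"}


def _ext(name):
    """Lower-cased final extension of a file name ('' if none)."""
    return PurePosixPath(name).suffix.lower()


def _zip_members(data):
    """Names inside an in-memory zip, or None if the bytes are not a zip."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return None
    with zipfile.ZipFile(buf) as zf:
        return zf.namelist()


def assess_attachment(name, data):
    """Return (verdict, reason) for one attachment: 'block' or 'allow'.
    Checks the extension, macro-enabled Office types, executables hidden
    one level inside a zip, and a VBA project inside a plain .docx."""
    ext = _ext(name)
    if ext in EXECUTABLE_EXTS:
        return "block", f"executable type {ext}"
    if ext in MACRO_EXTS:
        return "block", f"macro-enabled Office document {ext}"
    if ext == ".zip":
        members = _zip_members(data)
        if members is None:
            return "block", "zip extension but not a zip archive"
        for m in members:
            if _ext(m) in EXECUTABLE_EXTS | MACRO_EXTS:
                return "block", f"archive contains {m}"
    if ext == ".docx":
        # A .docx is itself a zip; a vbaProject.bin part means macros.
        members = _zip_members(data) or []
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "block", "docx carries a VBA macro project"
    return "allow", "no risky indicators"


def make_zip(members):
    """Constructed sample archive for testing: members is {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in members.items():
            zf.writestr(n, b)
    return buf.getvalue()
```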

Step 4: Scan files before opening them

Files downloaded from the internet, shared via email, or transferred from USB drives should be scanned before you open them. This is especially true for files from unfamiliar sources. Antivirus software helps but is not infallible — ransomware writers actively test their payloads against antivirus tools before deploying them. Using a file scanner that checks against multiple threat intelligence databases gives you broader coverage than a single antivirus engine.

Pro tip: SafeSearchScan's file scanner checks uploaded files against multiple threat databases. Use it for any file you're uncertain about.

Step 5: Use least-privilege access

Don't use an administrator account for everyday computer use. When ransomware runs with administrator privileges, it can encrypt more files, disable security software, and spread more easily. Create a standard user account for daily work and only switch to an administrator account when you actually need to install software or change system settings. On Windows, ensure UAC (User Account Control) is enabled so any attempt to run elevated processes prompts for confirmation.

Pro tip: This single change can significantly limit what ransomware can do even if it does get onto your system.

Step 6: Check URLs before clicking

Ransomware also spreads through malicious websites — particularly through drive-by downloads that exploit browser vulnerabilities, and through fake software download pages. Before visiting any unfamiliar website, check the URL carefully. Use SafeSearchScan's URL Checker to scan suspicious links before clicking. Be particularly cautious of links in emails, text messages, and social media — these are prime distribution channels for ransomware campaigns.

Pro tip: Keep your browser updated and consider using a browser extension that blocks known malicious domains.

What to Do If You're Already Infected

1. Disconnect immediately

Unplug the computer from the network (pull the ethernet cable, turn off Wi-Fi) to prevent ransomware from spreading to other devices and network shares. Do this before anything else.

2. Don't turn the computer off

Counterintuitively, leaving the computer running may preserve evidence and, in some cases, allow recovery tools to work. However, if the ransomware is still actively encrypting files, turning it off to stop further encryption may be the right call. Use your judgment.

3. Document what you see

Photograph or screenshot the ransom note. Record the file extension being used on encrypted files (e.g., .locked, .crypted, or a random string). This information helps identify the specific ransomware strain and check whether decryptors exist.

4. Check for a free decryptor

Visit nomoreransom.org — a joint initiative by Europol, the FBI, and security companies. Many ransomware families have had their encryption broken, and free decryption tools are available. You may not need to pay anything.

5. Report it

Report the attack to your national cybersecurity authority (in the UK: NCSC; in the US: CISA and the FBI's IC3). This helps authorities track and disrupt ransomware groups. For businesses, this may also be legally required under data protection regulations if personal data was affected.

6. Restore from backup

If you have clean, recent backups, this is your recovery path. Wipe the affected systems completely, reinstall the operating system fresh, then restore your data from backup. This is the reason backups are so critical — they give you a way out that doesn't involve paying criminals.

Notable Ransomware Attacks

WannaCry (2017)

Infected 200,000+ computers in 150 countries in 4 days by exploiting an unpatched Windows vulnerability (EternalBlue). Caused an estimated $4–8 billion in damages. The UK's NHS was severely affected, with hospitals forced to turn away patients.

NotPetya (2017)

Technically a "wiper" disguised as ransomware — it destroyed data rather than encrypting it for ransom. Primarily targeted Ukraine but spread globally. Caused over $10 billion in damages, making it the most destructive cyberattack in history.

Colonial Pipeline (2021)

A DarkSide ransomware attack on the largest US fuel pipeline caused widespread fuel shortages along the US East Coast. The company paid $4.4 million in ransom, though the FBI recovered most of it shortly afterward.

Royal Mail (2023)

LockBit ransomware disrupted UK Royal Mail's international export services for weeks. The attackers demanded £65.7 million ransom. Royal Mail refused to pay, leading to months of disruption.


Frequently Asked Questions

Should you pay ransomware attackers?

The FBI, CISA, and virtually all cybersecurity authorities advise against paying ransoms. Paying does not guarantee you will receive a working decryption key — roughly 30% of victims who pay never recover their files. It also funds criminal organisations and marks you as a willing payer, making you a target for repeat attacks. The better approach is to restore from backups, which is only possible if you have maintained them.

Can ransomware spread across a network?

Yes — modern ransomware is specifically designed to spread laterally across networks. Once one device is infected, it actively scans the local network for other machines and shared drives to encrypt. This is why ransomware attacks on businesses can affect hundreds of computers within hours of initial infection. Network-spreading ransomware often uses the same exploits that were used in the WannaCry and NotPetya attacks.

Can I get ransomware on my phone?

Yes, though it is less common than on Windows PCs. Mobile ransomware exists for both Android and iOS. Android is more vulnerable because it allows installation from outside the official app store. Mobile ransomware typically locks the screen rather than encrypting files, because file system access is more restricted on mobile operating systems. Keeping your phone's OS updated and only installing apps from official stores significantly reduces your risk.

What files does ransomware typically encrypt?

Ransomware targets files that are valuable to you but don't affect the computer's ability to boot — so it can still display the ransom demand. Typically targeted file types include documents (.doc, .docx, .pdf, .txt), spreadsheets (.xlsx, .csv), images (.jpg, .png, .raw), videos (.mp4, .mov), databases (.sql, .db), and backups (.bak). Most modern ransomware skips system files to keep the computer functional enough to show payment instructions.

How long does it take for ransomware to encrypt files?

Modern ransomware can encrypt thousands of files in minutes. Some strains can encrypt a typical home user's documents folder in under a minute. High-speed variants target the most valuable files first (documents, databases) in case they are interrupted. This speed means that by the time most users notice something is wrong, encryption is already complete. Early warning signs include unusually high CPU and disk activity, files being renamed with strange extensions, and programs refusing to open files.
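The attack chain described earlier (step 2 deleting shadow copies, step 4 renaming files to a new extension, step 5 dropping a ransom note in every folder) and the early warning signs in this answer are the same three indicators an endpoint detector can watch for. As an added example that is not part of the original article, this Python script runs that logic over constructed telemetry; the event format, thresholds and the command-line pattern are assumptions for the demo, and the sample events are not real data.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Thresholds are assumptions for the demo; tune them per environment.
RENAME_WINDOW_S = 60    # seconds within which the renames must occur
RENAME_THRESHOLD = 5    # extension-changing renames to one new suffix
NOTE_DIR_THRESHOLD = 3  # same file name created in this many folders
# Built-in Windows tools being used to remove shadow copies.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)


def detect(events):
    """events: dicts with 'ts' (seconds) and 'kind' in
    process (cmdline) / rename (old, new) / create (path).
    Returns human-readable alerts for the three indicators."""
    alerts, renames, notes = [], [], defaultdict(set)
    for e in events:
        if e["kind"] == "process" and SHADOW_DELETE.search(e["cmdline"]):
            alerts.append(f"shadow copy deletion: {e['cmdline']}")
        elif e["kind"] == "rename":
            old, new = PureWindowsPath(e["old"]), PureWindowsPath(e["new"])
            if new.suffix.lower() != old.suffix.lower():   # ignore plain moves
                renames.append((e["ts"], new.suffix.lower()))
        elif e["kind"] == "create":
            p = PureWindowsPath(e["path"])
            notes[p.name.lower()].add(str(p.parent).lower())
    renames.sort()
    for i, (t0, _) in enumerate(renames):   # sliding window over renames
        window = [ext for t, ext in renames[i:] if t - t0 <= RENAME_WINDOW_S]
        ext, n = Counter(window).most_common(1)[0]
        if n >= RENAME_THRESHOLD:
            alerts.append(f"mass rename: {n} files changed to '{ext}' within {RENAME_WINDOW_S}s")
            break
    for name, dirs in notes.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            alerts.append(f"possible ransom note '{name}' dropped in {len(dirs)} folders")
    return alerts


def sample_events():
    """Constructed telemetry, not real data: steps 2, 4 and 5 of the chain."""
    ev = [{"ts": 0, "kind": "process", "cmdline": "vssadmin.exe delete shadows"}]
    for i in range(6):
        ev.append({"ts": 10 + i, "kind": "rename",
                   "old": rf"C:\Users\ann\Documents\file{i}.docx",
                   "new": rf"C:\Users\ann\Documents\file{i}.docx.locked"})
    for d in ("Documents", "Pictures", "Desktop"):
        ev.append({"ts": 20, "kind": "create", "path": rf"C:\Users\ann\{d}\HOW_TO_DECRYPT.txt"})
    ev.append({"ts": 30, "kind": "rename", "old": r"C:\tmp\a.txt", "new": r"C:\tmp\a.md"})  # benign
    return ev
```

`detect(sample_events())` returns three alerts, while the single benign rename at the end produces none on its own.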