What Is Ransomware: How It Works, Spreads, and How to Defend Against It
Ransomware encrypts your files and demands payment for the key. Learn how it infects systems, how modern ransomware gangs operate, and the best defenses to protect individuals and organizations.
What Is Ransomware?
Ransomware is a type of malicious software that encrypts the victim's files or locks them out of their system, then demands a ransom payment—usually in cryptocurrency—in exchange for the decryption key needed to restore access. The name combines "ransom" and "software," perfectly describing its function: it holds your data hostage until you pay. Since the mid-2000s, ransomware has evolved from crude nuisanceware into a sophisticated criminal industry generating billions of dollars annually.
Early ransomware variants like the AIDS Trojan (1989) used simple symmetric encryption and demanded payment by postal mail. Modern ransomware uses strong public-key (asymmetric) cryptography, making decryption without the attacker's private key practically impossible. Today's ransomware attacks are often carried out by organized criminal groups with dedicated malware developers, negotiators, and customer-service portals. Some groups operate as Ransomware-as-a-Service (RaaS) businesses, licensing their malware to affiliates in exchange for a percentage of ransom payments.
The consequences extend far beyond financial loss. The 2021 Colonial Pipeline attack forced the shutdown of the largest fuel pipeline in the United States, causing fuel shortages across the East Coast. Hospitals attacked by ransomware have had to divert emergency patients and delay surgeries. In 2020, a German hospital's ransomware attack was linked to the death of a patient who had to be redirected to a more distant facility. Ransomware is no longer just a business problem—it is a public safety crisis.
How Ransomware Infects Systems
Phishing emails remain the most common ransomware delivery mechanism. A malicious attachment—often a Word document with a macro, a PDF, or a disguised executable—delivers the ransomware payload when opened. Increasingly, phishing links lead to drive-by download pages that exploit browser vulnerabilities. Spear-phishing campaigns targeting specific organizations or individuals are used for high-value attacks.
Exploitation of unpatched vulnerabilities is another major vector. The WannaCry attack of 2017 used EternalBlue, an NSA-developed exploit for a Windows SMB vulnerability, to spread across networks without any user interaction. Systems that had not applied Microsoft's critical security patch were immediately vulnerable. Remote Desktop Protocol (RDP) exploitation is similarly common; attackers scan the internet for exposed RDP ports and brute-force or use stolen credentials to gain access.
Supply chain attacks compromise software vendors or managed service providers (MSPs) to reach their customers. The 2021 Kaseya VSA attack exploited a vulnerability in an IT management tool to push ransomware to hundreds of MSP customers simultaneously, ultimately affecting over 1,500 businesses worldwide. Malicious ads (malvertising) on legitimate websites can silently deliver ransomware to visitors. Compromised software repositories and trojanized legitimate applications are increasingly used by sophisticated groups.
How Ransomware Works: The Encryption Process
Once ransomware gains a foothold, it typically begins by establishing persistence—adding itself to startup entries, scheduled tasks, or the Windows Registry—to survive reboots. It then obtains an attacker-controlled public key, usually from a command-and-control (C2) server, though some families carry the public key embedded in the binary so that encryption works even with no network connection. The matching private key stays with the attacker; without it, decryption is mathematically infeasible.
The malware then scans the system and mapped network drives for target files—documents, images, databases, backups—and encrypts them. Most families use a hybrid scheme: each file is encrypted with a fast symmetric cipher such as AES-256 under a freshly generated key, and that per-file key is itself encrypted with the attacker's RSA-2048 public key and stored with the file, so only the holder of the private key can recover it. Encrypted files are typically renamed with a distinctive extension (.locked, .crypted, or a group-specific extension). Modern ransomware is designed to encrypt as many files as possible as quickly as possible before detection systems can intervene.
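The rename-to-a-new-extension and encrypt-everything-fast behaviour described above is exactly what host-based detection keys on. The script below is an added illustration, not code from the original article or from any EDR product: it scores a stream of file-write events on two signals the article names (a rename onto a known ransomware extension, and new content that looks like ciphertext, measured as byte entropy) and flags any process that produces several such writes in a short window. The event schema, the sample events, the process names, and all thresholds are assumptions constructed for the example.

```python
import math
import os
from collections import defaultdict
from dataclasses import dataclass

# Extensions named in the article (.locked, .crypted); a real list would be far longer.
SUSPICIOUS_EXTENSIONS = {".locked", ".crypted"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and compressed data approach 8.0
BURST_COUNT = 5           # this many suspicious rewrites by one process ...
BURST_WINDOW = 10.0       # ... within this many seconds raises an alert (assumed tuning)


@dataclass
class FileEvent:
    """One rename-and-write as a file-system monitor might report it (assumed schema)."""
    ts: float        # seconds since epoch
    process: str     # image name of the writing process
    old_path: str
    new_path: str
    content: bytes   # bytes written to new_path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious(ev: FileEvent) -> bool:
    """A rename onto a known ransomware extension whose new content looks like ciphertext."""
    ext = os.path.splitext(ev.new_path)[1].lower()
    return ext in SUSPICIOUS_EXTENSIONS and shannon_entropy(ev.content) >= ENTROPY_THRESHOLD


def flag_processes(events) -> set:
    """Return the processes with BURST_COUNT suspicious events inside any BURST_WINDOW span."""
    stamps_by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suspicious(ev):
            stamps_by_proc[ev.process].append(ev.ts)
    flagged = set()
    for proc, stamps in stamps_by_proc.items():
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until it spans at most BURST_WINDOW seconds
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                flagged.add(proc)
                break
    return flagged


# Constructed sample content: a stand-in for ciphertext with exactly 8.0 bits/byte, and plain text.
CIPHERTEXT_LIKE = bytes(range(256)) * 8
PLAINTEXT_LIKE = b"Quarterly revenue summary, draft 3. " * 64

# Constructed sample events (paths and process names are illustrative only).
SAMPLE_EVENTS = [
    # a legitimate editor saving three documents: low entropy, normal extensions
    FileEvent(100.0, "winword.exe", "C:/Users/a/q1.docx", "C:/Users/a/q1.docx", PLAINTEXT_LIKE),
    FileEvent(130.0, "winword.exe", "C:/Users/a/q2.docx", "C:/Users/a/q2.docx", PLAINTEXT_LIKE),
    FileEvent(160.0, "winword.exe", "C:/Users/a/q3.docx", "C:/Users/a/q3.docx", PLAINTEXT_LIKE),
    # an archiver writing high-entropy data, but to a benign extension
    FileEvent(200.0, "7z.exe", "C:/Users/a/photos", "C:/Users/a/photos.zip", CIPHERTEXT_LIKE),
] + [
    # an unknown process rewriting six files with a .locked suffix inside six seconds
    FileEvent(300.0 + i, "unknown.exe", f"C:/Users/a/doc{i}.xlsx",
              f"C:/Users/a/doc{i}.xlsx.locked", CIPHERTEXT_LIKE)
    for i in range(6)
]

if __name__ == "__main__":
    print("flagged:", flag_processes(SAMPLE_EVENTS))
```

The archiver event shows why the two signals are combined: compressed archives are just as high-entropy as ciphertext, so entropy alone would be noisy, while an extension list alone is trivially bypassed by a family that picks a new suffix. Production EDR tools add further signals (honeypot "canary" files, deletion of shadow copies, the volume of files touched per second) and act by suspending the process rather than only alerting.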
Most modern ransomware also exfiltrates data before encrypting it, a tactic known as "double extortion." Attackers threaten to publish stolen data on "leak sites" on the dark web if the ransom is not paid. Some use "triple extortion," also contacting the victim's customers or partners and threatening to expose their data too. After encryption, a ransom note is deposited explaining the situation, providing a .onion (Tor) address to contact the attackers, and stating the ransom amount.
Ransomware-as-a-Service and Criminal Ecosystems
The ransomware landscape has professionalized dramatically. RaaS platforms like LockBit, BlackCat (ALPHV), and REvil (now defunct) provide a full ecosystem: a polished management portal, automated ransom negotiation tools, decryption testers that let victims verify the key works on a sample file, and even customer support. Affiliates—the actual attackers who infiltrate networks—receive 70-80% of ransom payments; the RaaS developers take the remainder.
Initial Access Brokers (IABs) are a specialized segment that compromises networks and sells that access to ransomware operators. This division of labor allows ransomware groups to scale efficiently. Dark web forums host markets for stolen credentials, exploit kits, and network access listings. A major corporation's RDP credentials might sell for a few hundred dollars; a well-positioned foothold in a hospital network might command tens of thousands.
Cryptocurrency, particularly Bitcoin and Monero, enables pseudonymous payment. Ransomware gangs use mixing services and cross-chain swaps to launder payments. Law enforcement has achieved some successes—the FBI recovered a portion of the Colonial Pipeline ransom by tracking the Bitcoin wallet—but attribution and prosecution remain difficult when groups operate from jurisdictions with limited cybercrime cooperation, particularly Russia, where many major groups are believed to be based.
Notable Ransomware Attacks
WannaCry (2017) infected over 200,000 systems across 150 countries in a single day, causing an estimated $4-8 billion in damages. It exploited the EternalBlue vulnerability and spread autonomously as a worm, requiring no user interaction. The UK's National Health Service was among the hardest hit, with hospitals canceling appointments and diverting ambulances. NotPetya (2017), though initially appearing to be ransomware, was actually a destructive wiper disguised as ransomware—designed to cause maximum damage rather than extract payment. It caused an estimated $10 billion in damages and is attributed to Russian military intelligence.
The Ryuk ransomware, used by a group known as Wizard Spider, targeted hundreds of hospitals, schools, and local governments between 2018 and 2021, demanding multimillion-dollar ransoms. The 2021 attack on Ireland's Health Service Executive (HSE) disrupted healthcare across Ireland for months, affecting cancer screenings, radiology, and diagnostic services. The JBS Foods attack in 2021 disrupted meat processing across North America and Australia, highlighting the vulnerability of critical food supply infrastructure.
Defending Against Ransomware
The 3-2-1 backup rule is the single most important defense: keep three copies of data, on two different media types, with one copy offsite or offline. Critically, backups must be isolated from the production network—ransomware that can reach backup systems will encrypt them too. Immutable backups (write-once storage) prevent ransomware from modifying or deleting backup copies. Regularly test backup restoration to ensure recovery is actually possible when needed.
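"Regularly test backup restoration" is easy to say and often skipped. The Python below is an added example, not code from the original article or from any backup product: it records a SHA-256 manifest of a tree at backup time, then verifies a restored tree against that manifest and reports files that are missing, modified, or unexpected, which is how a restore drill detects a backup that ransomware reached before it was taken offline. The directory layout, file names and the simulated damage in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded when the backup was taken."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed walkthrough: take a manifest, damage the tree, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "ledger.csv").write_text("2024-01,1200\n2024-02,980\n")
        (data / "notes.txt").write_text("restore drill checklist\n")
        manifest = build_manifest(data)  # in practice kept with the offline/immutable copy

        # Simulate a backup that ransomware reached: one file overwritten in place with
        # opaque bytes, one renamed to a .locked file (the extension pattern the article notes).
        (data / "notes.txt").write_bytes(b"\x8f\x21\x07\xc4" * 8)
        (data / "finance" / "ledger.csv").rename(data / "finance" / "ledger.csv.locked")
        return verify_restore(manifest, data)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its own storage: keep it with the offline or write-once copy (or sign it), because an attacker who can rewrite both the backup and its manifest defeats the check. The same three-way report is what a restore drill should produce on a clean restore: three empty lists.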
Patch management is foundational. The majority of ransomware infections exploit known, patched vulnerabilities. Organizations should prioritize patching internet-facing systems and critical infrastructure components. Disabling or restricting RDP where not needed, implementing network segmentation to limit lateral movement, and deploying Endpoint Detection and Response (EDR) tools can dramatically reduce both the likelihood and impact of an attack. Email filtering, web content filtering, and application allowlisting prevent many delivery mechanisms from succeeding.
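Where RDP cannot be removed entirely, its logon failures are worth watching, since the article notes that internet-facing RDP is routinely brute-forced or tried with stolen credentials. The following Python is an added detection example, not code from the original article or from any SIEM: it reads constructed one-line logon records modelled on Windows Security events (Event ID 4625 is a failed logon; logon type 10 is RemoteInteractive, i.e. RDP), groups failures by source address over a sliding window, and distinguishes a brute-force attempt against one account from a password spray across many accounts. The line format, the sample addresses (RFC 5737 documentation ranges) and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed one-line-per-event format standing in for a Security log export (assumed schema).
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)
FAILED_LOGON = "4625"        # Windows: "An account failed to log on"
RDP_LOGON_TYPE = "10"        # Windows logon type 10 = RemoteInteractive (RDP)
WINDOW = 300                 # seconds; the values below are assumed tuning, not standards
BRUTE_FORCE_THRESHOLD = 10   # failures against a single account from one source
SPRAY_USERS_THRESHOLD = 5    # distinct accounts tried from one source


def parse_rdp_failures(lines):
    """Keep only failed RDP logons, as (timestamp, source, user) tuples sorted by time."""
    out = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and m["eid"] == FAILED_LOGON and m["ltype"] == RDP_LOGON_TYPE:
            out.append((int(m["ts"]), m["src"], m["user"]))
    return sorted(out)


def detect(lines) -> dict:
    """Map each offending source address to the sorted list of patterns seen from it."""
    by_src = defaultdict(list)
    for ts, src, user in parse_rdp_failures(lines):
        by_src[src].append((ts, user))
    alerts = defaultdict(set)
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward so it spans at most WINDOW seconds
            while attempts[end][0] - attempts[start][0] > WINDOW:
                start += 1
            window = attempts[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= BRUTE_FORCE_THRESHOLD and len(users) == 1:
                alerts[src].add("brute-force")
            if len(users) >= SPRAY_USERS_THRESHOLD:
                alerts[src].add("password-spray")
    return {src: sorted(labels) for src, labels in alerts.items()}


# Constructed sample log.
SAMPLE_LINES = (
    # one source hammering a single account: 12 failures in 55 seconds
    [f"{1000 + 5 * i} EventID=4625 LogonType=10 User=administrator Source=203.0.113.7"
     for i in range(12)]
    # another source trying six different accounts once each
    + [f"{2000 + 20 * i} EventID=4625 LogonType=10 User=user{i} Source=198.51.100.9"
       for i in range(6)]
    # noise that must not alert: two failures, one success, one non-RDP (network) failure
    + [
        "3000 EventID=4625 LogonType=10 User=jsmith Source=192.0.2.5",
        "3010 EventID=4625 LogonType=10 User=jsmith Source=192.0.2.5",
        "3020 EventID=4624 LogonType=10 User=jsmith Source=192.0.2.5",
        "3030 EventID=4625 LogonType=3 User=svc_backup Source=192.0.2.5",
    ]
)

if __name__ == "__main__":
    for src, labels in detect(SAMPLE_LINES).items():
        print(src, labels)
```

The spray case matters because per-account lockout thresholds never trigger on it: each account sees one failure. Keying on the source address catches it, and the natural response is the one the article already recommends, which is to take RDP off the internet (VPN or gateway with multi-factor authentication in front of it) rather than to tune thresholds indefinitely.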
Zero-trust network architecture—where no device or user is trusted by default, even inside the corporate network—limits the blast radius when any single component is compromised. Multi-factor authentication prevents stolen credentials from being immediately useful. Employee training on recognizing phishing and suspicious behavior remains critical. Organizations should have a tested incident response plan that includes ransomware scenarios, with clear decision trees for when to notify law enforcement, how to communicate with stakeholders, and whether paying the ransom (generally discouraged by authorities) is even under consideration. Cyber insurance has become part of many organizations' risk management strategies, though insurers are increasingly scrutinizing security posture before issuing policies.