What is Ransomware?
Ransomware is a form of malicious software that restricts access to a user's data, usually by encrypting files, until a payment is made. Cybercriminals demand a ransom in return for a decryption key and may threaten to leak or permanently block access to the data if the payment is not completed.
This form of cyberattack has become increasingly widespread, targeting critical sectors such as government agencies, educational institutions, financial organizations, and healthcare systems. The financial impact is significant, with global losses amounting to billions annually due to ransom payments, downtime, and data recovery efforts.
Key Takeaways
- Ransomware is a major cybersecurity threat that encrypts or locks data and demands payment for restoration, often with no guarantee of recovery.
- Multiple variants have caused widespread disruption, showcasing increasingly sophisticated extortion methods.
- Prevention and preparedness through regular updates, employee training, backups, and layered security controls remain the most effective defence.
How Does Ransomware Work?
The operation of ransomware typically unfolds in three main stages: gaining access, encrypting data, and issuing a ransom demand. While methods differ across variants, the core process remains consistent.
1. Infection
Ransomware begins with infiltration into a system. This often happens through phishing emails containing malicious links or attachments. When a user clicks or downloads the file, the payload is triggered and installed.
Another common entry point is the misuse of Remote Desktop Protocol (RDP). Attackers use stolen or brute-forced login credentials to gain remote access to systems, from which they can manually deploy the ransomware.
Some variants exploit unpatched vulnerabilities in software or operating systems to spread without requiring user interaction. Many strains combine several of these tactics to improve their infection success rate.
2. Encryption
Once inside, the ransomware scans for specific files and begins encryption using an attacker-controlled key. It replaces the original files with encrypted versions, making them inaccessible. To prevent easy recovery, it may also delete local backups or shadow copies.
Most ransomware avoids encrypting core system files to ensure the device remains operational, allowing the victim to view the ransom instructions.
3. Ransom Demand
After encryption, a ransom note is delivered, often as a pop-up window, changed desktop background, or text file in each affected folder. Victims are asked to pay a specified amount in anonymous digital currency in exchange for a decryption key or tool.
If payment is made, the attacker may send either the key required to decrypt the files or a decryption utility. However, there is no guarantee that files will be restored, and paying the ransom may further encourage future attacks.
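The encryption stage described above usually begins with the ransomware removing the victim's local recovery options. The following is an added example (not part of the original article) that shows how a defender can catch that step in process-creation telemetry: it parses a small set of constructed log lines and flags command lines that delete shadow copies or backup catalogs, or disable boot-time recovery. The log line format is an assumption made for this example, and the indicator patterns are based on widely documented recovery-tampering behaviour rather than any specific strain.

```python
# Added example, not from the original article. Scans process-creation log
# lines for commands ransomware commonly runs to destroy local recovery
# options before encrypting. The log lines are constructed for this example
# and the line format is an assumption; the indicators are generic patterns.
import re
from collections import defaultdict

# Indicator name -> regex matched case-insensitively against the command line.
RECOVERY_TAMPERING = {
    "shadow copy deletion (vssadmin)":   r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "shadow copy deletion (wmic)":       r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "backup catalog deletion (wbadmin)": r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b",
    "recovery disabled (bcdedit)":       r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b",
}

# Assumed log format: "<timestamp> host=<h> user=<u> parent=<p> cmd=<command line>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def find_recovery_tampering(lines):
    """Return (timestamp, host, user, indicator, cmd) for each matching line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RECOVERY_TAMPERING.items():
            if re.search(pattern, rec["cmd"], re.IGNORECASE):
                hits.append((rec["ts"], rec["host"], rec["user"], name, rec["cmd"]))
                break  # one indicator per line is enough for an alert
    return hits

def hosts_with_multiple_indicators(hits, minimum=2):
    """Hosts where several distinct indicators fired: likely pre-encryption staging."""
    seen = defaultdict(set)
    for _, host, _, indicator, _ in hits:
        seen[host].add(indicator)
    return {h: inds for h, inds in seen.items() if len(inds) >= minimum}

# Constructed sample log: a benign editor launch, a legitimate backup job on a
# file server, and a burst of recovery tampering on one workstation.
SAMPLE_LOG = [
    r"2024-05-01T02:13:07Z host=WS-017 user=CORP\jdoe parent=explorer.exe cmd=notepad.exe C:\Users\jdoe\notes.txt",
    r"2024-05-01T02:14:22Z host=WS-017 user=CORP\jdoe parent=cmd.exe cmd=vssadmin.exe Delete Shadows /All /Quiet",
    r"2024-05-01T02:14:23Z host=WS-017 user=CORP\jdoe parent=cmd.exe cmd=wmic.exe shadowcopy delete",
    r"2024-05-01T02:14:25Z host=WS-017 user=CORP\jdoe parent=cmd.exe cmd=bcdedit.exe /set {default} recoveryenabled No",
    r"2024-05-01T02:15:00Z host=FS-02 user=CORP\backupsvc parent=services.exe cmd=wbadmin.exe start backup -backupTarget:E: -include:C:",
    r"2024-05-01T02:16:41Z host=WS-017 user=CORP\jdoe parent=cmd.exe cmd=wbadmin.exe delete catalog -quiet",
]

if __name__ == "__main__":
    hits = find_recovery_tampering(SAMPLE_LOG)
    for ts, host, user, indicator, cmd in hits:
        print(f"{ts} {host} {user}: {indicator}: {cmd}")
    for host, indicators in hosts_with_multiple_indicators(hits).items():
        print(f"ALERT {host}: {len(indicators)} distinct recovery-tampering indicators")
```

The benign wbadmin backup job on FS-02 does not match because the pattern requires the `delete ... catalog` form, which is the point of matching on the full command line rather than on the binary name alone. In practice the same logic runs over Sysmon or Security-log process-creation events, and a host showing two or more of these indicators within minutes is a strong trigger for the isolation step described later in this article.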
Types of Ransomware
Ransomware has advanced in complexity and tactics, resulting in several distinct forms. Below are the most common types and related variants seen in today’s threat landscape:
1. Double Extortion Ransomware
This variant not only encrypts files but also steals sensitive data before displaying the ransom note. If the ransom isn’t paid, attackers threaten to publish the stolen information, adding reputational damage to operational disruption.
2. Triple Extortion Ransomware
An escalation of double extortion, this form adds a further pressure tactic, such as threatening the victim's customers or partners, or launching Distributed Denial-of-Service (DDoS) attacks. The goal is to increase the chances of payment by amplifying the impact.
3. Locker Ransomware
Unlike file-encrypting variants, locker ransomware blocks access to the entire device or operating system interface, preventing the user from performing any actions until the ransom is settled. Personal files often remain untouched, but access is completely restricted.
4. Crypto Ransomware
Focused on encrypting valuable data files, crypto ransomware locks users out of specific documents, media, or databases. Ransom demands are usually made in cryptocurrency because of its anonymous nature and the difficulty of tracing payments.
5. Wiper Malware
Though it shares similarities with ransomware, wiper malware is designed to destroy data rather than profit from it. In some cases, it may simulate ransomware behaviour but ultimately erases the encrypted files or deletes the decryption key irreversibly.
6. Ransomware-as-a-Service (RaaS)
In this model, ransomware developers provide malware kits or platforms to affiliates, who carry out attacks in exchange for a share of the ransom. This has lowered the barrier to entry for cybercrime, making attacks more accessible and frequent.
7. Data-Theft-Only Ransomware
Some modern strains skip encryption entirely and focus solely on stealing data. This allows for quicker attacks and avoids triggering security systems that monitor file encryption activity. Victims are then extorted under the threat of data exposure.
Ransomware continues to evolve with increasingly aggressive tactics, making it harder for organizations to defend against both data loss and digital blackmail.
How to Remove Ransomware
If a ransomware infection is detected, immediate action is essential to limit damage. Below are practical steps for containment, cleanup, and recovery.
1. Disconnect Infected Devices
Immediately isolate affected systems from the network, including Wi-Fi and shared drives. This helps prevent the ransomware from spreading to other devices.
2. Assess the Type of Ransomware
Take note of visible ransom messages, filenames, or behavioral patterns. Understanding the variant involved will guide the appropriate response and potential recovery options.
3. Scan with Security Tools
Deploy trusted antivirus or anti-malware tools to thoroughly scan the system. This can identify and remove the ransomware and other associated threats. For complex infections, professional cybersecurity support may be required.
4. Remove Malicious Files
Follow the cleanup steps recommended by the security tool. In some cases, rebooting in Safe Mode and running the scan again may be necessary to fully remove the ransomware.
5. Attempt File Recovery
Whether encrypted data can be recovered depends on the ransomware type. If backups exist, restore files from a clean copy. Some older variants have publicly available decryption tools, but many modern strains do not.
6. Avoid Paying the Ransom
While removing ransomware disables the attacker’s control, it does not decrypt files. Paying the ransom is discouraged, as it offers no guarantee of recovery and may encourage further attacks.
Removing ransomware is a critical first step, but data recovery may not always be possible, especially without proper backups or known decryption solutions.
How to Protect Your Systems from Ransomware
Preventing ransomware requires a layered security strategy that combines proactive technology measures with user awareness. Below are essential practices to reduce the risk of infection and strengthen organizational defence.
1. Keep Systems Updated
Apply security updates and patches regularly to close known vulnerabilities in operating systems, software, and firmware. Enabling automatic updates ensures that critical fixes are applied without delay.
2. Use Trusted Security Software
Install a reliable antivirus solution with ransomware-specific detection capabilities. Ensure it includes live threat monitoring, email filtering, and automated threat intelligence updates to detect malicious activity before damage occurs.
3. Enable Multi-Factor Authentication (MFA)
Adding an extra layer of verification for system logins and remote access significantly reduces the risk of unauthorized entry through stolen credentials.
4. Control Application Access (Whitelisting)
Allow only verified and necessary software to run within the environment. Application whitelisting limits the execution of unknown programs and helps block potentially harmful code from launching.
5. Backup Data Regularly
Maintain secure, offline backups of important data. Ensure backups are updated frequently and tested periodically for integrity. In the event of an attack, backups allow systems to be restored without paying the ransom.
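"Tested periodically for integrity" is the part of the backup advice most often skipped, and a backup that was silently overwritten with encrypted data is discovered only when it is needed. The following added example (not from the original article) shows one way to do that test: record a SHA-256 manifest when the backup set is written, then verify it later, reporting changed, missing and unexpected files and flagging any changed file whose contents look encrypted (byte entropy close to 8 bits per byte). The directory layout, file contents and entropy threshold are constructed assumptions for this example.

```python
# Added example, not from the original article. Builds a SHA-256 manifest of a
# backup set and later verifies it, flagging files that changed, went missing
# or appeared, and calling out changed files with encryption-like entropy.
# The sample backup set below is constructed in a temporary directory.
import hashlib
import math
import os
import tempfile
from collections import Counter

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits per byte. Text sits around 4-5; encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def verify_backup(root, manifest, entropy_threshold=7.5):
    """Compare the files under root against a stored manifest."""
    findings = {"changed": [], "missing": [], "unexpected": [], "high_entropy": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["changed"].append(rel)
    findings["unexpected"] = sorted(rel for rel in current if rel not in manifest)
    # A changed or new file full of near-random bytes is the signature of
    # encrypted content replacing the original (threshold is an assumption).
    for rel in findings["changed"] + findings["unexpected"]:
        with open(os.path.join(root, rel), "rb") as f:
            if shannon_entropy(f.read()) >= entropy_threshold:
                findings["high_entropy"].append(rel)
    return findings

def demo():
    """Constructed scenario: clean verification, then a tampered backup set."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.txt"), "w") as f:
            f.write("Quarterly report: revenue up, costs flat.\n" * 200)
        with open(os.path.join(root, "ledger.csv"), "w") as f:
            f.write("date,account,amount\n2024-05-01,1001,42.00\n" * 100)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulate what a compromised backup looks like: one file replaced with
        # random bytes (standing in for ciphertext), one file deleted, one added.
        with open(os.path.join(root, "report.txt"), "wb") as f:
            f.write(os.urandom(4096))
        os.remove(os.path.join(root, "ledger.csv"))
        with open(os.path.join(root, "extra.log"), "w") as f:
            f.write("job finished\n")
        tampered = verify_backup(root, manifest)
    return clean, tampered

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean)
    print("tampered run:", tampered)
```

Store the manifest somewhere the backup job itself cannot write (a separate, read-only or offline location); a manifest kept beside the backup can be overwritten along with it. The entropy check is a heuristic, so legitimately compressed or already-encrypted archives will also exceed the threshold and should be allowed for by name or type.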
6. Train Users on Threat Awareness
Educate staff to recognize phishing emails, suspicious links, and unexpected file attachments. Human error remains one of the most common causes of ransomware infections, making awareness critical.
7. Secure Remote Access
Restrict and monitor access through Remote Desktop Protocol (RDP) and other remote tools. Use strong passwords, change default ports, and enforce MFA to protect entry points.
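Monitoring RDP means looking for the brute-force pattern mentioned in the infection section: many failed logons from one source in a short window, and especially a success that follows them. The following added example (not from the original article) implements that detection over constructed Windows Security-log style events. Event ID 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real values in that log; the one-line text format, the threshold and the window are assumptions made for this example.

```python
# Added example, not from the original article. Detects RDP password guessing
# from simplified Windows Security-log events: a burst of failed logons
# (4625, logon type 10) from one source IP inside a time window, and any
# success (4624, type 10) from that source afterwards. Events are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed one-line event format for this example.
EVENT = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+LogonType=(?P<type>\d+)\s+"
    r"TargetUser=(?P<user>\S+)\s+SourceIP=(?P<ip>\S+)$"
)

def parse_event(line):
    m = EVENT.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(m["id"]),
        "type": int(m["type"]),
        "user": m["user"],
        "ip": m["ip"],
    }

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources exceeding `threshold` RDP failures
    within `window`; alert records the usernames tried and any later success."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["type"] != 10:   # only RemoteInteractive (RDP) logons
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["id"] == 4625:
            q = recent[ip]
            q.append(ts)
            users[ip].add(ev["user"])
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                # users[ip] is shared by reference, so later attempts keep it current
                alerts[ip] = {"first_seen": q[0], "failures": len(q),
                              "users": users[ip], "success_after": None}
        elif ev["id"] == 4624 and ip in alerts:
            # The worst case: a guessed password worked after the burst.
            alerts[ip]["success_after"] = (ts, ev["user"])
    return alerts

# Constructed sample: one source cycling through accounts and finally logging
# in, one user with two typos, and a non-RDP failure that must be ignored.
SAMPLE_EVENTS = [
    "2024-05-01T03:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45",
    "2024-05-01T03:00:04Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45",
    "2024-05-01T03:00:09Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45",
    "2024-05-01T03:00:12Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.7",
    "2024-05-01T03:00:15Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45",
    "2024-05-01T03:00:22Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45",
    "2024-05-01T03:00:30Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45",
    "2024-05-01T03:00:35Z EventID=4625 LogonType=2 TargetUser=svc_print SourceIP=203.0.113.99",
    "2024-05-01T03:00:41Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45",
    "2024-05-01T03:00:44Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.7",
    "2024-05-01T03:00:55Z EventID=4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.45",
]

if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {alert['failures']} RDP failures since {alert['first_seen']}, "
              f"users tried {sorted(alert['users'])}, success after: {alert['success_after']}")
```

A source that trips the threshold is a candidate for blocking at the firewall; a source with `success_after` set is an incident, because the account named there should be treated as compromised and the session it opened as the likely starting point for manual ransomware deployment. Enforcing MFA on RDP, as the article recommends, is what turns that success into a failure even when the password is guessed.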
8. Deploy Advanced Network Security
Utilize next-generation firewalls, intrusion detection systems, and web filtering to block malicious traffic. Segmentation of networks also helps contain the spread if an infection occurs.
9. Implement Sandboxing for Application Testing
Analyze unknown or untrusted applications in a sandboxed environment to detect malicious behaviour before they interact with the main network.
10. Validate Software Sources
Ensure any software installed is obtained from official or verified providers. Avoid downloading tools from email links or untrusted websites, as these can serve as delivery vehicles for ransomware.
Despite following best practices, ransomware continues to pose a serious risk, emphasizing the need for constant vigilance, user training, and resilience planning.
Popular Ransomware Variants
Over the years, thousands of ransomware variants have emerged, each with distinct behaviours, targets, and capabilities. Below are some of the most widely recognized and impactful strains:
1. LockBit
LockBit is one of the most active ransomware families in recent years, known for its fast encryption speeds and professionalized operations. It operates as a Ransomware-as-a-Service (RaaS) model and has been responsible for numerous attacks globally, even after facing law enforcement crackdowns and partial infrastructure takedowns.
2. REvil (Sodinokibi)
REvil gained notoriety through large-scale attacks and was a key player in advancing double extortion and RaaS tactics. High-profile incidents involving JBS USA (one of the world’s largest meat processing companies) and Kaseya (a provider of IT management software) marked its influence, with ransom demands reaching into the millions. Though disrupted by authorities, REvil's tactics continue to shape modern ransomware strategies.
3. Ryuk
Ryuk is associated with targeted attacks on large enterprises and critical infrastructure. It can disable system backups and restore functions, increasing the pressure on victims. With ransom amounts typically exceeding USD 1 million, Ryuk exemplified the shift toward financially motivated, high-impact campaigns.
There are many more variants that demonstrate the growing sophistication of ransomware groups, with many continuing to evolve despite global efforts to dismantle them.
Key Terms
Ransomware-as-a-Service (RaaS)
A distribution model where attackers lease ransomware tools to affiliates for a share of the ransom profits.
Double Extortion
A tactic where attackers steal and encrypt data, threatening to leak it if the ransom is not paid.
Encryption Key
A unique code used by ransomware to lock files; required to decrypt and restore access.