Key Terms
Ransomware
Malware that encrypts a victim's files and demands payment for the decryption key, usually in cryptocurrency because those payments cannot be reversed and are hard to tie to a real-world identity.
Encryption
A mathematical process that makes data unreadable without the correct key. Ransomware typically uses a hybrid scheme: each file is encrypted with a fast symmetric cipher such as AES or ChaCha20, and the per-file key is itself encrypted with the attacker's public key. Without the attacker's private key, recovery is computationally infeasible.
Double Extortion
Encrypting data and also threatening to publish stolen copies of it. Common since 2019, the technique means that restoring from backup no longer ends the incident and that paying does not guarantee the data stays private.
RaaS
Ransomware-as-a-Service — a criminal franchise model where core developers sell ransomware toolkits to affiliates who conduct attacks and split the ransom proceeds.

What ransomware is and how it works

Ransomware is malware with one goal: make your data inaccessible until you pay. Once it executes on a victim's machine, it enumerates every file it can reach (local drives, mapped network shares, connected backup drives), usually skipping the operating system files needed to keep the machine bootable so the victim can still read the demand. Each file is encrypted with a fast symmetric cipher under a freshly generated key, and that key is in turn encrypted with the attacker's public key embedded in the payload; the private key needed to unwrap it exists only on the attacker's side. A ransom note, dropped in every folder, explains how to pay.
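To make that key model concrete, here is an added example (not code from the page or from any ransomware family) of the hybrid pattern described above, written in Go with only the standard library: a random AES-256-GCM key per file, wrapped with RSA-OAEP under a public key whose private half stays with the key's owner. It works on a constructed in-memory byte string rather than real files, and the key pair it generates stands in for the attacker's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedBlob is what a hybrid scheme leaves behind per file: the
// symmetric ciphertext plus the per-file key wrapped with the attacker's
// RSA public key. The RSA private key never appears on the victim side.
type EncryptedBlob struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// encryptHybrid encrypts plaintext under a fresh random AES-256 key with
// GCM, then wraps that key with RSA-OAEP under pub. Only the public key is
// needed here, so this step can run anywhere; the private key stays with
// whoever generated the pair.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*EncryptedBlob, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKey: wrapped,
	}, nil
}

// decryptHybrid unwraps the per-file key with priv and decrypts the
// ciphertext. There is no other route to fileKey: it was random, it is
// never stored in the clear, and OAEP rejects any other private key.
func decryptHybrid(priv *rsa.PrivateKey, blob *EncryptedBlob) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
}

func main() {
	// Constructed demo keys: this pair stands in for the attacker's. In a real
	// payload only the public half is embedded; the private half never leaves
	// the operator.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sample := []byte("Q3 revenue figures (constructed sample file contents)")
	blob, err := encryptHybrid(&attacker.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext %d bytes, wrapped key %d bytes\n", len(blob.Ciphertext), len(blob.WrappedKey))

	// A victim holding a different key pair (or none at all) gets nowhere.
	victim, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := decryptHybrid(victim, blob); err != nil {
		fmt.Println("victim key:", err)
	}
	plain, err := decryptHybrid(attacker, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker key: %s\n", plain)
}
```

The point for defenders is in decryptHybrid: the file key is random, never stored in the clear, and the OAEP padding check rejects any other private key, so when the scheme is implemented correctly there is nothing left on the infected machine to recover. Free decryptors exist only for families that got this wrong (reused keys, keys left in memory or on disk, weak randomness), which is why recovery planning has to assume the cryptography will hold.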

Payment is demanded in cryptocurrency, usually Bitcoin or Monero, because the transfers are irreversible and no bank sits in the middle to freeze them. Bitcoin is pseudonymous rather than anonymous: every payment is visible on the public ledger and can be followed by investigators, which is how part of the Colonial Pipeline ransom was recovered, so several groups prefer Monero, whose ledger hides amounts and counterparties. Attackers frequently provide a darknet "customer support" portal where victims can negotiate the ransom amount, receive proof-of-decryption for one sample file, or request a payment extension.

Modern ransomware groups don't simply encrypt and demand payment. Since 2019, the dominant technique has been double extortion: exfiltrating sensitive data before encrypting it, then threatening to publish it on a dedicated leak site if the ransom is not paid. Paying therefore no longer guarantees your data won't be exposed, and restoring from backup no longer ends the incident: the leak threat is a second lever of pressure, independent of the encryption.

The Ransomware-as-a-Service model

Ransomware is no longer the exclusive tool of elite hackers. The RaaS model has industrialised it. Core developers build the ransomware, manage the command-and-control (C2) infrastructure, operate the payment portals, and handle victim negotiations. Affiliates, who may have limited technical skills, purchase access to the toolkit, conduct attacks themselves, and hand over a percentage of any ransom received (commonly 20 to 30% to the developers, the rest to the affiliate).

The result is a criminal franchise. The barrier to entry has dropped dramatically. An affiliate needs only to find a way into a network (phishing, an exposed RDP port, or a purchased credential) and deploy the payload. The developers handle everything else.

Major RaaS operations include LockBit (the most prolific group by victim count), BlackCat/ALPHV (among the first major families written in Rust, which gave it Windows, Linux and VMware ESXi builds from one code base and initially tripped up analysis tooling tuned to C/C++ binaries), Cl0p (responsible for mass exploitation of vulnerabilities in managed file-transfer products), and DarkSide (responsible for the Colonial Pipeline attack before rebranding).

Colonial Pipeline — One Password, Half the US East Coast

Colonial Pipeline paid $4.4M to the DarkSide ransomware group after a password exposed in an earlier, unrelated breach was found to work on a dormant VPN account that had no MFA. The attack shut down the fuel pipeline serving 45% of the US East Coast, causing fuel shortages across multiple states. The US government later recovered $2.3M by following the Bitcoin on the public ledger and obtaining the private key of the wallet that held it, but the reputational and operational damage was already done.

How ransomware enters your network

Ransomware operators don't break in — they walk in through doors that were left open. The most common initial access vectors are:

  • Phishing emails: Malicious attachments (Office documents with macros, PDFs with embedded links) or links to credential-harvesting pages. The most common entry point overall.
  • RDP brute force: Remote Desktop Protocol on port 3389 exposed to the internet with weak or compromised credentials is a favourite target. Automated scanners probe millions of IPs for open RDP continuously.
  • Unpatched vulnerabilities: WannaCry exploited EternalBlue (MS17-010), a Windows SMBv1 vulnerability that Microsoft had patched two months earlier; organisations that had not applied the patch were compromised at scale.
  • Supply chain compromise: Inserting malware into a trusted software update that is then distributed to thousands of customers automatically.
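Phishing succeeds more easily when the sender address can be forged, which is what the SPF, DKIM and DMARC controls in the defence section below are for. The following is an added example, not the page's code or any mail server's, of how a receiving server applies a DMARC record: it parses the TXT record, checks whether the SPF- or DKIM-authenticated domain aligns with the visible From domain, and otherwise returns the disposition the domain owner asked for. The domain names are reserved example names, and the organizational-domain rule is simplified to the last two labels (real receivers consult the Public Suffix List).

```go
package main

import (
	"fmt"
	"strings"
)

// DMARCRecord holds the tags this evaluator uses from a _dmarc TXT record.
type DMARCRecord struct {
	Policy string // p=: none, quarantine or reject
	ADKIM  string // adkim=: "r" relaxed (default) or "s" strict
	ASPF   string // aspf=: "r" relaxed (default) or "s" strict
}

// AuthResults is what the receiving MTA established before the DMARC step.
type AuthResults struct {
	FromDomain string // domain of the RFC5322.From header, the address the user sees
	SPFPass    bool
	SPFDomain  string // RFC5321.MailFrom domain that SPF was evaluated for
	DKIMPass   bool
	DKIMDomain string // d= tag of a signature that verified
}

// parseDMARC parses the tag=value list of a DMARC TXT record.
func parseDMARC(txt string) (DMARCRecord, error) {
	rec := DMARCRecord{ADKIM: "r", ASPF: "r"}
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	if tags["v"] != "DMARC1" {
		return rec, fmt.Errorf("not a DMARC record: %q", txt)
	}
	switch p := strings.ToLower(tags["p"]); p {
	case "none", "quarantine", "reject":
		rec.Policy = p
	default:
		return rec, fmt.Errorf("missing or invalid p= tag in %q", txt)
	}
	if v, ok := tags["adkim"]; ok {
		rec.ADKIM = strings.ToLower(v)
	}
	if v, ok := tags["aspf"]; ok {
		rec.ASPF = strings.ToLower(v)
	}
	return rec, nil
}

// orgDomain approximates the organizational domain as the last two labels.
// Real receivers consult the Public Suffix List (so co.uk is not treated as
// an organization); the two-label rule is a simplification for this example.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned implements identifier alignment: strict needs an exact match with
// the From domain, relaxed accepts any subdomain of the same organization.
func aligned(fromDomain, authDomain, mode string) bool {
	if authDomain == "" {
		return false
	}
	f, a := strings.ToLower(fromDomain), strings.ToLower(authDomain)
	if mode == "s" {
		return f == a
	}
	return orgDomain(f) == orgDomain(a)
}

// evaluate returns "pass" if SPF or DKIM passed AND the authenticated domain
// aligns with the From domain; otherwise it returns the disposition the domain
// owner requested. Spoofed mail that passes SPF for the attacker's own sending
// domain therefore still fails: the identifier does not align.
func evaluate(rec DMARCRecord, r AuthResults) string {
	spfAligned := r.SPFPass && aligned(r.FromDomain, r.SPFDomain, rec.ASPF)
	dkimAligned := r.DKIMPass && aligned(r.FromDomain, r.DKIMDomain, rec.ADKIM)
	if spfAligned || dkimAligned {
		return "pass"
	}
	return rec.Policy
}

func main() {
	// Constructed record for the reserved domain example.com.
	rec, err := parseDMARC("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
	if err != nil {
		panic(err)
	}
	cases := map[string]AuthResults{
		"spoofed From, SPF passes only for the attacker's own sending domain": {
			FromDomain: "example.com", SPFPass: true, SPFDomain: "attacker.example"},
		"legitimate mail signed by the domain itself": {
			FromDomain: "example.com", DKIMPass: true, DKIMDomain: "example.com"},
		"bulk sender signing as a subdomain, rejected because adkim=s wants an exact match": {
			FromDomain: "example.com", DKIMPass: true, DKIMDomain: "news.example.com"},
		"bounce subdomain accepted via SPF under relaxed aspf": {
			FromDomain: "example.com", SPFPass: true, SPFDomain: "bounce.example.com"},
	}
	for name, c := range cases {
		fmt.Printf("%-85s -> %s\n", name, evaluate(rec, c))
	}
}
```

Two things follow for the defence bullet later on the page: a record with p=none only reports and blocks nothing, so the control is not in place until the policy is quarantine or reject, and strict alignment will break legitimate third-party senders unless they sign with (or send from) the exact From domain.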

Once inside, attackers don't immediately detonate the ransomware. They move laterally, using stolen credentials, pass-the-hash, or exploitation of additional vulnerabilities, to reach domain controllers, backup systems, and the most valuable data stores. Along the way they typically disable security tooling, delete volume shadow copies and wipe or encrypt online backups so that nothing survives to restore from. Only then is the ransomware pushed out, often via Group Policy or PsExec from a domain controller, and executed across the entire environment at once.

Notable ransomware attacks

WannaCry (2017) — Infected some 230,000 machines across 150 countries in a single day using the EternalBlue NSA exploit leaked by the Shadow Brokers group. The UK National Health Service was particularly hard hit, with thousands of appointments cancelled and ambulances diverted. Estimated damage: $4 billion. The kill switch, a hardcoded domain that halted the spread once it resolved, was discovered by a security researcher who registered the domain for around £8.

NotPetya (2017) — Disguised as ransomware but actually a destructive wiper: it encrypted machines with no way to decrypt them, even if victims paid. Targeted Ukraine but spread globally via a compromised update of the Ukrainian accounting software M.E.Doc. Maersk, the world's largest shipping company, had to rebuild its global IT estate (about 4,000 servers and 45,000 PCs) from scratch. Estimated damage: $10 billion. Attributed to the Russian GRU.

Colonial Pipeline (2021) — As detailed above, a single compromised VPN credential with no MFA enabled DarkSide to shut down fuel supply to 45% of the US East Coast.

Defending against ransomware

No single control stops ransomware — defence requires layered controls across people, process, and technology:

  • 3-2-1 backups, plus an offline copy: Maintain 3 copies of data on 2 different media types with 1 copy offsite. Extend the rule with at least one copy that is offline or immutable (tape in a vault, object storage with a retention lock), because an attacker who reaches the backup server will encrypt or delete whatever it can write to. Test restores regularly; a backup that has never been restored is an assumption, not a control.
  • MFA everywhere: Especially on VPN, remote access, and email. The Colonial Pipeline intrusion came through a VPN account with no MFA; a second factor would almost certainly have closed that path in. Prefer phishing-resistant factors (FIDO2 security keys) over SMS or push prompts, which can be phished or spammed until the user approves.
  • Aggressive patch management: EternalBlue had a Microsoft patch available two months before WannaCry. Every unpatched vulnerability is a potential entry point. Prioritise internet-facing systems and known exploited vulnerabilities (CISA's KEV catalogue).
  • Network segmentation: Divide the network so that a compromised workstation cannot reach domain controllers, backup systems, or production servers without traversing a monitored chokepoint. Limits the blast radius of a successful intrusion.
  • EDR with behavioural detection: Endpoint Detection and Response tools that look for encryption behaviour (one process rewriting or renaming many files in seconds, high-entropy writes, shadow-copy deletion, a ransom note dropped into every directory) rather than only matching known malware signatures can kill the process before the encryption completes. Canary files that no legitimate process should touch give a cheap, high-fidelity trigger.
  • Email filtering: Block macros in Office documents that arrive from the internet (Microsoft now does this by default for files carrying the Mark of the Web, but verify the policy has not been overridden), sandbox attachments before delivery, and publish SPF, DKIM and a DMARC record with an enforcing policy (p=quarantine or p=reject) so that receivers drop mail spoofing your domain.
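As an added example of the behavioural detection the EDR bullet describes (not the page's code or any vendor's product), the Go program below replays constructed file-activity telemetry and flags a process whose extension-changing renames and high-entropy writes exceed a threshold inside a sliding time window. Field names, thresholds and the sample trace are all assumptions of the example; the synthetic high-entropy buffer stands in for ciphertext.

```go
package main

import (
	"fmt"
	"math"
	"path/filepath"
	"sort"
	"time"
)

// FileEvent is a constructed, simplified stand-in for an EDR sensor's file
// telemetry: Head is the leading bytes of a write, NewPath the rename target.
type FileEvent struct {
	At      time.Duration // offset from the start of the trace
	PID     int
	Op      string // "write" or "rename"
	Path    string
	NewPath string
	Head    []byte
}

// Tuning assumptions for this example; a real product baselines these per site.
const (
	window         = 10 * time.Second // sliding window per process
	burstThreshold = 20               // encryption-like ops within the window
	entropyCutoff  = 7.5              // bits per byte; office documents sit far lower
)

// shannonEntropy returns bits per byte (0..8); encrypted output is close to 8.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	e, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			e -= p * math.Log2(p)
		}
	}
	return e
}

// looksEncrypted flags an extension-swapping rename or a high-entropy write;
// each on its own is normal, a burst of them from one process is not.
func looksEncrypted(ev FileEvent) bool {
	if ev.Op == "rename" {
		return filepath.Ext(ev.Path) != filepath.Ext(ev.NewPath)
	}
	return ev.Op == "write" && shannonEntropy(ev.Head) >= entropyCutoff
}

// detect replays the trace in time order (sorting it in place), keeps a sliding
// window of encryption-like operations per PID, and returns each PID whose
// window ever reached burstThreshold together with the peak count it hit.
func detect(events []FileEvent) map[int]int {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At < events[j].At })
	windows := map[int][]time.Duration{}
	flagged := map[int]int{}
	for _, ev := range events {
		if !looksEncrypted(ev) {
			continue
		}
		w := append(windows[ev.PID], ev.At)
		for ev.At-w[0] > window { // evict operations older than the window
			w = w[1:]
		}
		windows[ev.PID] = w
		if len(w) >= burstThreshold && len(w) > flagged[ev.PID] {
			flagged[ev.PID] = len(w)
		}
	}
	return flagged
}

// sampleTrace is constructed: PID 1188 saves letters at a human pace, then
// PID 4242 overwrites and renames 30 documents within six seconds. The
// synthetic uniform buffer stands in for ciphertext.
func sampleTrace() []FileEvent {
	cipherish := make([]byte, 4096)
	for i := range cipherish {
		cipherish[i] = byte(i*167 + 29) // 167 is odd, so every byte value occurs equally often
	}
	var evs []FileEvent
	for i := 0; i < 5; i++ {
		evs = append(evs, FileEvent{At: time.Duration(i) * time.Second, PID: 1188, Op: "write",
			Path: fmt.Sprintf("C:/Users/alice/Documents/letter%d.docx", i),
			Head: []byte("Dear Ms Patel, thank you for your letter of 3 March.")})
	}
	for i := 0; i < 30; i++ {
		t := 20*time.Second + time.Duration(i)*200*time.Millisecond
		p := fmt.Sprintf("C:/Users/alice/Documents/report%d.docx", i)
		evs = append(evs,
			FileEvent{At: t, PID: 4242, Op: "write", Path: p, Head: cipherish},
			FileEvent{At: t + 50*time.Millisecond, PID: 4242, Op: "rename", Path: p, NewPath: p + ".locked"})
	}
	return evs
}

func main() {
	for pid, peak := range detect(sampleTrace()) {
		fmt.Printf("TERMINATE pid %d: %d encryption-like file operations within %s\n", pid, peak, window)
	}
}
```

The word processor stays under the threshold because its writes are low-entropy and its filenames keep their extensions; the second process trips it within a few seconds. A production detector would add further signals (the same ransom-note filename appearing in many directories, deletion of volume shadow copies, writes to canary files) and act in-line rather than alert, because by the time a human reads the alert the encryption is finished.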
Ransomware by the numbers

  • $1.1B: ransom payments globally in 2023
  • 22 days: average downtime after a ransomware attack
  • 40%: share of victims who pay and still never fully recover their data
Train with VAPTIC
CEH v13 / CompTIA Security+
CEH covers malware analysis and ransomware techniques. Security+ covers defensive controls.