What Is Ransomware?
Ransomware is a category of malicious software that encrypts your files (documents, photos, databases, anything it can reach) and then demands payment, usually in cryptocurrency, for the key needed to decrypt them. When the encryption is implemented correctly, as it is in most current families, recovering the key by brute force is computationally infeasible. Recovery then depends on restoring from a backup, on a free decryptor released after researchers found a flaw in a particular family's implementation or law enforcement seized its keys, or on paying. Only the first of these is under your control.
The threat has evolved significantly over the past decade. Modern ransomware operators, particularly those running Ransomware-as-a-Service (RaaS) platforms, don't just encrypt your files. They first exfiltrate a copy of your sensitive data and then threaten to publish it if you don't pay. This "double extortion" model means that even organisations with good backups face pressure to pay, because the stolen data can still cause regulatory, legal and reputational damage if it is released.
How It Spreads — The Main Vectors
Ransomware reaches victims through a variety of delivery mechanisms. Understanding these is essential for knowing what to guard against:
- Phishing emails — malicious attachments (Office documents with macros, PDFs with embedded links, ZIP or ISO archives) or links leading to credential-harvesting or drive-by download sites. This remains one of the most common initial access vectors year after year.
- Pirated software and cracked applications — ransomware payloads are routinely embedded in pirated games, software cracks, and key generators downloaded from torrent sites and shady download portals.
- RDP brute-forcing — attackers scan the internet continuously for machines with Remote Desktop Protocol (RDP) exposed on TCP port 3389 (its default). Weak, default or previously leaked credentials are tried systematically until a logon succeeds. Once inside, the attacker works hands-on-keyboard, usually spreading to other machines before deploying the ransomware manually.
- Malvertising — malicious advertisements served through legitimate ad networks that trigger automatic downloads or redirect users to exploit kit landing pages — no click required if the browser or plugins are unpatched.
- Supply chain attacks — compromising software update mechanisms or trusted third-party vendors to deliver malicious code to many organisations at once, as in the Kaseya VSA incident, where a remote-management tool used by managed service providers was abused to push ransomware to their customers. Mass exploitation of a vulnerable third-party product, such as the MOVEit Transfer campaign, reaches victims in a similar way even though no update channel is hijacked.
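The RDP brute-forcing described above leaves a very recognisable trail: a burst of failed logons from one source address, either hammering a single account (brute force) or trying a few passwords against many accounts (password spraying). The following detector is an added example written for this article, not code from the original page or from any product. It assumes that Windows Security Event ID 4625 (failed logon) records with LogonType 10 (RemoteInteractive, i.e. RDP) have already been parsed upstream into (timestamp, source IP, target account) tuples; the sample events are constructed.

```python
"""Detect RDP brute-force and password-spray activity from failed-logon events.

Added example for this article, not code from the original page. It consumes
records shaped like Windows Security Event ID 4625 (failed logon) filtered to
LogonType 10 (RemoteInteractive, i.e. RDP). Parsing from the real event log is
assumed to have happened upstream; the sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10              # failures from one source IP inside WINDOW -> brute force
SPRAY_ACCOUNTS = 5               # distinct target accounts from one IP inside WINDOW -> spray
WINDOW = timedelta(minutes=5)    # sliding window length


def constructed_sample_events():
    """Constructed (timestamp, source_ip, target_account) tuples, not real telemetry."""
    base = datetime(2024, 3, 1, 2, 10, 0)
    rows = []
    # 12 failures against one account in under 3 minutes: classic brute force.
    for i in range(12):
        rows.append((base + timedelta(seconds=15 * i), "203.0.113.7", "administrator"))
    # 6 failures, each against a different account, spaced out: password spraying.
    for i, acct in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        rows.append((base + timedelta(seconds=40 * i), "198.51.100.23", acct))
    # Two typos from a legitimate user: must not alert.
    rows.append((base, "192.0.2.5", "jdoe"))
    rows.append((base + timedelta(seconds=30), "192.0.2.5", "jdoe"))
    return rows


def detect_rdp_attacks(events, fail_threshold=FAIL_THRESHOLD,
                       spray_accounts=SPRAY_ACCOUNTS, window=WINDOW):
    """Return {source_ip: {labels}} for IPs whose failures in any sliding window
    cross a threshold. Labels are 'brute_force' (volume against any accounts) and
    'password_spray' (few attempts each, but against many accounts)."""
    by_ip = defaultdict(list)
    for ts, ip, acct in events:
        by_ip[ip].append((ts, acct))

    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        labels = set()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            if len(in_window) >= fail_threshold:
                labels.add("brute_force")
            if len({acct for _, acct in in_window}) >= spray_accounts:
                labels.add("password_spray")
        if labels:
            alerts[ip] = labels
    return alerts


if __name__ == "__main__":
    for ip, labels in sorted(detect_rdp_attacks(constructed_sample_events()).items()):
        print(f"{ip}: {', '.join(sorted(labels))}")
```

Tune the thresholds to your environment and exclude known NAT egress addresses, which legitimately present many users from one IP and would otherwise look like a spray. Detection is a safety net, not the fix: an RDP endpoint that is not reachable from the internet cannot be brute-forced in the first place.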
Notable Ransomware Examples
The ransomware landscape is populated by well-organised criminal groups operating with business-like efficiency:
- WannaCry (2017) — used the leaked EternalBlue exploit against a Windows SMBv1 flaw (MS17-010) that Microsoft had patched two months earlier, spreading automatically across networks without user interaction. It affected over 200,000 systems in 150 countries within days, crippling hospitals, telecoms and government agencies.
- LockBit — one of the most prolific RaaS operations ever documented, responsible for thousands of attacks globally before law enforcement action disrupted it. Under its affiliate model, criminals rented access to the platform, ran the intrusions themselves and split the proceeds with the core operators.
- Cl0p — known for large-scale mass exploitation of vulnerabilities in file transfer software (GoAnywhere MFT, MOVEit Transfer), compromising hundreds of organisations simultaneously and focusing on data theft for extortion rather than encryption alone.
Should You Pay the Ransom?
Law enforcement agencies worldwide — including the FBI, Europol, and the NCSC — universally advise against paying the ransom. The reasoning is consistent and well-founded:
- Payment directly funds future attacks and signals that your sector is a profitable target.
- Decryption tools provided after payment frequently fail to fully restore all files — particularly databases and custom file types.
- Paying marks you as a willing payer; many victims are attacked again within 12 months.
- Attackers may still publish or sell the exfiltrated data regardless of payment — there is no enforceable guarantee.
- In some jurisdictions, paying ransomware groups that are under sanctions may itself carry legal risk.
How to Protect Yourself
Ransomware defences are layered — no single measure is sufficient, but the combination is highly effective:
- Maintain regular, tested backups following the 3-2-1 rule: three copies of your data, on two different media types, with one stored offline, air-gapped or on immutable storage that ransomware running with your credentials cannot reach or alter. Test restores on a schedule; a backup that has never been restored is an assumption, not a safeguard.
- Patch software promptly, prioritising anything internet-facing (VPN gateways, file-transfer servers, remote-management tools). A large share of ransomware intrusions begin with a known vulnerability for which a patch already exists. Timely patching closes that avenue for every flaw that has been disclosed; it does not stop zero-days, which is why the other layers still matter.
- Disable RDP if you don't need it. If you do need it, place it behind a VPN and enforce MFA on all remote access.
- Enable MFA on every account, starting with remote access, email and administrative accounts. Compromised credentials are a primary ransomware entry point, and MFA means a stolen password alone is not enough. Prefer phishing-resistant methods (FIDO2 security keys, passkeys) over SMS codes and push prompts, which can be intercepted or worn down with repeated approval requests.
- Never open unexpected attachments, even from known contacts — attackers frequently spoof sender addresses or compromise email accounts.
- Use reputable, actively maintained security software with real-time behavioural detection.
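The "behavioural detection" mentioned in the last point is not magic. Two of the heuristics such tools lean on are cheap to reproduce and worth understanding: encrypted output has near-maximal Shannon entropy, so a file whose contents jump from prose-like to random-looking (or a renamed copy with a new extension and random-looking contents) is suspicious, and a canary (decoy) file that no legitimate process ever touches gives an unambiguous signal when it changes. The following is an added example written for this article, not code from the original page or from any security product. The directory snapshots are constructed in memory, fake_ciphertext() is a deterministic stand-in for real encrypted output, and the thresholds are illustrative.

```python
"""Two heuristics that behavioural anti-ransomware tooling uses to catch mass
encryption in progress: a Shannon-entropy jump in file contents, and a canary
(decoy) file that no legitimate process should ever touch.

Added example for this article, not code from the original page or from any
product. The directory snapshots are constructed in memory so it runs offline;
fake_ciphertext() is a deterministic stand-in for real encrypted output."""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; prose is ~4-5, ciphertext and compressed data ~7.9+
BURST_THRESHOLD = 3      # suspicious files in one scan before we call it mass encryption


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes.
    The value is capped at log2(len(data)), so very small files never look 'encrypted'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fake_ciphertext(seed: str, size: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 counter stream) standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


def scan(before, after, canaries, burst_threshold=BURST_THRESHOLD):
    """Compare two snapshots {filename: contents} and report encryption-like changes."""
    vanished = set(before) - set(after)
    appeared = set(after) - set(before)
    suspicious = []

    # Renamed and encrypted: a new high-entropy file whose name extends a vanished one
    # (report.docx -> report.docx.locked). This also catches originals that were already
    # high-entropy (JPEG, ZIP), where comparing before/after entropy alone shows nothing.
    for name in sorted(appeared):
        origin = next((o for o in vanished if name.startswith(o)), None)
        if origin is not None and shannon_entropy(after[name]) >= ENTROPY_THRESHOLD:
            suspicious.append(("renamed_encrypted", origin, name))

    # Overwritten in place: same name, entropy jumped from low to high.
    for name in sorted(set(before) & set(after)):
        if before[name] != after[name] and \
                shannon_entropy(before[name]) < ENTROPY_THRESHOLD <= shannon_entropy(after[name]):
            suspicious.append(("entropy_jump", name, name))

    # Canary: any change to, or disappearance of, a decoy file is decisive on its own.
    canary_tripped = sorted(c for c in canaries if c not in after or after[c] != before.get(c))

    mass = bool(canary_tripped) or len(suspicious) >= burst_threshold
    return {"verdict": "mass_encryption" if mass else "ok",
            "suspicious": suspicious, "canary_tripped": canary_tripped}


# Constructed snapshots. A real agent would build them from filesystem events or periodic walks.
PLAIN = b"Q3 revenue summary: region, units, margin.\n" * 80
CANARY_NAME = "~.canary.txt"
BEFORE = {
    "report.docx": PLAIN,
    "budget.xlsx": PLAIN.replace(b"revenue", b"expense"),
    "holiday.jpg": fake_ciphertext("jpeg-stand-in", 4096),   # compressed media is already high-entropy
    "todo.txt": b"- renew certificates\n- rotate backup media\n",
    CANARY_NAME: b"decoy file, watched by the backup agent, never edited\n" * 64,
}
AFTER_ATTACK = {
    "report.docx.locked": fake_ciphertext("report", len(PLAIN)),
    "budget.xlsx.locked": fake_ciphertext("budget", len(PLAIN)),
    "holiday.jpg.locked": fake_ciphertext("holiday", 4096),
    "todo.txt": fake_ciphertext("todo", 2048),                 # overwritten in place, no rename
    CANARY_NAME + ".locked": fake_ciphertext("canary", len(BEFORE[CANARY_NAME])),
    "README_RESTORE.txt": b"Your files are encrypted. Contact us to buy the key.\n",  # ransom note, low entropy
}
AFTER_NORMAL = dict(BEFORE, **{"todo.txt": BEFORE["todo.txt"] + b"- test a restore\n"})

if __name__ == "__main__":
    for label, after in (("attack", AFTER_ATTACK), ("normal", AFTER_NORMAL)):
        print(label, scan(BEFORE, after, {CANARY_NAME}))
```

Entropy on its own produces false positives: legitimate compression, password-protected archives and disk-encryption containers all look random. That is why the check combines entropy with the rename pattern and a burst count, and why the canary is the strongest single signal; a few decoy files scattered through shared drives cost nothing and are touched only by something that is walking the filesystem indiscriminately.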
Ransomware often starts with compromised credentials. BreachWatcher ensures you know immediately when your email appears in a breach — letting you change passwords before attackers can use them to gain initial access to your systems.