# What Is Ransomware and How to Protect Yourself
A beginner-friendly explanation of how ransomware works, how it spreads, and the essential steps to protect against it.
Ransomware is malicious software that encrypts a victim's files or systems and demands payment, typically in cryptocurrency, in exchange for the decryption key. It exists because attackers discovered that holding data hostage is more reliably profitable than stealing it outright. Unlike data theft, which requires finding a buyer for stolen information, ransomware converts access to a victim's own data into immediate revenue. The problem it solves for attackers is monetization at scale: a single ransomware campaign can target thousands of organizations simultaneously, and even a modest payment rate generates substantial criminal income. For defenders, understanding ransomware is not optional. It is the most financially damaging category of malware in operation today and the one most likely to produce visible, catastrophic consequences within hours of a successful intrusion.
---
Ransomware is a category of malware that denies access to data or systems through encryption, destruction threats, or exfiltration threats, then presents a ransom demand as the mechanism for restoration. The defining characteristic is coercion: the attacker holds something the victim needs and demands payment to return it.
Ransomware is not the same as a virus, worm, or generic trojan, though it may use those delivery mechanisms. A virus replicates and corrupts; a worm spreads autonomously; a trojan deceives the user into installation. Ransomware may incorporate all of these behaviors, but its purpose is extortion, not disruption for its own sake.
The major variants include:
- Crypto-ransomware: Encrypts files on local drives, mapped network shares, and cloud-synced folders. This is the most common form. Examples include REvil, LockBit, and BlackCat (ALPHV).
- Locker ransomware: Locks the user out of the operating system or device without necessarily encrypting files. Common on mobile platforms.
- Double extortion ransomware: Exfiltrates data before encrypting it, then threatens to publish the stolen data publicly if payment is not made. Cl0p and Maze pioneered this model.
- Triple extortion ransomware: Adds a third pressure vector, such as threatening to notify the victim's customers or regulators, or launching distributed denial-of-service attacks against the victim during negotiations.
- Ransomware-as-a-Service (RaaS): A criminal business model in which ransomware developers lease their tools and infrastructure to affiliates who conduct attacks and split ransom payments. Most major ransomware groups now operate as RaaS.
Ransomware should not be confused with scareware, which displays fake warnings and demands payment without actually encrypting anything, or with wiperware, which destroys data without providing a restoration path regardless of payment.
---
Understanding ransomware mechanics requires following the attack from initial access through extortion. Each phase has specific technical characteristics that defenders can detect and interrupt.
Phase 1: Initial Access
Attackers gain entry through one of several well-documented methods. Phishing emails carrying malicious attachments or links account for a substantial portion of ransomware intrusions. Remote Desktop Protocol (RDP) exposed to the internet with weak or compromised credentials is another primary vector. Exploitation of unpatched vulnerabilities in internet-facing systems, including VPN appliances, firewalls, and web servers, has become increasingly common. Attackers also purchase initial access from brokers operating in criminal marketplaces who have already compromised target environments.
Phase 2: Execution and Persistence
Once inside, the attacker executes a payload or hands off to a ransomware affiliate who does. The initial payload is often a loader or implant, such as Cobalt Strike, that establishes a command-and-control (C2) channel. The attacker creates persistence through scheduled tasks, registry run keys, or service installation so that access survives reboots and remediation attempts.
Phase 3: Privilege Escalation and Lateral Movement
This phase separates damaging ransomware incidents from contained ones. Attackers dump credentials using tools like Mimikatz, exploit misconfigurations in Active Directory, and move laterally across the network to reach high-value systems: backup servers, domain controllers, file servers, and databases. The goal is to maximize the scope of encryption so that restoration without paying becomes impractical.
Phase 4: Data Exfiltration (double extortion model)
Before deploying the encryption payload, many groups exfiltrate data to attacker-controlled infrastructure. Tools like Rclone, MEGAsync, or custom upload utilities move gigabytes of sensitive files out of the environment. This exfiltration often occurs over days or weeks before the ransomware is deployed, which is why early detection of C2 traffic and unusual outbound data transfers matters.
Phase 5: Encryption and Ransom Delivery
The ransomware payload executes, typically using a hybrid encryption scheme: file contents are encrypted with a fast symmetric cipher such as AES, and the per-victim AES key is in turn encrypted with the attacker's RSA-2048 or RSA-4096 public key. Without the attacker's private RSA key, recovering the AES key, and therefore the files, is computationally infeasible. The ransomware enumerates local drives, mapped network drives, and accessible shares, encrypts target file types (documents, databases, virtual machine images, backups), and drops a ransom note in each affected directory.
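The encryption phase described above can still be caught on the host while it is running, which limits the blast radius (the machine can be isolated before it reaches shares and backups) even when the earlier-phase detections were missed. The script below is an added example, not code from the article or from CDA: it scans a constructed directory tree for three host-side signs of encryption in progress, namely high-entropy content under unexpected extensions, ransom-note file names, and a canary file whose content hash no longer matches. The thresholds, extension list, name pattern and canary name are this example's own assumptions.

```python
"""Host-side indicators of encryption in progress: entropy, ransom notes, a canary file.

Added example, not code from the article or from CDA. It builds a small
constructed directory tree in a temporary folder, then scans it for three
signs of Phase 5 activity. Thresholds, the extension list, the note-name
pattern and the canary name are this example's own choices.
"""
import hashlib
import math
import os
import re
import shutil
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; random or encrypted data approaches 8.0
MIN_SAMPLE_BYTES = 256    # entropy over fewer bytes is too noisy to act on
# Formats that are compressed or encrypted by design and so look "random" even when untouched.
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".rar", ".png", ".jpg", ".jpeg", ".mp4", ".pdf", ".docx", ".xlsx"}
NOTE_PATTERN = re.compile(r"(restore|decrypt|recover|readme).*\.(txt|html|hta)$", re.IGNORECASE)
CANARY_NAME = "_do_not_open_finance_q3.xlsx"  # constructed honeyfile; nothing legitimate should modify it


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for one repeated value, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, canary_path: str, canary_hash: str) -> dict:
    """Return suspicious files under root plus whether the canary's content hash changed."""
    result = {"high_entropy_files": [], "ransom_notes": [], "canary_tampered": False}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if NOTE_PATTERN.search(name):
                result["ransom_notes"].append(path)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as f:
                head = f.read(65536)
            if (ext not in NATURALLY_DENSE and len(head) >= MIN_SAMPLE_BYTES
                    and shannon_entropy(head) > ENTROPY_THRESHOLD):
                result["high_entropy_files"].append(path)
    result["canary_tampered"] = sha256_file(canary_path) != canary_hash
    return result


def build_constructed_tree():
    """Create a temp tree that mirrors a share after an encryption run (constructed; no real encryption)."""
    root = tempfile.mkdtemp(prefix="ransom_scan_demo_")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        return path

    put("docs/notes.txt", b"Quarterly planning notes. " * 200)       # ordinary text, low entropy
    put("docs/photo.jpg", os.urandom(4096))                          # stands in for a real JPEG
    canary = put("finance/" + CANARY_NAME, b"PK\x03\x04" + b"constructed canary workbook " * 100)
    baseline_hash = sha256_file(canary)                              # recorded when the canary is placed
    # Aftermath, modelled with random bytes: renamed ciphertext, a dropped note, an overwritten canary.
    put("docs/report.docx.locked", os.urandom(4096))
    put("docs/RESTORE-MY-FILES.txt", b"constructed ransom note text " * 20)
    put("finance/" + CANARY_NAME, os.urandom(4096))
    return root, canary, baseline_hash


if __name__ == "__main__":
    root, canary, baseline = build_constructed_tree()
    try:
        findings = scan_tree(root, canary, baseline)
        for key, value in findings.items():
            print(f"{key}: {value}")
    finally:
        shutil.rmtree(root)
```

The extension allowlist is the important caveat: Office files, archives and images are already high-entropy, so an entropy rule alone either floods with false positives or, with the allowlist, misses a file encrypted in place that keeps its .xlsx name. The canary hash catches exactly that case, which is why the two checks are paired. In production the check would run continuously against honeyfile locations on file servers rather than as a one-off walk over a whole tree.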
Specific Scenario: LockBit 3.0 Against a Manufacturing Company
A manufacturing firm running unpatched Citrix ADC appliances is identified by a RaaS affiliate scanning for CVE-2023-3519. The affiliate exploits the vulnerability, drops a webshell, and establishes a Cobalt Strike beacon. Over the following ten days, the affiliate conducts reconnaissance, identifies the domain controller and backup infrastructure, and exfiltrates roughly 80 GB of engineering drawings and contracts to a Mega.nz account. On a Friday evening, the LockBit payload executes across the environment, encrypting workstations, file servers, and, critically, the backup server that was online and accessible via SMB. By Monday morning, operations are halted. The ransom demand is $4.2 million. The firm has no offline backups and no incident response retainer in place.
Phase 6: Negotiation and Payment
Most major ransomware groups operate negotiation portals accessible through Tor. Victims communicate through these portals. Attackers often reduce demands based on the victim's demonstrated ability to pay, typically assessed through financial documents exfiltrated during the attack. Payment in Monero or Bitcoin releases a decryptor. Decryptors frequently work imperfectly, and recovery remains slow even after payment.
---
The financial impact of ransomware is measurable and severe. The FBI's Internet Crime Complaint Center (IC3) reported adjusted losses from ransomware exceeding $59 million in 2023 from complaints alone, a figure that substantially undercounts actual losses because most incidents go unreported. Third-party estimates from organizations tracking ransom payments place total payments in the billions annually.
Operational disruption often exceeds the ransom itself in cost. A hospital that cannot access patient records must divert ambulances, cancel surgeries, and revert to paper processes. A manufacturer that cannot access production systems stops producing. A logistics company that loses access to scheduling software loses shipments and customers. Recovery timelines routinely extend to weeks or months even for well-resourced organizations.
The Colonial Pipeline incident in May 2021 illustrates systemic consequences. The DarkSide ransomware group compromised Colonial Pipeline's IT network, and the company proactively shut down its operational technology systems as a precaution. This resulted in fuel shortages across the southeastern United States, panic buying, and a declared state of emergency in multiple states. The company paid approximately $4.4 million in ransom, the majority of which was later recovered by the Department of Justice through private key seizure.
Common misconceptions that cost organizations money:
The most damaging misconception is that backups guarantee recovery. Ransomware groups specifically target and encrypt backup systems. Backups that are online, accessible from the production network, or not regularly tested for restoration are not effective controls against modern ransomware.
A second misconception is that small organizations are not targets. RaaS affiliates use automated scanning to identify vulnerable systems at scale. An organization's size does not protect it; its vulnerability profile determines its attractiveness.
A third misconception is that paying the ransom resolves the incident. Payment does not remove the attacker from the environment, does not address the initial access vector, does not guarantee working decryption, and does not prevent the attacker from returning or publishing exfiltrated data.
---
The Cyber Defense Alliance approaches ransomware through the Planetary Defense Model (PDM) within the Threat Intelligence and Detection (TID) domain, applying Predictive Defense Intelligence (PDI): see the threat before it sees you.
Most organizations respond to ransomware after encryption has occurred. By that point, the attacker has already spent days or weeks inside the environment. The incident response phase begins after maximum damage has been achieved. CDA's position is that this is the wrong problem to solve first. The encryption event is the last step in a long kill chain, and every earlier step represents an opportunity to stop the attack before it becomes a recovery problem.
PDI applied to ransomware means tracking threat actor infrastructure, tactics, and campaigns at the intelligence layer before those actors engage a specific target. CDA analysts monitor criminal forums, RaaS affiliate recruitment, and initial access broker markets to identify which threat groups are active, which vulnerability classes they are exploiting, and which sectors they are targeting. This intelligence flows directly to defensive configuration: if a specific RaaS group is actively exploiting a Citrix vulnerability, organizations in targeted sectors receive actionable guidance to patch, segment, or temporarily remove that exposure before the campaign reaches them.
At the detection layer, CDA focuses on pre-encryption indicators rather than encryption itself. By the time files are encrypted, the detection opportunity has passed. The actionable detection window is during lateral movement, credential dumping, and exfiltration. CDA's detection engineering produces rules and behavioral analytics tuned to these phases: unusual LSASS memory access, Rclone execution, large outbound transfers to cloud storage APIs, and RDP logons from anomalous source addresses.
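As an added example of the detection logic just described (not code from the article or from CDA), the script below runs four checks over constructed, JSON-per-line telemetry: LSASS opened with read access by a non-allowlisted process, execution of rclone or MEGAsync (including a renamed binary identified by its PE original file name), cumulative outbound volume to cloud-storage hosts, and interactive RDP logons from addresses other than sanctioned jump hosts. The field names, allowlists, thresholds and sample events are all this example's assumptions.

```python
"""Detection logic for pre-encryption ransomware indicators.

Added example, not code from the article or from CDA. The event lines are
constructed: one JSON object per line with fields modelled loosely on
Sysmon process-create / process-access events, firewall flow records and
Windows Security 4624 logons. Field names, allowlists and thresholds are
this example's assumptions and must be tuned to a real environment.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample telemetry (not real logs).
SAMPLE_LOG = r"""
{"type":"process_access","host":"WS-17","source_image":"C:\\Windows\\System32\\svchost.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1000"}
{"type":"process_access","host":"WS-17","source_image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1010"}
{"type":"process_access","host":"DC-01","source_image":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1fffff"}
{"type":"process_create","host":"FS-02","image":"C:\\ProgramData\\svc.exe","original_file_name":"rclone.exe","command_line":"svc.exe copy E:\\Projects remote:drop --transfers 32"}
{"type":"process_create","host":"FS-02","image":"C:\\Windows\\System32\\notepad.exe","original_file_name":"NOTEPAD.EXE","command_line":"notepad.exe"}
{"type":"net_conn","host":"FS-02","dest_host":"g.api.mega.co.nz","dest_port":443,"bytes_out":41000000000}
{"type":"net_conn","host":"FS-02","dest_host":"g.api.mega.co.nz","dest_port":443,"bytes_out":39000000000}
{"type":"net_conn","host":"WS-03","dest_host":"update.microsoft.com","dest_port":443,"bytes_out":120000}
{"type":"logon","host":"DC-01","event_id":4624,"logon_type":10,"user":"svc_backup","source_ip":"10.20.5.9"}
{"type":"logon","host":"DC-01","event_id":4624,"logon_type":10,"user":"svc_backup","source_ip":"203.0.113.77"}
{"type":"logon","host":"DC-01","event_id":4624,"logon_type":10,"user":"jsmith","source_ip":"10.20.5.9"}
""".strip()

LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}  # constructed; tune per environment
EXFIL_TOOL_NAMES = {"rclone.exe", "megasync.exe"}
CLOUD_STORAGE_SUFFIXES = ("mega.co.nz", "mega.nz", "dropbox.com", "mediafire.com")
UPLOAD_THRESHOLD_BYTES = 1 * 1024 ** 3   # 1 GiB per host/destination pair
RDP_JUMP_HOSTS = {"10.20.5.9"}            # the only addresses expected to originate RDP logons
PROCESS_VM_READ = 0x10                    # access right needed to read LSASS memory


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_lsass_access(ev: dict):
    """Credential dumping: an unexpected process opened lsass.exe with memory-read access."""
    if ev.get("type") != "process_access" or basename(ev["target_image"]) != "lsass.exe":
        return None
    source = basename(ev["source_image"])
    granted = int(ev["granted_access"], 16)
    if source in LSASS_ALLOWLIST or not granted & PROCESS_VM_READ:
        return None
    return {"rule": "lsass_memory_access", "host": ev["host"], "detail": ev["source_image"]}


def check_exfil_tool(ev: dict):
    """Exfiltration tooling, including a renamed rclone caught via its PE original file name."""
    if ev.get("type") != "process_create":
        return None
    names = {basename(ev["image"]), ev.get("original_file_name", "").lower()}
    if names & EXFIL_TOOL_NAMES or "rclone" in ev.get("command_line", "").lower():
        return {"rule": "exfil_tool_execution", "host": ev["host"], "detail": ev["command_line"]}
    return None


def check_rdp_logon(ev: dict):
    """Interactive RDP logon (4624, logon type 10) from an address that is not a sanctioned jump host."""
    if ev.get("type") != "logon" or ev.get("event_id") != 4624 or ev.get("logon_type") != 10:
        return None
    source = ev["source_ip"]
    ipaddress.ip_address(source)  # raise on malformed input rather than silently passing it
    if source in RDP_JUMP_HOSTS:
        return None
    return {"rule": "rdp_anomalous_source", "host": ev["host"], "detail": f"{ev['user']} from {source}"}


def check_large_uploads(events: list) -> list:
    """Volume rule: total bytes sent per host to a cloud-storage API above the threshold."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("type") == "net_conn" and ev["dest_host"].endswith(CLOUD_STORAGE_SUFFIXES):
            totals[(ev["host"], ev["dest_host"])] += ev["bytes_out"]
    return [{"rule": "large_cloud_upload", "host": host, "detail": f"{dest}: {sent} bytes"}
            for (host, dest), sent in totals.items() if sent > UPLOAD_THRESHOLD_BYTES]


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_detections(text: str) -> list:
    """Apply the per-event rules, then the aggregate upload rule; return all alerts."""
    events = parse_events(text)
    alerts = []
    for ev in events:
        for check in (check_lsass_access, check_exfil_tool, check_rdp_logon):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(check_large_uploads(events))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

Each alert maps to one of the phases above, which is the point: the rclone and upload alerts fire during exfiltration, the LSASS and RDP alerts during lateral movement, all before the encryption event. The rules are deliberately simple; a production version would aggregate the upload rule over a time window and baseline RDP sources per user, but the structure of the checks is the same.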
CDA also applies PDI to recovery readiness. Backup architecture review, specifically validating that backups are air-gapped or immutable and tested for restoration, is a standard component of TID-domain assessments. An organization that has followed CDA's backup architecture guidance and tested restoration procedures within the last 30 days is in a categorically different recovery position than one that has not.
The operational difference CDA delivers is the shift from reactive incident response to proactive threat interruption, applied at the specific technical phases where ransomware campaigns are most vulnerable to detection and disruption.
---
Written by CDA Wiki Team