If you’ve been hit right now: Disconnect the affected device from the network (unplug Ethernet, turn off WiFi). Do not turn it off — evidence may be in memory. Do not pay yet. Call CISA at 1-888-282-0870 or report to the FBI IC3. If you’re a business, contact your cyber insurance provider immediately.
The TLDR
Ransomware is malware that encrypts your files — documents, photos, databases, everything — and demands payment (usually cryptocurrency) for the decryption key. Modern ransomware operations also steal your data first and threaten to publish it if you don’t pay (“double extortion”). This is a multi-billion dollar criminal industry run by organized groups, not teenagers in hoodies. Individuals lose irreplaceable family photos. Small businesses close permanently. Hospitals have had to divert patients. If this is happening to you: you are not the first, you are not stupid for getting hit, and there are people who can help.
If This Is Happening to You
Before we explain how ransomware works, here’s what matters right now.
For individuals:
- Disconnect from the internet immediately
- Do not pay the ransom — there’s no guarantee you’ll get your files back, and payment funds the next attack
- Identify the variant first (ID Ransomware can usually do this from the ransom note or the new file extension), then check No More Ransom — law enforcement and security companies have released free decryption tools for many ransomware variants
- If you have backups (external drive, cloud), your files may be recoverable without paying
- File a report with the FBI IC3 and local police
- The photos, documents, and memories you’re afraid you’ve lost — there may be copies you’ve forgotten about (email attachments, cloud services, shared albums, old devices)
For organizations:
- Isolate affected systems from the network — do not shut them down. Protect your backups and backup credentials at the same time: attackers usually try to delete or encrypt backups before they detonate, and may still be in the environment.
- Activate your incident response plan (if you have one)
- Contact your cyber insurance provider — they often have pre-negotiated incident response firms
- Call CISA at 1-888-282-0870
- Do not communicate with the attacker without professional guidance
- Preserve logs and evidence — you’ll need them for law enforcement and insurance
- Be honest with your team — they need to know what’s happening
The feelings you’re having right now are normal. Panic, shame, anger, helplessness — everyone who gets hit feels these. IT professionals feel like they failed. Business owners feel responsible. Individuals feel violated. These are rational responses. Give yourself permission to feel them, and then focus on the steps above.
What Ransomware Actually Is
At its core, ransomware is encryption used as a weapon. The same math that protects your bank account is used to lock you out of your own files.
When ransomware executes on your system:
- It scans for files — documents, spreadsheets, photos, databases, backups it can reach
- It encrypts each file with a strong encryption key
- It displays a ransom note with payment instructions (usually Bitcoin or Monero)
- It may also exfiltrate (steal) your data before encrypting it
- A timer starts — the ransom often increases if you don’t pay within 48–72 hours
The encryption is real. A correctly implemented modern scheme (a random key per file, wrapped with the attacker's public key) cannot be broken without the attacker's private key, however much computing power you throw at it. The free decryptors that do exist come from mistakes and seizures: groups that reused or leaked keys, botched their implementation, or had their key servers taken by law enforcement. That's why prevention and backups matter so much — once files are encrypted, your options narrow to a backup, a leaked or seized key, or a payment.
The Variants
Crypto Ransomware
The standard variant. Encrypts your files but leaves the operating system functional so you can read the ransom note and make payment. This is the most common type.
Notable examples: WannaCry (2017, hit hospitals worldwide), REvil (targeted enterprises), LockBit (most prolific group in 2023–2024).
Locker Ransomware
Locks you out of the entire device (a full-screen overlay, a locked boot screen) rather than encrypting individual files. More common on mobile devices. Generally considered less sophisticated, and often recoverable without payment because the underlying data is usually untouched; booting from other media or removing the lock component frequently works.
Wiper Disguised as Ransomware
Destroys data permanently while pretending to be ransomware. The attacker has no intention of providing a decryption key — the goal is destruction, not money. NotPetya (2017) caused an estimated $10 billion in global damage while masquerading as ransomware; its single contact email address was shut down within hours, so even victims who paid had no way to get a key. If a nation-state is behind the attack, assume no key is coming and treat it as a wiper.
Double Extortion
The attacker steals your data before encrypting it. If you don’t pay, they threaten to publish it — customer records, employee data, financial documents, intellectual property. Even if you restore from backups, the stolen data is still in their hands. This is now the dominant model. Over 70% of ransomware attacks in 2024 involved data exfiltration.
Triple Extortion
Double extortion plus a third lever: the attacker contacts your customers, partners, or regulators directly to pressure you, or knocks your public services offline with DDoS attacks until you pay. “We have your vendor’s customer database. We’ll release it unless they pay.” The victim’s business relationships become leverage.
Ransomware as a Service (RaaS)
Modern ransomware is a franchise operation. Groups like LockBit, BlackCat/ALPHV, and Cl0p build the ransomware platform, run the leak site, negotiate with victims, and handle payment infrastructure. Affiliates — independent criminals who do the actual break-ins — pay for access or hand over a percentage of each ransom. This model has industrialized ransomware. The barrier to entry is no longer technical skill. If you can send a phishing email or buy a stolen VPN login, you can deploy ransomware.
How It Gets In
Ransomware doesn’t magically appear on your system. It arrives through a door someone opened — sometimes you, sometimes a vulnerability in your software.
Phishing emails — The most common entry point. An email with a malicious attachment (a macro-enabled Office file, a PDF exploit, an ISO or LNK shortcut, a ZIP hiding an executable) or a link to a credential-harvesting page. One click from one employee on one email.
Exposed Remote Desktop (RDP) — If Remote Desktop Protocol is reachable from the internet with a weak or reused password and no MFA, attackers will find it. Automated scanners sweep the entire IPv4 address space for open RDP ports continuously, then brute-force or credential-stuff what they find. Stolen RDP credentials sell for $5–$50 on dark web markets.
Unpatched vulnerabilities — Software with known security holes that haven’t been updated. The MOVEit Transfer vulnerability (CVE-2023-34362, a SQL injection flaw) allowed the Cl0p group to hit over 2,500 organizations in 2023 through a single file transfer product, in many cases before victims knew a patch existed.
Supply chain compromise — The attacker compromises a software vendor or managed service provider, then pushes ransomware to all of their customers through the trusted update or management channel. The Kaseya attack (2021) hit roughly 1,500 businesses when REvil affiliates exploited the Kaseya VSA IT management platform used by managed service providers.
Stolen credentials — Credentials from data breaches, phishing, or infostealers get used to log into VPNs, email, or cloud services. From there, the attacker moves laterally through the network until they have enough access to deploy ransomware everywhere at once.
The Decision: To Pay or Not
This is the hardest question, and there’s no universally right answer.
Arguments against paying:
- No guarantee you’ll get a working decryption key (some groups provide partial or broken decryptors)
- Payment funds the criminal operation and incentivizes future attacks
- You may be targeted again — paying marks you as someone who pays
- In some cases, payment may violate sanctions if the group or its infrastructure is on the OFAC list or in a sanctioned country; OFAC has warned that it treats such payments as a violation even when the payer did not know, so have counsel check before any money moves
- Law enforcement universally recommends against payment
The reality:
- Some organizations pay because the alternative is closing the business
- Hospitals pay because patient care is at stake
- Individuals pay because the encrypted files are the only copies of irreplaceable memories
- Cyber insurance may cover the ransom payment (though insurers increasingly push back)
If you’re considering payment:
- Do not negotiate directly — hire a professional negotiation firm (your cyber insurance likely covers this)
- Verify you’re dealing with the actual attacker and not a secondary scammer
- Demand proof of decryption before paying (most groups will decrypt a sample file), and expect the decryptor you receive to be slow and buggy — plan to restore from backups for everything you can and use the decryptor only for what you can’t
- Understand that even if you pay, the stolen data is still compromised
- Report the payment to law enforcement — they may be able to recover funds (the FBI has recovered millions in ransomware payments through cryptocurrency tracing)
The Human Cost
Ransomware isn’t just a technical problem. It affects real people.
IT teams: The admin who gets the call at 2 AM and walks into a screen full of ransom notes carries that with them. The self-blame — “I should have patched that server,” “I should have caught that email” — is real and persistent. Burnout and PTSD-like symptoms are common among incident responders.
Business owners: Small businesses that don’t have cyber insurance or robust backups face an existential threat. An often-repeated (and contested) estimate attributed to the National Cyber Security Alliance is that 60% of small businesses that suffer a significant cyber attack close within six months; whatever the true figure, a week of lost revenue and a full rebuild is more than many of them can absorb.
Healthcare workers: When ransomware hits a hospital, surgeries get postponed, ambulances get diverted, and patient records become inaccessible. In September 2020, a patient died after being redirected from a ransomed hospital in Düsseldorf, Germany, to one farther away. Real people are harmed.
Individuals: The family photos from your grandmother’s 90th birthday. The novel you’ve been writing for three years. The tax documents you need for next month. Ransomware doesn’t distinguish between critical infrastructure and personal memories.
If you’re an IT professional who’s been through this: It wasn’t your fault. Ransomware is a criminal act committed by professional criminals with significant resources. One missed patch or one clicked link doesn’t make you responsible — it makes you human. Talk to someone. Your peers have been through it too.
Prevention
You can’t eliminate the risk, but you can make ransomware survivable.
Backups — the single most important defense:
- Follow the 3-2-1 rule: 3 copies, 2 different media, 1 offsite
- Test your backups regularly — a backup you’ve never restored is a hope, not a plan
- Keep at least one backup offline (disconnected from the network) or on immutable storage (object lock, write-once snapshots) — ransomware operators look for backups first and will encrypt or delete any they can reach, including mapped shares, backup servers joined to the domain, and cloud snapshots controlled by the same admin accounts
- Give backup systems their own credentials and MFA, separate from domain admin, so one stolen admin password cannot take the backups with it
- Cloud backups with versioning can allow you to roll back to pre-encryption versions; check how long versions are retained, because an attacker who waits out the retention window beats them
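One way to make “test your backups” concrete, as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, restore into a scratch directory, and diff the restore against the manifest. The directory layout, file names and contents below are constructed for the drill; a real backup system adds compression, snapshots and immutability that this does not model, and the manifest itself must live somewhere the backup job cannot overwrite.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest.

    Keep the manifest somewhere the backup job itself cannot write (offline
    media or write-once storage); an attacker who can encrypt the backup could
    otherwise rewrite the manifest to match the damaged copy.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns files missing from the restore, files whose content changed
    (encrypted, truncated, corrupted) and files the manifest never recorded
    (ransom notes or renamed .locked copies that rode along into the backup).
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_drill() -> dict[str, list[str]]:
    """Constructed end-to-end drill: back up, restore, simulate damage, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "birthday.jpg").write_bytes(b"\xff\xd8\xff" + b"A" * 2048)
        (src / "taxes.xlsx").write_bytes(b"PK\x03\x04" + b"B" * 1024)
        (src / "novel.txt").write_text("Chapter 1\n" * 100)
        manifest = build_manifest(src)  # in practice: taken when the backup is made

        # "Restore" here is a plain copy. Then do to it what a ransomware run does
        # to a backup it can reach: rewrite one file, rename one, drop a note.
        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        (restored / "taxes.xlsx").write_bytes(os.urandom(1024))
        (restored / "novel.txt").rename(restored / "novel.txt.locked")
        (restored / "README_TO_DECRYPT.txt").write_text("your files have been encrypted")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, paths in restore_drill().items():
        print(f"{kind:>10}: {paths}")
```

A clean restore returns three empty lists. Anything in `changed` means the backup copy was already damaged when it was taken or has been tampered with since; anything in `unexpected` means the backup captured the attacker's artifacts and should not be restored wholesale.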
Patching:
- Apply security updates promptly, especially for internet-facing systems
- Prioritize VPNs, email servers, remote access tools, and file transfer products
Email security:
- Use email filtering that strips or sandboxes attachments; at minimum block executables and scripts, macro-enabled Office files, ISO/IMG disk images, and LNK shortcuts, and look inside archives rather than trusting the outer file name
- Train people to recognize phishing — but don’t blame them when they fail (see the phishing deep dive)
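The attachment checks described above (phishing under “How It Gets In”, filtering under “Email security”), as an added example that is not from the original article or any mail gateway product. It parses a constructed .eml with Python's standard library and flags the tricks ransomware loaders rely on: dangerous extensions, double extensions such as `statement.pdf.exe`, OOXML files carrying a `vbaProject.bin` member, legacy OLE documents that need detonation, and archives hiding any of the above. The sample message, its addresses and the extension lists are assumptions for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types attackers routinely use as the first stage of a ransomware intrusion.
DANGEROUS_EXT = {
    "exe", "scr", "pif", "com", "bat", "cmd", "ps1", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "lnk", "iso", "img", "vhd", "vhdx", "docm", "xlsm", "pptm", "xlam",
}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
MAX_DEPTH = 2  # how far into nested archives to look


def classify_bytes(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons one attachment should be stripped or sandboxed ([] = clean)."""
    reasons = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in DANGEROUS_EXT:
        reasons.append(f"dangerous extension .{ext}")
    # "statement.pdf.exe" relies on Windows hiding the final extension.
    if len(parts) > 2 and parts[-2] in DECOY_EXT:
        reasons.append("double extension")
    if data.startswith(OLE_MAGIC):
        # Telling VBA apart needs the OLE streams parsed; without that, detonate it.
        reasons.append("legacy OLE document (may carry VBA macros; sandbox)")
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # OOXML keeps macros in a fixed member; a .docx with one is a renamed .docm.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    reasons.append("Office document contains VBA project")
                if ext == "zip" and depth < MAX_DEPTH:
                    for n in names:
                        if n.endswith("/"):
                            continue
                        for r in classify_bytes(n, zf.read(n), depth + 1):
                            reasons.append(f"archive member {n}: {r}")
        except zipfile.BadZipFile:
            reasons.append("corrupt zip container")
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse an RFC 822 message and classify every attachment by name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = classify_bytes(name, part.get_payload(decode=True) or b"")
    return verdicts


def build_sample_eml() -> bytes:
    """Constructed phishing-style message with four attachments, three of them bad."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see attached.")

    xlsm = io.BytesIO()  # macro-enabled workbook: OOXML zip with a vbaProject.bin member
    with zipfile.ZipFile(xlsm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(xlsm.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="invoice.xlsm")

    archive = io.BytesIO()  # zip hiding a double-extension executable
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("statement.pdf.exe", b"MZ" + b"\x00" * 64)
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="docs.zip")

    msg.add_attachment(OLE_MAGIC + b"\x00" * 32, maintype="application", subtype="msword",
                       filename="notes.doc")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="receipt.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_eml()).items():
        print(f"{name}: {'QUARANTINE ' + '; '.join(reasons) if reasons else 'clean'}")
```

The verdicts are driven by content (magic bytes, zip members) as well as file name, which is the point: a gateway that only looks at the outer extension passes `docs.zip` and a `.docx` that is really a macro document. Password-protected archives, which this code cannot open, should be treated as suspicious by default for the same reason.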
Access control:
- Don’t give admin rights to accounts that don’t need them
- Use multi-factor authentication on everything — VPNs, email, cloud, and remote access — and don’t expose RDP to the internet at all; put it behind a VPN or a remote desktop gateway that enforces MFA
- Segment your network so ransomware can’t spread from one system to everything
Endpoint protection:
- Modern EDR (Endpoint Detection and Response) tools can detect and stop ransomware during encryption
- Keep it updated, turn on tamper protection, and don’t disable it — killing or uninstalling the endpoint agent is one of the first things an intruder tries before launching the encryption run, so alerts that EDR went offline deserve the same urgency as a detection
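What “detect and stop ransomware during encryption” looks like in practice, as an added example that is not from the original article or any EDR vendor. It applies the execution sequence described under “What Ransomware Actually Is” as a behavioural signature: one process rewriting many files with high-entropy (ciphertext-like) content in a short burst, renaming them to a single new extension, dropping a note, and touching decoy “canary” files. The event format, process names, thresholds and canary path are all assumptions; the activity log is constructed, with pseudo-random bytes standing in for ciphertext.

```python
import math
import os
import random
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW_SECONDS = 10.0     # burst window for counting rewrites
MIN_FILES = 8             # distinct files rewritten with high entropy inside one window
ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8
NOTE_MARKERS = ("decrypt", "readme", "restore", "recover")
CANARY_DIR = "/srv/share/.canary/"  # decoy files nothing legitimate should modify


@dataclass
class Event:
    """One file-system event as an EDR sensor or audit log would report it (assumed format)."""
    ts: float
    pid: int
    process: str
    op: str             # "write", "rename" or "create"
    path: str
    data: bytes = b""   # first chunk written, for "write"
    new_path: str = ""  # destination, for "rename"


@dataclass
class ProcState:
    hits: list = field(default_factory=list)       # (ts, path) of high-entropy writes
    peak: int = 0                                  # most distinct files hit in one window
    new_exts: set = field(default_factory=set)     # extensions files were renamed to
    note_dropped: bool = False
    canary_touched: bool = False


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plaintext documents score roughly 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events: list[Event]) -> dict[int, list[str]]:
    """Return {pid: reasons} for processes whose file activity looks like an encryption run."""
    state: dict[int, ProcState] = defaultdict(ProcState)
    for ev in sorted(events, key=lambda e: e.ts):
        st = state[ev.pid]
        if ev.path.startswith(CANARY_DIR) or ev.new_path.startswith(CANARY_DIR):
            st.canary_touched = True
        if ev.op == "write" and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
            st.hits = [h for h in st.hits if ev.ts - h[0] <= WINDOW_SECONDS] + [(ev.ts, ev.path)]
            st.peak = max(st.peak, len({p for _, p in st.hits}))
        elif ev.op == "rename":
            old_ext, new_ext = os.path.splitext(ev.path)[1], os.path.splitext(ev.new_path)[1]
            if new_ext and new_ext != old_ext:
                st.new_exts.add(new_ext)
        elif ev.op == "create":
            if any(m in os.path.basename(ev.path).lower() for m in NOTE_MARKERS):
                st.note_dropped = True

    verdicts = {}
    for pid, st in state.items():
        reasons = []
        if st.peak >= MIN_FILES:
            reasons.append(f"{st.peak} high-entropy rewrites within {WINDOW_SECONDS:.0f}s")
            if len(st.new_exts) == 1:   # one new extension across many files: mass rename
                reasons.append(f"mass rename to {next(iter(st.new_exts))}")
            if st.note_dropped:
                reasons.append("ransom note created")
        if st.canary_touched:            # a canary hit is damning on its own
            reasons.append("canary file modified")
        if reasons:
            verdicts[pid] = reasons
    return verdicts


def sample_events() -> list[Event]:
    """Constructed activity from three processes; only pid 4242 is malicious."""
    rng = random.Random(1234)   # deterministic stand-in for ciphertext
    ev = [
        # A word processor: low-entropy saves and a same-extension rename.
        Event(0.0, 1010, "winword.exe", "write", "/home/ann/report.docx",
              b"Quarterly report: revenue up 3%\n" * 20),
        Event(0.5, 1010, "winword.exe", "rename", "/home/ann/~report.docx",
              new_path="/home/ann/report.docx"),
    ]
    # An archiver: high-entropy output, but only three files spread over 20 seconds.
    for i in range(3):
        ev.append(Event(10.0 * i, 2020, "7z.exe", "write", f"/home/ann/backup{i}.7z", rng.randbytes(1024)))
    # Ransomware: ten files rewritten and renamed in three seconds, a canary hit, a note.
    t = 100.0
    for i in range(10):
        path = f"/srv/share/finance/q{i}.xlsx"
        ev.append(Event(t, 4242, "upd.exe", "write", path, rng.randbytes(1024)))
        ev.append(Event(t + 0.1, 4242, "upd.exe", "rename", path, new_path=path + ".locked"))
        t += 0.3
    ev.append(Event(t, 4242, "upd.exe", "write", CANARY_DIR + "budget.xlsx", rng.randbytes(1024)))
    ev.append(Event(t + 0.1, 4242, "upd.exe", "create", "/srv/share/finance/HOW_TO_DECRYPT.txt"))
    return ev


if __name__ == "__main__":
    for pid, reasons in detect(sample_events()).items():
        print(pid, "->", "; ".join(reasons))
```

The archiver in the sample writes ciphertext-like output too, which is why entropy alone is a poor signal; the burst count, the uniform rename and the note are what separate `7z.exe` from `upd.exe`. A real agent acts on the first verdict by suspending the process and cutting its network access, which is the “stop” half of the sentence above; the canary rule exists so that a slow, throttled encryptor that never trips the burst threshold is still caught.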
Resources
- CISA StopRansomware: cisa.gov/stopransomware — federal guidance and reporting
- No More Ransom: nomoreransom.org — free decryption tools for known ransomware variants
- FBI IC3: ic3.gov — report ransomware attacks
- ID Ransomware: id-ransomware.malwarehunterteam.com — identify which ransomware variant hit you
- 988 Suicide & Crisis Lifeline: Call or text 988 — if the stress is overwhelming, this is what they’re there for