What Is Ransomware? How It Works and How to Defend Against It
Ransomware showed up in 44% of all breaches last year. It locks your files, demands payment, and can shut down an entire business in minutes. Here is everything you need to know to avoid becoming the next victim.

💀 Key Takeaways
- Ransomware is malicious software that encrypts your files and demands payment to unlock them, and it appeared in 44% of all breaches last year
- Modern ransomware uses “double extortion,” threatening to publish your stolen data even if you restore from backups
- 64% of victim organizations now refuse to pay ransoms, up from 50% two years ago, and the median payment has dropped to about $115,000
- The defense is three boring habits: back up properly with the 3-2-1 rule, patch quickly, and require multi-factor authentication everywhere
If you have ever come back to your laptop after lunch and seen a message demanding bitcoin in exchange for your own files, or if you have watched the news as a hospital, a fuel pipeline, or a Las Vegas casino went dark for days, you have seen ransomware in action.
Ransomware is malicious software that locks up your files or your entire system and demands payment, usually in cryptocurrency, to give them back. It is the most disruptive type of cyberattack most organizations will ever face. According to the Verizon 2025 Data Breach Investigations Report, ransomware showed up in 44% of breaches last year, up from 32% the year before.
This guide walks through how ransomware actually works, two real-world cases that made headlines, why paying the ransom is rarely the answer, and the practical defense playbook that works for both individuals and small businesses.
What is ransomware?
At its core, ransomware is extortion delivered by software. The attacker breaks into your system, encrypts your files using strong cryptography so you cannot open them without the key, and leaves a note telling you how much to pay and where.
Modern ransomware has evolved past simple file-locking. The current playbook, sometimes called “double extortion,” adds a second threat: “Pay us, or we will also publish all the data we stole on our leak site.” That way, even organizations with great backups still feel pressure to pay, because backups will not undo a public data leak.
The first known ransomware was the AIDS Trojan in 1989, distributed on floppy disks at a medical conference. It was clunky, the encryption was weak, and the victim was supposed to mail $189 to a P.O. box in Panama. The basic idea has barely changed in 35 years. The technology around it has changed enormously.
How a ransomware attack actually unfolds
The Hollywood version of a ransomware attack is instant. Someone clicks a link and the screen goes red. The reality is slower, quieter, and usually unfolds in five stages over days or weeks.
Stage 1: Initial access
The attacker gets a foothold. The most common routes are phishing emails, exposed remote-access services like RDP and VPNs without MFA, exploitation of unpatched software vulnerabilities, and credentials bought from another criminal who already stole them. Verizon’s data shows stolen credentials remain the single most common initial access method across breaches.
Stage 2: Privilege escalation
The first account they compromise is rarely an admin. So they pivot, exploiting weak permissions, misconfigured systems, or unpatched vulnerabilities to climb from “regular user” to “domain admin.” This is where attackers spend most of their time.
Stage 3: Lateral movement and reconnaissance
With elevated privileges, they map the network, identify the most valuable data, find the backup systems so they can disable them, and stage their tools across as many machines as possible. They want to encrypt everything at once.
Stage 4: Data exfiltration
Before encrypting anything, modern ransomware groups copy your sensitive data out of the network to their own servers. This is the “double extortion” leverage. Even if you can restore from backups, they still have your data.
Stage 5: Encryption and the ransom note
Only at the very end does the loud, visible part happen. The encryption fires across the network, files become unreadable, the ransom note appears, and the clock starts. By the time the victim sees it, the attackers have often been inside for weeks.
Two real-world ransomware attacks worth knowing
MGM Resorts (September 2023)
The hospitality giant behind the Bellagio, Aria, and dozens of Las Vegas properties was hit by a group called Scattered Spider, working with the ALPHV/BlackCat ransomware operation. The initial access was not sophisticated: attackers found an MGM employee on LinkedIn, called the IT help desk pretending to be them, and got their account reset over a 10-minute phone call.
From there it was textbook: privilege escalation through Okta, lateral movement, and ransomware deployed across more than 100 ESXi hypervisors. Slot machines, digital room keys, and reservation systems went dark. MGM refused to pay. The estimated total damage: around $100 million, plus class-action lawsuits.
The same week, Caesars Entertainment was hit by the same group and reportedly paid roughly $15 million to keep the disruption quiet.
Colonial Pipeline (May 2021)
This one is required reading because it took out the largest fuel pipeline on the U.S. East Coast for six days. Gas stations across the Southeast ran dry. The attack started through a single compromised VPN password, an old account that did not have multi-factor authentication. Colonial Pipeline ended up paying around $4.4 million to the DarkSide ransomware group, most of which the FBI later recovered.
The lesson from both incidents is the same: the impressive part of a ransomware attack is not the encryption. It is the access. And access usually walks in the front door wearing a stolen badge.
Should you pay the ransom?
Short answer from law enforcement and most security professionals: no, if you can possibly avoid it. Here is why.
- Payment does not guarantee recovery. Some groups send a working decryption key. Some send a broken one. Some send nothing. Even when the key works, the decryption process is often slow, buggy, and incomplete.
- It marks you as a future target. Groups talk to each other. A company that paid once is on a list of companies likely to pay again.
- It funds the next attack. Ransom payments are the fuel for the entire ecosystem, including attacks on hospitals, schools, and critical infrastructure.
- It may be illegal. Depending on jurisdiction and which group hit you, paying can violate sanctions laws and expose your organization to penalties.
Encouragingly, the trend is moving in the right direction. The 2025 DBIR found that 64% of victim organizations refused to pay ransoms, up from 50% two years earlier, and the median ransom payment fell to about $115,000.
The non-payment path requires one thing above all: backups you can actually restore from. That is not optional. That is the entire game.
How to defend against ransomware
The 3-2-1 backup rule (the most important thing on this page)
Three copies of your data. Two different types of storage. One copy offsite and offline. The “offline” part is critical because ransomware groups specifically hunt down and encrypt connected backups before triggering the main encryption. A backup that is plugged in is a backup the attacker can destroy.
And here is the part most people forget: test your restores. A backup you have never restored from is a hope, not a plan.
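One way to turn "test your restores" into a routine rather than a hope: record a SHA-256 manifest when the backup is taken, restore into a scratch location, and compare. This is an added example, not code from the original article; the directory names and sample files are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    return {
        "ok": sorted(p for p in manifest if restored.get(p) == manifest[p]),
        "missing": sorted(p for p in manifest if p not in restored),
        "corrupt": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(p for p in restored if p not in manifest),
    }

def demo() -> dict:
    """Constructed scenario: back up three files, damage the copy, then test the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, rst = (os.path.join(tmp, d) for d in ("live", "backup", "restore-test"))
        os.makedirs(os.path.join(src, "finance"))
        for rel, body in {"finance/ledger.csv": b"date,amount\n2024-01-02,19.99\n",
                          "notes.txt": b"call the insurer first\n",
                          "photo.jpg": bytes(range(256))}.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(body)
        manifest = build_manifest(src)   # keep this with the offline copy, not only on the live system
        shutil.copytree(src, bak)        # the "backup copy"
        # Simulate silent damage to the backup media: one file truncated, one file gone.
        with open(os.path.join(bak, "photo.jpg"), "wb") as f:
            f.write(b"\x00" * 16)
        os.remove(os.path.join(bak, "notes.txt"))
        shutil.copytree(bak, rst)        # restore into a scratch location, never over live data
        return verify_restore(manifest, rst)
```

A restore test that reports anything under "missing" or "corrupt" is the signal to fix the backup job now, not after an incident.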
Patch fast and patch everything internet-facing
Ransomware groups increasingly enter through unpatched vulnerabilities in things like VPN appliances, file-transfer software, and remote-access tools. The DBIR found that exploitation of vulnerabilities as an initial access method nearly tripled in 2024. The fix is not complicated: patch quickly, especially on anything exposed to the internet. But it requires discipline.
Multi-factor authentication on everything that supports it
Especially on remote access, email, and admin accounts. Colonial Pipeline did not happen because of an exotic exploit. It happened because one VPN account did not have MFA. If you have not set up MFA yet, our beginner’s guide to 2FA walks you through it in five minutes.
Endpoint detection and response (EDR)
Traditional antivirus catches known malware. EDR tools like Microsoft Defender for Endpoint, CrowdStrike Falcon, or SentinelOne watch for the behaviors ransomware exhibits, such as mass file encryption, suspicious script execution, and lateral movement, and can stop attacks mid-flight.
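The behaviors an EDR watches for can be approximated in a few lines. The script below is an added example, not code from this page or from any of the products named: it scores constructed file-system telemetry for two of those behaviors, a burst of high-entropy writes and bulk extension changes. The event shape and the process names are hypothetical.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

def _random_blob(seed: str, blocks: int = 64) -> bytes:
    """Deterministic high-entropy stand-in for ciphertext: chained SHA-256 blocks."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(blocks))

# Constructed telemetry: (process, action, path, new_path, data). This event shape is
# hypothetical and not the schema of any real EDR product.
TEXT = b"Quarterly report: revenue up 4 percent, costs flat, headcount 41.\n" * 30
EVENTS = []
for i in range(6):  # encryptor overwrites each document, then tacks on a new extension
    EVENTS.append(("encryptor.exe", "write", f"C:/share/doc{i}.docx", None, _random_blob(f"d{i}")))
    EVENTS.append(("encryptor.exe", "rename", f"C:/share/doc{i}.docx", f"C:/share/doc{i}.docx.locked", b""))
EVENTS.append(("winword.exe", "write", "C:/share/memo.docx", None, TEXT))
EVENTS.append(("backup_agent.exe", "write", "D:/bak/2024.zip", None, _random_blob("zip")))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, 4 to 5 for English text."""
    if not data: return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_processes(events, min_files=5, entropy_threshold=7.5, ext_change_ratio=0.5):
    """Return {process: [reasons]} for processes whose file activity looks like bulk encryption."""
    stats = defaultdict(lambda: {"writes": 0, "high_entropy": 0, "ext_changes": 0})
    for proc, action, path, new_path, data in events:
        s = stats[proc]
        if action == "write":
            s["writes"] += 1
            if shannon_entropy(data) >= entropy_threshold:
                s["high_entropy"] += 1
        elif action == "rename" and os.path.splitext(path)[1] != os.path.splitext(new_path)[1]:
            s["ext_changes"] += 1
    flagged = {}
    for proc, s in stats.items():
        if s["writes"] < min_files:  # volume gate: one zip or PDF export is not an outbreak
            continue
        reasons = []
        if s["high_entropy"] / s["writes"] >= 0.8:
            reasons.append(f"{s['high_entropy']}/{s['writes']} high-entropy writes")
        if s["ext_changes"] / s["writes"] >= ext_change_ratio:
            reasons.append(f"{s['ext_changes']} extension changes")
        if reasons:  # backup agents and archivers trip the entropy rule alone; allowlist them
            flagged[proc] = reasons
    return flagged
```

Running `score_processes(EVENTS)` flags only `encryptor.exe`; the word processor and the backup agent stay below the volume gate, which is why real EDR products combine several weak signals rather than alerting on entropy alone.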
Network segmentation and least privilege
If a ransomware infection on one laptop can spread to your entire network, you have a flat network problem. Segmentation, least-privilege access, and a Zero Trust approach dramatically limit the blast radius of any single compromise. Our Wi-Fi security guide covers the home network version of this principle.
Train your people, especially on phishing
Most ransomware attacks start with a phishing email or a phone call to the help desk. People are the first line of defense and increasingly the first line of detection. The DBIR shows that one in five users in well-trained organizations now reports phishing emails rather than just deleting them.
Ransomware tips for small businesses
Ransomware groups increasingly target small and mid-sized businesses precisely because they do not have enterprise-grade defenses. Five high-leverage moves on a tight budget:
- Set up automated, offline backups today. A consumer NAS plus a rotated external drive that is unplugged most of the time beats no backup. Cloud services like Backblaze B2 or AWS S3 with object lock are also strong options.
- Turn on MFA on email, banking, and any remote-access tool. Free, takes ten minutes, blocks most of what comes for you.
- Get rid of any open RDP or unprotected VPN. If you need remote access, put it behind MFA at minimum.
- Use a free or low-cost EDR. Microsoft Defender, built into Windows, is genuinely good now. Check our free security tools guide for more options.
- Have an incident response plan written down, even one page. Who do you call? Who is authorized to make decisions? What is the order of containment? You do not want to figure this out at 3 a.m. with files encrypting.
What to do if you are hit right now
- Disconnect, do not power off. Pull the network cable or disable Wi-Fi on affected machines to stop the spread, but leave them running so forensic data in memory is preserved.
- Notify the right people. Internally: leadership, legal, IT/security. Externally: your cyber insurance provider (they often have an incident response team on retainer) and law enforcement.
- Do not engage with the attackers yourself. If a ransom conversation is going to happen, it should happen through professional negotiators retained by your insurer or legal counsel.
- Check decryption availability before paying anything. The No More Ransom project, run by Europol, Dutch police, and several security firms, maintains a free database of decryptors for many ransomware strains.
- Preserve evidence and document everything. Timestamps, screenshots, logs. You will need them for insurance, regulators, and investigators.
The bottom line
Ransomware looks dramatic on the news, and at the moment of impact it certainly is. But the defense is not dramatic at all. It is three boring habits: back up properly, patch quickly, require MFA. Layer on EDR and basic awareness training and you have handled the realistic threat surface for most homes and small businesses.
What ransomware really exploits is not a clever trick. It is the assumption that “we will deal with backups next quarter,” that one old VPN account without MFA is fine, that the help desk will recognize a stranger’s voice. The MGM and Colonial attacks both succeeded against multi-billion-dollar companies for exactly these reasons. The good news: the same fixes work for a one-person business too.
Frequently Asked Questions
Can ransomware be removed without paying?
Yes, in many cases. The malware itself can be removed by wiping affected systems. The harder question is whether your files can be recovered. That depends on whether you have clean backups, whether a free decryptor exists for that specific ransomware family (check the No More Ransom project), and whether you can rebuild what is lost from other sources.
Does antivirus stop ransomware?
Modern antivirus and EDR tools catch a lot of ransomware, but never all of it, especially novel variants and “living off the land” attacks that use legitimate Windows tools rather than malware files. Antivirus is necessary but not sufficient. Backups are the only reliable last line of defense.
How long does a ransomware attack typically last?
The attacker is often inside the network for days to weeks before the encryption phase starts. Once encryption fires, recovery for an organization without solid backups can take weeks to months. MGM was operationally disrupted for about 10 days. Colonial Pipeline was down for six.
Are individuals targeted, or just companies?
Both. Mass-distributed ransomware still hits home users via phishing emails, malicious downloads, and pirated software. The financial scale is smaller per victim, but the personal cost of losing family photos, tax records, and work files can be devastating. Backups matter at home too.
Will cyber insurance cover a ransomware attack?
Often, yes, but coverage varies a lot and policies have tightened sharply in recent years. Most modern policies require certain controls like MFA, EDR, and backups as a precondition. Read your policy before you need it, and confirm what is actually covered: ransom payments, business interruption, forensic costs, legal fees, and regulatory fines.
