What is ransomware?
Ransomware is malicious software that encrypts the victim's files or locks their device and demands payment — typically in cryptocurrency — for the decryption key needed to restore access.
Last reviewed: 10 June 2026
Explanation
Ransomware arrives through phishing emails with malicious attachments, drive-by downloads from compromised websites, exploit kits targeting unpatched software vulnerabilities, or Remote Desktop Protocol (RDP) brute-force attacks. Once executed on a device, it silently encrypts documents, photos, databases, and other files, then displays a ransom demand.
Modern ransomware attacks against organisations combine encryption with data theft — criminals copy sensitive data before encrypting it and threaten to publish it if the ransom is not paid (double extortion). Some add a third pressure: launching DDoS attacks against the victim's external services.
For individuals, ransomware is often delivered through email attachments pretending to be invoices, parcel notifications, or legal documents. The ransom demand is usually in the hundreds to low thousands of dollars' worth of cryptocurrency. Payment does not guarantee decryption — some ransomware variants have no functional decryption key at all.
For organisations, attacks can be devastating: they encrypt backup systems, halt operations, and demand ransoms in the hundreds of thousands. Regular offline backups — tested for restorability — are the most important protection because they allow restoration without paying.
Common red flags
- Files suddenly have a new, unfamiliar extension and cannot be opened
- A ransom note appears on your desktop or as a text file in affected folders
- Your screen is locked with a message demanding payment
- Unusual network activity or high CPU usage that you did not initiate
- Antivirus software has been disabled or appears to have been removed
What to do now
- Disconnect the device from the network immediately to limit spread
- Do not pay the ransom — payment does not guarantee recovery and funds further attacks
- Check nomoreransom.org for free decryption tools for known ransomware variants
- Report to your national cybercrime authority
- Restore from clean backups if available, after fully reimaging the affected system
- Engage a cybersecurity firm if the attack affects business systems
Frequently asked questions
Should I ever pay a ransomware demand?
Most security authorities advise against payment. It funds criminal infrastructure, does not guarantee decryption, and may mark you as a willing payer for future attacks. Explore decryption tools on nomoreransom.org first. For critical business situations, consult a specialist before deciding.
How can I protect against ransomware?
The key defences are: maintain regular offline or air-gapped backups tested for restorability; keep operating systems and software patched; use email filtering to block malicious attachments; disable macros in Office documents from unknown senders; and limit RDP exposure.