What is Ransomware? Types, Examples & Prevention

What is ransomware?

Ransomware is a type of malware designed to encrypt or restrict access to data or systems until a ransom is paid. It’s used by cybercriminals to extort money from individuals or organizations, often causing significant disruption to operations.

While it’s nearly impossible to be completely immune to ransomware, organizations can greatly reduce the likelihood and impact of an attack by implementing layered security defenses and rapid response protocols.

Common types of ransomware attacks

Ransomware comes in many forms and continues to evolve rapidly. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), ransomware is an “ever-evolving form of malware,” and new variants appear constantly. Below are some of the most common attack types seen across industries:

Double extortion: Attackers not only encrypt data but also exfiltrate it, demanding a second ransom to prevent public release or sale. This tactic significantly increases pressure on victims to pay.
Ransomware-as-a-Service (RaaS): Cybercriminal groups sell or lease pre-built ransomware kits to affiliates, making it easier for less-skilled actors to launch sophisticated attacks. RaaS has lowered the barrier to entry for cybercrime.
Distributed denial of service: In some ransomware campaigns, attackers launch DDoS attacks to overwhelm and distract the victim’s defenses, often in tandem with encryption-based extortion.
Spear phishing: Targeted phishing emails trick recipients into clicking malicious links or opening infected attachments. This is one of the most common phishing attack vectors used to initiate ransomware infections.
Stolen credentials: Attackers use compromised credentials from endpoints or previous breaches to escalate access inside a network, eventually launching ransomware to lock systems.
Application exploitation: Unpatched or misconfigured applications provide entry points for ransomware payloads. Once inside, attackers can move laterally to target high-value assets.

How Does Ransomware Work?

Ransomware is a form of malicious malware designed to encrypt files or block access to critical systems until a ransom is paid—often in cryptocurrency. Many modern ransomware variants also exfiltrate data to increase leverage on the victim.

Here’s a typical sequence of how a ransomware attack unfolds:

Initial access: Attackers gain a foothold in the environment through phishing emails, stolen credentials, or unpatched vulnerabilities. These early steps often go unnoticed and are executed by the threat actor to avoid detection.

Malware execution and encryption: Once inside, the ransomware is deployed—either manually or through an automated payload. It encrypts targeted files and systems, often using asymmetric encryption, making data inaccessible without a unique decryption key.

Extortion and ransom demand: A ransom note appears on the infected system, instructing the victim to pay in cryptocurrency to regain access. Increasingly, attackers also threaten to leak stolen data unless a second payment is made—this is known as double extortion.

Lateral movement and privileged escalation: In more advanced attacks, the ransomware spreads laterally across the network. Attackers use post-exploitation frameworks and stolen credentials to gain admin-level access and maximize the impact.

Business disruption: Without access to key systems and data, business operations can grind to a halt. Recovery is often slow, costly, and incomplete—especially if backups are missing or also encrypted.

Stages of a ransomware attack

While ransomware attacks can vary, most follow a predictable progression. Here are the typical stages of a ransomware attack—from initial access to full encryption:

Initial access and persistence: The threat actor gains initial access through techniques like phishing attacks, credential stuffing, or exploiting known vulnerabilities. Once inside, the attacker installs backdoors to maintain access over time.
Reconnaissance: Attackers survey the network to understand the environment—identifying high-value systems, user roles, and existing security controls. This stage helps the attacker determine where and how to move next without triggering alarms.
Credential theft and lateral movement: Using stolen credentials or post-exploitation tools, attackers escalate privileges and move laterally across the environment. They often disable defenses to avoid detection and gain deeper access.
Exfiltration: Sensitive data—such as financial records, client files, or project IP—is exfiltrated to use as leverage in a double extortion attack. The more valuable the data, the higher the ransom demand.
Encryption: The attacker encrypts selected files and systems, cutting off access to critical services and triggering a ransom demand. This is typically the most visible and damaging phase of the attack.

Real-world ransomware examples

Ransomware attacks are widespread, and many have caused major disruption around the world. Below are some of the most notable ransomware incidents, showing how different strains operate and why strong security hygiene is essential.

WannaCry ransomware (2017)

WannaCry was a fast-spreading ransomware worm that exploited a vulnerability in Windows systems. It was notable for its ability to self-propagate across networks, infecting thousands of systems globally—including hospitals, banks, and businesses. Victims were asked to pay a ransom in Bitcoin to unlock their data.

WannaCry combined traditional phishing with a worm-like component, making it especially damaging. It primarily impacted organizations with outdated software or poor patching and access control practices.

Petya and NotPetya ransomware (2016-2017)

Petya ransomware initially spread through infected email attachments. Once executed, it rebooted the system and encrypted the file system, locking users out completely. The NotPetya variant went further—masquerading as ransomware but acting more like a destructive wiper.

The attack caused significant disruption in Ukraine’s banking sector before spreading across Europe, ultimately causing billions of dollars in damages to organizations worldwide.

CryptoLocker ransomware (2013-2014)

CryptoLocker spread primarily through phishing emails disguised as messages from legitimate companies like FedEx or UPS. Once a user clicked the attachment, the ransomware used asymmetric encryption to lock files and demanded payment in exchange for the decryption key.

CryptoLocker is widely cited as a turning point in ransomware history—it demonstrated how profitable and persistent this attack type could be, and reinforced the need for strong security awareness training.

How to prevent ransomware

Ransomware prevention depends on a combination of a proactive security strategies, layered defenses, and user education. There are two key phases where your team can take action to reduce the risk and minimize damage: before and during an attack.

Before an attack: Prevention and preparation

Taking proactive steps before a ransomware attack can dramatically reduce your risk. Key measures include:

Reduce the attack surface: Identify the most common techniques ransomware actors use to gain access—like phishing or vulnerability exploitation—and harden those entry points.
Train your workforce: Conduct ongoing security awareness training to ensure employees can spot phishing attempts and understand safe data-handling practices.
Segment your network: Use network segmentation to isolate critical systems and prevent ransomware from spreading laterally.
Patch regularly: Apply updates to operating systems, software, and applications to close known security gaps.
Back up your data: Maintain frequent, tested backups—ideally segmented from your production environment.

During an attack: Containment and response

If ransomware does strike, fast containment is critical to reducing damage. Best practices include:

Restrict access to critical systems: Ensure sensitive files and resources are protected with least privilege access (LPA) policies to minimize exposure.
Use immutable backups: Restore data using uncompromised, recent backups to avoid paying ransom.
Automate response: Deploy tools that can isolate infected systems, disable accounts, and halt command-and-control communications in real time.
Investigate the root cause: Determine how the attacker gained access and patch the entry point to prevent reinfection.

How to remove ransomware from a system

If a ransomware infection occurs, fast action is essential to contain the threat and begin recovery. Removing ransomware requires a mix of automated tools, manual investigation, and strong access control.

Here's how to respond effectively:

Detect and isolate infected systems: Run a malware or endpoint detection scan across your environment to identify affected devices. Once ransomware is detected, immediately isolate the infected systems to prevent it from spreading across the network.
Revoke privileged access: Disable or remove the affected user's domain account from the local administrator group. This limits the malware's ability to run privileged commands or deploy to other systems. Most ransomware strains rely on administrator privileges to execute widespread damage.
Block malware communication and lateral movement: Use network security tools to block command-and-control (C2) traffic and prevent further spread. Consider quarantining infected machines and disabling vulnerable services that may be exploited to propagate the ransomware.
Automate and accelerate containment: Leverage security automation tools to create decision points for incident response teams. Automating common actions—like isolating hosts, suspending accounts, or rolling back changes—buys time and reduces attacker dwell time.
Begin recovery and remediation: Once the threat is contained, restore affected systems using clean, uncompromised backups. Conduct a root cause analysis to determine how the ransomware entered the environment and take corrective action to close that vector.

Ransomware Explained: Types, Stages & Prevention