Ransomware in plain terms
Most people search for ransomware for one of two reasons: they want to understand the threat, or something has already started locking files. This page focuses on both needs without drifting into news archives.
What is ransomware?
Ransomware is a type of malware used for extortion. It may encrypt documents, photos, databases, and backups; lock the screen; or steal data before demanding money. The ransom note usually claims that payment is the only way to recover files, but that is not always true, and even payment does not guarantee recovery.
Modern ransomware attacks often involve more than encryption. Criminals may steal files, threaten publication, contact employees or customers, and pressure victims to pay quickly. For home users, the most common damage is encrypted personal files. For businesses, the damage can include downtime, data exposure, legal reporting, and recovery costs.
If you think ransomware is active now
- Disconnect the device from the network. Unplug Ethernet and turn off Wi-Fi to limit spread.
- Do not delete encrypted files. Keep samples, ransom notes, and file extensions for identification.
- Do not rush to pay. Payment can fail, fund criminals, and make you a repeat target.
- Check safe backups. Use offline or cloud versions that were not connected during the infection.
- Scan before recovery. Remove the active malware before restoring files, or the restored files may be encrypted again.
How ransomware works
A ransomware incident usually has several stages. The visible ransom note is the last stage, not the beginning of the attack.
- Initial access. The attacker gets in through a malicious attachment, fake download, exposed remote access, stolen password, or exploited vulnerability.
- Execution. A loader, script, or trojan starts the ransomware process or downloads the final payload.
- Preparation. The malware may disable security tools, delete shadow copies, stop services, or look for shared folders and backups.
- Encryption or lockout. Files are encrypted or the device is locked. Many attacks also leave ransom notes in affected folders.
- Extortion. Criminals demand payment and may threaten to publish stolen data or increase the price after a deadline.
Warning signs of ransomware
Some ransomware attacks are sudden, but there are often earlier clues that something is wrong.
- Files suddenly have strange extensions or cannot be opened.
- Folders contain ransom notes such as README.txt, RECOVER-FILES.html, or similar messages.
- Security tools, backup software, or system restore features stop working.
- The computer becomes slow while disk activity stays unusually high.
- Unknown processes run from temporary folders, downloads, or user profile directories.
- Remote access tools, scripts, or scheduled tasks appear unexpectedly.
- Shared folders or mapped network drives begin changing at the same time.
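As an added illustration of the file-system signs above (example code, not from this page or from Gridinsoft), the Python below scores a folder on three of them: unusual extensions, ransom-note file names, and content whose byte entropy looks encrypted rather than like a document. The note names, extension list and thresholds are constructed assumptions, and the sample tree it scans is built in a temporary directory.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed lists and thresholds; a real deployment would tune them to the environment.
NOTE_NAMES = {"readme.txt", "recover-files.html", "how_to_decrypt.txt"}
COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".html", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_folder(root, sample_bytes: int = 4096) -> dict:
    """Count the three warning signs in one folder tree and flag it."""
    total = odd_ext = notes = high_entropy = 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        total += 1
        if path.name.lower() in NOTE_NAMES:
            notes += 1          # a ransom note is plain text; do not score its entropy
            continue
        if path.suffix.lower() not in COMMON_EXTS:
            odd_ext += 1        # e.g. report.docx.locked
        if shannon_entropy(path.read_bytes()[:sample_bytes]) > 7.5:
            high_entropy += 1   # content looks encrypted, not like a document
    data_files = total - notes
    odd_ratio = odd_ext / data_files if data_files else 0.0
    return {"files": total, "odd_ext": odd_ext, "notes": notes, "high_entropy": high_entropy,
            "suspicious": notes > 0 or (odd_ratio > 0.5 and high_entropy > 0)}


def build_sample(root: str) -> None:
    """Constructed tree: a healthy folder next to one that looks encrypted."""
    ok = Path(root, "ok"); ok.mkdir()
    (ok / "budget.txt").write_text("quarterly figures, nothing unusual\n" * 20)
    bad = Path(root, "bad"); bad.mkdir()
    for i in range(3):      # random bytes stand in for encrypted content
        (bad / f"report{i}.docx.locked").write_bytes(os.urandom(4096))
    (bad / "RECOVER-FILES.html").write_text("<p>your files are encrypted</p>")


def demo() -> dict:
    """Build the sample in a temp dir and scan both folders."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return {name: scan_folder(Path(tmp, name)) for name in ("ok", "bad")}
```

Run `demo()` to see the healthy folder reported as clean and the encrypted-looking one flagged; on a real system, point `scan_folder` at user document folders and mapped drives and alert when a folder turns suspicious between two runs.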
Ransomware removal and recovery steps
The safest order is containment first, cleanup second, recovery third. Restoring files before removing the active infection can repeat the damage.
- Isolate the affected device. Disconnect it from the internet and local network. If several computers are involved, separate them quickly.
- Preserve evidence. Keep ransom notes, encrypted file samples, suspicious emails, and screenshots. These details help identify the family.
- Identify the strain. Use file extensions, ransom note names, and scanner detections to determine whether a decryptor may exist.
- Remove the malware. Run a full scan with a trusted anti-malware tool and check startup entries, scheduled tasks, services, and remote access tools.
- Check decryptor options. Search reputable decryptor repositories before considering drastic recovery steps.
- Restore from clean backups. Restore only after the system is clean, preferably to a fresh or verified environment.
- Change exposed credentials. Update passwords from a clean device, especially for email, cloud storage, VPN, RDP, and administrator accounts.
For Windows cleanup and prevention guidance, start with the anti-ransomware workflow. If the device shows broader malware symptoms, use the malware removal workflow before restoring data.
Can ransomware files be decrypted?
Sometimes, but not always. Free decryption may be possible when researchers find a flaw in the ransomware, law enforcement obtains keys, or the malware used an offline or reused key. If the ransomware used strong encryption correctly and generated a unique online key, free decryption may not be available.
Before paying or wiping the system, check trusted decryptor sources such as No More Ransom and keep encrypted file samples. Even when decryption is not possible today, future keys or tools may appear for some families.
Common types of ransomware
| Type | What it does |
|---|---|
| Encrypting ransomware | Encrypts files and demands payment for a decryption key. |
| Locker ransomware | Blocks access to the device or screen without necessarily encrypting each file. |
| Leakware or doxware | Steals data and threatens to publish it unless the victim pays. |
| Ransomware-as-a-Service | Ransomware infrastructure rented to affiliates who conduct attacks and share profits. |
| Wiper-like ransomware | Looks like ransomware but is designed mainly to destroy data or disrupt operations. |
How ransomware spreads
Ransomware rarely appears without an entry point. The most common paths are familiar, which is why prevention still works.
- Phishing emails: attachments, links, fake invoices, delivery notices, or document prompts.
- Malicious downloads: cracks, keygens, fake installers, fake browser updates, and repacked software.
- Stolen credentials: reused passwords for email, cloud accounts, VPN, or remote desktop.
- Exposed remote access: poorly protected RDP, VPN, remote monitoring, or admin tools.
- Unpatched software: vulnerable servers, plugins, CMS installations, and network appliances.
- Other malware: trojans, droppers, spyware, or botnets that later deliver ransomware.
How to protect against ransomware
Good ransomware defense is not one product or one setting. It is a layered routine: reduce entry points, keep backups outside the attacker’s reach, and detect suspicious behavior early.
- Keep offline or immutable backups. Backups should not stay permanently writable from the same device that could be infected.
- Update software quickly. Patch Windows, browsers, document readers, VPN clients, and internet-facing systems.
- Use strong authentication. Enable MFA for email, cloud storage, VPN, remote desktop, and administrator accounts.
- Limit remote access. Disable public RDP where possible and restrict admin tools to trusted networks.
- Block risky downloads. Avoid cracks, pirated installers, unknown download managers, and fake update prompts.
- Watch for early behavior. Sudden mass file changes, disabled security tools, and shadow-copy deletion are urgent signals.
- Use anti-malware protection. Keep a scanner available for full-system checks and cleanup after suspicious activity.
Need to check a Windows PC?
Gridinsoft Anti-Malware scans for ransomware, trojans, spyware, droppers, and persistence components that can keep an infection alive.
Scan with Gridinsoft Anti-Malware or follow the dedicated anti-ransomware workflow.
Ransomware families and examples
Ransomware families change over time, but many techniques repeat across generations. These examples help with identification and internal research:
- LockBit - a widely discussed ransomware-as-a-service family.
- Conti and Ryuk - historically important enterprise ransomware operations.
- Dharma - commonly associated with exposed remote access and weak credentials.
- Magniber, MedusaLocker, and Snatch - examples with distinct ransom notes and file behavior.
Recent ransomware research
- Dire Wolf (.direwolf) Ransomware Virus - Removal and Decryption
- PE32 Ransomware
- VerdaCrypt Ransomware
- D0glun Ransomware: Analysis and Protection Guide
- Moscovium Ransomware