Ransomware is malicious software that encrypts the files on your device, then demands payment for the key to decrypt them. Your photos, documents, and tax records are still sitting on the drive, but they have been scrambled into unreadable data. A note appears on the screen with payment instructions, almost always in cryptocurrency, and often with a countdown timer designed to panic you into paying.
Attacks on hospitals, school districts, and city governments make the news, so ransomware can feel like a problem for big organizations. It is not just a corporate problem. Criminals also run high-volume campaigns aimed at regular people, because a home user with irreplaceable family photos and no backup is often more motivated to pay than a company with an IT department. The ransom demand is simply sized to match the victim.
The encouraging part: ransomware is one of the most preventable threats you will face online. This guide explains how an attack unfolds, why paying rarely ends well, and the habits that turn an infection from a disaster into an inconvenience.
How a ransomware attack works
Every strain has its quirks, but the sequence is usually the same. The malware lands on your device, most often through an email attachment or a bad download, and may sit quietly for a while, mapping out which files look valuable and which drives are connected.
Then it runs its main job: encryption. It scrambles your documents, photos, spreadsheets, and anything else it can reach with a mathematical lock that cannot be broken without the matching key. Many strains also delete shadow copies, the hidden restore points Windows keeps, specifically so you cannot recover on your own. Anything attached at the time, including USB drives and shared network folders, usually gets encrypted too.
Finally, the ransom note appears. It names a price, sets a deadline, and sometimes threatens to publish your files if you refuse. That last tactic, called double extortion, started with corporate victims, but the pressure works on anyone whose private files were copied before they were locked.
Who ransomware targets
Two kinds of ransomware operations run side by side. The first hand-picks victims: hospitals, insurers, manufacturers, school systems, anyone whose downtime is expensive. Those are the attacks that make headlines.
The second kind is a numbers game, and it is aimed squarely at individuals and small businesses. These crews blast out phishing emails, seed infected downloads on piracy sites, and scan the internet for home computers with remote access left exposed. They do not know or care who you are. If your machine runs the malware, you get the same ransom note as everyone else.
The honest answer to who gets targeted: anyone with files they would pay to get back.
How ransomware gets onto a device
Ransomware almost never breaks in on its own. It gets invited, tricked in, or walks through a door someone left open. The common routes:
- Phishing emails: a fake invoice, delivery notice, or voicemail attachment that runs malware when opened, or a link to a page that does the same job.
- Pirated and cracked software: keygens, game cheats, and free versions of paid apps are a favorite delivery vehicle, because victims willingly ignore security warnings to run them.
- Fake updates and pop-ups: a website claims your video player or browser is out of date and offers a download. Real updates come from the software itself, never from a web page.
- Malicious ads: compromised ad networks can steer you toward infected downloads even on otherwise legitimate sites.
- Exposed remote access: attackers scan for computers with remote desktop switched on, guess weak or reused passwords, and install ransomware by hand.
- Unpatched software: known security holes in an operating system or app that an update would have closed.
Should you pay the ransom?
Law enforcement agencies and security researchers give the same advice: do not pay if you can avoid it. Payment guarantees nothing. Some victims pay and receive no key at all. Others receive a decryption tool that is slow, buggy, or only recovers part of what was lost. You are relying on the customer service of criminals.
Paying also marks you as someone who pays. Victim lists get shared and resold between crews, and repeat attacks on people who paid once are a documented pattern. Every ransom paid also funds the next round of attacks.
Before you decide, check whether a free fix already exists. The No More Ransom project, run by law enforcement agencies and security researchers, hosts free decryption tools for many older strains. It will not defeat a brand-new strain, but it has rescued plenty of victims of older ones.
Backups: the defense that decides everything
A recent backup turns ransomware from a catastrophe into an afternoon of restoring files. It is the single highest-value protection you can set up, and it also covers dead drives, stolen laptops, and spilled coffee.
Follow the 3-2-1 rule: keep three copies of your important data, on two different types of storage, with one copy offsite or in the cloud. In practice that can be as simple as the files on your computer, an external drive, and a cloud backup service.
- Automate it. On a Mac, turn on Time Machine under System Settings, then General, then Time Machine. On Windows, search the Start menu for File History, or use the backup feature in your security suite. A backup you have to remember is a backup that eventually stops happening.
- Disconnect external drives. Ransomware encrypts anything plugged in at the moment it runs. Unplug the backup drive once the backup finishes.
- Prefer cloud storage with version history. If encrypted files sync to the cloud and overwrite the good copies, version history lets you roll back to the clean versions.
- Test a restore. Every few months, pull a few files back from your backup and open them. A backup you have never restored from is a hope, not a plan.
Prevention: stop it before it runs
Backups are the safety net. These layers make sure you rarely need it.
Start with reputable security software. Good antivirus is genuinely effective against ransomware: it recognizes and blocks known families before they run, and it flags suspicious behavior, like a program rapidly encrypting file after file, even from strains it has never seen. Keep real-time protection switched on and let the software update itself. On Windows, the built-in Windows Security app is a solid baseline, and a paid product adds stronger web filtering and dedicated ransomware shields on top.
Turn on the ransomware setting Windows hides
Windows ships with a protection most people never find. Open the Windows Security app, go to Virus & threat protection, scroll down to Ransomware protection, and turn on Controlled folder access. It blocks untrusted programs from changing files in your Documents, Pictures, and other protected folders, which is exactly what ransomware needs to do.
Then add the everyday habits:
- Install updates promptly. On Windows: Settings, then Windows Update. On a Mac: System Settings, then General, then Software Update. On an iPhone: Settings, then General, then Software Update, and switch on automatic updates. Major outbreaks have spread through holes that a patch had already closed.
- Lock down remote access. If you do not use remote desktop, leave it off. If you do, protect it with a long, unique password, and run that password through our password strength checker if you are not sure it would survive guessing.
- Protect your email account. It is the front door for phishing and password resets. Use a unique password, turn on two-factor authentication, and see whether your address appears in known data leaks with our email breach checker.
- Download only from official sources. The app store on your phone, or the developer's real website. Nothing else.
- Slow down on attachments. If an invoice, delivery notice, or shared document arrives out of the blue, verify it through another channel before you open it.
What to do if you are hit
If a ransom note appears, or your files suddenly will not open and carry strange extensions, act in this order:
- Disconnect immediately. Turn off Wi-Fi or pull the network cable, and unplug any external drives. This limits how far the encryption spreads.
- Do not pay yet, and do not wipe yet. Photograph the ransom note with your phone. The note identifies the strain, and some strains have free decryptors.
- Remove the malware first. Run a full scan with a reputable antivirus, or reinstall the operating system cleanly. Restoring files onto an infected machine just gets them encrypted again.
- Restore from backup. This is the moment all the preparation above pays for itself.
- Report the attack. In the United States, that means the FBI's Internet Crime Complaint Center. Reports help investigators connect campaigns, and a formal report can matter for insurance claims.
Where to start tonight
You do not need to do all of this at once. This sequence knocks out the biggest risks first:
- Copy your irreplaceable files, photos, tax records, and important documents to an external drive or cloud storage, then set up automatic backups this week.
- Open the Windows Security app and turn on Controlled folder access, or confirm that real-time protection in your antivirus is on.
- Install every pending update on your computer and phone, and switch on automatic updates.
- Turn on two-factor authentication for your email account.
- Unplug the external backup drive when the backup finishes.
That is one evening of work. Do it once, refresh it now and then, and ransomware becomes something you read about instead of something you pay for.