
What Is Ransomware: How It Works, Examples and Defence

What ransomware is: encryption, double extortion, active families (LockBit, BlackCat, Akira), entry vectors, defensive controls and incident response.

Secra · May 8, 2026 · 11 min read

Ransomware is a type of malware that encrypts the files on a compromised machine or network and demands a ransom, usually in cryptocurrency, in exchange for the decryption key. Modern variants do not stop at encryption: they exfiltrate the data first and threaten to publish it if the victim does not pay. This is known as double extortion. Ransomware is the malware family with the highest operational and financial impact on companies today and the leading cause of incident reporting under NIS2 across Europe.

This guide explains what ransomware is, how it enters and operates inside an organisation, which families remain active in 2026, which controls actually reduce risk and how incident response is handled when it lands.

What ransomware is

Ransomware is malicious software whose goal is to block the victim's access to their own data (by encrypting it with a key known only to the attacker) and to monetise that block through a ransom payment. The transaction is coercive: pay or lose the data, or pay or have it published.

Three elements separate ransomware from other malware families:

  • Mass file encryption with modern algorithms (AES-256 symmetric, RSA-2048 or Curve25519 asymmetric). The encryption is mathematically irreversible without the attacker's key.
  • Ransom note left on the filesystem (typically README.txt or HOW_TO_DECRYPT.txt in every folder) with instructions to pay and a link to the group's portal on Tor.
  • Structured criminal economic model (Ransomware-as-a-Service, RaaS): the ransomware developer maintains the tooling, affiliates execute the attacks and the take is split on agreed percentages.

Double (and triple) extortion adds pre-encryption exfiltration, threat of data publication on a Tor leak site and, in some cases, an additional DDoS attack or calls to the victim's clients as pressure. Data loss prevention (DLP) controls have direct impact here if they are well operated.

How ransomware operates step by step

The encryption itself is the final stage. Before it, the attacker has already done weeks or months of work:

  1. Initial access. Phishing with an attachment, exploitation of an unpatched exposed service (VPN, RDP, Citrix, admin panel), purchase of credentials stolen by infostealers on criminal marketplaces, or supply chain compromise. Ransomware has moved from "spray and pray" to "big game hunting" targeting companies that can afford to pay.
  2. Reconnaissance and lateral movement. The attacker maps the network, identifies domain controllers, backup servers, NAS, hypervisors and sensitive data. They use legitimate tools (PsExec, BloodHound, AnyDesk, RClone) to avoid raising flags.
  3. Privilege escalation and persistence. They capture Active Directory credentials (Mimikatz, kerberoasting), create alternative privileged accounts, disable EDR where they can, manipulate GPOs.
  4. Data exfiltration. Before encrypting, they upload sensitive files to their own infrastructure: typically to Mega or Dropbox, to an attacker-controlled S3 bucket via RClone, or over a reverse SSH tunnel. This phase can run for days or weeks.
  5. Ransomware deployment. When the attacker decides to pull the trigger, they launch the binary in a coordinated way through GPO, PsExec or the client's own legitimate deployment software. Within minutes it encrypts files, deletes shadow copies and sabotages online backups.
  6. Negotiation. The victim enters the group's Tor portal with the ID shown in the ransom note. The group presents the demand and, if data was exfiltrated, a sample as proof.

The mean time between initial access and encryption (dwell time) varies by group and by defensive maturity: between 24 hours and several weeks. In 2025-2026, the fastest groups such as Akira or Play go from initial access to encryption in under 48 hours.

Active families in 2025-2026

The landscape shifts with every law enforcement operation, but these are the dominant families today:

  • LockBit. The family with the largest cumulative victim count. After Operation Cronos (2024) it suffered serious disruption but variants and forks (LockBit 4.0, derivatives) continue to operate.
  • BlackCat / ALPHV. Theatrical shutdown in March 2024 (exit scam after a multi-million dollar payment) but the affiliates regrouped into successor crews. RustyMonkey, Cicada3301 and others inherit code and TTPs.
  • Akira. Active since 2023, focused on mid-sized companies. Double extortion and a professional operation.
  • Play. Active and one of the fastest in dwell time (access to encryption in hours).
  • Royal / BlackSuit. Conti's successor, an operation aimed at healthcare and the public sector in the US and Europe.
  • Medusa. Ransomware with aggressive public communication. Active in public sector and education.
  • Qilin. Growth in 2024-2025 after the BlackCat collapse, with notorious attacks against the UK NHS.

Most operate under the RaaS model: the developer maintains the platform and tools, affiliates run campaigns and take 70-80% of the ransom. The model professionalises the crime and lowers the entry barrier for new actors.

Most frequent entry vectors

Three paths concentrate almost every documented incident in reports from IBM, Verizon DBIR, ENISA Threat Landscape and Coveware:

  1. Phishing with attachment or link. Still the number one vector. Office documents with macros, malicious PDFs, links to fake credential pages that steal SSO credentials or drop a loader.
  2. Exposed services without patches or without MFA. VPN with a public unpatched CVE (Fortinet, Citrix, SonicWall, Ivanti have made headlines repeatedly), RDP open to the internet, admin panels without MFA, on-premises Microsoft Exchange. Every critical CVE in these products triggers mass campaigns within hours.
  3. Access bought from Initial Access Brokers. An active market where other actors sell valid credentials or SSO sessions stolen by infostealers (Lumma, Redline, Vidar). The ransomware group buys ready-to-use access and goes straight into lateral movement.

Other vectors: supply chain (SolarWinds, Kaseya, 3CX), attack against a managed service provider that reaches multiple clients, USB drops in OT environments, drive-by download from compromised websites.

Defence against ransomware: what actually works

There is no single silver bullet. The combination that meaningfully reduces risk:

  • MFA on everything exposed to the internet. VPN, RDP, admin panels, critical SaaS. Removes most of the value of stolen credentials. Modern infostealers also grab post-MFA session cookies, so combining MFA with short session lifetimes and anomaly review on account activity rounds out the control.
  • Aggressive patch management on the exposed surface. VPN, firewall, perimeter equipment, Exchange servers, admin panels. Critical CVEs in these products get exploited massively within hours. The patching SLA for the external surface should be days, not weeks. More in what is a CVE: vulnerabilities explained.
  • EDR with automatic response. Detects mass encryption, shadow copy deletion and communication with known C2. Some products (SentinelOne, certain CrowdStrike configurations) roll back files encrypted in the seconds before the block triggered.
  • Real network segmentation. Workstations in separate VLANs from servers. Critical servers (DC, backup, ERP) reachable only from controlled bastions. Without segmentation, a single compromised endpoint becomes domain-wide encryption.
  • Offline and tested backups. Immutable backups (object lock, snapshots outside the domain, tapes, S3 cross-account with MFA delete) that the attacker cannot wipe even with domain admin. Test real restoration at least quarterly. It is the only real exit when the ransomware has finished encrypting.
  • Privilege management and Active Directory tiering. Separate privileged accounts, protected Tier 0, removal of credentials in memory on session lock, monitoring of kerberoasting and DCSync.
  • SOC with 24/7 monitoring at least on critical assets. Most ransomware fires outside business hours because the attacker knows the team is not watching.
  • Annual tabletop with a ransomware scenario. Practise communication, payment decision, restoration and regulatory notification before the real thing. The first ransomware incident is not the moment to improvise.

Pay or not pay: what the law says and what operations look like

Official recommendations from CISA, Europol and national CERTs are clear: do not pay. Paying funds the criminal ecosystem, does not guarantee key delivery (in documented cases the decryptors fail or the exfiltrated data leaks anyway) and does not prevent a repeat incident.

The operational reality of victims is nuanced. When the business is fully halted, the backups are compromised and the cost of not operating exceeds the ransom, some organisations pay. Worth knowing:

  • Paying certain groups can be illegal. International sanctions (OFAC in the US, EU sanctions) prohibit payments to specific groups. Confirming with legal before transferring is mandatory.
  • Paying does not waive regulatory notification. Under NIS2 and GDPR, notification to the competent authority and to affected parties applies regardless.
  • Document everything. Communications with the group, the pay-or-not decision, criteria used. All of it is preserved as evidence for the auditor, the regulator and the cyber insurer.

Ransomware and compliance: NIS2, DORA, GDPR

  • NIS2 (article 23). Notification of significant incidents within 24 hours (preliminary) and 72 hours (full report). A ransomware incident in an essential entity almost always meets the significant incident criteria and must be reported to the national competent authority. More in NIS2 in Spain: a compliance guide for 2026.
  • DORA (article 19). Notification of major operational incidents to the supervisory authority (central bank, securities regulator) within similar windows. For significant financial entities, inclusion in TLPT testing under TIBER-EU. More in DORA compliance guide for financial entities 2026.
  • GDPR (articles 33-34). If the ransomware compromised personal data (access or exfiltration), notification to the data protection authority within 72 hours and, if the risk is high, direct communication to the affected parties.

Incident documentation, containment measures and the timeline form part of the evidence the regulator can request and that the following year's auditor will review when evaluating the continuity control.

Frequently asked questions

Is ransomware the same as malware?

No. Ransomware is one specific type of malware. Other types (trojans, worms, RATs, infostealers, rootkits) have different objectives: remote access, credential theft, espionage, persistence. What distinguishes ransomware is mass data encryption and the ransom demand as economic model.

Is there a way to decrypt the files without paying?

Sometimes. The No More Ransom initiative (Europol + Politie + McAfee + Kaspersky) maintains a public repository with decryptors for older families or for groups whose servers were seized (old LockBit 3.0, certain Conti variants, REvil pre-disruption). For the most recent active families there is no public decryptor. The only reliable recovery path without paying is restoration from a clean backup.

How long does a company take to recover after ransomware?

It depends on the state of the backups and on defensive maturity. With offline tested backups and an operational EDR/SIEM, recovery can take days. Without reliable backups, or with compromised backups too, it can take weeks or months. Annual studies (IBM Cost of a Data Breach, Sophos State of Ransomware) put the average incident cost in the millions once operational downtime, recovery, legal advice and forced subsequent improvements are added.

Does cyber insurance cover the ransom?

Some policies cover it, but conditions are tightening significantly. Insurers require MFA, EDR, offline backups and a response plan as prerequisites and, without those controls, deny coverage or limit it. Ransom coverage also collides with legal restrictions when the group is on a sanctions list.

What do I do if I see ransomware executing right now?

Isolate the machine from the network immediately without powering it off (powering down destroys memory useful for forensics), alert the security team or an on-call DFIR provider, don't touch the files and keep the ransom note intact. If the organisation is under NIS2, open a report to the national CERT as soon as the incident is contained. The speed of isolation drives the scope of the damage.

Does antivirus or EDR stop ransomware?

Traditional antivirus only blocks variants with a known signature and falls short against modern families. Modern EDR detects the mass encryption pattern and shadow copy deletion within the first seconds and, in some products, undoes the damage with rollback. Neither replaces the rest of the chain (MFA, patching, segmentation, backup).
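As an added illustration of the two detections named in the defence list (EDR with automatic response) and in the answer above, not code from Secra or from any EDR product: a small Python detector that reads event lines in an assumed JSON shape, flags backup-sabotage command lines (shadow copy deletion and similar) and raises a mass-encryption alert when one process renames many files inside a short sliding window. The event format, the sample events and the thresholds are constructed assumptions.

```python
import json
import re
from collections import defaultdict, deque

# Constructed sample telemetry (not from any real incident): two process-creation
# events followed by a burst of 120 file renames by a single process in 1.2 seconds.
SAMPLE_EVENTS = [
    '{"ts": 100.0, "type": "process", "pid": 4120, "cmd": "vssadmin.exe delete shadows /all /quiet"}',
    '{"ts": 100.5, "type": "process", "pid": 4121, "cmd": "notepad.exe notes.txt"}',
] + [
    json.dumps({"ts": 101.0 + i * 0.01, "type": "file_rename", "pid": 4130,
                "path": f"C:\\Shares\\finance\\doc{i}.xlsx", "new_path": f"C:\\Shares\\finance\\doc{i}.xlsx.locked"})
    for i in range(120)
]

# Backup/recovery sabotage command lines that almost never run legitimately on a workstation.
SABOTAGE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

RENAME_WINDOW_S = 2.0   # sliding window length in seconds (assumed tuning value)
RENAME_THRESHOLD = 100  # renames by one pid inside the window that trigger the alert

def detect(lines, window=RENAME_WINDOW_S, threshold=RENAME_THRESHOLD):
    """Return (alert_type, pid, detail) tuples for the given JSON event lines, in order."""
    alerts = []
    renames = defaultdict(deque)  # pid -> timestamps of renames still inside the window
    fired = set()                 # pids already alerted on, to avoid one alert per file
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "process":
            if any(p.search(ev["cmd"]) for p in SABOTAGE_PATTERNS):
                alerts.append(("shadow_copy_sabotage", ev["pid"], ev["cmd"]))
        elif ev["type"] == "file_rename":
            q = renames[ev["pid"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
                q.popleft()
            if len(q) >= threshold and ev["pid"] not in fired:
                fired.add(ev["pid"])
                alerts.append(("mass_rename_burst", ev["pid"],
                               f"{len(q)} renames in {window}s, last -> {ev['new_path']}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

In a real pipeline the alert would feed the EDR's automatic response (process kill, host isolation); here it only returns the alert tuples so the logic can be checked on its own.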

Ransomware response at Secra

At Secra we help organisations contain ransomware incidents in progress (DFIR), recover operations with minimum data loss, preserve evidence for the regulator and the insurer and strengthen the defensive posture after the incident to reduce the probability of repetition. If your team is dealing with an active ransomware case or wants to prepare the playbook before the first one, get in touch through contact or check our managed cybersecurity catalogue.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
