Ransomware in the digital world: What is ransomware and how can we protect ourselves against it?
Ransomware is one of the most dangerous forms of cybercrime. One wrong click or one missed update is enough for your data to be encrypted and held for ransom. But what exactly is ransomware? How does it work, what types exist, and how can we defend ourselves against it effectively? This article looks at these questions.

What is ransomware?
Ransomware is malicious software that encrypts or locks data stored on a computer, network or in the cloud. The attacker then demands a ransom - usually in cryptocurrency - in exchange for restoring access to the data. In some cases, attackers not only lock the data, but also steal it and threaten to make it public.
Ransomware is therefore a form of digital hostage-taking: the victim "buys back" their own data for a ransom.
The history of ransomware
Ransomware is not a recent phenomenon: the first known attacks appeared surprisingly early, in the late 1980s, long before the general public became aware of them.
Key milestones in the history of the ransomware virus:
1989 - The first ransomware: PC Cyborg (AIDS Trojan)
The first known ransomware was created by a biologist called Joseph Popp. It:
- spread on a 5.25″ floppy disk
- locked the computers of researchers attending the AIDS conference and demanded that the ransom be sent by post, as a cheque
- was still primitive: files were not encrypted, just hidden
It did not cause a global panic, but it set the stage for the more advanced extortion schemes that followed.
2005-2009 - The dawn of modern ransomware
- the first viruses using real encryption started spreading on Russian forums
- "GPCoder" and "Archiveus" already locked files with strong RSA encryption
- ransoms had to be paid by e-mail and through various payment systems
Infections were still relatively few in this period, especially among technically skilled users.
2013 - CryptoLocker is released
The first serious ransomware that:
- used strong RSA + AES encryption,
- took payment in Bitcoin,
- spread professionally via email attachments and botnets.
It infected tens of thousands of victims worldwide.
The FBI issued a warning, and eventually the botnet that distributed it (Gameover Zeus) was shut down in an international operation.
2015-2016 - The birth of the ransomware "industry"
The Ransomware-as-a-Service (RaaS) model emerged.
- anyone could "rent" ransomware in exchange for a share of the proceeds
- examples: Cerber, Locky, TeslaCrypt
New variants appeared en masse. Educational institutions, hospitals and municipalities also became targets.
2017 - The black year: WannaCry & NotPetya
WannaCry
- hit more than 150 countries
- exploited a Windows SMB protocol vulnerability (EternalBlue)
Victims included the British NHS, Renault, FedEx and Telefonica.
Its presumed source was North Korea (Lazarus group).
NotPetya
- was ostensibly ransomware, but was in fact destructive malware
- started in Ukraine, but spread globally
- crippled multinational companies (Maersk, Merck, Rosneft)
- was of suspected Russian origin
2018-2022 - Ransomware 2.0: Double extortion and targeted attacks
The attackers not only encrypted the data, but also stole it.
Two threats in one:
- "Pay to get your data back!"
- "Pay up or we'll publish it!"
Targets: large companies, hospitals, municipalities.
The notorious leak blogs (e.g. MazeLeaks, REvil, ContiLeaks) appeared in this period.
From 2023 to today - AI and BitLocker-based ransomware
- ShrinkLocker (2024): used Windows' built-in BitLocker encryption to encrypt drives, making decryption more difficult
- increasing use of artificial intelligence to select targets and improve phishing emails
- the development of unbreakable encryption methods
- attacks have become more complex, faster and better targeted
- in 2025, the Medusa, Qilin, Dragonforce and Warlock groups actively use a triple extortion strategy (data theft + encryption + DDoS threat)

How does ransomware work? The three phases of ransomware
For ransomware to achieve its goal - encrypting data and then holding it to ransom - it needs to perform three basic steps.
1. Entry into the system: infection
The ransomware first looks for an entry point through which it can infect the target system. The most common methods are the following.
Phishing emails
Attackers often send apparently official emails that contain:
- a link to an infected website, or
- an attachment (e.g. a fake invoice or Word document) that downloads and launches the ransomware.
Once the recipient clicks the link or opens the file, the malicious code is activated.
Remote access - RDP (Remote Desktop Protocol)
Many organisations use remote desktop connections (RDP), but with weak passwords or ports open to the internet these can be left unprotected. The attacker:
- logs in with stolen or fabricated credentials,
- installs the ransomware directly.
Exploiting vulnerabilities
The famous WannaCry ransomware, for example, exploited a flaw in the Windows SMB service (EternalBlue) to spread automatically from computer to computer.
Supply chain attacks (a 2025 trend)
In recent years, attackers have increasingly targeted external partners or subcontractors. If a supplier's system is weakly protected, the attacker:
- obtains access rights there,
- then uses the trusted connection to reach the main target - for example, a large corporation.
2. Encryption - Taking files hostage
Once the ransomware has entered the system, it immediately starts encrypting files. This process:
- accesses documents, images and databases,
- locks them with a unique encryption key (e.g. AES-256),
- then deletes the original files and replaces them with the encrypted versions.
Most ransomware carefully selects the files to be encrypted so as not to completely cripple the operating system, which must keep running for the ransom message to be displayed and for the user to be able to pay.
Many variants also delete shadow copies and backups to make it difficult to restore the data.
3. Extortion - Claiming the ransom
Once all the targeted files have been encrypted, the ransomware moves to the extortion phase:
- the desktop background changes, or
- each folder receives a "_READ_ME.txt" or similar file containing the ransom demand.
The demand usually includes the following:
- "All files are encrypted, you can't access them!"
- "Pay X amount of cryptocurrency (e.g. Bitcoin) to get the key back!"
- a time limit (e.g. 72 hours), after which the data will be lost or disclosed.
If the victim pays, the attackers:
- send the private key needed to decrypt the data, or
- provide decryption software that reverses the encryption.

What ransomware attacks exist?
Ransomware has evolved considerably in recent years. Today it is far more than a simple file-encrypting program: the new generation of ransomware employs complex, multi-layered extortion strategies, designed not only to make money but also to exert as much pressure as possible.
Let's look at the most common and important ransomware types and techniques.
1. Double extortion
This type, Maze ransomware for example, does not stop at encrypting data. The attackers:
- first steal the data, and then
- encrypt it on the target system.
If the victim restores the data from backup and does not pay, the attacker threatens to disclose the stolen information, causing legal, PR and competitive damage.
With this method, backups alone are no longer enough - companies often pay to avoid a data scandal.
2. Triple extortion
Triple extortion is an extension of the double extortion method. The attackers:
- steal the data,
- encrypt the files,
and then apply further pressure:
- the victim's clients or partners are also approached and blackmailed,
- a DDoS attack is launched against the victim's website or services.
This tactic is particularly effective against companies, as the reputational damage and the cost of downtime can increase dramatically.
3. Locker ransomware
Locker-type ransomware does not encrypt files, but:
- locks down the entire system so the victim cannot log in or perform any operations,
- displays only the ransom message on the screen.
This method is often less technical and more psychological, and is aimed especially at home users.
4. Crypto ransomware
Classic file-encrypting ransomware is often referred to as crypto ransomware, referring both to the cryptographic techniques used and to the cryptocurrency ransom.
- files are encrypted using AES or RSA algorithms
- the ransom is usually requested in Bitcoin or another cryptocurrency
The use of cryptocurrency allows anonymous transactions, making it difficult to trace the attackers.
5. Wiper - Data-wiping ransomware
Wiper-type malware resembles ransomware, but it destroys rather than extorts:
- encrypts or deletes files,
- neither stores nor hands over a decryption key - the aim is permanent loss of the data.
This often serves political, cyber-warfare or sabotage purposes (e.g. NotPetya).
6. Ransomware-as-a-Service (RaaS)
The essence of the RaaS model is that developers rent out ransomware:
- anyone can "rent" the ransomware platform, even without technical knowledge,
- the attacker (affiliate) carries out the infection,
- and shares the profits with the ransomware developers.
This has democratised cybercrime and enabled mass attacks.
7. Data-stealing ransomware (DST)
Some newer variants no longer encrypt files at all, but steal data (e.g. customer databases, trade secrets) and use it as their sole means of extortion.
This method is faster, less conspicuous and more effective against targets whose backups work well.
What are the consequences of a ransomware attack?
Ransomware attacks are not just a technical problem - they can cause serious financial, operational, legal and reputational damage to a company.
1. Financial losses
The most obvious impact is the material damage:
- Payment of the ransom: many companies pay up to millions in cryptocurrency to get their data back.
- Cost of damage repair and restoration: IT experts, recovery services, purchase of new hardware or software.
- Loss of revenue: systems that are down interrupt operations, prevent the company from serving customers, and result in lost revenue.
- Legal fees: costs of data-protection lawyers and damages claims.
2. Data loss
Even if the company pays, there is no guarantee that all files can be recovered:
- Attackers do not always send the decryption key.
- Often, the files that are returned are damaged or incomplete.
- Shadow copies and backups may also be deleted during the attack.
A ransomware attack can therefore result in permanent data loss, especially if there was no proper backup.
3. Data leakage
Modern ransomware often uses double or triple extortion techniques:
- Data is not only encrypted, it is also stolen.
- The attackers threaten to expose sensitive information if the company does not pay.
- This could involve leaks of customer, partner or even intellectual property data.
4. Shutdown, malfunction
Encrypting critical systems or services can make it impossible for the entire company to operate.
- No access to customer data, stock, delivery systems, etc.
- Triple extortion attacks often add DDoS attacks, overloading even systems that are not infected.
- A medium-sized company can be out of business for days or weeks, which means a significant loss of revenue.
5. Reputational damage, loss of trust
- Customers and partners may lose confidence in the company.
- This is particularly serious if customer data has been stolen or is being used for blackmail.
- Press coverage and negative PR can damage a company's image in the long run.
6. Legal and regulatory implications
Ransomware attacks often reveal that:
- the company did not comply with data protection or IT security regulations (e.g. GDPR),
- personal data has fallen into unauthorised hands,
- there were no proper emergency or recovery protocols.
As a consequence:
- administrative investigations may be launched and fines imposed,
- damages claims may be brought by customers,
- the reputation of the company continues to deteriorate.
How to defend against ransomware?
The key is a combination of prevention, awareness and technical protection. A well-designed defence strategy not only reduces the chance of a successful attack, but also allows for rapid recovery - even without paying a ransom.
Basic prevention steps
- Cybersecurity education: Most attacks start with phishing emails. Regular training helps staff recognise suspicious emails, links and attachments, and is one of the most important protection tools.
- Regular backup: Automatic, secure data backup allows files to be recovered in the event of infection, without paying a ransom.
- Install updates and patches: Ransomware often exploits known vulnerabilities. Using the latest software versions significantly reduces exposure.
- Strong authentication: For services such as remote desktop (RDP), the use of complex passwords and two-factor authentication is essential.
Reducing the attack surface
- Email filtering and phishing protection
- Use external risk management tools (e.g. monitoring leaked passwords)
- Protecting remote access with advanced SASE solutions
- Protecting mobile devices, using MDM systems
Advanced protection: anti-ransomware solutions
Modern anti-ransomware software is able to recognise the operating patterns typical of ransomware. A good anti-ransomware solution:
- recognises many variants,
- reacts quickly to threats,
- automatically restores modified files, even without shadow copies.
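As an added example (not code from the article or from its publisher), the Python heuristic below checks a snapshot of a file share for the two on-disk traces described in phases 2 and 3 above, which are also the kind of operating pattern an anti-ransomware tool looks for: files whose contents have become high-entropy ciphertext, and a ransom note such as "_READ_ME.txt" repeated across folders. The note file names, the entropy threshold and the sample snapshot are assumptions constructed for this example.

```python
# Added example, not from the original article: a defender-side heuristic that looks for
# the two on-disk traces described above, files whose contents were replaced by
# high-entropy ciphertext, and a ransom note dropped into many folders.
import math
import os
import random
from collections import Counter

NOTE_NAMES = {"_read_me.txt", "readme.txt", "how_to_decrypt.txt"}  # assumed note names
ENTROPY_THRESHOLD = 7.5  # bits per byte; AES ciphertext is close to 8.0, plain text about 4-5
MIN_NOTE_FOLDERS = 3     # the same note in this many folders is treated as suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(files: dict) -> dict:
    """`files` maps path -> content bytes (a snapshot of a file share).

    Returns the paths that look encrypted, the folders holding a ransom note,
    and an overall verdict."""
    encrypted = [path for path, data in files.items()
                 if len(data) >= 64 and shannon_entropy(data) >= ENTROPY_THRESHOLD]
    note_folders = sorted({os.path.dirname(path) for path in files
                           if os.path.basename(path).lower() in NOTE_NAMES})
    suspicious = (len(note_folders) >= MIN_NOTE_FOLDERS
                  or len(encrypted) >= max(1, len(files) // 2))
    return {"encrypted": encrypted, "note_folders": note_folders, "suspicious": suspicious}


# Constructed sample snapshot: three folders that each received the "_READ_ME.txt" note
# and a document replaced by pseudo-random bytes, plus one untouched text file.
_rng = random.Random(1)  # fixed seed keeps the sample reproducible
SAMPLE = {}
for folder in ("docs", "docs/finance", "images"):
    SAMPLE[f"{folder}/_READ_ME.txt"] = b"All files are encrypted, pay in Bitcoin to get the key!"
    SAMPLE[f"{folder}/report.docx.locked"] = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE["docs/notes.txt"] = b"Quarterly planning notes, nothing unusual here.\n" * 20

if __name__ == "__main__":
    print(assess(SAMPLE))
```

In a real deployment the snapshot would come from a file-integrity or EDR agent, and the thresholds would be tuned against the share's normal content (compressed archives and media files are also high-entropy).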
Prevent ransomware attacks! Contact us and let's build a safer, more resilient digital environment together - with expertise, experience and reliable solutions!
