Ransomware is malicious software that locks or encrypts your files and demands payment to restore access. It usually arrives through a phishing email, a malicious download or an unpatched security hole. Once it runs, it quietly encrypts your data, then displays a ransom note demanding cryptocurrency. The good news: nearly every attack relies on a few predictable steps, and breaking any one of them stops it.
Few things are as alarming as opening your computer to find every file renamed and a note demanding money. Ransomware has grown from a niche nuisance into one of the most damaging forms of cybercrime, hitting hospitals, schools, businesses and home users alike. Understanding how it actually works is the first step to making sure it never reaches you.
Stage 1: How ransomware gets in
Almost every attack starts with one of three doors. The most common is a phishing email: a convincing message that tricks you into opening an attachment or clicking a link. The second is a malicious download, often pirated software, a fake update or an infected file. The third is an unpatched vulnerability, a known security hole in software you never updated, which lets the attacker walk in without any action from you.
This is why the most effective defences are also the most boring: be cautious with email, only download from trusted sources, and keep everything updated.
Stage 2: Execution and spread
Once the malicious code runs, it works quietly. Well-made ransomware does not announce itself immediately. Instead it establishes a foothold, often disables backups and security tools, and spreads to every drive and network share it can reach. On a home PC that might mean your external backup drive. On a business network it can mean hundreds of machines. The delay is deliberate: the more it can reach before you notice, the more leverage the attacker gains.
Stage 3: Encryption locks your files
This is the moment the damage is done. The ransomware encrypts your files using strong cryptography, scrambling them into unreadable data. The key needed to unlock them exists only on the attacker's server. You will often see your file names change or gain a strange new extension, and folders fill with identical ransom-note text files.
Modern encryption is genuinely unbreakable without the key. This is why “just decrypt it” is rarely an option, and why prevention and backups matter so much more than any cure.
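As an added illustration (not part of the original explainer), the following Python script checks a folder for the two on-disk signs described above: many files sharing one unfamiliar new extension, and an identical note file dropped into every folder. It builds a constructed sample folder in a temporary directory; the list of expected extensions and the thresholds are assumptions.

```python
"""Heuristic scan for the on-disk signs of ransomware described in Stage 3.
Added illustration using constructed sample data, not real infected files."""
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# Extensions expected in this folder; anything else counts as unfamiliar (assumption).
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip"}


def scan_tree(root, min_ext_hits=5, min_note_copies=3):
    # Count unfamiliar extensions and find text files duplicated byte-for-byte across folders.
    ext_counts = Counter()
    note_dirs = defaultdict(set)  # sha256 of a .txt/.html file -> folders holding it
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in KNOWN_EXTS:
                ext_counts[ext] += 1
            if ext in (".txt", ".html"):
                with open(os.path.join(dirpath, name), "rb") as f:
                    note_dirs[hashlib.sha256(f.read()).hexdigest()].add(dirpath)
    return {
        "suspicious_extensions": {e: n for e, n in ext_counts.items() if n >= min_ext_hits},
        "repeated_notes": sum(1 for d in note_dirs.values() if len(d) >= min_note_copies),
    }


def build_sample(root, infected):
    # Constructed folder: three subfolders of documents; if "infected", every
    # document gains a .locked suffix and the same note is dropped in each folder.
    for sub in ("Documents", "Pictures", "Work"):
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for i in range(2):
            name = f"file{i}.docx" + (".locked" if infected else "")
            with open(os.path.join(folder, name), "wb") as f:
                f.write(os.urandom(64) if infected else b"normal document content")
        if infected:
            with open(os.path.join(folder, "HOW_TO_RESTORE.txt"), "w") as f:
                f.write("CONSTRUCTED SAMPLE NOTE: your files were encrypted\n")


def demo():
    # Scan a clean tree and an infected tree; return both results for comparison.
    results = {}
    for label in ("clean", "infected"):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp, infected=(label == "infected"))
            results[label] = scan_tree(tmp)
    return results
```

The clean tree produces no findings, while the infected one reports six files with the unfamiliar `.locked` extension and one note repeated in all three folders.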
Stage 4: The ransom demand
With your files locked, the attacker reveals themselves. A ransom note appears on screen, as a text file, or as your new desktop wallpaper, demanding payment in cryptocurrency, usually with a countdown timer to pressure you. Many modern attacks add a second threat: pay up or we leak your stolen data publicly. This is called double extortion.
Security agencies broadly advise against paying. There is no guarantee you will get a working key, payment funds further crime, and it marks you as a willing target for the future. The only reliable way out is to not need the key at all.
How to protect yourself from ransomware
The reassuring part is that ransomware relies on a chain of steps, and breaking any link stops the whole attack. A handful of habits cover almost every case:
- Keep offline or versioned backups. This is the single most important defence. If your data exists somewhere the ransomware cannot reach, an attack becomes an inconvenience, not a catastrophe. Follow the 3-2-1 rule: three copies, two types of media, one kept offline or off-site.
- Update everything. Operating system, browser, apps. Patches close the holes that attackers use to get in without a click.
- Be sceptical of email. Do not open unexpected attachments or click links in messages you were not expecting, even if they look legitimate. When in doubt, verify through another channel.
- Use reputable security software and keep it on. Modern tools catch many ransomware families before they execute.
- Limit access. Do not run day-to-day as an administrator, and restrict who can reach shared drives. The less a single compromised account can touch, the less an attack can spread.
If you are ever hit, disconnect the device from the network immediately to stop the spread, and do not pay before exploring recovery options. Our ransomware response playbook walks through exactly what to do, and free tools like the No More Ransom project sometimes have a working decryptor for older strains.
Key points to remember
- Ransomware encrypts your files and demands payment for the key to unlock them.
- It almost always enters through phishing, malicious downloads or unpatched software.
- The encryption itself is unbreakable without the key, so prevention beats cure.
- Offline backups are the strongest defence: they make an attack survivable.
- Paying is risky and discouraged: there is no guarantee you get your files back.
Frequently asked questions
What exactly does ransomware do to my files?
It encrypts them, scrambling the data into an unreadable form using a key held only by the attacker. The files are still on your disk, but without the key they cannot be opened. Many strains also rename files or add a new extension so you can see at a glance what has been hit.
How does ransomware usually get onto a computer?
Most infections start with a phishing email, a malicious or pirated download, or an unpatched software vulnerability. The first two rely on tricking a person into acting, while the third lets attackers in automatically through a known security hole that was never updated.
Should I pay the ransom to get my files back?
Security agencies generally advise against it. There is no guarantee the attacker will send a working key, the payment funds further crime, and paying marks you as a target for future attacks. Restoring from a clean backup is the only reliable recovery, which is why backups matter so much.
Can antivirus software stop ransomware?
Good security software catches many ransomware families before they run, but no tool is perfect against brand-new variants. Treat antivirus as one layer among several. Updates, careful email habits and offline backups together provide far stronger protection than any single tool.
Will backups really protect me from ransomware?
Yes, as long as the backup is kept somewhere the ransomware cannot reach. An always-connected external drive can be encrypted along with everything else. An offline or versioned, off-site backup means you can wipe the infected machine and restore your data without paying anyone.
What should I do the moment I notice an infection?
Disconnect the device from the internet and any network immediately to stop the ransomware spreading to other machines and drives. Do not pay right away. Then seek recovery options, including checking whether a free decryptor exists for that strain through projects like No More Ransom.
Sources & references
This explainer draws on official cybersecurity guidance and public incident reporting.
- CISA: StopRansomware, official US government ransomware guidance. cisa.gov
- No More Ransom: free decryption tools and prevention advice. nomoreransom.org
- UK NCSC: Mitigating malware and ransomware attacks. ncsc.gov.uk
- FBI: ransomware guidance and the case against paying. fbi.gov
- Internal analysis: common attack patterns across reported ransomware incidents, TechNewsKB, 2026.
Method 2 saved me. I had no idea Shadow Copy kept snapshots with File History turned off. Found a clip from two weeks back.
The stage diagram finally made this click for me. I always wondered how it actually spreads. Setting up offline backups this weekend.
Our small business got hit two years ago. The only thing that saved us was an offline backup. Cannot stress this enough.