Quick Answer
Ransomware is malicious software that encrypts your files and demands payment (usually cryptocurrency) to restore access. It spreads via phishing emails, infected downloads, exploited software vulnerabilities, and Remote Desktop (RDP) services left exposed to the internet with weak or stolen passwords. Common variants include LockBit, Cl0p, and ALPHV. Do not pay the ransom: restore from a tested backup, check NoMoreRansom.org for a free decryptor, or contact IT Cares.
You turn on your computer and your desktop wallpaper has been replaced by a chilling message: "Your files have been encrypted. Pay 3 Bitcoin within 72 hours or your data is gone forever." Every document, photo, and spreadsheet now has a strange extension and refuses to open. That is a ransomware attack — and it is one of the most destructive cyber threats facing individuals and businesses in 2026.
This guide gives you a complete understanding of what ransomware is, exactly how it works under the hood, the real groups operating right now, and — most importantly — what to do in the first five minutes if it happens to you.
1. What Is Ransomware? (Definition & How Encryption Works)
Ransomware is a type of malicious software (malware) that encrypts the victim's files — making them completely inaccessible — and then demands payment in exchange for the decryption key. The term combines "ransom" and "software": the attacker holds your data hostage until you pay.
Unlike a regular virus that deletes files or a spyware program that runs silently in the background, ransomware is designed to be impossible to ignore. The goal is extortion, with payment typically demanded in Bitcoin or Monero: Bitcoin payments are pseudonymous and hard to tie to a person, and Monero hides the parties and amounts as well.
How the Encryption Actually Works
Modern ransomware uses sophisticated, legitimate encryption technology — the same algorithms used by banks and governments — to lock your files. Here is the typical sequence:
- The ransomware executes on your machine. Many families contact the attacker's command-and-control (C2) server to report the infection and fetch a victim-specific public key; others carry the public key inside the payload and work fully offline, so cutting the internet connection does not by itself stop encryption.
- The key pair belongs to the attacker. The attacker generates an RSA key pair before the payload is built. Only the public key (used to encrypt) is ever placed on your machine; the private key (needed to decrypt) stays with the attacker. Some families add a layer: a per-victim key pair is generated on the host and its private half is immediately encrypted with the attacker's master public key.
- File scanning begins. The malware recursively scans local drives, mapped network shares and attached USB drives, targeting documents, images, databases and other high-value file types while skipping the files Windows needs to boot, so that you can still read the ransom note.
- Encryption is applied file by file. Each file is encrypted with a symmetric cipher (AES-256, or a stream cipher such as ChaCha20 or Salsa20 in the faster families) under a freshly generated per-file key, and that key is encrypted with the attacker's RSA-2048 or RSA-4096 public key and stored alongside the ciphertext. To finish before anyone notices, many modern families encrypt only the first part of each file or alternating chunks (intermittent encryption); the file is still unusable. Brute-forcing either layer is computationally infeasible.
- Shadow copies are deleted. Most modern ransomware deletes Windows Volume Shadow Copies with a command such as vssadmin delete shadows /all /quiet, removing the most convenient local recovery option.
- The ransom note appears. After encryption, a note (README.txt, HOW_TO_DECRYPT.txt, or a full-screen overlay) is dropped into every folder and displayed with payment instructions.
Because the private key exists only with the attacker, decryption without it is infeasible with current computing technology, with one exception: implementation mistakes. A reused or predictable key, a key left on disk or in memory, or a misused cipher mode is exactly what the free decryptors on NoMoreRansom.org exploit. You cannot count on the attackers making that mistake, which is why tested backups are the only reliable defense.
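The Go program below is an added illustration written for this article; it is not code from any ransomware family. Using only the standard library, it implements the two-layer scheme just described: an RSA key pair that exists only on the attacker's side, a fresh AES-256-GCM key for every file, and that file key wrapped with RSA-OAEP and stored next to the ciphertext. The sample document, the field layout of EncryptedFile and the 2048-bit key size are assumptions for the example. It also demonstrates the property the whole extortion model rests on: a different private key cannot unwrap the file key, and after encryption the victim's machine holds nothing that decrypts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what replaces the original on disk (layout assumed).
type EncryptedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted
	Nonce      []byte // 12-byte AES-GCM nonce
	Ciphertext []byte // AES-256-GCM output, auth tag included
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile is the per-file routine that runs on the victim host. It needs
// only the public key: a fresh 256-bit key comes from the OS CSPRNG, is used
// once under GCM, then is wrapped with RSA-OAEP and wiped.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newAEAD(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // after this the host holds nothing that decrypts
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptFile is the "decryptor" a paying victim is sold: trivial with the
// private key, impossible without it.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	gcm, err := newAEAD(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// roundTrip plays both sides: the attacker generates the key pair offline
// (2048 bits here for speed), the victim side encrypts a constructed document
// with the public key alone, an unrelated key pair fails to recover it, and
// the attacker's private key succeeds. True means the scheme behaves as described.
func roundTrip() (bool, error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	doc := []byte("Q3 invoices: constructed sample document, not real data")
	ef, err := encryptFile(&attacker.PublicKey, doc)
	if err != nil {
		return false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // not the attacker's key
	if err != nil {
		return false, err
	}
	if _, err := decryptFile(stranger, ef); err == nil {
		return false, errors.New("a different private key must not decrypt")
	}
	got, err := decryptFile(attacker, ef)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, doc), nil
}

func main() {
	fmt.Println(roundTrip())
}
```

The per-file symmetric key is what makes the scheme fast (RSA is only used on 32 bytes per file), and the wrap is what makes it unrecoverable: every file's key is a different random value, so there is no single AES key to find in memory after the fact, and the only thing common to all files is the attacker's public key, which is useless for decryption.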
2. How Ransomware Spreads
Ransomware does not materialize out of thin air — it requires a delivery mechanism to reach your computer. Understanding these vectors is the first step to blocking them.
Phishing Emails (Most Common)
The majority of ransomware infections begin with a phishing email. The attacker crafts a convincing message (a fake invoice, a shipping notification, a job offer, an urgent HR document) with a malicious attachment or a link to a malware-laden website. Opening the attachment runs a loader that installs the ransomware silently. Since Microsoft began blocking macros in documents downloaded from the internet by default in 2022, the lures have shifted from macro-enabled Word files toward ZIP, ISO and shortcut (.lnk) files, HTML attachments, and links to fake login pages that harvest the credentials the attacker then uses to walk in.
Remote Desktop Protocol (RDP) Vulnerabilities
RDP (Windows Remote Desktop) allows computers to be controlled remotely. When a machine is left reachable from the internet with weak or reused passwords and no MFA, attackers brute-force or simply buy the credentials, log in exactly as a legitimate user would, and deploy the ransomware by hand. Exposed RDP has been one of the leading initial access vectors for businesses for years: the Dharma/CrySIS operators built their whole model on it, and many LockBit affiliates use it alongside phishing and VPN exploits.
Malicious Downloads and Software Cracks
Downloading pirated software, game cheats, or fake "free" versions of paid software is a common infection route for home users. The downloaded file contains the ransomware payload bundled with the promised software — or instead of it entirely.
Unpatched Software Vulnerabilities
Attackers exploit known vulnerabilities in unpatched operating systems and software, and occasionally ones nobody has a patch for yet. The Cl0p group famously exploited a zero-day in Progress MOVEit Transfer in mid-2023 to compromise hundreds of organizations with no user interaction at all; running an exposed, vulnerable server was enough. In that campaign Cl0p did not bother to encrypt anything: it stole the data and extorted its victims over the theft alone.
Infected USB Drives
Physical USB drives, whether found in a parking lot, borrowed from a colleague, or bought from an unverified source, can carry ransomware. On a modern Windows system nothing runs automatically on insertion (AutoRun is disabled by default), so the infection usually depends on the user opening a disguised file on the stick, or on a device that pretends to be a keyboard and types the commands itself. This is less common than the other vectors but remains a real threat in environments where users plug in unknown devices.
Supply Chain Attacks
Attackers compromise a trusted software vendor, or the tool a managed service provider uses to administer its customers, and use the legitimate update or deployment channel to push ransomware. Organizations install what looks like a routine update and get encrypted instead. The Kaseya VSA attack of July 2021 worked this way: REvil affiliates exploited a vulnerability in the VSA remote-management product and used its own deployment feature to push ransomware to the customers of dozens of service providers, affecting an estimated 1,500 businesses at once.
3. Types of Ransomware
Not all ransomware works the same way. Understanding the four main categories helps you recognize what you are dealing with and what recovery options exist.
Crypto Ransomware
Encrypts your files using strong cryptography. Files are still present but inaccessible. The most common and most damaging type. Examples: LockBit, STOP/Djvu, Ryuk.
Locker Ransomware
Locks you out of your entire operating system — you cannot log in or use any applications. Your files are not encrypted, just inaccessible. Easier to remove than crypto ransomware.
Scareware
Displays alarming fake alerts (fake antivirus warnings, "FBI notices") demanding payment to "fix" problems that do not exist. No actual encryption occurs. Often the least harmful type.
Doxware / Leakware
Threatens to publicly release your sensitive files (personal photos, confidential business data) unless you pay. Often combined with crypto ransomware in a double-extortion strategy.
Double Extortion: The New Normal
Since late 2019, when the Maze group pioneered it, most professional ransomware groups have adopted double extortion: they steal a copy of your data and then encrypt the original, and threaten to publish the copy on their dark-web "leak site" if you do not pay. Backups let you get your files back, but they do nothing about the reputational and regulatory damage of a data breach, which is the point.
4. Real Ransomware Examples in 2026
Ransomware is not just a theoretical threat. These are the groups that have done the most damage to organizations worldwide in the last few years.
LockBit 3.0
LockBit has been one of the most prolific ransomware groups in history, responsible for thousands of attacks globally. Despite law enforcement disruption in 2024 (Operation Cronos), LockBit 3.0 rebuilt operations and continues targeting healthcare, manufacturing, and government organizations. It operates as a Ransomware-as-a-Service (RaaS) platform, meaning criminal affiliates can rent the ransomware and keep 70–80% of ransoms collected.
Cl0p
Cl0p distinguishes itself by targeting software vulnerabilities at scale rather than phishing individual victims. The group's MOVEit Transfer exploitation in 2023 affected over 2,600 organizations including Shell, BBC, British Airways, and the U.S. Department of Energy — all without a single phishing email. In 2025–2026, Cl0p continued exploiting enterprise file-transfer vulnerabilities with industrialized speed.
ALPHV / BlackCat
ALPHV (also known as BlackCat) was the first major ransomware written in the Rust programming language, which gave it fast encryption, easy Windows, Linux and VMware ESXi builds and, at first, little antivirus coverage. The group was behind one of the most impactful healthcare attacks in U.S. history, the Change Healthcare attack of February 2024, which disrupted prescription processing for thousands of pharmacies across America for weeks. The FBI had already seized the group's leak site in December 2023; ALPHV resurfaced briefly, collected a reported $22 million from Change Healthcare, then shut down in an apparent exit scam that left its own affiliate unpaid, with operators and affiliates moving on under new brands.
RansomHub
Emerging in February 2024, RansomHub quickly became one of the most active ransomware groups by recruiting the affiliates displaced from LockBit and ALPHV by that year's law enforcement actions. It targeted critical infrastructure, healthcare, and financial services and claimed well over 500 victims before its infrastructure went offline in April 2025, after which its affiliates dispersed to other programs. The unusually high 90% affiliate revenue share it offered is what made it so attractive to cybercriminals.
5. What Happens During a Ransomware Attack (Step by Step)
A ransomware attack rarely happens instantaneously. Professional groups spend days or weeks inside your network before triggering the encryption. Here is the full lifecycle:
Initial Access (Day 1)
The attacker gains a foothold via phishing email, RDP brute-force, or software vulnerability. A small backdoor or remote access tool (RAT) is installed on one computer — often going completely unnoticed.
Reconnaissance & Lateral Movement (Days 1–14)
The attacker maps your network, identifies other computers, domain controllers, backup servers, and file shares. They escalate privileges to administrator level and move laterally across the network — compromising more machines silently.
Data Exfiltration (Days 7–21)
In double-extortion attacks, the attacker identifies your most sensitive files and exfiltrates them to external servers before encrypting anything. This ensures they have leverage even if you restore from backup.
Pre-Encryption Preparation
Attackers disable security software (antivirus, EDR tools), delete backup shadow copies, and establish persistence mechanisms. They also prepare the ransomware payload and ensure it is deployed to as many machines as possible simultaneously.
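Defense impairment is one of the few loud steps in an otherwise quiet intrusion, so it is the stage worth alerting on. The Go program below is an added example (not part of the original article, and not a vendor's rule set) that runs a handful of precursor rules over constructed process-creation events: the vssadmin command quoted in section 1, its WMI and shadow-storage variants, the bcdedit commands that disable Windows recovery, deletion of the Windows Backup catalog, and the Defender tamper cmdlet. The key=value log layout is an assumed stand-in for Sysmon Event ID 1 or Security Event 4688 records; map the field names to whatever your SIEM emits. Benign administrative use such as listing shadow copies deliberately does not match.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alert is one matched precursor event.
type Alert struct {
	Host    string
	User    string
	Command string
	Reason  string
}

// precursorRules pairs a case-insensitive pattern with a label. Whitespace in
// the command line is normalised before matching so "delete  shadows" still hits.
var precursorRules = []struct {
	re     *regexp.Regexp
	reason string
}{
	{regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`), "shadow copies deleted via vssadmin"},
	{regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize=`), "shadow storage shrunk to purge copies"},
	{regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`), "shadow copies deleted via WMI"},
	{regexp.MustCompile(`(?i)bcdedit(\.exe)?.*recoveryenabled\s+no`), "Windows recovery environment disabled"},
	{regexp.MustCompile(`(?i)bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures`), "boot failure recovery suppressed"},
	{regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+catalog`), "Windows Backup catalog deleted"},
	{regexp.MustCompile(`(?i)set-mppreference.*-disablerealtimemonitoring\s+\$?true`), "Defender real-time protection disabled"},
}

// parseEvent splits one "key=value;key=value" line into fields. The layout is
// a constructed stand-in for Sysmon Event ID 1 / Security 4688 records.
func parseEvent(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Split(line, ";") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return fields
}

// detectPrecursors scans process-creation events and returns one alert per
// matching rule, in input order.
func detectPrecursors(lines []string) []Alert {
	var alerts []Alert
	ws := regexp.MustCompile(`\s+`)
	for _, line := range lines {
		ev := parseEvent(line)
		cmd := ws.ReplaceAllString(ev["CommandLine"], " ")
		if cmd == "" {
			continue
		}
		for _, rule := range precursorRules {
			if rule.re.MatchString(cmd) {
				alerts = append(alerts, Alert{ev["Computer"], ev["User"], cmd, rule.reason})
			}
		}
	}
	return alerts
}

// sampleEvents are constructed for this example, not real telemetry.
var sampleEvents = []string{
	"EventID=1;Computer=FS01;User=CORP\\backupsvc;CommandLine=vssadmin list shadows",
	"EventID=1;Computer=FS01;User=CORP\\jsmith;CommandLine=vssadmin.exe  delete shadows /all /quiet",
	"EventID=1;Computer=FS01;User=CORP\\jsmith;CommandLine=wmic shadowcopy delete",
	"EventID=1;Computer=FS01;User=CORP\\jsmith;CommandLine=bcdedit /set {default} recoveryenabled No",
	"EventID=1;Computer=WS17;User=CORP\\jsmith;CommandLine=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
	"EventID=1;Computer=WS17;User=CORP\\alee;CommandLine=notepad.exe C:\\Users\\alee\\notes.txt",
}

func main() {
	for _, a := range detectPrecursors(sampleEvents) {
		fmt.Printf("%s %s: %s  [%s]\n", a.Host, a.User, a.Reason, a.Command)
	}
}
```

On the sample data the program raises four alerts, all from the same account across two hosts in quick succession, which is the shape an analyst should treat as an imminent encryption run rather than four separate tickets. The rules match on the command line rather than the image name because the same operations can be launched through cmd.exe, PowerShell or a scheduled task, and the vssadmin list pattern is left unmatched on purpose so the rule survives on machines where administrators use the tool legitimately.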
Encryption Trigger (D-Day)
Often executed in the middle of the night on a weekend to maximize disruption, the encryption payload is triggered across all compromised machines simultaneously. Files are encrypted within minutes to hours. Every machine displays the ransom note.
Ransom Demand & Negotiation
The ransom note directs victims to a Tor-based negotiation portal. Professional groups run it like a help desk: they answer quickly, decrypt a few sample files as proof, and typically set a deadline of a few days after which the price rises or the stolen data goes onto the leak site.
6. Should You Pay the Ransom?
No. The overwhelming consensus from law enforcement, cybersecurity experts, and the FBI is: do not pay the ransom. Here is why:
- No guarantee of recovery. Industry surveys consistently find that a sizeable share of victims who pay (figures around one in five are common) never receive a working decryptor, and many more get a tool that is slow, crashes on large files or only partially restores their data.
- You become a repeat target. Paying signals to attackers that you will pay again. Many organizations that pay get re-attacked within 12 months — sometimes by the same group.
- It funds more attacks. Ransom payments directly fund the development of more sophisticated ransomware and the recruitment of more affiliates to conduct more attacks.
- It may be illegal. Several ransomware groups and the people behind them are on government sanctions lists. The U.S. Treasury's OFAC has warned that paying a sanctioned entity can bring civil penalties even when the victim did not know who was behind the attack, and other jurisdictions take a similar line.
- It does not fix the breach. Even after paying, the attacker still has your exfiltrated data. The double-extortion threat remains.
150+ Free Decryptors Available
NoMoreRansom.org, launched in 2016 by Europol, the Dutch National Police and security vendors and since joined by dozens of law-enforcement agencies and companies, provides free decryption tools for over 150 ransomware variants. Always check this resource before considering payment. Upload an encrypted file and the ransom note to identify your strain and see whether a free tool exists.
7. How to Protect Yourself Against Ransomware
The good news: ransomware is largely preventable with the right combination of habits, settings, and tools. These are the highest-impact measures you can take today.
The 3-2-1 Backup Rule (Most Important)
Keep 3 copies of your data, on 2 different media types, with 1 copy offsite, and make sure at least one copy is offline or immutable: ransomware encrypts every drive it can reach, including mapped backup shares and the locally synced folders of OneDrive, Google Drive or iCloud. A cloud sync folder only counts as a backup when versioning is enabled and keeps history for longer than an attacker might sit in your network (weeks, not days), so that you can roll every file back to a pre-encryption version. Test your restores regularly; a backup you have never restored from is not a backup you can trust.
Keep Windows and All Software Updated
The majority of successful ransomware attacks exploit known vulnerabilities that already have patches available — the victim simply had not applied them. Enable automatic updates for Windows, your browser, and all third-party software. Pay particular attention to VPN clients, remote access software, and file-transfer applications — these are high-value targets for ransomware groups like Cl0p.
Use Multi-Factor Authentication (MFA) Everywhere
MFA makes it dramatically harder for attackers to use stolen credentials to access your systems. Enable MFA on your Microsoft 365 or Google Workspace account, your VPN, and any remote access tools. If RDP must be exposed to the internet, require MFA for all connections — this alone blocks the vast majority of RDP-based ransomware attacks.
Enable Controlled Folder Access (Windows)
Windows Defender includes a feature called Controlled Folder Access that prevents unauthorized applications from modifying files in protected folders (Documents, Desktop, Pictures, etc.). Enable it via: Windows Security → Virus & Threat Protection → Ransomware Protection → Controlled Folder Access. This is one of the most underused and most effective built-in ransomware defenses on Windows.
Train Yourself and Your Team on Phishing
Since phishing is the leading ransomware delivery mechanism, the ability to recognize phishing emails is the single most valuable skill in ransomware defense. Look for: unexpected urgency, sender addresses that do not match the displayed name, requests to enable macros in documents, and links that point to unusual domains. When in doubt, call the supposed sender directly to verify before opening any attachment.
Disable or Restrict RDP
If you or your business do not use Remote Desktop Protocol, disable it entirely (Control Panel → System → Remote Settings → Don't allow remote connections). If you do need RDP, put it behind a VPN, restrict access to specific IP addresses, and use network-level authentication (NLA). Never expose RDP (port 3389) directly to the internet.
Install Reputable Security Software
Windows Defender (built into Windows 10/11) is genuinely capable ransomware protection when kept updated and configured correctly. For additional protection, Malwarebytes Premium and Bitdefender both offer dedicated real-time ransomware protection layers. Avoid free "antivirus" tools from unknown publishers — many of these are themselves malware.
Not Sure If Your System Is Protected?
IT Cares technicians review your backup strategy, Windows Defender settings, and RDP configuration remotely — and fix any gaps. Starting from $59. No fix = no charge.
8. What to Do If Infected RIGHT NOW (5 Immediate Steps)
If You See a Ransom Note on Your Screen
Do NOT pay. Do NOT restart your computer. Disconnect from the internet immediately. Every second matters — ransomware may still be encrypting files right now. Follow the steps below.
Disconnect from the Network Immediately
Unplug the Ethernet cable and switch off Wi-Fi with the laptop's physical switch or airplane mode, or pull the power on the router if that is faster. On a business network, isolate the affected machines at the switch or by pulling their cables, and stop users from opening mapped drives until someone has confirmed the scope. Ransomware spreads over network shares and remote-management tools; isolation stops the bleeding.
Do Not Restart — Leave the Machine Running
Restarting can trigger additional ransomware components, destroy forensic evidence and, for some strains, erase the only chance of free recovery: encryption keys sometimes survive in RAM until the machine is powered off, and incident responders have recovered files from memory dumps for exactly that reason. In rare locker cases a reboot also leaves you unable to log in at all. Leave the machine on but disconnected from the network while you take the next steps.
Photograph the Ransom Note and Note the File Extensions
Use your phone to photograph the ransom note screen. Then check your Documents folder and note the new file extension on your encrypted files (e.g., .lockbit, .djvu, .crypt). This information identifies the ransomware strain and tells you whether a free decryptor exists.
Check NoMoreRansom.org for a Free Decryptor
From a different device (your phone, another computer), go to nomoreransom.org and use the "Crypto Sheriff" tool. Upload one of your encrypted files and the ransom note. The tool will identify your strain and tell you if a free decryption tool is available. Free decryptors exist for a number of common strains, with caveats: every GandCrab version, the older Dharma variants whose keys were released, and STOP/Djvu only when the malware fell back to its built-in offline key rather than fetching one from its server.
Call a Professional — Do Not Attempt DIY Removal Blindly
Incorrect removal attempts can destroy forensic evidence, trigger self-destruct mechanisms in some ransomware variants, or make file recovery harder. A professional technician can safely identify the strain, remove the malware, assess recovery options (backups, shadow copies, decryptors), and help you restore your system properly. IT Cares responds within 1 hour for ransomware emergencies.
150+ Free Decryptors at NoMoreRansom.org
Before paying anything, check NoMoreRansom.org. Over 150 ransomware variants have free official decryption tools available — built by cybersecurity companies and law enforcement. Millions of victims have recovered files for free using this resource.
Infected by Ransomware? We Respond Within 1 Hour.
IT Cares provides emergency ransomware response across Canada — remotely, securely, and on a no-fix-no-charge basis. We identify the strain, check for free decryptors, remove the malware, and help you recover your files.
For more detail on recovering a compromised system, see our guides on ransomware removal service in Canada, what is malware, and how to remove a virus for free.
Frequently Asked Questions About Ransomware
Is ransomware a virus?
Ransomware is a type of malware, but technically it is not a virus. A virus replicates itself by attaching to other programs and spreading between files. Ransomware is typically a standalone malicious program, usually a trojan, that is delivered through phishing or exploits and executes its encryption payload directly. Both fall under the broader category of malware, but they work differently and require different removal approaches.
Can ransomware be removed?
Yes. The ransomware program itself can almost always be removed from your computer using professional anti-malware tools or by a skilled technician. The more complex question is whether your encrypted files can be recovered, which depends on whether you have current backups, whether Windows Shadow Volume Copies still exist, or whether a free decryption tool is available for your specific ransomware strain at NoMoreRansom.org. Removing the ransomware stops further damage but does not automatically decrypt already-encrypted files.
Should I pay the ransom?
No. The FBI, CISA, and cybersecurity experts universally advise against paying the ransom. Paying does not guarantee file recovery: roughly 20% of victims who pay receive no working decryption key. It funds criminal operations, makes you a target for future attacks, and may violate sanctions laws if the group is on a government sanctions list. Always check NoMoreRansom.org for free decryptors first, restore from backup if you have one, or contact a professional like IT Cares for assistance.
How do I know if I have ransomware?
The most obvious sign is seeing a ransom note on your screen, either as a text file that opened automatically, a desktop wallpaper replacement, or a full-screen overlay. Your files will have been renamed with an unfamiliar extension (such as .locked, .crypt, .djvu, or a random string of characters) and will no longer open. You may also notice your computer becoming extremely slow as encryption processes run in the background. If you suspect ransomware, disconnect from the network immediately before taking any other action.
Can Macs get ransomware?
Yes. While macOS ransomware is significantly less common than Windows ransomware, largely because Windows is a much larger target, it does exist and has caused real damage. Notable examples include KeRanger (2016), the first fully functional macOS ransomware, distributed through a compromised build of the Transmission BitTorrent client, and ThiefQuest (2020), which also functioned as spyware. Mac users should maintain regular Time Machine backups to an external drive that is not left permanently connected, keep macOS fully updated, and avoid downloading software from outside the Mac App Store or from unverified developers.
Comments
Our accounting firm got hit with LockBit last year. The hardest part was not knowing what to do in the first hour. I wish I had read this guide beforehand. We called IT Cares and they were connected within 45 minutes. They identified the strain, found a partial shadow copy, and recovered about 80% of our files. The other 20% came from our OneDrive backup. The article is spot on — do NOT restart the machine.
I opened what I thought was a shipping notification and suddenly everything was renamed .djvu. I panicked and nearly paid the $500 ransom. Googled first, found this article, checked NoMoreRansom.org, and there was a free decryptor for my exact strain. IT Cares walked me through the whole process over the phone. Saved me $500 and got all my files back. Incredible resource.