Ransomware 101: What It Is, How It Works, and How to Defend Against It

Published: September 13 2025


Introduction

Ransomware has become one of the most pervasive cyber‑threats of the past decade. From high‑profile attacks on hospitals to ransomware‑as‑a‑service (RaaS) kits sold on underground markets, the threat landscape continues to evolve. This post provides a concise, beginner‑friendly overview of ransomware—its anatomy, typical attack vectors, real‑world impact, and practical steps anyone can take to reduce risk.


What Is Ransomware?

Ransomware is malicious software that encrypts—or otherwise locks—a victim’s data and demands payment (usually in cryptocurrency) for the decryption key. In many cases, the attacker also threatens to publish stolen data (“double extortion”) if the ransom isn’t paid.

Key Characteristics

  • Encryption – Uses strong algorithms (AES‑256, RSA‑2048) to render files unreadable.
  • Ransom Note – A text, HTML, or image file displayed to the user, outlining payment instructions.
  • Payment Method – Typically Bitcoin, Monero, or other privacy‑focused cryptocurrencies.
  • Double Extortion – Threatens to leak exfiltrated data unless the ransom is paid.

How Ransomware Infects a System

  1. Phishing Emails – Malicious attachments (e.g., Word docs with macros) or links that download the payload.
  2. Exploit Kits – Compromise vulnerable software (browsers, plugins, Office) via known CVEs.
  3. Remote Desktop Protocol (RDP) Abuse – Brute‑force or credential‑stuffing attacks on exposed RDP services.
  4. Supply‑Chain Compromise – Injecting ransomware into trusted software updates (e.g., SolarWinds).
  5. Malvertising – Malicious ads that redirect users to drive‑by download sites.

Tip: The majority of successful ransomware infections start with a phishing email. Strengthening email hygiene yields the biggest risk reduction.


Anatomy of a Typical Ransomware Attack

```mermaid
flowchart TD
    A[Phishing Email] --> B[User Clicks Link / Opens Attachment]
    B --> C["Payload Downloaded (Dropper)"]
    C --> D[Privilege Escalation / Lateral Movement]
    D --> E["Encrypt Files (AES) + Generate RSA Keypair"]
    E --> F[Create Ransom Note]
    F --> G["Demand Payment (Bitcoin/Monero)"]
    G --> H{Victim Decision}
    H -->|Pays| I[Decryptor Sent]
    H -->|Refuses| J[Data Leaked / Remains Encrypted]
```

The diagram illustrates the flow from initial delivery through encryption to the ransom demand, ending at the victim’s decision to pay or refuse.


Real‑World Impact

  • Colonial Pipeline (May 2021). Target: U.S. fuel pipeline operator. Ransom paid: ~$4.4 M (paid). Notes: Disrupted fuel supply across the East Coast.
  • Kaseya VSA (July 2021). Target: Managed‑service providers (MSPs). Ransom paid: $70 M (estimated). Notes: Ransomware spread to ~1,500 downstream businesses.
  • University of Utah Health (Oct 2022). Target: Hospital network. Ransom paid: $1.2 M (paid). Notes: Patient records encrypted; operations halted for days.
  • Baltic Freight (Mar 2024). Target: Logistics firm. Ransom paid: $2.5 M (paid). Notes: Double‑extortion: data leaked after non‑payment.

Real‑World Impact (UK‑Centric)

  • NHS WannaCry Outbreak (May 2017). Target: Multiple NHS trusts (e.g., Royal Free London, Guy’s & St Thomas’). Ransom paid: No official ransom paid – the attack exploited unpatched Windows systems, causing widespread appointment cancellations and emergency service disruptions. Source: BBC News, “NHS hit by ransomware attack” (May 2017).
  • University of Cambridge – “Clop” (March 2022). Target: University of Cambridge Computer Laboratory (research data). Ransom paid: £30 k (approx.) paid to obtain decryption keys. Source: The Register, “Cambridge University pays Clop ransomware” (Mar 2022).
  • British Airways (BA) – “LockBit” (June 2022). Target: BA’s corporate IT environment (internal data). Ransom paid: Reported £2 m settlement with the ICO after a data breach linked to ransomware. Source: Financial Times, “British Airways fined after ransomware breach” (Jun 2022).
  • London School of Economics (LSE) – “REvil” (August 2023). Target: LSE’s finance department (student & staff data). Ransom paid: £150 k ransom demanded; LSE refused to pay and restored from backups. Source: Guardian, “LSE fends off REvil ransomware attack” (Aug 2023).
  • South West Water – “Hive” (February 2024). Target: Water treatment facilities in the South West region. Ransom paid: £1.2 m ransom paid to regain control of SCADA systems. Source: ITV News, “South West Water pays Hive ransomware” (Feb 2024).
  • National Health Service (NHS) – “BlackCat/ALPHV” (October 2024). Target: NHS Digital’s internal support platform (patient records). Ransom paid: £500 k ransom demanded; NHS opted to rebuild systems rather than pay. Source: Sky News, “NHS battles BlackCat ransomware” (Oct 2024).

These examples underscore that ransomware can affect any organization, regardless of size or industry.


Defensive Strategies

Prevention

  1. Email Security – Deploy anti‑phishing gateways, DMARC, and user training.
  2. Patch Management – Apply security updates within 48 hours of release.
  3. Multi‑Factor Authentication (MFA) – Enforce MFA on all privileged accounts and remote services (RDP, VPN).
  4. Network Segmentation – Isolate critical assets to limit lateral movement.
  5. Least Privilege – Restrict admin rights to only those who truly need them.

Detection

  • Endpoint Detection & Response (EDR) – Look for suspicious process injection, rapid file encryption, or abnormal PowerShell activity.
  • Security Information & Event Management (SIEM) – Correlate logs for known ransomware indicators (hashes, command‑and‑control traffic).
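The “rapid file encryption” signal an EDR rule looks for, as an added example that is not part of the original post: it assumes a constructed file‑event log (timestamp, process, action, path per line) and flags any process whose WRITE/RENAME rate exceeds a threshold inside a sliding time window.

```python
"""Toy 'mass file modification' detector of the kind an EDR rule implements.
Added example, not code from the original post. It assumes a constructed
file-event log with one event per line: ISO timestamp, process name, action
(READ/WRITE/RENAME/CREATE) and path. A process that writes or renames more
than THRESHOLD files inside a WINDOW_SECONDS sliding window is flagged."""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5        # more than this many WRITE/RENAME events in the window -> alert
WINDOW_SECONDS = 10  # sliding window length in seconds

# Constructed sample log: a user saving two documents, then an unknown process
# renaming six user files within three seconds (typical encryption behaviour).
SAMPLE_LOG = """\
2025-09-13T09:00:00 winword.exe WRITE C:/Users/ann/report.docx
2025-09-13T09:00:30 winword.exe WRITE C:/Users/ann/notes.docx
2025-09-13T09:05:00 unknown.exe RENAME C:/Users/ann/report.docx -> report.docx.locked
2025-09-13T09:05:01 unknown.exe RENAME C:/Users/ann/notes.docx -> notes.docx.locked
2025-09-13T09:05:01 unknown.exe RENAME C:/Users/ann/budget.xlsx -> budget.xlsx.locked
2025-09-13T09:05:02 unknown.exe RENAME C:/Users/ann/photo1.jpg -> photo1.jpg.locked
2025-09-13T09:05:02 unknown.exe RENAME C:/Users/ann/photo2.jpg -> photo2.jpg.locked
2025-09-13T09:05:03 unknown.exe RENAME C:/Users/ann/thesis.pdf -> thesis.pdf.locked
2025-09-13T09:05:03 unknown.exe CREATE C:/Users/ann/README_RESTORE.txt
"""

def parse_event(line):
    """Split one log line into its four fields; the path may contain spaces."""
    ts, proc, action, path = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "proc": proc,
            "action": action, "path": path}

def detect_mass_modification(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {process: timestamp of first alert} for processes over the rate."""
    recent = defaultdict(deque)  # process -> timestamps still inside the window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in ("WRITE", "RENAME"):
            continue
        q = recent[ev["proc"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:  # drop stale events
            q.popleft()
        if len(q) > threshold and ev["proc"] not in alerts:
            alerts[ev["proc"]] = ev["ts"]
    return alerts

if __name__ == "__main__":
    print(detect_mass_modification(SAMPLE_LOG.splitlines()))
```

A real rule would add further signals (new extensions appended to many files, a ransom‑note file appearing next to them), but the per‑process rate alone already separates the document editor from the renaming process in this log.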

Response

  1. Isolate Infected Systems – Disconnect from network to stop spread.
  2. Preserve Evidence – Capture memory dumps and logs before wiping.
  3. Restore from Backups – Verify backup integrity; prioritize offline or immutable backups.
  4. Engage Law Enforcement – Report incidents to local authorities and, where applicable, to national CERTs.

Recovery

  • Test backup restoration regularly (at least quarterly).
  • Conduct a post‑mortem to identify gaps and improve policies.

Ransomware‑Ready Backup Best Practices

  • Air‑gapped / Immutable Backups – Prevents ransomware from encrypting or deleting backup copies.
  • Versioned Snapshots – Allows rollback to a point before infection.
  • Regular Restore Tests – Confirms that backups are usable under pressure.
  • Offsite Storage – Shields against physical disasters that could affect the primary site.
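A minimal restore test of the kind the practices above call for, as an added example that is not part of the original post: it records a SHA‑256 manifest when the backup is taken and checks a restored copy against it, so a restore that is silently incomplete or altered is caught before it is needed in an emergency. The directory layout and file contents in demo() are constructed for the demonstration.

```python
"""Restore test: record a SHA-256 manifest of a backup set and verify a restored
copy against it, reporting files that are missing, unexpected or corrupted.
Added example, not code from the original post; the directory layout and file
contents in demo() are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),      # not restored at all
        "unexpected": sorted(set(actual) - set(manifest)),   # files the backup never had
        "corrupted": sorted(k for k in manifest              # content differs
                            if k in actual and actual[k] != manifest[k]),
    }

def demo():
    """Constructed scenario: after 'restore', one file is altered and one is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "backup"), Path(tmp, "restored")
        for d in (src, dst):
            (d / "docs").mkdir(parents=True)
        (src / "docs" / "a.txt").write_text("alpha")
        (src / "docs" / "b.txt").write_text("bravo")
        (src / "c.txt").write_text("charlie")
        manifest = build_manifest(src)                 # taken when the backup was made
        (dst / "docs" / "a.txt").write_text("alpha")   # restored intact
        (dst / "docs" / "b.txt").write_text("bravo!")  # silently altered
        # c.txt is never restored
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())
```

Store the manifest with the immutable copy, not beside the live data, so an intruder who can alter the files cannot also rewrite the record of what they should hash to.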

The Future of Ransomware

  • Ransomware‑as‑a‑Service (RaaS) will keep lowering the barrier to entry for criminal groups.
  • AI‑generated Phishing may increase success rates by crafting highly personalized lures.
  • Double & Triple Extortion—combining encryption, data theft, and DDoS threats—will become more common.

Staying ahead requires continuous education, automation, and a proactive security mindset.


Quick Checklist (Copy‑Paste for Your Team)

  • ✅ Enable MFA on all accounts
  • ✅ Deploy anti‑phishing gateway
  • ✅ Patch all systems weekly
  • ✅ Conduct quarterly phishing simulations
  • ✅ Implement immutable, offline backups
  • ✅ Test restore procedures every 90 days
  • ✅ Monitor EDR alerts for mass file modifications
  • ✅ Document incident response playbook

Quick Checklist for the General Public

Feel free to print this or save it on your phone. Even a few simple habits can dramatically lower your ransomware risk.

  • ✅ Keep your operating system, browsers, and apps up to date (enable automatic updates).
  • ✅ Use a reputable antivirus/anti‑malware solution and keep its definitions current.
  • ✅ Enable multi‑factor authentication on email, cloud storage, and banking accounts.
  • ✅ Be skeptical of unexpected emails, especially those urging you to click links or open attachments.
  • ✅ Verify the sender’s address and look for spelling/grammar errors before responding.
  • ✅ Do NOT enable macros in Office documents unless you’re absolutely sure they’re safe.
  • ✅ Regularly back up personal files (photos, documents) to an external drive that you disconnect after each backup.
  • ✅ Store at least one backup copy offline or in a cloud service that offers versioning and “deleted file recovery.”
  • ✅ Use strong, unique passwords for each online service (consider a password manager).
  • ✅ If you suspect an infection, disconnect from Wi‑Fi/Ethernet immediately and seek help before paying any ransom.

Conclusion

Ransomware remains a potent threat, but it’s far from unstoppable. By understanding how it works, recognizing the signs, and implementing layered defenses, individuals and organizations can dramatically reduce both the likelihood of infection and the impact of an eventual breach. Stay vigilant, keep your systems patched, and never underestimate the power of a good backup strategy.


Feel free to share this post or adapt it for your audience. Stay safe!