Ransomware explained: How it works and how to remove it



Despite a recent decline, ransomware is still a serious threat. Here’s everything you need to know about the file-encrypting malware and how it works.

Ransomware definition

Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim, promising to restore access to the data once the ransom is paid.

Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.


How ransomware works

There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they’re downloaded and opened, they can take over the victim’s computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.

There are several things the malware might do once it’s taken over the victim’s computer, but by far the most common action is to encrypt some or all of the user’s files. If you want the technical details, the Infosec Institute has a great in-depth look at how several flavors of ransomware encrypt files. But the most important thing to know is that at the end of the process, the files cannot be decrypted without a mathematical key known only by the attacker. The user is presented with a message explaining that their files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker.

In some forms of malware, the attacker might claim to be a law enforcement agency shutting down the victim’s computer due to the presence of pornography or pirated software on it, and demanding the payment of a “fine,” perhaps to make victims less likely to report the attack to authorities. But most attacks don’t bother with this pretense. There is also a variation, called leakware or doxware, in which the attacker threatens to publicize sensitive data on the victim’s hard drive unless a ransom is paid. But because finding and extracting such information is a very tricky proposition for attackers, encryption ransomware is by far the most common type.

Who is a target for ransomware?

There are several different ways attackers choose the organizations they target with ransomware. Sometimes it’s a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.

On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet — and these organizations may be uniquely sensitive to leakware attacks.

But don’t feel like you’re safe if you don’t fit these categories: as we noted, some ransomware spreads automatically and indiscriminately across the internet.

How to prevent ransomware

There are a number of defensive steps you can take to prevent ransomware infection. These steps are, of course, good security practices in general, so following them improves your defenses against all sorts of attacks:

  • Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
  • Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
  • Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
  • And, of course, back up your files, frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.
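The last item in the list deserves a worked illustration. A backup that ransomware can reach and overwrite is no backup at all, so a useful pattern is to keep every snapshot in its own never-overwritten directory, record a SHA-256 manifest at backup time, and refuse to restore from a snapshot that no longer matches its manifest. The following is an added example written for this article, not code from CSO or from any backup product; the `<root>/<label>/data` plus `manifest.json` layout, the function names, and the sample files in `demo()` are all constructed for the illustration.

```python
"""Versioned, integrity-checked backups.

Added example for the prevention list above; not code from the CSO article.
Each snapshot lives in its own directory that is never overwritten, and a
SHA-256 manifest written at backup time lets a later run prove which
backed-up files are still exactly what was saved. Restore refuses a snapshot
that fails that check. Layout (assumed): <root>/<label>/data/... and
<root>/<label>/manifest.json.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(source: Path, backup_root: Path, label: str = "") -> Path:
    """Copy every file under `source` into a new snapshot and write its manifest."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snapshot = backup_root / label
    if snapshot.exists():
        # Snapshots are append-only: an existing label is never overwritten.
        raise FileExistsError(f"snapshot {snapshot} already exists")
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        dest = snapshot / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        manifest[rel] = sha256_of(dest)  # hash the copy, i.e. what was actually stored
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return snapshot


def verify_snapshot(snapshot: Path) -> dict:
    """Re-hash every file in the snapshot against its manifest."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        path = snapshot / "data" / rel
        if not path.exists():
            report["missing"].append(rel)
        elif sha256_of(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_snapshot(snapshot: Path, target: Path) -> int:
    """Copy a snapshot back to `target`; refuse if any file fails the manifest."""
    report = verify_snapshot(snapshot)
    if report["modified"] or report["missing"]:
        raise RuntimeError(f"snapshot fails integrity check: {report}")
    for rel in report["ok"]:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / "data" / rel, dest)
    return len(report["ok"])


def demo() -> dict:
    """Walk the full cycle on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs, backups, restored = root / "docs", root / "backups", root / "restored"
        (docs / "finance").mkdir(parents=True)
        (docs / "notes.txt").write_text("constructed sample document\n")
        (docs / "finance" / "q1.csv").write_text("item,amount\nlicence,1200\n")
        (docs / "finance" / "q2.csv").write_text("item,amount\nhosting,800\n")

        snap = take_snapshot(docs, backups, label="snap-0001")
        clean = verify_snapshot(snap)
        restored_count = restore_snapshot(snap, restored)

        # Simulate one backup copy being overwritten after the fact (constructed):
        # the manifest catches it and restore now refuses to use this snapshot.
        (snap / "data" / "finance" / "q1.csv").write_bytes(b"\x00" * 64)
        tampered = verify_snapshot(snap)
        try:
            restore_snapshot(snap, root / "restored2")
            refused = False
        except RuntimeError:
            refused = True
        return {
            "backed_up": len(clean["ok"]),
            "clean_modified": len(clean["modified"]),
            "restored": restored_count,
            "tampered_modified": tampered["modified"],
            "restore_refused": refused,
        }
```

In practice the `backup_root` would sit on media the workstation cannot write to in normal operation (a pull-based backup host, object storage with versioning or object lock, or rotated offline disks); the manifest check then becomes the routine that tells you which snapshot is the last clean one after an incident.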

Ransomware removal

If your computer has been infected with ransomware, you’ll need to regain control of your machine. CSO’s Steve Ragan has a great video demonstrating how to do this on a Windows 10 machine:

The video has all the details, but the important steps are to:

  • Reboot Windows 10 to safe mode
  • Install antimalware software
  • Scan the system to find the ransomware program
  • Restore the computer to a previous state

But here’s the important thing to keep in mind: while walking through these steps can remove the malware from your computer and restore it to your control, it won’t decrypt your files. Their transformation into unreadability has already happened, and if the malware is at all sophisticated, it will be mathematically impossible for anyone to decrypt them without access to the key that the attacker holds. In fact, by removing the malware, you’ve precluded the possibility of restoring your files by paying the attackers the ransom they’ve asked for.

Ransomware facts and figures

Ransomware is big business. There’s a lot of money in ransomware, and the market expanded rapidly from the beginning of the decade. In 2017, ransomware resulted in $5 billion in losses, both in terms of ransoms paid and spending and lost time in recovering from attacks. That’s up 15 times from 2015. In the first quarter of 2018, just one kind of ransomware software, SamSam, collected $1 million in ransom money.

Some markets are particularly prone to ransomware—and to paying the ransom. Many high-profile ransomware attacks have occurred in hospitals or other medical organizations, which make tempting targets: attackers know that, with lives literally in the balance, these enterprises are more likely to simply pay a relatively low ransom to make a problem go away. It’s estimated that 45 percent of ransomware attacks target healthcare orgs, and, conversely, that 85 percent of malware infections at healthcare orgs are ransomware. Another tempting industry? The financial services sector, which is, as Willie Sutton famously remarked, where the money is. It’s estimated that 90 percent of financial institutions were targeted by a ransomware attack in 2017.   

Your anti-malware software won’t necessarily protect you. Ransomware is constantly being written and tweaked by its developers, and so its signatures are often not caught by typical anti-virus programs. In fact, as many as 75 percent of companies that fall victim to ransomware were running up-to-date endpoint protection on the infected machines.

Ransomware isn’t as prevalent as it used to be. If you want a bit of good news, it’s this: the number of ransomware attacks, after exploding in the mid ’10s, has gone into a decline, though the initial numbers were high enough that it’s still. But in the first quarter of 2017, ransomware attacks made up 60 percent of malware payloads; now it’s down to 5 percent.  

Ransomware on the decline?

What’s behind this big dip? In many ways it’s an economic decision based on the cybercriminal’s currency of choice: bitcoin. Extracting a ransom from a victim has always been hit or miss; they might not decide to pay, or even if they want to, they might not be familiar enough with bitcoin to figure out how to actually do so.

As Kaspersky points out, the decline in ransomware has been matched by a rise in so-called cryptomining malware, which infects the victim computer and uses its computing power to create (or mine, in cryptocurrency parlance) bitcoin without the owner knowing. This is a neat route to using someone else’s resources to get bitcoin that bypasses most of the difficulties in scoring a ransom, and it has only gotten more attractive as a cyberattack as the price of bitcoin spiked in late 2017.

That doesn’t mean the threat is over, however. There are two different kinds of ransomware attackers: “commodity” attacks that try to infect computers indiscriminately by sheer volume and include so-called “ransomware as a service” platforms that criminals can rent; and targeted groups that focus on particularly vulnerable market segments and organizations. You should be on guard if you’re in the latter category, no matter if the big ransomware boom has passed.

With the price of bitcoin dropping over the course of 2018, the cost-benefit analysis for attackers might shift back. Ultimately, using ransomware or cryptomining malware is a business decision for attackers, says Steve Grobman, chief technology officer at McAfee. “As cryptocurrency prices drop, it’s natural to see a shift back [to ransomware].”

Should you pay the ransom?

If your system has been infected with malware, and you’ve lost vital data that you can’t restore from backup, should you pay the ransom? 

When speaking theoretically, most law enforcement agencies urge you not to pay ransomware attackers, on the logic that doing so only encourages hackers to create more ransomware. That said, many organizations that find themselves afflicted by malware quickly stop thinking in terms of the “greater good” and start doing a cost-benefit analysis, weighing the price of the ransom against the value of the encrypted data. According to research from Trend Micro, while 66 percent of companies say they would never pay a ransom as a point of principle, in practice 65 percent actually do pay the ransom when they get hit.

Ransomware attackers keep prices relatively low — usually between $700 and $1,300, an amount companies can usually afford to pay on short notice. Some particularly sophisticated malware will detect the country where the infected computer is running and adjust the ransom to match that nation’s economy, demanding more from companies in rich countries and less from those in poor regions.

There are often discounts offered for acting fast, so as to encourage victims to pay quickly before thinking too much about it. In general, the price point is set so that it’s high enough to be worth the criminal’s while, but low enough that it’s often cheaper than what the victim would have to pay to restore their computer or reconstruct the lost data. With that in mind, some companies are beginning to build the potential need to pay ransom into their security plans: for instance, some large UK companies who are otherwise uninvolved with cryptocurrency are holding some Bitcoin in reserve specifically for ransom payments.

There are a couple of tricky things to remember here, keeping in mind that the people you’re dealing with are, of course, criminals. First, what looks like ransomware may not have actually encrypted your data at all; make sure you aren’t dealing with so-called “scareware” before you send any money to anybody. And second, paying the attackers doesn’t guarantee that you’ll get your files back. Sometimes the criminals just take the money and run, and may not have even built decryption functionality into the malware. But any such malware will quickly get a reputation and won’t generate revenue, so in most cases — Gary Sockrider, principal security technologist at Arbor Networks, estimates around 65 to 70 percent of the time — the crooks come through and your data is restored.
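The first of those two points, and the description earlier in the article of files that end up unreadable without the attacker’s key, both come down to one observable property: genuinely encrypted output is statistically indistinguishable from random bytes, so its byte distribution is nearly flat and the format header the file used to carry is gone, whereas “scareware” that only displays a ransom note leaves the files untouched. The following is an added example, not code from the CSO article or from any product, that checks both signals on a sample of files as a first triage step. The magic-byte table, the 7.9 bits-per-byte threshold and the sample files in `demo()` are assumptions constructed for the illustration.

```python
"""Tell a truly encrypted file from an intact one.

Added example, not code from the CSO article. Real file-encrypting
ransomware leaves output with a nearly flat byte distribution (Shannon
entropy close to the 8 bits/byte maximum) and strips the format header the
file used to carry (%PDF, PK for zip/docx, the \\x89PNG signature ...).
Scareware that only shows a ransom note leaves files intact. Threshold and
magic-byte table are assumptions chosen for this example.
"""
import hashlib
import math
from collections import Counter
from pathlib import Path

# Recognisable headers of common document formats (assumed, partial table).
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "legacy ms office",
}
ENTROPY_THRESHOLD = 7.9   # bits per byte; flat random data sits at roughly 7.95 to 8.0
SAMPLE_BYTES = 64 * 1024  # the first 64 KiB is enough for the estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_format(data: bytes):
    """Return the format name whose magic bytes start `data`, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess(data: bytes) -> dict:
    """Classify a file's contents as intact or likely encrypted."""
    sample = data[:SAMPLE_BYTES]
    entropy = round(shannon_entropy(sample), 3)
    fmt = detect_format(sample)
    if fmt is not None:
        verdict = "intact"  # header survived; compressed formats are high entropy anyway
    elif entropy >= ENTROPY_THRESHOLD:
        verdict = "likely encrypted"
    else:
        verdict = "intact"  # plain text, CSV and the like: readable, low entropy
    return {"verdict": verdict, "entropy": entropy, "format": fmt}


def assess_file(path: Path) -> dict:
    """Convenience wrapper for on-disk files."""
    with path.open("rb") as fh:
        return assess(fh.read(SAMPLE_BYTES))


def scan_directory(root: Path) -> dict:
    """Count verdicts over every regular file under `root`."""
    counts = Counter(assess_file(p)["verdict"] for p in root.rglob("*") if p.is_file())
    return dict(counts)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 counter chain, so the
    demo needs no key or cipher yet still has a flat byte distribution."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def demo() -> dict:
    """Run the check over constructed samples: two intact files, one 'encrypted'."""
    samples = {
        "report.txt": b"Quarterly revenue summary. " * 200,
        "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100,
        "report.txt.locked": pseudo_random_bytes(8192),
    }
    return {name: assess(data)["verdict"] for name, data in samples.items()}
```

Run `scan_directory(Path("/path/to/user/documents"))` on a handful of the files the ransom note claims to have encrypted: if they keep their headers or readable low-entropy content, you are looking at scareware and have something to recover without paying anyone. The header check matters because zip-based formats such as docx, and images such as png and jpeg, are themselves high-entropy, so entropy alone would misclassify them.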

Ransomware examples

While ransomware has technically been around since the ’90s, it’s only taken off in the past five years or so, largely because of the availability of untraceable payment methods like Bitcoin. Some of the worst offenders have been:

  • CryptoLocker, a 2013 attack, launched the modern ransomware age and infected up to 500,000 machines at its height.
  • TeslaCrypt targeted gaming files and saw constant improvement during its reign of terror.
  • SimpleLocker was the first widespread ransomware attack that focused on mobile devices.
  • WannaCry spread autonomously from computer to computer using EternalBlue, an exploit developed by the NSA and then stolen by hackers.
  • NotPetya also used EternalBlue and may have been part of a Russian-directed cyberattack against Ukraine.
  • Locky started spreading in 2016 and was “similar in its mode of attack to the notorious banking software Dridex.” A variant, Osiris, was spread through phishing campaigns.
  • Leatherlocker was first discovered in 2017 in two Android applications: Booster & Cleaner and Wallpaper Blur HD. Rather than encrypt files, it locks the home screen to prevent access to data.
  • Wysiwye, also discovered in 2017, scans the web for open Remote Desktop Protocol (RDP) servers. It then tries to steal RDP credentials to spread across the network.
  • Cerber proved very effective when it first appeared in 2016, netting attackers $200,000 in July of that year. It took advantage of a Microsoft vulnerability to infect networks.
  • BadRabbit spread across media companies in Eastern Europe and Asia in 2017.
  • SamSam has been around since 2015 and targeted primarily healthcare organizations.
  • Ryuk first appeared in 2018 and is used in targeted attacks against vulnerable organizations such as hospitals. It is often used in combination with other malware like TrickBot.
  • Maze is a relatively new ransomware group known for releasing stolen data to the public if the victim does not pay to decrypt it.
  • RobbinHood is another EternalBlue variant that brought the city of Baltimore, Maryland, to its knees in 2019.
  • GandCrab might be the most lucrative ransomware ever. Its developers, who sold the program to cybercriminals, claim more than $2 billion in victim payouts as of July 2019.
  • Sodinokibi targets Microsoft Windows systems and encrypts all files except configuration files. It is related to GandCrab.
  • Thanos is the newest ransomware on this list, discovered in January 2020. It is sold as ransomware as a service, and it is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.

This list is just going to get longer. Follow the tips listed here to protect yourself.

