Glossary
What is ransomware? How it works, how it gets in, and how to avoid paying
Ransomware is malware that encrypts your files and demands a ransom. Modern attacks add 'double extortion' — stealing data and threatening to leak it. How it works, the main entry routes (phishing, exposed VPN/RDP, unpatched flaws), and how to recover without paying — defense-only.
"Holding your files hostage and demanding a ransom" — that's ransomware. Here's how it works and how to avoid paying (no attack steps).
How it works: a business model, not just a virus
Classic ransomware encrypts every file it can reach on a device or server and leaves a note: "pay if you want the decryption key." But the real nature of today's threat is less about the technology and more about how it makes money.
In double extortion, attackers exfiltrate data before encrypting. So even if a victim restores from their own backups, a second threat remains: "pay or we publish what we stole." That shift is why "we have backups, so we're fine" no longer holds on its own. On top of that, RaaS (Ransomware-as-a-Service) splits the work — those who build the tooling and those who run the attacks are now different people — which has sharply lowered the barrier to entry.
Main entry routes (close the door)
Ransomware doesn't appear by magic; it comes in through a predictable set of doors. Closing them is the first line of defense.
1. Phishing: via email attachments / links. The most common door. Defense = MFA, mail filtering, training.
2. Exposed VPN/RDP: weak / no-MFA remote access. Defense = require MFA, reduce exposure.
3. Unpatched flaws: known holes in internet-facing software. Defense = patch promptly.
A real example we've covered, the mass MOVEit breach (Cl0p), exploited an unpatched vulnerability in internet-facing software and stole large volumes of data before a fix was available — a double-extortion case. It's a good reminder that "an email attachment" is not the only way ransomware gets in.
Defense: make recovery-without-paying possible
Keep offline / immutable backups (most important)
Backups are what decide recovery. But an always-online, writable backup can be encrypted along with the rest, so keep at least one offline or immutable (tamper-proof) copy, and run restore tests regularly to confirm you can actually get data back. See backup and recovery essentials (3-2-1).
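The restore test the paragraph calls for can be automated: record a hash manifest at backup time, keep it with the offline copy, and compare every restored file against it. Below is an added illustration (not code from this site); the sample files, the truncated file and the missing file are all constructed here to show what such a check reports.

```python
import hashlib
import os
import tempfile
# Constructed sample "production" data; the restore test below deliberately
# truncates one file and drops another to show what the check reports.
SAMPLE_FILES = {
    "docs/contract.txt": b"Signed agreement, version 3.\n",
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "config/app.yaml": b"retention_days: 30\n",
}

def sha256_file(path):
    with open(path, "rb") as f:          # whole-file read is fine for sample data
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map relative path -> sha256 for every file under root. Generate this at
    backup time and store it with the offline/immutable copy, not beside the live data."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest: missing, corrupted, extra files."""
    found = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in found)
    corrupted = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    extra = sorted(p for p in found if p not in manifest)
    return {"ok": not (missing or corrupted), "missing": missing,
            "corrupted": corrupted, "extra": extra}

def write_tree(root, files):
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

def run_restore_test():
    """Back up, build the manifest, then 'restore' a damaged copy and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = os.path.join(tmp, "prod"), os.path.join(tmp, "restored")
        write_tree(src, SAMPLE_FILES)
        manifest = build_manifest(src)
        damaged = dict(SAMPLE_FILES)
        damaged["db/customers.csv"] = b"id,name\n1,Alice\n"  # truncated during restore
        del damaged["config/app.yaml"]                        # never restored
        write_tree(restored, damaged)
        return verify_restore(manifest, restored)
```

A restore test that reports `ok: False` is the point: it tells you before an incident that the backup cannot be trusted.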
Close the entry: MFA and patching
Require multi-factor authentication (MFA) on the biggest doors — phishing-prone logins and exposed remote access — and patch known vulnerabilities promptly on anything internet-facing. This alone stops a large share of intrusions (→ choosing MFA).
Limit the blast radius: least privilege and segmentation
So that one compromise doesn't encrypt the whole company, keep privileges to the minimum needed and segment the network. Designing so that a single compromised machine can't spread everywhere keeps damage local.
Have detection and an 'after we're hit' plan
Even with the doors closed, prevention is never perfect. So detect anomalies early and decide in advance — in an incident response plan — who does what (isolate, notify, restore, in that order). Build the ability to contain and restore before anyone panics and pays.
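One concrete form of "detect anomalies early" is watching for the encrypt-and-rename burst: a single process touching many files in seconds, most of them gaining a new extension. The detector below is an added example (not this site's code); the audit-event lines, the process names and the thresholds are all constructed for illustration, and the bulk copier in the sample shows why a rename ratio, not a raw file count, is the trigger.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os
# Constructed sample of file-system audit events (not output of any real product).
# Format: "<ISO timestamp> <process> <action> <path>[ -> <new path>]"
SAMPLE_EVENTS = """\
2024-03-01T09:00:01 winword.exe write C:/Users/ann/Documents/q1.docx
2024-03-01T09:01:00 robocopy.exe write D:/Backup/finance/invoice1.pdf
2024-03-01T09:01:00 robocopy.exe write D:/Backup/finance/invoice2.pdf
2024-03-01T09:01:01 robocopy.exe write D:/Backup/finance/payroll.xlsx
2024-03-01T09:01:01 robocopy.exe write D:/Backup/hr/contracts.docx
2024-03-01T09:02:10 svc_upd.exe rename C:/Shares/finance/invoice1.pdf -> C:/Shares/finance/invoice1.pdf.locked
2024-03-01T09:02:10 svc_upd.exe rename C:/Shares/finance/invoice2.pdf -> C:/Shares/finance/invoice2.pdf.locked
2024-03-01T09:02:11 svc_upd.exe rename C:/Shares/finance/payroll.xlsx -> C:/Shares/finance/payroll.xlsx.locked
2024-03-01T09:02:11 svc_upd.exe rename C:/Shares/hr/contracts.docx -> C:/Shares/hr/contracts.docx.locked
2024-03-01T09:02:13 svc_upd.exe write C:/Shares/hr/HOW_TO_RECOVER.txt
"""

WINDOW = timedelta(seconds=10)  # look-back window per process
MIN_FILES = 4                   # distinct files touched inside the window
MIN_RENAME_RATIO = 0.6          # share of those that gained a new extension

def parse_event(line):
    ts, proc, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), proc, action, src, dst or None

def detect_mass_encryption(lines):
    """Flag processes that touch many files in a short burst, mostly by renaming
    them to a new extension (encrypt-and-rename). A bulk copier stays below the ratio."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for line in filter(str.strip, lines):
        ts, proc, action, src, dst = parse_event(line)
        if action not in ("write", "rename"):
            continue
        new_ext = None
        if dst and os.path.splitext(dst)[1] != os.path.splitext(src)[1]:
            new_ext = os.path.splitext(dst)[1]
        q = recent[proc]                     # sliding window of (ts, path, new_ext)
        q.append((ts, src, new_ext))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        files = {p for _, p, _ in q}
        renamed = [e for _, _, e in q if e]
        if proc not in alerted and len(files) >= MIN_FILES \
                and len(renamed) / len(files) >= MIN_RENAME_RATIO:
            alerted.add(proc)
            alerts.append({"process": proc, "first_seen": q[0][0].isoformat(),
                           "files": len(files), "new_ext": max(set(renamed), key=renamed.count)})
    return alerts
```

An alert like this is what feeds the "isolate" step of the plan: the process name and first-seen time tell responders which host to cut off first.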
This site's view: paying isn't even the last resort — preparation is the point
On whether to pay, our position is clear: build the ability to not pay, in advance. Paying doesn't guarantee decryption; with double extortion it doesn't stop the leak either; and it funds crime while marking you as a payer who gets targeted again. So the real work is preparation, not incident response. An offline backup you can restore plus an entry that's closed with MFA and patching — with both in place, ransomware drops from "catastrophic event" to "annoying but recoverable incident."
Blind spot: "we have backups" no longer means "we're safe"
Backups used to make ransomware harmless. But now that double extortion is the norm, being able to restore is a different problem from preventing data theft. Attackers pull the data out before encrypting and then demand payment "or we publish it." So defense is two-layered — not just able to restore (backups) but also don't let them in or out (entry-point defense). The starting point for modern ransomware defense is refusing to stop at "but we have backups."
Read next
- Learn: backup and recovery essentials (the foundation for recovering without paying — the 3-2-1 rule)
- Learn: choosing MFA the right way (close the biggest entry)
- Glossary: what phishing is (cut off the top entry route itself)
- Case: the mass MOVEit breach (Cl0p) (double extortion via an unpatched flaw)
FAQ
Q: If I'm hit by ransomware, should I pay?
Lean strongly toward not paying. Paying doesn't guarantee you get your files back, and it doesn't guarantee the stolen data won't be leaked. It also funds criminal groups and marks you as someone who pays, making you a repeat target (and paying sanctioned groups can carry legal risk). Many authorities discourage paying. That's exactly why preparation — offline backups you can restore without paying — matters most.
Q: How does ransomware get in?
Three main routes. (1) Phishing email attachments or links — the most common entry. (2) Internet-exposed remote access (VPN/RDP) that is weak or has no multi-factor authentication (MFA). (3) Unpatched, known vulnerabilities in internet-facing software. In short: human action, exposed entry points, and missing patches — all of which you can close with defenses.
Q: Is having backups enough?
Backups are the most important control, but with conditions. An always-online, writable backup can be encrypted along with everything else, so keep at least one offline or immutable (tamper-proof) copy and run restore tests regularly. And because modern attacks steal data before encrypting (double extortion), backups let you 'recover' but don't stop a leak — you also need entry-point defenses so attackers don't get in and exfiltrate in the first place.