Imagine switching on your computer to find every file — photos, documents, work, everything — scrambled into unreadable nonsense, with a message demanding money to get them back. That is ransomware, and it has become one of the most damaging and lucrative forms of cybercrime, hitting individuals, hospitals, schools and large companies alike. Understanding how it works is the first step to making sure it never happens to you.

What ransomware is

Ransomware is malicious software that encrypts your files so you can no longer open them, then demands a payment — usually in cryptocurrency — in return for the key to unlock them. The name is literal: it holds your data to ransom.

It is a specific, especially nasty member of the wider malware family. What sets it apart is its business model. Most malware tries to stay hidden; ransomware wants you to know it is there, because the whole scheme depends on frightening you into paying. Many modern strains go further with "double extortion" — they steal a copy of your data first, then threaten to publish it unless you pay, so even a good backup does not remove all the pressure.

The result is a threat that attacks two parts of the CIA triad at once: it destroys the availability of your files, and with data-leak threats, your confidentiality too.

How an infection happens

Ransomware rarely breaks in through some Hollywood-style hacking. Far more often, it walks through a door someone accidentally opens. The common routes in are:

  • Phishing emails. The most common starting point. A convincing message tricks you into opening a malicious attachment or clicking a link that quietly installs the ransomware. Learning to spot phishing emails closes off the single biggest entry route.
  • Malicious downloads. Pirated software, fake "updates", or programs from untrusted sites can carry a hidden payload.
  • Unpatched software. Attackers exploit known security holes in operating systems and applications that have not been updated. This is why updates matter so much.
  • Compromised remote access. Weakly secured remote-access tools and stolen passwords let attackers log in and deploy ransomware directly — a major route for attacks on organisations.

Once it is in, ransomware typically works fast and quietly: it scans for valuable files, encrypts them in the background, and often tries to reach connected drives and network shares so it can spread. Only when the damage is done does it reveal itself with a ransom note.

The uncomfortable truth is that most ransomware needs a little human help to get started — a click, a download, an ignored update. That is also the good news: the same habits that block it are simple and entirely within your control.

Why backups are your best defence

If there is one lesson from years of ransomware attacks, it is this: a good backup is the most powerful defence there is. If your files are safely copied somewhere the ransomware cannot reach, an attack changes from a catastrophe into a clean-up job. You wipe the infected device and restore your data — no ransom required.

But not just any backup will do. Ransomware actively hunts for connected backups to encrypt them too, so the details matter. Security experts recommend a simple rule of thumb often called 3-2-1:

Element              What it means
3 copies             Keep at least three copies of important data (the original plus two backups)
2 media              Store them on at least two different types of storage media or locations
1 offline/off-site   Keep at least one copy disconnected or off-site, beyond the reach of an attack

That last point is the crucial one. A backup drive left permanently plugged in can be encrypted along with everything else. An external drive you connect, copy to, then unplug — or a reputable cloud backup with version history — survives because the ransomware cannot touch it. And a backup is only real if it works, so test it occasionally by actually restoring a few files.
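As an added illustration (not part of the original article), the short Python script below shows what "testing a backup" can look like in practice: it records a SHA-256 fingerprint of every file at backup time and later checks the backup copy against those fingerprints, flagging files that have gone missing or been silently overwritten, as they would be if a connected backup drive were encrypted. The folder names and file contents are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to the SHA-256 digest of its contents."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against the manifest recorded when it was made.

    Returns the files that are missing from the backup and the files whose
    contents no longer match the original fingerprint."""
    result = {"missing": [], "changed": []}
    for rel, digest in manifest.items():
        copy = backup_root / rel
        if not copy.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(copy.read_bytes()).hexdigest() != digest:
            result["changed"].append(rel)
    return result


def demo() -> tuple:
    """Constructed scenario: back up three files, verify the copy, then
    simulate a backup that was left connected during an attack."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "documents"
        backup = Path(tmp) / "backup"
        (source / "photos").mkdir(parents=True)
        (source / "thesis.docx").write_bytes(b"chapter one\n")
        (source / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8fake-jpeg")
        (source / "notes.txt").write_bytes(b"call the bank\n")
        manifest = build_manifest(source)      # fingerprints taken at backup time
        shutil.copytree(source, backup)
        clean = verify_backup(manifest, backup)  # a healthy backup: nothing reported
        # Simulate damage: one file overwritten with junk, one file erased.
        (backup / "notes.txt").write_bytes(b"\x00\x93garbage")
        (backup / "photos" / "holiday.jpg").unlink()
        tampered = verify_backup(manifest, backup)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the offline copy, not on the machine being backed up, so a later attack cannot alter it along with the files.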

How to prevent ransomware

Beyond backups, a familiar set of habits dramatically reduces your risk — the same cyber hygiene that protects against threats generally:

  1. Keep everything updated. Turn on automatic updates so known security holes are patched before they can be exploited.
  2. Be cautious with email. Do not open unexpected attachments or click links in messages you are not sure about, even from familiar names.
  3. Use reputable security software. It can catch and block many ransomware strains before they run.
  4. Use strong, unique passwords and two-factor authentication. This blocks the stolen-password route attackers use to log in directly.
  5. Limit what an attack can reach. Use a standard user account rather than an administrator account for everyday tasks, especially on shared computers; malware that runs with fewer privileges can change less and spread less far.
  6. Secure remote access. If you use remote-access tools, protect them with strong authentication and keep them updated.

What to do if you are hit

If the worst happens, act calmly and in the right order. Panic leads to mistakes — including paying when you did not need to.

  • Disconnect the device. Unplug the network cable and turn off Wi-Fi immediately to stop the ransomware spreading to other devices or backups.
  • Do not pay reflexively. Authorities including the UK's National Cyber Security Centre (NCSC) advise against paying. There is no guarantee you will get your files back, it marks you out as someone willing to pay, and it funds more crime.
  • Identify and assess. Note the ransom message and any file extensions added. In some cases free decryption tools exist for known strains; reputable security organisations publish them.
  • Restore from backup. If you have a clean, offline backup, wipe the affected device and restore. This is why the earlier preparation pays off.
  • Get expert help. For anything beyond a single home device — and certainly for a business — involve an IT security professional.
  • Report it. In the UK, report ransomware to Action Fraud, and businesses can also report to the National Cyber Security Centre. Reporting helps authorities track and disrupt these criminals.

A note on paying: it is understandable to be tempted when precious files are at stake, which is exactly why prevention matters. The only way to be sure you never have to make that choice is to have a backup ready before anything goes wrong.

The bottom line

Ransomware encrypts your files and demands money to release them, and it usually gets in through everyday mistakes — a phishing email, a risky download, a missed update. The defences are squarely in your hands: keep regular backups with one copy offline, stay updated, be wary of links and attachments, and use strong authentication. If you are ever hit, disconnect, resist the urge to pay, restore from your backup and report it. Treat your backups as non-negotiable, and ransomware loses almost all of its power over you.