
What is ransomware: how does it work and how do you remove it?

Ransomware is one of the most damaging types of malware, causing billion-dollar disasters every year. For businesses and individuals alike, a ransomware infection can mean losing irreplaceable files and spending weeks recovering computers.

In this article, we’ll explore the definition of ransomware, how it works, and how to remove it from your computer.

Ransomware definition

Like adware and spyware, ransomware is a type of malware. Unlike some other kinds of malware, ransomware has a very specific definition: it’s malicious software that encrypts the victim’s files and demands a ransom to decrypt them. Generally, the ransomware author requests their ransom in Bitcoin or another hard-to-trace cryptocurrency.

While most types of ransomware only encrypt a user’s files, others threaten to publish them as well. Because of this, ransomware can be hugely damaging to an organization, both in terms of finances and reputation.

New ransomware variants are constantly being developed. Ransomware attacks spiked during the COVID-19 pandemic, when the shift to working from home exposed vulnerabilities in remote-access systems.

How ransomware works

In a nutshell, ransomware abuses encryption, a technology for scrambling data, to prevent victims from accessing their data unless they pay up. After a victim unwittingly installs it, the ransomware follows a few general steps:

  1. In the background, the ransomware program encrypts (or scrambles) the user’s files one by one, deleting the originals.
  2. The ransomware displays the ransom message, either by changing the desktop background or by opening a custom application in full screen.
  3. In the ransom note, the user is given an ultimatum: either they pay up and have their files restored, or the attacker throws away the encryption key and the files are lost forever.
  4. On the same page as the ransom note, the program displays a Bitcoin (or other cryptocurrency) address. When the user purchases the required amount of Bitcoin and sends it to the specified address, the user is given a file or password.
  5. The user inputs the unlock key into some part of the ransomware program. Theoretically, the unlocker decrypts the user’s files and deletes itself afterwards. However, this doesn’t always happen: sometimes the criminal just takes the victim’s money and does nothing.

Encryption is the same technology used to make online banking secure. It also secures your web browsing, instant messages, and emails (between major providers). However, hackers can also use encryption to lock their victims out of their own data.

[Video: Ransomware Attacks: What Are They and How to Protect Yourself]

How does ransomware spread?

There are a few different ways of infecting users with ransomware. Below, I answer some of the most common questions about how this malicious software spreads:

  • Can ransomware spread through infected documents? Yes. Most types of ransomware arrive via infected downloads or email attachments. So-called document-based malware, where malicious Microsoft Office files house hidden malware, is becoming increasingly prevalent. All it takes is one click to “run macros” (and sometimes zero clicks, if the hacker uses a security bug) before your data is held ransom.
  • Can ransomware spread through Wi-Fi? Yes. Some ransomware spreads like a worm once it gets inside a network. In other words, it uses security vulnerabilities in software on the network to spread from computer to computer. Hackers often target vulnerabilities in file-sharing and remote desktop protocols.
  • Can ransomware spread through USB? Yes. If you borrow an infected flash drive from a friend and plug it into your computer, your computer can become infected too.
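The document-based delivery described in the first bullet can be checked for before anyone is asked to “run macros”. The Python below is an added example, not code from the article or from Cybernews: modern Office files are ZIP archives, and a macro-enabled document carries a vbaProject.bin part, so a mail gateway or download hook can flag attachments that contain one regardless of what the file extension claims. The sample documents are constructed in memory, and the placeholder VBA bytes are not a real macro.

```python
import io
import zipfile

# Parts that hold a compiled VBA project inside an Office Open XML container.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OOXML_EXTENSIONS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def build_sample_office_file(with_macros: bool) -> bytes:
    """Construct a minimal ZIP laid out like a .docx/.docm (a stand-in, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>Invoice (placeholder text)</w:document>")
        if with_macros:
            # Placeholder bytes in the slot where Word stores the VBA project; not a real macro.
            z.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def office_file_has_macros(data: bytes) -> bool:
    """True if the container holds a VBA project part.

    Data that claims to be an Office file but is not a valid ZIP is also reported
    as True: a malformed attachment deserves scrutiny, not a pass.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return True
    return any(part in names for part in MACRO_PARTS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Return 'quarantine', 'allow' or 'not-checked' for one mail attachment.

    The decision looks inside the file rather than trusting the extension, so a
    macro-enabled document renamed to .docx is still caught.
    """
    if not filename.lower().endswith(OOXML_EXTENSIONS):
        # Legacy .doc/.xls (OLE) and non-Office files need a different parser.
        return "not-checked"
    return "quarantine" if office_file_has_macros(data) else "allow"


if __name__ == "__main__":
    samples = (
        ("invoice.docm", build_sample_office_file(True)),
        ("invoice.docx", build_sample_office_file(True)),   # lies about its extension
        ("report.docx", build_sample_office_file(False)),
    )
    for name, doc in samples:
        print(name, "->", triage_attachment(name, doc))
```

The check only answers “does this document carry a VBA project?”; it says nothing about what the macro does, which is exactly why the sensible default for mail from unknown senders is to quarantine rather than to let the user decide at the “enable content” prompt.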

Unfortunately, ransomware is extremely quick once it gets into your system. It only takes a few seconds to encrypt all your files. That’s why you should focus on avoiding it in the first place.

What are the types of ransomware?

Ransomware is currently one of the most prevalent and profitable types of malware. With it, cybercriminals can block access to your own data and devices, steal sensitive information, and earn a fortune by forcing you to pay a ransom.

That’s why ransomware is constantly evolving and now comes in four different types: locker, crypto, double extortion, and RaaS (ransomware-as-a-service). But the two main ones are locker and crypto-ransomware.

Locker Ransomware

This type of ransomware completely blocks access to your device. It uses stolen credentials and social engineering techniques to get into the system. Once inside, the cybercriminals demand that you pay the ransom. However, paying does not undo the damage, since the intruders already have your data.

Crypto Ransomware

With this type of ransomware, the hacker encrypts your sensitive information without compromising your computer’s functionality. Once the hacker is in, you can still see your files but cannot access them. At this point, you also receive a message informing you about the ransom and the possible loss of your files if you don’t pay the required amount of money.

As we can already see, ransomware is a quick and easy way to steal files and earn money for the bad guys. And one of the best ways to stay protected is to use the best ransomware protection from our listed software.

How to prevent ransomware

Most types of ransomware require some kind of user error to trigger. On occasion, ransomware will use security vulnerabilities in software or remote access protocols to spread.

Generally, preventing ransomware attacks is similar to preventing other kinds of attacks. Here are some more specific recommendations:

  • Avoid opening downloads from untrusted sites.
  • Be careful with emails—don’t open attachments or links from untrustworthy or unknown senders.
  • Keep your operating system and software up to date. Make sure that your web browser, antivirus, and other security-critical software gets frequent updates. This can help to avoid ransomware that exploits security vulnerabilities.
  • Use background scanning mode in your antivirus software to make sure that every download is scanned for malware. Since you can’t effectively remove ransomware after it gets installed without wiping your computer, occasional on-demand scans aren’t enough.

Other general security measures might keep ransomware at bay, but the user is the most important element of the security system. By being careful and skeptical of websites, emails, and other information on your computer, you can avoid ransomware.

How to remove ransomware

Since your files are completely encrypted, it’s impossible to remove ransomware without totally wiping and reinstalling your computer. You won’t be able to get back your files without having a backup from before the ransomware was installed.

Here’s how to wipe and restore your computer:

  1. On a clean computer, make a bootable recovery drive specific to your operating system. You won’t need to use a second computer if you use a Mac.
    1. On Windows, use Microsoft’s USB/DVD Download Tool. This is a free and easy download straight from Microsoft.
    2. On macOS, boot from Recovery by holding down the Command and R keys after rebooting. The recovery drive is integrated into your operating system.
  2. Reboot your computer from the external or internal recovery drive. Follow the on-screen instructions to wipe your hard drive and reinstall the operating system.
  3. Reboot your computer when prompted and remove the recovery drive. On a Mac, don’t hold down any keys.
  4. Set up your computer like new. After you finish setting it up, move your files from your backup onto your computer.
  5. Avoid doing the same thing that caused the ransomware to get installed in the first place. If you weren’t following good security practices before, take the time to reevaluate your choices and be more careful next time.

If you don’t have a backup of your files, you might be out of luck. In the final section of this article, we briefly discuss why you shouldn’t pay the ransom. There’s no guarantee that the criminal won’t simply take your money without restoring access to your files. On the other hand, if you’re fine losing your files, just wipe your computer completely and don’t restore any backups.
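Two points on this page share one defensive check: step 1 of “How ransomware works” (files are encrypted one by one) and the restore procedure above, where a backup taken or synced after the infection contains the encrypted copies rather than your data. Encrypted content is statistically close to random bytes, so measuring byte entropy separates it from ordinary documents. The Python below is an added example, not code from the article or from Cybernews: it scans a constructed backup snapshot, flags files that look encrypted, and refuses to restore a snapshot in which more than a small fraction are suspect. The sample files, the thresholds and the “.locked” suffix are assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, ~4-5 for text, close to 8 for encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Headers of formats that are legitimately high-entropy because they are compressed;
# these must not be mistaken for encrypted files.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF")


def looks_encrypted(data: bytes, threshold: float = 7.5, sample: int = 4096) -> bool:
    """Heuristic: no known compressed-format header and near-random leading bytes."""
    if len(data) < 256 or data.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data[:sample]) >= threshold


def scan_snapshot(files: dict) -> dict:
    """Map each path in a backup snapshot to 'ok' or 'suspect' (probably ransomed)."""
    return {path: ("suspect" if looks_encrypted(blob) else "ok") for path, blob in files.items()}


def safe_to_restore(files: dict, max_suspect_ratio: float = 0.05) -> bool:
    """Refuse a snapshot in which more than a small fraction of files look encrypted."""
    verdicts = scan_snapshot(files)
    suspect = sum(1 for v in verdicts.values() if v == "suspect")
    return suspect / max(len(verdicts), 1) <= max_suspect_ratio


# Constructed snapshots (assumptions, not data from the article). Seeded random
# bytes stand in for ciphertext; ".locked" is a hypothetical renamed-file suffix.
_rng = random.Random(2024)
CLEAN_SNAPSHOT = {
    "docs/report.txt": b"Quarterly report, written in plain English text.\n" * 40,
    "docs/notes.txt": b"Meeting notes: verify the offline backup rotation.\n" * 40,
    "img/logo.png": b"\x89PNG\r\n\x1a\n" + _rng.randbytes(4096),  # compressed, legitimately dense
}
RANSOMED_SNAPSHOT = {
    "docs/report.txt.locked": _rng.randbytes(4096),
    "docs/notes.txt.locked": _rng.randbytes(4096),
    "img/logo.png.locked": _rng.randbytes(4096),
}


if __name__ == "__main__":
    for name, snap in (("clean", CLEAN_SNAPSHOT), ("ransomed", RANSOMED_SNAPSHOT)):
        print(name, scan_snapshot(snap), "restore:", safe_to_restore(snap))
```

The same entropy test applied to a few canary files in a monitored share gives early warning while the encryption is still running, which matters because, as the article notes, the whole process can finish within seconds or minutes. Extending the magic-byte list to every compressed or already-encrypted format in use (archives, media, password-protected PDFs) is what keeps the false-positive rate low in practice.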

Ransomware examples

[Image: WannaCry ransomware example]

In recent years, ransomware attacks have shown up in the news all the time. From the famous WannaCry attack that hit hundreds of major organizations to the Petya and NotPetya variants, ransomware has been a hot topic for a few years.

You can see a summary of the most significant ransomware variants here:

  • WannaCry was the most well-known ransomware attack. By exploiting the EternalBlue security vulnerability in Microsoft Windows, it spread across the globe at an unprecedented speed. According to some estimates, the losses from this attack could top four billion dollars.
  • SamSam attacked critical infrastructure using stolen Microsoft Remote Desktop credentials. Unlike many other kinds of ransomware, victims of SamSam did not necessarily commit any kind of error on their own.
  • Locky arrived on victims’ computers through a fake Microsoft Word invoice that contained malware. The document appeared to be invalid and tricked the user into enabling macros to “re-encode” the document. After enabling Word macros, the victim’s computer would be locked with ransomware.
  • Petya and NotPetya are variants of a similar ransomware program that overwrote critical boot sectors on its victims’ computers. Compared to other types of ransomware, Petya uses a lower-level, more thorough technique that renders victim systems completely inoperable.
  • Ryuk attacked enterprise systems in late 2018, more recently than many of these other ransomware examples. It uses fileless malware (including PowerShell scripting) to spread across corporate networks, quickly encrypting as many computers as it can.

Should I pay if I get hit by ransomware?

If at all possible, do not pay the ransom. By paying the ransom, you’re encouraging the ransomware authors to continue attacking other individuals and organizations. However, sometimes you can’t avoid paying the ransom because you don’t have backups and the value of your data exceeds the cost of the ransom.

Remember that the ransomware authors have no incentive to actually unlock your files if you pay the ransom. Although most of the time they do unlock victims’ files, there is no guarantee. When a Kansas hospital was hit with a ransomware attack, their data was not returned, even after paying the ransom.

Another reason to avoid giving in is the possibility that other malware was installed at the same time. Malware often comes in groups—even if you pay to remove the ransomware, your computer might still be infected with other, more subtle malware.

If you prepared well and you have backups, wipe every infected computer and restore from your backups. This way, you’ll still have your data and won’t encourage cybercrime in the future.



prefix 1 year ago
I got infected with Jigsaw. Windows defender blocked it, but for some reason I am getting notifications that windows defender is blocking unauthorized changes to my hard drive. What do I do?
Cybernews Team
prefix 1 year ago
Hi! Your best bet would be to run a full scan with a good antivirus solution. You could look for suspicious files and delete them, look at processes happening and terminate them. But the easiest will be - AV full scan, our top suggestions are TotalAV, Norton, and Bitdefender. These are the ones that are all quite good at catching ransomware. You can read about them more in our reviews. Hope this helps!
prefix 3 years ago
I wonder how badly does ransomware affect network drives. I have shared drives, and one of the devices caught a couple of nasty viruses. I don’t have antivirus, and now I’m afraid, that other devices might lose important data.
prefix 3 years ago
Antiviruses help to prevent many types of malware and ransomware. But how to get rid of FBI ransomware? As far as I know, this type is extremely dangerous and the only option is to pay the attackers? That’s quite scary, since your PC with work data might be affected, and all secret files can be used in the wrong places.
CyberNews Team
prefix 3 years ago
To remove this type of ransomware, you’ll have to enter safe mode with networking, download RKill (link: https://www.bleepingcomputer.com/download/rkill/), and scan your system with it. It would also be a good idea to check your PC with another antivirus of your choice.
prefix 3 years ago
Google is a company that must care about privacy and security, right? I understand that ransomware can affect your PC, tablet, phone, or any other physical device, but I am curious – can ransomware affect Google Drive? When I got it on my PC, which is connected to Google Drive, is there any threat that my docs and photos will be gone?
CyberNews Team
prefix 3 years ago
If you’re using Google Drive to sync files between your computer and the cloud, ransomware can also spread there. You may be able to restore the files to a previous version, but there won’t be much else to do.
prefix 3 years ago
So not into cybersecurity. It feels like discovering something new and unheard of. I have read about different types of viruses and methods of spreading them. That’s pure science to me. It might sound funny, but what to do if you get a ransomware email? Is it enough just to delete it? Should I report it somewhere? Can I click on it?
CyberNews Team
prefix 3 years ago
Usually, ransomware is distributed as an app. So, unless you download or run the file, you shouldn’t be affected. You should report such emails to your email service provider. It’s best to just delete them without opening them.
prefix 3 years ago
For me the best antivirus for ransomware is Norton. They have a very long history in this field – around 30 years, and their software is capable of detecting almost any type of threat and malware. Sometimes it’s even way too sensitive, and finds threats in completely good and secure apps, but in this case I think it’s better worried than sorry.