1 What is ransomware?
Ransomware is a type of malware that encrypts the files on your computer and demands a ransom — usually in cryptocurrency — in exchange for the decryption key. It is one of the most profitable and destructive categories of cybercrime, affecting hospitals, municipalities, small businesses and individuals alike. Once the encryption process starts, your documents, photos and databases become unreadable in minutes.
$1.1B+: ransom payments tracked in 2023
21 days: average downtime after an attack
4%: victims who fully recover their data after paying
2 How ransomware infects a machine
Ransomware rarely arrives as a mysterious zero-day exploit. Most infections come through mundane vectors: a malicious email attachment, a cracked software installer, a phishing link, or an exposed Remote Desktop (RDP) service.
Email attachments
Office documents with malicious macros, ISO/ZIP archives hiding executables, fake invoices.
Drive-by downloads
A compromised legitimate site silently delivers a payload through an unpatched browser.
Exposed RDP / VPN
Attackers brute-force weak passwords on Remote Desktop or VPN portals to get a foothold.
Supply chain
A trusted software update is tampered with upstream, infecting every customer who installs it.
3 The attack lifecycle
1. Initial access
The attacker gets a foothold (phishing email, stolen credentials, vulnerable service).
2. Reconnaissance & lateral movement
They explore the network, steal credentials, and identify critical servers and backups.
3. Data exfiltration
Modern ransomware crews copy your data before encrypting — for double extortion.
4. Encryption & ransom note
Files are encrypted, backups are wiped, and a ransom note points you to a .onion portal.
5. Negotiation or leak
Pay and hope for a working decryptor, or refuse and see your data published on a leak site.
Analyze a suspicious file on mlab.sh
Received a weird attachment? Check its hash and verdict on the mlab.sh file scanner before opening it.
4 How to protect yourself
Keep offline, versioned backups (3-2-1 rule)
3 copies, on 2 different media, with 1 copy offline. Test restoration regularly.
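A backup that has never been restored is a hope, not a backup. The script below is an added restore drill, not code from mlab Academy: it creates a dated archive of a folder, restores it into a scratch directory exactly as you would after an incident, and compares a SHA-256 hash of every file against the original. The paths `C:\Data\Finance` and `E:\Backups` are placeholders; the offline part of the 3-2-1 rule (detaching the backup medium once the job finishes) is an operational step this script cannot enforce.

```powershell
# Added example (not from mlab Academy): a restore drill for a file-level backup.
# $Source and $BackupRoot are placeholders; $BackupRoot is assumed to be a different
# medium that is detached from the machine once the backup job has run.
param(
    [string]$Source     = 'C:\Data\Finance',
    [string]$BackupRoot = 'E:\Backups'
)

# 1. Create a dated, versioned archive. Never overwrite the previous one: an attacker
#    who reaches the backup share should not be able to poison every copy at once.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $BackupRoot "finance-$stamp.zip"
Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $archive

# 2. Record the SHA-256 of every source file as the ground truth for the drill.
$expected = @{}
Get-ChildItem -Path $Source -Recurse -File | ForEach-Object {
    $rel = $_.FullName.Substring($Source.Length).TrimStart('\')
    $expected[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
}

# 3. Restore into a scratch directory, as you would after an incident.
$scratch = Join-Path $env:TEMP "restore-drill-$stamp"
Expand-Archive -Path $archive -DestinationPath $scratch

# 4. Verify that every file came back with identical content.
$failed = 0
foreach ($rel in $expected.Keys) {
    $restored = Join-Path $scratch $rel
    if (-not (Test-Path $restored)) {
        Write-Warning "missing after restore: $rel"
        $failed++
        continue
    }
    $hash = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
    if ($hash -ne $expected[$rel]) {
        Write-Warning "content mismatch: $rel"
        $failed++
    }
}
Remove-Item -Path $scratch -Recurse -Force

if ($failed -eq 0) {
    "restore drill OK: $($expected.Count) file(s) verified from $archive"
} else {
    throw "restore drill FAILED: $failed file(s) did not restore correctly"
}
```

Run it on a schedule and treat a non-zero exit as an incident in its own right: the drill catches silently corrupted archives, a backup job that quietly stopped including a directory, and a restore target that lacks the permissions to write the files back.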
Patch operating systems and applications
Many ransomware intrusions exploit vulnerabilities for which a patch had been available for months. Enable automatic updates, and prioritise anything reachable from the internet (VPN gateways, mail servers, remote-access tools).
Enable multi-factor authentication everywhere
Especially on VPN, email, admin and cloud accounts. A stolen or guessed password alone is then no longer enough, which defeats the large majority of automated credential-stuffing and password-spraying attacks. Prefer phishing-resistant methods (security keys, passkeys) over SMS codes where you can.
Block Office macros from the internet
One Group Policy setting ("Block macros from running in Office files from the Internet") neutralises a large share of email-based ransomware. Recent Office builds apply it by default, but enforcing it by policy stops users from re-enabling macros. It relies on the Mark of the Web, so files that reach the disk without that flag (for example, extracted by some archiving tools or from mounted disk images) are not covered.
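For administrators who want to enforce the setting outside a domain, the script below is an added example (not mlab Academy's own code): it writes the same per-user policy values that the Group Policy setting writes for Word, Excel and PowerPoint, then reads them back. It assumes Office 2016 or later, which uses the `16.0` version key; the policy is a user setting, so it lands under `HKCU\Software\Policies`.

```powershell
# Added example (not from mlab Academy): enforce "Block macros from running in Office
# files from the Internet" for Word, Excel and PowerPoint, then verify the result.
# Assumes Office 2016/2019/Microsoft 365 (registry version key 16.0).
$apps   = 'Word', 'Excel', 'PowerPoint'
$office = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

foreach ($app in $apps) {
    $key = Join-Path $office "$app\Security"
    if (-not (Test-Path $key)) {
        # Policy keys do not exist until a policy has been applied; create the path.
        New-Item -Path $key -Force | Out-Null
    }
    # 1 = block macros in files that carry the Mark of the Web (downloaded from the internet).
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Read back each value; every application should report 1.
foreach ($app in $apps) {
    $key = Join-Path $office "$app\Security"
    $val = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet').blockcontentexecutionfrominternet
    '{0,-11} blockcontentexecutionfrominternet = {1}' -f $app, $val
}
```

Because the value lives under the Policies hive, the Office Trust Center shows it as managed and greys out the option, so a user who is tricked by a "enable content" lure cannot switch it back on. Audit it the same way after every Office upgrade, since a new version key would start with no policy at all.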
Do not pay the ransom if you can avoid it
Payment funds the criminal ecosystem, does not guarantee recovery and may be illegal in your jurisdiction.
Ransomware FAQ
Is ransomware the same as a virus?
No. Ransomware is a category of malware defined by its goal: extortion, through encryption and increasingly through the threat of leaking stolen data. A virus is defined by how it spreads: it copies itself into other files or programs. Some ransomware spreads like a worm, but most is placed on machines deliberately by an attacker who has already broken in.
Can antivirus software stop ransomware?
Modern EDR solutions stop most known strains, but a fresh variant can slip through. Backups remain your last line of defense.
Should I pay the ransom?
Law enforcement agencies consistently advise against it. Payment does not guarantee a working decryptor and funds further attacks.
What should I do first if I am hit?
Isolate the infected machine from the network immediately (unplug the cable, disable Wi-Fi), preserve logs, and contact your national CERT. Do not shut down or reboot: memory may still hold encryption keys that a decryptor can use, and you will want a memory image for the investigation. Photograph the ransom note and keep a sample of an encrypted file; both help identify the strain and check for a free decryptor.
Related Modules
What is malware?
Viruses, ransomware, trojans: understanding the different families of malicious software.
Password security best practices
Strong passwords, password managers, passphrases: how to build a password strategy that actually works.
What is 2FA / MFA?
Two-factor authentication (2FA) and multi-factor authentication (MFA): why a password alone is not enough.
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/ransomware
Module: What is ransomware? — Digital Hygiene
Disclaimer: This content is for awareness purposes only.