
What Is Ransomware? How It Works & How to Defend Against It (2026)

Ransomware encrypts your files and demands payment to unlock them. Learn how it works, real 2026 attack examples, and the defenses that actually stop it.

Last updated · April 25, 2026 · By Liang Chen, CISSP (Senior Security Researcher)
10 min read · 2,413 words

Ransomware is a category of malware that encrypts a victim's files, or locks the victim out of the device entirely, and demands payment, usually in cryptocurrency, in exchange for the decryption key. According to CISA's joint cybersecurity advisories with the FBI throughout 2024 and 2025, ransomware remains among the most financially damaging cyber threats facing U.S. consumers, small businesses, hospitals, and schools. The Sophos State of Ransomware 2024 report estimated the average ransom payment in healthcare alone at well over $2 million, and the average total recovery cost (payment, downtime, and remediation) at multiples of that. Even the strongest antivirus is not a substitute for offline backups: ransomware's goal is not just to infect and steal but to deny you access to your own data until you pay, and the only defense that guarantees that access is a copy the attacker could not reach.


Quick Answer / TL;DR

  • Ransomware is malware that encrypts your files and demands payment for the key.
  • Most modern variants use hybrid encryption: a fresh symmetric key (AES-256 or ChaCha20) encrypts the files, and the attacker's public key (RSA-2048 or larger, or an elliptic-curve key) wraps that symmetric key. Unless the implementation is flawed, recovery without the attacker's private key is computationally infeasible.
  • Double and triple extortion — stealing data first, then threatening to leak it — is now the default tactic for major operators like LockBit, BlackCat, and Akira.
  • Defense in depth works: a top-rated antivirus, offline backups, email skepticism, and a patched OS together stop the vast majority of attacks. AV-Comparatives' Anti-Ransomware tests in 2024 and 2025 measure only the antivirus layer; the other layers are what save you when that layer is bypassed.
  • Paying is discouraged by the FBI, CISA, and most security professionals — it funds the next attack and offers no guarantee of recovery.

How does ransomware encrypt files?

Modern ransomware does not encrypt your files directly with the attacker's public key; public-key operations are far too slow for a disk full of data. Instead it uses a hybrid encryption scheme:

  1. The malware generates a fresh random symmetric key (typically AES-256 or ChaCha20) on the victim machine. Some families generate one key per file rather than one per victim and wrap each separately.
  2. It uses that symmetric key to encrypt every targeted file (documents, images, databases, virtual machine disks, and often reachable network shares and mounted backup drives) at high speed.
  3. It then encrypts (wraps) the symmetric key with the attacker's public key, typically RSA-2048 or larger and sometimes an elliptic-curve key, which is hard-coded into the malware binary or fetched from the operator.
  4. The wrapped symmetric key is written into the ransom note or a metadata file, and the plaintext key is wiped from memory, so nothing recoverable remains on the victim machine.

The result: only the attacker's matching private key, held on a server you cannot reach, can unwrap the per-victim symmetric key, and only that key can decrypt the files. AES-256 with a properly random key cannot be brute-forced in any practical timeframe, and neither can a 2048-bit RSA wrapping, which is why "just crack it" is not an option against well-implemented ransomware.

A small number of older or amateur strains have used flawed key generation, hard-coded keys, or recoverable randomness, and security firms occasionally release free decryptors for those families. The No More Ransom Project, a joint initiative by Europol and several private cybersecurity firms, maintains a current catalog of free decryptors for known-broken families. Always check there before considering payment.
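To make the four steps and the flawed-key caveat concrete, here is an added example, written for this page and not taken from any ransomware family, vendor, or the No More Ransom Project. It models the scheme in Go with only the standard library: AES-256-GCM for the files, RSA-OAEP for wrapping the per-victim key, and a deliberately weak variant whose key is expanded from a timestamp-seeded math/rand, which a decryptor can recover by brute-forcing the seed once it knows roughly when encryption ran. The file names, contents, seed and time window are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
)

// NewAttackerKey stands in for the keypair the operator generates offline; a real binary embeds only the public half.
func NewAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile encrypts one file with AES-256-GCM (step 2). A fresh random nonce is prepended
// to each ciphertext so the shared key is never reused with the same nonce.
func SealFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenFile reverses SealFile. GCM's tag makes a wrong key fail loudly instead of
// returning garbage, which is what RecoverFlawedKey relies on.
func OpenFile(key, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext: %v", err)
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// EncryptFiles runs steps 2-4 with the supplied symmetric key: encrypt every file, wrap
// the key with RSA-OAEP under the attacker's public key, then zero the plaintext key.
// The wrapped key is what the ransom note or metadata file carries.
func EncryptFiles(key []byte, files map[string][]byte, pub *rsa.PublicKey) (map[string][]byte, []byte, error) {
	enc := make(map[string][]byte, len(files))
	for name, data := range files {
		ct, err := SealFile(key, data)
		if err != nil {
			return nil, nil, err
		}
		enc[name] = ct
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	for i := range key { // step 4: no plaintext copy of the key survives in memory
		key[i] = 0
	}
	return enc, wrapped, err
}

// GoodKey is step 1 done right: 256 bits from the OS CSPRNG.
func GoodKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

// FlawedKey is the amateur case: 256 bits expanded from math/rand seeded with a Unix
// timestamp, so the key carries only as much entropy as the seed.
func FlawedKey(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	key := make([]byte, 32)
	for i := 0; i < 32; i += 8 {
		binary.BigEndian.PutUint64(key[i:], r.Uint64())
	}
	return key
}

// RecoverKey is the operator's side: only the private half unwraps the symmetric key.
func RecoverKey(wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// RecoverFlawedKey is how a free decryptor beats the flawed variant: given one encrypted
// file and a rough encryption time (file mtime, note timestamp), try every seed in the
// window and keep the key whose GCM tag verifies.
func RecoverFlawedKey(ct []byte, approxUnix, windowSecs int64) ([]byte, bool) {
	for seed := approxUnix - windowSecs; seed <= approxUnix+windowSecs; seed++ {
		key := FlawedKey(seed)
		if _, err := OpenFile(key, ct); err == nil {
			return key, true
		}
	}
	return nil, false
}

func main() {
	priv, err := NewAttackerKey()
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{"report.docx": []byte("constructed sample contents")} // constructed input
	enc, wrapped, _ := EncryptFiles(GoodKey(), files, &priv.PublicKey)
	_, ok := RecoverFlawedKey(enc["report.docx"], 1700000000, 3600)
	key, _ := RecoverKey(wrapped, priv)
	pt, _ := OpenFile(key, enc["report.docx"])
	fmt.Printf("CSPRNG key: seed brute force=%v, private key recovers %q\n", ok, pt)
	enc, _, _ = EncryptFiles(FlawedKey(1700000000), files, &priv.PublicKey)
	_, ok = RecoverFlawedKey(enc["report.docx"], 1700000900, 3600)
	fmt.Println("timestamp-seeded key: recovered without private key =", ok)
}
```

The contrast is the whole lesson: with a CSPRNG key the seed search over a two-hour window finds nothing and only the private key unwraps the envelope, while the timestamp-seeded variant falls to a few thousand trial decryptions. Real decryptors exploit exactly this class of mistake (weak seeds, reused keys, keys left on disk), which is why checking No More Ransom costs nothing and occasionally pays off.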

What are the main types of ransomware?

The category has fragmented into several distinct flavors, each with its own typical victims and tactics:

Type | What it does | Typical target | Notable example
Crypto-ransomware | Encrypts files using strong hybrid cryptography; demands payment for the key | All operating systems; Windows is the leading target | WannaCry (May 2017), LockBit
Locker ransomware | Locks the user out of the operating system or screen but does not encrypt files | Mostly mobile devices and older Windows | Android lockers
Double extortion | Crypto-ransomware plus theft of data, with leak threats | Mid-to-large organizations | BlackCat (ALPHV), Royal, Akira
Triple/quadruple extortion | Adds DDoS attacks, customer harassment, or regulator notification | Larger enterprises and hospitals | Variants of LockBit and Hive
Ransomware-as-a-Service (RaaS) | Operator builds the malware and "rents" it to affiliates who do the breaches | Anyone the affiliates can reach | LockBit, REvil/Sodinokibi
Wiper malware (ransomware-mimicking) | Pretends to be ransomware but cannot actually decrypt; designed purely for destruction | Often political targets | NotPetya (June 2017), HermeticWiper
Scareware | Fake "ransomware" pop-ups that demand payment but have not actually encrypted anything | Browser-based scams | Tech-support scam pop-ups

The most damaging modern incidents almost always involve double extortion. Stealing data first means even a perfect backup strategy doesn't fully neutralize the threat — restored systems can still face leaked customer records, intellectual property, or regulatory consequences.

How does a typical ransomware attack unfold?

Ransomware does not usually pop up the moment a user clicks a bad link. Modern attacks are multi-stage and often unfold over days or weeks. The pattern documented across CISA advisories and incident-response reports from firms like Mandiant and Sophos in 2024-2025 looks like this:

  1. Initial access. The attacker breaches the environment — most commonly through a phishing email, an unpatched internet-facing service, exposed Remote Desktop Protocol, or stolen credentials sold on infostealer marketplaces.

  2. Privilege escalation and reconnaissance. Once inside, the attacker quietly maps the network, harvests more credentials, and escalates to domain-administrator rights. This phase leans on built-in administration tools (PowerShell, PsExec, WMI) and commercial post-exploitation frameworks such as Cobalt Strike, so signature-based scanners see little that looks like malware.

  3. Defense evasion. The attacker disables endpoint protection, modifies firewall rules, deletes Volume Shadow Copies on Windows so victims cannot roll back, and may even tamper with backup software to prevent restoration.

  4. Data exfiltration. Before encrypting, the attacker copies sensitive files — financial records, customer data, intellectual property — to attacker-controlled cloud storage. This is the "double extortion" leverage.

  5. Encryption. The ransomware binary is finally deployed, often pushed simultaneously to every reachable endpoint via Group Policy, RMM tools, or scripted SSH for ESXi and other non-Windows hosts. Encryption is fast: most families encrypt only part of each large file (intermittent encryption), so a corporate file server can be rendered unusable in tens of minutes.

  6. Ransom demand. A note appears in every encrypted folder. It typically lists a Tor hidden-service URL where the victim can chat with the operator, see proof of decryption (one or two files decrypted for free), and receive a payment address.

  7. Negotiation, payment, or rebuild. Victims either negotiate (often via specialized incident-response firms), pay (discouraged by the FBI and most security professionals), or restore from clean backups and rebuild — accepting the data-leak risk.
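Steps 3 and 5 are the defender's best chance to catch an intrusion before the ransom note appears, because disabling recovery and mass-renaming files are loud. As an added example (not code from CISA, Mandiant or Sophos), the Go program below runs a handful of detection rules over constructed process-creation and file-rename records. The commands it looks for (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog, Set-MpPreference -DisableRealtimeMonitoring) are the ones CISA's #StopRansomware advisories repeatedly list; the pipe-delimited log layout, host and user names, and the .locked9x extension are invented for the demo.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Alert is one finding: the host, the rule that fired, and the evidence.
type Alert struct{ Host, Rule, Evidence string }

// Recovery-inhibition and defense-evasion commands that CISA #StopRansomware advisories
// list as precursors to encryption (step 3). Case-insensitive; \s+ tolerates extra spacing.
var cmdRules = []struct {
	Rule string
	Re   *regexp.Regexp
}{
	{"shadow copies deleted (vssadmin)", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`)},
	{"shadow storage shrunk to evict copies", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage`)},
	{"shadow copies deleted (wmic/WMI)", regexp.MustCompile(`(?i)(wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy)`)},
	{"boot recovery disabled (bcdedit)", regexp.MustCompile(`(?i)bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)`)},
	{"backup catalog deleted (wbadmin)", regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)`)},
	{"Defender real-time protection disabled", regexp.MustCompile(`(?i)Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true`)},
}

// Constructed process-creation records in a pipe-delimited layout invented for this demo
// (time|host|user|command line); a real feed would be Sysmon event 1 or Security 4688.
var SampleProcLog = []string{
	`2026-04-20T02:13:07Z|FS01|CORP\svc_backup|vssadmin.exe delete shadows /all /quiet`,
	`2026-04-20T02:13:09Z|FS01|CORP\svc_backup|wmic.exe shadowcopy delete`,
	`2026-04-20T02:13:11Z|FS01|CORP\svc_backup|bcdedit.exe /set {default} recoveryenabled no`,
	`2026-04-20T02:13:12Z|FS01|CORP\svc_backup|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures`,
	`2026-04-20T02:14:01Z|WS17|CORP\jdoe|vssadmin.exe list shadows`,
	`2026-04-20T02:14:30Z|FS01|CORP\svc_backup|powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"`,
}

// Constructed file-rename records (time|host|old path|new path), same caveat.
var SampleRenameLog = []string{
	`2026-04-20T02:15:00Z|FS01|C:\Shares\Finance\q1.xlsx|C:\Shares\Finance\q1.xlsx.locked9x`,
	`2026-04-20T02:15:00Z|FS01|C:\Shares\Finance\q2.xlsx|C:\Shares\Finance\q2.xlsx.locked9x`,
	`2026-04-20T02:15:01Z|FS01|C:\Shares\HR\payroll.docx|C:\Shares\HR\payroll.docx.locked9x`,
	`2026-04-20T02:15:02Z|WS17|C:\Users\jdoe\draft.docx|C:\Users\jdoe\draft_v2.docx`,
	`2026-04-20T02:15:03Z|WS17|C:\Users\jdoe\notes.txt|C:\Users\jdoe\notes.md`,
}

// DetectCommands returns one alert per command line that matches a rule.
func DetectCommands(lines []string) []Alert {
	var out []Alert
	for _, l := range lines {
		f := strings.SplitN(l, "|", 4)
		if len(f) != 4 {
			continue
		}
		host, cmd := f[1], f[3]
		for _, r := range cmdRules {
			if r.Re.MatchString(cmd) {
				out = append(out, Alert{host, r.Rule, cmd})
			}
		}
	}
	return out
}

// DetectRenameBurst flags the encryption phase itself (step 5): at least threshold files on
// one host renamed to the same new extension. A production rule would also bound the time
// window and allow-list known-good extensions.
func DetectRenameBurst(lines []string, threshold int) []Alert {
	ext := func(p string) string { return strings.ToLower(path.Ext(strings.ReplaceAll(p, "\\", "/"))) }
	counts := map[string]map[string]int{} // host -> new extension -> number of files
	for _, l := range lines {
		f := strings.Split(l, "|")
		if len(f) != 4 || ext(f[3]) == "" || ext(f[2]) == ext(f[3]) {
			continue
		}
		if counts[f[1]] == nil {
			counts[f[1]] = map[string]int{}
		}
		counts[f[1]][ext(f[3])]++
	}
	var out []Alert
	for host, byExt := range counts {
		for e, n := range byExt {
			if n >= threshold {
				out = append(out, Alert{host, "mass rename to new extension", fmt.Sprintf("%d files renamed to %s", n, e)})
			}
		}
	}
	return out
}

func main() {
	for _, a := range append(DetectCommands(SampleProcLog), DetectRenameBurst(SampleRenameLog, 3)...) {
		fmt.Printf("%-5s %-42s %s\n", a.Host, a.Rule, a.Evidence)
	}
}
```

Note what does not fire: "vssadmin list shadows" on WS17 is a normal administrative query, and a user renaming draft.docx to draft_v2.docx keeps its extension. The value of the command rules is that they trigger minutes before encryption, when isolating the host still saves the data.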

What are the most notable ransomware attacks?

Several historical incidents shaped how the security industry — and how regulators — think about ransomware:

  • WannaCry (May 2017): A worm-style ransomware that exploited the EternalBlue SMB vulnerability, infecting an estimated 200,000+ machines across 150 countries. It caused major disruption to the U.K.'s National Health Service. The attack accelerated industry adoption of automatic patching and was attributed by the U.S. and U.K. governments to a North Korean state actor.

  • NotPetya (June 2017): Disguised as ransomware but actually a wiper that destroyed data permanently. Initially spread through compromised Ukrainian accounting software, it quickly went global and caused billions in damage to multinationals like Maersk and Merck. The U.S. government attributed NotPetya to Russian military intelligence.

  • Colonial Pipeline (May 2021): A DarkSide ransomware affiliate compromised Colonial Pipeline using a leaked password for a legacy VPN account. The company shut down the largest U.S. refined-oil pipeline for several days, triggering fuel shortages on the East Coast. Colonial paid roughly $4.4 million in cryptocurrency, of which the FBI later recovered a portion. The incident reshaped U.S. critical-infrastructure cybersecurity policy.

  • Kaseya VSA Supply-Chain Attack (July 2021): REvil affiliates exploited a vulnerability in Kaseya's IT-management software to push ransomware to roughly 1,500 downstream small businesses through their managed service providers, demonstrating how a single supply-chain compromise can scale.

  • Change Healthcare (February 2024): A BlackCat/ALPHV ransomware attack disrupted U.S. healthcare claims processing for weeks, affecting pharmacies and providers across the country. Parent company UnitedHealth disclosed the incident in regulatory filings; the breach exposed personal and medical data on what U.S. officials described as a substantial portion of the American population.

  • Ongoing 2024-2025 LockBit operations: Despite the international "Operation Cronos" takedown in early 2024, LockBit and rebrands have continued attacks. The FBI and U.K. National Crime Agency continue to publish updates and seized leak-site data.

Who is the typical ransomware target in 2026?

The romantic image of a "shadowy hacker targeting one corporate giant" is misleading. Modern ransomware operates at industrial scale, and consumer-facing risk is real but indirect — most consumers are affected when an organization holding their data gets hit. Common 2026 target categories:

  • Hospitals and healthcare networks — high pressure to restore service quickly creates strong payment incentive
  • K-12 school districts and universities — limited cybersecurity budgets, high data sensitivity
  • Local and state government — public-safety pressure, dated infrastructure
  • Small and mid-sized professional services — law firms, accounting practices, real estate agencies
  • Manufacturing — operational downtime is extremely costly
  • Managed service providers (MSPs) — single compromise unlocks many downstream victims

Individual consumers do still face ransomware, often through cracked software, fake game installers, or compromised home networks. The volume is lower than corporate attacks, but the personal cost — losing decades of family photos and tax records — can be devastating.

How can you protect against ransomware?

Defense in depth is the only consistently effective approach. The layers below are drawn from CISA's #StopRansomware Guide. The antivirus layer is the one AV-Comparatives' Anti-Ransomware test measures directly; no lab test covers the whole stack, and it is the combination that keeps a single bypass from becoming a disaster:

Layer | Action | Why it works
Backups (most important) | 3-2-1 rule: 3 copies, on 2 different media, 1 off-site, plus at least one copy that is offline or immutable | If files are encrypted, you simply restore; no payment needed
OS patching | Enable automatic updates on Windows, macOS, iOS, Android, and your router firmware | Closes the vulnerabilities used for initial access
Antivirus | Run a real-time antivirus rated at the top by AV-TEST or AV-Comparatives, with ransomware-specific behavior detection | Modern engines stop encryption-style behavior before damage spreads
Email | Treat unsolicited attachments and login links as guilty until proven innocent | Phishing remains a leading initial-access vector
Identity | Phishing-resistant MFA (passkeys or hardware keys) on email, banking, and cloud storage | Stolen passwords power most modern intrusions
Macros | Keep Office's default block on macros in files from the internet; enable macros only for explicitly trusted sources | Macro-laden documents are a common malware delivery method
RDP / remote access | Don't expose Remote Desktop directly to the internet; require VPN + MFA | Internet-exposed RDP is a top corporate ransomware vector
Network segmentation | Separate guest Wi-Fi from the main network; isolate IoT devices | Limits lateral movement if one device is compromised
Software hygiene | Avoid cracked software and unofficial app stores | Pirated installers are a major delivery channel
Test your backups | Periodically restore a test file to confirm backups actually work | Untested backups have a way of being silently broken when needed

A backup is only useful if it is isolated from the live system. Ransomware operators specifically hunt for connected backup drives and cloud-sync folders — anything that's mounted is at risk. Use external drives that are physically disconnected after each backup, or cloud services with versioning and immutable retention policies.
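The "test your backups" row and the isolation point can be turned into a routine check rather than an occasional spot restore. The following added Go example (written for this page, not taken from CISA's guide or any backup product) builds a SHA-256 manifest of the live data at backup time and compares a test restore against it, reporting files that are missing, altered (an encrypted copy hashes differently), or unexpected (such as a dropped ransom note). The directory tree, file names and contents are constructed inline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a path relative to the backup root to the SHA-256 of its contents.
type Manifest map[string]string

// Problem is one restore-test finding.
type Problem struct{ Path, Issue string }

func hashFile(p string) (string, error) {
	f, err := os.Open(p)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// BuildManifest walks root at backup time and records every regular file's hash. Keep a
// copy of the manifest somewhere the backup host cannot write, so an intruder who
// tampers with the backup cannot also rewrite the record used to check it.
func BuildManifest(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum, err := hashFile(p)
		if err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = sum
		return nil
	})
	return m, err
}

// VerifyRestore is the periodic restore test: restore the backup into a scratch directory,
// then compare it with the manifest. Missing files, altered files and unexpected extras
// are all reported; an empty result means the backup is usable.
func VerifyRestore(restoredRoot string, want Manifest) ([]Problem, error) {
	got, err := BuildManifest(restoredRoot)
	if err != nil {
		return nil, err
	}
	var out []Problem
	for p, sum := range want {
		switch g, ok := got[p]; {
		case !ok:
			out = append(out, Problem{p, "missing from restore"})
		case g != sum:
			out = append(out, Problem{p, "contents differ from manifest"})
		}
	}
	for p := range got {
		if _, ok := want[p]; !ok {
			out = append(out, Problem{p, "not in manifest (unexpected file)"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// writeTree lays down a constructed sample directory (names and contents invented for the demo).
func writeTree(root string, files map[string]string) error {
	for name, body := range files {
		p := filepath.Join(root, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	live, _ := os.MkdirTemp("", "live")
	restored, _ := os.MkdirTemp("", "restore")
	defer os.RemoveAll(live)
	defer os.RemoveAll(restored)
	files := map[string]string{"docs/taxes-2025.pdf": "constructed pdf bytes", "photos/2019/beach.jpg": "constructed jpeg bytes"}
	writeTree(live, files)
	manifest, _ := BuildManifest(live)
	// Simulate a restore in which one file came back encrypted and a ransom note appeared.
	files["docs/taxes-2025.pdf"] = "ciphertext"
	files["docs/README_RESTORE.txt"] = "constructed ransom note"
	writeTree(restored, files)
	problems, _ := VerifyRestore(restored, manifest)
	for _, p := range problems {
		fmt.Printf("%-26s %s\n", p.Path, p.Issue)
	}
}
```

Run the manifest step as part of every backup job and the verify step on a schedule against a restore into scratch space, never against the live data. A manifest that the backup host can overwrite proves little, since an attacker with a foothold there can regenerate it after encrypting the copy.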

What should you do if you're hit by ransomware?

Move quickly but deliberately:

  1. Disconnect affected devices from the network — pull Wi-Fi, unplug Ethernet — to stop lateral spread.
  2. Do not pay yet. Pause and consult resources before any payment decision.
  3. Take photographs of the ransom note and any visible attacker communication. Note the strain name, file extensions, and any contact addresses.
  4. Check No More Ransom and the CISA #StopRansomware site for known free decryptors. Some families have been broken; others have not.
  5. Report to law enforcement. In the U.S., file with IC3.gov (the FBI Internet Crime Complaint Center) and contact your local FBI field office. Reports help track campaigns, may unlock decryption keys seized in takedowns, and create a paper trail for insurance.
  6. Engage a qualified incident-response firm before negotiating. Specialized firms can verify the operator's track record, negotiate demands down, and screen the operator against OFAC's sanctions lists; paying a sanctioned operator can violate U.S. sanctions law, as OFAC's ransomware advisory warns.
  7. Restore from clean backups if available. Validate the restore environment is fully patched and the entry point closed before reconnecting.
  8. Do a thorough post-incident review. Identify the initial access path, close it, and audit privileged accounts. Many victims are re-hit because the original entry point is never fixed.

How is ransomware evolving in 2026?

Several trends are visible across CISA advisories and lab reporting:

  • AI-assisted phishing is making initial-access lures harder to spot — fewer typos, better local-language fluency, more personalized hooks scraped from social media.
  • Targeting cloud and SaaS data is increasing as more organizations move data off endpoints. Attackers now go after Microsoft 365, Google Workspace, and SaaS backup providers directly.
  • Initial-access brokers specialize in selling network footholds to ransomware affiliates — division of labor makes the ecosystem more efficient and harder to disrupt.
  • Law-enforcement disruption is real but limited — Operation Cronos hit LockBit hard in early 2024, but rebrands and new entrants continue to emerge.
  • Cyber insurance market changes are reshaping incentives — insurers increasingly demand MFA, EDR, and tested backups before underwriting, which is quietly raising the security baseline.

The Bottom Line

Ransomware is the cyber threat that combines the highest financial damage with the cleanest defensive playbook. Strong antivirus stops most attempts before encryption begins, offline backups neutralize the rest, and phishing-resistant MFA closes the most common door. None of these defenses is exotic — they're widely available, the testing data is public, and the cost of getting hit without them is multiples higher than the cost of putting them in place.

For our latest, lab-data-driven antivirus picks based on AV-TEST and AV-Comparatives results — without paid placements influencing the order — see Best Antivirus. For broader context on the malware ecosystem ransomware sits inside, read What Is Malware, and for the social-engineering attacks that most often kick off ransomware incidents, read What Is Phishing next.


References: CISA #StopRansomware Guide · FBI IC3 Annual Report · No More Ransom Project · AV-Comparatives Anti-Ransomware Test · AV-TEST Independent Antivirus Lab
