
How Does Ransomware Work – All You Need to Know

The ransomware threat is huge, and it gets bigger every day. Chances are, it has already affected you or someone you know, or will in the near future. Some estimates of the damages exceed one billion dollars, taking into account data loss, service outages, disrupted operations, and recovery.

But how does ransomware work? In this article, we will take a detailed look at how ransomware works, how your data can be corrupted and encrypted by it, and what you can do to decrease this probability as much as possible!

Key Information About Ransomware

  • Ransomware is in the top-five threats in all fields and the second biggest cybersecurity threat in the retail business.
  • The most preferred method of ransom payment is cryptocurrency because it is hard to track.
  • Most antiviruses don’t protect against ransomware. Ransomware is ever-evolving – cybercriminals always find new ways to get into the system and stay undetected.
  • The range of systems and devices ransomware can affect is always growing. A few years ago it was hard to imagine ransomware affecting the cloud, but now it is common.
  • Ransomware is designed primarily for extorting money, but it can also be used for politically motivated attacks. One example is the NotPetya cyberattack against Ukraine in 2017.
  • There is no 100% working method to protect from ransomware, which means you need to combine a set of different protection methods and regularly back up data with proven services.

How Does Ransomware Work: In-depth Look

Let’s take an all-around look at ransomware to understand how it operates and what to expect from it.

Ransomware Definition

Ransomware is a type of malware that encrypts users’ files and makes them inaccessible unless they pay a ransom in a given time. It is created to generate revenue from people who want their data back.

In most cases, ransomware doesn’t harm the device it infects. Its main goal is to encrypt files on it and get money for their decryption, not to actually harm the device or data. Even the type of ransomware that locks the screen leaves the underlying system unharmed. But of course, there still are a lot of exceptions.

Types of Ransomware

There are only three types of ransomware, and each of them works, looks, and infects in a different way. Let’s understand this difference.

Screen lockers


Locker ransomware is created to block users’ access to their devices. Usually, it looks like this: a user tries to turn on his/her computer, but stumbles upon a blocked interface. They can’t interact with a computer in any way: the keyboard, mouse, and screen are locked.

The only thing they can interact with is ransomware. For example, it lets the user type digits in a field for their banking data.

This type of malware usually leaves the underlying system unharmed. The goal is to prevent access to the system and extort money for getting it back.

Now, the popularity of locker ransomware is decreasing because of its inefficiency – tech-savvy users can figure out how to cleanly remove it from the device. That is why hackers use social engineering tricks to pressure victims into paying a ransom.

Encrypting ransomware


This type of ransomware blocks access to the user’s data by encrypting it. The data can be anything: photos, videos, documents, emails, presentations. When a user tries to open an infected file, they see a notice saying that the data is encrypted and that they need to buy a decryption key to access it.

It works: nearly 40% of victims pay the ransom to regain access to their data. The average ransom demand starts from $300 and goes up to hundreds of thousands of dollars depending on the type of victim. SMBs and enterprises are usually asked for larger payments.

The reason behind the effectiveness of ransomware is simple: most people don’t back up their data regularly; some of them don’t back up data at all. Therefore, they will be desperate to get it back and likely to pay the ransom.

This type of ransomware reached its peak popularity in the years 2013-2018. In 2019 the game has changed: general ransomware activity has dropped, but the number of attacks targeting enterprises has increased by 12%. Also, mobile ransomware infections increased by 33%.

How Ransomware Works

Ransomware is malicious code (malware) that is designed to block access to users’ files by encrypting them. To decrypt files and regain access to them, a user needs a decryption key that they can get only by paying a ransom to the hackers.

There are so many types of ransomware that they are usually grouped into “families”. A “family” is a group of different codes that have the same “relative” – the initial code that was later modified.

Each type of ransomware has its own unique features and its own decryption key, and these determine what the ransomware primarily does. Some ransomware types not only encrypt particular files but also affect the whole operating system and the hard drive. But, in most cases, that is just a side effect.

Modern crypto-ransomware typically uses both symmetric and asymmetric encryption techniques. In symmetric encryption, a single key is used to encrypt the data and the same key is used to decrypt the encrypted data. Ransomware that uses symmetric encryption usually generates a key on the infected computer and sends this to the attacker or requests a key from the attacker before encrypting the user’s files.

The main target of ransomware is data, so it can affect any system where data is located:

  • Computer
  • Server
  • Cloud
  • Mobile

How ransomware spreads

Ransomware has many ways to infect files, which usually depend on the targeted files and the system they are located at.


Phishing is a fraudulent practice that tricks people into opening malicious emails and clicking on fake links that infect your computer with ransomware. It can use many ways to reach its target: emails, SMS, calls. The main point of phishing is to make the message look trustworthy and convince a user to take the required action.

There are two ways phishing scams operate:

  • The email/SMS contains a link leading to a scam website. That website requires entering some user credentials, which are used by a hacker to enter the computer (or another system) and encrypt files.
  • The email contains an attachment with ransomware in it. When a user downloads the attachment, the virus spreads on the device and infects files with ransomware.

Exploits in systems and networks

Some sophisticated types of ransomware don’t need to trick users into taking an action to infect the system. Instead, they exploit vulnerabilities (weak spots in the system) to infect it “from the inside”.

This is precisely what happened in 2017 when the WannaCry ransomware attack hit the world using an exploit in the Microsoft Windows operating system. Even though Microsoft had released patches shortly before to close the security loopholes, not all users had installed them. In the end, the attack affected 200 000 computers across the world and caused hundreds of millions of dollars in damage.


Another way to “catch” ransomware is to add or download a fake application. Fraudulent apps are becoming one of the most notorious threats since the popularity of different applications is on the rise. Hundreds of them are added in the Play Market every single day, so it is very hard to identify the validity of an application. Only special services can monitor apps and identify whether they are trustworthy or not.


How does Google apps ransomware work? Through permissions. The download itself won’t infect your device or cloud. But if you grant the permissions that the application requests, it will infect the files in the specified location. For example, a fake photo-editing application will ask for access to a photo gallery and will then encrypt it.

USB and other physical carriers

In the past, the most popular method was infecting devices through physical carriers. For example, you insert an infected USB drive into the computer, and it spreads the virus across the device.

Read our comprehensive article How Do You Get Ransomware: 5 Main Sources to be prepared for all possible attack vectors.

Who is the target of ransomware?

Literally, any individual or organization that has important data they rely on is a potential target for ransomware. Over the decades, hackers acted on the principle “the wider the impact, the more chances to get paid”. Even if three hundred users out of 10 000 pay a ransom, the game is worth the candle.

But recently, more and more personalized attacks have been appearing every month. They target a particular organization (or organizations) and its vulnerabilities directly. Those attacks are more sophisticated and dangerous; therefore, they are harder to remove, and the ransom payments are usually enormously high.

Let’s take a closer look at all possible ransomware targets.

Regular users

This group of users may be the easiest to prey on since they are the least technically aware. As such, they mostly don’t know how ransomware works and tend to panic more when they encounter it. That panic, driven by a feeling of technical helplessness, pressures them to pay the ransom to get their files back.

Also, home users do not tend to back up their data, which they store mostly on their devices: family pictures, agreements, resumes, projects, etc. Some of them don’t have a backup at all; others back up data infrequently, like once a month or even less often.

In fact, only 25% of home users have automatic weekly backups. This leaves them highly exposed to attacks and desperate to get their data back in case of infection.


Data is the lifeblood of business. And when this source is cut, all business processes stop dead. Information about customers, valuable emails, documents, and presentations – encryption of all those will cause critical damage to the work process and lead to money losses.

This makes them an attractive target for hackers. Since the stakes are higher for businesses than for individuals, they are more likely to pay the ransom and even are willing to pay more. Also, though a lot of companies have backup and disaster recovery plans, there is always a chance those haven’t been tested and do not work properly. And this is precisely what makes hackers’ plan work.

Public organizations

Education, government, healthcare, finance, law enforcement – the occurrence of ransomware in these sectors has quadrupled in the past few years. Hackers leave police departments without data that has been gathered for years. Hospitals lose access to all patients’ records so they can’t treat them. Districts can be left without electricity for days.

The data in these sectors is time-sensitive and crucial, and this sense of urgency makes ransom demands skyrocket.

Ransomware examples

There are thousands of different ransomware families, all of which pursue one goal but with different methods. Here we will mention the most dangerous and/or widespread ransomware families.


Sodinokibi ransomware example

Sodinokibi is a Ransomware-as-a-Service that appeared in April 2019 under the parenting of the GandCrab founders and has since become the 4th most distributed ransomware in the world. Its high level of evasiveness and constant upgrades have made this ransomware known as highly dangerous for organizations. But countries that were a part of the former USSR can stay calm – the group behind Sodinokibi avoids infecting systems from these regions.


WannaCry ransomware example

This ransomware first appeared in May 2017 and has left a major mark on the history of cyberattacks. WannaCry brought down more than 200 000 systems across 150 countries, causing financial losses of more than $4 billion. This, for sure, makes it one of the most notorious ransomware examples in history. Some countries like the USA, the United Kingdom, and Australia insisted that North Korea was behind the attack.


Ryuk ransomware example

The family that produced this virus started out in 2018 and has since earned around $3.7 million in only 52 payments. It targets big organizations and other high-value figures, using military-grade encryption algorithms that are extremely hard to break.

When infiltrating the system, Ryuk converts non-executable files to the .ryk file extension. Then it drops a notification with ransom demands and guidelines in the folders that have been processed and names it RyukReadMe (.html or .txt). The ransom demand is insane: from 15 to 50 Bitcoins.
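
A defender-side check for the file-naming pattern described above, as an added example that is not part of the original article: it walks a directory tree and reports the folders that contain .ryk files or RyukReadMe notes. The function names, the case-insensitive matching, and the sample tree (empty files in a temporary directory) are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the paragraph above: the .ryk extension and
# notes named RyukReadMe with an .html or .txt extension.
# Matching case-insensitively is an assumption made for this example.
ENCRYPTED_SUFFIX = ".ryk"
NOTE_NAMES = {"ryukreadme.html", "ryukreadme.txt"}


def scan_for_ryuk_indicators(root):
    """Walk `root` and return {relative folder: findings} for folders with hits."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames
                           if f.lower().endswith(ENCRYPTED_SUFFIX))
        notes = sorted(f for f in filenames if f.lower() in NOTE_NAMES)
        if encrypted or notes:
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": encrypted,
                "notes": notes,
                # Files in the folder that match neither indicator.
                "intact": len(filenames) - len(encrypted) - len(notes),
                # A note next to renamed files marks a processed folder.
                "processed": bool(encrypted and notes),
            }
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    layout = {
        "finance": ["q1.xlsx.ryk", "q2.xlsx.ryk", "RyukReadMe.txt"],
        "hr": ["contracts.docx.RYK", "RyukReadMe.html", "tool.exe"],
        "public": ["logo.png", "readme.txt"],   # clean folder
        "tmp": ["notes.ryk.bak"],               # .ryk is not the final suffix
    }
    for folder, names in layout.items():
        (Path(root) / folder).mkdir(parents=True)
        for name in names:
            (Path(root) / folder / name).touch()


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_for_ryuk_indicators(root)


if __name__ == "__main__":
    for folder, findings in sorted(demo().items()):
        print(folder, findings)
```

The list of processed folders gives a first estimate of how far the encryption reached and which folders need to be restored from backup.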

Petya and NotPetya


This is one of the most dangerous ransomware families, and it can destroy the whole Microsoft operating system.

The Petya cyber attack happened in 2017 and was mostly targeted against Ukraine, but later spread as ordinary ransomware. The overall damage Petya and NotPetya have caused is estimated at more than $10 billion, which makes it, probably, the most destructive attack in history. And while the Petya malware is shaped only to make a few Bitcoins, NotPetya evolved into a full-scale political cyberattack.

Should you pay a ransom?

You turn on your computer and find out that your files have been encrypted. You have 3-5-7 days to pay a ransom in bitcoins; otherwise, hackers will destroy your files. You are not tech-savvy yourself, and you don’t have such people to help you.

So, what to do?

Raj Samani, a McAfee fellow and chief scientist, says “Oh, it’s really simple – don’t pay”. But of course, when it’s not your data at stake, it’s easy to give such advice.

There are two opposite positions on this. The first one suggests that you should pay because, for some individuals, there is no other way around: you pay or you lose data. And sometimes, like in healthcare industry cases, this data can literally mean someone’s life.

But still, the balance tips toward the second position, which holds that paying a ransom is a bad idea.

Many reasons support this idea:

  1. You have no guarantee that hackers will bother to send you a decryption key after the ransom is paid. Also, even if they send a key, it may not fit the particular type of ransomware you have. In fact, there is a high chance that the key for your type of ransomware doesn’t even exist.
  2. There were a number of cases when a victim paid the ransom, got partial data recovery and then was asked for more money to recover the rest.
  3. Hackers usually have a special list where they put people who are willing to pay a ransom. It means that victims who paid a ransom have much higher chances to get retargeted.
  4. In some cases, there is a chance to get your data back without paying a ransom. For example, projects like NoMoreRansom maintain a repository of decryption keys for some ransomware types. The repository is continually replenished with decryption keys for new ransomware strains. If you were hit by one of those strains, you can get your files back for free.
  5. Paying the ransom encourages hackers to keep doing their thing and “feeds” the industry in general. Basically, it is the reason behind the ransomware boom of recent years. Paying only makes this circle more vicious.

How to prevent ransomware

Even though you can’t avoid ransomware in 100% of cases, you can drastically decrease the chances to get infected by following some simple rules.

Find a more detailed guide on ransomware protection in our article How to Protect Against Ransomware.

For those who need a shortcut in the form of short recommendations, here are six simple rules to follow:

  1. Keep all your systems up-to-date. Install newly released patches for your operating system; don’t use old versions of operating systems because their security is outdated, which makes them the most vulnerable to malware attacks.
  2. Never rush to click on anything that looks even slightly suspicious. Don’t provide your passwords to unreliable sites.
  3. Take some security awareness courses for beginners. Check out our article with 7 best cyber security courses online for beginners, some of which are free. It will guide you through the existing threats and educate you on what to do in case of an attack. Or you can subscribe to our mailing list and read our articles on cybersecurity.
  4. Use antivirus. Yes, ransomware can seep into the system bypassing the antivirus, but it still raises your chances to be protected.
  5. Use ransomware prevention services. SpinOne uses machine learning algorithms to detect and block the attack.
  6. Back up your data. Because even following all the rules above steadily can’t guarantee you won’t lose data.


Sergiy Balynsky, VP of Engineering
About Author

Sergiy Balynsky is the VP of Engineering at Spin.AI, responsible for guiding the company's technological vision and overseeing engineering teams.

He played a key role in launching a modern, scalable platform that has become the market leader, serving millions of users.

Before joining Spin.AI, Sergiy contributed to AI/ML projects, fintech startups, and banking domains, where he successfully managed teams of over 100 engineers and analysts. With 15 years of experience in building world-class engineering teams and developing innovative cloud products, Sergiy holds a Master's degree in Computer Science.

His primary focus lies in team management, cybersecurity, AI/ML, and the development and scaling of innovative cloud products.

Frequently Asked Questions

How do ransomware attacks occur?

Ransomware attacks occur mostly because people fall for the social engineering techniques of cyber criminals. They either download malicious code onto their PC or provide the credentials to their cloud accounts.

Does ransomware steal data or just encrypt it?

Ransomware can do both depending on its strain. Data theft is a technique to ensure the victim will pay in fear of data exposure.

What happens if you don't pay for ransomware?

You will most likely not get your files back and will have to wipe your data and start from scratch. Hackers can also leak or sell your data on the Dark Web.