Ransomware is a form of malicious software that encrypts the files on your device — every document, every photo, every video, every spreadsheet — and then demands a payment, typically in cryptocurrency, for the decryption key that will restore them. Without that key, your files are permanently unreadable. With it, there is still no guarantee they will be restored. Ransomware attacks have shut down NHS trusts, crippled schools, paralysed council services, and caused irreparable damage to businesses of every size. They also happen to individual people with devastating frequency.
Understanding ransomware is not just relevant to businesses or IT professionals. If you have a computer with files you care about — family photographs, financial records, work documents, creative projects — ransomware is a direct threat to you.
How ransomware works
When ransomware executes on a device, it typically begins by connecting to a remote server operated by the attackers to receive an encryption key unique to your infection. It then begins systematically encrypting every file it can access — starting with personal documents, images, and databases, then spreading to network shares and any connected drives. Modern ransomware can encrypt hundreds of thousands of files in minutes.
The encryption used is typically the same standard as legitimate encryption software — AES-256 or RSA — which means there is no practical way to decrypt the files without the key. Once encryption is complete, the ransomware displays a ransom note explaining what has happened, how much to pay, and how to pay it. The demand is typically between a few hundred and several thousand pounds for individual victims, and can run to millions for businesses.
Some modern ransomware also exfiltrates data before encrypting it — meaning the attackers steal your files and threaten to publish them publicly if you do not pay, in addition to encrypting them. This “double extortion” technique removes the option of simply restoring from backup without worrying about the ransom.
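The encryption step described above leaves a measurable trace: AES or RSA ciphertext is statistically indistinguishable from random bytes, so a sudden burst of files being rewritten with near-maximum entropy is one of the signals endpoint defences use to catch ransomware mid-run. The Python below is an added example, not code from this article; it scores a constructed list of file-write events this way, and the entropy threshold, burst size and window are assumed values rather than tuned ones.

```python
import math
import random
from collections import Counter

# Shannon entropy in bits per byte: 0.0 for a constant file, near 8.0 for
# AES/RSA ciphertext or anything else indistinguishable from random bytes.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

HIGH_ENTROPY = 7.5   # assumed threshold: plain documents sit far below this
BURST_COUNT = 5      # this many encrypted-looking writes ...
BURST_WINDOW = 10.0  # ... within this many seconds raises an alert

def detect_encryption_bursts(events) -> list:
    """events: iterable of (timestamp_seconds, path, bytes_written).
    Returns the timestamps at which a burst of high-entropy writes was seen."""
    alerts, recent = [], []
    for ts, _path, content in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(content) < HIGH_ENTROPY:
            continue                      # ordinary save, ignore
        recent = [t for t in recent if ts - t <= BURST_WINDOW] + [ts]
        if len(recent) >= BURST_COUNT:
            alerts.append(ts)
            recent = []                   # start counting a fresh burst
    return alerts

def sample_events() -> list:
    """Constructed sample: two normal document saves, then eight files
    rewritten in quick succession with content that looks like ciphertext."""
    rng = random.Random(1)                # seeded stand-in for ciphertext
    plain = b"Quarterly budget notes. Rent 950, groceries 310, travel 120.\n" * 40
    events = [(0.0, "notes.txt", plain), (3.0, "letter.docx", plain)]
    for i in range(8):
        noise = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((60.0 + i * 0.2, f"photo{i}.jpg.locked", noise))
    return events

if __name__ == "__main__":
    for ts in detect_encryption_bursts(sample_events()):
        print(f"ALERT at t={ts:.1f}s: burst of encrypted-looking file writes")
```

Real products combine this with canary files and process lineage, because compressed media such as JPEGs or ZIP archives can also score high on entropy alone.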
How ransomware gets onto devices
Phishing emails with malicious attachments remain the most common delivery method. An email arrives with a Word document, PDF, ZIP file, or executable attached. When you open it, the malware installs. The email may appear to be from a courier company about a delivery, an invoice from a supplier, a tax document from HMRC, or any number of convincing pretexts.
Malicious links in emails or messages direct you to a website that exploits a vulnerability in your browser or a plugin to install malware without any file download required. This is known as a drive-by download attack.
Exploiting vulnerabilities in unpatched software allows ransomware to spread without any user interaction at all. The notorious WannaCry ransomware attack in 2017 — which affected the NHS and dozens of other organisations worldwide — spread entirely by exploiting a vulnerability in Windows that Microsoft had patched two months earlier. Every organisation that had applied that patch was immune. Every one that had not was potentially vulnerable.
Remote Desktop Protocol (RDP) attacks target computers with RDP enabled and accessible from the internet. Attackers use automated tools to discover and brute-force the login credentials, then connect directly to the machine and install ransomware manually.
Should you pay the ransom?
The short answer from law enforcement agencies including the National Crime Agency, FBI, Europol, and NCSC is a consistent no. There are several reasons. Paying directly funds criminal organisations and enables them to conduct more attacks. It marks you as a target willing to pay, making you more likely to be attacked again. There is no guarantee you will receive a working decryption key — some ransomware groups take payment and disappear. And in some cases, ransomware decryption tools provided after payment are buggy and fail to restore all files.
The only reliable defence against ransomware is a backup that exists completely independently of your main device — one that ransomware cannot reach and encrypt along with everything else.
The 3-2-1 backup rule: your complete protection
Security professionals recommend the 3-2-1 backup rule: maintain three copies of your important data, on two different types of storage media, with one copy in a different location from the others (offsite or cloud).
In practice for a home user: your files on your main computer (copy 1), a copy on an external hard drive that you keep at home (copy 2), and a copy in cloud storage (copy 3 — offsite). If ransomware encrypts your computer, your external hard drive that was connected at the time might also be encrypted — but your cloud backup is unaffected. Restore from cloud. Done.
For cloud backup, iCloud works for Mac and iPhone, Google One for Android and Windows, and OneDrive for Windows. For unlimited comprehensive backup of a full computer, Backblaze is a highly regarded option at around £7 per month. For the external drive, simply enable Windows Backup or Mac Time Machine and connect the drive periodically.
Other essential protections
- Keep Windows, macOS, and all applications updated — apply updates promptly and enable automatic updates
- Never open unexpected email attachments, even from people you know — verify with them first by another channel
- Use reputable security software with real-time protection enabled
- Disable Remote Desktop Protocol if you do not need it; if you do, restrict it to specific IP addresses and use strong credentials
- Back up your data regularly and test that your backups can actually be restored
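The 3-2-1 rule above and the last bullet both rest on the backup copy being intact when you come to restore it. The Python below is an added example, not code from this article: it performs the external-drive copy and writes a SHA-256 manifest beside the copies, so the backup can be checked on its own later without the original machine. The directory names and file contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # whole-file read is fine for a demo

def backup(src: Path, dst: Path) -> dict:
    """Copy every file under src into dst; write MANIFEST.sha256 beside the copies."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in src.rglob("*"):
        if path.is_file():
            rel = path.relative_to(src)
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dst / rel)
            manifest[rel.as_posix()] = sha256_of(path)   # hash of the original
    (dst / "MANIFEST.sha256").write_text(
        "".join(f"{h}  {p}\n" for p, h in sorted(manifest.items())))
    return manifest

def verify_backup(dst: Path) -> list:
    """Re-hash every file in the manifest; return paths that are missing or changed.
    An empty list means every copy still matches what was backed up."""
    problems = []
    for line in (dst / "MANIFEST.sha256").read_text().splitlines():
        expected, rel = line.split("  ", 1)
        copy = dst / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            problems.append(rel)
    return problems

def demo() -> tuple:
    """Constructed run: back up two files, verify, damage one copy, verify again."""
    work = Path(tempfile.mkdtemp())
    src, drive = work / "documents", work / "external_drive"
    (src / "photos").mkdir(parents=True)
    (src / "budget.xlsx").write_bytes(b"constructed spreadsheet bytes\n" * 100)
    (src / "photos" / "holiday.jpg").write_bytes(bytes(range(256)) * 8)
    backup(src, drive)
    clean = verify_backup(drive)                        # expect no problems
    (drive / "budget.xlsx").write_bytes(b"damaged")     # stand-in for a bad copy
    damaged = verify_backup(drive)                      # expect ["budget.xlsx"]
    shutil.rmtree(work)
    return clean, damaged

if __name__ == "__main__":
    print(demo())
```

Running the verify step against the drive you keep at home, and against a download of your cloud copy, is the "test that your backups can actually be restored" step in practice.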