best ransomware protection

Ransomware Attacks: How They Work and How To Prevent Them

Last updated on January 12, 2021

Have you ever accidentally saved over an important document? Had your phone stolen, along with all your contacts? Lost access to an important resource?

Now imagine waking up to find that your laptop, every critical document you need, perhaps every stored photo with sentimental value, had been stolen from right under your nose and locked in a vault you can’t access… and you’ll have to pay a ransom to have a chance of getting it back. That’s what happens when you’re hit with file-encrypting malware.

What is Ransomware?

Ransomware is a pernicious form of malware that encrypts your files and folders, then demands a “ransom” in return for a decryption key. Typically, the victim will be asked to pay, in cryptocurrency, anything from hundreds to thousands of dollars.

Often the ransomware will be sent to the victim as an email attachment or download link. Sometimes it’s sophisticated enough to exploit security vulnerabilities and infect your computer on its own. Usually, though, you’re tricked into installing the program and giving it administrator access, either because you think it’s harmless/legitimate or it seems to have been sent by someone you know.

While there’s been one successful (if short-lived) case of ransomware designed for Mac, ransomware is typically only a problem for Windows users. Malicious apps are also used to install ransomware on mobile devices.

How a Ransomware Attack Works

Imagine you get an urgent email from someone saying they’re from the company that does your workplace’s accounting. They need you to sign an expense form so they can process a payment but using their in-house program, attached to the email.

You follow their instructions, clicking “yes” on all the standard pop-up boxes asking if this program can make changes to your computer. Except this is malware, sent by a cybercriminal, and you just gave the program the administrator permissions it needs to take over your computer and encrypt your files. Now you have to decide whether to follow the instructions on the screen and transfer a Bitcoin payment in order to get the decryption code.

Or another common scenario; one that affected millions of people worldwide. You click on an ad on a porn site, which opens an automatic download link for malware, including the Angler Exploit Kit (AEK). This bypasses your permissions by exploiting a security vulnerability and installs a screen-lock, so you can’t access anything else on your computer. A message flashes up, claiming to be US law enforcement, saying you just tried to access illegal content and must pay a fine. If you don’t, not only will your laptop stay locked, you may also be arrested.

This kind of ransomware terrifies people into complying. Even if they realize it’s not really from law enforcement (either at the time or after they’ve paid), the fact that it came from a porn site means most people will be too embarrassed to raise a complaint.

How to Prevent Ransomware Infection

There are a number of simple privacy and security-boosting steps you can take to reduce your risk of inadvertently downloading ransomware.

To start with, backup all your files to an external hard drive or cloud storage that is kept separate from your device. Never download an attachment or click on a link in an email from a source you don’t recognize, even if they say they’re from your organization. Consider encrypting your emails altogether, as if a cybercriminal intercepts or hacks them, this could be used to disseminate ransomware in your name. For the same reason, use password encryption and management tools and connect to public WiFi using a VPN.

These steps won’t detect or block ransomware, though – they just make it less likely you’ll be targeted in the first place. The only reliable way to keep ransomware at bay is to invest in top-of-the-range antivirus software that protects you against advanced malware attacks – including, of course, ransomware.

Once installed on all your devices, this software should scan your internet connection, apps and downloaded programs continually, identifying viruses, spyware, trojans and other vulnerabilities by cross-referencing them against known lists of malware. It also needs to be powerful enough to identify “zero-day” threats, typically by building on machine learning algorithms to predict that an unrecognized program or link is dangerous. Since the most successful ransom attacks are those that are developed for a particular target, or have just been created, this zero-day threat feature is absolutely vital.

It’s important to note that this functionality does not come as standard, even among top-rated antivirus providers. When choosing your antivirus software, you must look out for those that specifically list anti-exploit technology and/or ransomware protection as key features. Focus on those that perform well in independent testing for zero-day threats, too. Below are two excellent examples.


Bitdefender is an all-around excellent antivirus software that is incredibly reliable when it comes to detecting viruses, filtering out malicious URLs, flagging phishing attempts, and protecting your privacy when you’re banking or shopping online – and it comes with a built-in password manager. All of this helps keep you safe, but where Bitdefender really shines is in its multi-layer ransomware protection.

Even if a completely new ransomware program slips through initial detection, the software will block any unauthorized program from creating, modifying or deleting files in protected folders, which includes your Desktop, Documents, Pictures, and so on, as well as file-synching platforms like Dropbox and Google Drive. You can also scan all your devices for threats simultaneously, using the Bitdefender Central app on mobile devices.

Visit Bitdefender


Kaspersky is another highly-rated antivirus software that performs consistently well in independent testing, including for zero-day threats. Most antivirus software scouts for ransomware by creating a “bait” file and seeing if the downloaded program bites, which is far from foolproof. Instead, Kaspersky (even the free version) uses behavior-based detection to track how the downloaded file tries to interact with other documents on your device. If anything raises the alarm, the program is quarantined.

While this will be adequate for most home users, Kaspersky also offers an excellent anti-ransomware tool for business. This needs to be purchased separately from your main internet security suite but is well worth it. The tool monitors the whole network continuously, looking out for suspicious activity.

Visit Kaspersky

Weighing the Price of the Ransom

Once the ransomware has successfully encrypted your files, there is no way to unencrypt them unless you get the code. Occasionally, a decryptor may become available for a particular type of malware, but generally, there’s no way to get around this without the cybercriminal giving you the code. Generally speaking, this means that, if you want your files back, your only option is to pay the ransom and hope they do as promised.

If the files aren’t worth all that much to you, it should be an easy decision not to pay this extortion money. If it’s an old laptop, perhaps you’re willing to discard and replace it, too. (Although, it is possible to remove the ransomware itself, as long as you accept the loss of the files). However, if you cannot do your job without those files, if losing this information will damage your business, or if irreplaceable personal documents have been encrypted, this will be a much harder call. Remember, though, that there’s no guarantee that you really will get the code.

How to Remove Ransomware

The good news is that you can remove the malware itself from a Windows operating system in just 5 steps:

  1. Reboot to Safe Mode
  2. Install some form of antivirus software that, as explained above, is effective on sophisticated malware, including ransomware
  3. Run a system scan to locate any malware
  4. Follow the instructions to remove the ransomware program once caught
  5. Restore your computer to a previous state

Unfortunately, if your files have been encrypted, they will stay locked. Removing the malware means you’re giving up on ever getting the decryption key, so while you’ll get your device back, your files are lost.

Ransomware Attacks on Businesses

Unsurprisingly, companies are prime targets for ransomware attacks. They’re more likely to have valuable documents stored on the device or network. The business disruption caused by the attack may be losing them money by the minute, or sending waves of panic through their customer base.

All-in-all, the financial hit from not paying the ransom is likely to be higher than paying it – and they’ll probably have the money to pay it more readily than an individual, too.

One of the worst ransom attacks in recent years was WannaCry, which has infected over 300,000 computers since 2017. Believed to have been created by government-affiliated North Korean cyber attackers, this ransomware worm exploits an SMB protocol vulnerability in Windows OS. Microsoft had already spotted the problem and released a critical patch update, but not for Windows XP. Many large organizations, including the National Health Service in the UK, were still using XP, so when their system got infected, it burrowed through the network, infecting computers and locking up important patient data. This cost the NHS around $120 million.

The Good News… And the Bad

Okay, now for some more positive news. Overall, infection volumes of ransomware are decreasing. In other words, you are statistically less likely to get hit by ransomware now than you were a few years ago.

However, it’s not time to get the champagne out just yet. Cybercriminals haven’t given up, they’ve just got smarter and more focused about who they attack. Instead of putting a malicious download link in an ad and hoping to get a few hundred dollars from tens of thousands of people, they’re more likely to design really sneaky campaigns for a few hundred high-value targets, with a view to extorting tens of thousands of dollars from each one. That includes people who work in big companies with deep pockets. It’s not just CEOs, either… HR and IT professionals are frequent targets, too.

What’s more, some cybercriminals have moved on to exploiting victims in ways they aren’t even aware of. Take cryptojacking, where the victim is tricked into downloading crypto-mining malware in much the same way as ransomware. Instead of demanding payment, they sneakily continue their mining operations using that person’s hardware and internet connection, draining their memory and slowing their internet. This doesn’t hit you as hard financially in the short term, but it may shorten the lifespan of your device – and besides, it’s just creepy having someone digitally squatting in your computer without you knowing it.

Stay vigilant. Install reliable antivirus software. Be wary of email links and attachments. And bear in mind that every time someone pays the ransom, cybercriminals aren’t just rewarded in the short term, they’re also incentivized to try again.

Ransomware FAQ

Ransomware is a type of malware that encrypts your files or locks your screen completely, preventing you from accessing your documents. Once installed, the malicious software will try to lock files on the system by encrypting them. Since many people are tricked into downloading malware thinking it is something harmless, during installation some types of ransomware will ask permission to make changes to your computer or gain administrator access. This makes it easier for the ransomware to take control of your device. After your files are encrypted, the ransomware will then demand payment (the “ransom”) in return for decrypting these files or unlocking your screen. Sometimes, ransomware attackers pretend to be members of law enforcement to fool the victim into believing that they have to pay a fine for engaging in illegal activity online. This is not always the case, though. Some forms of ransomware simply inform you that your documents have been taken hostage and that you need to make a payment to get them back. Often, payment is demanded in Bitcoin to shield the identity of the recipient. Without a decryption key, it is not usually possible to regain access to encrypted files. However, payment of the ransom does not guarantee that the attackers will honor their side of the bargain and decrypt the files as promised.
You can remove ransomware in much the same way that you remove any other type of malware. However, when most people ask “how do I remove malware?” what they really mean is “how do I reverse the damage done by the malware?” This is much more complicated. Many of the top antivirus and antimalware software packages on the market include tools for locating, quarantining, and removing malicious programs that are already present on your device. There are also a number of specialist tools available, such as the SpyHunter Free Malware Remover, or the TrendMicro Screen Locker removal tool. However, ransomware is unique in that the biggest problem isn’t removing the malware itself, but rather restoring access to the other files and documents on your device. Removing the malware will not unlock these files. When encryption is properly applied, it is mathematically impossible to crack the code. This means that, if the creators of the ransomware really knew what they were doing, you would not be able to regain access to your encrypted files without obtaining the decryption key from them. Removing the malware before you’ve unlocked the files will take away your line of communication with the criminals and makes your device safe to use again, but will not deliver an encryption code. Your existing files will remain inaccessible. That said, the good news is that not all ransomware has been encrypted to the military-grade levels required to make it uncrackable. For example, any ransomware that uses symmetric-key encryption (like Apocalypse) is a lot weaker, meaning it is relatively straightforward for cybersecurity experts to figure out the decryption algorithm by themselves. There have been other cases where the decryption key has been found leaked into samples of the ransomware, or where the author of the ransomware has even decided to release the “master key” themselves, as was the case with the TeslaCrypt strain of ransomware. All of this means that decryption keys, codes, and step-by-step instructions have been made publicly available for many common types of ransomware. For example, AVG has published free ransomware decryption tools for Apocalypse, BadBlock, Bart, Crypt888, Legion, SZFLocker, and TeslaCrypt. Note that, as well as decrypting your files, you must ensure that the ransomware has been completely removed to avoid future, repeat attacks.
There are various routes the ransomware could take to get onto your computer or mobile device. For example, you might be tricked into downloading the ransomware program as an email attachment as part of a phishing scam, having been led to believe it is a legitimate form of software or has been sent to you by a friend or colleague. Or you might download it automatically by clicking a link to a malicious URL. Increasingly, cybercriminals choose specific people within a company to target with ransomware in order to cause the most disruption and expense, thus increasing the likelihood that a high ransom will be paid. High-risk organizations like hospitals are also frequent targets, as being locked out of sensitive files can literally be a case of life or death, piling on the pressure for managers to give in and pay up. In these cases, to increase their chances, cybercriminals may use sophisticated social engineering techniques to trick the recipient into thinking that this is an email from someone they know or work with, and/or to make them believe that they need to download the attachment or click the link as a matter of urgency. Meanwhile, other, more aggressive types of ransomware can infect your device simply by exploiting known security vulnerabilities. For example, in early 2020, the technology company Citrix announced that it had found a vulnerability in computer infrastructure sold to customers, which could give unauthenticated attackers a way to connect to a computer remotely and execute codes. Cybercriminals quickly exploited this to launch ransomware on affected computers. While companies that discover vulnerabilities like these typically release security updates and patches immediately to fix the problem, individual users or large organizations don’t always install these updates quickly enough, leaving them open to attack. It’s important to note that no kind of computer, operating system, or mobile device is immune to ransomware infection. While PCs are most commonly hit, mobile devices are increasingly affected, and at least one strain of ransomware has been used successfully to infect Macs. Ransomware can also spread from your computer to other connected devices, for example, external hard drives.

Article comments