What You Need to Know About Ransomware – And How to Remove It

Folder and a flash drive held hostage chained to a chair
In a hurry? Here's a short summary about ransomware!
Everything You Need to Know About Ransomware - A Quick Guide

Ransomware is a kind of malware that takes over users’ computers and networks and prevents them from accessing their data. Ransomware does this by encrypting files and locking up devices, networks and entire systems so users can’t get to them. The only way to restore the files or network access is to obtain a decryption key, which only the hacker knows. In exchange for the key, the hacker demands a ransom payment in Bitcoin. Ransom demands can be hundreds of dollars for smaller-scale attacks or millions for large companies.

There are ways to protect yourself from ransomware attacks:

  1. Invest in reliable anti-virus software: For ransomware protection, we recommend Malwarebytes.
  2. Back up your files: If you are subject to a ransomware attack and can’t get access back, having a backup of your files is essential.
  3. Update your operating system and software: This keeps your device up to date on the latest patches and vulnerability fixes.

If you want to learn more about ransomware, how to protect yourself against attacks and how to remove it, read our full article below.

Ransomware is used by cybercriminals to cripple corporate and private networks and devices by taking important files or entire systems hostage, typically through a Trojan. Once inside the system, the ransomware begins to encrypt the victim’s files so they can’t be accessed.

When the files are locked up and the ransomware infection is complete, the attacker sends a message instructing the victim to pay a ransom to get the files or access to devices back — hence, the “ransom” in ransomware. Unfortunately, in many cases, victims pay the ransom and still don’t get the files back or systems back, which can have devastating effects on businesses and individuals.

With the recent barrage of ransomware attacks and the emergence of ransomware-as-a-service on the dark web, it’s more important than ever to learn about how ransomware works, how you can prevent attacks, and how to remove it if you’ve been infected.

What is Ransomware? How Does Ransomware Work?

What-is-Ransomware-IconRansomware is a type of malware that takes over users’ computers and encrypts their files, thus preventing them from accessing their data. Most commonly, ransomware codes encrypt files so users can’t get to them. Restoring the files requires a decryption key that only the hacker holds. The hacker demands a ransom in exchange for the encryption key.

The malicious software sends a message to the users stating that their files are inaccessible, and will only be decrypted if they send a Bitcoin payment to the attacker. The users are then given directions for paying the ransom in exchange for the decryption key. The fees vary widely, from a few hundred dollars for small targets, to millions of dollars for huge corporate scores.

Common Ransomware Examples

Though there are many different types of ransomware available to hackers and cybercriminals, three ransomware threats have emerged as the most popular in recent years due to their effectiveness and profitability for ransomware attackers. These are:


1. Encrypting ransomware

This is a type of ransomware infection where an attacker seizes the user’s files and encrypts them, then demands payment in exchange for returning the data. Once your files are encrypted, the only way to get them back is by using a decryption key. But even if you pay the ransom, there’s no way to know if the criminals will actually give your data back. This is the most common for corporate networks and targeted attacks on businesses.

2. Locker ransomware

This kind of ransomware was one of the first malware that hackers used. It not only encrypts files but also locks the users out of the device or system entirely. Since there’s no way to get in, you have to pay a ransom to access your device and get to your encrypted files. Again, the problem remains that if you pay the ransom, you may not actually be able to regain access to the infected system. This is another common ransomware attack on business networks as well as individual systems.

3. Scareware

Commonly used by security and tech support scammers, scareware usually has a message pop on the screen saying that malware was discovered. Users are informed that the only way they can get rid of it is to pay a fee. However, with scareware, if they do nothing, their files will most likely remain safe. The cybercriminals haven’t actually encrypted data, but are merely pretending that they have. This is very common when attacking individual devices and systems.

Different ransomware variants

While all ransomware is similar in its execution and functionality, there are many different codes and strains. Here are some common modern types of ransomware variants:

  • Ryuk: It’s estimated that Ryuk (thought to originate in Eastern Europe) was responsible for nearly a third of all cyberattacks in 2020 and 2021, and has become one of the go-to ransomware codes for major attacks for its efficacy and ability to draw ransoms in the multi-millions. Ryuk was responsible for attacks on US hospitals in California, New York, and Oregon, as well as in the UK and Germany. Ryuk ransomware was also behind cyberattacks on Universal Health Systems, the Seyfarth Shaw Law Firm, and the Sopra Steria attack in Europe.
  • REvil (Aka: Sodinokibi): REvil code was responsible for nearly 13% of all attacks in 2021, including the $70 million Kaseya cyberattack and the extortions of the massive food supplier JBS Foods, and electronics giant Acer. REvil was also one of the leading ransomware-as-a-service gangs that emerged in recent years.
  • WannaCry: WannaCry is another ransomware code hailing from Eastern Europe. This particular variant was responsible for attacks that froze up the UK’s National Health Service (NHS). In addition to the high-profile attack on the NHS, it’s responsible for attacks on over 125,000 organizations across 150 countries.
  • CryptoLocker: One of the most notorious ransomware attacks was CryptoLocker, which took place in 2013 and infected around 500,000 computers worldwide. The ransomware spreads in the form of attachments in spam emails. Once you opened the attachment the hackers had access to your files and could encrypt them. CryptoLocker was eventually contained by Operation Tovar, but it inspired many other ransomware attacks.
  • Bad Rabbit: This variant infects systems through a phony Adobe Flash update on malicious websites. Once injected, victims are redirected to a page that requires them to pay Bitcoin.
  • Jigsaw: Named after the villain in the hit horror movie franchise, Saw, this ransomware variant first encrypts files, then starts a countdown to a deadline for making the ransom payment. During the countdown, the malware begins deleting files one by one. Once the countdown is finished and the ransom isn’t paid, all the files will be deleted.
  • Petya: This member of the malware family is especially hard to get rid of because it overwrites the entire master boot program of the operating system on a device. It encrypts the entire system, making it nearly impossible to reboot and dig out the malware.

How Does Ransomware Infect Your Computer?

How-Does-Ransomware-Infect-Your-Computer-iconAn infected computer will run normally for a while and the user generally doesn’t realize that ransomware has been installed. Once the ransomware begins running on the computer and encrypting files, it’s usually too late to save the data. A ransom note will then appear on the user’s screen, and the files will become inaccessible.

There are many ways ransomware can infect your computer or corporate network. For the majority of ransomware attacks — both corporate breaches and infection of a private computer system — we’ve seen five main methods.

  1. Phishing: One of the most common ways is by phishing, where an attacker poses as a legitimate institution such as a bank or tech company. They often contact you by email and request that you download a file or open a malicious attachment. If you download or open the file, the ransomware can be injected into your computer or network.
  2. Malicious advertising or malvertising: Another common tactic is malicious advertising or malvertising. This is when an attacker spreads malware using online advertising. It’s important to understand that malvertising does not require the user to take any action at all. While browsing trusted sites on the internet you can connect to malicious servers. These servers record information about your computer and location, and then send malware to your computer.
  3. Exploiting vulnerabilities: Attackers may also use exploit kits, which is a hacking tool consisting of pre-made code. The kits work by identifying security gaps on other people’s computers and then infecting them.
  4. Social engineering: Social engineering is a manipulation technique that malicious actors use to gain access to a network or system. Cybercriminals often pose as customer service, technical support reps, new employees, and authority figures to gain remote access to devices, passwords or other login information. Once they’ve got access, they can commence with ransomware spreading. Check out our full article on social engineering here for more information.
  5. Drive-by downloads: Some attackers use a tactic known as drive-by downloads to install malware on users’ computers without their knowledge. This typically happens when users unknowingly visit a malicious website, using an outdated browser. While they browse the website, it automatically downloads malware onto their computers.

How to Remove Ransomware

How-Can-You-Remove-Ransomware-iconThe first thing you need to do is regain control of your computer before you can proceed with ransomware removal. If you are a Windows user, you have to reboot Windows to safe mode and install anti-malware software. For ransomware protection, we recommend Malwarebytes antivirus software.

You then need to run a scan, find the ransomware program, and remove it. Then you can exit safe mode and reboot your computer.

The problem is these steps will allow you to remove the malware, but they won’t restore your files. There are some free decryptors that might help you get some data back, but there’s no guarantee. In many cases, it’s impossible to restore your data without a decryption key.

Some companies and individuals pay the ransom in the hopes of getting their files back, but this is a gamble. Many times the attackers take the money without handing over the decryption key.

As a result, the best course of action you can do is to protect yourself against ransomware attacks. Ransomware removal is never guaranteed, so if you are wondering how to remove malware from your computer, don’t fall for scammers who ask money for decryption. In most cases, you’ll just end up losing money too.

How to Prevent Ransomware Attacks

There are some steps you can take to reduce your chances of a ransomware attack. Here are some of the most important ones:

How-Can-You-Prevent-Ransomware-Attacks-infographic with three prevention options

  • Invest in cybersecurity: Installing antivirus software can help protect you from ransomware. It’s a good idea to look for antivirus software that will protect vulnerable programs and has an anti-ransomware feature. As we mentioned before, we recommend Malwarebytes.
  • Back up your files: It’s important to back up your files regularly, and to keep them safe using cloud storage with high-level encryption and multiple-factor authentication. If your files are permanently lost and your device compromised, a good backup is key.
  • Update your operating system and software: Some ransomware attacks take advantage of vulnerabilities in your software or operating system. By always installing updates, you can help protect your devices from the latest ransomware threats.

Verizon’s Data Breach Investigations Report revealed that most kinds of malware, including ransomware, invade devices through email. Companies are actually three times more likely to become compromised by social engineering attacks than security vulnerabilities. This suggests that cyber education is another important tool for preventing ransomware attacks.

We have created an easy guide that will help you stay safe online in only 8 steps. If you follow this guide, the chance of becoming a ransomware victim is far less.

Ransomware and Ransomware-as-a-Service on the Rise

Ransomware-on-the-Rise-IconUnfortunately, 2020 and 2021 saw an unprecedented surge in ransomware attacks — most targeting large companies and businesses, universities, hospitals and other huge organizations for multi-million dollar payouts. For a business or huge operation, it can be a financial nightmare if they aren’t able to use their systems and files. So sometimes simply paying the criminals seems like the best all-around option.

The US Department of the Treasury announced in late September 2021 that they would be taking action in response to the growing threat.

This rise in attacks also corresponds with the rise in the underground business model ransomware-as-a-service (RaaS) — copied from the legitimate Software-as-a-Service (SaaS) model. The developer at the top of a ransomware syndicate perfects a ransomware code, but instead of the syndicate carrying out cyberattacks on organizations themselves, they lease the malware out to affiliate hackers.

While these affiliate hackers might be lesser skilled and can’t develop their own code, they can still carry out a debilitating ransomware attack on a corporate network with the most effective criminal tech available on the dark web. As affiliates earn ransom payouts, they give a percentage back to the RaaS operators, thus increasing profits for the syndicate.

For a deep dive into RaaS, take a look at our full article here.

What are the Risks of Ransomware?

What-are-the-Risks-of-Ransomware-iconWhile ransomware can prevent individuals from accessing important files, it can be even more dangerous for companies. In recent years, attackers have been targeting companies over individuals, and the loss of essential data can be devastating for an organization. Ransomware attacks disrupt business operations and can cost companies large sums of money. Companies might pay large fees to attackers, and are likely to pay professionals to help them deal with the attack.

In addition, attackers don’t always restore the encrypted files. An Osterman survey of 540 organizations found that 28% of companies that refused to pay their attackers lost data despite having backups.

In some cases, malware like ransomware is used, not just for financial gain of the cybercriminal that orchestrates the attack, but to do actual, physical harm to human beings. This new kind of malware, also called killware, could even result in death.

Given the challenges of getting your data back and the possible horrible consequences, it’s best for individuals and companies to do everything they can to prevent ransomware attacks.

Ransomware also attacks mobile devices, with Android mobile devices generally at a higher risk. You may want to check out our Android malware removal guide if you feel your device was exposed.

Prevention is Better Than the Cure

Cyberattacks involving ransomware remain a major threat to companies and individuals. The most troubling trend is that ransomware attacks are becoming more sophisticated and increasingly target businesses. And in many cases, the victims are unable to recover their data. For this reason, organizations and individuals need to take preventative measures to defend themselves from these kinds of cyberattacks. Using strong antivirus can also protect your computer from advanced malware like the BloodyStealer.

What You Need to Know About Ransomware - Frequently Asked Questions

Looking for some quick information about ransomware and how to protect yourself? Here are some frequently asked questions!

Ransomware is a form of malware used to encrypt and hijack a network’s or system’s sensitive files and data. The hacker who launched the attacks holds the files, network or devices hostage until the victim pays a Bitcoin ransom for a decryption key. The decryption key restores the encrypted files and gives the victim access again. Cybersecurity experts are divided on whether or not victims should pay ransoms, though, as they may not get their files back.

Ransomware attacks are usually executed in one of five ways: phishing emails or calls, social engineering, exploitation of network and system vulnerabilities, drive-by downloads, or malicious advertising (malvertising) on compromised sites. For more information, read our full article on ransomware.

To remove ransomware, you’ll need to reboot your system in safe mode and install anti-malware security software. Run a scan and remove it, then reboot your computer. Unfortunately, this will only remove the malware. It won’t decrypt your files if they’ve already been compromised.

Typically ransomware is injected through clicking malicious links or downloading infected files in phishing emails. This can also occur if you’ve navigated to a compromised website with an out-of-date browser and no anti-virus software. A hacker can also infect a network if someone has given up sensitive login data after falling victim to social engineering tactics.

Factory reset and rebooting Windows in safe mode won’t get rid of the ransomware in itself, you’ll still need to install strong anti-virus software to remove, quarantine and delete the malware. For more information on getting rid of ransomware and our recommendations, check out our full article.

Yes, hackers that have compromised a Wi-Fi network are able to release ransomware code to infect devices using that connection. So anyone connected — say an entire office Wi-Fi network — could potentially be infected through that network.

Windows 10 does have ransomware protection, which you can easily turn on. The simplest way is to type it into your search bar next to the Windows icon. The Windows Defender logo with “Ransomware Protection” will pop up and let you toggle the feature within Defender. For extra ransomware and malware protection, we recommend going with a premium antivirus program.

Tech journalist
Tove has been working for VPNoverview since 2017 as a journalist covering cybersecurity and privacy developments. She has broad experience developing rigorous VPN testing procedures and protocols for our VPN review section and has tested dozens of VPNs over the years.