What is a ransomware attack? How it works and prevention tips
Ransomware can lock your device and hold your files hostage. You have two options — pay the attacker or risk losing irreplaceable data. Learn how to protect yourself against these invasive attacks, and how Norton can help.
The idea behind ransomware, a form of malware, is simple: Lock and encrypt a victim’s computer or device data, then demand a ransom to restore access. A mid-2025 Gen Threat Report describes FunkSec as an early example. The group used generative AI in parts of its operation and went on to target more than 100 victims. The ransomware was designed to encrypt files and deliberately shut down dozens of services, including browsers, media players, email clients, and even Task Manager.
Researchers later found a flaw that allowed some data to be recovered without paying, and FunkSec has now gone quiet. But the threat remains, as the ransomware ecosystem fragments into smaller groups and copycat tools built on leaked code. And FunkSec isn’t the only ransomware around.
Learn more about what a ransomware attack is, how it works and how to respond to it, so you know what to do (and what to avoid) if you’re ever under attack.
How does a ransomware attack work?
Ransomware attacks work by gaining access to a device through security vulnerabilities or human error and encrypting the data stored on it. Some common ways attackers gain access include:
- Social engineering attacks: These include phishing emails from an attacker posing as someone you trust, like a co-worker, to trick targets into clicking deceptive links or opening malicious files that trigger hidden ransomware downloads.
- Remote Desktop Protocol (RDP) abuse: This occurs when attackers log in to a device remotely by guessing or stealing weak passwords. Then, they can log in as a user and install or launch ransomware across a system or network.
- Exploit kits: These kits hide malicious code on compromised websites or ads and automatically exploit unpatched software vulnerabilities to silently install ransomware when someone visits.
Here’s how a ransomware attack plays out, step by step:
- Initial infection: Attackers gain a foothold through phishing, stolen credentials, or unpatched software vulnerabilities, then install ransomware directly onto the device or network.
- Encryption: Depending on the type of ransomware, it may encrypt only personal files like documents and photos, or also interfere with system functions — like locking down your entire device.
- Ransom demand: You get a message demanding payment in exchange for a decryption key, along with instructions on how to make the payment.
However, while a ransom is demanded, there’s no guarantee your data will be restored if you pay that ransom. Even if you pay, the cybercriminals may never give you the decryption key.
Common targets of ransomware attacks
While ransomware can spread broadly, the nature of file-encrypting malware allows cybercriminals to choose targets they believe are more likely to feel pressure to recover data or restore operations.
A Gen Threat Report from earlier this year on ransomware statistics found fewer mass-spread ransomware examples and more small, targeted attacks. A top example is Trinity ransomware, which targeted small- and mid-sized businesses, threatening to lock files and leak stolen data.
Here are five target groups and how each may be impacted:
- Groups with smaller security teams: This includes universities and similar institutions that have broad file-sharing processes and uneven security controls. Comparitech recorded 180 ransomware attacks in the U.S. education sector in the first nine months of 2025. The average ransom demand across these attacks was $444,400 USD (approximately £330,500).
- Organisations that can and will pay quickly: Another target is government agencies and other essential services, as downtime here creates immediate operational pressure.
- Firms that hold sensitive data: Law firms and professional services are at risk, as exposed data carries both legal and reputational consequences. When these firms don’t pay up, the sensitive data isn’t deleted; it is released to the public instead.
- Small and mid-sized businesses: Recent trends in SMB ransomware show attackers prioritizing smaller businesses as they often lack enterprise-level defences but rely heavily on digital systems.
- Businesses in Western markets: Cybercriminals go for the bigger payouts, which means targeting corporate entities. Part of this involves focusing on the United Kingdom, the United States, and Canada due to greater wealth and personal-computer use.
Should you pay the ransom?
No, you shouldn’t pay the ransom. Once money changes hands, the victim has little leverage and no assurance that the attack is actually over. The FBI also warns that this can incentivise attackers to target more people, not to mention encourage other criminals to join the crime.
Beyond that, paying a ransom doesn’t guarantee you’ll get your files back. In many cases, attackers either don’t provide a working decryption key (the code needed to unlock files encrypted by ransomware) or stop responding after payment. Even when decryption works, files can remain corrupted or unusable.
Finally, there’s the issue of data exposure. Paying to unlock files doesn’t mean stolen data hasn’t already been copied. Attackers may still sell data on the dark web or demand a second payment to prevent a public leak.
We’re already seeing this shift in mindset away from paying. Coveware reported that only about 23% of ransomware victims paid in late 2025. Larger organisations increasingly refuse to pay, and mid-sized firms have started to push back on demands as well.
How to respond to a ransomware attack
Responding to a ransomware attack generally involves containing the infection, gathering basic information, reporting what happened, and restoring the device safely. The goal isn’t to negotiate with attackers, but to limit damage and reduce the risk of further data loss.
Here’s a step-by-step guide to respond to ransomware attacks:
- Isolate the infected device: Disconnect it from Wi-Fi, wired networks, Bluetooth, and external drives. This helps stop the ransomware from spreading to other devices or shared storage.
- Identify the ransomware type: If possible, note the ransom message, file extensions, or filenames used. This can help determine whether a known decryptor exists or whether recovery options are available.
- Collect evidence: Save screenshots of ransom notes, filenames, and any messages shown on screen. Keep copies of encrypted files, as they can help with reporting and later analysis.
- Report the attack: Report the attack to local authorities, the National Cyber Security Centre or ReportFraud. Even if recovery isn’t possible, reports help track active campaigns and support broader takedown efforts.
- Wipe and restore: Once evidence is collected, the safest option is often to fully wipe the device and restore data from clean backups made before the attack. Avoid restoring files unless you’re confident they’re not infected.
- Update all passwords: Create secure passwords for email, cloud storage, financial accounts, and any services accessed from the infected device. Credentials may have been exposed, especially if the attack involved data theft.
In some cases, a ransomware decryptor may also be available. These are tools created by security researchers or law enforcement when a weakness is found in a specific ransomware strain or when keys are recovered after a takedown.
For example, researchers at Gen Digital created a free decryptor tool for the Midnight ransomware, allowing victims to escape without paying the ransom. This is why noting the ransomware type early on can be helpful.
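As a concrete version of the “identify the ransomware type” and “collect evidence” steps above, here is a small read-only triage script. It is an added example written for this article, not Norton’s or Gen Digital’s code. It walks a folder, flags ransom-note-like filenames and files whose unusual extension and near-random contents suggest encryption, hashes every file for the record, and writes a JSON manifest you can hand to the people you report to. The filename hints, the “common extension” list and the 7.0 bits-per-byte entropy threshold are assumptions chosen for the example, and the sample folder it builds is constructed, not real victim data.

```python
"""Post-incident triage helper: inventories a folder after a suspected
ransomware attack and writes an evidence manifest.
Added example for this article, not Norton's or Gen Digital's code."""
import hashlib
import json
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Heuristics (assumptions for this example, not a definitive catalogue):
# filename fragments that ransom notes often carry, and extensions whose
# contents are naturally compressed, so high entropy alone is not suspicious.
NOTE_HINTS = ("readme", "decrypt", "restore", "how_to", "recover", "ransom")
COMMON_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".json"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    """Hash the file for the evidence record without modifying it."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_note(path: Path) -> bool:
    """Plain-text/HTML file whose name contains a typical ransom-note word."""
    name = path.name.lower()
    return path.suffix.lower() in {".txt", ".html", ".hta"} and any(h in name for h in NOTE_HINTS)


def triage(root: Path, sample_bytes: int = 4096) -> dict:
    """Read-only walk of root. Records ransom-note candidates and files whose
    extension is unusual AND whose first sample_bytes look random, then names
    the dominant suspicious extension (the detail you quote when checking
    whether a decryptor exists for that strain)."""
    notes, suspects, ext_counter = [], [], Counter()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if looks_like_note(path):
            notes.append({"file": rel, "sha256": digest,
                          "preview": path.read_text(errors="replace")[:200]})
            continue
        with path.open("rb") as fh:
            ent = shannon_entropy(fh.read(sample_bytes))
        ext = path.suffix.lower()
        if ext not in COMMON_EXTS and ent > 7.0:
            ext_counter[ext] += 1
            suspects.append({"file": rel, "sha256": digest, "extension": ext,
                             "entropy": round(ent, 2)})
    return {
        "ransom_notes": notes,
        "suspected_encrypted": suspects,
        "suspect_count": len(suspects),
        "dominant_extension": ext_counter.most_common(1)[0][0] if ext_counter else None,
    }


def write_manifest(manifest: dict, dest: Path) -> Path:
    """Save the manifest somewhere OTHER than the infected device (e.g. a USB stick)."""
    dest.write_text(json.dumps(manifest, indent=2))
    return dest


def build_sample_dir() -> Path:
    """Constructed sample folder standing in for a home directory after an attack."""
    root = Path(tempfile.mkdtemp(prefix="triage_sample_"))
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF" + bytes(500))  # untouched, low entropy
    (root / "notes.txt").write_text("shopping list: milk, eggs\n")           # untouched text
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    for name in ("taxes.pdf.locked", "thesis.docx.locked", "beach.jpg.locked"):
        (root / name).write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "HOW_TO_RESTORE_FILES.txt").write_text(
        "Your files have been encrypted. Contact <constructed address> for instructions.\n")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    result = triage(sample)
    out = write_manifest(result, sample.parent / "ransomware_evidence.json")
    print(f"{result['suspect_count']} suspected encrypted files, "
          f"dominant extension {result['dominant_extension']}, manifest at {out}")
```

Run it from a clean machine against a mounted copy of the affected drive rather than on the infected device itself, and keep the manifest with your screenshots. The dominant extension and the note text are exactly the details that decide whether a known decryptor applies.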
How to help prevent ransomware
Reducing the risk comes down to habits that limit how ransomware gets in and spreads. That includes keeping devices up to date, being cautious with email and downloads, using a VPN on public Wi-Fi, and learning how to recover your data without negotiating with attackers.
Keep in mind these dos and don’ts to avoid ransomware attacks:
- Use security software: Install and use a trusted ransomware protection tool that offers more than just antivirus features. Some security software also helps detect and protect against threats to your identity and your devices, including your mobile phones.
- Keep your security software updated: New ransomware variants continue to appear, so update your internet security software to protect your devices against cyberattacks.
- Update your operating system and apps: Software updates frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
- Don’t automatically open email attachments: Avoid opening emails and attachments from unfamiliar or untrusted sources. Phishing spam in particular can fool you into clicking on a legitimate-looking link in an email that actually contains malicious code.
- Be wary of email attachments that ask to enable macros: Macros are small programmes built into documents that can automate tasks. If enabled, they can secretly run malicious code that spreads ransomware to your files and contacts. So, unless you’re absolutely sure you can trust the email sender, ignore the request.
- Back up data offline: Attackers can gain leverage over their victims by encrypting valuable files and making them inaccessible. If the victim has backup copies stored offline or in the cloud, the cybercriminal loses some advantage. But they may up the ante by threatening to leak or sell sensitive data if the ransom isn’t paid.
- Use cloud services: This can help mitigate a ransomware infection, since many cloud services retain previous versions of files, allowing you to “roll back” to the unencrypted form.
- Be cautious on public Wi-Fi: Avoid using public Wi-Fi for sensitive activity when possible. If you do connect, use a trusted VPN to encrypt your traffic and reduce the risk of attackers intercepting logins or injecting malicious content.
- Don’t pay the ransom: Keep in mind, you may not get your files back even if you pay a ransom. A cybercriminal could ask you to pay again and again, extorting money from you but never releasing your data.
Finally, plan ahead with an incident response plan. It can be as simple as knowing where your backups are, which accounts to secure first, and how to disconnect a device quickly. Deciding these steps in advance makes it easier to act calmly and limit damage if ransomware ever does hit.
Protect against ransomware
Ransomware is a real risk, and your best bet is to stop it before it runs. That means spotting scams before you click, and having basic safeguards in place if something slips through. Modern security tools like Norton AntiVirus Plus are designed for exactly this layer of defence.
Norton provides real-time protection against ransomware and includes a smart firewall to prevent unauthorised connections. You also get features like AI-powered scam detection and a built-in password manager to reduce common entry points that cybercriminals rely on.
FAQs
What's the main cause of ransomware attacks?
Most ransomware attacks start with social engineering attacks like opening a malicious email attachment, clicking a deceptive link, or downloading infected software. Unpatched software vulnerabilities can also be exploited, but they’re less common for personal devices.
Can ransomware spread through Wi-Fi?
Yes, ransomware can spread over Wi-Fi when devices on the same network allow shared folders, reuse simple passwords, or run outdated software with known vulnerabilities. An infected device can then scan the network and try to access other connected devices.
How do I know if I have ransomware?
The most common sign is a ransom note or payment demand appearing on your screen or via a message. If you use antivirus software, it may also flag the ransomware in real time before files are fully encrypted.
Finally, in some cases, you might notice files behaving oddly beforehand, but a ransom note is almost always shown once the attack completes.
Can ransomware be removed?
Ransomware itself can usually be removed by wiping the device or using security software, but that doesn’t restore encrypted files. For this, you need data backups or a decryptor tool.
Does antivirus software stop ransomware?
Yes, antivirus software can stop ransomware, especially before it encrypts files. Modern tools use real-time monitoring and behavior detection to block ransomware as it runs. But be sure to keep your security software up to date so it can recognise newer threats.
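To show what “behaviour detection” means in practice, here is a toy detector, added for this article and not code from Norton or any product. It reads file-system events in a simple text format (timestamp, operation, path) and raises an alert when many files are renamed to the same unfamiliar extension within a ten-second window, or when a file with a ransom-note-like name is created. The event format, the thresholds and the sample event log are all assumptions constructed for the example; a real product hooks the operating system in real time rather than reading a log after the fact.

```python
"""Toy behaviour-based ransomware detector over file-system events.
Added example for this article, not Norton's or any product's code."""
import re
from collections import Counter, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Assumed event format (constructed for this example): "<ISO time> <OP> <path>[ -> <newpath>]"
EVENT_RE = re.compile(r"^(\S+) (WRITE|RENAME|CREATE) (\S+)(?: -> (\S+))?$")

# Tunables (assumptions): how many same-extension renames in the window trip an alert,
# extensions a normal user or app renames to, and ransom-note filename fragments.
WINDOW = timedelta(seconds=10)
RENAME_THRESHOLD = 5
NORMAL_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".tmp", ".bak"}
NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "ransom")

# Constructed sample log: ordinary morning activity, then a burst of mass renames
# and a ransom note dropped next to the victim's documents.
SAMPLE_EVENTS = """
2025-11-03T09:12:01 WRITE /home/amy/docs/report.docx
2025-11-03T09:13:10 RENAME /home/amy/docs/old.xlsx -> /home/amy/docs/old.xlsx.bak
2025-11-03T09:14:00 RENAME /home/amy/docs/a.txt -> /home/amy/docs/a.old
2025-11-03T09:14:05 RENAME /home/amy/docs/b.txt -> /home/amy/docs/b.old
2025-11-03T10:02:00 RENAME /home/amy/docs/report.docx -> /home/amy/docs/report.docx.locked
2025-11-03T10:02:01 RENAME /home/amy/docs/budget.xlsx -> /home/amy/docs/budget.xlsx.locked
2025-11-03T10:02:01 RENAME /home/amy/photos/beach.jpg -> /home/amy/photos/beach.jpg.locked
2025-11-03T10:02:02 RENAME /home/amy/photos/kids.jpg -> /home/amy/photos/kids.jpg.locked
2025-11-03T10:02:03 RENAME /home/amy/docs/thesis.pdf -> /home/amy/docs/thesis.pdf.locked
2025-11-03T10:02:03 RENAME /home/amy/docs/cv.docx -> /home/amy/docs/cv.docx.locked
2025-11-03T10:02:04 CREATE /home/amy/docs/README_RESTORE_FILES.txt
"""


def parse_events(text: str) -> list:
    """Parse log lines into (timestamp, op, path, new_path) tuples; ignore malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, op, path, new = m.groups()
        events.append((datetime.fromisoformat(ts), op, path, new))
    return events


def detect(events: list) -> list:
    """Return alerts in time order. Two behaviours are watched:
    1. a burst of renames to one non-standard extension inside WINDOW (mass encryption);
    2. creation of a file whose name looks like a ransom note."""
    alerts = []
    recent = deque()          # (timestamp, new extension) of renames still inside the window
    already_fired = set()     # extensions already reported, to avoid one alert per file
    for ts, op, path, new in events:
        if op == "CREATE" and any(h in PurePosixPath(path).name.lower() for h in NOTE_HINTS):
            alerts.append({"time": ts.isoformat(), "reason": "ransom-note-like file created", "path": path})
        if op != "RENAME" or not new:
            continue
        ext = PurePosixPath(new).suffix.lower()
        if ext in NORMAL_EXTS:
            continue              # backups, temp files and similar are expected renames
        recent.append((ts, ext))
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()      # slide the window forward
        top_ext, n = Counter(e for _, e in recent).most_common(1)[0]
        if n >= RENAME_THRESHOLD and top_ext not in already_fired:
            already_fired.add(top_ext)
            alerts.append({"time": ts.isoformat(),
                           "reason": f"{n} renames to '{top_ext}' within {WINDOW.seconds}s",
                           "path": new})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert["time"], alert["reason"], alert["path"])
```

Note what the detector deliberately ignores: the two manual renames to `.old` stay below the threshold, and the `.bak` rename is on the allow-list, so normal housekeeping does not trigger it. The first alert fires on the fifth `.locked` rename, which is the point where a real product would suspend the offending process; the ransom-note alert follows as corroboration.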
What does the law say about ransomware?
Ransomware is illegal in the UK and has grown into a serious cybercrime threat in recent years. Paying the ransom is strongly discouraged, as it perpetuates the threat and the targeting of businesses across the UK.
Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc.