A pillar guide to ransomware: how it spreads, why backups matter, what individuals and small teams can do, and what to avoid during an incident.
Last checked: May 19, 2026. If a business, school, clinic, or government system is affected, involve qualified incident response, legal, insurance, and reporting contacts immediately.
Quick answer
Ransomware is malware that blocks access to files, devices, or systems and demands payment. Modern ransomware attacks may also steal data before locking files, then threaten to publish it.
The best defense is boring but powerful: updated software, strong unique passwords, multi-factor authentication, careful email habits, limited admin rights, and backups that ransomware cannot reach.
What ransomware does
Ransomware usually has one or both goals:
- Encrypt files so you cannot open them.
- Steal data and pressure you with publication threats.
For a home user, that may mean losing family photos, school work, tax files, or personal documents. For an organization, it can stop operations, affect customers, trigger legal obligations, and damage trust.
How ransomware gets in
Common entry points include:
- Phishing emails with malicious links or attachments.
- Fake invoices, delivery notices, resumes, or legal documents.
- Cracked software and unofficial downloads.
- Weak or reused remote-access passwords.
- Unpatched servers, routers, or apps.
- Compromised third-party accounts.
- Malicious browser extensions or fake updates.
Attackers often start with a small foothold (one mailbox, one workstation, one remote-access account), then move through other accounts and shared folders before they encrypt anything.
Basic protection checklist
| Control | Why it helps |
|---|---|
| Software updates | Fix known vulnerabilities attackers use. |
| Unique passwords | Stop one stolen password from opening many accounts. |
| Multi-factor authentication | Adds friction even if a password is stolen. |
| Offline or protected backups | Gives you a recovery path without paying. |
| Limited admin rights | Reduces what malware can change. |
| Email caution | Blocks many first-stage attacks. |
| App allowlisting for teams | Stops programs that are not on an approved list from running. |
No single control is enough. Ransomware defense works best in layers.
Why backups matter
A backup is only useful if ransomware cannot encrypt it too. If your backup drive is always connected or your cloud folder syncs every encrypted file instantly, the backup may fail when you need it.
Use a mix of:
- Cloud backup with version history.
- Offline backup stored separately.
- External drive disconnected after backup.
- Tested restore process.
- Separate admin account for backup management.
Testing matters. A backup you have never restored is only a hope.
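The restore test described above, as an added example written for this guide rather than taken from the cited sources: Python that backs up a constructed folder, wrecks the live copy the way ransomware would (overwriting and renaming files, with no real encryption), restores into a fresh location, and compares SHA-256 hashes against a manifest taken before the backup. The folder layout, file names, backup label and `.locked` extension are assumptions made for the example.

```python
"""Restore drill: back up a folder, simulate a ransomware run against the live copy,
restore from the backup, and prove every file came back byte-for-byte.
Added example for this guide; the sample files are constructed here, not real data."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256; this is the 'expected' record."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup_dir: Path, label: str) -> Path:
    """Write a dated archive of source into backup_dir (stands in for a drive you unplug afterwards)."""
    archive = backup_dir / f"{source.name}-{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return archive


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target; the 'data' filter refuses path-traversal entries."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")
        except TypeError:  # Python releases that predate the filter= argument
            tar.extractall(target)


def verify_restore(expected: dict[str, str], restored_root: Path) -> list[str]:
    """Compare the restored tree against the manifest; an empty list means the drill passed."""
    actual = manifest(restored_root)
    problems = [f"missing: {rel}" for rel in expected if rel not in actual]
    problems += [f"changed: {rel}" for rel, digest in expected.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]
    return problems


def simulate_ransomware(root: Path) -> None:
    """Stand-in for an attack: overwrite every file with random bytes, rename it, drop a note.
    No real encryption is involved; this only damages the constructed sample tree."""
    for path in [p for p in root.rglob("*") if p.is_file()]:
        path.write_bytes(os.urandom(max(1, path.stat().st_size)))
        path.rename(path.with_name(path.name + ".locked"))
    (root / "README_RESTORE_FILES.txt").write_text("your files are encrypted")


def run_drill() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        docs = work / "documents"                      # the 'live' folder
        (docs / "taxes").mkdir(parents=True)
        (docs / "photos").mkdir()
        # Constructed sample files; contents are placeholders.
        (docs / "taxes" / "2025.txt").write_text("constructed sample tax file\n")
        (docs / "photos" / "trip.jpg").write_bytes(b"\xff\xd8\xff" + b"placeholder jpeg body")
        (docs / "notes.md").write_text("# constructed notes\n")

        expected = manifest(docs)
        backup_dir = work / "offline-backup"           # would be a detached drive in practice
        backup_dir.mkdir()
        archive = make_backup(docs, backup_dir, "2026-05-19")

        simulate_ransomware(docs)                      # live copy is now useless
        after = manifest(docs)
        still_intact = sum(1 for rel, d in after.items() if expected.get(rel) == d)

        restore_root = work / "restore-test"           # restore somewhere fresh, never over the live copy
        restore_root.mkdir()
        restore_backup(archive, restore_root)
        return {
            "files_backed_up": len(expected),
            "files_intact_after_attack": still_intact,
            "ransom_note_present": (docs / "README_RESTORE_FILES.txt").exists(),
            "restore_problems": verify_restore(expected, restore_root / "documents"),
        }


if __name__ == "__main__":
    print(run_drill())
```

Run it as a script; the dictionary it returns is the drill report. On a real folder the same three steps apply: record a manifest, back up, then restore into a scratch location and compare, never extracting over the live files.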
What individuals should do
For a personal laptop or phone:
- Keep the operating system and browser updated.
- Use a password manager.
- Turn on two-factor authentication for email and cloud storage.
- Avoid cracked apps and unknown installers.
- Back up important files.
- Be careful with attachments you did not expect.
- Use standard user accounts where practical.
If ransomware appears, disconnect from the network, stop using the device, and get trusted technical help before making changes.
What small teams should do
Small businesses, schools, and nonprofits often have high exposure because they use shared drives, remote access, and many cloud accounts without a large security team.
Minimum controls should include:
- MFA on email, admin accounts, cloud apps, and remote access.
- Separate admin accounts for IT tasks.
- Device updates and endpoint protection.
- Regular backups with restore testing.
- Staff reporting process for suspicious emails.
- Inventory of critical systems and files.
- Incident contact list stored offline.
Do not wait until an incident to decide who calls the bank, insurer, hosting provider, lawyer, or IT vendor.
Remote access is a common weak point
Remote desktop tools, VPN accounts, admin dashboards, and cloud consoles should never rely on weak passwords alone. Require MFA, remove old users, close unused access, and watch login alerts. If a vendor needs access, give the minimum access needed and remove it when the work is done.
What not to do during an incident
Do not rush into payment. Payment does not guarantee recovery, and it may create legal, ethical, and practical problems. Do not delete evidence before responders can assess it. Do not keep infected devices connected to shared networks.
If a workplace is affected, report internally immediately. If customers, students, patients, or regulated data may be involved, legal and reporting obligations may apply.
Warning signs
- Files suddenly have strange extensions.
- A ransom note appears.
- Shared folders become inaccessible.
- Antivirus tools are disabled.
- Many failed login attempts appear.
- Admin accounts behave strangely.
- Backups stop running or become inaccessible.
Early reporting can reduce damage.
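Two of the signs above, renamed files or a ransom note on a share and a burst of failed logins from one source, can be checked with simple heuristics. The following Python is an added example for this guide, not from the cited sources: the directory listings, the `FAILED_LOGIN` log line format, the baseline extension set and the `HOW_TO_DECRYPT_FILES.txt` name are all constructed assumptions.

```python
"""Triage checks for two warning signs from the list above: a share full of renamed
files or ransom notes, and bursts of failed logins from one source.
Added example; every file name and log line below is constructed, not captured data."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
from pathlib import PurePosixPath

# Assumed baseline of extensions normally found on this share; tune it per environment.
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".md"}
# Ransom notes are usually text/HTML files whose names promise decryption or recovery.
NOTE_NAME = re.compile(r"(decrypt|recover|restore|ransom)", re.IGNORECASE)
NOTE_SUFFIXES = {".txt", ".html", ".hta"}
# Assumed log format: "<ISO timestamp> FAILED_LOGIN user=<name> src=<ip>"
FAILED_LOGIN = re.compile(r"^(?P<ts>\S+) FAILED_LOGIN user=(?P<user>\S+) src=(?P<src>\S+)$")


def file_signs(paths, baseline=BASELINE_EXTENSIONS, share_threshold=0.5):
    """Flag a listing when one unfamiliar extension dominates it or a note-like file is present."""
    unknown = Counter()
    notes = []
    for p in paths:
        path = PurePosixPath(p)
        ext = path.suffix.lower()
        if ext in NOTE_SUFFIXES and NOTE_NAME.search(path.stem):
            notes.append(p)
        elif ext not in baseline:
            unknown[ext] += 1
    top_ext, top_count = unknown.most_common(1)[0] if unknown else ("", 0)
    share = top_count / len(paths) if paths else 0.0
    return {
        "unknown_extension_files": sum(unknown.values()),
        "dominant_unknown_extension": top_ext,
        "dominant_share": round(share, 2),
        "ransom_notes": notes,
        "suspicious": share >= share_threshold or bool(notes),
    }


def failed_login_bursts(log_lines, window_seconds=60, threshold=5):
    """Return {source: peak failures inside any window_seconds span} for sources at or above threshold."""
    by_src = defaultdict(list)
    for line in log_lines:
        m = FAILED_LOGIN.match(line.strip())
        if m:  # lines in other formats (successful logins, other events) are simply skipped
            by_src[m["src"]].append(datetime.fromisoformat(m["ts"]))
    bursts = {}
    for src, times in by_src.items():
        window, peak = deque(), 0
        for t in sorted(times):                 # sliding window over this source's failures
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            bursts[src] = peak
    return bursts


# Constructed directory listing: one share after a hypothetical encryption run.
HIT_SHARE = [
    "finance/q1-report.docx.locked", "finance/budget.xlsx.locked", "finance/invoice-0412.pdf.locked",
    "hr/handbook.pdf.locked", "hr/org-chart.png.locked", "projects/plan.md.locked",
    "projects/specs.docx.locked", "projects/logo.png.locked",
    "finance/untouched.pdf", "HOW_TO_DECRYPT_FILES.txt",
]
# Constructed listing of a healthy share.
CLEAN_SHARE = ["finance/q1-report.docx", "hr/handbook.pdf", "projects/plan.md", "projects/logo.png"]
# Constructed login events using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2026-05-19T02:14:01 FAILED_LOGIN user=admin src=203.0.113.7",
    "2026-05-19T02:14:05 FAILED_LOGIN user=admin src=203.0.113.7",
    "2026-05-19T02:14:09 FAILED_LOGIN user=administrator src=203.0.113.7",
    "2026-05-19T02:14:13 FAILED_LOGIN user=backup src=203.0.113.7",
    "2026-05-19T02:14:17 FAILED_LOGIN user=it-admin src=203.0.113.7",
    "2026-05-19T02:14:21 FAILED_LOGIN user=admin src=203.0.113.7",
    "2026-05-19T02:15:00 LOGIN_OK user=alice src=192.0.2.10",
    "2026-05-19T03:10:00 FAILED_LOGIN user=bob src=198.51.100.4",
    "2026-05-19T03:40:00 FAILED_LOGIN user=bob src=198.51.100.4",
]

if __name__ == "__main__":
    print(file_signs(HIT_SHARE))
    print(file_signs(CLEAN_SHARE))
    print(failed_login_bursts(SAMPLE_LOG))
```

Both checks are coarse by design: a legitimate document called `backup-restore-plan.txt` would trip the note pattern, and a user mistyping a password twice is normal. What matters is the combination seen in the constructed samples, one extension suddenly covering most of a share, and many failures across several account names from a single source in under a minute.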
FAQ
Should victims pay the ransom?
This is a serious decision for legal, financial, operational, and ethical reasons. Payment does not guarantee recovery. Organizations should involve professional incident response and legal counsel.
Can antivirus stop ransomware?
Security tools help, but they are not enough alone. Backups, MFA, updates, password hygiene, and access controls are also needed.
Are cloud files safe from ransomware?
Not automatically. If ransomware can sync encrypted files to the cloud, cloud copies may be affected. Version history and protected backups are important.
Sources
- CISA StopRansomware: cisa.gov
- CISA Secure Our World: cisa.gov
- NCSC ransomware guidance: ncsc.gov.uk
Before you move on
Use this short checklist to turn the article into action.
- Change reused passwords on important accounts.
- Enable multi-factor authentication or passkeys where available.
- Keep a separate backup for files you cannot afford to lose.
This guide is written for practical user safety. For account, platform, or legal decisions, confirm critical steps with the official help center or your service provider.