AVG Signal Blog Security Ransomware What Is Ransomware: The Ultimate Guide

Written by Nica Latto & Monica Mateiu
Published on August 28, 2021

What is ransomware?

Ransomware is a type of malicious software that encrypts files on your computer or locks your device — and then demands a ransom in exchange for decryption. Hackers usually demand the ransom in bitcoin or other cryptocurrency, and there’s no guarantee that paying up will actually get your files decrypted.

This article contains:

    The first recorded ransomware attack occurred in 1989, when evolutionary biologist Joseph Popp infected floppy disks with the AIDS Trojan and distributed them to fellow researchers. The malware didn’t run immediately, but instead waited until victims booted their PCs 90 times. Finally, it encrypted all system files and asked users to pay $189 to undo the damage. Luckily, experts came up with tools to remove the malware and decrypt the infected files.

    In recent years, ransomware has grown astronomically. Hospitals, governments, and large corporations have been hit with large-scale ransomware attacks that forced them to choose between paying thousands of dollars in ransom to cybercriminals or absorbing millions in recovery costs.

    But is ransomware a virus? No, it’s a different type of malicious software. Viruses infect your files or software, and have the ability to self-replicate. Ransomware scrambles your files to render them unusable, then demands you pay up. Ransomware and viruses can both be removed with an antivirus — but if your files are encrypted, it’s unlikely you’ll ever get them back.

    Types of ransomware

    Ransomware comes in all shapes and sizes. Some variants are more harmful than others, but they all have one thing in common: ransomware by definition requires a demand of payment.

    Crypto malware or encryptors

    Crypto malware or encryptors are the most common type of ransomware, and they can do a lot of damage using super-strong data encryption methods. While extorting more than $50,000 from victims and causing hundreds of millions in additional damages, WannaCry put thousands of lives at risk when it hit hospitals around the world and blocked medical staff from accessing patient files.


    Lockers infect your operating system to completely lock you out of your computer and make it impossible to access any apps or files.


    Scareware is fake software (like a fake antivirus or cleaning tool) that claims to have found issues on your PC and demands money to fix them. Some scareware variants lock your computer, while others flood your screen with annoying alerts and pop-ups.


    Doxware (or leakware) threatens to publish your stolen information online if you don’t pay up. We all store sensitive files on our PCs — from contracts and personal documents to embarrassing photos — so it’s easy to see why that might cause panic.

    Ransomware as a Service

    RaaS (Ransomware as a Service) is malware hosted anonymously by a hacker who handles everything — distributing the ransomware, collecting payments, managing decryptors — in exchange for a cut of the ransom.

    Android ransomware

    Your Android mobile devices aren’t safe from ransomware either. Android ransomware is most likely to be a locker, which prevents you from accessing your device via the UI or a pop-up that won’t go away. Android ransomware started making news in 2016, tripled in 2017, and has continued to grow ever since.

    There’s even a WannaCry copycat — WannaLocker — which spreads on gaming forums and targets Android devices in China. Since data can easily be restored by syncing devices, cybercriminals often prefer blocking your smartphone instead of just encrypting files.

    Mac ransomware

    Even though Apple devices are a bit more resistant to malware than Windows PCs, Mac ransomware is also on the rise.

    Early examples of Mac ransomware weren’t exactly coded like ransomware. There was a fake FBI ransom scam that was actually a browser hijacker masquerading as ransomware. Then there was the Oleg Pliss attack, where the hacker used leaked iCloud passwords to remotely lock people’s iOS devices through Find My iPhone and demand a ransom to unlock them. These ransom attacks set the stage for real Mac ransomware.

    The latest malware affecting Macs appears to have been coded by software engineers with a specialty in macOS. While some cybercriminals are still targeting iCloud accounts, other Mac ransomware like KeRanger has evolved more similar to Windows ransomware.

    The most well-known ransomware strains and attacks

    With dozens of malware toolkits available on the internet’s black market, hackers have a solid base to build on. Recent attacks have shown that cybercriminals put a lot of effort into improving their code, adding features that make detection more difficult, and fine-tuning malicious emails to make them look legitimate.

    While almost anyone can launch their own small ransomware strain, some ransomware attackers developed massive strains that rocked the cybersecurity landscape and became known worldwide. Let’s take a closer look at some of the most well-known ransomware strains and attacks.


    After infecting more than 10,000 organizations and 200,000 individuals in over 150 countries, the WannaCry strain earned its reputation as the most widespread ransomware attack to date. It used an exploit known as EternalBlue, which takes advantage of a Windows SMB (Server Message Block, a network file-sharing protocol) vulnerability labeled as MS17-010. By the time it was shut down, WannaCry had attacked over 100 million Windows users.

    The WannaCry ransomware note on an infected computer.The WannaCry ransomware note. (source: Wikimedia Commons)


    The Petya ransomware attack (and similar strains dubbed Petna, NotPetya, EternalPetya, or Nyetya) gave everyone a big scare, but it was far less damaging than WannaCry. Petna affected victims mainly in Ukraine (more than 90% of attacks), but we’ve seen attempts in the US, Russia, Lithuania, Belarus, Belgium, and Brazil as well.


    First seen in February 2016, Locky was reportedly sent to millions of users around the world, in an email scam that claimed to be an invoice or a receipt of order. The emails contained an illegible Word document which asked users to enable macros to view its content before downloading the malware. With every attack, Locky’s authors keep improving the code to make it difficult to detect on your computer.

    Cerber ransomware

    This malware comes as a toolkit, freely available for anyone to download, set up, and spread. It’s distributed via an email attachment or the Unsubscribe link in a spam email, which redirects victims to the same attachment. It can operate even if you’re offline, and it can encrypt more than 400 file types, including database files.

    COVID-19 related scams and ransomware

    The widespread emergence of the COVID-19 pandemic in 2020 saw a rise in pitiless cybercriminals taking advantage of a fearful atmosphere. There were many scams around masks and vaccines, and countless hospitals were hit with ransomware, despite the strain they already faced due to the pandemic.

    Other well-known strains of ransomware include Bad Rabbit, Cryptolocker, GoldenEye, Jigsaw, Maze, and Ryuk. As hackers keep improving their code, any of these variants could reappear at any point.

    How to prevent ransomware

    The best way to avoid ransomware and other malware is to practice smart digital habits. That means avoiding suspicious websites, links, attachments, spam, and practicing good email security. Here are some additional tips to help you learn how to protect against ransomware:

    Back up your important files

    Back up important files or clone your entire hard drive to save everything. You can use an external drive, a cloud service, or both. Choose from Dropbox, Google Drive, Mega, or another free cloud service to securely store your important documents and photos. Find a service that lets you roll your data back to a previous version in case something happens to your account.

    If cybercriminals lock up your important files, but you have a backup stored safely, then they have no leverage. You can simply remove the ransomware, restore your files, and ignore any ransom demands.

    Backing up your files takes the sting out of ransomware attacks.Backing up your files takes the sting out of ransomware attacks.

    Use an updated antivirus

    Antivirus software offers essential protection against anything trying to mess with your computer. Try AVG AntiVirus FREE for 24/7 protection against ransomware and all kinds of other malware. And AVG Internet Security offers even greater defense against ransomware with its powerful Enhanced Ransomware Protection feature.

    See our ransomware prevention guide to set up your protection in AVG AntiVirus FREE.

    Update your operating system

    Security updates are vital for your computer’s safety. Outdated software makes you more vulnerable to all kinds of malware, including ransomware like WannaCry. Always keep your operating system and apps updated — use auto-update wherever possible, and if not, install updates as soon as they are available.

    Are you a ransomware target?

    If you aren’t protecting yourself against ransomware with updated software and a reliable anti-ransomware tool, then yes, you can be targeted by ransomware. Ransomware is often designed to take advantage of security holes in older software and unsecured devices.

    For example, WannaCry leveraged a Windows vulnerability to infect more than 200,000 people as well as 10,000 companies, public authorities, and organizations worldwide. Anyone who hadn’t installed the security patch Microsoft released earlier that year was vulnerable.

    Windows XP users were hit hardest: Microsoft had ended support for that version of Windows three years ago, and was spurred into releasing a patch for it only well after the attack had become severe. If you’re still using Windows XP, we strongly recommend that you update your operating system.

    While installing security updates is generally quick and easy for regular users, larger organizations are far more vulnerable. They often run sensitive custom-made software and need to deploy the fixes on massive numbers of devices, making the update process much more difficult and time-consuming.

    Some organizations also lack the funds to afford new software. Hospital budgets are expected to save lives, not computers — but those can be one and the same when their systems get taken over and hospital staff are locked out of patient records.

    Cybercrime is the top concern for organizations working with sensitive data, but that doesn’t mean regular PC users are safe — your family photos and personal files are just as valuable to hackers.

    How ransomware infects your PC

    Ransomware can find its way into your computer through malicious email attachments, ads, or links; drive-by-downloads; and exploits of security vulnerabilities. After infecting your PC, some ransomware strains can spread to your contacts and infect them — and then their contacts’ contacts, and so on.

    Ransomware spreads quickly and hits hard. Here’s how it gets on your computer:

    • Social engineering: A fancy term for tricking people, social engineering is often used to fool people into downloading malware from a fake attachment or link. Malicious files are often disguised as ordinary documents (order confirmations, receipts, bills, notices) and appear to have been sent by a reputable company or institution. When you download one of these to your computer and open it, you’ll be infected with ransomware.

    • Malvertising: Malicious advertising embeds ransomware, spyware, viruses and other nasty things into ads and advertising networks. Hackers will even buy ad space on popular websites (including social media networks or YouTube) to spread ransomware.

    • Exploit kits: Cybercriminals can package prewritten code into a ready-to-use hacking tool. These kits are designed to exploit vulnerabilities and security holes caused by outdated software.

    • Drive-by downloads: Some malicious websites take advantage of outdated browsers or apps and silently download malware in the background, while you’re browsing an innocent-looking website or watching a video.

    How ransomware works

    Ransomware works by preventing you from accessing your data. After gaining access to your computer, it silently encrypts your files, then demands a ransom payment in exchange for returning access to the encrypted data. At this point, it’s too late to recover your files, as they’re already encrypted.

    How a ransomware attack happens

    Ransomware attacks follow distinct attack patterns. First, the malware must get onto your computer. Then, it begins encrypting your data. Finally, it reveals its presence with a ransom demand.

    Here’s how ransomware attacks happen:

    Step 1: Infecting your device

    A ransomware attack may start with an innocent-looking email, supposedly sent from a legitimate source, asking you to download an invoice or some other important document. Hackers often mask the file’s real extension to trick victims into thinking it’s a PDF, DOC, or Excel sheet — but it’s actually an executable file which starts running in the background when you click it.

    Step 2: Encrypting your data

    For a while, nothing out of the ordinary happens. Your files can still be accessed and everything works just fine, as far as you know. But the malware is silently contacting the hacker’s server, generating a pair of keys — a public one to encrypt your files, and a private one, stored on the hacker’s server, used to decrypt them.

    Once the ransomware hits your hard drive, you don’t have much time to save your data. From here on, your input is no longer needed. The ransomware simply starts running and encrypting your files, and only reveals itself once the damage is done.

    Step 3: The ransom note

    A ransom note pops up on your screen, telling you how much you’re expected to pay and how to transfer the money. Once the clock starts ticking, you'll typically have a few days to pay the ransom, and the price goes up if you don’t make the deadline.

    Example of a ransom note left by CryptoLocker ransomware.Example of a ransom note left by CryptoLocker ransomware.

    You won’t be able to open your encrypted files, and if you try to do so, you’ll get an error message saying your file can’t be loaded, is corrupt, or not valid.

    How to remove ransomware

    Unless you’re locked out of your PC, deleting ransomware is pretty easy. In fact, it’s the same as removing a virus or any other common type of malware. But removing the ransomware will not decrypt your files.

    Removing ransomware is similar to removing other malicious software — download trusted antivirus software, run a scan to identify the ransomware, and then quarantine or delete the malware. (Though it’s trickier, you can also remove all kinds of malware manually.)

    Things are a bit more complicated if your PC is infected with a locker, which prevents you from entering Windows or running any programs. There are three ways to fix a locker infection:

    • Do a System Restore to restore Windows to a point in time where your PC was safe.

    • Run your antivirus program from a bootable disk or an external drive.

    • Reinstall your operating system.

    A reliable antivirus tool like AVG AntiVirus FREE will not only remove ransomware and other malware as soon as it’s detected on your system, but it’ll prevent these infections from happening in the first place.

    System Restore on Windows 10, 8.1, or 8:

    1. Turn your PC on and hold the Shift key to enter the recovery screens (restart if it didn’t work).

    2. Select Troubleshoot.

    3. Go to Advanced Options.

    4. Click System Restore.

    System Restore on Windows 7:

    1. Turn your PC on and press F8 to enter the Advanced Boot Options menu.

    2. Select Repair Your Computer and press Enter.

    3. Log in with your Windows account name and password (or leave that field blank if you don’t have one).

    4. Click System Restore.

    How to recover your files

    If you regularly back up your data, you don’t need to worry much about ransomware recovery. Simply delete the ransomware and then restore your files from the backup.

    If you don’t have anything backed up, then you might be out of luck. It’s sometimes possible to crack 32-bit and 64-bit encryption, so you might get lucky if that’s what the cybercriminals used. Additionally, cybersecurity researchers have been able to crack some ransomware strains and replicate their decryption keys.

    Prevention — using an antivirus and regularly backing up your data — is the best way to protect yourself from ransomware attacks.

    Our free ransomware decryption tools will help you recover files infected with the ransomware strains Apocalypse, BadBlock, Bart, Crypt888, Legion, SZFLocker, TeslaCrypt, and others.

    But these days many types of ransomware — including the notorious WannaCry, Locky or Cerber — use 128-bit or 256-bit encryption (and sometimes a combination of both). This complex level of encryption is also used by servers, browsers, and VPNs to protect your data, because it’s highly secure.

    If your files are infected with a ransomware variant using one of these highly secure encryption methods, recovery is nearly impossible. That’s why prevention — using an antivirus and regularly backing up your data — is the best way to protect yourself from ransomware attacks.

    Should I pay the ransom?

    Our advice is not to pay the ransom. Remember, these are cybercriminals you’re dealing with, and there’s no guarantee they’ll keep their promise. Paying ransom demands tells hackers that ransomware is a profitable business, encourages them to keep using ransomware, and funds other cybercrime.

    In some instances, the ransomware can’t actually be decrypted. That was the case with Petya — the ransomware’s encryption algorithm was irreversible. While cybersecurity professionals usually recommend not to pay the ransom, not everyone listens. And when businesses face even steeper recovery costs if they don’t pay, they sometimes give in.

    In June 2017, South Korean web hosting company Nayana paid 397.6 bitcoin (then worth approximately $1 million USD) after an Erebus ransomware attack. At the time, it was the heftiest ransom ever paid.

    Just four years later, in June 2021, meat supplier JBS paid the equivalent of $11 USD in a ransom demand. The FBI blamed Russian-speaking hacking group REvil, some of the most dangerous hackers around.

    Also in 2021, the notorious hacking group DarkSide launched a ransomware attack against the Colonial Pipeline Co., which manages a gas pipeline that transports almost half of the fuel used on the East Coast of the US. Rather than deal with the headache of rebuilding its systems, Colonial opted to pay the nearly $5 million USD ransom.

    The sharp rise in ransom demands shows that hackers are not stopping anytime soon — and that ransomware continues to get more dangerous.

    Prevent ransomware with cybersecurity software

    So should you pay the ransom? Our answer is no. Instead, get a good antivirus with free ransomware protection, so you never have to worry about paying a ransom in the first place. AVG AntiVirus FREE protects against ransomware, viruses, phishing, and all kinds of other digital threats.

    Protect your iPhone against ransomware with AVG Mobile Security

    Free install

    Block ransomware and other threats with AVG AntiVirus

    Free install
    Nica Latto & Monica Mateiu