What is ransomware? A plain-language guide for 2026
Ransomware encrypts files and demands payment to release them. This guide explains how it works, who is targeted, what to do if it happens, and how to defend against it.
Ransomware is malicious software that encrypts files on the systems it infects and demands payment — usually in cryptocurrency — in exchange for the decryption key. Modern ransomware operations almost always also steal data before encrypting, then threaten to publish it: this is called double extortion.
How a typical attack works
- Initial access: stolen credentials (RDP, VPN), phishing, or exploitation of an unpatched internet-facing system. This stage often relies on initial access brokers who specialize in selling footholds.
- Reconnaissance and lateral movement: the attackers use legitimate tools (PsExec, PowerShell, Cobalt Strike) to map the network, find domain admins, and identify the most valuable systems.
- Privilege escalation: targeting Active Directory, Okta, or other identity infrastructure. Once they own identity, they own the environment.
- Data exfiltration: bulk transfer of valuable data to attacker-controlled servers (cloud storage, MEGA, attacker VPS).
- Encryption: deploying the encryptor across the environment, often timing it for nights or weekends. Modern encryptors target backups, virtual-machine snapshots, and ESXi hypervisors to amplify damage.
- Extortion: the ransom note appears. Victims are given a deadline and a payment URL, and named publicly on a "leak site" if they refuse.
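The encryption and extortion stages above leave a distinctive trace in file telemetry: one process renaming many files to a single new extension across several directories in a short burst, followed by a ransom note being written. The detector below is an added example, not code from this guide or from any EDR product; the log format, process names, thresholds and the `.lockd` extension are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed thresholds; a real deployment tunes these against its own baseline.
WINDOW_SECONDS = 60   # burst window for renames by one process on one host
MIN_FILES = 4         # distinct files renamed to the same new extension
MIN_DIRS = 2          # ... spread over at least this many directories
NOTE_RE = re.compile(r"(readme|recover|restore|decrypt).*\.(txt|html?)$", re.I)

# Constructed sample telemetry: time|host|process|action|new_path
SAMPLE_EVENTS = r"""
2026-01-10T02:00:05|FS01|backup.exe|RENAME|D:\Backup\db1.bak
2026-01-10T02:00:06|FS01|backup.exe|RENAME|D:\Backup\db2.bak
2026-01-10T02:00:07|FS01|backup.exe|RENAME|D:\Backup\db3.bak
2026-01-10T02:00:08|FS01|backup.exe|RENAME|D:\Backup\db4.bak
2026-01-10T02:03:00|FS01|winupd.exe|RENAME|C:\Shares\Finance\q4.xlsx.lockd
2026-01-10T02:03:01|FS01|winupd.exe|RENAME|C:\Shares\Finance\budget.xlsx.lockd
2026-01-10T02:03:02|FS01|winupd.exe|RENAME|C:\Shares\HR\payroll.csv.lockd
2026-01-10T02:03:03|FS01|winupd.exe|RENAME|C:\Shares\HR\reviews.docx.lockd
2026-01-10T02:03:05|FS01|winupd.exe|CREATE|C:\Shares\HR\RESTORE_FILES.txt
"""

def split_path(path):  # -> (directory, filename, lowercase extension or "")
    directory, _, name = path.rpartition("\\")
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    return directory, name, ext

def detect(lines):  # returns alert tuples in the order they fire
    alerts, windows = [], defaultdict(deque)  # (host, proc, ext) -> (ts, path)
    for line in filter(str.strip, lines):
        ts, host, proc, action, path = line.strip().split("|")
        ts = datetime.fromisoformat(ts)
        directory, name, ext = split_path(path)
        if action == "CREATE" and NOTE_RE.search(name):
            alerts.append(("ransom_note", host, proc, path))
        if action != "RENAME":
            continue
        q = windows[(host, proc, ext)]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:  # expire old events
            q.popleft()
        files = {p for _, p in q}
        dirs = {split_path(p)[0] for p in files}
        alert = ("mass_rename", host, proc, ext)
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS and alert not in alerts:
            alerts.append(alert)
    return alerts
```

The backup job renames just as many files but stays inside one directory, so the directory-spread threshold keeps it quiet; the burst across Finance and HR fires, and the note drop fires separately.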
Who is targeted
Anyone with money or sensitive data — but in practice, healthcare, manufacturing, government, education, and finance are the most-attacked sectors. Small and mid-sized organizations are over-represented because they often lack security staff but pay rather than face downtime.
What to do if you are hit
- Contain first: disconnect affected hosts from the network. Preserve memory and disk snapshots — they will be needed for the investigation and any insurance claim.
- Engage incident response: an experienced IR firm, your cyber insurance, and (depending on jurisdiction) law enforcement.
- Decide on payment with eyes open: weigh the legal status (some threat actors are sanctioned), the operational reality (decryptors are often slow and incomplete), and your backup posture.
- Notify: regulators (GDPR, HIPAA, state breach laws), customers, and partners. The notification window is often 72 hours.
How to defend
The fundamentals have not changed:
- Multi-factor authentication on every external-facing system, every administrative account, every identity provider.
- Offline, immutable backups, tested regularly. Backups that the attacker can reach are not backups.
- Patch the internet-facing edge: VPN gateways, Citrix, MOVEit-class file transfer appliances. The same five products account for a large share of intrusions every year.
- EDR on every endpoint and server, tuned and monitored. Visibility is the whole game.
- Tabletop exercises: simulate a ransomware incident with the executive team before you need to do it for real.
Related reading on Cyber Breaches
- Change Healthcare ransomware (2024) — the largest U.S. healthcare breach on record.
- MGM Resorts ransomware (2023) — a ten-minute help-desk call brought down the Las Vegas Strip.
- Colonial Pipeline ransomware (2021) — a reused VPN password triggered a national emergency.
- LockBit threat actor profile — the dominant RaaS operation of 2022–2024.