
The Essential Guide to Ransomware

A ransomware attack can result in the loss of important personal and business-critical data. To keep your devices and files safe from this prevalent threat, you should understand what you’re up against. Read on for a definition of ransomware that will help you take the proper precautions — and learn how to use a free software tool to prevent ransomware.


What is ransomware?

Ransomware is a type of malware, or malicious software, that takes files — and sometimes entire computers or mobile devices — hostage. We can define ransomware by this behavior: hackers will request a ransom payment in exchange for returning access, or decrypting your files.


    You’ll know immediately if you have ransomware, as it cuts off access to your infected device and usually encrypts your files. In both cases, you can no longer open and work with vital data, such as work documents and personal photos and videos. The cybercriminals behind the attack will contact you with their demands, promising to unlock your computer or decrypt your files once you’ve paid the ransom (usually in Bitcoin).

    Mainstream awareness about ransomware’s steadily increasing danger dates back to the mid-2000s, though ransomware attacks have been targeting individuals, businesses, and governments for over 30 years. The first documented attack, known as the AIDS Trojan, or the PC Cyborg, was launched in 1989 by Dr. Joseph Popp, a Harvard-educated evolutionary biologist.

    The AIDS Trojan was the first case of ransomware, distributed via floppy disks delivered through postal services.

    Dr. Popp stored his virus on floppy disks that appeared to contain an AIDS education program. He then distributed these disks to his victims via postal services. Once activated, the AIDS Trojan encrypted filenames on the victim’s computer, then demanded a ransom of $189, or $391 in today’s dollars.

    Technological progress has practically eliminated all the effort and investment Dr. Popp’s scam must have required. We live in an interconnected world with easy access to open-source ransomware programs. Successful attacks can be extremely lucrative, netting some hijackers six-figure payouts and costing cities millions in clean-up processes. These factors have led to a surge in ransomware’s popularity among cybercriminals.

    How a ransomware attack works

    Unlike most malware, which requires you to download a malicious file or click on a malicious link, some ransomware can infiltrate your devices without any action on your part. Other ransomware attacks rely on traditional methods. Here’s an overview of how different forms of ransomware work:

    • Exploit Kits: Malicious attackers develop exploit kits that contain prewritten code designed to take advantage of vulnerabilities in applications, networks, or devices. This type of ransomware can infect any network-connected computer or mobile device running obsolete software, so keep your systems and apps updated to shield your hardware and files from attacks.

    • Social Engineering: Rather than develop a software exploit, many cyberattackers rely on more traditional methods. They’ll use social engineering tricks to fool you into downloading their ransomware from an attachment or URL in a type of attack known as phishing.

    • Phishing: The cybercriminal will pose as a trusted contact and send you an email containing a seemingly legitimate attachment or link. Common examples include an order form, receipt, or invoice. Typically, the attachments have file extensions that make them appear to be PDFs or Microsoft Office files (e.g., .pdf, .xls, .docx) — in reality, these are executable files in disguise. When you download and open the file, you’ll launch the ransomware attack.

      An example of a phishing email containing a ransomware-infected link.

      Be aware that an attack may not begin immediately. Some ransomware is designed to hide on your device for a designated amount of time to keep you from pinpointing its source. For example, the AIDS Trojan strain did not activate until the 90th reboot of the computers it infected.

    • Malvertising: Attackers can distribute their malware by embedding it in fake online ads in a practice known as malvertising. Cybercriminals can place their ads on almost any website, even the most trustworthy sites. If you click on a malicious advertisement, you’ll download ransomware onto your device. This is a great reason to avoid clicking on any internet ads you encounter.

    • Drive-by downloads: Attackers can prime websites with malware so that when you visit, the site automatically and secretly downloads the malware onto your device. If you’re using out-of-date browsers and apps, you’re especially vulnerable to this technique.
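
The disguised-attachment trick described under Phishing above can be checked mechanically before a file is ever opened. The following Python code is an added example, not part of the original article or any Avast product: it flags filenames whose real (final) extension is executable while one of the document extensions the article names (.pdf, .xls, .docx) is shown before it. The executable-extension list, the function names and the sample filenames are assumptions constructed for illustration.

```python
# Decoy extensions named in the article; the executable list is an assumed,
# non-exhaustive sample of Windows-launchable file types.
DECOY_EXTS = {"pdf", "xls", "docx"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "lnk"}


def classify_attachment(filename):
    """Return 'disguised', 'executable' or 'ok' for an attachment filename."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    name = filename.strip().rstrip(". ").lower()
    # Strip padding around each dot-separated part ("pdf      .exe").
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return "ok"
    # The real type is executable; is a document extension shown before it?
    if any(p in DECOY_EXTS for p in parts[1:-1]):
        return "disguised"
    return "executable"


def triage(filenames):
    """Map each filename to its verdict, keeping only those worth blocking."""
    verdicts = {f: classify_attachment(f) for f in filenames}
    return {f: v for f, v in verdicts.items() if v != "ok"}


# Constructed sample attachment names, not taken from a real campaign.
SAMPLES = [
    "invoice.pdf",
    "Invoice.pdf.exe",
    "receipt.docx          .scr",
    "order_form.xls.js.",
    "quarterly.report.v2.xls",
    "setup.exe",
]

if __name__ == "__main__":
    for fname, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {fname!r}")
```

A filename check like this only catches the naming disguise; it says nothing about the file's contents, so it complements rather than replaces malware scanning.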

    Regardless of where ransomware comes from, and no matter how it gets on your device, here’s a likely worst-case scenario for what might happen once you open or activate a malicious program of this type. Unfortunately, this is also the most common scenario when it comes to ransomware infection:

    1. The ransomware encrypts your files. This means it changes files or file structures in such a way that you’ll only be able to read or use them again by restoring them to their original state; that is, you’ll need to decrypt your files.

      This isn’t something you can easily do on your own — ransomware tends to use hard-to-crack encryption methods that can only be reversed with a specific decryption key. This is what the ransomware attacker is asking you to pay for.

    2. Once the malware finishes encrypting your files, a ransom note appears on your screen, telling you:

      1. How much you’ll need to pay, typically in Bitcoin, to get the decryption key, or to have the hijacker decrypt your files.

      2. Where and how to transfer the ransom.

      3. The deadline: if you don’t pay by a certain date and/or time, the ransom may increase, or the attacker may threaten to permanently encrypt or delete your files.

    While your device is infected with ransomware, any attempts to open your encrypted files will most likely be met with an error message informing you that your files are corrupt, invalid, or cannot be located.

    Types of ransomware

    There are four different forms of ransomware attack that vary in severity, ranging from annoying to life-threatening. Some lock you out of your computer, while others can eradicate your files and render your operating system useless. The one thing they all have in common is a ransom demand. Here’s an overview of the different types of ransomware that currently exist. It’s also worth noting that new types are continuously being developed.

    • Filecoders: Also known as encryptors, these programs make up 90% of ransomware strains. This type of malware encrypts and locks files on infected devices. The attackers demand payment for decryption keys that enable you to access your files, usually by a deadline after which they may damage, destroy, or permanently lock your files.

      The CryptoLocker filecoder is ransomware that encrypts the victim’s files and demands payment for the decryption key.

    • Screenlockers: These lock you out of your computer, smartphone, or tablet completely. They tend to look like they’re from a government institution, like the US Department of Homeland Security or the FBI, and inform you that you broke the law and must pay a fine to unlock your PC. Screen lockers are now more common on Android devices than Windows PCs, though cybercriminals have also targeted Macs with browser-based screenlockers.

      The FBI / MoneyPak ransomware strain locks the Safari browser, but can be resolved in minutes.

    • Doxxing: The act of doxxing is not technically a form of ransomware, but it is a serious digital threat that can involve a ransom demand. Through a malicious file or link, the attacker gains access to your sensitive personal data, including usernames, passwords, credit card numbers, and passport details. You then get a message telling you that unless you pay a fee, your attacker will publish your information. Visit our free Avast Hack Check tool to make sure none of your passwords have leaked or been stolen.

      One variant of the Jigsaw ransomware virus includes a doxxing threat.

    • Scareware: Scareware is a fake software program that claims to have found issues on your computer and demands payment to fix them. Scareware typically bombards your screen with pop-ups and alert messages. Some strains behave more like screenlockers, locking up your computer or mobile device until you pay.

    Ransomware’s rise in popularity is due in part to its availability and ease-of-use. Criminals can buy customizable open-source tools that enable them to build and launch new malware attacks. At the same time, cyber-hijackers are continuously updating their code to strengthen their encryption, giving new life to some ransomware strains.

    Ransomware examples

    While the vast majority of ransomware attacks target Windows PCs, all four variants can infect Macs, iOS devices, and Android devices. The following sections look at examples of more prevalent strains that criminals have deployed over the years.

    PC ransomware

    Windows PCs are still the most popular targets for computer ransomware attacks. Malicious hackers can exploit Windows-specific vulnerabilities relatively easily, and there are a lot more PC users than Mac users.


    The WannaCry strain shows how extensive a PC-based ransomware attack can be. In May 2017, WannaCry spread across the globe and ultimately attacked over 100 million users.

    The WannaCry ransom note. The malware is easy to remove, but recovering your files can be complicated to impossible.

    WannaCry exploited a known Windows vulnerability called EternalBlue, a bug that allows cybercriminals to execute code remotely through a Windows File and Printer Sharing request. Microsoft had issued a patch for EternalBlue two months before WannaCry was launched; unfortunately, many individuals and businesses did not perform the update in time to ward off the attack. EternalBlue dates back to the Windows XP operating system, which Microsoft stopped supporting. Therefore, WannaCry impacted Windows XP users the most.


    Emerging in 2018 and estimated to have affected over 1.5 million users, the GandCrab family of ransomware has recently been nullified thanks to a coalition of state and private cybersecurity researchers. Like its predecessor Cerber, GandCrab operated on a ransomware-as-a-service (RaaS) model, in which cybercrime hopefuls could rent it out from its creators in exchange for a cut of their “earnings.” With the decryptor now available online for free, GandCrab is fortunately no longer a serious threat.


    The Petya strain, which first appeared in 2016 and returned in a more advanced form in 2017, uses the screenlocker approach by encrypting your hard drive’s master file table to lock up your computer. Some versions came bundled with a secondary strain of ransomware known as Mischa, a conventional filecoder that took over if Petya wasn’t able to activate on the victim’s computer.

    The Petya ransomware strain evolved into a more serious threat to Windows PC users.

    Popcorn Time

    Since an attacker’s ultimate goal is to spread the ransomware to as many machines as possible in order to make the most money, an alternative ransom tactic has emerged — a tactic that is both social and sinister. A prime example of this tactic is the Popcorn Time strain, which asks you to infect two other users with the malware. If both of those users pay the ransom, you will receive your files back, free of charge.

    The Popcorn Time ransomware strain tries to get its victims to spread the virus.

    Like WannaCry, many of the most well-known ransomware strains are currently inactive due to software updates which patched the vulnerabilities the malware had been exploiting. That means if you’re still using old software, you’re vulnerable — so make sure to update.

    Mobile ransomware

    Ransomware attacks on mobile devices are growing in frequency. Examining data from the first half of 2019, research firm Check Point saw a 50 percent year-on-year rise in cyberattacks targeting smartphones and tablets. At the end of July 2019, Android users were warned about a new strain that infects devices via SMS.

    Ransomware often makes its way onto Android devices through an app from a third-party site. However, there have been cases where ransomware was successfully hidden within seemingly legitimate apps in the Google Play Store.

    Apple ransomware

    Apple devices may come with a more secure operating system compared to others, but that doesn’t mean your macOS or iOS device is immune to ransomware. Though they’re less susceptible to malware attacks, Apple computers and mobile devices have a continuously growing user base, which has gained them more attention from malware developers.

    Advanced Mac Cleaner is scareware that tries to con users into paying for a bogus solution to a fake problem.

    In 2017 two security firms uncovered ransomware and spyware programs that specifically targeted Apple users. During their investigation, researchers determined that software engineers who specialize in macOS developed these programs and made them available for free on the dark web. Malicious attackers have also accessed Mac users’ iCloud accounts and used the Find My iPhone service to launch screenlocker attacks.

    Is ransomware a virus?

    Most of us are familiar with the term “virus” and many people often use it to refer to all forms of malware. In fact, a virus is just one type of malware, with each type of malware having different characteristics.

    A virus is designed to infect your devices, damage your files, replicate itself, and spread to new hosts, just like a flu virus infects your body, makes you sick, and, in some cases, spreads to others who have come in contact with you.

    Our research suggests that most ransomware spreads through Trojans, which means the ransomware program is hidden inside a file or link that seems both harmless and important enough for you to open or click. When ransomware is wormable it spreads automatically, like WannaCry, or it can spread via the user, like Popcorn Time.

    Viruses, worms, and Trojans can all be delivery methods for ransomware. Though the ransomware might be spread by a virus, it’s not a virus itself.

    Can ransomware be removed?

    Depending on your device and the strain, you may be able to rid your computer, smartphone, or tablet of ransomware. The malware removal process is the relatively easy part, but recovering your encrypted files can be impossible, sometimes even after the ransom has been paid. Removing the ransomware from your device is far from a guarantee that you will succeed in negating its effects.


    If you’re looking for a way to unlock files after a ransomware attack, you might find the solution you need in this complete list of Avast ransomware decryption tools.

    Should I pay the ransom?

    We get that you want a quick fix, but we strongly recommend that you don’t pay the ransom. And don’t attempt to negotiate with your attacker. Giving in to their demands will only support future ransomware attacks and inspire cybercriminals to continue developing and launching new strains. These attackers could also be using their ill-gotten gains to fund other illegal activities.

    Avast free ransomware decryption keeps your Mac and files safe from cybercriminals.

    Also, paying the ransom does not guarantee that your attacker will delete the ransomware, unlock your device, or give you the decryption tool for their strain. While they want a reputation for keeping their word so victims are more likely to pay up, some hijackers have collected ransoms and disappeared or sent useless decryption keys. You could even end up paying a completely different ransomware attacker.

    If you can’t recover your files following a ransomware attack, we urge you to hold out for a decryption tool for the strain that has infected your computer or mobile device. Sometimes, there’s a flaw in the cryptography the ransomware code uses, and the malware exposes lines of code which can lead to a fix.

    Prevention is the best policy

    The best way to protect your devices is to keep ransomware from infecting them in the first place. If you can ward off ransomware attacks, you’ll never have to worry about the consequences of an infection. By practicing smart internet habits and using a reliable ransomware prevention tool, you’ll be a much tougher target for cyberattackers to hit. Head to our detailed guide on ransomware prevention in order to learn everything you need to know about fighting this troublesome malware.

    If you do get infected, having a current backup of your important documents will render the ransomware threat harmless. Perform regular backups of your system and files — cloud services and physical storage are both viable options, and you should use both if you can. If your device allows you to set an automatic backup schedule, do that as well.

    Keep your treasured data safe from ransomware

    It just takes one click to inadvertently download ransomware onto your device, and once you do, it’s too late to fight back — unless you’ve already installed a strong anti-ransomware program. You can fortify your device’s defenses easily with the powerful Ransomware Shield in Avast Free Antivirus. It’ll alert you to any signs of ransomware and other malware and remove them from your device before they have a chance to infect it. Protect your most important files with the cybersecurity solution trusted by over 400 million users worldwide.
