See all Security articles
See all Privacy articles
See all Performance articles
Select language
Select language
Avast Academy Security Ransomware The Essential Guide to Ransomware

The Essential Guide to Ransomware

As one of today’s most pressing cyberthreats, ransomware kidnaps your sensitive files and holds them hostage unless you pay up. To keep your files and data safe, learn what ransomware is, how it works, and how you can prevent it from infecting your devices with a world-class anti-malware tool like Avast One.

Editors' choice
Top Rated

What is ransomware?

Ransomware is a type of malware that encrypts files and even entire computer systems, then demands a ransom payment in exchange for returning access. Ransomware uses encryption to block access to infected files or computer systems, making them unusable to the victims. Ransomware attacks target all kinds of files, from personal to business-critical.

Hamburguer menu icon

This article contains:

    After a ransomware attack, the hackers or cybercriminals behind it will contact victims with their demands, promising to unlock their computer or decrypt their files after a ransom is paid, usually in bitcoin or some other cryptocurrency.

    Though awareness of ransomware’s increasing danger has been growing since the mid-2000s, ransomware attacks have targeted individuals, businesses, and governments for decades. The first documented ransomware attack, known as the AIDS Trojan, or the PC Cyborg, was launched in 1989 by Dr. Joseph Popp, a Harvard-educated evolutionary biologist.

    Dr. Popp stored his virus on floppy disks that appeared to contain an AIDS education program, then mailed the infected disks to his victims. Once activated, the AIDS Trojan encrypted files on the victim’s computer and demanded a ransom of $189 to unlock the files.

    The AIDS Trojan ransomware note from 1989.The AIDS Trojan ransomware note. (Source: Wikipedia)

    Today, attackers have easy access to open-source ransomware programs. Successful attacks can be extremely lucrative, netting some hijackers millions of dollars and forcing individuals, companies, or governments to clean up the mess. The potential rewards for cybercriminals have led to a surge in ransomware attacks.

    The COVID-19 pandemic brought with it another spike, which included cybercriminals hitting a string of hospitals with ransomware — making an already bad situation that much worse.

    How ransomware infects your device

    Some types of ransomware can infiltrate your device and take over your files without any action on your part. Other ransomware attacks rely on more traditional methods of malware infection.

    Here’s an overview of how different types of ransomware work:

    • Exploit kits: Malicious actors develop exploit kits to take advantage of vulnerabilities in applications, networks, or devices. This type of ransomware can infect any network-connected device running outdated software. Keep your systems and apps updated to shield your hardware and files from attacks.

    • Phishing: In a phishing attack, cybercriminals will impersonate trusted contacts or organizations and send you an email with a seemingly legitimate attachment or link. This type of social engineering attack often includes a fake order form, receipt, or invoice.

      Typically, the attachments have file extensions that make them appear as PDFs or Microsoft Office files (XLS, DOCX) — in reality, these are executable files in disguise. If you download and open the file, the ransomware attack is triggered.

      An example of a phishing email with a malicious linkPhishing emails often include authentic-seeming attachments and links.

    • Malvertising: Attackers can distribute malware by embedding it in fake online ads in a practice known as malvertising. Even the most trustworthy sites can be compromised with malvertising.

      While some malvertising ads only install ransomware onto your device after you click, others will download the ransomware as soon as they load on the webpage — without requiring a click. An ad blocker, such as the one in Avast Secure Browser, can protect you against these malicious ads.

    • Drive-by downloads: Attackers can prime websites with malware so that when you visit, the site automatically and secretly downloads the malware onto your device. If you’re using outdated browsers and apps, you’re especially vulnerable to this technique, but a free antivirus app can help.

    Ransomware attacks may not begin immediately. Some ransomware is designed to lie dormant on your device to keep you from identifying its source. For example, the AIDS Trojan strain did not activate until the 90th reboot of the computers it infected.

    How a ransomware attack works

    Once the ransomware is on your device, the hostage-taking begins. Depending on the strain, a ransomware attack works by encrypting files or locking up your entire device. The ransomware then displays a ransom note that demands money in exchange for a decryption key.

    Here are the two steps to a ransomware infection:

    1. The ransomware encrypts your files. This means it scrambles files or file structures so they become unusable until you decrypt them. Ransomware tends to use data encryption methods that can only be reversed with a specific decryption key, which is what the ransomware attacker is asking you to pay for.

    2. Then, a ransom note appears on your screen after the malware finishes encrypting your files. The note tells you how much you’ll need to pay, how to transfer the ransom, and the deadline — after which point the fee may increase, or the attacker may threaten to permanently encrypt or delete your files.

    While your device is infected with ransomware, any attempts to open your encrypted files will most likely be met with an error message informing you that your files are corrupt, invalid, or cannot be located.

    And it’s not just Windows users who need to be worried. Ransomware can affect Macs and mobile devices, too.

    What the experts say

    “The threat actors responsible for this malware generally rely on spreading through the use of third party app stores, game cheats, and adult content applications. A common infection technique is to lure users through popular internet themes and topics – we strongly recommend that users avoid attempting to download game hacks and mods and ensure that they use reputable websites and official app stores.”

    Ondřej David, Malware Analysis Team Lead & Jakub Vávra, Threat Operations Analyst

    Avast Threat Labs

    How to prevent ransomware

    The best way to protect your devices is to keep ransomware from infecting them in the first place. By practicing smart internet habits and using a reliable ransomware prevention tool, you’ll be a much tougher target for cyberattackers to hit.

    Our detailed guide on ransomware prevention has everything you need to know about staying safe — in the meantime, here are a few tips to prevent ransomware:

    • Keep your software updated. Making sure your OS and apps get new updates as soon as they’re released will plug security holes and prevent hackers from using exploits to deploy ransomware.

    • Back up your system regularly. Ransomware gains its power from blocking access to important files. If you have the files backed up safely elsewhere, you’ll never have to pay a ransom. Perform regular backups of your system and files — cloud services and physical storage are both viable options, and you should use both if you can. If your device lets you set an automatic backup schedule, do that as well.

    • Use an ad blocker. Load up your browser with one of the ad best blockers to shield yourself from malvertising and drive-by-downloads: two ad-related ways ransomware can make its way into your system.

    • Be skeptical. Be wary of strange links sent in emails or on other messaging platforms. Even if the link comes from someone you know, they could have been hacked. Learn the signs of unsafe websites and avoid visiting them.

    • Use an antivirus. Ransomware can hurt you only if it can reach you. Employ a robust cybersecurity app that blocks malware and viruses before they can get anywhere near you. Avast One blocks unsafe links, sketchy downloads, and unsecure websites. Get 24/7 protection and never worry about a scary ransom note.

    Types of ransomware

    The four different forms of ransomware attack range from annoying to life-threatening. Some lock you out of your computer, while others can eradicate your files and render your operating system useless. The one thing they all have in common is a ransom demand.

    While new strains of ransomware are in development, here’s an overview of the different types of ransomware that currently exist:

    • Filecoders: Also known as encryptors, filecoders make up 90% of ransomware strains. Filecoders encrypt and lock files on infected devices. The attackers demand payment for decryption keys, usually by a deadline after which they may damage, destroy, or permanently lock your files.

      The CryptoLocker ransomware noteThe CryptoLocker ransomware note.

    • Screenlockers: These lock you out of your device completely. Screenlockers tend to mimic government institutions, like the US Department of Homeland Security or the FBI, and inform you that you broke the law and must pay a fine to unlock your device.

      Screenlockers are now more common on Android devices than Windows PCs, though cybercriminals have also targeted Apple devices with browser-based screenlockers.

      An example of screenlocker ransomwareA screenlocker ransomware example.

    • Doxing: Doxing is not technically a form of ransomware, but it is a serious digital threat that can involve a ransom demand. Through a malicious file or link, the attacker gains access to your sensitive personal data, including usernames, passwords, credit card numbers, and passport details.

      You then get a message telling you that unless you pay a fee, your attacker will publish your information. Our free Avast Hack Check tool can tell you whether any of your passwords have leaked or been stolen. For stronger protection, get our advanced identity theft monitoring tool, Avast BreachGuard.

      An example of a malware-based doxxing threatAn example of a malware-based doxing threat.

    • Scareware: Scareware is a fake software program that claims to have found issues on your computer and demands payment to fix them. Scareware typically bombards your screen with pop-ups and alert messages. Some strains behave more like screenlockers, locking up your computer or mobile device until you pay.

    Ransomware’s rise in popularity is due in part to its availability and ease-of-use. Criminals can buy customizable open-source tools that let them launch new malware attacks. And hackers are constantly updating their code to strengthen their encryption, giving new life to some ransomware strains.

    Ransomware examples

    The vast majority of ransomware attacks target Windows PCs. But Macs, iOS devices, and Android devices have all been hit. The following sections look at examples of more prevalent ransomware strains that criminals have deployed over the years.

    PC ransomware

    Windows PCs are still the most popular targets for computer ransomware attacks. Malicious hackers can exploit Windows-specific vulnerabilities relatively easily, and there are a lot more PC users than Mac users.


    The WannaCry strain shows how extensive a PC-based ransomware attack can be. In May 2017, WannaCry spread across the globe and ultimately attacked over 100 million users while causing hundreds of millions of dollars in damage.


    Emerging in 2018 and estimated to have affected over 1.5 million users, the GandCrab family of ransomware was nullified in 2019 thanks to a coalition of state and private cybersecurity researchers.

    Like its predecessor Cerber, GandCrab operated on a ransomware-as-a-service (RaaS) model, in which cybercrime hopefuls could rent it out in exchange for a cut of their takings. With the decryptor now available online for free, GandCrab is fortunately no longer a serious threat.


    The Petya strain, which first appeared in 2016 and returned in a more advanced form in 2017, uses the screenlocker approach by encrypting your hard drive’s master file table to lock up your computer. Some versions came bundled with a secondary strain of ransomware known as Mischa, a conventional filecoder that took over if Petya couldn’t activate on a victim’s computer.

    Popcorn Time

    Since ransomware attackers can maximize their profits by infecting as many devices as possible, they’ve started encouraging victims to infect others. The Popcorn Time strain asks you to infect two other users with the malware. If both of those users pay the ransom, you will receive your files back, free of charge.

    Many of the most well-known ransomware strains are currently inactive due to software updates having patched the vulnerabilities they targeted. But if you’re still using old software, you’re vulnerable. Learn more about different Windows computer ransomware strains in these articles:

    Mobile ransomware

    Ransomware attacks on mobile devices are on the rise. Examining data from the first half of 2019, research firm Check Point saw a 50 percent year-on-year rise in cyberattacks targeting smartphones and tablets. In 2019, Android users were warned about a new strain that infects devices via SMS.

    Ransomware often makes its way onto Android devices through third-party download portals. But there have been cases where ransomware was hidden within seemingly legitimate apps in the Google Play Store.

    Apple ransomware

    Though Apple devices are less susceptible to malware attacks, their continuously growing user base has gained them more attention from malware developers.

    In 2017, two security firms uncovered ransomware and spyware programs that specifically targeted Apple users. During their investigation, researchers determined that software engineers who specialize in macOS developed these programs and made them available for free on the dark web.

    Malicious attackers have also accessed Mac users’ iCloud accounts and used the Find My iPhone service to launch screenlocker attacks.

    Is ransomware a virus?

    Although it is malicious software, ransomware is not a virus. Many people use the term virus to refer to all forms of malware. In fact, a computer virus is just one type of malware, and each type behaves differently.

    Viruses, worms, and Trojans can all be delivery methods for ransomware. Though the ransomware might be spread by a virus, it’s not a virus itself.

    Our research suggests that most ransomware spreads through Trojan malware, which means the ransomware program is hidden inside a file or link that seems both harmless and important enough for you to open. When ransomware is delivered via a computer worm, it spreads automatically, like WannaCry, or it can spread via the user, like Popcorn Time.

    Can ransomware be removed?

    Depending on your device and the strain, you may be able to get rid of ransomware. The ransomware removal process is the relatively easy part, but recovering your encrypted files can be impossible — sometimes even after the ransom has been paid.

    Removing the ransomware from your device is far from a guarantee that you will succeed in negating its effects. If you’re struggling with ransomware, consult our guides to removing ransomware from PC and removing ransomware from Mac.

    If you’re looking for a way to unlock files after a ransomware attack, you might find the solution you need in this list of Avast ransomware decryption tools.

    Should I pay the ransom?

    We strongly recommend that you don’t pay the ransom. And don’t attempt to negotiate with your attacker. Giving in to their demands will only inspire cybercriminals to continue developing and launching new ransomware strains. These attackers could also be using their ill-gotten gains to fund other illegal activities.

    If you get hit with ransomware, don't pay the ransom.If you get hit with ransomware, don’t pay the ransom.

    Paying the ransom doesn’t guarantee that your attacker will delete the ransomware or unlock your device. While they want a reputation for keeping their word so victims are more likely to pay up, some hijackers have collected ransoms and disappeared or sent useless decryption keys. You could even end up paying a completely different ransomware attacker.

    If you can’t recover your files following a ransomware attack, hold out for a decryption tool. Sometimes, there’s a flaw in the cryptography the ransomware code uses, and the malware exposes lines of code that allow cybersecurity researchers to develop a fix.

    Keep your treasured data safe from ransomware

    It just takes one click to inadvertently download ransomware. Once you do, it’s too late to fight back — unless you’ve already installed a strong anti-ransomware program. Fortify your device’s defenses easily with the powerful Ransomware Shield in Avast One.

    It’ll alert you to any signs of ransomware and other malware and remove them from your device before they can infect it. Protect your most important files with award-winning and absolutely free cybersecurity software trusted by more than 400 million people worldwide.

    Protect your iPhone against security threats with Avast One


    Protect your Android against ransomware with Avast One

    Patrick Seguin & Nica Latto