What Is Ransomware & Can an Antivirus Prevent It?

Katarina Glamoslija
Katarina Glamoslija Lead Cybersecurity Editor
Updated on: June 15, 2024
Fact Checked by Kate Davidson

Short on Time? Here’s what you need to know about ransomware in 2024:

  • Ransomware is a type of malware that blocks or denies a user’s access to their own computer system or to certain data files until they pay ransom money to release it. It is usually targeted at specific individuals or businesses with a lot to lose. The best way to prevent a ransomware attack is to use a top-quality antivirus with ransomware protection (I recommend Norton).

Can antivirus really prevent ransomware? Yes, and no. An antivirus can prevent many types of ransomware, but it can’t stop it once it’s taken control of your system. However, antivirus programs are evolving to overcome the threat.

Ransomware works very differently from traditional viruses: it attacks your important files by holding them hostage with encryption, and the hackers then try to extort money to set them free. These attacks are most commonly aimed at large businesses and individuals with valuable data, but anyone could potentially become a victim.

Hackers are interested in restricting access to valuable data, so education, government, energy and utilities, and healthcare continue to be the hardest-hit industries. Some experts have described these attacks as the biggest current cybersecurity threat.

Yet, these attacks cost more than just money. They also lead to the loss of important data, costly downtime, and decreased productivity.


What Is Ransomware and Where Does It Come From?

In short, ransomware is a form of malware that holds your computer or your data for ransom. Threats of this type lock all or part of your computer down and will deny you access until you’ve paid the fee. Ransomware first appeared in the 1980s but didn’t pose a serious threat to the public until the last decade. Today, thousands of ransomware attacks occur every day.

Ransomware infects your computer like most viruses: opening an email attachment, downloading a suspicious file, or visiting a website that has already been infected. The only way to stop ransomware is to have an up-to-date antivirus.

However, the sophistication and evolution of ransomware viruses make them difficult to detect. With ransomware constantly changing, it’s difficult for some antivirus programs to pick them up until it’s too late.

How Does Ransomware Work?

Ransomware attacks tend to follow a general pattern:

  1. You Contract an Infection. Ransomware infections work similarly to other viruses. You may download it as a result of phishing, a social engineering tactic that tricks you into authorizing a download that you think is a safe or legitimate program. Alternatively, it could take the form of an exploit kit, which targets vulnerabilities in your existing software to gain backdoor access.
  2. The Wait Period. Not all ransomware acts immediately. Some take up to 15 minutes to take hold, although others do manage to cause havoc in seconds.
  3. Encryption. Your data and files will be encrypted, requiring a decryption key to access them. The specific version of ransomware determines the level of encryption. 16-bit and 32-bit encryption can easily be broken using ransomware decryption tools. However, 128-bit or 256-bit encryption is as strong as the encryption that protects browsers and VPNs, making it nearly impossible to reverse.
  4. Financial Demand. The final stage is a pop-up message on your screen, alerting you to the infection. It will demand a ransom, which usually falls around $300-500. Hackers only ask individuals for amounts they may have on hand to increase the chances of them paying the fee, although businesses can pay tens of thousands of dollars.

It’s also common for ransomware to mimic local authorities. The message may claim that you’ve acted illegally or accessed banned content, and that’s why you are being fined. They often use county police or government logos to increase the apparent authenticity.

Ransom payments are usually demanded in cryptocurrencies such as Bitcoin, which makes them more difficult to track.

What Are the Signs of a Ransomware Infection?

If you suspect a ransomware infection on your device, there are some telling signs to look out for. Recognizing these quickly can be crucial in mitigating damage and preventing the spread of the infection. Here are some key indicators:

  • File Access Issues: One of the most immediate signs of a ransomware attack is that you won’t be able to open your files. The files may appear corrupted or their extensions may be changed, typically to something unusual or specific to a ransomware strain.
  • Ransom Notes: Once it’s encrypted your files, ransomware typically displays a ransom note on the screen or in notes saved as text files in your affected directories. These notes contain instructions on paying the ransom — they also often include timers counting down to a deadline.
  • System Slowdown: Ransomware can significantly slow your system while it encrypts files in the background. If your computer suddenly becomes mysteriously sluggish, this could indicate an infection.
  • Suspicious Network Communications: Ransomware often communicates with a command and control server while it’s encrypting your data. If you see an increase in unusual network traffic or outbound communications to unknown IP addresses, this can indicate ransomware activity.
  • Unusual File Activity: Are your files being renamed or disappearing? This might also signal that ransomware is encrypting your files.
  • Disabled Security Tools: Some ransomware variants try to disable antiviruses and other security apps to avoid detection and removal.

If you notice any of the above, it’s important to disconnect from the internet and other network connections immediately to prevent further spread and follow our advice on what to do if your computer is infected.

Types of Ransomware

Ransomware is a general label for a group of different malware types. They all have the common feature of demanding a ransom payment for removal but they don’t all behave the same way.

The following are some of the most common types:

  • Locker ransomware is considered to be the first type ever discovered. As its name suggests, it locks users out of their computers and demands some form of payment. This is one of the most debilitating versions as it often requires a system wipe to remove. Unfortunately, paying the ransom doesn’t always save you; some hackers have left password-stealing software on the machine even after the ransom has been paid.
  • Crypto ransomware’s key difference is that payment is demanded in the form of a cryptocurrency. Hackers often lock the user’s files and demand payment through an anonymous cryptocurrency address.
  • Mac ransomware is a form of ransomware for Mac computers. The first known case of it, referred to as KeRanger, appeared in 2016. This version would wait three days before encrypting 300 files. At that point, it would create a text file demanding a single Bitcoin.
  • Leakware works by stealing your information and threatening to release the data if you don’t pay up. Targeted details could include your bank info, contacts, intimate photos, and personal documents. It’s an especially successful tactic as it causes the victim to panic and respond rashly.
  • Scareware usually poses as fake security software. Once downloaded, it will alert you of issues that cost extra money to fix. In some cases, you will be flooded with so many alerts and pop-ups that your computer is unusable until you take action.
  • RaaS stands for Ransomware as a Service, a meta-malware type employed by career criminals. A hacker will hire out their services creating and distributing ransomware in exchange for a cut of the ransom. This kind is particularly dangerous as it can be used by anyone wanting revenge, and could target you specifically.
  • Double extortion ransomware is a newer form of ransomware that steals your data as well as encrypting it. Hackers threaten to release sensitive material unless you pay up, thus doubling the pressure to comply.

Over the years, countless instances of each type of ransomware have been detected. However, some attacks have done more damage than others.

Famous Examples of Ransomware

WannaCry, one of the most destructive cyberthreats in history, downed over 250,000 computers in 116 countries. The ransomware’s victims weren’t just personal devices; entire businesses and systems were brought to a standstill — including the British National Health Service.

In the UK, patients couldn’t make appointments, doctors couldn’t access records, and lives were put at risk. Suddenly, the cyberwarfare we see in movies such as Firewall (2006) or Goodbye World (2013) was no longer just a plot device. The threat had become a reality.

Seventy-five percent of the victims had to pay to get their data back, and ransomware increased by 350% around the world in just one year.

This attack was not the first instance of ransomware, but it was one of the most destructive. Here are some other famous examples of ransomware over the last couple of years:

  • CryptoLocker used a Trojan to target Windows computers. It affected 250,000 devices, mostly targeting users in the UK and US. The infection was spread using password-protected .zip files, which claimed to contain an important PDF.
  • TeslaCrypt was a ransomware trojan that is now, fortunately, defunct. It targeted game-players via file extensions for popular games, such as Call of Duty, WoW, and Minecraft. Once infected, the malware demanded $500 in ransom payments from the victims.
  • SimpleLocker is a type of mobile malware that mimics CryptoLocker. It blackmails victims by accusing them of committing a crime and demanding a fine. The pop-up fills the entire screen and returns even if you turn the device on and off.
  • NotPetya was a reinvention of the Petya ransomware of 2016. It was released just a few weeks after WannaCry, possibly inspired by it. It demanded $300, and 90% of the attacks were on Ukrainian victims, leading some to suggest it was organized by Russia.
  • Locky existed before the recent rise in ransomware. It affected half a million users and demanded a payment of one Bitcoin, which at the time was worth nearly $1,000. The malware was spread via an infected Word document, using social engineering tactics.
  • Cerber is another earlier form of ransomware that existed in 2016. It attacked 150,000 Windows users in July alone and continues to cost around $2.3 million a year.
  • Sodinokibi (REvil) is a ransomware-as-a-service operation which exploits vulnerabilities in remote access services. It’s known for extremely aggressive tactics and double extortion.

Although these types of ransomware are some of the most prolific, countless forms currently exist. Fortunately, you can protect yourself.

Tips to Prevent Ransomware

Simply knowing about ransomware isn’t enough to keep you safe. Your best weapon is understanding how to protect yourself. Due to its destructive nature, recovering from ransomware is a unique challenge, so it’s better to learn how to pre-empt an attack and avoid the infection altogether.

Here’s how to do it:

  • Perform Regular Backups. While it’s relatively simple to remove a ransomware infection, getting back your encrypted files without paying the ransom is more challenging. Since it may be impossible to restore your data after an attack, the best tactic is to perform regular backups of your system. Then, if you are attacked, you can simply restore to a time before you’d contracted the malware.
  • Update Software Regularly. Ransomware commonly exploits security holes to gain access to your device. The best way to avoid this issue is to update everything regularly. Software producers release new versions with patches for known vulnerabilities, so staying up-to-date will increase your security drastically.
  • Click Smart. Phishing scams are another common form of ransomware distribution. Avoiding social engineering isn’t impossible, as long as you know the signs. Be on the lookout for fake URLs, unexplained email attachments, and pop-ups. Never click banner ads or other “deals,” and look for typos and unrealistic claims to avoid fraudulent emails.
  • Stick to Trusted Sources. Perhaps the best tactic to avoid accidentally downloading a ransomware trojan is to stick only to sources you trust. This refers to everything online: websites, software, emails, e-commerce sites, etc. Most domains and brands are highly reviewed, so it’s easy to stick to those with a good reputation.
  • Try Whitelisting Software. By creating a baseline of approved applications, whitelisting software will prevent any unknown programs from launching and running on your device. If you unwittingly download malware, the whitelisting app will compare it to its list of sanctioned programs and will block any actions that don’t match.
  • Use a Top-Quality Antivirus. Good antivirus suites are essential for combating ransomware. They will alert users as soon as they locate a problem, and can also remove the infection easily. The best antivirus companies keep a catalog of all the known threats, so they can identify ransomware quickly and effectively. Some antivirus apps also provide a free ransomware decryption tool for malware with low-level encryption. Some may feel it’s too time-consuming or expensive to invest in their computer security. However, facing a ransomware attack will be far more costly than any prevention strategy.

How Antivirus Detects Ransomware

Known forms of ransomware are often easy for your antivirus to detect. Why? It’s all based on how ransomware behaves. Typically, your antivirus will notify you when something is trying to encrypt files out of nowhere.

Your antivirus works by constantly asking you which programs are safe, telling you about suspicious ones, and learning from the orders you give it. When a file becomes encrypted, or if subtle, uncommon changes are made to a file, your antivirus will let you know. Because of this, known ransomware is fairly easy to detect.
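The signs described earlier (files renamed to unfamiliar extensions, ransom notes dropped as text files, a sudden burst of file activity) and the behavioural detection described in this section can be reduced to a small heuristic over file-change events. The following is an added example, not code from the article or from any antivirus product; the FileEvent shape, the file names and the file contents are all constructed for the demonstration.

```python
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass

@dataclass
class FileEvent:
    """One write as a file-system watcher would report it (hypothetical event shape)."""
    old_path: str    # name before the change
    new_path: str    # name after the change; differs from old_path on a rename
    content: bytes   # bytes now stored in the file

RANSOM_NOTE_MARKERS = ("your files have been encrypted", "bitcoin", "decrypt")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_ransom_note(ev: FileEvent) -> bool:
    """A dropped text file whose wording matches at least two ransom-note phrases."""
    text = ev.content[:2048].decode("utf-8", errors="ignore").lower()
    return ev.new_path.endswith(".txt") and sum(m in text for m in RANSOM_NOTE_MARKERS) >= 2

def analyse_burst(events, entropy_threshold=7.0, min_encrypted=5) -> dict:
    """Score a burst of events for the article's signs: new extensions, ciphertext-like rewrites, notes."""
    encrypted_like, notes, new_exts = 0, 0, Counter()
    for ev in events:
        if is_ransom_note(ev):
            notes += 1
            continue
        old_ext, new_ext = os.path.splitext(ev.old_path)[1], os.path.splitext(ev.new_path)[1]
        if old_ext != new_ext and shannon_entropy(ev.content) >= entropy_threshold:
            encrypted_like += 1          # renamed AND now looks encrypted
            new_exts[new_ext] += 1
    # Many encrypted-looking rewrites, or even one alongside a ransom note, raises the alarm.
    suspicious = encrypted_like >= min_encrypted or (notes > 0 and encrypted_like > 0)
    return {"encrypted_like": encrypted_like, "ransom_notes": notes,
            "new_extensions": dict(new_exts), "suspicious": suspicious}

def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for encrypted file
    contents in the constructed samples; not the output of any real ransomware."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])

def sample_attack_burst():
    """Constructed: eight documents rewritten as ciphertext under a new extension, plus a note."""
    events = [FileEvent(f"docs/report{i}.docx", f"docs/report{i}.docx.locked",
                        pseudo_ciphertext(f"report{i}")) for i in range(8)]
    events.append(FileEvent("docs/README_DECRYPT.txt", "docs/README_DECRYPT.txt",
                            b"Your files have been encrypted! Send 1 bitcoin to decrypt them."))
    return events

def sample_benign_burst():
    """Constructed: an ordinary rename and a fresh archive (high entropy, but no rename)."""
    return [FileEvent("docs/notes.txt", "docs/notes.md", b"meeting notes\n" * 50),
            FileEvent("photos.zip", "photos.zip", pseudo_ciphertext("archive"))]
```

Running `analyse_burst(sample_attack_burst())` flags the burst because eight files changed extension while their contents jumped to ciphertext-like entropy and a note appeared, whereas the benign burst stays quiet because the archive is high-entropy but was not renamed and the renamed file is plain text.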

However, when it comes to second-generation ransomware, it’s a bit more difficult. Hackers are starting to employ methods that are difficult for antivirus programs to pick up.

Here’s what Cisco had to say about it:

“Many ransomware operations also have development teams that monitor updates from antivirus providers so that the authors know when a variant has been detected and it’s time to change techniques. Adversaries rely on the cryptocurrency bitcoin for payments, so transactions are more difficult for law enforcement to trace. And to maintain a good reputation in the marketplace—that is, being known to fulfill their promise to give users access to their encrypted files after the payment has been processed—many ransomware operators have established elaborate customer support operations.”

The average computer user doesn’t have the resources to take on challenges like this. They rely on their antivirus to protect them, but what should they do when even that isn’t enough?

Stopping Ransomware Before It Infects

Being proactive is still the best defense against ransomware. New updates try to combat the known versions of ransomware. And while we can’t predict what the future holds, you can protect yourself by adopting safe browsing practices.

Still, that doesn’t mean you shouldn’t install an antivirus. Some popular options include: Norton, Bitdefender, and TotalAV — these programs are capable of detecting known ransomware. It’s important that you take the right steps to reduce your chances of getting infected.

Remember, it’s easier to stop something before it starts. Once ransomware takes over your computer, removing it can be really difficult and result in data loss.

What To Do If Your Computer Gets Infected By Ransomware

Ransomware is notoriously difficult to deal with once it’s taken a hold of your files. If you do get infected, there’s more than a slim chance you won’t get your data back without paying the ransom.

Most experts, however, advise against paying the ransom. Here’s why:

  • Paying the ransom encourages the criminals to continue their scam
  • There’s no guarantee paying the ransom will get you your files back

However, if your data is extraordinarily important or sensitive, it’s completely up to you. There are plenty of documented cases of victims paying the ransom and receiving their data back in one piece.

That said, there are a few other techniques you can try before you give in to the attackers or give up on your data:

  • Disconnect From the Network. In the event of a ransomware alert, it’s crucial to disconnect from the network immediately to prevent it from spreading or accessing files on other devices in the network.
  • Remove the Ransomware. Scouring your computer and encrypting your files takes time, so you’ll want to remove the ransomware as soon as possible to minimize the damage. If you have a powerful antivirus like Norton on your computer, this should be easy. If not, you can always try one of the best free options for a quick fix. Removing the malware, however, won’t release your files.
  • Look for a Decryption Key Online. Luckily, there’s a huge community of whitehat hackers and cyber security experts working diligently to crack the latest ransomware strains. Use a tool like Crypto Sheriff to determine what strain has infected your computer, and scour resources like No More Ransom to see if a decryption key has been created yet. If you’ve been attacked by a common ransomware strain, there’s a decent chance someone will have cracked it and you may be able to recover your files.
  • Call a Professional (and Law Enforcement). If you’re still not able to recover your files or system access and you desperately need them back, you might want to call in a professional. Try your local computer repair shops or the Geek Squad — often they have antivirus or ransomware services, and they may be able to help. You should also report the ransomware attack to the local police or the FBI, which tracks cyber-attacks through its Internet Crime Complaint Center.

The Best Defense Against Ransomware Is You

As with any virus, you have to make a mistake for ransomware to infect your machine. So instead of clicking every link you see, you need to:

  • Think about the links you are clicking
  • Make sure you only browse safe websites
  • Keep your antivirus up to date
  • Change your antivirus if it doesn’t have ransomware protection
  • Back your files up using an external hard drive or in the cloud

Your antivirus will be able to protect you from basic, known forms of ransomware. With the rise in popularity of ransomware attacks, antivirus companies are working hard to increase detection and protection. But they have a long way to go before we can declare ransomware a thing of the past.

If you want to improve your security, practice safe browsing habits and take the necessary steps to keep your data safe and backed up.

Frequently Asked Questions

What is ransomware and how does it impact computer systems?

Ransomware is a type of malicious software (malware) that encrypts files on your computer or network, making them inaccessible until a ransom is paid. This ransom is usually demanded in cryptocurrency to make it harder to track. The impact of ransomware can be extremely severe, ranging from the loss of critical data to significant downtime and financial and reputational damage for businesses and other organizations. The best way to prevent ransomware is to invest in a good antivirus with ransomware protection.

Is it possible to remove ransomware once you’re infected?

Yes, it is possible, but it’s often challenging and does not guarantee the recovery of encrypted data. Removal involves using specialized security software designed to identify and eliminate the malware. However, while this deletes the ransomware, the encrypted files remain locked. The safest way to restore data is from backups that were securely made before the infection. Essentially, prevention is far more effective than cure when it comes to ransomware infections.

How did ransomware get onto my device?

There are several ways for ransomware to infect your device. The most common method is phishing emails that trick you into opening malicious attachments or clicking on links that download malware. These emails often appear legitimate, making them tricky to spot, so it’s vital to always exercise caution. Another infection vector is exploit kits, which are tools that hackers use to take advantage of vulnerabilities in your software to install ransomware. Ransomware can also spread through malicious websites or even through infected removable drives.


About the Author

Katarina Glamoslija is Lead Cybersecurity Editor at SafetyDetectives. She has more than a decade of experience researching, testing, and reviewing cybersecurity products and investigating best practices for online safety and data protection. Before joining SafetyDetectives, she led several tech websites, including one about antiviruses and another about VPNs. She also worked as a freelance writer and editor for tech, medical, and business publications. When she’s not a “Safety Detective”, she can be found traveling (and writing about it on her small travel blog), playing with her cats, and binge-watching crime dramas.