
How Ransomware Actually Works and How to Never Pay the Ransom

Step-by-step breakdown of how ransomware attacks unfold — and the proven defense plan to make paying the ransom irrelevant.

The Attack Nobody Saw Coming — Until It Was Too Late

Every year, thousands of businesses, hospitals, and government agencies get hit by ransomware and face a brutal choice: pay up or lose everything.

It happened to a small dental clinic in Ohio. They came in on a Monday morning, opened their computers, and saw nothing but a red screen demanding $18,000 in Bitcoin. Patient records. Billing software. Everything encrypted. The IT guy they called said it could take weeks to recover — if they even could.

That’s the real face of ransomware. Not a movie hacker in a dark room. It’s a criminal business model that generated over $1 billion in ransom payments in 2023 alone — and it’s getting worse.

The scariest part? Most victims had no idea they were already compromised for weeks before the ransom note appeared.

This guide cuts through the noise. You’ll learn exactly how ransomware works, step by step, and how to build a defense so strong you’ll never have to think about paying a ransom.



The Scale of Ransomware in 2026

Ransomware isn’t slowing down. It’s accelerating — and getting smarter.

In 2025, the average ransom payment hit $2.73 million, up from $1.54 million the year before. Healthcare, education, and municipal governments are the top targets. But no industry is safe anymore.

⚠️ ALERT: The FBI’s Internet Crime Complaint Center (IC3) reported that ransomware losses exceeded $59.6 million in reported cases alone in 2023. The real number is estimated to be 10x higher because most incidents go unreported. Read the FBI’s cybercrime report.

Small businesses think they’re too small to be targeted. They’re wrong. Cybercriminals use automated tools that scan millions of IP addresses daily. If your firewall is weak or your systems are unpatched, you’re in the crosshairs — size doesn’t matter.

The average downtime after a ransomware attack is 21 days. That’s three weeks of lost revenue, reputation damage, and chaos. For many small businesses, it’s a death sentence. You can read more about this reality in our post on why small businesses close after a cyberattack.


How Ransomware Actually Works: The Full Attack Chain

Most people think ransomware is a single event. It’s not. It’s a multi-stage operation that unfolds over days, weeks, sometimes months.

Here’s the full attack chain from first contact to ransom note:

RANSOMWARE ATTACK CHAIN
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[STAGE 1] INITIAL ACCESS
     │
     ▼
Phishing email → User clicks → Malware drops
     OR
RDP brute force → Credentials stolen → Remote login
     OR
Unpatched software → Exploit → System compromised
     │
     ▼
[STAGE 2] PERSISTENCE & RECONNAISSANCE
     │
Attacker installs backdoor
Moves laterally across network
Maps backups, servers, databases
Steals sensitive data (double extortion)
     │
     ▼
[STAGE 3] EXFILTRATION
     │
Critical data sent to attacker servers
Leverage for second ransom threat
     │
     ▼
[STAGE 4] ENCRYPTION
     │
Ransomware deploys across all connected systems
Files encrypted with AES-256 or RSA keys
Backups targeted and destroyed first
     │
     ▼
[STAGE 5] EXTORTION
     │
Ransom note appears on every screen
Bitcoin wallet address displayed
Countdown timer starts (usually 72 hours)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The critical detail most people miss: Stage 2 can last weeks. The attacker is already inside your network, quietly mapping everything, while your team goes about their day completely unaware.

Modern ransomware groups also practice “double extortion.” They encrypt your files and steal them. So even if you restore from backups, they threaten to publish your customer data, financial records, or trade secrets publicly. It’s a two-punch knockout.

🔴 WARNING: CISA (the Cybersecurity and Infrastructure Security Agency) has documented ransomware groups spending an average of 8-16 days inside a network before deploying encryption. If you don’t detect lateral movement early, you won’t detect it at all. See CISA’s ransomware guidance.
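Stage 4 of the chain above is the one stage that leaves an unmistakable trace on the endpoint: one process rewriting many files in seconds and renaming each to the same new extension. The check below is an added example, not code from this post or from any EDR product; the event format, the thresholds and every event in it are constructed assumptions.

```python
"""Endpoint-side check for Stage 4 (mass encryption): one process rewriting
many files in a short window and renaming each to the same new extension.
Added example, not from the post or any EDR product; the event format,
thresholds and all events below are constructed assumptions."""
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed file-system events: (timestamp, pid, action, path)
EVENTS = [
    ("2026-01-12T03:10:05", 1180, "write", r"C:\Users\amy\report.docx"),  # ordinary save
    ("2026-01-12T03:10:06", 2200, "rename", r"C:\Users\amy\pic1.jpg"),    # small batch, benign
    ("2026-01-12T03:10:06", 2200, "rename", r"C:\Users\amy\pic2.jpg"),
]
# pid 4412 rewrites 25 documents on a file share in about five seconds and
# renames each one to a single new extension (".lck9" is made up for this sample).
for i in range(25):
    ts = f"2026-01-12T03:10:{i // 5:02d}"
    EVENTS.append((ts, 4412, "write", rf"\\fs01\share\doc{i}.docx"))
    EVENTS.append((ts, 4412, "rename", rf"\\fs01\share\doc{i}.docx.lck9"))


def detect_mass_encryption(events, min_files=20, window=timedelta(seconds=30)):
    """Return {pid: {"files": n, "extension": ext}} for every process that
    renamed at least `min_files` files to the same new extension inside
    `window`. Writes alone are ignored: ordinary saves look like writes too."""
    recent = defaultdict(list)  # pid -> [(timestamp, new extension)] inside the window
    alerts = {}
    for ts_str, pid, action, path in sorted(events, key=lambda e: e[0]):
        if action != "rename":
            continue
        ts = datetime.fromisoformat(ts_str)
        ext = os.path.splitext(path)[1].lower()
        bucket = recent[pid]
        bucket.append((ts, ext))
        while ts - bucket[0][0] > window:  # drop renames older than the window
            bucket.pop(0)
        top_ext, top_n = Counter(e for _, e in bucket).most_common(1)[0]
        if top_n >= min_files:
            alerts[pid] = {"files": top_n, "extension": top_ext}
    return alerts


if __name__ == "__main__":
    for pid, hit in detect_mass_encryption(EVENTS).items():
        print(f"ALERT pid {pid}: {hit['files']} files renamed to {hit['extension']}")
```

Tune `min_files` and `window` to what a normal save or batch job on your own file servers looks like; the two-file rename from pid 2200 is there to show that small batches stay below the line.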


How Hackers Get In: The Most Common Entry Points

Understanding how ransomware actually gets into your network is the first step to shutting the door.

Phishing Emails (The #1 Entry Point)

Over 90% of ransomware attacks start with a phishing email. Someone on your team clicks a link or opens an attachment. That’s all it takes. The attacker doesn’t need to hack your firewall. They hack your people.

Exposed Remote Desktop Protocol (RDP)

RDP lets employees log in remotely — but leaving port 3389 open to the internet is an open invitation. Attackers use automated tools to hammer exposed RDP ports with stolen credential lists. One match, and they’re inside.
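The “RDP brute force → credentials stolen → remote login” pattern from the attack chain is visible in the Windows Security log before anything is encrypted. The detector below is an added example, not code from this post; the events are constructed, the thresholds and the 203.0.113.0/24 source (a documentation address range) are assumptions, and it relies only on the standard Event IDs 4625 (failed logon), 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP).

```python
"""Detect the RDP brute-force entry point from Windows Security events.
Added example, not from the post; the events below are constructed and the
thresholds are assumptions. Event ID 4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive (RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, source_ip, account)
EVENTS = [
    ("2026-01-12T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2026-01-12T02:00:02", 4625, 10, "203.0.113.7", "admin"),
    ("2026-01-12T02:00:03", 4625, 10, "203.0.113.7", "backup"),
    ("2026-01-12T02:00:04", 4625, 10, "203.0.113.7", "jsmith"),
    ("2026-01-12T02:00:05", 4625, 10, "203.0.113.7", "scanner"),
    ("2026-01-12T02:00:06", 4625, 10, "203.0.113.7", "helpdesk"),
    ("2026-01-12T02:00:09", 4624, 10, "203.0.113.7", "jsmith"),    # credential list hit
    ("2026-01-12T08:31:10", 4625, 10, "10.0.0.5", "amy"),           # two typos, then success
    ("2026-01-12T08:31:20", 4625, 10, "10.0.0.5", "amy"),
    ("2026-01-12T08:31:30", 4624, 10, "10.0.0.5", "amy"),
    ("2026-01-12T08:40:00", 4624, 3, "203.0.113.7", "svc-print"),   # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failures": n, "success": account_or_None}} for
    sources that reach `threshold` failed RDP logons inside `window`. A later
    successful RDP logon from the same source is the 'credentials stolen ->
    remote login' case and is recorded under "success"."""
    failures = defaultdict(list)  # source_ip -> failure timestamps inside the window
    alerts = {}
    for ts_str, event_id, logon_type, ip, account in sorted(events, key=lambda e: e[0]):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            bucket = failures[ip]
            bucket.append(ts)
            while ts - bucket[0] > window:  # slide the window forward
                bucket.pop(0)
            if len(bucket) >= threshold:
                hit = alerts.setdefault(ip, {"failures": 0, "success": None})
                hit["failures"] = max(hit["failures"], len(bucket))
        elif event_id == 4624 and ip in alerts:
            alerts[ip]["success"] = account
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_rdp_bruteforce(EVENTS).items():
        print(f"ALERT {ip}: {hit['failures']} failed RDP logons, success as {hit['success']}")
```

A source that trips the threshold and then logs in successfully is the alert to act on first; a source that only fails is still worth blocking at the firewall.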

Unpatched Software Vulnerabilities

Every unpatched vulnerability is a door with no lock. Attackers scan for known CVEs (Common Vulnerabilities and Exposures) constantly. If your systems are running software from six months ago with known exploits, you’re already exposed.

Compromised VPNs

Many VPN products have had critical vulnerabilities in recent years. Fortinet, Pulse, and others released emergency patches that thousands of organizations ignored. Attackers exploited those unpatched VPNs to walk straight into corporate networks.

| Entry Point | % of Attacks | Difficulty to Fix |
|---|---|---|
| Phishing emails | 41% | Medium (training + filtering) |
| Exposed RDP | 24% | Easy (close port, use VPN) |
| Software vulnerabilities | 17% | Medium (patch management) |
| Compromised credentials | 11% | Medium (MFA + monitoring) |
| Supply chain attacks | 7% | Hard (vendor vetting) |

If your team connects remotely, make sure your VPN and access controls are locked down. Our article on router settings you must change covers some of the basics that most businesses skip.


What Happens After Encryption: The Ransom Demand

The ransom note appears. Everything stops.

Here’s what attackers typically include in a modern ransom demand:

  1. A deadline — Usually 48-72 hours before the price doubles
  2. A Bitcoin wallet address — Untraceable cryptocurrency only
  3. A “proof of life” decryptor — They’ll decrypt one file for free to prove they can
  4. A dark web negotiation portal — Yes, ransomware groups have customer service

Modern ransomware operations run like businesses. Groups like LockBit, BlackCat (ALPHV), and Cl0p have full negotiation teams. They’ll respond within hours. They’ll offer payment plans. Some even have customer satisfaction ratings.

That should terrify you. These aren’t script kiddies. They’re professional criminal enterprises generating millions of dollars per month.

⚠️ ALERT: NIST’s Cybersecurity Framework specifically addresses ransomware response under the “Respond” and “Recover” functions. Having a documented Incident Response Plan before an attack is the single most important preparation step. Read NIST’s ransomware resources.

The ransom amounts vary wildly. Small businesses might see demands of $5,000–$50,000. Mid-sized companies often face $200,000–$2 million. Large enterprises and hospitals have paid $10 million or more in single incidents.


Why Paying the Ransom Is Almost Always a Mistake

Here’s the brutal truth about paying: it doesn’t actually fix your problem.

You fund the next attack: Every payment goes directly into developing better ransomware tools and recruiting more attackers. You’re financing the industry that just hit you.

You become a repeat target: Ransomware groups keep lists of who pays. Once you pay once, you’re marked as willing to pay again. Re-attacks are documented and common.

The decryptor might not work: In 2023, 19% of organizations that paid a ransom didn’t get full data recovery. Some decryptors are buggy. Some attackers disappear after payment. You paid for nothing.

You may violate federal law: The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned several ransomware groups. Paying a sanctioned group — even unknowingly — can result in federal fines. You need to check OFAC lists before any payment.

Your insurance may not cover it: Cyber insurance policies are getting tighter. Many now exclude payments to sanctioned entities, or require proof of specific security controls before covering ransomware claims.

| What You Think Paying Buys | What You Actually Get |
|---|---|
| Full data recovery | Partial recovery (81% of cases) |
| Attackers go away | You’re on their “will pay” list |
| Problem solved | Same vulnerabilities still exploited |
| No legal risk | Potential OFAC sanctions exposure |
| Low final cost | Average total cost is 7x the ransom |

How to Never Pay the Ransom: Your Defense Plan

This is where we get practical. The goal isn’t to survive a ransomware attack. It’s to make one irrelevant.

Here’s the step-by-step framework that works:

Step 1: Implement the 3-2-1 Backup Rule
Three copies of your data. Two different storage types. One copy offsite or in an air-gapped location. Test your restores monthly — a backup you’ve never tested isn’t a backup.

Step 2: Network Segmentation
If ransomware hits one segment of your network, it shouldn’t be able to spread to everything else. VLANs are your friend. Keep critical systems, operational systems, and guest access completely separated. Our guide on VLAN for home network 2026 shows how this works even at the small business level.

Step 3: Deploy a Next-Generation Firewall
Basic firewalls don’t catch modern ransomware. You need deep packet inspection, intrusion prevention, and threat intelligence feeds. This is where hardware matters enormously.

Step 4: Multi-Factor Authentication Everywhere
RDP, VPN, email, cloud services — every single one needs MFA. Stolen credentials are useless to an attacker who can’t pass the second factor.

Step 5: Patch Management Policy
Define a 72-hour patch window for critical CVEs. No exceptions. Most ransomware attacks exploit vulnerabilities that had patches available weeks or months before the attack.

Step 6: Employee Security Training
Run phishing simulations quarterly. Train staff on what to look for. One click is all it takes — one informed employee could stop everything.

Step 7: Endpoint Detection and Response (EDR)
Traditional antivirus doesn’t catch ransomware before encryption. EDR tools monitor behavior in real time and can stop ransomware mid-execution before it encrypts a single file.

Step 8: Incident Response Plan
Write it before you need it. Who calls who? What systems get isolated? When do you call the FBI? When do you engage a ransomware response firm? Answer these questions now, not at 2 AM with a red screen staring at you.
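Step 1 is the one step in this plan that can be scripted end to end: “test your restores” means proving that what came back from the backup is byte-for-byte what went in. The restore check below is an added example, not tooling from this post; the SHA-256 manifest format, the directory layout and the sample files are assumptions, and the “bad restore” it detects (one truncated file, one missing file) is constructed.

```python
"""Restore-test helper for the 3-2-1 rule: verify a restored tree against the
SHA-256 manifest recorded when the backup was taken. Added example, not from
the post; manifest format, layout and sample files are assumptions."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Record relative path -> SHA-256 for every file at backup time. Store this
    with the offsite copy; it is what a restore test is measured against."""
    src = Path(src_dir)
    return {p.relative_to(src).as_posix(): sha256_of(p) for p in src.rglob("*") if p.is_file()}


def verify_restore(restore_dir, manifest):
    """Compare a restored tree with the manifest. Anything under 'missing' or
    'corrupted' means the backup cannot be relied on for recovery."""
    root = Path(restore_dir)
    result = {"ok": [], "missing": [], "corrupted": []}
    for rel, digest in sorted(manifest.items()):
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed scenario: back up three files, then simulate a restore in
    which one file came back truncated and one never came back at all."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        (primary / "billing").mkdir(parents=True)
        (primary / "patients.db").write_bytes(b"record-1\nrecord-2\n")
        (primary / "billing" / "invoices.csv").write_bytes(b"id,amount\n1,100\n")
        (primary / "notes.txt").write_bytes(b"ok\n")
        manifest = build_manifest(primary)
        restored = Path(tmp) / "restored"
        shutil.copytree(primary, restored)
        (restored / "patients.db").write_bytes(b"record-1\n")  # truncated on restore
        (restored / "notes.txt").unlink()                      # never restored
        return verify_restore(restored, manifest)
```

Run `build_manifest` against the live data at backup time and `verify_restore` against a restore into a scratch location each month; a restore that passes with an empty `missing` and `corrupted` list is the only kind that counts.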

🔴 WARNING: Microsoft’s Security Intelligence team has documented that organizations without endpoint detection and response tools take an average of 197 days to identify a breach. With EDR deployed, that drops to under 30 days. Detection speed determines how much damage gets done. Read Microsoft’s security research.


The Hardware That Stops Ransomware Cold

Your software controls are only as strong as the hardware enforcing them.

A next-generation firewall sitting at your network perimeter is the single most effective tool for blocking ransomware before it reaches a single device. It inspects traffic, blocks command-and-control communications that ransomware needs to receive encryption keys, and stops lateral movement cold.

We carry enterprise-grade firewalls from the brands that real security teams trust — Fortinet, SonicWall, and WatchGuard. These aren’t consumer routers. They’re purpose-built security appliances running full threat intelligence feeds, SSL inspection, and behavioral analysis.

Here’s how the top firewall options compare for ransomware defense:

| Brand | Key Ransomware Feature | Best For |
|---|---|---|
| Fortinet FortiGate | FortiSandbox integration, AI threat feeds | Mid to enterprise |
| SonicWall TZ/NSa | Real-Time Deep Memory Inspection (RTDMI) | SMB to mid-market |
| WatchGuard Firebox | DNSWatch + Threat Detection & Response | SMB with MSP support |
| Cisco Firepower | Talos threat intelligence, IPS | Enterprise |

Ransomware also spreads laterally across your network over SMB and shared drives. Properly configured switches with VLAN enforcement and port security stop that lateral movement at the hardware level.

Network segmentation combined with a next-gen firewall is the one-two punch that makes ransomware nearly impossible to spread even if it does get in. Also check our article on the hidden danger of public WiFi in 2026 for more context on attack vectors that hardware protects against.


Quick Reference Checklist

Run through this monthly. Every unchecked box is a risk.

RANSOMWARE DEFENSE CHECKLIST
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

BACKUPS
[ ] 3-2-1 backup rule implemented
[ ] Backups tested and verified this month
[ ] Air-gapped or offsite backup confirmed
[ ] Backup software access requires separate credentials

NETWORK SECURITY
[ ] Next-gen firewall deployed and updated
[ ] Network segmented with VLANs
[ ] RDP port closed or behind VPN only
[ ] Unnecessary ports closed at perimeter
[ ] DNS filtering enabled

IDENTITY & ACCESS
[ ] MFA enabled for all remote access
[ ] MFA enabled for email (M365, Google Workspace)
[ ] Admin accounts separate from daily-use accounts
[ ] Privileged Access Management (PAM) in place

ENDPOINT PROTECTION
[ ] EDR solution deployed on all devices
[ ] All OS patches applied within 72 hours
[ ] Software inventory maintained and audited
[ ] USB ports restricted where possible

PEOPLE & PROCESS
[ ] Phishing simulation run this quarter
[ ] Incident Response Plan documented and current
[ ] Key contacts list ready (FBI: 1-800-CALL-FBI)
[ ] Cyber insurance policy reviewed
[ ] OFAC sanctions list checked for compliance

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Frequently Asked Questions

Q: Should I ever pay the ransomware ransom?

A: Almost never. The FBI recommends against paying. Payment doesn’t guarantee data recovery, funds criminal organizations, and can expose you to OFAC sanctions if the group is on a federal watchlist. Only in extreme cases — where human life is at stake and no other option exists — should payment be considered, and always with legal counsel and law enforcement notification first.

Q: How long does a ransomware attack take to recover from?

A: The average is 21 days of downtime. Organizations with tested backups, segmented networks, and an Incident Response Plan can cut that to 2-5 days. Those without any preparation can face months of disruption or permanent data loss.

Q: Can ransomware encrypt cloud backups like OneDrive or Google Drive?

A: Yes. If your cloud backup is connected and syncing, ransomware can encrypt or delete those files too. You need versioned backups with retention periods long enough to go back before the encryption event, or a truly air-gapped backup that ransomware cannot reach.

Q: What’s the first thing to do when you see a ransomware note?

A: Isolate immediately. Disconnect affected systems from the network — pull the Ethernet cable, disable Wi-Fi. Don’t turn systems off (this can destroy forensic evidence). Then call your IT team, your cyber insurance provider, and the FBI’s IC3 at ic3.gov. Don’t pay anything until you’ve consulted with a ransomware response professional.

Q: Do small businesses really get targeted by ransomware?

A: Absolutely. In fact, small businesses are often preferred targets because they have less security. Ransomware groups use automated scanning tools that hit millions of IP addresses looking for easy entry points. A small accounting firm with exposed RDP is just as attractive as a corporation — often more so, because they’re less likely to have good defenses or detection tools.


Conclusion

Ransomware is a business model. Criminals have industrialized it, professionalized it, and scaled it into a multi-billion-dollar industry. Understanding how ransomware actually works — from the phishing lure all the way through to the ransom note — is the foundation of defending against it.

The good news is that the defense is knowable. Tested backups, network segmentation, next-generation firewalls, MFA, and a real Incident Response Plan will make you resilient against the vast majority of attacks. Not because ransomware won’t try — but because when it does, it won’t get far.

You don’t have to be the victim on the phone with an FBI agent at 3 AM wondering if you’ll ever see your files again. Build the defenses now. Test them regularly. And if you need enterprise-grade hardware to enforce those defenses, browse our firewall collection to find the right solution for your network.


Jazz Cyber Shield (http://jazzcybershield.com/)
Your trusted IT solutions partner! We offer a wide range of top-notch products from leading brands like Cisco, Aruba, Fortinet, and more. As a specially authorized reseller of Seagate, we provide high-quality storage solutions.