Ransomware Explained

What ransomware is, how to protect yourself, and what to do if you get hit

Ransomware is malware that encrypts your files and demands payment (usually in cryptocurrency) to unlock them. It can hit anyone – individuals, small businesses, hospitals, schools. If you have backups, ransomware is an annoying disruption. If you don't, it can mean losing everything.

The single most important thing you can do right now: set up backups. Seriously. If your files exist somewhere else, ransomware loses all its power.

How ransomware works

Ransomware gets onto your device, silently encrypts your documents, photos, and other files, then shows you a message demanding payment – typically hundreds to thousands of dollars in Bitcoin or another cryptocurrency. You get a deadline. The price often goes up if you wait.

Modern ransomware is sophisticated. Some variants steal your data before encrypting it, then threaten to publish it online if you don't pay (this is called "double extortion"). Others spread across networks, encrypting every computer they can reach.

How you get infected

  • Phishing emails – The most common way. An email with an attachment or link that looks legitimate but installs ransomware when you open it. See recognizing and avoiding phishing
  • Malicious downloads – Software from untrustworthy websites, pirated programs, or fake "updates" that pop up in your browser. Those pop-ups are never real
  • Unpatched software – Ransomware exploits known security holes in outdated operating systems and applications. Keeping your OS updated closes these holes
  • Infected USB drives – Less common but still a real vector. Don't plug in USB drives you find lying around
  • Compromised websites – Visiting a hacked website can sometimes trigger a drive-by download, though modern browsers block most of these

What to do if you're hit

If you see a ransom message on your screen, here's what to do immediately:

  1. Don't pay – There is no guarantee you will get your files back. Many victims pay and receive nothing. Paying also funds more attacks
  2. Disconnect from the network – Unplug the ethernet cable, turn off Wi-Fi. This stops the ransomware from spreading to other devices on your network
  3. Don't turn off the computer – Some recovery tools can work with the system still running. Shutting down may destroy encryption keys stored in memory
  4. Take a photo of the ransom screen – This helps identify the specific ransomware variant, which can be important for recovery
  5. Contact a professional – If you have an IT department, call them. If not, contact a reputable computer repair service. Some ransomware strains have known decryption tools available for free
  6. Check No More Ransom – The site nomoreransom.org (run by law enforcement and security companies) has free decryption tools for many ransomware variants
  7. Report it – File a report with your local authorities and with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov if you are in the US
  8. Restore from backup – If you have backups that weren't connected during the attack, you can wipe the infected device and restore your files. This is by far the best outcome

Prevention

Ransomware is almost entirely preventable with basic precautions:

  • Back up your files – This is the number one defense. Follow the 3-2-1 backup rule: 3 copies, 2 different storage types, 1 offsite. Make sure at least one backup is not always connected to your computer (an always-connected drive can also get encrypted)
  • Keep your OS and apps updated – Updates patch the security holes ransomware exploits. Don't put them off
  • Don't open suspicious email attachments – Especially .exe, .zip, .scr, or .js files from unknown senders. Even .pdf and .docx files can carry malware. See avoiding phishing
  • Use strong, unique passwords – Weak passwords let attackers into your accounts and devices remotely. See creating strong passwords and consider a password manager
  • Enable two-factor authentication – Adds a second layer even if your password is stolen. See two-factor authentication
  • Be skeptical of downloads – Only install software from official sources. If a website tells you to "update Flash" or your browser is "out of date," it's a scam

The 3-2-1 rule is ransomware insurance

The 3-2-1 backup rule deserves extra emphasis because it changes the entire equation. With proper backups:

  1. Ransomware encrypts your files
  2. You wipe the infected device
  3. You restore everything from backup
  4. You lose a few hours, not years of files

Without backups, you're choosing between paying criminals (with no guarantee) and losing everything. That's not a choice anyone wants to make.

The key detail: your backup drive can't be permanently connected to your computer. If it is, ransomware will encrypt the backup too. Use a drive you disconnect after backing up, a cloud backup service, or both.
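One way to make the "was my backup encrypted too?" worry concrete is to record a checksum manifest at backup time and re-check it before trusting the copy. The script below is an added example written for this page, not a tool the page recommends: it copies a folder into a dated snapshot, records SHA-256 hashes, and reports any file that went missing or changed. Folder names, the snapshot date and the file contents are constructed for the demo.

```python
import hashlib, json, os, shutil, tempfile

def sha256_of(path):
    """Hash a file in 64 KiB chunks so large photos and videos never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src, dest):
    """Copy the tree under src into a fresh snapshot folder dest; return a {relative path: sha256} manifest."""
    manifest = {}
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            os.makedirs(os.path.join(dest, os.path.dirname(rel)), exist_ok=True)
            shutil.copy2(full, os.path.join(dest, rel))
            manifest[rel] = sha256_of(os.path.join(dest, rel))   # hash the copy that actually landed on the drive
    with open(os.path.join(dest, "MANIFEST.json"), "w") as f:    # one copy stays on the drive ...
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest                                                # ... and the caller keeps one elsewhere

def verify_backup(dest, manifest):
    """Re-hash every file in the manifest; an empty list means the snapshot is intact."""
    problems = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(dest, rel)
        if not os.path.exists(path):
            problems.append("missing: " + rel)
        elif sha256_of(path) != digest:
            problems.append("changed: " + rel)
    return problems

def demo():
    """Constructed run: back up two files, verify, damage one copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "Documents")
        os.makedirs(os.path.join(src, "photos"))
        with open(os.path.join(src, "thesis.txt"), "w") as f:
            f.write("chapter one\n")
        with open(os.path.join(src, "photos", "cat.jpg"), "wb") as f:
            f.write(b"\xff\xd8constructed")
        dest = os.path.join(tmp, "external_drive", "snapshot-2024-01-01")
        manifest = make_backup(src, dest)
        intact = verify_backup(dest, manifest)
        with open(os.path.join(dest, "thesis.txt"), "wb") as f:
            f.write(b"not the original")     # stands in for a copy altered while the drive stayed connected
        return intact, verify_backup(dest, manifest)
```

Keep a copy of the manifest off the drive (for instance alongside your cloud copy): a manifest stored only on the same disk can be altered together with the files it describes.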

Frequently Asked Questions

Should I pay the ransom?

No. The FBI and nearly every cybersecurity organization advises against paying. Studies show that only about half of victims who pay actually get their data back in usable condition, and paying marks you as a willing target for future attacks. It also directly funds criminal operations.

Can my phone get ransomware?

It's rare but possible, especially on Android. Stick to official app stores, don't sideload apps from random websites, and keep your phone updated. iPhone ransomware is extremely uncommon due to Apple's app restrictions.

Will antivirus stop ransomware?

Antivirus software can catch known ransomware variants, but new ones appear constantly. Antivirus is one layer of defense, not a guarantee. Backups are the only thing that truly makes you ransomware-proof.

How do I know if I have ransomware?

The signs are hard to miss: your files suddenly have strange extensions (like .encrypted or .locked), you can't open your documents, and there's a ransom note on your screen or in every folder. If your computer is just slow or acting odd, that's more likely a different type of malware.
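Those signs can also be checked mechanically. The scanner below is an added example written for this page, not a tool from any vendor: it walks a folder and reports files with the renamed extensions mentioned above, files whose contents have turned into random-looking bytes (measured as byte entropy, a sign they are no longer readable), and a same-named note file that shows up in several folders. The extension list beyond .encrypted and .locked, the list of normally compressed formats, and the note-name words are assumptions, and the sample folder tree is constructed.

```python
import math, os, tempfile
from collections import Counter

SUSPECT_EXTENSIONS = {".encrypted", ".locked", ".crypt"}     # first two named on this page, .crypt assumed
COMPRESSED = {".jpg", ".png", ".zip", ".gz", ".mp4", ".pdf", ".docx", ".xlsx"}   # high entropy even when healthy
NOTE_WORDS = ("readme", "decrypt", "restore", "recover")     # assumed hints for note file names

def entropy(data):
    """Shannon entropy in bits per byte: ordinary text sits around 4-5, random-looking data near 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(root):
    """Report the three signs: renamed files, files that turned into random bytes, a note repeated across folders."""
    findings = {"suspect_ext": [], "high_entropy": [], "notes": []}
    seen_in = {}                                      # lowercase file name -> folders that contain it
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            seen_in.setdefault(name.lower(), set()).add(dirpath)
            if ext in SUSPECT_EXTENSIONS:
                findings["suspect_ext"].append(rel)
            elif ext not in COMPRESSED:
                with open(path, "rb") as f:
                    head = f.read(4096)
                if len(head) >= 2048 and entropy(head) > 7.5:   # small files give noisy estimates, so skip them
                    findings["high_entropy"].append(rel)
    for name, dirs in seen_in.items():
        if len(dirs) >= 3 and any(w in name for w in NOTE_WORDS):
            findings["notes"].append(name)
    return findings

def demo():
    """Constructed folder tree that shows all three signs at once."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"diary.txt": b"Dear diary, today was fine.\n" * 100,   # ordinary text: large but low entropy
                 "photos/cat.jpg.encrypted": b"\x00" * 16,              # a renamed file, the first sign
                 "docs/budget.csv": bytes(range(256)) * 16}             # every byte value equally common: entropy 8.0
        for sub in ("", "photos", "docs"):                              # same note file name in three folders
            files[os.path.join(sub, "README_TO_DECRYPT.txt")] = b"constructed note text\n"
        for rel, data in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        return scan(tmp)
```

A healthy machine will occasionally trip the entropy check on an encrypted container or an archive with an unusual extension, so treat a single hit as something to look at and several hits at once as the alarm.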

Is ransomware only a business problem?

No. While businesses are targeted more often because they can pay more, individuals get hit too. Home users are often targeted through phishing emails and malicious downloads. The average individual ransom demand is lower, but losing your personal photos, documents, and files is devastating regardless of the dollar amount.