What Is Ransomware? How It Works and How AI Made It Worse


Ransomware is malicious software that locks or encrypts your files and then demands a payment — usually in cryptocurrency — to unlock them. Modern attacks go a step further: criminals also steal your data first and threaten to leak it. Here’s how ransomware works, why AI has made it more dangerous, and how to protect yourself.

Reviewed and kept current by the Coppers.io editorial team — see how we research.

What is ransomware?

Ransomware is a type of malware built entirely around extortion. Once it runs on a device, it encrypts your files — documents, photos, databases — so they can’t be opened, then displays a ransom note demanding payment for the decryption key. Some strains lock you out of the whole system instead.

It hits individuals, but the costliest attacks target businesses, hospitals, schools, and government agencies, where every hour of downtime is unaffordable. That makes ransomware one of the most damaging cyberthreats today — it features heavily in our roundup of the biggest cybersecurity threats in 2026.

How a ransomware attack works

A typical attack unfolds in stages:

  1. Access. Attackers get in through a phishing email, a malicious attachment or download, stolen or weak credentials, or unpatched software.
  2. Spread. The malware moves across the network, escalating privileges to reach as many systems as possible.
  3. Exfiltration. Before encrypting anything, modern groups quietly copy your sensitive data out.
  4. Encryption. The malware encrypts your files using strong cryptography — the same encryption that normally protects you, turned against you. Without the key, the data is effectively gone.
  5. Extortion. A ransom note demands payment (often in cryptocurrency) for the key — and threatens to leak or sell the stolen data if you don’t pay.

That last twist is called double extortion: even a perfect backup doesn’t stop criminals from publishing what they stole. It’s now the norm rather than the exception.

How AI made ransomware worse

Ransomware was already an industry — Ransomware-as-a-Service (RaaS) lets low-skill criminals rent ready-made attack kits and split the profits. AI has poured fuel on that fire:

  • More convincing lures. AI writes flawless, personalized phishing emails — and even voice deepfakes — making the social-engineering step that starts most attacks far more effective.
  • A lower skill bar. Generative AI can help adapt malicious code and automate tasks that once needed expertise, widening the pool of people capable of launching attacks.
  • Faster, smarter targeting. AI speeds up reconnaissance and vulnerability discovery, helping attackers find weak points and high-value victims at scale.

The result is more attacks, launched more cheaply, that are harder for an ordinary user to spot.

Should you pay the ransom?

Generally, no. Security and law-enforcement agencies — including the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI — advise against paying. Payment doesn’t guarantee you’ll get your data back, marks you as a willing target for repeat attacks, funds criminal operations, and in some cases may even breach sanctions rules.

The real insurance is being able to recover without the key — which comes down to backups.

How to protect yourself from ransomware

  • Back up — the 3-2-1 way. Keep three copies of important data, on two types of media, with one stored offline or off-site. An offline backup is what lets you rebuild without paying. CISA’s StopRansomware guidance puts backups first for a reason.
  • Patch promptly. Update your operating system and apps to close the holes attackers exploit.
  • Use phishing-resistant logins. A password manager plus passkeys or multi-factor authentication means a stolen password alone won’t get an attacker in.
  • Think before you click. Most infections start with phishing — verify unexpected attachments and links before opening them.
  • Run reputable security software. Endpoint protection catches many known strains, though it’s a layer, not a guarantee.

What to do if you’re hit

  1. Isolate the device. Disconnect it from Wi-Fi and the network immediately to stop the malware spreading.
  2. Don’t rush to pay. Check No More Ransom — a law-enforcement project that offers free decryptors for many ransomware families.
  3. Report it. Notify CISA or the FBI (in the US) or your local authorities; reporting helps disrupt the groups behind these attacks.
  4. Restore from a clean backup. Wipe the affected system and rebuild from a backup made before the infection.
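
The 3-2-1 rule from the protection list and the "restore from a backup made before the infection" step above can both be checked against a simple backup inventory. The script below is an added example, not part of the original article; the inventory entries, media labels, and the infection time are constructed, and the infection time is assumed to be your best estimate of when the malware first ran.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Copy:
    name: str        # label for this copy of the data (hypothetical)
    media: str       # type of media, e.g. "internal-disk", "usb-disk"
    offline: bool    # physically disconnected when not in use
    offsite: bool    # stored at a different location
    taken: datetime  # when this copy was last written

def check_321(copies):
    """Return the list of 3-2-1 violations; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies on one type of media, need 2")
    if not any(c.offline or c.offsite for c in copies):
        problems.append("no copy is offline or off-site")
    return problems

def restore_candidates(copies, infected_at):
    """Copies written before the infection: offline first, then newest first.

    Copies written after infected_at are excluded because they may already
    contain encrypted files. Offline copies rank first because malware on
    the network could not have reached them.
    """
    clean = [c for c in copies if c.taken < infected_at]
    return sorted(clean, key=lambda c: (c.offline, c.taken), reverse=True)

# Constructed sample inventory; the live laptop data counts as copy one.
INVENTORY = [
    Copy("laptop", "internal-disk", False, False, datetime(2026, 3, 10, 9, 0)),
    Copy("nas-sync", "network-share", False, False, datetime(2026, 3, 8, 8, 0)),
    Copy("usb-weekly", "usb-disk", True, False, datetime(2026, 3, 7, 20, 0)),
]
INFECTED_AT = datetime(2026, 3, 9, 14, 0)  # constructed estimate

if __name__ == "__main__":
    print("3-2-1 problems:", check_321(INVENTORY) or "none")
    for c in restore_candidates(INVENTORY, INFECTED_AT):
        print("restore candidate:", c.name, c.taken.isoformat())
```

With this inventory the offline USB copy is ranked ahead of the newer network-share copy, since a share that stayed connected may have been tampered with even before files were visibly encrypted.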

The bottom line

Ransomware turns your own files into hostages, and AI has made the attacks cheaper to launch and harder to spot. You can’t make yourself a zero-risk target, but solid offline backups, prompt updates, and phishing-resistant logins strip away most of an attacker’s leverage. Build those habits before you need them — not the day a ransom note appears.

Next: close off the easiest way in by switching to passkeys and passwordless login.

FAQs

  • Not exactly. Ransomware is a type of malware (malicious software), and a virus is one specific kind of malware that self-replicates. Some ransomware spreads like a virus, but the defining feature of ransomware is extortion — encrypting your files and demanding payment.
  • You can remove the malware itself with security tools, but that doesn't decrypt files it already locked. Recovery usually means restoring from a clean backup, or using a free decryptor from No More Ransom if one exists for that strain.
  • Agencies like CISA and the FBI advise against it. Paying doesn't guarantee you'll get your files back, encourages repeat attacks, funds criminals, and may breach sanctions rules. Good offline backups let you recover without paying.
  • Most often through phishing emails and malicious attachments or downloads, but also via weak or stolen passwords and unpatched software with known vulnerabilities. AI has made the phishing lures far more convincing.
  • It helps by catching known strains, but it isn't foolproof — new variants appear constantly. Treat antivirus as one layer alongside backups, prompt updates, and phishing-resistant logins, not a complete solution.