Ransomware Protection Guide: How to Prevent and Survive an Attack (2026)
In February 2024, Change Healthcare — a company that processes about 15 billion healthcare transactions per year in the US — got hit by ransomware. The attack disrupted pharmacies, hospitals, and insurance claims nationwide for weeks. They reportedly paid a $22 million ransom. And that was just one attack.
Ransomware isn't just a corporate problem anymore. Regular people get hit too. A family friend had every photo, document, and tax return on her computer encrypted overnight. The ransom demand? $3,000 in Bitcoin. She didn't have backups. She lost everything.
Here's what ransomware is, how it gets in, and — most importantly — what you can actually do to protect yourself before it happens.
What Is Ransomware and How Does It Work?
Ransomware is malware that encrypts your files and demands payment to unlock them. That's the short version. The longer version involves some genuinely clever (if criminal) engineering.
The typical attack flow:
- Initial access: The malware gets onto your computer — usually through a phishing email, a malicious download, or an exploited vulnerability
- Reconnaissance: The malware quietly spreads through connected drives and network shares, mapping out what to encrypt
- Encryption: Using strong encryption algorithms (usually AES-256 + RSA), the malware locks your files. Photos, documents, databases, backups if they're accessible — all of it
- Ransom note: A text file or screen appears demanding payment (typically cryptocurrency) in exchange for the decryption key
- Double extortion (increasingly common): Before encrypting, the attackers steal a copy of your data and threaten to publish it if you don't pay. So even if you restore from backups, they still have leverage
The encryption is real. Without the key, your files are effectively gone. There are no magic decryption tools for modern ransomware variants (though older versions sometimes have known flaws — check No More Ransom if you're already hit).
How Ransomware Gets In: The 5 Most Common Entry Points
1. Phishing Emails
Still the number one delivery method. A convincing email with an attachment — maybe a "shipping notification" or "invoice" — that contains a macro-enabled document or a disguised executable. One click, and you're done. According to Verizon's 2024 Data Breach Investigations Report, phishing is involved in about 36% of all breaches.
I've seen phishing emails so well-crafted that I had to check the headers twice to confirm they were fake. They're not all Nigerian prince scams anymore.
2. Remote Desktop Protocol (RDP)
If you have Remote Desktop enabled and exposed to the internet — especially with a weak password — attackers will find it. Automated scanners sweep the internet constantly looking for open RDP ports. Once in, they deploy ransomware manually, often during off-hours when nobody's watching.
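To see what that exposure looks like from the inside of your own machine, here is a read-only audit script added to this article as an example (it is not part of the original post). It assumes Windows 10/11 with the built-in NetSecurity and NetTCPIP modules, an elevated PowerShell prompt (reading the Security log needs it), and a 24-hour look-back window; the function and variable names are my own.

```powershell
# Added example (not from the original article): a read-only audit of this
# machine's Remote Desktop exposure. It reports whether RDP is enabled,
# whether Network Level Authentication is required, whether anything is
# listening on 3389, which inbound firewall rules admit it, and how many
# failed remote logons the Security log recorded recently.
# Requires an elevated prompt; the 24-hour window is an assumption.

function Get-RdpExposure {
    param([int]$Hours = 24)

    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpOn = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0
    $nlaOn = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp").UserAuthentication -eq 1

    # Anything bound to the RDP port, however it got there.
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    # Enabled inbound rules in the built-in "Remote Desktop" firewall group.
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }

    # Failed logons (event 4625) with LogonType 10 = RemoteInteractive, i.e. RDP.
    # A steady stream of these from unfamiliar addresses is what the automated
    # scanners mentioned in the article look like from the inside.
    $since  = (Get-Date).AddHours(-$Hours)
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
                User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        } | Where-Object { $_.LogonType -eq '10' }

    [pscustomobject]@{
        RdpEnabled           = $rdpOn
        NlaRequired          = $nlaOn
        ListeningOn3389      = [bool]$listen
        EnabledFirewallRules = @($fwRules).Count
        FailedRdpLogons      = @($failed).Count
        TopFailedSources     = @($failed | Group-Object Source | Sort-Object Count -Descending |
                                   Select-Object -First 5 Count, Name)
    }
}

$report = Get-RdpExposure
$report | Format-List

# If you do not actually use Remote Desktop, remove the exposure instead of
# watching it: the first command turns the listener setting off, the second
# closes the firewall group.
if ($report.RdpEnabled) {
    Write-Warning 'RDP is enabled on this machine. If you do not need it, run:'
    Write-Host '  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -Value 1'
    Write-Host '  Disable-NetFirewallRule -DisplayGroup "Remote Desktop"'
}
```

Two fields matter most. `NlaRequired` being false means the logon prompt is reachable before any authentication, which is the configuration the password-guessing scanners are looking for. `FailedRdpLogons` climbing on a machine that nobody should be logging into remotely is the signal that the scanners have already found you, even if none of the guesses has succeeded yet.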
3. Software Vulnerabilities
Unpatched software is an open door. The WannaCry attack in 2017 exploited a Windows vulnerability that Microsoft had patched two months earlier. Organizations that hadn't updated got hit — 200,000+ computers across 150 countries. Keep your stuff updated. I know updates are annoying. Still update.
4. Malicious Downloads
Pirated software, cracked games, fake browser updates, sketchy "free PDF converters" — all common ransomware delivery vehicles. If you're downloading software from anywhere other than the official source, you're playing Russian roulette. I've analyzed malware samples that were bundled with cracked versions of popular software — the ransomware payload was embedded right in the installer.
5. Drive-by Downloads
Visiting a compromised website can trigger an automatic download if your browser or plugins have unpatched vulnerabilities. This is less common than it used to be (modern browsers have better sandboxing), but it still happens — especially on sites with aggressive ad networks.
How to Protect Yourself: The Defense Playbook
Prevention is everything with ransomware. Once your files are encrypted, your options are limited to paying (which I don't recommend) or restoring from backups (which only works if you have them).
1. The 3-2-1 Backup Rule (This Is Your Insurance Policy)
If you take one thing from this article, make it this: maintain proper backups.
- 3 copies of your data
- 2 different storage media (e.g., external hard drive + cloud)
- 1 copy offsite (physically separate from your computer)
Critical detail: your backup drive should NOT be permanently connected to your computer. Ransomware encrypts everything it can access, including plugged-in external drives and mapped network shares. I keep an external SSD that I only connect when running weekly backups, then disconnect and store it in a drawer.
For cloud backups, services like Backblaze ($7/month for unlimited backup) or iDrive keep versioned copies of your files. Even if ransomware encrypts the latest version, you can roll back to a previous one.
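Here is one way to script the external-drive half of the rule, added to this article as an example (it is not code from the original post). It assumes the backup SSD mounts as E:, that Documents and Pictures are the folders you care about, and that you keep one dated folder per run; the paths and the warning threshold at the top are placeholders to change. Besides copying, it adds a check the advice above implies but does not spell out: it hashes every source file and warns if an unusually large share changed since the last run, because a backup taken after encryption has already started will faithfully preserve the encrypted files.

```powershell
# Added example (not from the original article): versioned backup to a drive
# that is plugged in only for the run, plus a change-rate check that warns
# when an unusual share of files changed since the last backup (one sign the
# source may already have been encrypted). Paths and threshold are assumptions.
param(
    [string[]]$Sources    = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures"),
    [string]  $BackupRoot = 'E:\Backups',   # placeholder: the external SSD
    [double]  $WarnRatio  = 0.30            # warn if more than 30% of files changed
)

# Refuse to run unless the backup drive is present. A missing drive must not
# silently turn into a "backup" written onto the same disk we are protecting.
$drive = [System.IO.Path]::GetPathRoot($BackupRoot)
if (-not (Test-Path -LiteralPath $drive)) {
    throw "Backup drive $drive is not connected. Plug it in and rerun."
}

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Hash every source file first, so the manifest describes the source exactly
# as it was at backup time.
$manifest = @(foreach ($src in $Sources) {
    Get-ChildItem -LiteralPath $src -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Size   = $_.Length
            Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
})

# Compare against the most recent earlier run, if there is one.
$previous = Get-ChildItem -LiteralPath $BackupRoot -Directory |
    Where-Object { $_.Name -ne $stamp } |
    Sort-Object Name -Descending |
    Select-Object -First 1
$prevManifest = if ($previous) { Join-Path $previous.FullName 'manifest.csv' }
if ($prevManifest -and (Test-Path -LiteralPath $prevManifest)) {
    $old = @{}
    Import-Csv -LiteralPath $prevManifest | ForEach-Object { $old[$_.Path] = $_.Sha256 }
    $changed = @($manifest | Where-Object {
        $old.ContainsKey($_.Path) -and $old[$_.Path] -ne $_.Sha256
    }).Count
    $ratio = if ($manifest.Count) { $changed / $manifest.Count } else { 0 }
    if ($ratio -gt $WarnRatio) {
        Write-Warning ('{0:P0} of files changed since {1}. Inspect the source before trusting this version; the older folder is still intact.' -f $ratio, $previous.Name)
    }
}

# Copy into the dated folder, preserving the source folder layout. Earlier
# dated folders are never touched, which is what makes this versioned.
foreach ($item in $manifest) {
    $rel    = $item.Path -replace '^[A-Za-z]:\\', ''
    $target = Join-Path $dest $rel
    New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
    Copy-Item -LiteralPath $item.Path -Destination $target
}
$manifest | Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Host "Backed up $($manifest.Count) files to $dest. Now disconnect the drive."
```

Run it right after plugging the drive in, and unplug the drive as soon as it finishes, as the article says. The manifest also gives you something the copy alone does not: a way to verify months later, by re-hashing, that a particular version on the drive is still the file you saved and not something that was altered afterwards.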
2. Keep Everything Updated
Operating system, browser, office software, plugins — all of it. Enable automatic updates wherever possible. I know, sometimes updates break things. But unpatched vulnerabilities break things much worse.
Windows users: make sure Windows Update is running. Don't postpone it indefinitely. macOS users: same deal — System Settings → General → Software Update.
3. Use Real Antivirus Software
Windows Defender (built into Windows 10/11) is actually decent now — way better than it was five years ago. But dedicated antivirus software typically offers better ransomware-specific protection, including behavior monitoring that can detect encryption activity in real time and stop it before your files are fully locked.
Look for antivirus products with explicit "ransomware protection" or "ransomware shield" features. Some create protected folders that even admin-level processes can't modify without your approval.
4. Don't Click Suspicious Links or Attachments
I know this sounds obvious. But phishing is still the #1 ransomware delivery method because it works. Before opening any email attachment, ask yourself:
- Was I expecting this email?
- Does the sender's address look right (check the actual address, not just the display name)?
- Is there urgency or pressure to act fast?
- Does the attachment make sense in context?
When in doubt, don't open it. Contact the sender through a different channel to verify. For more on recognizing these attacks, check our detailed phishing prevention guide.
5. Enable Controlled Folder Access (Windows)
Windows has a built-in feature called "Controlled Folder Access" that prevents unauthorized apps from modifying files in protected folders (Documents, Pictures, Desktop, etc.). It's off by default — turn it on.
How: Windows Security → Virus & threat protection → Ransomware protection → toggle on "Controlled folder access." You can whitelist specific apps that need write access to those folders.
This won't stop all ransomware, but it adds a solid layer that blocks many variants. I've tested it against a few common ransomware samples in a VM, and it blocked the encryption attempts.
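The same setting can be driven from an elevated PowerShell prompt, which makes it easy to check and to repeat on another machine. The script below is an example added to this article (not from the original post); it uses the built-in Defender cmdlets, and the extra folder and allowed application paths in it are placeholders to replace with your own.

```powershell
# Added example (not from the original article): Controlled Folder Access via
# the Defender cmdlets, done in two stages so you discover which legitimate
# programs need an exception before anything is blocked. Run elevated.
# The folder and application paths below are placeholders.

# 1. Audit mode: nothing is blocked yet, but every write that would have been
#    blocked is logged, so you can see what enforcement will break.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect a folder beyond the defaults (Documents, Pictures, Desktop, ...).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\TaxRecords'   # placeholder path

# 3. Allow a trusted program to write into protected folders. Keep this list
#    short: every entry is a hole in the protection.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'   # placeholder

# 4. Review what audit mode recorded. Event 1124 = write audited (would be
#    blocked under enforcement), 1123 = write actually blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Detail'; Expression = { ($_.Message -split "`n" | Select-Object -First 3) -join ' ' } } |
    Format-List

# 5. Once the audit log shows only activity you expect, enforce.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the resulting configuration (1 = Enabled, 2 = AuditMode).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

The audit-first sequence is the practical point. Turning enforcement on blind is how people end up with a photo editor or backup tool that silently fails to save, and then turn the whole feature off in frustration. Event 1124 during the audit window tells you exactly which executables to add in step 3, and event 1123 afterwards is the signal to watch for: a program you did not install trying to write into your documents folder.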
6. Disable Macros in Office Documents
Macro-enabled Word and Excel documents are a classic ransomware delivery method. Unless you specifically need macros for work, disable them.
How: In Microsoft Office → File → Options → Trust Center → Trust Center Settings → Macro Settings → "Disable all macros with notification." This means you'll see a warning if a document tries to run macros, but they won't execute automatically.
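The Trust Center setting lives in the registry, so it can also be applied and verified from PowerShell for every Office app at once. This is an example added to this article (not code from the original post); it assumes Office 2016 or newer, including Microsoft 365, which all use the 16.0 registry key, and the list of apps is mine to edit.

```powershell
# Added example (not from the original article): applies the same
# "Disable all macros with notification" setting the article describes in the
# Trust Center, for the current user, across the Office apps listed below.
# VBAWarnings values: 1 = enable all, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification.
$officeVersion = '16.0'                   # assumption: Office 2016/2019/2021 or Microsoft 365
$apps = 'Word', 'Excel', 'PowerPoint'     # edit to match what is installed

foreach ($app in $apps) {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }

    # 2 = "Disable all macros with notification", the setting the article picks.
    Set-ItemProperty -LiteralPath $key -Name VBAWarnings -Value 2 -Type DWord

    # Additionally block macros in files that carry the Mark of the Web
    # (downloaded or emailed), regardless of the notification setting.
    Set-ItemProperty -LiteralPath $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Verify: every app should report VBAWarnings = 2 and MotW blocking = 1.
foreach ($app in $apps) {
    $key = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"
    $p   = Get-ItemProperty -LiteralPath $key
    '{0,-11} VBAWarnings = {1}  blockcontentexecutionfrominternet = {2}' -f $app, $p.VBAWarnings, $p.blockcontentexecutionfrominternet
}
```

Restart any open Office application for the change to take effect. The second value is the one that matters most for the phishing case described above: a macro document that arrived by email keeps its Mark of the Web, and with that value set the macros in it stay blocked even if someone clicks through the notification bar.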
7. Use Strong Authentication Everywhere
A password manager with unique passwords for every account, plus two-factor authentication on everything that supports it. If an attacker can't get into your accounts, they can't deploy ransomware through your cloud services or remote access tools.
What to Do If You're Already Hit
If you see a ransom note on your screen, here's the step-by-step response:
- Disconnect immediately. Unplug the Ethernet cable, turn off WiFi. This limits how far the malware can spread to other devices on your network.
- Don't pay the ransom. There's no guarantee you'll get your files back. The FBI, Europol, and virtually every security organization advises against paying. Paying also funds future attacks. That said — I understand the desperation if it's your only copy of irreplaceable files. It's a personal decision, but know the risks.
- Take a photo of the ransom note. This helps identify the specific ransomware variant, which might have a known decryption tool.
- Check No More Ransom (nomoreransom.org). This site, run by Europol and security companies, has free decryption tools for many older ransomware variants. Worth checking before you do anything else.
- Report it. In the US, report to the FBI's IC3 (ic3.gov). In the EU, contact your national CERT. Reporting helps law enforcement track and eventually take down ransomware gangs.
- Wipe and restore. If you have clean backups, wipe the infected machine, reinstall the operating system, and restore your files. If you don't have backups... this is why the 3-2-1 rule exists.
Ransomware by the Numbers (2025-2026)
| Statistic | Value |
|---|---|
| Average ransom payment (2025) | ~$570,000 (enterprise) |
| Average ransom demand for individuals | $1,000 - $10,000 |
| Percentage of victims who pay | ~37% |
| Percentage who get all data back after paying | ~65% |
| Most common entry point | Phishing email |
| Average downtime after attack | 22 days |
| Global ransomware damage estimate (2025) | $30+ billion |
That "65% get data back" number should concern you. Paying $3,000 and having a 1-in-3 chance of still losing everything is not a good bet.
FAQ: Ransomware Protection
Can ransomware infect my phone?
Yes, though it's less common than on desktops. Android is more susceptible due to sideloaded apps and third-party app stores. iOS is relatively safe if you don't jailbreak. Keep your phone updated, don't install apps from unknown sources, and you're likely fine.
Does a VPN protect against ransomware?
Not directly. A VPN encrypts your network traffic and hides your IP, which is great for privacy. But it doesn't stop you from clicking a phishing link or downloading a malicious file. VPNs and antivirus solve different problems.
Is paying the ransom illegal?
In most countries, paying a ransom is not technically illegal for private individuals. However, the US Treasury's OFAC has warned that paying ransoms to sanctioned groups (like certain Russian or North Korean hacking gangs) could violate sanctions laws. It's a gray area, and another reason not to pay if you can avoid it.
Can Mac users get ransomware?
Yes. Macs are less frequently targeted than Windows machines, but Mac ransomware exists and is growing. The KeRanger ransomware in 2016 was one of the first major Mac variants, and new ones appear regularly. Don't assume your Mac is immune.
How often should I back up?
For most people, automated daily backups (or at minimum weekly) strike the right balance. Critical work files — back up more frequently. The question to ask yourself: "If I lost everything right now, how much work would I lose?" If the answer is more than a day's worth, you're not backing up often enough.
Build Your Defense Now — Not After the Attack
Ransomware is one of those threats where preparation makes all the difference. Once you're hit, your options range from bad to terrible. Before you're hit, protection is straightforward and mostly free.
Quick action list:
- Set up the 3-2-1 backup system today
- Enable automatic OS and software updates
- Install or verify your antivirus software
- Turn on Controlled Folder Access (Windows)
- Disable macros in Office
- Review your personal data protection habits
Every single item on that list takes less than 10 minutes. The ransomware gangs are betting you'll keep putting it off. Prove them wrong.