In February 2024, Change Healthcare — the largest medical payment processor in the US — was hit by the ALPHV/BlackCat ransomware gang, taking down insurance claims processing for thousands of hospitals and pharmacies for weeks. The parent company ultimately paid $22 million in ransom. In 2025, ransomware attacks expanded from large enterprises to small businesses, schools, and individuals, with the average attack causing 21 days of business disruption. Understanding how ransomware works has never been more important.
1. How Ransomware Works
A typical ransomware attack proceeds in stages; the encryption stage combines symmetric encryption (AES-256) with asymmetric encryption (RSA) to lock victims out of their files:
- Initial access: Enters via phishing email, vulnerability exploit, RDP brute force, or compromised software
- Lateral movement: Spreads across the network, attempting to infect more devices — especially backup servers
- Encryption phase:
  - Generates a random AES-256 symmetric key locally
  - Uses that AES key to encrypt all target files (fast)
  - Encrypts the AES key using the attacker's RSA public key
  - The RSA private key exists only on the attacker's infrastructure — the victim cannot recover it
- Ransom demand: Displays a ransom note demanding Monero or Bitcoin in exchange for the RSA private key
- Double extortion (modern variant): Exfiltrates data before encrypting, threatening to publish it if ransom isn't paid
Why this combination is nearly unbreakable: AES-256 cannot be brute-forced with any feasible amount of computation, and the only thing that unwraps the AES key is the RSA private key, which never leaves the attacker's infrastructure. Free decryptors exist only where a gang's implementation was flawed or its keys were seized, which is why section 6 points to nomoreransom.org.
2. Major Ransomware Incidents (2024–2026)
Change Healthcare (February 2024)
ALPHV/BlackCat attacked UnitedHealth's payment subsidiary, disrupting US healthcare payment processing nationwide. The parent company paid $22 million, still didn't recover all data, and was then extorted by a second gang.
UK NHS Attack (June 2024)
The Qilin gang attacked NHS partner Synnovis, forcing London hospitals to cancel over 3,000 surgeries and appointments. NHS refused to pay the $50 million ransom demand.
Semiconductor Supply Chain Attacks (2025)
Multiple ransomware attacks targeted Taiwanese and East Asian semiconductor supply chain manufacturers, exploiting IT/OT network boundaries to steal production data for double extortion — disrupting component supply for several global tech companies.
3. Common Entry Vectors
| Vector | Share (approx.) | Typical scenario |
|---|---|---|
| Phishing email | ~40% | Malicious attachment (Office macros, PDF) or phishing link |
| Remote Desktop (RDP) | ~25% | RDP exposed to the public internet with weak or brute-forced credentials |
| Software vulnerabilities | ~15% | Unpatched VPN, firewall, or application vulnerabilities |
| Supply chain | ~10% | Compromised third-party software update (SolarWinds-style) |
| Stolen credentials | ~10% | Dark web credential purchase used to log into corporate systems |
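As an added example (not from the original article), the following Python detects the RDP brute-force pattern from the table over constructed log lines: it counts failed RDP logons per source address inside a sliding window and raises a higher-severity alert when such a burst is followed by a successful logon from the same address. The simplified comma-separated line format and the sample addresses are assumptions; Windows Security event IDs 4625/4624 and logon type 10 are the real values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp,event_id,logon_type,user,src_ip" form
# (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP session).
SAMPLE_LOG = """\
2024-02-20T02:14:01,4625,10,administrator,203.0.113.7
2024-02-20T02:14:03,4625,10,admin,203.0.113.7
2024-02-20T02:14:04,4625,10,backup,203.0.113.7
2024-02-20T02:14:06,4625,10,jsmith,203.0.113.7
2024-02-20T02:14:08,4625,10,jsmith,203.0.113.7
2024-02-20T02:14:11,4624,10,jsmith,203.0.113.7
2024-02-20T09:30:00,4625,10,alice,198.51.100.4
2024-02-20T09:31:30,4624,10,alice,198.51.100.4
"""

THRESHOLD = 5                   # failed RDP logons from one address ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window trigger an alert


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (kind, src_ip, timestamp, user) tuples: one BRUTE_FORCE per
    address that crosses the threshold, plus BRUTE_FORCE_SUCCESS if it then logs on."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625 events
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ts_s, event_id, logon_type, user, src_ip = line.split(",")
        if logon_type != "10":
            continue  # only RemoteInteractive (RDP) sessions matter here
        ts = datetime.fromisoformat(ts_s)
        q = failures[src_ip]
        if event_id == "4625":
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) >= threshold and src_ip not in flagged:
                flagged.add(src_ip)
                alerts.append(("BRUTE_FORCE", src_ip, ts_s, user))
        elif event_id == "4624" and src_ip in flagged:
            # A success right after a burst of failures is the signal that matters most.
            alerts.append(("BRUTE_FORCE_SUCCESS", src_ip, ts_s, user))
    return alerts
```

The single failure from 198.51.100.4 followed by a normal logon produces no alert, so the rule separates a mistyped password from a credential-guessing run.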
4. The 3-2-1 Backup Rule: Your Best Defense
Against ransomware, the single most effective protection is a well-implemented offline backup strategy. The industry-standard framework is the 3-2-1 rule:
- 3: Keep at least 3 copies of your data (1 original + 2 backups)
- 2: Store on at least 2 different media types (e.g., internal drive + external drive)
- 1: At least 1 copy stored offsite or offline (air-gapped, not connected to your network)
Why the last point is critical: modern ransomware actively scans and deletes network-accessible backups before encrypting. If your backup drive or NAS is always mounted, it will be encrypted too. An air-gapped backup (physically disconnected) is the only backup type immune to ransomware.
Backup validation — the step everyone skips
A backup is only as good as its restore. Test the actual restore process at least quarterly. You can also compute the checksum (SHA-256) of important backup files, record it, and recheck it later to confirm the backup hasn't been corrupted or tampered with.
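An added example (not part of the original article) of the checksum step: it records a SHA-256 manifest for a backup directory and later re-verifies it, reporting files that were modified, went missing, or appeared since the manifest was written. The directory layout and file contents are constructed for the demo; in practice the manifest is kept off the backup medium.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files never load fully into RAM


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative path) to its digest."""
    return {str(p.relative_to(backup_dir)): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_manifest(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup against a manifest recorded earlier.

    Anything listed under 'modified' or 'missing' means the copy can no
    longer be trusted as a clean restore point.
    """
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: record a tiny backup set, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "invoices.csv").write_bytes(b"id,amount\n1,100\n")
        (backup / "notes.txt").write_bytes(b"quarterly restore test\n")
        # Round-trip through JSON, as a manifest stored off the backup medium would be.
        recorded = json.loads(json.dumps(build_manifest(backup)))
        # Simulate silent corruption of one file and loss of another.
        (backup / "invoices.csv").write_bytes(b"id,amount\n1,999\n")
        (backup / "notes.txt").unlink()
        return verify_manifest(backup, recorded)
```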
5. Prevention Checklist
Individuals
- ✅ Enable automatic OS updates (Windows/macOS/mobile)
- ✅ Back up important files to an external drive (disconnect after backup) or cloud with version history enabled
- ✅ Don't open attachments from unknown senders, especially Office documents that ask to "Enable Macros"
- ✅ Use strong, unique passwords and enable two-factor authentication (2FA)
Small and medium businesses
- ✅ Disable or restrict public RDP exposure; protect with VPN + MFA if needed
- ✅ Apply the Principle of Least Privilege — accounts only get access they need
- ✅ Segregate backup networks from production networks (backup servers should not be directly reachable from workstations)
- ✅ Conduct phishing awareness training regularly — employees are the most common entry point
6. If You've Been Hit: Response Steps
- Isolate the infected machine immediately: Unplug the network cable or disable Wi-Fi to stop lateral spread
- Preserve the crime scene: Don't immediately format — a disk image of the encrypted state may enable future decryption
- Identify the ransomware strain: Visit nomoreransom.org (led by Europol) to check for free decryption tools
- Assess your backups: Check whether offline backups are intact and how recent they are
- Report to authorities: File a report with your national cybercrime unit or CISA (US)
- Think carefully before paying: Payment doesn't guarantee a working decryption key; some jurisdictions restrict payments to sanctioned groups
Summary
- Ransomware encrypts files with AES-256, then encrypts the AES key with the attacker's RSA public key — without the private key, decryption is computationally infeasible
- Phishing emails and RDP brute force account for over 60% of all ransomware incidents
- The 3-2-1 backup rule is the most effective defense; the "offline" component is the critical piece
- If hit: isolate, check nomoreransom.org for free decryptors, assess backups before considering payment
- No More Ransom has helped over 1.6 million victims decrypt for free, saving an estimated $3+ billion in ransom