What does ransomware do to an endpoint device?
On an endpoint, ransomware typically executes a payload that enumerates files, encrypts documents and databases, deletes local backups and volume shadow copies to prevent easy recovery, and displays a ransom note. It may also disable security software and establish persistence to survive reboots.
The endpoint is where execution is visible, but the lasting damage is to the data — including data synced or backed up to other systems. Elastio inspects that data wherever it lives to determine what is actually recoverable after the endpoint is rebuilt.
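The encryption step described above leaves a measurable trace in the data itself. The following is an added example, not code from this page or from Elastio: a byte-entropy heuristic that flags files that look encrypted while skipping formats that are legitimately compressed. The function names, the 7.5 bits/byte threshold, the 1024-byte minimum, the magic-byte list and the sample files are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# Assumption: a short list of formats that are high-entropy by design.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff")

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, threshold: float = 7.5, min_size: int = 1024) -> str:
    """Label one file's content; threshold and min_size are illustrative choices."""
    if len(data) < min_size:
        return "too_small"            # entropy estimates are unreliable on tiny inputs
    if data.startswith(COMPRESSED_MAGIC):
        return "compressed_format"    # expected to be high-entropy, not a finding
    if shannon_entropy(data) >= threshold:
        return "suspect_encrypted"
    return "plausible_plaintext"

def suspects(files: dict) -> list:
    """Return the names of files whose content looks encrypted, sorted."""
    return sorted(n for n, d in files.items() if classify(d) == "suspect_encrypted")

def _pseudo_random(n_blocks: int) -> bytes:
    # Constructed stand-in for ciphertext: deterministic, uniformly distributed bytes.
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))

# Constructed sample data; none of these are real files.
SAMPLES = {
    "report.txt": b"Quarterly revenue summary, region EMEA, FY draft.\n" * 100,
    "ledger.db": _pseudo_random(128),                     # no known header, random-looking
    "archive.zip": b"PK\x03\x04" + _pseudo_random(128),   # ZIP header, random-looking body
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {shannon_entropy(data):5.2f} bits/byte  {classify(data)}")
```

Entropy alone is a triage signal: any compressed or media format missing from the magic-byte list will also score high, so a hit needs a second check such as comparing the file against an earlier backup copy.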