Normally using a phishing attack, the attacker delivers cryptographic malware, such as cryptolocker, that encrypts the victim’s information so it can’t be accessed. A pop up window may appear, as in spyware, to demand a ransom for restoring access. Before doing this, though, they may degrade backups or make it look like backups are happening when they aren’t. Backups may also have backed up the infection.
Scareware looks like ransomware. This is where an attacker may make threats in a pop up window that are purely blackmail. The machine needs to be cleaned immediately, not a fine paid.