Understanding Ransomware: A Practical Primer

Understanding ransomware is no longer optional for any business operator. Ransomware is the category of cyberattack where attackers encrypt a victim’s files and demand payment (usually in cryptocurrency) for the decryption key. Over the past decade it has grown from a niche threat to one of the most consequential security risks any business faces, with incident costs running into hundreds of thousands of dollars per attack for small businesses and into the millions or higher for larger organizations. The good news is that prevention and resilience are largely a matter of disciplined fundamentals, not exotic technology. The bad news is that "disciplined fundamentals" is exactly where most organizations have gaps.

This post walks through what ransomware actually is, how a typical attack unfolds, the main categories you’ll encounter, why paying the ransom is rarely the clean answer it sounds like, the prevention practices that actually move the needle, and a realistic response framework if an attack happens anyway.

What ransomware actually is

Ransomware is malicious software that encrypts files on a victim’s system using strong cryptography, making the files unreadable without a decryption key the attacker controls. The attacker then demands payment (the "ransom") for that key. Without the key, decryption is computationally infeasible: no practical amount of computing time will recover the files.

The economic mechanism is what makes ransomware so distinctive as a category of attack. Most cybercrime sits in adversarial relationships where the attacker steals something and disappears: credit card numbers, personally identifiable information, login credentials. Ransomware flips this: the attacker doesn’t try to steal your data per se, they try to prevent you from using it, then sell you back access. The financial pressure on the victim is direct and immediate.

The earliest ransomware appeared in the late 1980s (the "AIDS Trojan" in 1989), but modern ransomware as a serious threat dates to the early-to-mid 2010s with the rise of strong cryptography deployed at scale, the emergence of cryptocurrency (which let attackers receive payments anonymously), and the maturation of professional cybercrime organizations that treated ransomware as a business.

How a typical ransomware attack unfolds

Ransomware attacks vary in sophistication, but a common pattern includes several distinct phases.

  • Initial access: the attacker gets a foothold in the victim’s environment. The most common methods are phishing emails (a user clicks a link or opens an attachment), compromised credentials (often from credential-stuffing attacks against weak or reused passwords), exploitation of unpatched software (especially internet-facing services like VPN gateways or remote desktop), and supply-chain compromises (malicious updates to legitimate software).
  • Reconnaissance and lateral movement: once inside, the attacker explores the network, identifies high-value targets (file shares, backup systems, domain controllers, databases), and moves between systems. Modern ransomware operators often spend days or weeks inside an environment before triggering encryption, mapping the territory thoroughly.
  • Privilege escalation and credential theft: the attacker captures administrative credentials, often by extracting them from memory on compromised systems or by exploiting weak password practices. Admin access lets them deploy ransomware across the entire environment rather than just the initial foothold.
  • Data exfiltration (in modern attacks): many recent ransomware operators steal copies of sensitive data before encrypting. The stolen data becomes a second leverage point: pay the ransom or we’ll publish your customer data publicly. This pattern is called “double extortion” and has become the norm rather than the exception.
  • Backup destruction or encryption: before encrypting production data, sophisticated attackers find and disable backup systems. The point is to remove the obvious response option (restore from backup) so the victim has fewer choices besides paying.
  • Encryption deployment: ransomware is deployed across as many systems as possible, encrypting files using strong cryptography. The attacker reveals their presence with a ransom note explaining what happened and how to pay.
  • Negotiation and payment: the victim either pays (and hopes for a working decryption key), restores from backups (if backups survived), or accepts the loss.

The reconnaissance-to-encryption window in modern attacks is often days to weeks, not minutes. This matters operationally: there’s usually a detection window where the attack can be interrupted before encryption begins, if the organization has visibility into its environment.

The main categories of ransomware

Ransomware variants come and go (specific names like CryptoLocker, WannaCry, Ryuk, LockBit, BlackCat trend through the news cycle), but the underlying categories are reasonably stable.

Locker ransomware locks the user out of the operating system entirely. Common in older attacks against individual users; less common against businesses today.

Crypto ransomware is the dominant modern form: files are encrypted but the system itself remains usable. The victim can see their files; they just can’t open them.

Double-extortion ransomware combines encryption with data exfiltration. Even an organization with perfect backups (which solves the encryption problem) still faces the threat of stolen data being published.

Triple-extortion ransomware adds additional pressure tactics: contacting the victim’s customers or partners, threatening DDoS attacks, regulatory threats, or harassment of executives. The escalation reflects how professionalized the operator economy has become.

Ransomware as a Service (RaaS) is the operating model rather than a technical category: ransomware developers license their tools to "affiliates" who carry out attacks, with payments split. RaaS lowered the technical bar to running ransomware attacks and is one reason the threat has expanded so broadly.

Why paying the ransom isn’t a clean answer

The natural reaction when ransomware hits is to pay and move on. The reality is more complicated.

You may not get the data back. Even after payment, decryption keys don’t always work, decryption tools can be buggy, and some attackers simply don’t deliver. Industry surveys consistently show that a meaningful percentage of paying victims don’t fully recover their data.

Payment funds the next attack. Every ransom payment confirms the business model and funds the next round of victims. Law enforcement agencies in many countries publicly discourage payment for this reason.

Sanctions and legal exposure. In several jurisdictions, paying ransomware operators on sanctioned lists is itself illegal. The US Treasury’s Office of Foreign Assets Control (OFAC) has issued advisories warning that payments to sanctioned actors can result in civil penalties for the paying organization, even if the connection was not known at the time of payment.

Repeat victimization. Organizations that pay are statistically more likely to be attacked again. Some attackers explicitly tag known payers for repeat targeting.

Reputation and disclosure obligations. Many jurisdictions now require breach disclosure regardless of whether ransom was paid. Payment doesn’t make the incident disappear; it just adds a payment to the cost.

None of this means payment is always wrong. Some organizations face genuinely existential decisions and may rationally pay. But the framing of payment as "the easy way out" doesn’t survive contact with reality.

Prevention practices that actually work

Ransomware prevention is a layered discipline. No single control is sufficient; the combination is what creates real resilience.

Backups, tested, isolated, immutable. The single highest-impact defense. Backups that can be restored from cleanly defeat the encryption side of ransomware entirely. The discipline has several non-obvious parts:

  • Backups must be tested regularly. An untested backup is a hope, not a recovery plan.
  • Backups must be isolated from production. Attackers who compromise production systems should not be able to reach the backup system. Common patterns include offline (air-gapped) backups, cloud backup providers with separate authentication, and immutable backup snapshots that can’t be deleted even by privileged accounts.
  • Backups must be frequent enough that recoverable data is current. A daily backup means up to 24 hours of data loss in a worst case; weekly means up to a week.
  • Backups must be comprehensive. Anything not backed up is unrecoverable.

Multi-factor authentication on everything. Most ransomware attacks start with compromised credentials. MFA blocks the vast majority of credential-based attacks even when passwords are stolen. Our piece on multi-factor authentication covers the details.

Patching discipline. Many ransomware attacks exploit known vulnerabilities in unpatched software. Internet-facing services (VPN gateways, remote desktop, web servers, file transfer appliances) are particularly important to keep current.

Email security and phishing-resistant defenses. Email remains a primary delivery vector. Strong email filtering, secure email gateways, and phishing-awareness training all contribute.

Endpoint detection and response (EDR). Modern endpoint security tools detect ransomware behavior (mass file encryption, suspicious process activity) and can block or interrupt attacks in progress. EDR is now table stakes for businesses of any size.

Least-privilege access. Limit what each user account can do. Most users don’t need admin access; admin accounts shouldn’t be used for daily work. The principle of least privilege limits the damage when any single account is compromised.

Network segmentation. Internal networks should be segmented so that compromise of one segment doesn’t immediately give the attacker access to everything. Segmentation slows lateral movement and creates additional detection opportunities.

Incident response planning. Before an incident happens, decide who makes decisions, who calls outside help (incident response firms, legal, law enforcement), what the communication plan is, and where the playbooks live. Response planning under pressure is much worse than planning in advance.

A realistic response framework if it happens anyway

If a ransomware attack occurs despite prevention, the response sequence matters.

Isolate, don’t power down (initially). Disconnecting affected systems from the network limits spread; powering off can destroy forensic evidence that’s useful for both investigation and decryption work. Most incident response guidance recommends network isolation first.

Engage qualified incident response help. Few organizations have the in-house expertise to handle a ransomware incident alone. Professional incident response firms have playbooks, tools, and negotiation expertise that are hard to assemble during a crisis.

Notify the right people. Internal stakeholders, leadership, legal counsel, your insurance carrier if you have cyber insurance, and (per jurisdiction) potentially law enforcement and regulators. Communication discipline early is much easier than reconstructing the timeline later.

Don’t communicate with the attacker directly without professional help. Negotiation with ransomware operators is a specialized skill, and amateur responses can make outcomes worse. Incident response firms typically have negotiators or can recommend specialists.

Preserve evidence. Logs, memory dumps, disk images of affected systems all matter for investigation, decryption (sometimes free decryptors exist for specific variants), and post-incident learning. Destroying evidence in the rush to recover is a common mistake.

Restore from clean backups if possible. If isolated, tested backups exist and haven’t been compromised, restoration is the clearest path. The work is still substantial; reinstalling clean systems, validating backup integrity, and bringing services back online takes days to weeks at scale.

Post-incident review. What gave the attacker access? What slowed the response? What controls failed? The discipline of running an honest post-mortem is what turns one painful incident into reduced risk on the next one.

Frequently Asked Questions

How long does it take to recover from a ransomware attack?

For small businesses with good backups, recovery can take a few days to a week or two of intensive work. For larger organizations or those without clean backups, recovery commonly runs weeks to months. Some incidents take a year or longer to fully resolve, particularly when data exfiltration leads to ongoing regulatory or customer-notification work. Recovery time correlates strongly with backup discipline before the incident: organizations with tested, isolated backups recover much faster than those without.

Will cyber insurance cover a ransomware incident?

Many cyber insurance policies cover ransomware response costs (incident response, restoration, business interruption, legal). Coverage of the ransom payment itself varies by policy and by jurisdiction; some insurers no longer cover ransom payments, and several jurisdictions restrict insurance coverage of ransom payments. Coverage also depends on whether the organization had the security controls the policy required. Reading the policy carefully before an incident is much better than discovering exclusions during one.

Are small businesses really at risk of ransomware?

Yes, and small businesses are often more attractive targets than large ones from the attacker’s perspective. Small businesses typically have weaker security controls, fewer dedicated security personnel, less mature backup discipline, and faster decision-making under pressure (which can mean faster payment). Industry data consistently shows small and mid-sized businesses among the most-attacked organization categories, not the least.

Can antivirus software stop ransomware?

Traditional signature-based antivirus catches some ransomware but misses much of it because attackers continuously vary the code to evade signature detection. Modern endpoint detection and response (EDR) tools that watch for behavioral patterns (mass file encryption, suspicious process activity) are substantially more effective. Antivirus alone is not a sufficient defense; EDR, MFA, backups, and patching together are the realistic baseline.
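As an added illustration of the behavioral detection described in the EDR section above and in this answer (example code written for this page, not from the original post or any vendor's product): a small Python heuristic that flags a process renaming many distinct files to a new extension inside a short window. The telemetry format and the sample events are constructed; real EDR schemas differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, vendor-neutral file-event format (not a real product's schema):
#   <iso timestamp> pid=<n> proc=<name> op=<write|rename> path=<old>[ -> <new>]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>.+?)(?: -> (?P<newpath>.+))?$"
)

# Constructed sample: normal office activity, then a burst of 25 renames
# to a ".locked" extension by one process within 25 seconds.
SAMPLE_EVENTS = [
    "2024-05-01T09:00:01 pid=4120 proc=winword.exe op=write path=C:\\Users\\amy\\Docs\\q1.docx",
    "2024-05-01T09:00:05 pid=4120 proc=winword.exe op=rename "
    "path=C:\\Users\\amy\\Docs\\draft.docx -> C:\\Users\\amy\\Docs\\final.docx",
] + [
    f"2024-05-01T09:12:{10 + i:02d} pid=7733 proc=updater.exe op=rename "
    f"path=C:\\Shares\\fin\\report{i}.xlsx -> C:\\Shares\\fin\\report{i}.xlsx.locked"
    for i in range(25)
]

def parse_event(line):
    """Parse one telemetry line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def ext_changed(path, newpath):
    """True when a rename appends or swaps the file extension (report.xlsx -> report.xlsx.locked)."""
    if not newpath:
        return False
    return path.rsplit(".", 1)[-1].lower() != newpath.rsplit(".", 1)[-1].lower()

def flag_mass_encryption(lines, window=timedelta(seconds=30), threshold=20):
    """Return {"proc[pid]": peak_distinct_files} for processes that renamed at least
    `threshold` distinct files to a new extension within any `window`-long span."""
    recent = defaultdict(deque)  # proc[pid] -> deque of (timestamp, path) inside the window
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "rename" or not ext_changed(ev["path"], ev["newpath"]):
            continue  # writes and same-extension renames (draft.docx -> final.docx) are not counted
        key = f'{ev["proc"]}[{ev["pid"]}]'
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # slide the window forward
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged
```

Extension-changing renames are only one of several signals a real EDR correlates (others include ransom-note drops in many directories and shadow-copy deletion); archivers and backup agents can trip this rule, so the threshold and an allow-list are tuned per environment.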

Should I pay the ransom if I’m hit?

The honest answer is: probably not, but the decision is situational. The case against paying: no guarantee of recovery, funds future attacks, may violate sanctions laws in some jurisdictions, increases the probability of repeat targeting. The case for paying: in some organizations, the alternative (data loss without recovery options) is genuinely worse than the payment plus the risks above. The decision should be made with legal counsel, incident response professionals, and (where applicable) law enforcement, not in panic. Organizations with disciplined backups rarely face this decision in its sharpest form.
