Ransomware attacks: What they are, how they work, and how to protect your business

Ransomware attacks pose a significant threat to businesses, government institutions, and individuals. Learn the best ways to protect yourself today.

Written by Embroker Team Published April 2, 2025

Ransomware attacks pose a significant and accelerating threat to businesses, government institutions, and individuals worldwide. While such attacks have been part of the cybersecurity and technology landscape since 1989 (when the first ransomware case was documented), they have increased in number, magnitude, and cost in recent years. 

No business or individual can afford to ignore the threat posed by ransomware. In this post, we will discuss the essentials of ransomware attacks: what they are, how they work, and what steps you can take to protect your business.

What are ransomware attacks?

Ransomware is a particularly harmful cyber threat: cybercriminals gain access to files or systems and hold the data hostage, usually through encryption. Until the person or business targeted by the attack pays a ransom, the attacker keeps their data or systems locked. In 2024, the average ransom paid soared to an astonishing $2 million.

The demand for payment usually comes with a deadline. Failure to pay the ransom fee can lead to the permanent loss of data or, in some cases, the publication of confidential information. 

Ransomware differs from other types of malware in that the affected parties are notified about the attack and provided with instructions for paying the ransom and recovering the encrypted data. The rapid rise of cryptocurrency has contributed directly to the increase in ransomware attacks in recent years. Attackers have increasingly required payments in such digital currencies since they are anonymous and untraceable.

The two most common forms of ransomware are encrypting ransomware and screen lockers. Encrypting ransomware encrypts the victim’s data, while screen lockers lock users out of their computers and data systems entirely.

How does ransomware work?

Ransomware is one of the most financially damaging types of cyberattacks. But how exactly does it work? And what can you do to avoid it? Let’s take a closer look at how cybercriminals use ransomware to exploit sensitive business systems and data.

1. Attacker gains access to a system

For a cybercriminal to be able to exploit a company’s data and demand a ransom, they must first gain access to the system. There are many different ways that attackers do this, thanks to recent improvements in technology and the explosion of AI into mainstream markets. Here are a few of the most common:

  • Phishing: Easily the most common way that cybercriminals gain access to systems. Phishing attacks trick users into downloading malware through deceptive emails, messages, or websites.
  • Spearphishing: A particularly sophisticated phishing method, spearphishing involves attackers doing prior research to target specific individuals and networks to maximize their chances of success.
  • Drive-by attacks: No, we aren’t talking about drive-by shootings. In the cybersecurity world, a drive-by attack is when malicious code is injected into a website, infecting a user’s device when they visit the site. This often occurs without any action from the user.
  • Malvertising: A method where cyber criminals use online ads to distribute malware, often through legitimate ad networks.
  • Stealing log-in credentials: Cybercriminals also often use tactics, such as keyloggers, credential stuffing, and fake login pages, to steal usernames and passwords. Once obtained, they can then use the credentials to access sensitive accounts.

2. Exploits additional security vulnerabilities

Once inside the system, the attacker works to strengthen their hold by exploiting security weaknesses. This may include disabling security measures, deactivating antivirus software, and moving laterally to infect several devices in a single network. Essentially, at this stage, the attacker cements their hold and weakens the company’s security to ensure that the ransomware can spread undetected.

3. Identifies valuable and vulnerable data or systems

At this stage, the cybercriminal has a foothold in the breached system. They then look for sensitive data or critical systems to infiltrate and hold for ransom. The type of data that attackers target varies depending on the situation but may include medical records, financial information, intellectual property (trademarks, patents, etc.), personal information, and customer data. Some severe types of ransomware will even lock entire file sets or systems on servers, which can essentially shut a business down until the ransom is paid or the incident is otherwise resolved, causing costly system downtime and business interruption.

4. Attacker encrypts the data

After identifying sensitive information, ransomware attackers encrypt files and add a new extension, making the targeted files or systems inaccessible. The impacted parties are locked out of their data without a decryption key. 

5. Notification and payment demand

Once the ransomware has successfully encrypted the data, the attacker notifies the affected organization and demands a ransom in exchange for a decryption key. Most ransomware attacks demand that the ransom be paid in cryptocurrency.

If those impacted choose to pay the ransom, they might receive the decryption key, although that is not guaranteed. And even if a decryption key is received, it isn’t guaranteed that it will completely reverse the damage. In some cases, cybercriminals do not release the data, or do not delete the copies they stole, even after a ransom has been paid.

How to respond to a ransomware attack


Identified a ransomware attack in your system? The good news is that there are steps you can take to minimize the damage, keep your data, and avoid paying the ransom.

The Cybersecurity and Infrastructure Security Agency (CISA) lays out a clear framework and recommendations for responding to a ransomware attack.

Here is a step-by-step process for responding effectively to ransomware:

  1. Immediately notify your IT security team: One of the first things you should do after identifying a ransomware attack is contact your IT security team so that they can initiate your organization’s cyber incident response plan.
  2. Isolate affected systems: Immediately disconnect impacted systems from the network to prevent the ransomware from spreading. If multiple devices are affected, take the network offline at the switch level.
  3. Switch data backups to offline: Ransomware often targets backups to make it more difficult to recover from an attack, so it’s important to store backups offline and restrict access. 
  4. Determine the scope of the attack: Identify which systems and files have been encrypted and whether attackers have gained access to sensitive data.
  5. Prioritize critical systems: Start by protecting essential systems that are critical for operations, such as databases, financial systems, and customer information. 
  6. Eliminate any identified ransomware: Kill or disable any known ransomware processes, remove malicious registry values, and delete associated files.
  7. Restore data from clean backups: Use offline, encrypted backups to recover critical data. Ensure backups are not connected to the network before restoring to avoid re-infection.
  8. Notify the authorities: Ransomware is a serious crime, so it’s important to report incidents to the authorities. The most important authorities to notify are the FBI’s Internet Crime Center and CISA.
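Step 4 above (determining the scope of the attack) and step 4 of the attack chain (files encrypted and given a new extension) both come down to the same triage question: which files on a share have actually been touched? The script below is an added example written for this post; it is not code from Embroker or from CISA’s guidance. It walks a directory and sorts every file into three buckets using two signals the text describes: a suffix appended on top of the original extension, and content that looks like ciphertext (high Shannon entropy where the file format should not be compressed or encrypted by design). It also flags small text files that read like a ransom note. The suffix list, keyword list, entropy threshold and the sample file tree are all constructed assumptions for the example, not indicators of any real ransomware family.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicators (constructed for this example, not tied to any real family):
# extensions encryptors commonly append, words that recur in ransom notes, and an
# entropy threshold above which a file's content looks like ciphertext.
SUSPECT_SUFFIXES = {".locked", ".enc", ".crypt"}
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom")
NOTE_TYPES = {".txt", ".html", ".hta"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; plain documents sit far below this
# Formats that are compressed or encrypted by design; high entropy is normal for them.
HIGH_ENTROPY_BY_DESIGN = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 65536) -> str:
    """Return 'ransom_note', 'encrypted' or 'clean' for a single file."""
    suffix = path.suffix.lower()
    with path.open("rb") as f:
        head = f.read(sample_size)  # only the first chunk is needed to judge content

    # 1. Small text-like files mentioning several ransom-note terms.
    if suffix in NOTE_TYPES and len(head) < 16384:
        text = head.decode("utf-8", errors="ignore").lower()
        if sum(word in text for word in NOTE_KEYWORDS) >= 2:
            return "ransom_note"

    # 2. A suffix appended on top of the original extension (report.docx.locked).
    if suffix in SUSPECT_SUFFIXES:
        return "encrypted"

    # 3. Ciphertext-like content in a format that should not be high entropy;
    #    this also catches families that encrypt in place without renaming.
    if suffix not in HIGH_ENTROPY_BY_DESIGN and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted"

    return "clean"


def triage_directory(root: Path) -> dict:
    """Walk a tree and bucket every file; the result is the scope of the encryption."""
    buckets = {"ransom_note": [], "encrypted": [], "clean": []}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            buckets[classify_file(path)].append(path.relative_to(root).as_posix())
    return buckets


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a hit file share; not from a real incident."""
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    # Renamed and encrypted: random bytes stand in for ciphertext.
    (root / "finance" / "q1-ledger.xlsx.locked").write_bytes(os.urandom(4096))
    # Encrypted in place without a rename, caught by the entropy check alone.
    (root / "hr" / "payroll.docx").write_bytes(os.urandom(4096))
    # The note the encryptor drops; two of the keywords match.
    (root / "finance" / "README_TO_RESTORE.txt").write_text(
        "Your files have been encrypted. To decrypt them, pay in bitcoin.\n"
    )
    # Untouched files: readable text, and an image whose high entropy is expected.
    (root / "hr" / "handbook.txt").write_text("Welcome to the company handbook.\n" * 40)
    (root / "hr" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + os.urandom(2048))


def demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_directory(root)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

Run against a real share, the "encrypted" bucket is the list to hand to the response team for step 4, and the "clean" bucket is what can be copied off before restoring. The entropy check is a heuristic: it will miss encryptors that only scramble the first few kilobytes of each file, and the by-design list needs to be extended for any compressed or encrypted format your environment uses, or those files will show up as false positives.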

Should you pay the ransom?

The consensus on whether to pay attackers is clear: security and law enforcement agencies, including the FBI, advise against paying the ransom. The reason is that you can never be certain that you will receive the decryption key in exchange for the ransom. In many cases, companies pay the ransom only to receive a decryption key that does not fully resolve the issue.

Paying a ransom also sets a risky precedent. Other criminals might be encouraged to target your organization, knowing that you have a history of paying ransom. On a broader scale, it encourages criminal activity by incentivizing ransomware. 

Some organizations, however, may have no choice but to pay the ransom. Healthcare facilities and public utilities, for example, may be forced to pay because the prospect of extended downtimes is too risky and potentially life-threatening to patients and customers. Businesses might decide that the cost of lost revenue and profits from downtime will be in excess of the ransom demanded. For some individuals and organizations, the threat of sensitive data being released might pose too great a danger to their safety or reputation. 

Insurance is a lifeline for the worst-case scenario

Whether you choose to pay the ransom or not, ransomware attacks are costly. As mentioned above, the average ransom hovered around $2 million in 2024. But, even without paying the ransom, the cost of recovering from any ensuing data breaches or reputational damage can be extremely high.

This is why we always recommend having a cyber liability insurance policy as a lifeline to protect your business from ransomware. Cyber insurance takes some of the weight off your shoulders and prevents you from having to cover all of the financial responsibilities on your own.

Different types of ransomware

The primary goal of all ransomware attacks is to gain unauthorized access to a business’ systems or data and get a business to pay a ransom. However, there are several different ways that cybercriminals infiltrate systems and extort companies for ransom. 

Crypto-ransomware

The most common type of ransomware, crypto-ransomware, encrypts files and data, allowing the target to see encrypted files but not access them. The defining feature of this type of ransomware is that the ransoms are demanded in cryptocurrencies such as Bitcoin, Ethereum, or Ripple.

Locker ransomware

Certain types of ransomware attacks lock out users entirely from the system or device instead of encrypting files. This blocks users from accessing their systems, and a ransom demand appears on the screen. While the operating system will remain intact, all functionality is disabled until the company pays the ransom. This differs from crypto-ransomware, as it doesn’t target files specifically but instead prevents access to the entire device or network.

Doxware

Instead of holding data or entire operating systems ransom, Doxware attacks threaten to publicly release private and sensitive information. This type of ransomware can be particularly dangerous for major corporations, government agencies, and individuals with confidential data, as the threat of exposure and cost of data breaches can be just as damaging as losing files.

Scareware

As the name of this variety of ransomware suggests, “Scareware” uses fear tactics to coerce businesses into paying a fake fee. For example, a fake security alert may appear on a device claiming that the device is infected with a virus and that the business should pay a fee in order to fix the issue. Alternatively, a scareware pop-up may convince a user to give up sensitive information such as log-in credentials. Scareware differs from other types of ransomware as it doesn’t necessarily block access to data — instead, it floods the system with pop-ups, pressuring the intended target into paying for fake services.

Ransomware-as-a-Service

Ransomware-as-a-Service (RaaS) allows attackers to launch ransomware attacks with little prior technical or cybersecurity experience. Similar to SaaS, RaaS lets cybercriminals temporarily use advanced tools and the expertise of experienced hackers in exchange for a share of the ransom profits.

Ransomware attacks: Targets and effects on businesses 

Although ransomware attacks were originally focused on targeting personal computers and individual users, they have increasingly shifted their focus to businesses, from small and mid-sized firms to large corporations. Government institutions, public utilities, and healthcare networks have also become significant targets.

Such organizations are prime targets because they have greater financial resources, and their data is more critical, making it more likely that they will pay a large ransom. 

Ransomware poses a serious threat to businesses of all sizes. Beyond the obvious financial impacts, there are also reputational and operational threats to consider. Here are some of the effects that ransomware has on companies.

  • Loss of important confidential data
  • Damage to a business’ data infrastructure 
  • Loss in revenue and earnings from downtime
  • Financial losses from recovery costs and/or ransom payment
  • Loss in productivity and labor
  • Long-term (potentially permanent) damage to data, software, and hardware 
  • Reputational damage to the business and its leadership
  • Loss of customer and client confidence in the business 
  • Potential personal harm to patients/customers of healthcare/public utility targets

Given the dire consequences of ransomware, it is crucial for businesses to protect themselves effectively against such attacks.

How to prevent ransomware attacks


Individual users and employees are both the weakest and strongest links that businesses have when it comes to ransomware attacks. Organizations must train their employees in cybersecurity and implement proper security measures to prevent attacks. Here are some of our top tips for preventing ransomware attacks:

Practice good “cyber hygiene”

  • Use multifactor authentication
  • Utilize password managers
  • Back up devices regularly 
  • Implement a thorough and strict password policy for all users
  • Urge staff not to open any attachments from suspicious emails

Improve network security

  • Limit data and network access to trusted individuals
  • Implement network segmentation
  • Monitor all networks and connections for any suspicious activity
  • Use secure email gateways (SEG) to filter out malicious emails
  • Use secure web gateways (SWG)
  • Use mobile device management (MDM) software

Protect software and devices

  • Update all software, operating systems, and security patches regularly
  • Download software only from known and trusted sources
  • Avoid using USB sticks or external storage devices of unknown origin
  • Back up devices regularly to ensure data recovery if needed
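Backing up regularly only helps if the backup you restore from is the one you took: response steps 3 and 7 above make the point that ransomware goes after backups, and that a backup must be known clean before it is connected for a restore. The script below is an added example written for this post, not Embroker’s or any backup product’s code. It records a SHA-256 manifest of a backup set when the backup is taken, keeps that manifest in a separate location standing in for offline media, and later compares the backup against it so that any file that was overwritten, removed or dropped in since (such as an encrypted copy or a ransom note) is reported before a restore proceeds. The directory layout, file names and the simulated damage are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record the hash of every file in the backup set at the time it was taken."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup set as it is now with the manifest stored out of band."""
    present = {
        p.relative_to(backup_root).as_posix(): p
        for p in backup_root.rglob("*")
        if p.is_file()
    }
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, recorded in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != recorded:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Files that were not part of the backup when the manifest was written.
    report["unexpected"] = sorted(set(present) - set(manifest))
    return report


def safe_to_restore(report: dict) -> bool:
    """Only a backup that matches its manifest exactly should be restored."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenario: a backup is taken, then hit by an encryptor before restore."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'Acme');\n")
        (backup / "config.yaml").write_text("retention_days: 30\n")

        # The manifest goes to a separate location, standing in for offline media.
        manifest = build_manifest(backup)
        offline = Path(tmp) / "offline"
        offline.mkdir()
        (offline / "manifest.json").write_text(json.dumps(manifest, indent=2))

        before = verify_backup(backup, manifest)

        # Simulated damage: one file overwritten with ciphertext-like bytes, a note dropped.
        (backup / "db" / "customers.sql").write_bytes(os.urandom(512))
        (backup / "HOW_TO_RESTORE.txt").write_text("constructed ransom note placeholder\n")

        loaded = json.loads((offline / "manifest.json").read_text())
        after = verify_backup(backup, loaded)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before damage, safe to restore:", safe_to_restore(before))
    print("after damage, safe to restore:", safe_to_restore(after), after)
```

The separate "offline" directory is the whole point: a manifest sitting next to the backup on the same share can be rewritten by whatever encrypted the backup, so the manifest (or a signature over it) has to live on media the production network cannot write to, the same rule step 3 applies to the backup itself. A restore script that checks `safe_to_restore` first is a cheap way to avoid re-introducing encrypted files onto freshly rebuilt systems.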

Craft a strong incident response plan

  • Isolate and shut down any compromised parts of the system 
  • Consult security professionals to identify vulnerabilities

The future of ransomware 

Based on recent data and trends, we can safely assume that the frequency and severity of ransomware attacks are bound to increase in the future. Due to technological improvements such as artificial intelligence, the sophistication of ransomware and the range of targets it reaches have also grown.

In the past, ransomware attackers primarily targeted small, vulnerable companies, but in recent years, attacks on critical institutions such as healthcare systems, utilities, and public infrastructure have become more and more common.

Today’s businesses need to ensure that their cybersecurity measures and risk management technology keep up with advancements in the technology used by cybercriminals.

The mixed use of personal devices and work computers by businesses also increases the risk level, exposing the entire work network to threats transmitted through personal devices, which tend to be more vulnerable to ransomware attacks.

For more on how cyber threats, including ransomware, affect businesses, check out our full on-demand Cyber Threats Webinar. Additionally, for more information on cyber attacks and how to prevent them, head over to our Resource Hub.
