
What is ransomware and how do you prevent it?

Read about what ransomware is and shield your business from ransomware attacks with our guide. Plus, discover best practices for detection, prevention and recovery.


Ransomware is one of the most popular forms of cyber attack. In fact, it’s so popular, you can even buy Ransomware as a Service (RaaS) on the dark web.

From phishing emails to USB drops or drive-by downloads, malicious actors will use every trick in the book. Take the bait, and all your data is gone. Want it back? Then you’ll need to pay up. Hackers will demand a ransom. 

In this detailed guide to ransomware, we’ll be covering all you need to know, including:

  • What is a ransomware attack?
  • A brief history of ransomware
  • Types of ransomware
  • How does ransomware work?
  • How ransomware impacts businesses
  • Real-life examples of a ransomware attack
  • How to detect ransomware
  • How to protect against ransomware and prevent attacks
  • How to respond to and recover from a ransomware attack
  • FAQs
  • Final thoughts

What is a ransomware attack?

Ransomware refers to malicious software that encrypts files or restricts access to a victim’s computer system. This form of cyber attack aims to exploit individuals or organizations by demanding payment in exchange for restoring access to compromised data.

The hackers, seeking to maximize their gains and evade detection, commonly demand payment in cryptocurrency, adding another layer of anonymity that makes tracking the transactions back to the perpetrator significantly challenging.

As the use of ransomware continues to rise, it’s crucial you remain vigilant. 

A brief history of ransomware

The first known ransomware attack was the AIDS Trojan in 1989, which occurred back when floppy disks were still a thing. The virus encrypted all file names on the victim’s hard drive and demanded payment to a PO box in Panama to restore access.

In the early 2000s, encryption-based ransomware emerged, which was spread via email. Hackers distributed the virus known as GPCoder through the victim’s computers, encrypting MS Office and media files. This time, the ransom was demanded via a premium rate phone number. 

In recent years, ransomware attacks have become increasingly common, and increasingly lucrative for attackers, with hundreds and thousands of victims affected and millions of dollars lost. Notable examples include the WannaCry and NotPetya attacks in 2017 and the LockerGoga attack in 2019.

As technology continues to advance, ransomware attacks will become even more sophisticated and difficult to detect. If you want to protect your bottom line, you must learn how to prevent ransomware attacks. 

Types of ransomware

Keeping up with the latest types of ransomware and taking proactive measures to mitigate their impact is vital.

Here are seven examples of ransomware you should be aware of.

  1. Encrypting ransomware – the most common type of ransomware. It encrypts the victim’s files, making them inaccessible without a decryption key.
  2. Locker ransomware – locks the victim out of their device completely, preventing them from accessing any files or applications.
  3. Master boot record ransomware – targets the master boot record of a victim’s hard drive, rendering the entire system inoperable.
  4. Mobile device ransomware – targets mobile devices like smartphones and tablets.
  5. Scareware ransomware – displays fake messages on the victim’s screen, claiming that a virus has been detected, and demanding payment to remove it.
  6. Ransomware as a Service – RaaS allows cyber criminals to create and distribute ransomware easily, even if they lack the technical expertise to do so themselves.
  7. Doxware – sometimes called ‘leakware’, it not only encrypts files but also threatens to leak sensitive data unless a ransom is paid.

How does ransomware work?

The primary function of ransomware is to encrypt the victim’s files and lock them out of their device. This allows hackers to demand payment to unlock the device or in exchange for the decryption key.

Let’s take a closer look at how ransomware works.


The attacker gains access to the victim’s system through various means, such as a phishing email, malicious download, or exploiting a vulnerability in the software.


Once inside the system, the attacker uses encryption to lock the victim’s files or the entire system. Without a decryption key, access is denied.

Ransom demand

The attacker demands payment, typically in cryptocurrency, in exchange for the decryption key or to unlock the device. The victim is given a deadline to pay, and the ransom amount may increase the longer they wait.


If a victim agrees to pay a ransom, they send the payment to the attacker’s wallet address. Once payment is confirmed, the attacker sends the decryption key or provides instructions on how to unlock the device.

However, paying the ransom does not guarantee the retrieval of data. Nor does it safeguard against the possibility of future attacks. That’s why paying the ransom is not advised. Instead, victims of ransomware should seek advice from experts on how to restore access to the device.

How ransomware impacts businesses

Ransomware attacks are ruthless. Not only will they affect your finances, but also your reputation.

Here are just some of the ways a ransomware attack can impact business:

Financial losses

Depending on the size of the business and the extent of the attack, ransomware can result in significant financial losses. Aside from the ransom demand, businesses may incur costs related to data recovery, system restoration, and increased cybersecurity measures.


Ransomware attacks can cause significant downtime for businesses, as employees may be unable to access critical systems and data. This can result in lost productivity, missed deadlines, and decreased revenue.

Data loss

Ransomware attacks can result in the loss of critical business data, including customer information, financial records, and intellectual property. This can have long-term consequences, such as legal liabilities and loss of competitive advantage.

Reputation damage

Ransomware attacks can also damage a business’s reputation, particularly if sensitive data is compromised. Customers and stakeholders may lose trust in the business’s ability to protect their information, which can lead to lost business and profits.

Legal and regulatory implications

Depending on the industry and location, businesses may be subject to legal and regulatory requirements related to data protection and cybersecurity. A ransomware attack could result in violations of these requirements, leading to fines, legal action, and further reputational damage.

Real-life examples of a ransomware attack

One of the most notable ransomware attacks in recent years was the WannaCry attack that occurred in May 2017. Over 75,000 cases were recorded in 99 countries across the globe, costing victims an estimated $4 billion in losses.

The WannaCry attack was carried out using a ransomware variant known as “WannaCrypt.”

Hackers identified a fatal flaw in the Microsoft Windows operating system and used it to their advantage. They exploited this vulnerability, infected computers with ransomware, encrypted files, and demanded a Bitcoin payment to unlock them. 

The attack affected businesses and organizations across various industries, including healthcare, finance, and government agencies. The UK’s National Health Service was one of the high-profile victims of the attacks. In total, hospitals and clinics experienced 20,000 canceled appointments, 600 disrupted GP surgeries, and various diverted ambulance services. 

The WannaCry attack was a wake-up call for businesses and organizations worldwide. It reinforced the importance of keeping software up-to-date and having robust cybersecurity measures in place to mitigate these types of attacks.

How to detect ransomware

Ransomware detection is challenging, especially as the methods attackers employ are increasingly sophisticated.

Here are some telltale signs to look out for:

  • Unusual file extensions: if you notice that your files have unusual file extensions, such as .encrypted or .locked, it may indicate that they have been encrypted by ransomware.
  • Ransom notes: ransomware attacks often come with a message or note that demands payment in exchange for the decryption key to unlock the device. These messages may appear on the desktop or in a file within the affected system.
  • Slow system performance: ransomware attacks can slow down your system’s performance, especially if the attacker is encrypting large amounts of data.
  • Unusual network activity: if you notice unusual network activity, such as increased outgoing traffic, it could indicate that ransomware is communicating with the attacker’s command-and-control server.
  • Strange pop-ups or messages: ransomware can generate fake pop-ups or messages that claim to be from law enforcement or other authorities, demanding payment in exchange for avoiding legal action.
  • Disabled security software: ransomware attacks may disable security software to avoid detection.

How to protect against ransomware and prevent attacks 

To prevent a ransomware attack, you’ll need to adopt a multi-layered approach that involves both technical and non-technical measures.

Here are some of the best techniques you can adopt to protect against ransomware attacks.

  1. Keep software up to date: regularly update your operating system, web browser, and other software to stay protected against known vulnerabilities that ransomware attackers may exploit.
  2. Use up-to-date antivirus software: install and use reputable antivirus software to improve ransomware detection and remove known malware.
  3. Back up data regularly: regularly back up your files to an external hard drive or cloud storage service to prevent data loss in case of a ransomware attack.
  4. Be wary of email attachments and downloads: do not open email attachments or download files from unknown or suspicious sources.
  5. Use strong passwords: use strong and unique passwords for all accounts and enable multi-factor authentication (MFA) for added security.
  6. Educate employees: train employees on how to stop ransomware attacks by educating them on the dangers of phishing scams and other social engineering tactics. 
  7. Limit access to sensitive data: only provide full access to those who require it and monitor it regularly. 
  8. Create an incident response plan: develop a coordinated incident response plan in case of a ransomware attack or hire an organization that provides incident response services.

Adopting these best practices is crucial. Refusing to do so could increase your risk of falling victim to a ransomware attack. Don’t think twice when it comes to amping up your security posture. 

How to respond to and recover from a ransomware attack

Your network is under attack. You can no longer access your most valuable data. Your system is infected with a ransomware virus. Now what?

Ransomware recovery requires a coordinated approach with technical expertise, communication, and planning. Here’s what you need to do:

Isolate the infected device

Disconnect the infected computer or system from the internet and remove network connections to prevent the ransomware from spreading to other devices or systems.

Assess the damage

Determine the extent of the damage caused by the ransomware, including which files and systems have been encrypted or locked.

Contact law enforcement

Report the attack to law enforcement agencies, such as the local police department, to assist with the investigation and potential prosecution of the attackers.

Contact cybersecurity professionals

Seek assistance from cybersecurity professionals to remove the ransomware and recover data from backups or other sources.

Communicate with stakeholders

Notify all relevant stakeholders, such as employees, customers, and partners, about the attack, and provide updates on the recovery efforts.

Restore data from backups

If possible, restore data from backups to recover lost or encrypted data. Only use backups that were created before the attack occurred.

Implement additional security measures

Once the system is restored, implement additional security measures to prevent future attacks, such as updating software and installing security patches, using antivirus software, and implementing access controls.
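
The “Assess the damage” and “Restore data from backups” steps, sketched as an added example that is not part of the original guide: it flags files showing the signs listed under “How to detect ransomware” (plus a high-entropy check, which goes beyond the signs listed there), then picks the newest backup older than the earliest flagged file. The ransom-note keywords, the entropy threshold and the 24-hour safety margin are assumptions.

```python
import math
import os
from collections import Counter
from datetime import datetime, timedelta

SUSPECT_EXTENSIONS = {".encrypted", ".locked"}   # the two extensions named in the guide
NOTE_WORDS = ("decrypt", "recover", "ransom")    # assumed ransom-note file name hints


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted content sits close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def assess_damage(root, entropy_threshold=7.5, sample_bytes=65536):
    """Walk root and return (path, reason, mtime) for every file showing a sign."""
    findings = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            stem, ext = os.path.splitext(name.lower())
            if ext in SUSPECT_EXTENSIONS:
                reason = "suspect extension"
            elif ext in (".txt", ".html") and any(w in stem for w in NOTE_WORDS):
                reason = "possible ransom note"
            else:
                try:
                    with open(path, "rb") as handle:
                        sample = handle.read(sample_bytes)
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                # Small samples give unreliable entropy, so they are not flagged.
                if len(sample) < 1024 or entropy(sample) < entropy_threshold:
                    continue
                reason = "high-entropy content"
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            findings.append((path, reason, mtime))
    return findings


def last_clean_backup(findings, backups, margin=timedelta(hours=24)):
    """Return (created, label) of the newest backup taken at least `margin`
    before the earliest finding, or None if there are no findings or no such
    backup. `backups` maps a label to its creation time (datetime)."""
    if not findings:
        return None
    cutoff = min(mtime for _path, _reason, mtime in findings) - margin
    clean = [(created, label) for label, created in backups.items() if created <= cutoff]
    return max(clean) if clean else None
```

Compressed archives and media files are also high-entropy, so treat that reason as a prompt for review rather than proof. File timestamps only estimate when encryption began, which is why the cutoff is moved earlier by a margin.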


FAQs

Why do ransomware attacks exist?

Ransomware attacks exist because they’re a lucrative way for hackers to make a quick chunk of change. More often than not, malicious actors use ransomware as a means to extort money. They block your access to critical systems or encrypt valuable data and demand money in return.

Who’s usually targeted by ransomware?

Hackers seek out targets with vulnerabilities in their systems and networks that are easy to exploit. Individuals, businesses, even governments – anyone can fall victim to a ransomware attack. No matter your size or industry, you too are a potential target.

Should I pay the ransom?

No, you should avoid paying the ransom at all costs.

However, it’s a complex decision that should be carefully evaluated. Ideally, you should report the incident to law enforcement, seek assistance from a cybersecurity firm, and focus on implementing strong security measures to prevent any future attacks.

Why shouldn’t I pay the ransom? 

There’s no guarantee you’ll get your data back. And, even if you do, you’ve just proven yourself to be a lucrative target for future attacks.

By paying the ransom, you’re simply putting money into the pocket of malicious actors and fuelling the growth of cybercrime. You may even be at risk of violating local laws or regulations.

Is ransomware on the decline or is it still a threat?

Ransomware remains a significant threat in the cybersecurity landscape and its complexity only continues to evolve.

Cyber criminals constantly adapt their tactics, techniques, and ransomware strains to bypass the latest security measures and exploit your vulnerabilities. Therefore, you must remain proactive in your stance against ransomware attacks.

How do I remove ransomware?

Ransomware removal is a complex process. The best course of action is to enlist the help of cybersecurity professionals.

However, the steps to remove ransomware typically involve isolating the infected system, disconnecting it from your network, identifying the ransomware variant, researching available decryption tools, and restoring backups. 

Final thoughts

Preventing ransomware is daunting, but restoring your reputation after an attack is even more challenging.

It’s a technique that hackers have been using for decades. And their methods are only increasing in sophistication. Staying one step ahead of these threats requires continuous vigilance and an expert team of cybersecurity defenders. 

With decades of collective experience under our belts and wide coverage of assistance, our support is as ongoing as it gets. Our service is great as a one-off engagement; it’s even more valuable as an ongoing subscription. We will raise the alarm bells when a threat is imminent, so you can rest easy knowing your data is safe. Ready to put your system to the test? Enquire about our ransomware attack simulation.