I used to think ransomware was something that only hit big companies with weak security and older systems. Then I watched a small business owner lose 10 years of files in one weekend and realized how naive that was.
Ransomware is simple at its core: malicious software sneaks into your system, encrypts your files so you cannot read them, and then the attacker demands money (usually in cryptocurrency) for the decryption key. To prevent it, you need a mix of technical controls (backups, patching, antivirus, email filters, access control) and human habits (not clicking random links, using strong passwords, turning on multi-factor authentication, and having a response plan).
What ransomware actually is (without the buzzwords)
At its simplest, ransomware is just software with one job: lock your data and make you pay to unlock it.
It does three main things:
1. It runs on your computer or server.
2. It scrambles your files with strong encryption.
3. It shows a message asking for money to decrypt those files.
There are many strains (LockBit, Ryuk, Conti, REvil, and others), each with its own quirks. But the basic mechanics are roughly the same.
Ransomware is not about technical brilliance as much as it is about attackers exploiting human and process weaknesses.
Some key traits that almost every ransomware family shares:
- Encryption-based lockout: It does not just “hide” files. It uses real cryptography that is practically impossible to break by guessing.
- Payment in cryptocurrency: Bitcoin, Monero, or similar, because they are harder (not impossible) to trace.
- Automated spread: Many variants scan the network and try to spread to other machines.
- Psychological pressure: Countdown timers, threats to leak data, and rising ransom amounts.
There are two broad “business models” that attackers use now:
| Type | What it does | Why attackers like it |
|---|---|---|
| Traditional ransomware | Encrypts your files and locks you out. | Simple model: you pay or you lose access. |
| Double extortion ransomware | Steals your data first, then encrypts it. | Even if you have backups, they can threaten to leak your data. |
Double extortion is now very common. Attackers know that more organizations have backups, so encrypting files alone does not guarantee a payout. Stealing sensitive information first gives them leverage.
How ransomware infections usually start
This is where many people get it wrong. They imagine some “super hacker” manually breaking through firewalls like a movie scene. In reality, attackers usually do the digital equivalent of walking through an unlocked side door.
The main entry points look very ordinary:
- Phishing emails with malicious attachments or links.
- Exposed services with weak or reused passwords.
- Software vulnerabilities that have not been patched.
- Malicious downloads from websites and “cracked” software.
- Supply chain attacks through third-party tools and remote access software.
1. Phishing emails and malicious attachments
This is still the most common starting point.
You get an email that looks like:
- An invoice
- A shipping notice
- A DocuSign type request
- A shared document (Excel, Word, PDF, ZIP)
You open the attachment or click the link. A macro runs, or a small loader file downloads the actual ransomware from a remote server.
A common pattern:
1. Email arrives with an “urgent” title.
2. Attachment uses a convincing name: “Invoice-December-2025.xlsm”.
3. You open it, Excel warns about macros.
4. The document tells you to “Enable Content” to see the details.
5. Once you click that button, malicious code runs and pulls in the ransomware.
Ransomware often arrives in two stages: a small loader sneaks in first, the heavy encryption payload follows.
If an attacker wants to be patient, they might stay hidden for days or weeks after that initial access, exploring your network before they launch the final attack.
2. Remote access abuse (RDP, VPN, remote tools)
Remote access is convenient, which also makes it attractive for attackers.
Common scenarios:
- Remote Desktop Protocol (RDP) exposed directly to the internet, often with weak passwords.
- VPN accounts with no multi-factor authentication.
- Remote management tools (TeamViewer, AnyDesk, VNC) with reused or leaked passwords.
Attackers either:
- Guess or “brute force” weak passwords, or
- Buy leaked credentials from previous breaches on underground markets.
Once they get in, they often behave like a real user at first. They may:
- Check what privileges the account has.
- Scan the internal network.
- Install additional tools like credential stealers.
Then at some point, they push the ransomware to as many machines as possible.
3. Exploiting unpatched software
When a software vendor fixes a security bug, they publish details about the issue. Attackers read those notes. They then build scanners that search the internet for systems that have not been updated.
Some usual targets:
- VPN appliances and firewalls.
- Email servers.
- Content management systems.
- File sharing and collaboration tools.
If a system has a known remote code execution vulnerability and it is not patched, it is an open invitation.
Unpatched internet-facing systems are often the first foothold for ransomware groups that act more like organized crime than lone hackers.
4. Malicious downloads and cracked software
Free “cracked” versions of paid apps are a common trap.
You search for a free copy of an expensive tool, find a shady download site, deactivate your antivirus because the “instructions” say so, and run an installer that is bundled with malware.
Ransomware groups like this route because:
- The victim disables security tools voluntarily.
- The victim might feel embarrassed and delay reporting the incident.
Even legitimate looking software from smaller vendors can be a risk if their own systems are compromised and attackers slip malware into their installers.
5. Supply chain and managed service provider (MSP) attacks
If attackers can compromise a software vendor or an IT service provider, they can reach many victims at once.
Examples:
- An update server gets compromised, and malicious updates go out to all customers.
- An MSP’s remote management platform is hijacked and used to push ransomware to client networks.
This is less common for individuals, but more common for businesses that rely heavily on third-party IT support.
How ransomware behaves once it gets in
Once the initial entry happens, the real work begins for the attacker. Ransomware campaigns often follow a rough playbook.
1. Establishing persistence
The first step is usually to make sure the attacker does not lose access if the system restarts.
They may:
- Create new user accounts with admin rights.
- Add startup entries in the registry or scheduled tasks.
- Install remote control tools disguised as legitimate software.
If the initial access came through a vulnerability, they might also install a web shell or another backdoor.
2. Privilege escalation
Attackers want “administrator” or “domain admin” level access. That level of control allows them to hit as many machines as possible and disable defenses.
Common techniques:
- Dumping password hashes from memory.
- Reusing saved credentials (for example from browsers or remote desktop clients).
- Exploiting known privilege escalation vulnerabilities on the system.
Once they have higher privileges, they can move more freely through the network.
3. Lateral movement inside the network
With administrative access, attackers start mapping out the environment:
- File servers
- Domain controllers
- Backup servers
- Important application servers
They use standard tools like:
- PowerShell
- Remote Desktop
- Windows Management Instrumentation (WMI)
Sometimes they use the same remote management tools that IT teams use, which makes detection harder.
Ransomware attacks are often the final stage of a longer intrusion where attackers quietly explore and prepare.
They may:
- Identify where key data lives (finance, HR, customer data).
- Locate and assess backup systems.
- Map who has which access rights.
4. Data theft (exfiltration)
For double extortion, they need to grab sensitive files before they encrypt anything.
Typical targets:
- Customer lists
- Financial records
- Legal documents
- Intellectual property
- Credentials and configuration files
They compress the data, encrypt it again for their own protection, and send it to remote servers that they control.
To reduce detection, they may:
- Send data in small chunks over encrypted channels.
- Use common cloud storage providers as “dead drops.”
5. Disabling backups and security tools
If they can delete or corrupt backups, your chances of easy recovery drop sharply.
Attackers love:
- Backup servers that share the same network with everything else.
- Backup credentials stored on normal servers.
- Snapshots that can be deleted using standard admin rights.
Common actions:
- Turning off antivirus and endpoint protection.
- Deleting or encrypting backup catalogs.
- Destroying snapshots on virtual machines.
If your backups are always online and accessible from normal accounts, attackers will treat them like just another folder to destroy.
6. Mass encryption and ransom note drop
Once everything is ready, the actual ransomware payload is launched.
Technically, the encryption process usually looks like this:
1. The ransomware generates a random key on the victim machine.
2. It uses that key with a fast symmetric algorithm (often AES) to encrypt files.
3. It then encrypts that key with the attacker's public key (RSA or similar).
4. It deletes originals and sometimes shadow copies.
5. It changes file extensions, or leaves them unchanged while the content is no longer readable.
Why this design? Because:
- Symmetric encryption is fast enough to handle many files quickly.
- Public key encryption ensures only the attacker can decrypt the symmetric key.
To the victim, it feels like:
- Files suddenly do not open.
- File extensions change.
- CPU and disk usage spike during the encryption phase.
- A text or HTML ransom note appears in every folder.
The ransom note usually explains:
- What happened (your files are encrypted).
- How to contact the attacker (email or chat portal on Tor).
- How much to pay, and where to send cryptocurrency.
- Warnings against using “third-party decryption” or contacting law enforcement.
Some groups offer to decrypt one or two files for free as “proof” that they can restore data.
Why paying the ransom is risky (and often a bad idea)
I know the thought process. Systems are down, people are panicking, and the attacker promises a key. The temptation to pay and move on is very real.
But there are some tough realities:
| Risk | What it means |
|---|---|
| No guarantee of decryption | Attackers are criminals. Some never send a working key. |
| Slow or partial recovery | Decryption tools may be buggy, and some files stay corrupted. |
| Future targeting | Once you pay, your organization may be tagged as “willing to pay.” |
| Legal and regulatory issues | Paying certain groups may violate sanctions or raise compliance problems. |
| Data already stolen | Even if you get your files back, leaked data stays out there. |
Paying the ransom buys a chance at recovery, not certainty, and it never rewinds the fact that your systems were compromised.
Some organizations still choose to pay, sometimes through a cyber insurance provider or specialist negotiator. But from a planning point of view, you should design your security posture on the assumption that you will not pay.
That means:
- Strong backups.
- Tested restoration procedures.
- Clear communication plans.
You want the decision to pay to be a last resort that you are not forced into because there is no other path.
How to prevent ransomware: layered defense that actually works
You cannot get risk to zero. But you can cut it to a level where random or semi-skilled attackers move on to easier targets.
Think in layers:
- Reduce ways in (attack surface).
- Reduce what an attacker can do if they get in.
- Improve your ability to detect and respond.
- Prepare to recover quickly if encryption still happens.
1. Strong backups that attackers cannot easily destroy
If you remember only one thing, make it this: good backups turn a ransom event into a painful outage rather than a total disaster.
You want:
- 3-2-1 rule: 3 copies of your data, on 2 different types of media, with 1 copy offsite and offline.
- Immutable or write-once backups: Snapshots or backup targets that cannot be altered for a set period.
- Separate credentials: Backup systems that do not share normal admin credentials.
- Regular restore tests: Not just “backup completed,” but “we restored and it worked.”
Table of common backup mistakes:
| Mistake | Why it is dangerous |
|---|---|
| Backups always online on the same network | Ransomware can encrypt or delete them like normal files. |
| No restore tests | You discover corrupt or incomplete backups during an incident. |
| Backup admin account reused elsewhere | Credential theft gives attackers direct access to backups. |
| Backups only daily or weekly | High data loss window if an incident happens just before backup time. |
Backups are your real negotiation lever. If you can restore fast, the ransom note loses much of its power.
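The “regular restore tests” point above is the one most often skipped, so here is an added example of what a restore test can look like in practice (my illustration, not code from the post or from any backup product). At backup time it records a SHA-256 for every file into a manifest; later it compares a restored copy against that manifest and reports what is missing, what is extra and what came back corrupted. The file names and the two restore scenarios are constructed for the demo.

```python
"""Restore verification with a hash manifest (added example, not the post's own code).

At backup time, record the SHA-256 of every file into a manifest. A restore test
then compares a restored copy against that manifest and reports missing, extra
and corrupted files, so "the job said success" turns into "we restored and it worked".
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root (forward slashes for portability)."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupted = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {
        "ok": not (missing or corrupted),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
        "checked": len(manifest),
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a faithful restore, then one with a truncated file and a lost file."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "live"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2025-12-01,100\n")
        (src / "notes.txt").write_text("restore test data\n")

        # Taken at backup time and stored separately from the backup itself.
        manifest = build_manifest(src)
        manifest_path = Path(d) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # A clean restore is a faithful copy of the source tree.
        good = Path(d) / "restore_good"
        shutil.copytree(src, good)
        good_result = verify_restore(good, json.loads(manifest_path.read_text()))

        # A bad restore: the ledger came back truncated, notes.txt is gone, a stray file appeared.
        bad = Path(d) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "finance" / "ledger.csv").write_text("date,amount\n")
        (bad / "notes.txt").unlink()
        (bad / "thumbs.db").write_text("")
        bad_result = verify_restore(bad, manifest)
        return good_result, bad_result


if __name__ == "__main__":
    good, bad = demo()
    print("good restore:", good)
    print("bad restore: ", bad)
```

Keep the manifest somewhere the backup job cannot overwrite (the same write-once target you use for the backup copy is a reasonable place); a manifest that lives next to the live data is exactly what an attacker with admin rights deletes first.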
2. Patch management and reducing attack surface
Fewer exposed systems, kept up to date, mean fewer ways in.
Practical steps:
- Maintain an inventory of internet-facing systems (VPN, firewalls, servers).
- Apply security updates on those systems as quickly as operationally possible.
- Disable or remove services that you do not actually need exposed.
- Use a VPN for remote access instead of exposing services like RDP directly.
For smaller environments, automatic updates on desktops and servers help a lot, even if they are not perfect. For larger environments, a central patch management tool is better, but also needs process behind it.
3. Strong authentication and access control
If attackers make it to a login prompt, you want that to be a hard wall, not a thin curtain.
Core elements:
- Multi-factor authentication (MFA): Especially for remote access, VPNs, email, and admin accounts.
- Unique, strong passwords: No reuse of personal or shared passwords.
- Least privilege: Users have only the access they actually require.
- Separate admin accounts: No day-to-day browsing or email with admin rights.
This does not require complex tools at first. Even basic hygiene can reduce the blast radius if one account gets compromised:
- Regularly reviewing who has admin rights.
- Disabling old or unused accounts.
4. Email security and user awareness
Since email is such a frequent channel, improving it pays off quickly.
Technical controls:
- Use email filtering to block known malicious attachments and links.
- Quarantine or rewrite links to go through click-time scanning.
- Block executable attachments from unknown senders.
- Disable macros by default and only allow signed macros from known publishers.
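To make the “block executable attachments” and “macro-enabled files from unknown senders” rules concrete, here is an added example of an attachment policy check written in Python with the standard library (my illustration, not code from the post or from any mail gateway). It parses a raw message, lists its attachments and quarantines the message if one of them is an executable, a macro-enabled Office file from a sender outside an allowlist, or a double extension such as report.pdf.exe. The sample message mirrors the “urgent invoice” pattern described earlier; its addresses, domains and file names are constructed, and the extension lists are a starting point rather than a complete policy.

```python
"""Attachment policy check for inbound mail (added example, not the post's own code).

Parses a raw RFC 822 message with the standard library, lists its attachments and
decides whether to quarantine: executables and double extensions are always blocked,
macro-enabled Office files are blocked unless the sender's domain is allowlisted.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Extension sets are an assumption for this demo, not an exhaustive policy.
MACRO_EXTS = {".xlsm", ".docm", ".pptm", ".xlam", ".dotm"}
EXEC_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".msi", ".com", ".lnk"}
# Document-looking extensions that get paired with an executable suffix in lures.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def _split_exts(filename: str) -> list[str]:
    """All dotted suffixes, lower-cased: 'report.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename: str, sender_known: bool) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'block'."""
    exts = _split_exts(filename)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXEC_EXTS:
        return "block", f"double extension {''.join(exts[-2:])}"
    if last in EXEC_EXTS:
        return "block", f"executable attachment {last}"
    if last in MACRO_EXTS:
        if sender_known:
            return "allow", f"macro-enabled {last} from allowlisted sender"
        return "block", f"macro-enabled {last} from unknown sender"
    return "allow", f"{last} not in blocked sets"


def evaluate_message(raw: str, known_domains: set[str]) -> dict:
    """Parse one raw message and apply the policy to every attachment."""
    msg = message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower() if "@" in sender else ""
    sender_known = domain in known_domains
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict, reason = classify_attachment(name, sender_known)
        findings.append({"filename": name, "verdict": verdict, "reason": reason})
    action = "quarantine" if any(f["verdict"] == "block" for f in findings) else "deliver"
    return {"from": sender, "sender_known": sender_known, "action": action, "attachments": findings}


def build_sample() -> str:
    """Constructed message resembling the 'urgent invoice' lure; addresses and files are made up."""
    msg = EmailMessage()
    msg["From"] = "accounts@example-invoices.test"
    msg["To"] = "finance@example.test"
    msg["Subject"] = "URGENT: overdue invoice"
    msg.set_content("Please see the attached invoice and enable content to view it.")
    # Bytes are placeholders; the check only looks at names, which is all a lure needs to get right.
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream",
                       filename="Invoice-December-2025.xlsm")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream",
                       filename="report.pdf.exe")
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    result = evaluate_message(build_sample(), known_domains={"example.test"})
    print(result["action"], "from", result["from"], "(known sender:", result["sender_known"], ")")
    for f in result["attachments"]:
        print(f"  {f['filename']:28} {f['verdict']:5} {f['reason']}")
```

Note that the check only reasons about names, which is cheap and catches the common lures; a real gateway also inspects content (an .xlsx with a VBA project, an archive holding an .exe) and applies click-time scanning to links.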
Human controls:
- Teach people to be suspicious of unsolicited attachments and urgent requests.
- Run periodic phishing simulations with feedback, not shaming.
- Make “report phishing” easy, with a clear button or simple process.
You do not need every employee to be a security expert, but you do need them to pause before clicking and feel safe reporting mistakes quickly.
If people fear punishment, they hide mis-clicks, and you lose valuable early warnings.
5. Endpoint protection and application control
Traditional antivirus still has value, but ransomware groups constantly change their code to slip past signature-based detection.
Modern endpoint protection tools look for:
- Suspicious behavior (mass file modifications, encryption patterns).
- Known attack techniques (credential dumping, lateral movement).
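“Mass file modifications, encryption patterns” is abstract until you see the signal, so here is an added example of that detection reduced to a few functions (my illustration, not the post's code or any vendor's logic). It takes a baseline snapshot of a folder, re-scans it, and alerts when many files were rewritten in one pass, the new contents look random (Shannon entropy close to 8 bits per byte) and the names gained a new suffix. A second scenario edits a single file normally to show the rule staying quiet. The thresholds, the way files are matched across renames and the two scenarios are all assumptions for the demo.

```python
"""Behavioral detector for mass encryption (added example, not the post's own code).

Snapshot a directory, re-scan later, and alert when many files changed in one pass,
the rewritten contents are near-random (high Shannon entropy) and suffixes changed.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Thresholds are assumptions for the demo; real tools tune them per environment.
HIGH_ENTROPY = 7.5            # bits per byte; office documents and source code sit far lower
MIN_CHANGED = 5               # at least this many files rewritten between two scans
MIN_HIGH_ENTROPY_RATIO = 0.8  # share of changed files that must look random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def base_key(path: Path, root: Path) -> str:
    """Identity that survives suffix changes: parent dir plus name up to the first dot.
    Assumption: files in one directory do not share that prefix."""
    rel = path.relative_to(root)
    return str(rel.parent / rel.name.split(".")[0])


def snapshot(root: Path) -> dict[str, dict]:
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            out[base_key(p, root)] = {"name": p.name, "size": len(data), "entropy": shannon_entropy(data)}
    return out


def detect_encryption_activity(baseline: dict, current: dict) -> dict:
    """Compare two snapshots and decide whether the change pattern looks like encryption."""
    changed = []
    for key, cur in current.items():
        old = baseline.get(key)
        if old is None:
            continue  # brand-new file (for example a dropped ransom note) is not a rewrite
        if (cur["name"], cur["size"], cur["entropy"]) != (old["name"], old["size"], old["entropy"]):
            changed.append({
                "file": key,
                "renamed": cur["name"] != old["name"],
                "entropy_before": round(old["entropy"], 2),
                "entropy_after": round(cur["entropy"], 2),
            })
    high = [c for c in changed if c["entropy_after"] >= HIGH_ENTROPY]
    alert = len(changed) >= MIN_CHANGED and len(high) / len(changed) >= MIN_HIGH_ENTROPY_RATIO
    return {
        "alert": alert,
        "changed": len(changed),
        "high_entropy": len(high),
        "renamed": sum(c["renamed"] for c in changed),
        "details": changed,
    }


def _make_corpus(root: Path) -> None:
    """Constructed plaintext files standing in for a user's documents."""
    for i in range(8):
        (root / f"report{i}.txt").write_text("quarterly figures, nothing unusual\n" * 40)


def demo_mass_encryption() -> dict:
    """Constructed scenario: every file rewritten with random bytes and given a new suffix."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        _make_corpus(root)
        before = snapshot(root)
        for p in list(root.glob("*.txt")):
            p.write_bytes(os.urandom(4096))          # what an encrypted file looks like on disk
            p.rename(p.with_name(p.name + ".locked"))
        (root / "README_RESTORE.txt").write_text("your files are encrypted")
        return detect_encryption_activity(before, snapshot(root))


def demo_normal_edit() -> dict:
    """Constructed scenario: one file edited by a user; must not trip the alert."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        _make_corpus(root)
        before = snapshot(root)
        (root / "report3.txt").write_text("quarterly figures, revised after review\n" * 40)
        return detect_encryption_activity(before, snapshot(root))


if __name__ == "__main__":
    print("mass encryption:", {k: v for k, v in demo_mass_encryption().items() if k != "details"})
    print("normal edit:    ", {k: v for k, v in demo_normal_edit().items() if k != "details"})
```

Real endpoint products watch these writes in real time through a file system filter rather than by periodic scans, and add the process identity doing the writing; the interesting part is the same combination of volume, randomness and renaming in a short window.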
Practical tactics:
- Use reputable endpoint security software with behavioral detection.
- Keep that software up to date and monitor alerts.
- Restrict which applications can run on critical systems (application allowlisting).
- Block obvious risky file types from running in user folders (for example, .exe from Downloads).
For higher risk environments, application control (only allowing pre-approved software) is very powerful, even if it needs more setup.
6. Network segmentation and limiting spread
If every machine can talk freely to every other machine, ransomware has an easy time moving laterally.
Network segmentation means:
- Putting critical servers on separate network segments.
- Restricting communication between segments based on actual needs.
- Using firewalls or access controls between important zones.
Simple versions of this:
- Separate guest Wi-Fi from internal systems.
- Isolate management interfaces (for switches, firewalls, hypervisors) from normal user networks.
- Keep backup infrastructure on a restricted network segment.
More advanced setups use:
- VLANs with tight firewall rules.
- Identity-based access controls where access is based on user and device identity, not just IP ranges.
The goal is not to create an impenetrable wall, but to slow attackers down and make their activity more obvious.
7. Monitoring, logging, and early detection
You cannot respond to what you never see.
At the basic level:
- Enable logging on servers, firewalls, and important applications.
- Centralize logs where possible so you can correlate events.
- Set alerts for suspicious behavior: many failed logins, new admin accounts, unusual remote connections.
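Those three alert ideas (many failed logins, new admin accounts, unusual remote connections) are easy to state and surprisingly easy to get wrong in practice, so here is an added example of the correlation logic over a handful of log lines (my illustration, not code from the post or from any SIEM). The log format is a constructed key=value layout, the hosts, users and addresses are made up, and the rules are: five or more failures from one source inside ten minutes, a successful login from a source that just produced such a burst, and a user being added to an administrative group.

```python
"""Minimal log correlation for ransomware precursors (added example, not the post's own code).

Reads key=value log lines (a constructed format for this example) and applies three rules:
a burst of failed logins from one source, a successful login from that same source right
after the burst, and a user being added to an administrative group.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions for the demo.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
ADMIN_GROUPS = {"administrators", "domain_admins", "enterprise_admins"}

# Constructed sample: a password-guessing burst against the VPN that eventually succeeds,
# a couple of harmless failures elsewhere, then a new member in the local Administrators group.
SAMPLE_LOG = """\
2025-12-01T08:00:01 host=vpn1 event=login_failed user=alice src=203.0.113.7
2025-12-01T08:00:09 host=vpn1 event=login_failed user=admin src=203.0.113.7
2025-12-01T08:00:15 host=vpn1 event=login_failed user=bob src=203.0.113.7
2025-12-01T08:00:22 host=vpn1 event=login_failed user=alice src=203.0.113.7
2025-12-01T08:00:30 host=vpn1 event=login_failed user=alice src=203.0.113.7
2025-12-01T08:00:41 host=vpn1 event=login_failed user=alice src=203.0.113.7
2025-12-01T08:01:05 host=vpn1 event=login_ok user=alice src=203.0.113.7
2025-12-01T08:30:00 host=vpn1 event=login_ok user=bob src=192.0.2.10
2025-12-01T09:00:00 host=mail1 event=login_failed user=carol src=198.51.100.4
2025-12-01T09:00:07 host=mail1 event=login_failed user=carol src=198.51.100.4
2025-12-01T09:15:00 host=dc1 event=group_add user=svc_tmp group=Administrators by=alice
"""


def parse_line(line: str) -> dict:
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def analyze(lines) -> list[dict]:
    """Run the three rules over the lines in order and return the alerts raised."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    burst_sources = set()          # sources that already tripped the burst rule
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        e = parse_line(raw)
        ts, ev = e["ts"], e.get("event")
        if ev == "login_failed":
            q = failures[e["src"]]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()              # drop failures that fell out of the window
            if len(q) == FAIL_THRESHOLD:  # fire once, when the threshold is first reached
                burst_sources.add(e["src"])
                alerts.append({"rule": "failed_login_burst", "src": e["src"], "host": e["host"],
                               "count": len(q), "at": ts})
        elif ev == "login_ok":
            if e["src"] in burst_sources:
                alerts.append({"rule": "success_after_burst", "src": e["src"], "user": e["user"],
                               "host": e["host"], "at": ts})
        elif ev == "group_add" and e.get("group", "").lower() in ADMIN_GROUPS:
            alerts.append({"rule": "admin_group_add", "user": e["user"], "group": e["group"],
                           "by": e.get("by"), "host": e["host"], "at": ts})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(a["at"].isoformat(), a["rule"], {k: v for k, v in a.items() if k not in ("at", "rule")})
```

The second rule is the one worth copying: a burst of failures on its own is background noise on any internet-facing VPN, but a success from the same source minutes later is the moment the “unlocked side door” from earlier in the post actually opens, and it deserves a page to a human.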
For many smaller organizations, a managed security monitoring service (MDR / SOC-as-a-service) makes sense. You get:
- Experts watching your environment.
- Faster detection of known attacker patterns.
I used to think these services were “nice to have.” After watching a few cases where early detection stopped an attacker before encryption, it is hard to ignore their value, especially if you lack a large internal security team.
What to do if ransomware hits you
Prevention is the goal, but you should assume that at some point something will slip through. Having a clear response plan reduces panic and mistakes.
1. Contain the incident quickly
Speed matters.
Immediate actions:
- Disconnect affected systems from the network (unplug network cable, disable Wi-Fi).
- Turn off shared drives or storage if you suspect they are being encrypted.
- Avoid powering off everything blindly; some forensics may require a running system, but stopping spread comes first.
If you have central management for your endpoints, use it to:
- Isolate machines remotely.
- Push emergency rules to block suspicious processes.
The goal in the first minutes is not to understand every detail, but to stop the bleeding.
2. Notify the right people
You need a predefined contact tree.
Typically:
- Internal IT or security lead.
- Executive sponsor or crisis coordinator.
- Legal counsel.
- Cyber insurance provider, if you have one.
Depending on your jurisdiction and the nature of the data involved, you may also have obligations to notify regulators or customers, especially if personal data has been exfiltrated.
3. Assess the scope and identify the ransomware
While containment continues, start a structured assessment:
- Which systems are encrypted?
- Which systems are still clean?
- Are backups affected?
- Is there evidence of data exfiltration?
The ransom note usually includes a reference or branding that points to a known ransomware family. Security researchers often maintain lists of:
- Known behaviors.
- Existing decryption tools (when law enforcement has seized keys or found weaknesses).
Websites hosted by trusted security organizations occasionally provide tools to check if a free decryptor exists for a given strain. Be careful with random sites promising decryption; many are scams.
4. Preserve evidence where possible
It can feel tempting to wipe everything and start over immediately. But evidence helps:
- Understand how attackers got in.
- Close that path before you rebuild.
- Support any law enforcement or regulatory processes.
Basic actions:
- Keep copies of logs and ransom notes.
- Take disk images or snapshots of key systems if practical.
- Document timeline and actions taken.
For severe incidents, bring in a digital forensics team. Some cyber insurance policies cover this.
5. Decide on recovery strategy (with or without paying)
This is where planning and previous decisions come into play.
You need to weigh:
- Quality and availability of backups.
- Time to rebuild vs. business impact of downtime.
- Legal and ethical considerations around paying.
- Whether attackers have stolen sensitive data and are threatening to leak it.
There is no simple formula that fits every case. I would push hard to rely on backups where at all possible. Paying still leaves you with a compromised environment if you do not rebuild carefully.
Typical recovery path without paying:
- Wipe and rebuild affected systems from clean images.
- Restore data from known-good backups.
- Rotate passwords and keys, especially for admin and service accounts.
- Harden configurations to close the discovered entry paths.
Recovery with paying (if chosen) still needs:
- Careful testing of decryption tools on copies of encrypted data.
- Full environment review, assuming backdoors or other malware may remain.
- Improved controls, since the attackers already know your environment.
Practical checklist: what to start doing this week
Sometimes the whole topic feels overwhelming. If you want a straightforward starting plan, break it down into steps.
Foundational steps (short term, high impact)
- Enable multi-factor authentication on:
  - Email accounts.
  - VPN and remote access.
  - Admin accounts.
- Review and improve backups:
  - Confirm that backups are running.
  - Test restoring at least one critical system and data set.
  - Create an offline or immutable backup copy if you do not have one.
- Patch internet-facing systems:
  - Check VPN, firewalls, and remote access gateways for updates.
  - Apply pending security updates.
  - Disable any exposed services that you do not need.
- Harden email:
  - Block macro-enabled Office attachments from unknown senders.
  - Limit executable attachments.
  - Turn on advanced phishing protection features if your email provider offers them.
Intermediate steps (next few months)
- Roll out an endpoint security solution with behavioral detection.
- Segment your network, starting with:
  - Isolating backups.
  - Separating guest Wi-Fi and internal networks.
- Formalize access control:
  - Reduce admin rights to only those who truly need them.
  - Separate admin and user accounts.
  - Review old accounts and disable unused ones.
- Create a written incident response playbook:
  - Who to contact.
  - Immediate technical steps.
  - Templates for internal and external communication.
Longer term maturity steps
- Engage a managed detection and response service if you lack in-house expertise.
- Run regular phishing awareness and security training with simulated campaigns.
- Conduct periodic security assessments or penetration tests.
- Integrate security checks into procurement and vendor management so third-party tools and MSPs are reviewed.
Ransomware prevention is not one big project you finish once. It is a set of habits, tools, and reviews that you keep refining.
You do not need perfection to make a real difference. You just need enough layers that an attacker moves from “easy win” to “too much effort” and looks elsewhere.
