What is Ransomware? How it Works + What to Do

Ransomware is a major global threat

Gaining access to ransomware and attacking a business is a lot easier than most people realize. In fact, it can be as simple as buying prepackaged software online and following the instructions.

Now more than ever your company must be ready for ransomware. That means knowing what threats to watch out for, having appropriate defenses in place, and writing a plan of action for the event that an attack gets through.

So how do you protect your company against ransomware?

What is ransomware?

Ransomware is a type of malware (computer virus) designed to lock access to files, devices and even entire networks. If the victim wants to regain their access, they must pay a ransom – hence the name. 

Usually the ransom must be paid within a strict time limit, or else the attacker may never give back the victim’s data – they might even go on to sell it on the black market, or release it publicly. In fact, on average, companies can only restore 65% of their lost data per attack (Sophos).

Learn more: 6 examples of major ransomware attacks + how they happened

What is the average ransomware payout? 

Figures differ depending on the source. However, a report by Coveware found the median ransomware payment for Q1 2022 had dropped to US$36,360 (€20,883). Some reports indicate the average is much higher, though most use a mean average rather than a median – so outliers pull the figure up.

Coveware’s relatively small median represents a change in trend: where once attackers used to attack big brands for seven-figure payouts, they have been shifting to lower-profile, mid-market victims in order to escape media headlines and, thus, scrutiny by law enforcement. 

That said, the total cost of a data breach can be much higher

While ransoms may not be what they once were, the total cost of a data breach – when taking into account people or outsourced firms, technology fixes, reputational harm and even fines – is much higher.

In 2022, the average cost of a data breach was $9.44 million (€9.5 million) (IBM).

What are the different types of ransomware?

The three most popular are:

  1. Crypto ransomware (aka encryptors): This is the classic ransomware, and the most common. It encrypts data so that users can no longer gain access, although they may still be able to see their files and use the system.
  2. Lock screen ransomware (aka lockers): As suggested by the name, lock screen ransomware locks people out of a device entirely. A ‘lock screen’ appears instead, displaying the ransom demand and any further details (i.e. deadline).
  3. Ransomware-as-a-service (aka RaaS): RaaS is a SaaS-like business model, but for malware. ‘Affiliates’ can purchase the use of someone else’s ransomware and receive training, assistance deploying the malware, and assistance gathering payment from victims. RaaS groups used to provide additional services – e.g. managing negotiations, assisting with stolen data storage and more – but are increasingly offering fewer in order to shrink their operation and better hide from law enforcement.

Three other ransomware types are also relatively common:

  1. Double extortion ransomware: This is where ransomware is used to extort victims twice. The first extortion is the lock screen or encryption – “pay up, or you won’t get your data back”. The second extortion is where ransomers threaten to publish or sell stolen data if their demands are not met. By using double extortion, the attackers are able to apply more pressure on victims to pay quickly.
  2. Leakware: Leakware is a bit like fake ransomware. Here, attackers send a message to victims or display a pop-up on their screen that threatens them and demands a payment. The attacker may claim to have stolen personal data or explicit images of the victim, or in one variation of leakware, claim to be a law enforcement agency which has detected illegal activity on the device – “pay or face jail time”. The difference between leakware and real ransomware is that leakware may in fact be a bluff.
  3. Scareware: This is another type of malware with similarities to ransomware, which sometimes acts in the same capacity. Here, the objective is to scare users into making a prompt payment or downloading a malicious file. Scareware might lock a computer and claim to have detected a virus, which can only be removed if the victim downloads a particular file (which may be real ransomware). Or, it could flood their screen with pop-ups until the victim pays up to stop it.

How does ransomware work?

Ransomware as a piece of malware can be quite simple – all it needs to do is encrypt data or replace access to a device with a lock screen. Additionally, it may enable communication between attacker and victim. 

However, ransomware is more than just malware. It requires an entire, multi-stage attack strategy in order to succeed – meaning there are a lot of steps involved leading up to the deployment itself. Some of these steps will leave a trace in the victim’s system, meaning cyber security professionals defending against ransomware can often block an attack long before it occurs (more on that below).

Step 1: Reconnaissance

Choice of target is an important part of a ransomware attack. Cyber criminals must find not only a company that they believe will be willing and able to pay up, but also one that has enough weak points in its security that the attack will actually succeed.

As mentioned above, cyber attackers are starting to shift away from previous big-ticket attack targets. In the past, cyber crime almost exclusively struck significant brands and ransom payments could be in the millions. But, these days anyone can be a target – it’s often safer for cyber criminals to hit smaller, mid-market enterprises with lower ransom demands, as they stand a better chance of evading the attention of law enforcement.

Wide-net phishing attacks

We’re seeing a lot more targeting in modern cyber crime, but ‘wide-net’ attacks are still fairly common. This is where attackers let victims essentially choose themselves. They send out phishing scams to as many people as possible, in the hopes that just a few who are easy to dupe will respond and grant them access to a system, or download their malware.

Attacks from within

Because of the accessibility of ransomware thanks to RaaS, a ransomware attack may also originate from within a company – just about anybody can pick up a ransomware package and utilize it, it’s that easy. 

Current or ex-employees have been known as potential attack vectors. Sometimes these individuals grow disgruntled with their employer and attack it out of retribution, other times they may have been radicalized by others and used as a weapon.

This is known as a ‘malicious insider’, ‘turncoat’ or ‘insider threat’ attack.

Learn more: Malicious insiders + 6 more top cyber attack vectors

Step 2: Gain access

At this point, our attacker knows who they want to target. This might be a company as a whole, or one or two specific employees at that company (yes – reconnaissance can get that detailed).

The next step is all about getting the right malware into the network undetected.

‘Hacking’ is often viewed as a feat of brute force, where someone sits behind a computer, types a lot, and ‘breaks into’ a system. But while brute force is a possible technique, it’s far more common that attackers will use subtlety, trickery and time to sneak in.

So how are attackers getting in?

Loading ransomware into a system may require a few steps, depending on the chosen attack vector.

For example, the first step is often to steal login credentials. Then the attacker can install a backdoor allowing them to come and go as they please. Once inside they can adjust firewall and other security settings, or turn them off entirely. From here they will load their malware.

Alternatively, an attacker may trick victims into downloading a ‘dropper’, which is a piece of code that disguises itself as something else (software, an app or a document). Once downloaded onto the system, it is free to install other malware behind the firewall. This type of trick file is also known as a ‘trojan’

Common infection and distribution methods include:

  • Social engineering: The act of tricking someone into performing an action. Social engineering includes simple phishing scams, elaborate fake social media profiles, trust building, even phone calls.
  • Credential harvesting: The act of stealing someone’s login credentials. Trickery is a big part of credential harvesting, where attackers pretend to be someone or something else so the victim hands over their password willingly. For example, creating a realistic (but fake) duplicate of a popular website and luring someone into logging into their account on the fake – thus delivering their email and password into the hands of the attacker. Passwords can also be brute forced, especially if they’re weak.
  • Third-party compromise: Attackers can often slip into someone’s network by first compromising one of their vendors. If a cyber criminal can get into a SaaS vendor’s system and inject their own code into the latest patch, whenever that vendor’s customers download the new update they will also download the malware. This happened to SolarWinds.
  • Software exploitation: There are many more complex ways an attacker can exploit software. A popular example is a ‘code injection’, where an attacker tricks an app or website into running a malicious script by sending it little more than an adjusted piece of text, or a modified URL. This modification makes the software – using its administrative privileges – download malware, or perform other actions (like shutting down a computer’s firewall).

Ransomware can come from any of the above, in any combination. However, each of the attack techniques we’ve described are preventable. Even very basic best practice cyber security and training can make a huge difference – keep reading this article to learn more about how to prevent ransomware attacks.

Step 3: Encryption or screen locking

At this point our attacker has found their victim and broken into the system one way or another. Now they are free to utilize their ransomware to prevent access to their chosen file or system.

How does a ransomware attacker choose what to encrypt/lock?

If they’ve had reasonably free access to the company network, they may have been able to view sensitive files and databases, allowing them to spot a target in advance. In this case, they will hone in on what they know to be business-critical and encrypt it.

Or, they may go more broad and encrypt large portions of the network so they catch both critical and non-critical files. Usually it’s obvious which data is valuable, as most companies have similar file structures. Of course, lock screen attackers will just shut the whole thing down.

Ransomware can also act on its own

Ransomware can be designed to seek out certain file types (i.e. spreadsheets, PDFs or databases), encrypting all of them. Then, if programmed to do so, it’ll spread into other areas of the network and keep looking for more files to encrypt.

Depending on how the network is set up, it may spill into other devices, or perhaps piggy-back into another company’s system (if they’re integrated sufficiently). Ransomware is also often programmed to look for backups, encrypting or deleting them so the victim cannot restore their system and circumvent the ransom demand.

Without the encryption key – held by the attacker – it is next to impossible to decrypt the locked data.

Step 4: The ransom demand

Finally comes the ransom part of ransomware.

The ransom note itself will usually come in the form of a lock screen, or a text file added to the system. This note is where the attacker demands their money, offers basic instructions on how to pay, and sets a time limit. If using double extortion, they will also add their second threat.

Cryptocurrency is the most common form of ransom payment type thanks to its perceived anonymity. The payment window is usually very short (even as little as 24 hours), to put maximum pressure on the victim and prevent their ability to negotiate.

When the payment is made, theoretically the attacker will hand back access. But, as noted earlier, not always.

It sounds crazy, but there are even victim hotlines

Some RaaS comes with more than just malware – it also comes with a victim hotline. In these cases, a phone number or other contact information is displayed alongside the ransom note encouraging victims to call. Then, a member of the criminal group will walk them through how to purchase cryptocurrency and send it to the attacker.

Negotiating with ransomers

Depending on the situation, victims may be able to negotiate for a reduced ransom. Many companies have in the past successfully bargained with cyber criminals – either by themselves or with the help of professional hostage negotiators – to reduce their ransoms. For example, JBS Foods managed to get their 2021 ransom down from US$22.5 million to $11 million.

Download now: Should you pay a ransomware ransom? Preparing for a ransomware attack

Bonus step: Data exfiltration

We’ve mentioned a couple of times how many ransomware attackers don’t just lock data, but steal it and sell it – that extra layer of threat requires an additional step, called data exfiltration.

Unfortunately, this is growing increasingly popular. As awareness of ransomware grows among the global business world and cyber security experts get better at dealing with it, ransomers need a new way to put pressure on their victims and double extortion is the way to do that.

Double extortion also prevents a company from restoring from backups as a means to get around paying the ransom – they might regain access by themselves, but their data has still been stolen.

Are ransomware attacks common?

Oh yes, exceedingly so. More than people tend to realize.

Two thirds of organizations (measured across 31 countries by Sophos) were hit by a ransomware attack or an attempted attack in the 12 months leading to February 2022. A huge figure! However, not all of those attacks were successful – 65% had their data encrypted, leaving 35% whose data remained safe. But, that 65% is an increase from 54% the year prior (Sophos). 

Remote working as a result of the COVID-19 pandemic has exposed a great number of companies to new cyber security vulnerabilities, leading to a marked increase in the scale of attacks worldwide. The sudden uptick in the use of SaaS has had a profound impact in particular – notably, Verizon found that 62% of network intrusions came through an organization’s partners.

Download now: Is your business secure? A cyber maturity checklist

Ransomware frequency is down, targeting is up

If you think a lot of companies are being struck now, it used to be worse. The total number of cyber attacks has actually come down in recent years, as cyber attackers get more targeted and significantly more sophisticated in their techniques.

From 2015 to 2018, the number of worldwide malware (not just ransomware) attacks per year rose from 8.2 billion to 10.5 billion at its peak, coming down to 2.8 billion in the first half of 2022 (Statista). 

What causes ransomware attacks?

Leading causes of ransomware attack: Technological

Social engineering

Social engineering, specifically email phishing, was observed by Coveware to account for not only about a third of all ransomware infections at time of writing, but to have proportionally risen since 2018. In addition, Verizon analysis found the ‘human factor’ (such as human error or falling victim to scams) was involved in 82% of breaches in 2021.

As mentioned, trickery is at the heart of social engineering. It is about pretending to be someone or something legitimate so that you can lure a victim into handing over login credentials, downloading malware, or giving you remote access to their device.

Examples of social engineering tactics include:

  • Building fake websites to scam login credentials.
  • Creating an email account pretending to be someone trustworthy (e.g. a company IT technician), asking the victim to download a file or grant remote access.
  • Compromising real people’s accounts and sending emails, DMs or SMS messages via their name.
  • Building fake social media profiles and networking over a long period of time in order to appear legitimate.

RDP compromise

RDP is Windows’ Remote Desktop Protocol – a piece of software that enables remote workers to access and manage their work computer via their home computer. Thanks to the rise in remote working, RDP use saw a spike of activity in 2020 – leading to a similar spike in RDP attacks.

Brute force attacks (cracking someone’s login credentials through repeated trial and error) in particular saw a surge starting in around March 2020 and skyrocketing in a matter of days. Kaspersky found that, to use Spain as an example, the number of brute force RDP attacks rose from less than 200,000 to over 1.2 million (Kaspersky).

Compromising external remote services like RDP remains a popular access method for ransomware. Indeed, Kroll noted its use in about 67% of cases in Q2 2022 – rising 700% since Q4 2021.

CVEs and zero-day exploits

CVE, or Common Vulnerabilities and Exposures, refers to a list of publicly known security vulnerabilities in the world’s software. It’s a list that’s curated by MITRE, which also operates the popular threat intelligence database MITRE ATT&CK. 

A zero-day exploit or zero-day attack is where cyber criminals attack a software vulnerability that they have discovered before the developers, or before the developers have had a chance to fix it. Hence the name ‘zero-day’, referring to the number of days the developer has left to patch the issue before it becomes a problem.

CVE and zero-day exploitation was noted in about 19% of ransomware attacks, found Knoll. This further highlights the risks of third-party vendor relationships from a security standpoint, and the need for security teams to be involved in those partnership negotiations.

Learn more: 10 known cyber espionage groups & their preferred attack techniques

Leading causes of ransomware attack: Victim profile

Essentially all organizations from across sectors have some degree of cyber security risk relating to ransomware. But, the world’s attacks show us that some targets are more popular than others.

Does your company fit into this victim profile (data from Trellix)?

Most commonly targeted countries

  • US (34%)
  • Turkey (12%)
  • Germany (11%)
  • Israel (8%)
  • Switzerland (7%)

Most commonly targeted sectors:

  • Finance and banking (22%)
  • Utilities (20%)
  • Retail (16%)
  • Education (9%)
  • Government (8%)

Ransomware vs. companies which can’t afford downtime

Some companies say they can’t afford downtime, but they can. If only for a while. But, some organizations genuinely can’t – it puts people’s lives at risk. Healthcare is perhaps the biggest example here, and unfortunately ransomware attacks on the healthcare sector are also on the rise.

Sophos surveyed over 300 healthcare organizations and found that the number who had been hit by ransomware in the year leading to 2022 effectively doubled from the year prior (34% to 66%). Of those attack attempts, 61% resulted in data encryption.

Can ransomware be removed?

No, not really. Ransomware is best prevented, not removed. It’s a lot easier to mitigate the risk than it is to decrypt files, as encryption technology is by design almost impossible to crack.

So what steps can a business follow if it’s hit by ransomware?

We’ll cover this more extensively below so if you need this information now, keep scrolling.

In short, you’re going to need to have an incident response team ready to go, who will review what’s happened and respond accordingly. Because each attack is so different, it’s hard to predict how best to act (although, again, we’ve offered some generalized tips below).

Some of the steps they may follow include:

  1. Isolating infected files, devices or networks.
  2. Scanning the network to look for more malware, as well as the initial breach point.
  3. Removing the ransomware to leave only the encrypted data.
  4. Restoring from backups where available.
  5. Negotiating with ransomers where necessary.

There do exist some ransomware decryptor tools. These purport to be able to decrypt files, but they tend to be specific to independent ransomware strains – if you are infected by the right malware, you may be able to try them out. If not, they might not work at all.

We recommend consulting a security expert before giving these decryptors a go. If your data has been locked by ransomware, trying to break the encryption could escalate rather than de-escalate the situation.

How to protect against ransomware

1. Backup your system

Ensure that your entire system – or your critical data, if you can’t afford to backup the entire thing – is backed up to a separate, secure location on a regular basis. This backup should not be connected to the main network in any way that stray ransomware could find and get into.

Test your backups to ensure that they are actually restorable.

2. Operate on a ZeroTrust basis

ZeroTrust sounds harsh, but it’s important. It’s a security principle that says ‘trust no one’. With a ZeroTrust model, access to the network is never assumed – it’s always granted on a limited basis, to ensure that employees have the access they need and never the access they don’t.

With ZeroTrust, if any one of your employees is compromised, their login credentials either have no access at all, or have only limited access to do damage.

Learn more:

3. Keep everything up to date

PC versions, mobile device OS, app versions – all software and hardware used for business purposes should be kept up to date with the latest version. While zero-day attackers may still be able to exploit the software, it will ensure that any vulnerabilities on MITRE’s CVE list have been patched over, and you aren’t left exposed to any security flaws present in older technology that has, quite simply, gotten out of date.

4. Raise awareness

From the highest-level board member right down to entry-level interns, everyone at your company (whether in-office or remote) should receive a base level of cyber security awareness training, and then regular updates from there on.

Base level training will give your people the skills they need to spot common attack techniques, and the confidence to speak up if they see anything suspicious. Then, regular reviews (monthly, or at least quarterly) will give you a place to update everyone on the evolving cyber warfare landscape and how it may impact your business.

Learn more: Top 10 tips for educating employees on cyber security (Kaspersky)

5. Follow best practice vendor risk management

Third-party risk, vendor risk and supply chain risk are all terms for the same thing – managing the cyber security risk of your partnerships.

Adopting a staunch third-party security policy does not need to negatively impact your relationship with a vendor or your employees’ productivity using their software. It’s just a way to assess risk, plan for it, and reduce the likelihood that your business can be compromised through its integrations.

Some quick tips:

  • Don’t just generate threat intelligence about your own sector, but your vendors’ sectors as well. You need to know what might come for them, and therefore you.
  • Talk to your vendors about their security practices to see if they are protecting themselves to your standards.
  • Review your existing vendor agreements with a cyber security expert.
  • Don’t sign any new agreements until a cyber security expert has helped you review the contract.
  • Keep a diverse set of suppliers, so you don’t get locked into one vendor.
  • When downloading a new software patch, test it in an isolated environment first for security weaknesses, before rolling out to the entire business.

Learn more: Managing third-party risks

6. Keep your antivirus up to date

Antivirus software isn’t just for personal devices, it’s also an important line of defense for all work devices too.

Go through all of your company devices and ensure that each has proper, up-to-date antivirus. Additionally, you’ll want to write a policy (or update an existing security policy) that specifies who owns the process of checking and updating antivirus at your business, so this process is repeated regularly.

7. Follow best practice remote security

Your remote workers could be some of your most vulnerable. Many aspects of remote work can create weak points in a company’s security perimeter, which cyber attackers have been increasingly seeking to exploit since the COVID-19 pandemic. Such weak points include unsecured personal devices used for work purposes, use of RDP or other exploitable software, a lack of cyber awareness relating to remote security, non-private Wi-Fi security, and more.

So how do you keep your remote workers safe from ransomware attacks? You’ll need:

  • A remote work security policy that outlines who is allowed to work remotely, and what steps they must take to ensure they’re secure.
  • A bring-your-own-device (BYOD) policy and accompanying mobile device management (MDM) solution to allow employees the use of their own devices in a safe manner.
  • Best practice identity & access management as well as ZeroTrust.
  • A well-configured cloud storage system.
  • An alternative to RDP – such as a secure VPN.

Learn more: Everything you need to know about remote work security

8. Create a whitelist

As you try to protect your employees from unsafe apps or website domains, you may be tempted into creating a blacklist – that is, a list of blocked apps/domains which you know to be risky. However, a blacklist isn’t sufficient for the modern world. There are too many apps and domains you’d need to block.

Instead, look to create a whitelist. This is a list of allowed apps/domains – everything else gets blocked. Create this whitelist in conjunction with your people to ensure it has on it everything they need to be able to do their work effectively, as well as a degree of non-work activity (many employees desire access to social media at work, for example).

You’ll also need to create a communications policy that allows people to request new apps or domains be added to the whitelist, and this whitelist should be reviewed regularly for effectiveness.

9. Restrict certain functions

While you can’t create a blacklist of apps or domains, you can create a blacklist of restricted file types and functions. The functions we’ve listed below have all been exploited by ransomware attackers in the past, so restricting them could help prevent certain attack vectors entirely.

Steps to take include:

  • Disable Macros.
  • Disable PowerShell.
  • Restrict the ability of apps to access Command Prompt.
  • Restrict the downloading of .exe, .pif files, and other similar file types.

10. Make sure every process has an owner

Every process we’ve mentioned in this list needs an owner. This person (or rather, this role, as the person may change regularly as people come and go from the business) will be the owner of the process, and is accountable for overseeing that it takes place. Ownership of the process(es) must be written into their job description to ensure it doesn’t get sidelined.

Owners should review their policies at least annually to ensure they remain fit for purpose as the business, and technology landscape, evolves. This will also allow them to perform updates or optimizations as necessary, and gives other employees a clear point of contact to talk to if there’s a problem.

11. Write an incident response policy

Like everything in security (and business generally!) it’s good to have a policy in place to standardize your approach. This will allow you to train the people you’ll need for dealing with a ransomware breach, practice the steps, and optimize.

The six components of a good ransomware incident response policy are:

  • The strategic mission of the plan.
  • Strategies and goals to be used during the response.
  • Standard organizational incident response approach, laid out step by step.
  • Internal and external communication methods.
  • Roadmap for maturing incident response capabilities over time.
  • List of accountable people.

12. Assemble an incident response team

Your incident response team are The Avengers of your cyber security response. When trouble comes calling, they’ll get together and tackle the issue head-on.

A good incident response team should bring together not just IT expertise, but a broad range of disciplines to ensure the team has access to the skills it needs for each step of the plan.

Your team should include experts from:

  • Cyber security
  • IT
  • DevOps where applicable
  • Legal
  • PR
  • Financial where applicable
  • Leadership

This can help you cut some of your costs. In fact, IBM found in 2022 that such a team (with a tested plan) can reduce the cost of a breach by an average of $2.66 million (€2.4 million).

What to do if you are hit by a ransomware attack

1. Contain the breach

Set your incident response team to the task of containing the breach. They must figure out which systems have been compromised (it may be more than you think!), how the attacker got in, and whether or not anything was stolen.

2. Investigate the incident further

With the ransomware contained, your IR team can start to slow down and think more carefully about the attack vector and its fallout.

If you’re still not sure how they got in or to what extent they have infiltrated the system, this must be identified now. Can you determine what their objective was? That might help.

You’ll also need to figure out the root cause of the breach. Not just the specific place they broke in, but all of the steps that led up to that point. As we’ve seen in this article, chances are it was either human error or a software exploit.

3. Document everything

Everything must be documented. Because your company has been breached, a lot of other parties are going to want to see what has happened, and what you’re doing about it. That includes key business stakeholders, shareholders, customers, some business partners and regulators.

4. Notify the relevant people

The extent of the breach will determine who you need to notify. The legal and cyber security experts on your team will help the group advise which parties must be notified.

At minimum you are going to need to tell business leaders and local regulators. Regulators in particular are going to want to see all of the documentation you’ve collected, and they will likely scrutinize your cyber security top to bottom.

Customers and other stakeholders may need to be informed if their data has been compromised.

5. Determine how to proceed

The next steps are hard to estimate as it’ll depend on the extent of the ransomware attack. If you can’t restore from backup or your company is being double-extorted, you’re probably going to need to negotiate with the attackers and, potentially, pay up.

You will also need to feed any learnings from this process back into your business to ensure it can learn from the issue and close the gaps, while improving its defenses against future attacks.

Learn more: How to respond to a cyber breach

Negotiating with ransomware attackers

Cyber security is not 100% effective, and anyone who says that their solution is fool-proof is probably lying. The reality is that you can only ever mitigate, never entirely prevent, cyber attacks. Technology and techniques always advance, making it easy to slip behind in the cold war of cyber warfare. Plus, human error can mean even the best defense fails.

This means that at some point, you may suffer a ransomware attack and that will put you in a position where you must make a hugely difficult decision: To pay or not to pay.

Quick ransomware payment FAQ

Should you pay the ransom?

It’s likely that, unless you live in a country where paying such a ransom is illegal, you will need to pay up. But, that doesn’t mean you must pay the entire thing.

With the help of a professional police negotiator or private hostage negotiator, you may be able to bring the costs down. This could make your company a more frustrating target, which itself is a type of defense against future attack.

Here’s the link again to our downloadable guide on whether or not to pay a ransomware ransom. It goes into more detail on this topic, and offers more tips for protecting against ransomware.

Should you report a ransomware attack to the police?


They may not have the resources to track down your attacker and bring them to justice, but they may be able to lend you a veteran negotiator to help you reduce the price of the ransom and make yourself a harder target. 

Additionally, you’ll be adding to their data which will help the police make strategic decisions moving forwards about how best to tackle the ransomware problem in your particular country. Police usually need data in order to change strategy.

What happens if you don’t pay?

Unless you can decrypt your own data, which is unlikely, or restore from backups, you will probably lose your data forever.

Depending on the ransomware and the threats made, your attack may go on to sell your data on the black market or release it publicly in order to damage your reputation.

Will you get your data back if you do pay?

In most cases, yes. But, perhaps not all of it as we’ve mentioned earlier in this article. Most companies receive data back after paying, but it may not be wholly intact.

Additionally, even if you do get your data back, you may face punitive measures from your regulatory body. Regulators understand that breaches do occur, but tend to come down heavily on companies which could have done more to prevent the breach from occurring. Heavy fines and even jail time could apply.


Ransomware is a major threat affecting nearly all businesses around the world. Attacks are growing increasingly targeted and sophisticated, and even smaller companies aren’t necessarily safe – as attacking smaller targets draws less attention from law enforcement agencies.

In order to protect yourself against ransomware, your business must:

  • Identify the threats it faces.
  • Take every step it can to mitigate those threats.
  • Ensure its people are appropriately trained in cyber security.
  • Write policies to control and regularly update all aspects of cyber security.
  • Assemble an incident response team, and ensure they’re trained for a real-life breach.

Not sure you can go it alone? We’re here to help

If you’re worried about any of the above, or lack the in-house experience to implement best practice ransomware protection measures, we can help. Contact us today for a free maturity consultation and we’ll talk to you about your unique needs.

Share :