Ransomware: Don't Let Anyone Hold Your Files Hostage
Ransomware can lock every file you own in seconds. This guide shows you how to make sure it never happens — and what to do if it does.
What is ransomware?
Ransomware is malicious software that encrypts your files or locks your systems and demands payment, usually in cryptocurrency, for the key to restore access. Modern ransomware operations are run by organized criminal enterprises with dedicated development teams, customer support, and negotiation specialists.
Crypto Ransomware
The most common variant. It encrypts your files using strong cryptographic algorithms (typically AES-256 combined with RSA-2048) and demands payment for the decryption key. Without the key, recovering the files is computationally infeasible. Modern crypto ransomware also targets backup files and shadow copies to eliminate recovery options.
Locker Ransomware
Locks you out of your operating system entirely. You cannot access your desktop, applications, or files. A full-screen ransom message prevents any interaction. The underlying data is usually not encrypted, which means a skilled technician can often recover files by removing the hard drive and connecting it to another computer.
Double Extortion
Attackers steal your data before encrypting it, then threaten to publish the stolen information on leak sites if you refuse to pay. Even if you restore from backups, you face the risk of client data, trade secrets, or financial records being posted publicly. Over 70% of ransomware attacks now include data exfiltration.
Ransomware-as-a-Service (RaaS)
Criminal organizations build and maintain ransomware platforms, then lease them to affiliates who carry out the attacks. The RaaS operators handle the encryption technology, payment infrastructure, and decryption key management while affiliates focus on gaining access to victim networks. This model has dramatically lowered the barrier to entry for attackers.
How ransomware spreads
Understanding the most common entry points helps you prioritize your defenses where they matter most.
Phishing Emails
The most common delivery method. Attackers send emails with malicious attachments or links to compromised websites that download the ransomware payload. A single employee clicking one link can compromise your entire network.
Exposed Remote Desktop (RDP)
Attackers scan the internet for exposed RDP ports and brute-force weak credentials or use stolen passwords. Once inside, they have direct access to the system and can deploy ransomware across the network.
Unpatched Vulnerabilities
Unpatched software gives attackers known exploits for gaining initial access. Critical vulnerabilities in VPN appliances, web servers, and remote access tools are routinely exploited within days of disclosure.
Supply Chain Compromise
Attackers compromise legitimate software vendors or managed service providers to distribute ransomware through trusted update channels. Because the malware arrives through a trusted source, it bypasses many security controls.
A four-person healthcare clinic opens an email attachment that looks like an insurance claim. By lunchtime, every computer in the office displays a ransom note demanding $85,000 in Bitcoin. Their backups? Stored on a shared drive on the same network — encrypted too. They pay the ransom, but the decryption tool only recovers 60% of their files. They lose three weeks of productivity, spend $40,000 on recovery, and face a HIPAA investigation.
The clinic had backups. They just weren't offline. One air-gapped backup would have made this a bad afternoon instead of a business crisis.
Ransomware prevention strategies
No single control stops ransomware. Effective defense requires multiple layers working together so that if one layer fails, the next catches the threat.
Email Security
Deploy advanced email filtering with sandboxing. Block macro-enabled Office documents from external senders. Implement DMARC, SPF, and DKIM email authentication. Train employees monthly on recognizing phishing attempts.
Network Security
Disable RDP on internet-facing systems. Segment your network. Deploy next-generation firewalls. Monitor DNS queries. Implement zero-trust architecture.
Endpoint Protection
Deploy EDR on every endpoint. Patch within 48 hours of critical updates. Disable PowerShell where it is not needed. Enforce application whitelisting. Remove local admin privileges.
Access Controls
Require MFA on all accounts. Implement least privilege. Use PAM tools. Disable dormant accounts. Deploy conditional access policies.
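The endpoint controls above (EDR, monitoring) rest on one observable fact: crypto ransomware changes the extension of hundreds of files in seconds, often across local folders and network shares at once. The script below is an added example, not code from the original page, that shows the kind of behavioural rule an EDR or SIEM applies. It parses file-activity log lines in a hypothetical format assumed here ("timestamp pid image action path[ -> new path]"), keeps a sliding window per process of renames that change a file's extension, and raises an alert once a single process exceeds a threshold inside the window. The log lines, the 60-second window and the threshold of 5 are all constructed assumptions.

```python
"""
Behavioural detection of a mass-encryption burst over constructed file-activity
logs. Added example; the log format, window and threshold are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ntpath

WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 5                    # assumption: extension-changing renames that trigger an alert

# Constructed sample telemetry (not real data). Assumed format:
#   <ISO timestamp> <pid> <image> <action> <path>[ -> <new path>]
SAMPLE_LOG = """\
2024-03-04T12:01:00 4120 winword.exe write C:\\Users\\jo\\Documents\\claim.docx
2024-03-04T12:01:30 2208 explorer.exe rename C:\\Users\\jo\\Pictures\\IMG_01.jpg -> C:\\Users\\jo\\Pictures\\beach.jpg
2024-03-04T12:02:10 5531 claim_viewer.exe rename C:\\Users\\jo\\Documents\\claim.docx -> C:\\Users\\jo\\Documents\\claim.docx.locked
2024-03-04T12:02:11 5531 claim_viewer.exe rename C:\\Users\\jo\\Documents\\budget.xlsx -> C:\\Users\\jo\\Documents\\budget.xlsx.locked
2024-03-04T12:02:12 5531 claim_viewer.exe write C:\\Users\\jo\\Documents\\HOW_TO_RESTORE.txt
2024-03-04T12:02:13 5531 claim_viewer.exe rename \\\\fileserver\\shared\\patients.csv -> \\\\fileserver\\shared\\patients.csv.locked
2024-03-04T12:02:14 5531 claim_viewer.exe rename \\\\fileserver\\shared\\backup_2024.vbk -> \\\\fileserver\\shared\\backup_2024.vbk.locked
2024-03-04T12:02:15 5531 claim_viewer.exe rename C:\\Users\\jo\\Pictures\\beach.jpg -> C:\\Users\\jo\\Pictures\\beach.jpg.locked
2024-03-04T12:02:16 5531 claim_viewer.exe write \\\\fileserver\\shared\\HOW_TO_RESTORE.txt
2024-03-04T12:05:00 4120 winword.exe write C:\\Users\\jo\\Documents\\notes.docx
"""


@dataclass
class Event:
    ts: datetime
    pid: int
    image: str
    action: str
    path: str
    new_path: Optional[str] = None


def parse_line(line: str) -> Event:
    """Split one log line into an Event; rename lines carry 'old -> new'."""
    ts, pid, image, action, rest = line.split(maxsplit=4)
    new_path = None
    if action == "rename":
        path, new_path = rest.split(" -> ", 1)
    else:
        path = rest
    return Event(datetime.fromisoformat(ts), int(pid), image, action, path, new_path)


def ext_of(path: str) -> str:
    """Lower-cased extension; ntpath handles Windows drive and UNC paths on any OS."""
    return ntpath.splitext(path)[1].lower()


def detect_bursts(log_text: str, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per process whose extension-changing renames exceed
    `threshold` within `window`. Same-extension renames (a user renaming a
    photo) are ignored, so ordinary bulk renames do not trip the rule."""
    windows = defaultdict(deque)   # (pid, image) -> recent qualifying events
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.action != "rename" or ext_of(ev.path) == ext_of(ev.new_path):
            continue
        key = (ev.pid, ev.image)
        win = windows[key]
        win.append(ev)
        while win and ev.ts - win[0].ts > window:   # drop events older than the window
            win.popleft()
        if len(win) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "pid": ev.pid,
                "image": ev.image,
                "renames": len(win),
                "new_extensions": sorted({ext_of(e.new_path) for e in win}),
                "directories": sorted({ntpath.dirname(e.new_path) for e in win}),
                "first_seen": win[0].ts.isoformat(),
                "last_seen": ev.ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

The sample deliberately includes a benign rename by explorer.exe (the extension is unchanged, so it never enters the window) and a burst that spans both the user's profile and a file server share; reporting the touched directories is what tells a responder that the isolation step in the recovery plan below must cover the share, not just the workstation.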
Ransomware recovery plan
Even with strong defenses, you need a plan for the worst-case scenario. Organizations with a tested incident response plan reduce the average cost of a ransomware attack by over $2 million.
Isolate Immediately
Disconnect infected systems from the network immediately. Unplug Ethernet cables and disable Wi-Fi. Do not power off the systems as this may destroy forensic evidence in memory. The goal is to stop lateral movement and prevent the ransomware from spreading to additional systems, file shares, and backup infrastructure.
Assess the Scope
Determine which systems are affected, what data was encrypted, and whether data was exfiltrated. Check if backups are intact and uncompromised. Identify the ransomware variant using the ransom note, encrypted file extensions, or services like ID Ransomware. Some older variants have known decryption tools available for free.
Report the Incident
Notify law enforcement (FBI IC3 or local field office), your cyber insurance carrier, and legal counsel. Many jurisdictions require breach notification within specific timeframes. Your cyber insurance carrier should be contacted before engaging any incident response firms to ensure coverage and approved vendor lists.
Activate Your Incident Response Plan
Follow your documented incident response plan. Engage your incident response team or retained IR firm. Establish communication channels outside the compromised network (personal phones, alternate email). Assign roles: incident commander, communications lead, technical lead, and legal liaison.
Restore from Backups
Begin restoring systems from verified clean backups, starting with the most critical business systems. Verify backup integrity before restoring. Rebuild systems from clean images rather than simply decrypting files to ensure no persistent backdoors remain. Test restored systems in an isolated environment before reconnecting to the production network.
Harden and Monitor
Before bringing restored systems back online, patch the vulnerability that allowed initial access, reset all credentials, and deploy enhanced monitoring. Assume the attacker still has access until proven otherwise. Conduct a thorough review within 30 days to document lessons learned and update your security controls.
Why backups are your most critical defense
Reliable, tested, immutable backups are the single most important factor in ransomware recovery. Organizations with verified backups recover in days. Those without can be down for weeks or permanently lose their data.
3-2-1-1 rule
Follow the 3-2-1-1 rule: 3 copies, 2 different media types, 1 off-site, and 1 immutable or air-gapped copy that ransomware cannot reach.
Immutable backups
Implement immutable backups that cannot be modified or deleted for a defined retention period, even by administrators.
Air-gapped copies
Air-gap at least one backup copy by physically disconnecting it from the network after each backup cycle.
Encrypt all backups
Encrypt all backups with AES-256 encryption and store encryption keys separately from the backup infrastructure.
Test monthly
Test backup restoration monthly. A backup that has never been tested is a backup you cannot rely on during an incident.
Monitor daily
Monitor backup jobs daily for failures, and investigate any backup that fails to complete successfully.
Flexible restore options
Ensure your backup solution can restore individual files, entire systems, and bare-metal images depending on the recovery scenario.
Separate credentials
Store backup credentials in a separate identity system so that compromised domain credentials cannot be used to delete backups.
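Two of the rules above, the 3-2-1-1 layout and the monthly restore test, can be turned into checks a script runs rather than a policy someone remembers. The block below is an added example and not code from the original page: check_3_2_1_1() evaluates a backup inventory against the rule, and build_manifest()/verify_restore() record a SHA-256 per file at backup time and then compare a restored tree against that record, so a restore test reports exactly which files are missing, altered or unexpected (the "Verify backup integrity before restoring" step in the recovery plan). The inventory field names, the manifest layout and the sample files are assumptions constructed here; the first inventory mirrors the clinic scenario earlier on the page, where the only copy sat on the same network.

```python
"""
Backup policy and restore-integrity checks. Added example; inventory fields,
manifest format and sample data are assumptions.
"""
import hashlib
import os
import tempfile

# Constructed inventories. Fields assumed here: name, media, offsite, immutable, air_gapped.
CLINIC_BEFORE = [  # the clinic scenario: one copy, on the same LAN as the victims
    {"name": "nas-share", "media": "disk", "offsite": False, "immutable": False, "air_gapped": False},
]
CLINIC_AFTER = [
    {"name": "nas-share", "media": "disk", "offsite": False, "immutable": False, "air_gapped": False},
    {"name": "object-lock-bucket", "media": "cloud-object", "offsite": True, "immutable": True, "air_gapped": False},
    {"name": "rotating-usb", "media": "disk", "offsite": True, "immutable": False, "air_gapped": True},
]


def check_3_2_1_1(copies):
    """Return a list of 3-2-1-1 violations; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append(f"only {len(media)} media type(s), need 2")
    if not any(c["offsite"] for c in copies):
        problems.append("no off-site copy")
    if not any(c["immutable"] or c["air_gapped"] for c in copies):
        problems.append("no immutable or air-gapped copy")
    return problems


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (assumed manifest layout)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest captured at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed restore test: one file altered, one missing, one stray file added."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        files = {"db/patients.csv": b"id,name\n1,demo\n", "docs/claim.docx": b"PK-demo", "notes.txt": b"hello"}
        for rel, data in files.items():
            for base in (src, dst):           # identical source and "restored" trees
                p = os.path.join(base, rel)
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)         # taken at backup time
        with open(os.path.join(dst, "notes.txt"), "wb") as f:
            f.write(b"tampered")               # silently changed content
        os.remove(os.path.join(dst, "docs", "claim.docx"))   # failed to restore
        with open(os.path.join(dst, "HOW_TO_RESTORE.txt"), "wb") as f:
            f.write(b"stray")                  # file that was never in the backup
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print("before:", check_3_2_1_1(CLINIC_BEFORE))
    print("after:", check_3_2_1_1(CLINIC_AFTER))
    print("restore test:", demo())
```

The manifest should be stored with the backup's immutable copy and, as the page says of encryption keys, out of reach of the credentials that can delete the backup; otherwise an attacker who can rewrite the backup can rewrite the hashes to match.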
Your Checklist
Print this page or screenshot it. Do one step today — you'll be ahead of 90% of people.
- Set up automatic backups using the 3-2-1 rule: 3 copies, 2 media types, 1 offsite
- Keep at least one backup offline or air-gapped — ransomware encrypts cloud backups too
- Install endpoint detection (EDR) — basic antivirus hasn't been enough since about 2018
- Update your OS and software within 48 hours of patches being released
- Disable Remote Desktop Protocol (RDP) if you're not using it — top attack vector
- Segment your network so one infected device can't spread to everything
- Train everyone to spot phishing emails — 90% of ransomware starts with phishing
- Write down your incident response plan before you need it (we can help with this)
Still Have Questions? We're Happy to Chat.
Book a free 15-minute call with our team. No sales pitch, no jargon — just straight answers about staying safe online.
