What is ransomware?

Ransomware attacks remain one of the most costly information security risks. Not just in financial terms but reputationally too. Here, we explain both how ransomware works and how you can best defend against it. Jump to each section using the following links:

Back to basics

Ransomware is, as the name implies, a type of malware designed to hold a network and its data hostage until a fee is paid to the criminals responsible. That, however, is too simplistic a definition, especially as ransomware techniques and tactics have changed over the years.

The basic premise of compromising a network to access and encrypt the data within remains. However, both the methods of compromise and the nature of the extortion have evolved to make avoiding payment a harder and costlier option for the victim organisation.

It’s unusual for the encryption of data to be the only impact of a successful ransomware attack anymore. Instead, that data will likely have been exfiltrated by the attackers before encryption, adding the threat of publication or sale to the extortion equation. This is sometimes known as double-extortion ransomware.

In addition, ransomware groups may subject victims to denial of service attacks of still-operational websites and services to further add to the pressure to pay.

Who is at risk from a ransomware attack?

Going back in time, ransomware was aimed mostly at individuals. That’s when the ransoms were relatively small and people’s cybersecurity awareness likewise.

While individuals aren’t immune to the ransomware threat today, the criminal groups behind this business target the most “profitable” of organisations. Not profit in terms of their profit-and-loss, but who are the most vulnerable and likely to pay a big ransom.

This is why you hear of hospitals, government agencies and legal firms being hit with alarming regularity. Medical targets are likely to pay up fairly quickly as access to their data can be either life-critical or, in the case of government and law, the data accessed could be highly sensitive.

But any organisation can be a victim, from universities, charities, public services, and even small businesses. The prime driver for ransomware attackers is a double-whammy of how valuable the data is and how likely the target will be to pay up. Larger enterprises will likely have costly ransomware insurance than smaller ones, while smaller businesses may have less robust defences.

Why do ransomware threats matter?

Ransomware attacks matter because they cause both financial and reputational harm to an organisation. The latter more so if the attack becomes headline news. Financial harm isn’t just limited to ransoms, if paid, but comes by way of productivity hits and even litigation from impacted customers.

How does ransomware get onto PCs and networks?

One of the main ways ransomware gets onto PCs is through emails. A user opens one, clicks on a link and is sent off to a malicious website that delivers its payload. You used to be able to spot such dubious emails through bad spelling and dodgy English, but with the help of AI the cyberattackers behind ransomware have become much more convincing.

All this means that you must be vigilant at all times when opening emails, clicking links on Facebook (another route is to duplicate someone’s account and then attempt to befriend all their existing friends) and social media in general.

How can you best mitigate against a ransomware attack?

Let’s deal with the elephant in the mitigation room first: data backups alone won’t protect your business against ransomware attacks.

Backups can still help individuals, whose access to systems isn’t mission critical, but that’s about it. But this doesn’t mean businesses shouldn’t be backing up according to the 3-2-1 rule: three backups across two different media, including one offsite.

Dual-extortion ransomware attacks confirm that proactive defence is the best mitigation. Cyber-insurance policies will likely demand the same before providing cover. Measures including endpoint protection, patch management, penetration/vulnerability scanning, and identity & access management are all recommended.

Experts to follow

We’ve put together a short list of 5 experts in the field of cybersecurity that we believe you should follow. Here are their Twitter handles:


  • Groups target everyone from small businesses to large enterprises and government departments. 
  • Data is usually stolen before networks are encrypted, with threats to publish or sell. 
  • Financial harm isn’t limited to ransoms: productivity loss, legal action, and reputational damage all hit the bottom line. 
  • Backing up data alone doesn’t help; proactive security measures trump reactive ones. 
Avatar photo
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.