How ransomware actually works

Ransomware is malicious software that encrypts your files — documents, databases, backups it can reach — and then demands a ransom for the key. Modern attackers often also steal a copy of your data first, threatening to publish it if you do not pay. That means even good backups may not fully remove the pressure.

How it gets in

  • Phishing emails with malicious attachments or links — the most common entry point.
  • Exposed remote access (RDP, VPNs) with weak or reused passwords.
  • Unpatched software with known vulnerabilities.
  • Compromised third parties or infected USB devices.

How to prevent it

Prevention is far cheaper than recovery. The core defenses are practical and within reach of any SME:

  • Offline, tested backups. Keep at least one backup copy disconnected from the network so it cannot be encrypted. Test restores regularly.
  • Multi-factor authentication on email and all remote access.
  • Patch quickly. Prioritize internet-facing systems.
  • Least privilege. Limit who can install software and access critical shares.
  • Email filtering and staff awareness to stop phishing before it spreads.
  • Network segmentation so an infection in one area cannot spread everywhere.

The 3-2-1 backup rule: keep 3 copies of your data, on 2 different types of media, with 1 copy offline or off-site. This single practice is the most reliable defense against ransomware.
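A backup you have never restored is only a hope. The script below is an added example, not part of the original post: it records a SHA-256 manifest of the files at backup time and then checks a restored copy against it, reporting files that are missing, altered (truncated, corrupted or encrypted) or unexpectedly present. The directory layout and file contents in `demo()` are constructed sample data; in practice you would point `build_manifest` at the data you back up, store the manifest with the offline copy, and run `verify_restore` against a test restore on a schedule.

```python
"""Restore verification for backups: hash every file in the source, then
check a restored copy against that manifest.

Added example, not code from the original post. Paths and file names below
are constructed sample data; point build_manifest/verify_restore at real
directories to use it for an actual restore test.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database dumps need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest.
    Write this at backup time and keep it with the offline copy."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest.

    Returns files missing from the restore, files present with a different
    hash (truncated, corrupted or encrypted), and files that exist in the
    restore but were not in the original backup."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(
        name for name in set(manifest) & set(current)
        if manifest[name] != current[name]
    )
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not (missing or changed)}


def demo() -> dict:
    """Build a small constructed source tree, 'restore' it, then damage the
    copy so the check has something to find. All data here is made up."""
    work = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        src = work / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "contract.txt").write_text("signed 2024")
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("call supplier")
        manifest = build_manifest(src)

        restored = work / "restored"
        shutil.copytree(src, restored)
        # Simulate typical restore failures: one file lost, one corrupted,
        # and a stray file that was never in the backup.
        (restored / "notes.txt").unlink()
        (restored / "ledger.csv").write_text("id,amount\n1,1\n")
        (restored / "leftover.tmp").write_text("unexpected file")
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("restore ok" if result["ok"] else f"restore problems: {result}")
```

The manifest is deliberately a plain dictionary of path to digest so it can be saved as JSON next to the backup media; a restore test then needs nothing but the manifest, the restored directory and this script. Keep the manifest with the offline copy rather than only on the live network, since a manifest that an attacker can also reach proves nothing.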

If you are hit

  1. Isolate. Disconnect affected devices from the network immediately to stop the spread.
  2. Do not rush to pay. Payment does not guarantee recovery and may break local law — get expert and legal advice first.
  3. Preserve evidence. Do not wipe systems before they can be examined.
  4. Recover from clean backups once the cause is understood and removed.
  5. Report the incident to the relevant authorities and notify affected parties as required.

Be ready before it happens

A short incident response plan — who to call, how to isolate systems, where the backups are — is the difference between a few hours of disruption and weeks of crisis. We help businesses build that readiness through assessments and practical guidance.
