Our Blog

What is ransomware in cyber security? Definition, How it works, Examples, Tips

What is ransomware in cyber security? Definition, How it works, Examples, Tips

Portia Linao Portia Linao
Updated on March 26, 2024, Post a comment

Ransomware attacks have plagued businesses and individuals for decades. It has evolved into a sophisticated business model that swindles millions yearly.

As an IT security services company, understanding the intricacies of ransomware operations is crucial to safeguarding your clients' digital assets. So why not learn it straight from us? 

In this article, learn what ransomware is, how it works, examples, and how you can protect your business from it. 

What is ransomware in cyber security?

Ransomware is malicious software that encrypts computer files, making them completely inaccessible until the demanded ransom gets paid. And this can come in many forms and functionalities in infecting as many users across the globe.

Other types of ransomware steal your data to either sell it to the highest bidder on the dark web or use it against you to get more money out of you in the future. This danger makes ransomware incredibly damaging to individuals and businesses, resulting in significant data and financial losses.

Ransomware has targeted individuals, businesses, and even government agencies. These cyberattacks will only require a few clicks on a phishing email (with an attached malware file or link to a suspicious website) to lock you out of your computer, infect the rest of your network, and steal your data or worse. But fortunately, there are ways to prevent and mitigate ransomware, so you won’t ever have to pay a hefty price to bring back your operations.

How ransomware works & spreads

Ransomware has one goal: to extort as much money as it can from its victims by blocking their access to data. And it’s mostly through encrypting their data or screen blocking their access. Both work differently but have a similar outcome of preventing data access. You will then see a lock screen with a message informing you your data is under their control and will need to pay a ransom fee – typically through cryptocurrency like Bitcoin – to obtain the decryption key.

The worst part is even if you pay the ransom to get the decryption key, it doesn’t guarantee that it will work or that the incident won’t happen again. For some, hackers won’t even surrender the decryption key and ghost the victim altogether after receiving the ransom payment. And even if you pay for the decryption key, there is still a chance hackers will target you again.

But how does ransomware spread in the first place?

The typical way is through phishing emails that trick users into downloading an infected attachment or clicking on a malicious link. Ransomware can also spread through drive-by downloads from infected websites or by exploiting vulnerabilities in outdated software. Attackers even use brute force attacks on remote desktop protocols (RDP) to access networks and install ransomware. Once inside a network, ransomware can quickly move laterally across systems and devices until it has encrypted all valuable data.

Ransomware attack examples

Ransomware attacks are on the rise globally, and they come in many shapes and sizes, making it difficult for individuals and organisations to protect themselves effectively. Know at least the common ransomware attacks to lessen your chances of getting its devastating effects on your data, operations, and finances.


Back in 2017, WannaCry infected over 200,000 computers worldwide. It finds and exploits vulnerabilities in Windows systems and typically targets widely outdated operating systems, which is preventable if only devices were up to date with their latest patches. One of WannaCry’s biggest victims was NHS Hospitals which cost them 92 million pounds in damages.


Petya is a devastating ransomware attack that targets hard drives. This ransomware encrypts your files and destroys the MDR (master boot record) on the infected system, making them unstable even if you pay the ransom demand. Petya spreads through emails or other venues that allow submitting (infected) links and documents.


Locky is ransomware that has a specific way of infecting your computer. It manipulates users by downloading or opening a Microsoft Word document attachment with hidden macros. Hackers use typical phishing and social engineering tactics to spread the ransomware as far and wide as possible.


Ryuk is a ransomware attack that preys on high-value targets with ransom demands that can go up to over a million dollars. What makes this ransomware dangerous is once your data gets encrypted, you can never recover your data – even if you pay the hefty ransom – because it deactivates your (Windows) operating system’s backup and recovery feature. So unless you have an external backup, your current data will cease to exist.

Also read Ransomware Examples: Top 5 Famous Ransomware Attacks of All Time

How to know if you’re hit with a ransomware attack

Here are the common signs to look out for if you’re hit with a ransomware attack:

Your files are encrypted.

The significant sign of a ransomware attack is you’re unable to access your files, such as videos, photos, documents, and emails. When you attempt to open them, all you will see are scrambled-up letters, numbers, and characters that can only be read by someone with the decryption key. And unless you have the decryption key, it is virtually impossible to read and access the data stored within.

You can’t access your apps.

Occasionally, you won’t be able to open apps (e.g., browsers, office apps, etc.). And whenever you attempt to access the app, a message gets displayed on your screen informing you that your data is under ransom with instructions on how to pay the hackers – typically via Bitcoin.

You can’t use your device.

Ransomware attacks vary, but there’s this one called Locker that denies access to your device and encrypts all your files. This ransomware is especially dangerous because it can take control over your entire machine, making it impossible for you to gain access again without paying the ransom.

You see instructions for a ransom payment.

When your computer or network gets a ransomware infection, the cybercriminal behind it will leave you instructions on how to pay the ransom.

The instructions may come as a message displayed on your screen or through an email containing information about how much money you need to pay and how to make payment. Cybercriminals will demand payment via cryptocurrencies like Bitcoin because it is near impossible to trace. The message (usually in a .txt or .html format) will include threats like deleting all your encrypted files if you fail to make payment within a specified time frame.

How to recover from a ransomware attack

Paying the ransom is never a good idea. On the contrary, it will bring more harm than good in the future if you ever decide to take that route. If you end up paying the ransom as a last resort, there’s never an assurance that you will recover data or not get targeted again.

The best way to recover from a ransomware attack is to prepare a mitigation plan to lessen the damage and reinstate your operations fast. Here’s how:

Isolate & disconnect the infected system

To prevent the spread of ransomware and minimise the damage to your network, you need to find the infected system and isolate it from the rest of the network. This step can include isolating multiple devices, disconnecting network accesses, and locking shared drives.

Assess the damage

Ransomware can spread swiftly. So, to prevent further damage to your machines or networks, you need to investigate the extent of the damage, such as looking at the devices that may have been encrypted or locked down by the malware and checking the logs. This process will give you an idea of what data has gotten compromised, how severe the damage is, and reveal when the attack occurred and if any other systems got infected.

Assessing damages will also determine whether sensitive information got stolen or leaked in the ransomware attack.

Track the infection

Tracking the infection will help you understand the extent of the damage caused by the attack and enable you to take appropriate measures. First, identify the type of malware to track the infection. You can obtain this information from a trusty anti-virus software or a cyber security expert. Once you’ve identified the malware, you can set up the right solutions and tools to restore your operations without the ransom.

Identify the ransomware

There are various types of ransomware, each with a unique characteristic that makes it identifiable. Knowing which variant you are dealing with can help you determine the appropriate security solutions since some ransomware may be reversible without paying the demanded amount. But others will require more drastic measures, such as wiping your hard drive and starting from scratch.

To identify the type of ransomware you’re dealing with, visit No More Ransom and enter the ransom demand details in their Crypto Sheriff feature. Be as accurate as possible with the messages or warnings displayed on your screen. No More Ransom will look into the clues about what specific variant is in play and provide a decryption solution.

Restore the system

The key to restoring your systems to their former glory is to rebuild them with your backup – assuming you have one. The key here is having recent backups with or without the risk of cyber attacks.

Only by restoring from backups can you get back up and running quickly without paying the ransom demands. However, it’s important to remember that all backup files are up-to-date, clean and free of malware before restoring them to your system.

After recovering, we highly recommend you update your apps and systems immediately to their latest patches to prevent hackers from exploiting any newly discovered vulnerabilities.

Professionally review the system

Second opinions are always better than one. The more cyber security professionals look into your security environment, the more likely you are to establish a better solution that withstands ransomware attacks and finds vulnerabilities before the bad guys find them.

Implement stronger security options

Recovering from a ransomware attack is not an easy endeavour. And as a responsible business owner, you will need to implement a more impenetrable security strategy – not just in your IT but with your employees – to prevent ransomware attacks in the future.

Ransomware prevention tips

Hackers can do anything to your data once they get their hands on it. As a decision-maker, you’re responsible for minimising their impact on your business and customers.

These ransomware prevention tips will help you reduce overall damages and prevent attackers from exploiting your vulnerabilities.

Implement data backups

Ransomware works by locking you out of your data. But what if you had a recent cloud backup before you got hit with a ransomware attack? Then you won’t ever have to worry about losing access to your data again!

With data backup (cloud or physical hard drive), you can restore your data without paying a ransom. If you’re under a ransomware attack, you only have to wipe the affected machine and restore the files from your trusty backup. This way, you won’t ever have to pay for ransom again! But keep in mind that having backups don’t prevent ransomware. It only reduces the damage.

We recommend you implement a 3-2-1 backup strategy wherein you store three backups in different separate locations. You can learn more about the 3-2-1 backup strategy here.

Secure your networks

Public Wi-Fi networks are a goldmine for cyber attackers. A network with bad security allows hackers to snoop around connected devices to manipulate communications and steal user data.

We don’t recommend using Public Wi-Fi networks like those in airports and cafes. Instead, we urge you to stick to your office and home network as they’re more secure and don’t have dodgy devices connected to them. You can use the Personal Hotspot on your smartphone if you're travelling.

Protect your emails

Ransomware mostly spreads through emails.

And who uses emails the most?

Your employees.

We recommend implementing anti-spam filters and endpoint protection systems to block dodgy emails with infected attachments that may land in your inbox. But even with a state-of-the-art email security system, there are still that can slip through the gaps. So, your employees must know how to spot and avoid online scams.

Install updates regularly

Software developers release updates to fix current issues. Skipping on these patches leaves you vulnerable to malicious exploitations. It’s best to turn on automatic updates so your devices and applications are always up-to-date with their latest patches.

Maintain security awareness

Ransomware attacks involve tracking individuals into divulging sensitive information or downloading malicious attachments. To combat these threats, you must provide regular security awareness training to your team on topics like phishing, avoiding suspicious links, and recognising scamming tactics.

Alternatively, you can sign up your team for our monthly security awareness webinar wherein our Security Specialist will talk about phishing, online scams, and social engineering attacks that may compromise your IT’s security measures.

Doing this will create a culture of vigilance within your business where everyone is aware of the risks and can how to deal with them effectively.

Also read Ransomware Prevention Tips: 10 Critical Things You Should Do To Protect Your Data

Should you or should you not pay the ransom?

We nor law enforcement don’t encourage paying ransomware demands. You might think you’re safe once you’ve paid the criminals the ransom, but sadly, it will only bring more dangers and uncertainties to your business, such as:

Lack of guarantee to access data/machine again

Hackers are a devious bunch. Even if you pay the hefty ransom, there’s no guarantee that you can recover your data/device to how it was before. Many individuals and organisations paid ransoms and ended up receiving nothing in return. So you're out thousands of dollars and must rebuild your IT from scratch while dealing with legal and reputation consequences.

You become a favourite target

Let’s say you paid the ransom in good faith and got the decryption key for your data. How sure are you that you won’t be targeted again? It doesn’t necessarily have to be the same group (although the same group could also attack you again after a few months/years), but once the word is out to criminal groups that you’re a good investment, you may have painted a red target sign on your back.

You’re funding criminal activities

The more you give in to ransomware demands, the more you give cyber criminals the confidence to keep doing what they're doing. Condoning their actions means you’re funding their illegal activities. Giving in to their demands means you're financing their operations and encouraging them to continue their criminal practices.

While some may argue that paying the ransom is necessary to retrieve sensitive information or safeguard business operations, doing so only encourages criminals to continue attacking vulnerable targets.

While some may argue that paying the ransom is necessary to retrieve sensitive information or safeguard business operations, doing so only emboldens criminals to continue to attack vulnerable targets.

You’ll be targeted again in the future

By giving in to the demands of cyber criminals, you’re signalling your willingness to pay and become vulnerable to repeat attackers. Paying a ransom funds criminal organisations and incentivises them to continue targeting victims (including you) with ransomware.

Ultimately, prevention is the key when it comes to combating ransomware attacks. Investing in security measures like backups and employee training can significantly reduce the risk of becoming a victim and avoid paying any ransom.


Build a digital fortress with the help of proven IT experts

Need help with your cyber security? 

No worries, let us do the hard work for you while you focus on your business.