Ransomware is malicious software that encrypts your files — or locks you out of your systems entirely — and demands payment, usually in cryptocurrency, for the decryption key. It's the most financially damaging form of cybercrime for small and medium businesses: the average ransomware incident costs far more in downtime, recovery and reputational damage than the ransom itself.
And it's not just large companies. Attackers increasingly target small businesses precisely because they're less likely to have robust backups, security monitoring or incident-response plans.
How a ransomware attack unfolds
A typical attack follows a predictable sequence:
- Initial access — the attacker gets a foothold: a credential-phishing email that tricks an employee into entering their password on a fake page, a brute-forced Remote Desktop Protocol (RDP) port exposed to the internet, an unpatched vulnerability in a VPN or web application, or malware downloaded via a drive-by attack on a compromised website.
- Persistence and lateral movement — once inside, the attacker moves across the network to find more systems, elevate privileges, and reach backups and file servers. This phase can take days or weeks — attackers often wait until they have maximum reach.
- Exfiltration — many modern ransomware groups steal data before encrypting, creating a second lever: "pay or we publish your customer data" (double extortion).
- Encryption — the ransomware executes, encrypting files across every accessible drive and network share. Backups connected to the network are often targeted first.
- Ransom demand — a note appears demanding payment, typically within 72 hours, in Bitcoin or Monero. The note usually includes a contact address and sometimes a "proof of decryption" offer where they decrypt one file for free.
The most common entry points
- Phishing emails — the leading cause. A convincing email tricks an employee into clicking a link, opening a macro-laced document, or entering credentials on a fake page. Training and email authentication both help: DMARC enforcement stops external attackers from sending phishing email that appears to come from your own domain.
- Exposed RDP — Remote Desktop Protocol on port 3389, reachable from the internet, is one of the most exploited entry points. Attackers brute-force credentials or use stolen ones. RDP should never be exposed publicly — use a VPN or jump server.
- Unpatched software — known CVEs in VPNs, web servers, Exchange and other internet-facing systems are weaponised within hours of public disclosure. Patch cycles longer than 24–48 hours for critical internet-facing vulnerabilities are a major risk.
- Compromised credentials — passwords leaked from other breaches, reused across services, let attackers walk straight in. Password managers and unique passwords per service are essential.
- Malvertising and drive-by downloads — malicious ads or compromised websites that silently install malware when visited by a vulnerable browser or plugin.
Should you pay the ransom?
Most security agencies and law enforcement advise against paying: it funds criminal organisations, doesn't guarantee you'll get working decryption keys, and marks you as a target who pays. In practice, some businesses with no backups and critical data held hostage do pay — but it should be a last resort after all other recovery options are exhausted. The only reliable protection is not being in that position.
How to protect your business
1. Offline and offsite backups — the non-negotiable control
The single most important protection is a backup that ransomware can't reach. This means backups that are disconnected from the network (or held in an immutable cloud bucket that can't be deleted remotely), tested regularly, and stored offsite. A backup that's mounted as a network drive is just another target. Test restoration regularly — an untested backup is a guess, not a plan.
2. Multi-factor authentication everywhere
2FA on email, VPNs, RDP, cloud services and any admin panel means compromised passwords alone aren't enough to break in. This single control eliminates most credential-based initial access.
3. Patch fast, especially internet-facing systems
Critical patches for VPNs, firewalls, mail servers and web applications should be applied within hours of release, not on a monthly cycle. Ransomware groups actively monitor CVE disclosures and scan for vulnerable hosts within hours.
4. Stop phishing at the source
Email authentication — SPF, DKIM and a DMARC policy of at least p=quarantine — prevents attackers from sending phishing emails that look like they come from your domain. It won't stop all phishing, but it closes the easiest and most convincing attack vector. Staff training to spot suspicious emails is the complementary control.
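As an added example (not code from this article or from Kalenfy's scanner), the Python below parses a DMARC TXT record and reports whether it meets the p=quarantine bar just described; the two records are constructed samples, not any real domain's, and the window for pct= and sp= handling follows the DMARC tag semantics.

```python
"""Check whether a DMARC record meets the 'at least p=quarantine' bar."""

# Constructed sample records (not any real domain's): the weak and the corrected form.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_RECORD = "v=DMARC1; p=quarantine; sp=quarantine; pct=100; rua=mailto:dmarc@example.test"

# Higher rank = stronger disposition for mail that fails SPF/DKIM alignment.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split a record into tag -> value pairs; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return (enforcing, findings). 'Enforcing' means a receiver would quarantine
    or reject all unauthenticated mail claiming the domain or its subdomains."""
    findings = []
    if not record:
        return False, ["no DMARC record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["record does not begin with v=DMARC1, so receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return False, ["missing or unknown p= tag; the record is invalid"]
    enforcing = POLICY_RANK[policy] >= POLICY_RANK["quarantine"]
    if not enforcing:
        findings.append("p=none only monitors; spoofed mail is still delivered")
    # pct below 100 applies the policy to only that share of failing mail.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        enforcing = False
        findings.append(f"pct={pct} applies the policy to only part of failing mail")
    # sp= overrides p for subdomains; an explicit weaker value reopens the gap.
    if "sp" in tags and POLICY_RANK.get(tags["sp"].lower(), 0) < POLICY_RANK["quarantine"]:
        enforcing = False
        findings.append(f"sp={tags['sp']} leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports never arrive")
    return enforcing, findings
```

Feed it the TXT record published at _dmarc.yourdomain (fetched with any DNS client) to see which of the findings apply to your own domain.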
5. Segment your network and limit lateral movement
If ransomware lands on one machine, network segmentation limits how far it can spread. Separate your servers, workstations, backups and guest Wi-Fi. Apply the principle of least privilege — accounts should only have access to what they need.
6. Endpoint protection
Modern endpoint detection and response (EDR) tools detect ransomware behaviour patterns (mass file encryption, shadow-copy deletion) and can stop an attack mid-execution. This is different from traditional antivirus and is worth the investment for businesses handling sensitive data.
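As an added illustration of the behaviour pattern EDR tools look for (not code from this article or from any EDR product), this Python sketch flags a process that changes the file extension of many distinct files within a short window; the log format, process names, window length and threshold are all constructed assumptions.

```python
"""Toy EDR-style heuristic for the 'mass file encryption' pattern: one process
changing the file extension of many distinct files within a short window."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # assumed window; real products tune this per environment
THRESHOLD = 20        # assumed number of distinct files that triggers an alert


def build_sample_log():
    """Constructed events (not real telemetry): one ordinary editor save, then a
    burst in which a single process renames 25 spreadsheets to a new extension."""
    lines = ["ts=2024-05-01T10:00:00 pid=1200 proc=winword.exe op=rename "
             "src=C:/docs/~tmp.docx dst=C:/docs/q1.docx"]
    for i in range(25):
        lines.append(f"ts=2024-05-01T10:00:{i:02d} pid=4412 proc=unknown.exe op=rename "
                     f"src=C:/docs/file{i}.xlsx dst=C:/docs/file{i}.xlsx.locked")
    return lines


def parse_event(line):
    """Parse the constructed key=value format (paths here contain no spaces)."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_mass_rename_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {pid: peak_count} for processes that changed the extension of at
    least `threshold` distinct files inside any `window`-second span.
    Events are assumed to arrive in timestamp order."""
    recent = defaultdict(deque)   # pid -> (ts, src path) events still in window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        # Only renames that change the extension count; a .docx saved as .docx is normal.
        if ev.get("op") != "rename" or extension(ev["src"]) == extension(ev["dst"]):
            continue
        queue = recent[ev["pid"]]
        queue.append((ev["ts"], ev["src"]))
        while (ev["ts"] - queue[0][0]).total_seconds() > window:
            queue.popleft()
        distinct = {src for _, src in queue}
        if len(distinct) >= threshold:
            alerts[ev["pid"]] = max(alerts.get(ev["pid"], 0), len(distinct))
    return alerts
```

Real EDR combines several such signals (rename bursts, high-entropy writes, shadow-copy deletion) and can suspend the offending process; this sketch only shows why the burst is distinguishable from normal document edits.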
What to do if you're hit
- Isolate immediately — disconnect infected machines from the network to stop spread.
- Don't wipe yet — forensic evidence may be needed, and decryptors sometimes emerge later.
- Contact your incident response provider or insurer — if you have cyber insurance, call them first; they usually have IR contacts.
- Report to authorities — ransomware is a crime. Report to national cybercrime agencies (IC3 in the US, Action Fraud in the UK, etc.).
- Restore from clean backups — only after verifying the initial access vector is closed.
FAQ
Can ransomware spread from one computer to others?
Yes — modern ransomware actively moves laterally across networks before triggering encryption. This is why isolating infected machines immediately matters, and why network segmentation limits damage.
Is ransomware the same as a virus?
Ransomware is a type of malware. It's often delivered by other malware (trojans, loaders) but the ransomware component itself is specifically designed to encrypt data and demand payment.
Will my security scan detect ransomware?
A passive DNS and email security scan (like Kalenfy's) checks your public attack surface — email authentication, open records, missing security headers — not the endpoint or network. Endpoint protection (EDR/antivirus) is the right tool for detecting malware on devices.