Preventing Ransomware:

What Your Business Needs To Know

Learn how to protect your organization from growing ransomware threats.


What Is Ransomware?

How Ransomware Works

6 Basics of Ransomware Prevention

You’ve Fallen Victim to a Ransomware Attack: Now What?

Control Ransomware Attacks With an Incident Response Plan


Can your company afford to be without access to financial systems, critical files, and email for days or even weeks? Not many can. Ransomware is a cybersecurity threat that affects businesses and individuals, and ransomware prevention is a growing concern.

Global ransomware damage costs are expected to reach $20 billion this year, up from $325 million in 2015, an increase of more than 60x in only six years.

If you think ransomware attacks are perpetrated by people sitting behind a desk in a dark room, think again: much of a ransomware attack, from the initial scanning and phishing through to the encryption itself, is automated. Websites on the dark web even offer Ransomware-as-a-Service, or ransomware for rent, making the process easy for criminals with little technical skill. The owners of these sites take a cut if the ransom is paid.

This article will break down everything you need to know about ransomware, how it works, and how to protect your business from these increasingly sophisticated attacks.

What Is Ransomware?

Isn’t ransomware malware? What’s the difference?

Malware is a general term for any program designed to disrupt, damage, or gain unauthorized access to a device or computer system. Ransomware is a type of malware that encrypts files, denying victims access to their business or personal data. The attackers then demand a ransom to restore the captured data, usually payable in a cryptocurrency such as bitcoin, which is harder to trace than a bank transfer (though not truly anonymous).

Ransomware attacks have become increasingly elaborate, penetrating corporate networks and deliberately targeting backup systems so that victims cannot simply restore. Some campaigns also steal personal and financial data before encrypting it, and some operators deploy cryptocurrency miners on compromised machines alongside the ransomware.

If you think your business is too small to be on a hacker’s ransomware radar, you’re mistaken.

Small companies often lack resources to protect themselves against ransomware, making them easy targets. It’s easier to hit up many small businesses for a few thousand dollars each than to score a more significant mark with more advanced security measures in place.

How Ransomware Works

There are five steps in the ransomware attack process:

  1. Infection

  2. Security Key Exchange

  3. Encryption

  4. Extortion

  5. Recovery


Infection

The first step in a ransomware attack is the initial infection. Some operators scan the internet indiscriminately for exposed or unpatched services (remote desktop and VPN gateways are common targets) and break in wherever they can. Others target specific people in an organization with tailored email (spear phishing).

If a target opens a malicious attachment or follows a link, the ransomware runs locally and typically tries to spread to other reachable hosts on the network.

Security Key Exchange

Attackers are alerted when a victim is infected. Before encrypting, most ransomware generates the encryption keys it will use and exchanges them with the attacker’s command-and-control server. A common design is to encrypt each file with a fresh symmetric key and then wrap that key with a public key whose private half only the attacker holds, so the one key that can undo the damage never exists on the victim’s machine. That is what gives the attacker leverage. Blocking the call-out at the network edge can stop some families before they encrypt anything, though many now ship with a pre-generated public key and need no connection at all.


Encryption

Encryption is the step that actually locks the target’s data: files are rewritten as ciphertext, usually renamed with a new extension, and a ransom note is dropped into each affected folder.

Note: What looks like ransomware may be “scareware” that only renames files or shows a lock screen without encrypting anything. Make sure you know what you’re dealing with before taking additional recovery steps: a file that still opens in its application, or still starts with its normal file signature, has not been encrypted.
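One quick way to make that check is to look at the bytes themselves. The following is an added example, not code from the original article: it reports whether a file still carries the signature of a known format and, if not, whether its content is near-random, which is what encrypted data looks like. The signature table, the entropy threshold, and the sample files are assumptions constructed for the example.

```python
"""Triage suspect files: intact (known signature survives), likely encrypted
(near-random content), or not encrypted. Added example; the signatures,
threshold and sample files are assumptions constructed for illustration."""
import math
import os
import random
import tempfile
from collections import Counter

# A few common file signatures (magic bytes). Ransomware rewrites file
# contents, so an encrypted file will not start with its format's signature;
# scareware that only renames files leaves the signature in place.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
}

SAMPLE_BYTES = 65536      # leading bytes to judge; avoids reading huge files
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Classify the leading bytes of one file."""
    for signature in SIGNATURES:
        if data.startswith(signature):
            return "intact"
    if shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return "not_encrypted"


def triage_directory(root: str) -> dict:
    """Map each file under root (relative path) to its classification."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                verdicts[os.path.relpath(full, root)] = classify(fh.read(SAMPLE_BYTES))
    return verdicts


def build_sample_directory() -> str:
    """Constructed sample: a renamed-but-intact PDF, a file that really was
    encrypted (random bytes stand in for ciphertext), and a plain text file."""
    root = tempfile.mkdtemp(prefix="triage-")
    rnd = random.Random(1)
    samples = {
        "report.pdf.locked": b"%PDF-1.7\n%fake pdf body\n" * 50,
        "ledger.xlsx.locked": bytes(rnd.randrange(256) for _ in range(8192)),
        "readme.txt": b"Quarterly figures attached.\n" * 40,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, verdict in sorted(triage_directory(build_sample_directory()).items()):
        print(f"{verdict:17} {path}")
```

Archives, media, and password-protected documents are legitimately high-entropy, so treat "likely_encrypted" as a prompt to open a few of those files by hand, not as proof; the "intact" verdict is the reliable one, since no real ransomware leaves the original signature in place.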


Extortion

Once files are encrypted, the victim is shown a ransom demand: pay, and the decryption key will be handed over. Ransom notes typically use threatening language, countdown timers, and other social engineering to push victims into paying quickly.

If the ransom deadline isn’t met, attackers often double down by threatening to delete the data or publish it. This “double extortion” adds a data-leak threat on top of the encryption, so good backups alone no longer remove all of the attacker’s leverage.

Note on extortion emails:

Extortion emails are also an entirely separate class of compromise that doesn’t have to involve ransomware at all. The Armorblox threat research team has observed a sharp increase in emails whose subject lines are old passwords the victim has actually used (the scammers most likely obtained them from a data breach or bought them on the dark web).

The emails then make fake claims that the scammer has access to sensitive data about the victim (sextortion is the usual angle) and demand a bitcoin payment, threatening to leak the information if it isn’t received. A real password in the subject line proves only that the password appeared in a breach, not that the sender has access to anything; the right response is to change that password wherever it is still in use, not to pay.


Recovery

To pay or not to pay: that is the question. Should you pay the ransom to receive the decryption keys or hold out in the hope of a better solution? Paying guarantees neither a working decryptor nor that you won’t be hit again, so the better long-term answer is to reduce your vulnerabilities and entry points before an attack and to recover from backups after one.

According to a recent study, 94% of organizations got their data back: 26% by paying the ransom and 56% by restoring from backups. Many businesses would rather pay quietly than admit they were hacked.

6 Basics of Ransomware Prevention

Here are six things you can do to reduce the risk of ransomware attacks on your business.

  1. Maintain Up-to-Date Backups

Running regular backups is a cybersecurity best practice. Run full backups automatically and at set intervals, and test restores on a schedule: a backup you have never restored from is an assumption, not a backup. While backups won’t prevent ransomware attacks, they can mitigate losses after one occurs.

Pro tip: Store your backups offsite and offline.

If your backup is reachable with the same credentials from the same network as production, it can be ransomed as well; modern ransomware looks for backup shares and deletes or encrypts them before touching production data. Keep at least one copy that the production network cannot write to (removable media taken offline, an immutable object-storage bucket, or a backup system with its own separate credentials), and restore from that secure location.
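The minimum check worth automating around a backup is a restore verification. The following is an added example, not code from the original article: it records a SHA-256 manifest when the backup is taken, then compares a restored copy against it and reports files that were modified, missing, or added (the three things a ransomware run leaves behind). The directory layout and sample files are constructed in a temporary folder; keeping the backup and a copy of the manifest somewhere the production network cannot write to is an operational control the script assumes rather than enforces.

```python
"""Record a hash manifest at backup time and verify a restore against it.
Added example; the sample data is constructed in a temporary directory.
Assumes the backup copy (and a copy of the manifest) is kept somewhere the
production network cannot write to; that is not something the code enforces."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path (with / separators) -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def take_backup(src: str, backup_dir: str) -> dict:
    """Copy src into backup_dir/data and write manifest.json beside it."""
    shutil.copytree(src, os.path.join(backup_dir, "data"))
    manifest = build_manifest(src)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_restore(restored_root: str, manifest: dict) -> dict:
    """Compare a restored tree to the manifest; every list empty means clean."""
    current = build_manifest(restored_root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Back up a constructed tree, restore it and verify, then simulate
    ransomware touching the restored copy and verify again."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(work, "finance")
    os.makedirs(os.path.join(src, "2024"))
    with open(os.path.join(src, "2024", "ledger.csv"), "w") as fh:
        fh.write("date,amount\n2024-01-02,1250.00\n")
    with open(os.path.join(src, "policy.txt"), "w") as fh:
        fh.write("Pay nothing without two signatures.\n")

    backup_dir = os.path.join(work, "backup")
    manifest = take_backup(src, backup_dir)

    restored = os.path.join(work, "restored")
    shutil.copytree(os.path.join(backup_dir, "data"), restored)
    clean = verify_restore(restored, manifest)

    # Simulated encryption: content overwritten, file renamed with a new extension.
    with open(os.path.join(restored, "policy.txt"), "wb") as fh:
        fh.write(os.urandom(64))
    os.rename(os.path.join(restored, "2024", "ledger.csv"),
              os.path.join(restored, "2024", "ledger.csv.locked"))
    tampered = verify_restore(restored, manifest)
    shutil.rmtree(work)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a clean machine against a restore made from the offline copy, not against the live share: if the manifest and the backup both sit on a share the infected host can write to, the attacker can encrypt both and the check proves nothing.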

  2. Educate Your Users

The importance of employee awareness training, accountability, and testing cannot be overstated. Training your employees to recognize phishing and malware is a continual process that must cover both existing and emerging threats.

With the increasing complexity and frequency of cyberattacks, employees must constantly be looking for hacking and phishing attempts.

Education is only helpful if it’s put to good use. Phishing simulations provide near real-life examples that keep cybersecurity top of mind and should be performed regularly for best results.

Here are a few best practices employees should keep top of mind:

  • Avoid suspicious links, attachments, or downloads

    in unknown websites, social networks, instant messaging platforms, or email messages. If it looks sick, don’t click! It only takes one click to begin a ransomware download. Hovering on questionable links enables you to check out the URL before clicking. Train users to pay close attention to senders’ names and check that email addresses are correct. If you’re unsure of the legitimacy of a link, contact the sender directly through a new message or phone call — never through a reply.

  • Avoid errors: If it looks fishy, it’s probably phishy.

    Not all cybercriminals are Pulitzer prize-level writers. Obvious typos and egregious spelling or grammatical errors are often clues to suspicious intent. The reverse does not hold: a polished, error-free message can still be phishing, so clean prose is no reason to skip the other checks.

  • Avoid replying to requests for personal information

    from unknown or untrusted sources. Experienced cybercriminals skillfully practice social engineering techniques to collect information that builds trust and is then used against their victims to get them to comply.

  • Avoid random USB sticks.

    We know USB stands for “universal serial bus,” but train your employees to think “unknown, sneaky, and bogus” instead. Connecting a USB stick from an unknown source is asking for trouble. Never plug in a USB stick given to you by a stranger or, worse yet, one that you’ve found in a public place. Better safe than sorry, always.
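The hover-over-the-link and check-the-sender advice above can also be automated, at the mail gateway or in a triage script for reported messages. The following is an added example, not code from the original article or from Armorblox: it parses a constructed email and flags two classic tells, a From display name that embeds a different address than the real sender, and anchors whose visible text names one domain while the href points at another. The domain comparison keeps only the last two labels, a simplification of this example rather than a proper public-suffix check.

```python
"""Flag lookalike links and display-name spoofing in an email message.
Added example; the sample message below is constructed, and the domain
comparison (last two labels) is a simplification of this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name, optionally preceded by a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Last two labels of a host (example.com for portal.example.com).
    Simplification: no public-suffix list, so co.uk-style domains are wrong."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header: str) -> list:
    """Flag a display name carrying an address for a different domain than
    the actual sender, e.g. "IT <it@example.com>" <x@other.net>."""
    name, addr = parseaddr(from_header)
    match = DOMAIN_RE.search(name)
    if match and "@" in addr:
        sender_domain = addr.rsplit("@", 1)[1]
        if registrable(match.group(1)) != registrable(sender_domain):
            return [f"display name '{name}' does not match sender address {addr}"]
    return []


def check_links(html: str) -> list:
    """Flag anchors whose visible text names a domain other than the href host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        match = DOMAIN_RE.search(text)
        if match and href_host and registrable(match.group(1)) != registrable(href_host):
            findings.append(f"link text '{text}' actually points to {href_host}")
    return findings


def analyze(raw_message: str) -> list:
    """Run both checks over a raw RFC 822 message (single-part or multipart)."""
    msg = message_from_string(raw_message)
    findings = check_sender(msg.get("From", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            findings += check_links(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return findings


# Constructed sample: the display name claims helpdesk@example.com, the real
# sender is another domain, and the reset link's text and target disagree.
SAMPLE_MESSAGE = """From: "IT Helpdesk <helpdesk@example.com>" <billing@mail-example-support.net>
To: user@example.com
Subject: Your password expires today
Content-Type: text/html; charset=utf-8

<p>Reset it now at
<a href="http://example-com-login.net/reset">https://portal.example.com/reset</a>
or read the <a href="https://example.com/help">help center</a> article.</p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Neither check catches a link whose visible text is just "click here", which is why the training still matters: the script narrows the pile, the human hovers over the rest.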

  3. Perform Regular Patch Management

Patch management is a cybersecurity best practice that solves several issues. Not only do software patches ensure you’re running the most recent platform features and upgrades, but they also provide you with the most recently released security patches and malware protections.

Attackers are well versed in security vulnerabilities and take advantage of known weaknesses in unpatched software to penetrate networks, operating systems, browsers, and even antivirus tools without needing sophisticated phishing at all. Prioritize patches for internet-facing systems and remote access services, because those are what attackers scan for first.

  4. Maintain System Security Measures

Here are three specific system security measures you should perform to make your business resistant to ransomware threats:

  1. Install Antivirus Software

    Endpoint protection (antivirus or, better, an endpoint detection and response agent that watches for behavior such as mass file encryption) catches many commodity ransomware families before they run, though it is not a guarantee against a determined operator. Web filtering in the same products can also prevent employees from reaching known-malicious sites, another step in stopping ransomware infiltration.

  2. Keep Firewalls Active and Properly Configured

    Firewalls protect your systems by identifying, analyzing, and restricting network traffic, protecting your company’s sensitive data. Beyond keeping rules current and the firewall active, the single most valuable ransomware control here is not exposing remote access services such as RDP or SMB directly to the internet; put them behind a VPN that requires multi-factor authentication.

  3. Create Network Segmentations

    Protect Tier 1 critical systems, databases, and the workstations of executive personnel by placing them in separate network segments with firewalls or gateways between them. Segmentation keeps malware from moving freely within your network, expanding its reach and infecting servers and endpoints, and it lets you isolate an infected segment without taking the whole business offline.

  5. Create Strong Usage Policies

Enforcing strong usage policies protects your business from cyberattacks.

  • Password Policies

    One of the easiest and most often overlooked ways to protect against ransomware is to create and enforce a strong password policy. Many businesses don’t take password security seriously, allowing users to share passwords while ignoring complexity guidelines, password managers, and multi-factor authentication.

    If your password policy is out of date (or nonexistent), take the time to establish guidelines on strong, unique passwords, and require multi-factor authentication for email, VPN, and any other remote access: stolen or guessed credentials are one of the most common ways ransomware operators get in.

    Pro tip:

    Change the manufacturers’ default passwords on all network equipment. Default credentials are an easy way for attackers, experienced or not, to get into your systems.

  • Software Restriction Policies

    Don’t allow applications to be installed that could introduce risk into your network. Software restriction policies or application allowlists let you designate which software is permitted to run, so an executable dropped by a phishing attachment is blocked even if a user opens it.

  • BYOD and MDM Policies

    Bring-your-own-device (BYOD) scenarios, while saving companies on capital expenditures, have created a myriad of security risks for businesses. BYOD and mobile device management (MDM) policies establish rules for how personal and mobile devices are secured and used within your company. Without strict BYOD/MDM policies, you open your sensitive data up to cybersecurity dangers as well as theft and corporate espionage.

    BYOD and MDM policies apply to mobile devices including smartphones, notebooks, laptops, tablets, and portable media devices. They can also govern employee usage of public WiFi networks. Public WiFi can make computers vulnerable to attack; therefore, employees should use VPN services when conducting sensitive business transactions in public spaces.

  6. Limit Access to Privileged Information

Giving unlimited access to your network and sensitive data is like having doors with no locks, and then leaving them wide open. The principle of least privilege (PoLP) gives users access to the data they need to see, edit, or download, and no more. Ransomware runs with the privileges of the account that launched it, so an employee who can write to every share can encrypt every share. Review access regularly, and make sure you revoke the credentials, access, and privileges of former employees promptly.

You’ve Fallen Victim to a Ransomware Attack: Now What?

You didn’t think it could happen to you, but it did. First, stay calm. Putting the following steps into action right away will increase your chances of a successful post-ransomware recovery.


Isolate and Clean Infected Systems

Disconnect any infected devices from the network (unplug the cable and disable Wi-Fi, not just the internet connection) and remove the malware with anti-malware software. Before wiping anything, keep a copy of the ransom note and a few encrypted files: they identify the ransomware family, and for some families with flawed cryptography free decryptors exist (the No More Ransom project maintains a list). Note: Removing the malware won’t decrypt your files but will protect the rest of your network from further damage. Absent such a flaw, encrypted files cannot be decrypted without the key, which only the attacker holds.


Report the Attack

Report the crime to your local police department or the closest FBI office. While law enforcement agencies may not be able to decrypt your data or find the perpetrator, filing a report heightens awareness and may help others avoid similar attacks. Most law enforcement agencies do not encourage paying ransomware attackers.


Restore From Backups

If you need any more encouragement to maintain regular backup procedures, this is it! While you may (or may not) regain access to your encrypted data, restoring it from your own backups is the most reliable way to get your business back to normal.

Control Ransomware Attacks With an Incident Response Plan

Taking steps to prevent a ransomware attack in the first place is always the best course of action. But how do you know how prepared you are to respond when one gets through?

The Ransomware Incident Response Blueprint includes ready-to-use presentation templates, tools, and strategic guidance from Info-Tech Research Group. These resources assess your organization’s maturity for ransomware response and set people, processes, and technologies in place for when (not if) an attack happens.

Ready? Get your Ransomware Incident Response Blueprint today.