Ransomware: What It Is & How to Prevent It

Learn how to protect your organization from growing ransomware threats.

What Is Ransomware
How Ransomware Works
How Ransomware Spreads
Types of Ransomware
7 Basics of Ransomware Prevention
Ransomware Recovery in 3 Steps


Global ransomware damage costs are expected to surpass $30 billion in 2023, up from $325 million in 2015 — a 92x increase in only eight years. But what is this cybersecurity threat, and how does it impact individuals and businesses?

If you think ransomware attacks are perpetrated by people sitting behind a desk in a dark room, think again. Many ransomware attacks are almost entirely automated. Websites on the dark web even offer Ransomware-as-a-Service, or ransomware for rent, making the process easy for criminals. The owners of these sites take a cut if the ransom is paid.

This article will break down everything your business needs to know about ransomware, how it works, and how to protect your organization from these increasingly sophisticated attacks.

What Is Ransomware

Many people think ransomware equals malware, so let’s clear the air.


Malware is a general term for any program designed to disrupt, damage, or gain unauthorized access to a device or computer system.


Ransomware is a type of malware that attackers use to encrypt files, denying victims access to their business or personal data. The attackers demand a ransom to restore the captured data, usually payable in cryptocurrency such as bitcoin because it is harder to trace than a bank transfer.

Ransomware attacks have become increasingly elaborate, penetrating corporate networks and targeting backup systems so that recovering without paying is harder. Modern operations also steal personal and financial information before encrypting it, so they can threaten to leak it (see Doxware below). Turning compromised machines into cryptocurrency miners is a separate form of malware (cryptojacking), although the same intrusion toolkits sometimes deliver both.

If you think your business is too small to be on a hacker’s ransomware radar, you’re mistaken.

Small companies often lack resources to protect themselves against ransomware, making them easy targets. It’s easier to hit up many small businesses for a few thousand dollars each than to score a more significant mark with more advanced security measures in place.

How Ransomware Works

There are five steps in the ransomware attack process:

  • Infection

    — The first step in a ransomware attack is the initial infection. Some operators scan the internet indiscriminately for exposed or vulnerable services (remote desktop, VPN appliances, unpatched web servers) and break in wherever they find them. Others target specific people in an organization with tailored emails (spear phishing).

    If a target opens a malicious attachment or link, the payload runs on that machine and, in many families, then tries to reach other hosts on the network.

  • Security Key Exchange

    — Attackers are alerted when a victim is infected. Before encrypting, the ransomware has to establish the keys it will use, usually with a hybrid scheme: it generates a random symmetric key on the victim's machine, uses that key to encrypt the files, and encrypts the symmetric key itself with the attacker's public key, which is either embedded in the malware or fetched from a command-and-control server. Only the attacker's private key can unwrap it, so the key needed for recovery never exists in usable form on the victim's systems. Blocking outbound connections from infected hosts therefore stops some families from starting, but not those that ship with the public key embedded.

  • Encryption

    — The malware enumerates local disks and any reachable network shares and encrypts the files it can write to, usually skipping the files the operating system needs to boot so the victim can still read the ransom note. Encrypted files typically receive a new extension, and the originals (and often shadow copies and local backups) are deleted.


    Note: What looks like ransomware may be "scareware" that hasn't encrypted your data at all. Check whether files actually fail to open, and make sure you know what you're dealing with before taking additional recovery steps.

  • Extortion

    — Once files are encrypted, the victim is notified of a ransom demand to receive decryption keys. Ransom demands typically use threatening language and social engineering to encourage victims to make a payment quickly.

    If the ransom deadline isn't met, attackers often double down by threatening to delete the data or publish what they stole before encrypting it (so-called double extortion), adding another blackmail layer to the attack.

  • Recovery

    — Should you pay the ransom to receive the decryption keys or hold out in the hope of a better solution? Paying guarantees neither a working decryptor nor that you won't be hit again, so the better long-term answer is to reduce your vulnerabilities and entry points before an attack happens.

    According to a 2021 study, 34% of organizations pay to get their data back, but only 65% of them actually recover it.
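The key exchange and encryption steps above, shown in code. This is an added example written for this article, not code from the article's author or from any real ransomware family; it works on an in-memory byte string, never touches a file, and the key sizes and the AES-GCM choice are assumptions. What it demonstrates is why the victim cannot recover the key: the host only ever needs the attacker's public key, so the wrapped key left behind is useless without the attacker's private key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Constructed demonstration added to this article (not code from its author or
// from any real ransomware family); it never touches a filesystem. It models the
// hybrid scheme behind the "key exchange" and "encryption" steps: a fresh AES key
// per victim encrypts the data; the attacker's RSA public key wraps that key.

// VictimArtifacts is everything that remains on the infected host afterwards.
type VictimArtifacts struct {
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // encrypted data plus authentication tag
	WrappedKey []byte // per-victim AES key, RSA-OAEP encrypted to the attacker
}

// newGCM builds an AES-GCM instance from a raw 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptVictimData is the host side of the exchange. It needs only the
// attacker's PUBLIC key, which is why nothing left on the host can undo it.
func encryptVictimData(attackerPub *rsa.PublicKey, data []byte) (*VictimArtifacts, error) {
	fileKey := make([]byte, 32) // fresh 256-bit key for this victim
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // wipe the plaintext key; only the wrapped copy survives
		fileKey[i] = 0
	}
	return &VictimArtifacts{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// unwrapKey is what the attacker's "decryptor" does: it needs the PRIVATE key.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// decryptVictimData recovers the data once the per-victim key is known.
func decryptVictimData(fileKey []byte, a *VictimArtifacts) ([]byte, error) {
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, a.Nonce, a.Ciphertext, nil)
}

// runDemo runs the exchange on constructed data and reports whether it came back
// (a) with the attacker's private key and (b) with an unrelated RSA key pair.
func runDemo() (withAttackerKey bool, withOtherKey bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	plaintext := []byte("Q3 payroll spreadsheet (constructed sample data)")
	art, err := encryptVictimData(&attacker.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	key, err := unwrapKey(attacker, art.WrappedKey) // attacker side
	if err != nil {
		return false, false, err
	}
	got, err := decryptVictimData(key, art)
	withAttackerKey = err == nil && bytes.Equal(got, plaintext)
	other, err := rsa.GenerateKey(rand.Reader, 2048) // any other key pair, e.g. a defender's
	if err != nil {
		return false, false, err
	}
	_, unwrapErr := unwrapKey(other, art.WrappedKey) // fails: wrong private key
	withOtherKey = unwrapErr == nil
	return withAttackerKey, withOtherKey, nil
}
```

runDemo returns true for the attacker's key pair and false for any other. The same property is why restoring from backups, not forensics on the infected machine, is the realistic recovery path when the cryptography is implemented correctly.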

Learn more: Detailed Explanation of How Ransomware Works

How Ransomware Spreads

There are many ways ransomware can enter and spread through your network. These are the most common:

  • Phishing Attacks

  • Remote Desktop Protocol (RDP)

  • MSPs and RMMs

  • Bad Ads

  • Network Propagation

  • Pirated Software

  • Portable Computers and USB Drives

  • Zero-Day/Unpatched Vulnerabilities

  • Public WiFi

  • Pay-For-Install Attacks

  • Network Scanning

  • Drive-By Downloads

To learn more about each of them, check our comprehensive blog.

Types of Ransomware

  • Crypto ransomware

    is the most common and most damaging type. It encrypts the files on a system so they can't be read without the decryption key.

  • Locker ransomware, as the name suggests, locks you out of the operating system or the screen so you can't use the device at all. The files underneath are usually not encrypted, which makes this type easier to recover from.

  • Scareware

    is fake security software that claims to have found a virus on your computer and asks you to pay to remove it. Usually nothing has actually been encrypted.

  • Doxware

    or leakware threatens to publish stolen sensitive data if the ransom is not paid. Modern groups commonly combine it with encryption, so the pressure applies even when you have good backups.

7 Basics of Ransomware Prevention

Here are seven things you can do to reduce the risk of ransomware attacks on your business.

  1. Maintain Up-to-Date Backups

Running regular backups is a cybersecurity best practice. Run full backups automatically at set intervals, and test restores regularly: a backup you have never restored from is an assumption, not a plan. While backups won't prevent ransomware attacks, they can mitigate losses after one occurs.

Pro tip: Keep at least one copy offsite and offline (or on immutable storage).

If your backups are reachable from the network with the same credentials as production, they are just another target: ransomware operators routinely find and encrypt or delete backups before triggering encryption. A copy that is offline, on write-once storage, or in a separate account the compromised domain cannot reach is what gets you back up without paying.

  2. Educate Your Users

The importance of employee awareness training, accountability, and testing cannot be overstated. Training employees to recognize phishing and malware is a continual process, covering existing and emerging threats.

With the increasing complexity and frequency of cyberattacks, employees must constantly be on the lookout for hacking and phishing attempts.

Phishing simulations provide real-life examples that keep cybersecurity top of mind and should be performed regularly for best results.

Here are a few best practices employees should keep top of mind:

  • Avoid suspicious links, attachments, or downloads

    from unknown websites, social networks, instant messaging platforms, or email messages. If it looks sick, don't click! It only takes one click to begin a ransomware download. Hovering over a questionable link shows the real URL before you click. Train users to pay close attention to senders' names and check that email addresses are correct. If you're unsure whether a link is legitimate, contact the sender directly through a new message or phone call, never through a reply.

  • Avoid errors: If it looks fishy, it’s probably phishy.

    Not all cybercriminals are Pulitzer Prize-level writers. Obvious typos and egregious spelling or grammatical errors are often clues to suspicious intent, although well-funded groups produce polished lures, so a clean email is not proof of legitimacy.

  • Avoid replying to requests for personal information

    from unknown or untrusted sources. Experienced cybercriminals skillfully practice social engineering techniques to collect information that builds trust and is then used against their victims to get them to comply.

  • Avoid random USB sticks.

    We know USB stands for “universal serial bus,” but train your employees to think “unknown, sneaky, and bogus” instead. Connecting a USB stick from an unknown source is asking for trouble. Never plug in a USB stick given to you by a stranger or, worse yet, one you’ve found in a public place. Better safe than sorry, always.

  3. Perform Regular Patch Management

Patch management is a cybersecurity best practice that solves several issues at once. Patches deliver the latest platform features and upgrades as well as the most recent security fixes.

Attackers are well-versed in security vulnerabilities and exploit known weaknesses in unpatched software to get into networks, operating systems, browsers, and even security tools without needing a phishing email at all. Prioritize internet-facing systems (VPN appliances, remote access gateways, mail servers, file transfer services), since those are what opportunistic scanners find first.

  4. Maintain System Security Measures

Here are three specific system security measures you should perform to make your business resistant to ransomware threats:

  • Install Antivirus Software

    Antivirus and endpoint detection and response (EDR) software blocks known ransomware families by signature and can flag the behavior of unknown ones, such as one process rewriting large numbers of files in a short time. It is a strong layer, not a complete defense: attackers test their payloads against common products and frequently try to disable endpoint protection before deploying. Web filtering in these tools can also keep employees off dangerous websites, another step in stopping ransomware infiltration.

  • Keep Firewalls Active and Properly Configured

    Firewalls protect your systems by identifying, analyzing, and restricting network traffic. Two rules matter most for ransomware: never expose Remote Desktop (TCP 3389) or SMB file sharing (TCP 445) directly to the internet, and restrict outbound traffic so a compromised host can't freely reach attacker infrastructure. Keep firewall firmware and rule sets up to date.

  • Create Network Segmentations

    Protect Tier 1 critical systems, databases, backups, and executive personnel by placing them in their own network segments with a gateway between segments. Segmentation limits lateral movement, so a single infected workstation can't reach every server and endpoint on the network.
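One way the behavioral detection mentioned under antivirus software works, as an added example written for this article (not code from its author or from any vendor's product). It encodes the encryption step's most visible side effect as a rule over constructed file events: a single process giving many files in several folders an extension nobody uses, inside a short window, with a ransom note dropped alongside. The thresholds, the note filenames and the sample paths are assumptions; a real product tunes them per environment and also watches for deletion of shadow copies and tampering with the security agent itself.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"time"
)

// Constructed example added to this article (not code from its author or from
// any vendor product): a behavioural rule of the kind endpoint protection uses
// against the encryption step instead of a file signature. It flags a process
// that, within a short window, gives many files in several folders an extension
// nobody normally uses. Thresholds, note names and sample paths are assumptions.

// FileEvent is one file write or rename seen by an endpoint sensor (constructed;
// forward slashes are used even for the Windows-style sample paths).
type FileEvent struct {
	At   time.Time
	PID  string
	Path string
}

// Alert is one process whose activity matched the rule.
type Alert struct {
	PID, Ext    string
	Files, Dirs int
	Note        bool // a ransom-note filename was written as well
}

const (
	window   = 30 * time.Second // span of the process's activity (assumed)
	minFiles = 20               // files given the same unusual extension (assumed)
	minDirs  = 3                // distinct folders touched (assumed)
)

var (
	noteNames = map[string]bool{"README.txt": true, "HOW_TO_RECOVER.txt": true}
	commonExt = map[string]bool{".docx": true, ".xlsx": true, ".pdf": true, ".txt": true, ".jpg": true}
)

// detectMassEncryption groups events by process and applies the rule.
func detectMassEncryption(events []FileEvent) []Alert {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	byPID := map[string][]FileEvent{}
	for _, e := range events {
		byPID[e.PID] = append(byPID[e.PID], e)
	}
	var alerts []Alert
	for p, evs := range byPID {
		if evs[len(evs)-1].At.Sub(evs[0].At) > window {
			continue // simplification: a real product slides the window over time
		}
		files := map[string]int{}            // new extension -> file count
		dirs := map[string]map[string]bool{} // new extension -> folders touched
		note := false
		for _, e := range evs {
			ext := path.Ext(e.Path)
			if noteNames[path.Base(e.Path)] {
				note = true
			} else if !commonExt[ext] { // ordinary document types are not counted
				files[ext]++
				if dirs[ext] == nil {
					dirs[ext] = map[string]bool{}
				}
				dirs[ext][path.Dir(e.Path)] = true
			}
		}
		for ext, n := range files {
			if n >= minFiles && len(dirs[ext]) >= minDirs {
				alerts = append(alerts, Alert{PID: p, Ext: ext, Files: n, Dirs: len(dirs[ext]), Note: note})
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].PID < alerts[j].PID }) // deterministic order
	return alerts
}

// sampleEvents builds the constructed input: a user saving five documents over a
// minute, and one process renaming 24 files in four share folders to ".lockd" in ten seconds.
func sampleEvents() []FileEvent {
	base := time.Date(2023, 5, 4, 9, 15, 0, 0, time.UTC)
	var evs []FileEvent
	for i := 0; i < 5; i++ {
		evs = append(evs, FileEvent{base.Add(time.Duration(i) * 12 * time.Second), "4100",
			fmt.Sprintf("C:/Users/alice/Documents/report%d.docx", i)})
	}
	shares := []string{"C:/Shares/Finance", "C:/Shares/HR", "C:/Shares/Legal", "C:/Shares/Eng"}
	for i := 0; i < 24; i++ {
		evs = append(evs, FileEvent{base.Add(time.Duration(i) * 400 * time.Millisecond), "7732",
			fmt.Sprintf("%s/file%d.xlsx.lockd", shares[i%4], i)})
	}
	return append(evs, FileEvent{base.Add(10 * time.Second), "7732", "C:/Shares/Finance/README.txt"})
}

// analyzeSample runs the rule over the constructed events.
func analyzeSample() []Alert {
	return detectMassEncryption(sampleEvents())
}
```

The benign process in the sample (a user saving documents) produces no alert: its files keep an ordinary extension and its activity is spread over longer than the window. The rule is deliberately independent of the malware binary, which is what lets it catch a family no signature exists for yet.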

  5. Create Strong Usage Policies

Enforcing strong usage policies protects your business from cyberattacks.

  • Password Policies

    One of the easiest and most often overlooked ways to protect against ransomware is to create and enforce strong password policies. Many businesses don't take password security seriously, allowing users to share passwords and ignoring complexity guidelines, password managers, or generated passwords.

    If your password policy is out of date (or nonexistent), take the time to establish guidelines on using strong, unique passwords, and require multi-factor authentication on remote access (VPN, RDP, email) and on administrative accounts; stolen or reused credentials are one of the most common ways ransomware operators get in.

    Pro tip:

    Change manufacturers' default passwords on all network equipment. Default credentials are an easy way for even unsophisticated attackers to infiltrate your systems.

  • Software Restriction Policies

    Don't allow applications that could introduce risk into your network. Software restriction policies or application allowlists let you designate which software may run, so an unexpected executable dropped by a phishing attachment is blocked even before antivirus has a signature for it.

  • BYOD and MDM Policies

    Bring-your-own-device (BYOD) scenarios, while saving companies on capital expenditures, have created a myriad of security risks for businesses. BYOD and mobile device management (MDM) policies establish rules for how personal and mobile devices are secured and used within your company. Without strict BYOD/MDM policies, you open your sensitive data up to cybersecurity dangers, theft, and corporate espionage.

    BYOD and MDM policies apply to mobile devices, including smartphones, notebooks, laptops, tablets, and portable media devices. They can also govern employee usage of public WiFi networks. Public WiFi can make computers vulnerable to attack; therefore, employees should use VPN services when conducting sensitive business transactions in public spaces.

  6. Limit Access to Privileged Information

Giving unlimited access to your network and sensitive data is like having doors with no locks and then leaving them wide open. The "principle of least privilege" (PoLP) gives users access to the data they need to see, edit, or download, and no more. Apply the same rule to service accounts and administrators: ransomware runs with the privileges of the account it compromises, and a domain administrator who reads email from that same account hands the attacker the whole network. Make sure you also revoke former employees' credentials, access, and privileges.

  7. Have an Incident Response Plan

Taking preventive measures so an attack never succeeds is always the best course of action. But how do you know where your preparedness stands?

Read more about how to create a ransomware incident response plan, including the seven steps that each plan should have. These steps will help you assess the preparedness of your organization and plan an appropriate ransomware response, setting the right people, processes, and technologies in place for when an attack happens.

Ransomware Recovery in 3 Steps

You’ve fallen victim to a ransomware attack. Now what?

You didn’t think it could happen to you, but it did. First, stay calm. Putting the following steps into action immediately will increase your chances of a successful post-ransomware recovery.


  1. Isolate and Clean Infected Devices

Disconnect infected devices from the network (not just the internet: unplug the cable or disable Wi-Fi, and disconnect shared drives), but don't wipe them yet; if you may want a forensic investigation, preserve a disk image and memory first. Identify the ransomware family from the ransom note and the encrypted-file extension, since a few families have cryptographic flaws for which free decryptors exist (the No More Ransom project maintains a list). Then remove the malware with anti-malware tooling. Note: Removing the malware won't decrypt your files, but it protects the rest of your network from further damage. Otherwise, files encrypted with correctly implemented cryptography cannot be recovered without the key, which only the attacker holds.


  2. Report the Attack

Report the crime to your local police department or the closest FBI office (in the US, the FBI's Internet Crime Complaint Center, IC3, takes reports online). While law enforcement may not be able to decrypt your data or find the perpetrator, filing a report heightens awareness and may help others avoid similar attacks. Most law enforcement agencies discourage paying ransomware attackers.


  3. Restore From Backups

If you need more encouragement to maintain regular backup procedures, this is it! While you may (or may not) regain access to your encrypted data, restoring from your own backups is the most reliable way to return the business to normal. Restore onto cleaned or rebuilt systems, and check that the backup predates the intrusion: attackers often spend days or weeks inside a network before encrypting, and a backup taken in that window may contain their tools or already-encrypted files.
