Ransomware Explained

What is Ransomware? How does it work? What should IT managers in SMBs be doing to prevent these attacks from affecting them?

Last updated on Aug 11, 2025. 6 minutes to read.
Technical review by Laura Iannini

Ransomware is one of the most insidious forms of cybercrime. It is also one of the most widely discussed, simply because it is so widespread. But the conversation about the effects of ransomware often skips over what you can actually do to stop it.

In this article, we’ll break down what ransomware is, the way it works, and the things that IT managers in SMBs should be doing to protect their organization. Ransomware isn’t just something you need to know about. It’s something you need to plan for.

This attack is hitting organizations of all sizes, from small businesses to government networks, with devastating consequences. As if losing access to your data wasn’t enough, you also have to deal with the ransom demand and the reputational fallout if that data is leaked.

Sounds like a nightmare, right? Well, industry estimates have put the rate at one attack every 14 seconds somewhere in the world. Read on as we unpack what ransomware is, why it’s so dangerous, and how you can protect your organization.

Listen To This Article

This article was originally released as a podcast episode, allowing you to listen to Expert Insights wherever you are, whatever you’re doing.

You can listen to this article here, as well as several others in this Explainer series.

Ransomware: Everything You Need To Know by Expert Insights Podcast

What Is Ransomware?

Let’s start with the basics. Ransomware is a type of malware that, once it infects a device, encrypts your files so that they are inaccessible without a key only the attacker holds. The attacker then demands a ransom, usually in cryptocurrency such as Bitcoin, which is hard to attribute to a real person, to restore your data. If you don’t pay, your files may stay locked forever or, worse, the copies the attacker took beforehand may be leaked to the public. It’s digital blackmail, plain and simple.

What makes ransomware so harmful is its speed and scale. Within minutes it can lock up a device, spread to mapped drives and networked systems, and cripple an entire estate. In 2021 there were around 500 million reported ransomware attacks globally. The average cost of a ransomware attack in 2024 was $5.13M, and that figure cannot account for ransom payments that were made but never reported.

Is this a figure that your organization could manage?

What’s The Law On Paying A Ransom? 

You might have heard reports that paying ransomware is illegal or isn’t advised by security authorities. So, let’s clear that up. But first, it’s worth bearing in mind that this article is not written by lawyers, and we don’t know the specifics of your organization. 

In the UK and the US, it is currently legal to pay a ransom demand. However, you can run into difficulty if the money ends up financing terrorism or reaches sanctioned individuals or groups. In the US, for example, OFAC has warned that payments to sanctioned entities can breach sanctions regulations even if you did not know who you were paying. This is very difficult to prepare for or account for, because you rarely know who is really behind the attack.

We may see moves in the near future to make it illegal for public sector organizations to pay ransoms. The argument is that, rather than making these organizations more vulnerable, a ban tells attackers there is zero chance of getting money from them, so they will not waste resources attacking them.

One final thing to bear in mind: criminals cannot be trusted to keep their word. There is no guarantee that they will unlock your systems, hand over a decryptor that actually works, or delete the data they stole once you pay.

What Does It Look Like?

So, if your organization is the victim of a ransom attack, there are several ways that you might notice.

You might first find that your systems aren’t accessible. This could be the malware at work on your systems. Equally, it could be the symptom of a different attack: a DDoS attack, for example, can make services unreachable without anything being encrypted. You’ll know it’s a ransomware attack when the ransom demand arrives.

This could be a desktop popup, an email, or a post online, warning you of what’s taken place. The attacker will usually explain that they’ve breached your system and demand payment before they restore your access. They may give you a time frame to act, and they may release a portion of the stolen data to prove that they mean business. 

While having personal data shared is a problem in itself, it does help you confirm that the breach is genuine. Attackers also send speculative emails claiming to have breached an organization when they have not, so insist on proof before you act on a demand.

Whatever the first signs are, it is in the attacker’s interest to make you aware of the breach and what they want from you. What is usually far less clear is when the breach actually happened: by the time the note appears, the attacker may have been inside the network for days or weeks.

How Does Ransomware Work?

So, how does ransomware get into systems? It often starts with human error. The most common entry point is phishing email: attackers disguise malicious attachments or links as legitimate, tricking users into running malware. Another method is the “Trojan horse” approach, where ransomware hides inside seemingly harmless software downloaded from the internet. Exposed remote-access services with weak or stolen credentials are another common way in.

Once installed, ransomware moves fast. Within minutes it can encrypt a user’s files and rename them, so that they can no longer be opened. It commonly deletes shadow copies and local backups first, so they can’t be used for recovery, and then spreads to connected drives, USB devices, and networked shares. Many operations also copy data out of the network before encrypting it, so that a leak can be threatened as well.

After this, a ransom note appears, demanding payment and often showing a countdown timer to ramp up the pressure. Some related scams, such as scareware, simply flood your screen with pop-ups, while genuine ransomware operations threaten to leak the sensitive data they took.

Payments are typically demanded in Bitcoin because it is hard to tie a wallet to a person, and attackers exploit panic to maximize payouts. Some analysts have predicted the total cost of ransomware reaching $57bn in 2025, with the highest single known ransom payment being $75m, paid by a Fortune 50 company to the Dark Angels gang.
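The behaviours described above (shadow copies deleted, files renamed in bulk, a note dropped everywhere) are exactly what endpoint defenders alert on. The following is an added example, not code from the article or from any product it mentions: a small behavioural detector run over constructed file-activity events. The event format, process names, thresholds and sample telemetry are all assumptions chosen for illustration; real EDR telemetry differs, but the four rules are the standard ones.

```python
"""Behavioural ransomware detection over constructed file-activity events.

Added example (not from the article). Event format, process names and
thresholds are assumptions; real EDR telemetry looks different, but these
are the behaviours defenders actually alert on:
  1. deletion of Volume Shadow Copies (destroys local recovery points)
  2. a burst of file renames by one process in a short window
  3. many files gaining the same previously unseen extension
  4. the same ransom-note-like filename written into many directories
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

SHADOW_KILL = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|"
    r"bcdedit.*recoveryenabled\s+no", re.I)
NOTE_NAME = re.compile(r"readme|restore|decrypt|recover|how_to", re.I)


def _ext(path):
    """Extension of the last path component, lower-cased ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events, window=timedelta(seconds=30), burst=20, note_dirs=3):
    """events: iterable of (timestamp, host, process, action, detail).
    action is 'write' (detail=path), 'rename' (detail='src -> dst') or
    'exec' (detail=command line). Returns [(rule, host, process, info)]."""
    alerts, fired = [], set()
    renames = defaultdict(deque)                       # (host,proc) -> timestamps
    ext_hits = defaultdict(lambda: defaultdict(set))   # (host,proc) -> ext -> dst paths
    notes = defaultdict(lambda: defaultdict(set))      # (host,proc) -> note -> dirs

    def fire(rule, key, host, proc, info):             # one alert per rule/key
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, host, proc, info))

    for ts, host, proc, action, detail in sorted(events, key=lambda e: e[0]):
        key = (host, proc)
        if action == "exec" and SHADOW_KILL.search(detail):
            fire("shadow_copy_deletion", (key, detail), host, proc, detail)
        elif action == "rename" and " -> " in detail:
            src, dst = detail.split(" -> ", 1)
            q = renames[key]
            q.append(ts)
            while ts - q[0] > window:                  # sliding window
                q.popleft()
            if len(q) >= burst:
                fire("rename_burst", key, host, proc,
                     f"{len(q)} renames within {window.seconds}s")
            new = _ext(dst)
            if new and new != _ext(src):
                ext_hits[key][new].add(dst)
                if len(ext_hits[key][new]) >= burst:
                    fire("extension_churn", (key, new), host, proc,
                         f"{burst}+ files renamed to .{new}")
        elif action == "write":
            folder, _, name = detail.rpartition("\\")
            if NOTE_NAME.search(name):
                dirs = notes[key][name.lower()]
                dirs.add(folder)
                if len(dirs) >= note_dirs:
                    fire("ransom_note_drop", (key, name.lower()), host, proc,
                         f"{name} written to {len(dirs)} directories")
    return alerts


def constructed_events():
    """Constructed sample telemetry for one workstation (not real logs)."""
    t0 = datetime(2025, 8, 11, 9, 0, 0)
    ev = [
        (t0, "ws01", "winword.exe", "write", r"C:\Users\amy\Documents\q3-report.docx"),
        (t0 + timedelta(seconds=5), "ws01", "explorer.exe", "rename",
         r"C:\Users\amy\Documents\old.txt -> C:\Users\amy\Documents\older.txt"),
        (t0 + timedelta(minutes=12), "ws01", "upd.exe", "exec",
         "vssadmin.exe delete shadows /all /quiet"),
    ]
    t = t0 + timedelta(minutes=12, seconds=1)
    for i in range(30):                       # one renamed file every 100 ms
        folder = rf"C:\Users\amy\Documents\proj{i % 5}"
        ev.append((t, "ws01", "upd.exe", "rename",
                   rf"{folder}\file{i}.xlsx -> {folder}\file{i}.xlsx.locked"))
        if i < 5:                             # a note dropped in each folder
            ev.append((t, "ws01", "upd.exe", "write", rf"{folder}\HOW_TO_RESTORE.txt"))
        t += timedelta(milliseconds=100)
    return ev


if __name__ == "__main__":
    for rule, host, proc, info in detect(constructed_events()):
        print(f"{host} {proc}: {rule} ({info})")
```

Ordinary user activity (Word saving a document, a single rename in Explorer) raises nothing, while the encrypting process trips every rule in order: the shadow-copy deletion first, then the notes, then the rename burst and the new `.locked` extension. In practice you would feed this from your EDR or file-server audit logs and wire the first alert to an automatic host isolation, since the burst is over long before a human reads a ticket.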


How To Stop Ransomware

So, let’s take a step back in time. Before your organization was hit by this attack, what would have been helpful to have in place? What tools and policies can you start using now to decrease your chances of being hit, and to limit the damage if you are?

Here are six essential strategies:

First, invest in strong endpoint security. Anti-virus and endpoint detection and response (EDR) tools block known malware before it runs, spot the behaviours ransomware can’t avoid (mass file renames, shadow copy deletion), and alert admins. They’re not foolproof, but they’re critical.

Second, secure your email. Email gateways filter out malicious attachments and links, while post-delivery protection uses AI to flag suspicious emails. Since phishing is ransomware’s main delivery method, this is non-negotiable.

Third, and linked to securing your email: prioritize security awareness training. Teach employees to spot phishing emails and to follow best practices, like keeping software updated. Phishing simulations test their skills and identify who needs more training.

Fourth, use web filtering and isolation. DNS filters block dangerous websites and downloads, including trojanized installers. Isolation tech runs risky web activity in an isolated remote environment, keeping threats away from the user’s device without disrupting their experience.

Fifth, back up your data. Store it in multiple places: local disks, main storage, and cloud services, with at least one copy offline or immutable so that an attacker who has taken over your network cannot encrypt or delete it too. If ransomware strikes, backups let you restore files without paying. Choose cloud solutions that integrate easily and offer quick recovery, and test a restore regularly rather than assuming it will work. It’s also important that backups are scanned for malware and checked for integrity before you rely on them. We’ve heard of cases where an attack happens, the organization refuses to pay and restores an older backup, only to discover that the malware was already present in that backup.

Finally, talk about it. Take the time within your organization to talk about the risks and talk about your playbook. The attackers will want you to feel stressed and under pressure to make rash decisions. If you’ve taken the time to think about the risks already, if an attack does happen, you can act straight away. Not only does this improve response times, it ensures that the decisions you make are strategic, rather than panicked.
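The backup advice above turns on one question: can you trust the copy you are about to restore? The following is an added example, not tooling from the article or from any vendor it mentions: it records a SHA-256 manifest when a backup is taken, then checks a restore candidate against it and flags files whose byte entropy is close to random, which is what an encrypted-in-place file looks like. The file names, contents, the `.locked` extension and the keystream used to simulate the attacker are all constructed for the demonstration.

```python
"""Backup integrity check: added example, not the article's own tooling.

Builds a SHA-256 manifest at backup time, then verifies a restore candidate
against it. Files whose Shannon entropy approaches 8 bits/byte are flagged:
plaintext office data sits well below that, encrypted blobs do not.
All paths, contents and the simulated attacker are constructed.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption, plaintext is usually < 6


def shannon_entropy(data):
    """Bits per byte; 8.0 is indistinguishable from random (i.e. encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _walk(root):
    """Yield (relative path with '/', absolute path) for every file."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def build_manifest(root):
    """Hash and size of every file at backup time. Keep the manifest somewhere
    the backup share cannot write to: it is the trust anchor for verify()."""
    return {rel: {"sha256": hashlib.sha256(_read(full)).hexdigest(),
                  "size": os.path.getsize(full)} for rel, full in _walk(root)}


def verify(root, manifest, threshold=ENTROPY_THRESHOLD):
    """Compare a restore candidate against the manifest; ok only if clean."""
    report = {"modified": [], "missing": [], "unexpected": [], "suspicious": []}
    seen = set()
    for rel, full in _walk(root):
        seen.add(rel)
        data = _read(full)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif hashlib.sha256(data).hexdigest() != manifest[rel]["sha256"]:
            report["modified"].append(rel)
        if shannon_entropy(data) > threshold:
            report["suspicious"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["ok"] = not any(report[k] for k in ("modified", "missing",
                                               "unexpected", "suspicious"))
    return report


def _keystream(key, n):
    """Deterministic pseudo-random bytes (SHA-256 in counter mode) so the demo
    is reproducible; stands in for the attacker's cipher output."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def simulate_ransomware(root, victim_rel):
    """Constructed attacker: encrypt one backed-up file, rename it, drop a note."""
    src = os.path.join(root, victim_rel)
    data = _read(src)
    ks = _keystream(b"demo-key", len(data))
    with open(src + ".locked", "wb") as f:
        f.write(bytes(a ^ b for a, b in zip(data, ks)))
    os.remove(src)
    with open(os.path.join(os.path.dirname(src), "HOW_TO_RESTORE.txt"), "w") as f:
        f.write("Your files are encrypted. Pay to get them back.\n")


def demo():
    """Constructed backup set; returns (report before, report after) tampering."""
    files = {
        "finance/q3.csv": "date,account,amount\n2025-07-01,4010,1250.00\n" * 400,
        "hr/policy.txt": "Acceptable use policy. Do not share credentials.\n" * 200,
        "it/runbook.md": "# Restore runbook\n1. Verify the manifest first.\n" * 150,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)
        manifest = build_manifest(root)
        before = verify(root, manifest)
        simulate_ransomware(root, "finance/q3.csv")
        after = verify(root, manifest)
    return before, after


if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

The clean backup verifies with an empty report; after the simulated attack the original file is missing, a `.locked` file with near-random content appears as both unexpected and suspicious, and the ransom note shows up as unexpected. A hash manifest only helps if the attacker cannot rewrite it along with the data, which is why it belongs on the offline or immutable copy, and entropy is a heuristic: legitimately compressed or encrypted archives also score high, so treat a hit as something to investigate, not proof.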

These steps aren’t cheap or simple, but they’re far less costly than a ransomware attack. Start small, but start now.

Conclusion

Ransomware is a growing threat, but it’s not unbeatable. By understanding how it works and investing in strong defenses, endpoint security, email protection, web filtering, training, tested backups, and a response plan you have rehearsed, you can protect your organization. Don’t wait until you’re a victim.

Written By
Alex Zawalnyski, Journalist & Content Editor

Alex is an experienced journalist and content editor. He researches, writes, factchecks and edits articles relating to B2B cyber security and technology solutions, working alongside software experts.

Alex was awarded a First Class MA (Hons) in English and Scottish Literature by the University of Edinburgh.

Technical Review
Laura Iannini, Cybersecurity Analyst

Laura Iannini is a Cybersecurity Analyst at Expert Insights. With deep cybersecurity knowledge and strong research skills, she leads Expert Insights’ product testing team, conducting thorough tests of product features and in-depth industry analysis to ensure that Expert Insights’ product reviews are definitive and insightful.

Laura also carries out wider analysis of vendor landscapes and industry trends to inform Expert Insights’ enterprise cybersecurity buyers’ guides, covering topics such as security awareness training, cloud backup and recovery, email security, and network monitoring. Prior to working at Expert Insights, Laura worked as a Senior Information Security Engineer at Constant Edge, where she tested cybersecurity solutions, carried out product demos, and provided high-quality ongoing technical support.

Laura holds a Bachelor’s degree in Cybersecurity from the University of West Florida.