What Is Ransomware?
Last updated: February 2026 · 15 min read
Ransomware is a category of malicious software (malware) designed to deny access to a computer system or data until a sum of money, a “ransom,” is paid. It is widely regarded as one of the most significant cybersecurity threats facing organisations and individuals worldwide.
Unlike other forms of malware that aim to steal data silently, ransomware makes its presence known immediately. Victims typically see a ransom note displayed on their screen, informing them that their files have been encrypted and demanding payment, usually in cryptocurrency, in exchange for a decryption key.
How Does Ransomware Work?
A typical ransomware attack follows a predictable sequence, though the sophistication of each step varies greatly between opportunistic and targeted campaigns:
- Initial access: The attacker gains a foothold in the victim's network. Common methods include phishing emails with malicious attachments, exploiting unpatched software vulnerabilities, compromising Remote Desktop Protocol (RDP) credentials, or leveraging supply-chain weaknesses.
- Lateral movement: Once inside, the attacker moves through the network, escalating privileges and identifying valuable systems and data stores. This phase can last days or even weeks in targeted attacks.
- Data exfiltration (optional): In “double extortion” attacks, the attacker copies sensitive data before encryption, giving them additional leverage.
- Encryption: The ransomware payload is deployed, encrypting files across endpoints, servers, and sometimes backups. Modern strains use strong asymmetric encryption (e.g., RSA-2048) that is practically impossible to break without the key.
- Ransom demand: A ransom note is displayed, typically providing instructions for payment via Bitcoin or Monero, a deadline, and sometimes threats to publish exfiltrated data.
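The encryption step is the stage of this sequence that a defender can most readily spot in endpoint or file-server telemetry: one process rewriting or renaming a large number of files in a short window, those files gaining an unfamiliar extension, and a ransom-note file appearing alongside them. The following Python script is an added example written for this article, not code from the article itself or from any vendor product. It runs a few simple heuristics over a constructed file-activity log (the `<epoch> <process> <ACTION> <path>` format, the process names, the thresholds and the `.locked` extension are all assumptions made up for the example) and adds a byte-entropy check that can be used to triage whether a rewritten file's contents now look like ciphertext.

```python
"""Heuristic detection of the ransomware encryption phase (added example).

Scans file-activity events in a hypothetical log format
    '<epoch seconds> <process> <ACTION> <path>'
and flags processes that (a) write/rename many files within a short window,
(b) give most of the touched files an unfamiliar extension, or
(c) create a file whose name looks like a ransom note.
"""
import math
import os
import re
from collections import defaultdict

# Thresholds are assumptions chosen for this example, not values from the article.
WINDOW_SECONDS = 60      # sliding window for the burst check
BURST_THRESHOLD = 20     # writes/renames by one process inside the window
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".csv", ".pptx"}
RANSOM_NOTE_RE = re.compile(r"(readme|how.?to|recover|decrypt|restore)", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """True when a file body is as random as ciphertext; useful when triaging rewritten files."""
    return shannon_entropy(data) >= threshold


def parse_event(line: str):
    """Split one log line of the hypothetical format into (epoch, process, ACTION, path)."""
    ts, proc, action, path = line.split(maxsplit=3)
    return int(ts), proc, action.upper(), path


def analyse(lines):
    """Return {process: [reasons]} for processes whose file activity resembles mass encryption."""
    writes = defaultdict(list)   # process -> [(epoch, path), ...]
    reasons = defaultdict(list)
    for line in lines:
        ts, proc, action, path = parse_event(line)
        if action == "CREATE" and RANSOM_NOTE_RE.search(os.path.basename(path)):
            reasons[proc].append(f"ransom-note-like file created: {path}")
        elif action in ("WRITE", "RENAME"):
            writes[proc].append((ts, path))

    for proc, events in writes.items():
        events.sort()
        # Burst check: does any WINDOW_SECONDS span contain BURST_THRESHOLD events?
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                reasons[proc].append(
                    f"{end - start + 1} file writes/renames within {WINDOW_SECONDS}s")
                break
        # Extension check: most touched files now carry an extension we do not recognise.
        exts = [os.path.splitext(p)[1].lower() for _, p in events]
        unknown = [e for e in exts if e and e not in KNOWN_EXTENSIONS]
        if len(events) >= 10 and len(unknown) / len(events) >= 0.8:
            reasons[proc].append(
                f"unfamiliar extension on {len(unknown)} of {len(events)} files: "
                + ", ".join(sorted(set(unknown))))
    return dict(reasons)


# Constructed sample log: two benign processes plus one that renames 25 documents to
# '.locked' within 25 seconds and then drops a note. All names and paths are made up.
SAMPLE_EVENTS = (
    ["1700000000 winword.exe WRITE /share/finance/report.docx",
     "1700000005 winword.exe WRITE /share/finance/q3.docx",
     "1700000009 backup_agent WRITE /share/hr/staff.xlsx"]
    + [f"{1700000100 + i} unknown_proc.exe RENAME /share/finance/doc{i}.docx.locked"
       for i in range(25)]
    + ["1700000126 unknown_proc.exe CREATE /share/finance/README_RECOVER_FILES.txt"]
)

if __name__ == "__main__":
    for proc, why in analyse(SAMPLE_EVENTS).items():
        print(proc)
        for reason in why:
            print("  -", reason)
    print("plain text looks encrypted:", looks_encrypted(b"quarterly notes " * 50))
    print("uniform bytes look encrypted:", looks_encrypted(bytes(range(256))))
```

Only `unknown_proc.exe` trips the heuristics here; the two benign processes touch too few files to matter. In a real deployment the thresholds need tuning against normal activity (backup agents and build systems also rewrite many files quickly), which is why the burst rule is combined with the extension and ransom-note rules rather than used alone.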
Why Is Ransomware So Effective?
Several factors contribute to the persistent success of ransomware as a criminal enterprise:
- Cryptocurrency enables anonymous payments. Unlike traditional wire transfers, Bitcoin and Monero make it extremely difficult to trace ransom payments back to the criminals.
- Strong encryption is unbreakable without the key. The same cryptographic algorithms that protect legitimate communications also make ransomware encryption virtually impossible to undo without the attacker's key.
- Many organisations pay. According to the 2025 Sophos State of Ransomware report, roughly 46% of organisations affected by ransomware chose to pay the ransom, validating the criminal business model.
- Low risk for attackers. Operating from jurisdictions with limited international law-enforcement cooperation, many ransomware groups face minimal risk of prosecution.
- Ransomware-as-a-Service (RaaS) platforms allow even technically unsophisticated criminals to launch attacks using pre-built tools and infrastructure provided by experienced developers.
Who Is Targeted?
Ransomware attacks are not limited to large enterprises. While high-profile incidents involving hospitals, government agencies, and multinational corporations dominate headlines, the reality is that small and medium-sized businesses (SMBs) are disproportionately affected.
Common targets include:
- Healthcare providers — hospitals, clinics, and pharmaceutical companies
- Educational institutions — schools, universities, and research facilities
- Local and national government bodies
- Financial services — banks, insurance companies, and fintech firms
- Manufacturing and critical infrastructure
- Small businesses — often with limited IT budgets and no dedicated security team
The Cost of Ransomware
The true cost of a ransomware attack extends far beyond the ransom payment itself. Downtime, data loss, reputational damage, regulatory fines, legal fees, and the cost of rebuilding infrastructure often far exceed the ransom demand. Cybersecurity Ventures estimates that global ransomware damages will reach $265 billion annually by 2031.
Average downtime following a ransomware attack is approximately 21 days, during which business operations may be partially or completely halted. For critical sectors like healthcare, this downtime can have life-threatening consequences.
Is Paying the Ransom Recommended?
Law enforcement agencies worldwide, including the FBI, Europol, and the UK National Crime Agency, strongly advise against paying ransoms. The reasons are straightforward:
- Payment does not guarantee data recovery. Some decryption tools provided by attackers are deliberately flawed or never delivered.
- Paying funds further criminal activity and incentivises future attacks.
- Organisations that pay are often targeted again, as they have demonstrated willingness to pay.
Nevertheless, many organisations feel they have no alternative, particularly when backups have been destroyed and critical operations are at a standstill.
What Can You Do?
Effective ransomware defence requires a multi-layered approach. Our Prevention Guide provides detailed, actionable strategies. Key principles include:
- Maintaining regular, tested, offline backups
- Keeping all software patched and up to date
- Implementing network segmentation
- Using multi-factor authentication (MFA) everywhere
- Training employees to recognise phishing attempts
- Having a documented incident response plan
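The first principle in this list, tested backups, is the one most often skipped in practice: a backup that was never verified may already be encrypted, incomplete or silently corrupted by the time it is needed. The following Python script is an added example written for this article, not code from the article or from any backup product. It builds a SHA-256 manifest of a backup set (the manifest is what you would store offline, separately from the backup itself) and later re-verifies the set against that manifest, reporting files that were modified, removed or added. The directory contents and the simulated tampering are constructed inside a temporary directory so the script runs anywhere.

```python
"""Backup integrity check with a SHA-256 manifest (added example).

build_manifest() records a digest for every file under a backup root;
verify() compares the current state of that root against a stored manifest.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: dict) -> dict:
    """Return {'ok': [...], 'modified': [...], 'missing': [...], 'unexpected': [...]}."""
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: snapshot a small backup set, then simulate damage and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (root / "notes.txt").write_text("quarterly notes\n")

        # Take the manifest while the backup is known good and keep it off the backup host.
        manifest_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)

        # Simulate what an online backup looks like after a ransomware run: one file's
        # contents replaced with random bytes, one file deleted, one note dropped.
        # (Constructed for the example; no real sample is involved.)
        (root / "db" / "customers.sql").write_bytes(os.urandom(64))
        (root / "notes.txt").unlink()
        (root / "README_RESTORE.txt").write_text("constructed placeholder\n")

        return verify(root, json.loads(manifest_json))


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Any non-empty `modified`, `missing` or `unexpected` list is a reason to treat that backup copy as untrusted and fall back to an older or offline copy. The manifest only helps if it is kept somewhere the attacker cannot rewrite it along with the backup, which is the same reason the list above calls for offline copies.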