Who this page is for
This page is for executives, IT and security leaders, crisis team members and anyone who wants to understand ransomware realistically - without hype and without attack guidance.
What ransomware is
Ransomware is malicious software that makes data inaccessible - typically by encryption - and demands payment for release or for keeping exfiltrated data private. In practice attackers combine encryption with data theft and double extortion.
Typical flow at a high level
1. Initial access via phishing, stolen credentials, vulnerabilities or suppliers.
2. Foothold on a system and reconnaissance.
3. Privilege escalation and lateral movement.
4. Data exfiltration for later extortion.
5. Encryption of core systems.
6. Extortion with the threat of disclosure.
This description supports understanding. Concrete attack guidance is intentionally not provided.
Early warning signs
Common signals in early phases:
- Unusual logins, especially from unexpected regions
- Bursts of failed MFA prompts
- New administrator accounts
- Unexpected scripts or tools on servers
- Atypical data movement, for example large transfers to cloud storage
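To make these signals concrete, the following Python example (added here, not code from the original page) applies simple threshold rules to a handful of constructed authentication and transfer events and returns an alert for each of four signals listed above: logins from an unexpected region, a burst of failed MFA prompts, creation of an administrator account, and a large transfer to cloud storage. The record format, the field names, the list of expected countries and all thresholds are assumptions chosen for illustration; a real deployment would take these from the identity provider, EDR or SIEM in use.

```python
"""Rule-based checks for early ransomware warning signs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Assumed format:
# "<ISO timestamp> <user> <event> <country> <detail>" (space separated, five fields).
SAMPLE_EVENTS = [
    "2024-05-01T08:01:00 alice login_ok DE -",
    "2024-05-01T08:02:10 bob mfa_failed DE -",
    "2024-05-01T08:02:15 bob mfa_failed DE -",
    "2024-05-01T08:02:20 bob mfa_failed DE -",
    "2024-05-01T08:02:25 bob mfa_failed DE -",
    "2024-05-01T08:02:30 bob mfa_failed DE -",
    "2024-05-01T08:05:00 carol login_ok XX -",
    "2024-05-01T08:10:00 svc_backup admin_account_created DE newadmin2",
    "2024-05-01T08:20:00 alice upload DE 5368709120",  # detail = bytes sent to cloud storage
]

# Assumed policy values; tune to the organisation's own baseline.
EXPECTED_COUNTRIES = {"DE", "AT", "CH"}
MFA_FAIL_THRESHOLD = 5                    # failures per user ...
MFA_WINDOW = timedelta(minutes=5)         # ... within this sliding window
TRANSFER_THRESHOLD_BYTES = 1 * 1024 ** 3  # 1 GiB in a single upload


def parse(line):
    """Split one constructed record into a dict with a parsed timestamp."""
    ts, user, event, country, detail = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "event": event,
        "country": country,
        "detail": detail,
    }


def detect(lines):
    """Return a list of (signal, user, detail) alerts, in the order they fire."""
    alerts = []
    mfa_fail_times = defaultdict(list)  # per-user timestamps of recent MFA failures
    for ev in map(parse, lines):
        if ev["event"] == "login_ok" and ev["country"] not in EXPECTED_COUNTRIES:
            alerts.append(("unexpected_region", ev["user"], ev["country"]))
        elif ev["event"] == "mfa_failed":
            times = mfa_fail_times[ev["user"]]
            times.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while times and ev["ts"] - times[0] > MFA_WINDOW:
                times.pop(0)
            # Fire exactly once when the threshold is reached, not on every later failure.
            if len(times) == MFA_FAIL_THRESHOLD:
                alerts.append(("mfa_burst", ev["user"], len(times)))
        elif ev["event"] == "admin_account_created":
            alerts.append(("new_admin", ev["user"], ev["detail"]))
        elif ev["event"] == "upload" and int(ev["detail"]) >= TRANSFER_THRESHOLD_BYTES:
            alerts.append(("large_transfer", ev["user"], int(ev["detail"])))
    return alerts


if __name__ == "__main__":
    for signal, user, detail in detect(SAMPLE_EVENTS):
        print(f"{signal:18} user={user:12} detail={detail}")
```

Each rule on its own produces noise; their value for ransomware detection comes from seeing several of them in a short period, so in practice the alerts would be correlated per user or per host rather than acted on individually.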
Effective protective measures
- MFA, ideally phishing-resistant, especially at identity providers
- Patch management for externally exposed systems
- EDR with response capabilities
- Network and identity segmentation
- Backups, at least one offline or immutable, regularly tested
- Least privilege for administrators and service accounts
- Awareness with a clear reporting culture
- A rehearsed incident response plan
First steps when ransomware is suspected
1. Stay calm and invoke the incident response plan.
2. Isolate suspect systems, but do not rush to clean them up before evidence has been preserved.
3. Engage forensics and preserve evidence.
4. Review identities, rotate tokens and passwords, strengthen MFA.
5. Involve legal, data protection, authorities and insurer.
6. Coordinate factual external communication.
7. Resume operations only once the attacker's persistence has been removed.
The question of payment
Payment is not a fix and can be legally problematic. Even after payment, data is often not fully recoverable and the risk of repeat attacks rises. The decision is made by management together with legal, authorities and insurer.
Practical scenario
An attack starts with a phishing mail. MFA blocks the initial login. Awareness, a simple reporting path and EDR ensure early detection. A tabletop six months earlier had rehearsed exactly this scenario. Damage: limited.
Checklist
- MFA everywhere, especially at identity providers
- Patch management for externally exposed systems
- EDR rolled out and monitored
- Network and identity segmentation
- Offline or immutable backups, regularly tested
- Least privilege and privileged access management
- Ransomware playbook rehearsed
- Emergency contacts reachable 24/7
Frequently asked questions
Should we pay?
Management decides together with legal, authorities and insurer. Payment is not a fix and can be legally problematic.
Are backups enough?
Backups are indispensable, but attackers now also target data theft and extortion. Protection, detection and backups belong together.
How does ransomware get in?
Most commonly via phishing, stolen credentials or vulnerabilities in externally exposed systems. Suppliers also play a role.
Related topics
- Security incidents: a security incident requires a clear process, rehearsed roles and prepared communication. Improvising during an incident wastes time and creates mistakes. This page covers the phases, responsibilities and common pitfalls.
- Phishing: phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.
- Incident response plan: a good incident response plan is short enough to be useful in a crisis and concrete enough to speed up decisions. This page describes a pragmatic structure and typical contents.
- Security operations centre: a security operations centre combines people, process and technology to detect cyber incidents early, handle them in a structured way and learn from them. This page covers tasks, models and common pitfalls.
- Awareness: awareness works when it is continuous, relevant and fairly measurable. A yearly mandatory training is not enough. This page shows what good organisational awareness looks like.
- Enterprise security: effective enterprise security combines governance with concrete technical and organisational controls. This page shows what decision makers and IT leaders should focus on first - calm, practical and clearly prioritised.
- Backups: backups are a core defence against data loss and ransomware. This page explains the 3-2-1 rule, offline and immutable backups, restore tests and common mistakes.
- EDR: EDR provides telemetry and response on endpoints. It is standard in many organisations today and extends classic endpoint protection with detection and response.
- Patch management: patch management decides how fast known vulnerabilities are closed. It is unglamorous routine work and reduces the risk of many incidents significantly.