
Ransomware Attacks: What You Need to Know

Over more than three decades, ransomware has grown from a niche extortion trick into one of the most pervasive and costly forms of cybercrime.

By some industry estimates an attack now occurs every two seconds, and cybercriminals keep refining both their malware payloads and their extortion techniques, driving up costs and complexity for businesses worldwide.

Ransomware remains the top organisational cyber risk year after year, with 45 per cent of cybersecurity professionals ranking it as their primary concern. Innovations in ransomware tactics are expected to accelerate, further enabled by the growing adoption of Ransomware-as-a-Service (RaaS). This model lowers the barrier to entry for cybercriminals by commoditising attacks.

If that is not alarming enough, according to the latest figures from Statista, 71 per cent of global businesses have experienced the effects of ransomware. Of those hit, nearly 63 per cent paid the ransom. Yet paying up rarely guarantees full recovery, and often emboldens further attacks.

Meanwhile, the World Economic Forum’s 2025 cybersecurity report shows that 72 per cent of leaders believe cyber risks have increased in the past year, driven by a surge in phishing, social engineering, cyber-enabled fraud, and identity theft.

Understanding what ransomware really is and how it works is the first step to keeping your organisation one step ahead of attackers.

What is a Ransomware Attack?

Ransomware is a type of malicious software that blocks access to a device or encrypts critical data, holding it hostage until a ransom is paid. But the impact of these attacks extends far beyond locked files.

Victims face a cascade of consequences: ransom negotiations and payouts, data destruction, theft of intellectual property and financial information, prolonged downtime, lost productivity, fraud, and reputational damage. In many cases, organisations also face regulatory fines, legal costs, forensic investigations, and expensive recovery operations, all while business operations grind to a halt.

As digital transformation accelerates, the challenge becomes more complex with the emergence of new technologies. While 66 per cent of organisations believe AI will have the biggest impact on cybersecurity, only 37 per cent currently have processes in place to assess the security of AI tools before deployment. This gap creates new opportunities for cybercriminals and remains a growing concern for business leaders.

The sooner ransomware is detected and contained, the better the chances of limiting the damage. Ransomware is no longer just an IT issue; it is a business-critical risk.


Types of ransomware

As ransomware attacks become increasingly common, organisations need to recognise the various forms these threats can take. Each type has unique characteristics, infection methods, and impacts on operations.

Here are the different types of ransomware:

  1. Locker ransomware
    Locker ransomware doesn’t encrypt files but instead locks users out of their devices or systems, typically with a full-screen ransom message demanding payment to regain access.

    While the data itself is usually left intact, the inability to use systems causes serious disruption. Because nothing is encrypted, recovery is often possible without paying once the malware is removed. Strong access controls, multi-factor authentication, and timely patching help prevent the initial infection.

  2. Crypto ransomware
    This is one of the most well-known types. Crypto ransomware encrypts important files on individual devices or across entire networks, rendering data unusable. Attackers then demand payment, typically in cryptocurrency, for a decryption key.

    The encryption runs quietly, so the attack often goes unnoticed until files become inaccessible. Warning signs do exist: a burst of file renames or modifications across a share, files acquiring an unfamiliar extension, and content that suddenly looks like random bytes rather than documents.

  3. Doxware (Leakware)
    Doxware focuses on stealing confidential or sensitive data and threatening to leak it unless a ransom is paid. Unlike encryption-based ransomware, the primary threat here is data exposure, which can cause serious reputational harm and legal consequences, especially for organisations handling private customer or financial information.

    Preventative measures include encrypting sensitive data, deploying data loss prevention tools, and conducting regular security audits.

  4. Double extortion ransomware
    An evolution of traditional crypto ransomware, double extortion attacks not only encrypt data but also steal sensitive information. Attackers threaten to release the stolen data publicly unless their ransom demands are met. This adds extra pressure on victims, as they face operational disruption and the risk of reputational damage, legal liabilities, and regulatory penalties.

    Defending against it means watching for data exfiltration (large or unusual outbound transfers to unfamiliar destinations) as well as for encryption, because the theft happens before the encryptor runs and is not undone by restoring from backup.

  5. Ransomware-as-a-Service (RaaS)
    RaaS is a business model rather than a distinct strain. It lowers the technical barrier by letting less skilled criminals (affiliates) rent ransomware tooling built by experienced developers, typically in return for a share of each ransom. This subscription model has contributed massively to the surge in attacks.

    Because affiliates supply the intrusion and the developers supply the payload, the same strain can arrive through very different initial access routes, which makes early detection harder. Continuous network monitoring, anomaly detection, and employee awareness are crucial defences, along with adopting a zero-trust security approach.

  6. Fileless ransomware
    Fileless ransomware is hard to catch with signature-based scanning because there is no malicious file on disk to match. Instead, it abuses legitimate system tools and processes (PowerShell, WMI, scripting engines and other built-in binaries) to run directly in memory.

    This approach evades conventional antivirus and lets the attack run longer before discovery. Defending against it requires behaviour-based monitoring of process activity, strict access controls, up-to-date software, endpoint detection and response tools, and employee training on suspicious activity.

  7. Scareware
    Scareware uses fear tactics rather than encryption or lockouts. It bombards users with fake warnings, claiming the system is infected and urging them to buy bogus security software.

    While usually less damaging than other ransomware types, scareware causes confusion, stress, and wasted money. It is generally easy to spot from its fake alerts, and prevention hinges on educating users not to act on unsolicited security warnings and on running reputable anti-malware protection.
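The warning signs described for crypto and double-extortion ransomware (mass file changes and files that suddenly look like random bytes) can be checked mechanically. The script below is an added example, not code from this article or from any product it mentions: it walks a directory, scores each file's Shannon entropy, looks for a ransomware-style extension, and measures how many files were modified inside one short window. The extension list, thresholds and the sample share it builds are constructed assumptions for illustration; the high-entropy bytes come from a SHA-256 chain rather than a real encryptor.

```python
"""Spot the footprint of crypto ransomware on a file tree.

Two signals are combined:
  * Shannon entropy of file contents: encrypted data scores close to
    8 bits per byte, while office documents, source code and logs sit
    well below that. (Compressed archives and media also score high,
    so entropy alone is a hint, not a verdict.)
  * Change rate: an encryptor touches hundreds of files in seconds, so a
    burst of modifications inside a short window is suspicious by itself.
"""
import hashlib
import math
import os
import tempfile
import time
from collections import Counter

# Illustrative extension list; real encryptors use many others.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
ENTROPY_THRESHOLD = 7.5          # bits per byte (assumed cut-off)
BURST_WINDOW_SECONDS = 60
BURST_FILE_COUNT = 20            # files modified inside one window


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample_size: int = 64 * 1024) -> bool:
    """Sample the head of the file; encryptors usually rewrite it whole."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_size)) >= ENTROPY_THRESHOLD


def max_burst(mtimes, window: int = BURST_WINDOW_SECONDS) -> int:
    """Largest number of files modified within any `window`-second span."""
    times = sorted(mtimes)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def scan_tree(root: str):
    """Return (flagged files, burst size) for everything under `root`."""
    flagged, mtimes = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            mtimes.append(st.st_mtime)
            reasons = []
            if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
                reasons.append("ransomware-style extension")
            if st.st_size > 0 and looks_encrypted(path):
                reasons.append("high entropy")
            if reasons:
                flagged.append((os.path.relpath(path, root), reasons))
    return flagged, max_burst(mtimes)


def should_alert(flagged, burst: int) -> bool:
    """Alert when the two weak signals line up, not on a single noisy one."""
    return burst >= BURST_FILE_COUNT and len(flagged) >= BURST_FILE_COUNT // 2


def build_sample_share(n_encrypted: int = 24) -> str:
    """Constructed test data: a few old documents plus a burst of freshly
    'encrypted' files. The random-looking bytes are a deterministic
    SHA-256 chain, not the output of a real encryptor."""
    root = tempfile.mkdtemp(prefix="share-")
    now = time.time()
    for i in range(3):
        path = os.path.join(root, f"report-{i}.txt")
        with open(path, "w") as fh:
            fh.write("Quarterly figures attached, see section 2.\n" * 200)
        os.utime(path, (now - 86400 * (i + 1), now - 86400 * (i + 1)))
    for i in range(n_encrypted):
        blob = b"".join(hashlib.sha256(f"{i}:{k}".encode()).digest() for k in range(256))
        path = os.path.join(root, f"invoice-{i}.xlsx.locked")
        with open(path, "wb") as fh:
            fh.write(blob)
        os.utime(path, (now - i, now - i))   # all touched within 24 seconds
    return root


def demo() -> dict:
    root = build_sample_share()
    flagged, burst = scan_tree(root)
    return {"flagged": len(flagged), "burst": burst, "alert": should_alert(flagged, burst)}


if __name__ == "__main__":
    print(demo())
```

Entropy on its own produces false positives on archives, images and already-encrypted backups, which is why the alert only fires when a burst of modifications and a cluster of suspicious files coincide; in production the same two signals would be fed from file-server audit logs or an EDR agent rather than a periodic walk.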

How does Ransomware work?

Ransomware can infiltrate an organisation’s IT systems through several different attack methods. Understanding these common entry points is key to building stronger defences and reducing risk.

  1. Phishing emails
    One of the most common tactics involves deceptive emails that appear to come from trusted sources. These emails often contain harmful links or attachments. Once clicked or opened, the ransomware is quietly downloaded and begins its work.
  2. Stolen or weak credentials
    Attackers may gain access using credentials harvested by infostealer malware or bought on criminal marketplaces, or by brute-forcing and password-spraying accounts on exposed services such as RDP, VPN gateways and webmail, which is why accounts without multi-factor authentication are a favourite entry point.
  3. Exploiting software flaws
    Cybercriminals frequently take advantage of unpatched vulnerabilities in software or operating systems. These security gaps provide an easy entry point for attackers to install ransomware and move through a network before detection.
  4. Fake software and updates
    Some ransomware is disguised as legitimate software or updates. Victims unknowingly download what looks like a trusted application, only to install malware onto their devices instead.
  5. Malicious websites and links
    Visiting a compromised website or clicking on a dangerous link on a file-sharing platform can also trigger a ransomware infection. These sites may secretly download malware onto the user's system without their knowledge.

Once inside, modern ransomware operators rarely encrypt immediately. They escalate privileges, move laterally to reach domain controllers and file servers, steal data, and sabotage recovery by deleting volume shadow copies and reachable backups, before pushing the encryptor to as many machines as possible at once. Encryption then renders files and folders inaccessible without the attackers' decryption key.


Victims are then shown a ransom note on-screen, demanding payment, often in cryptocurrency and offering instructions for unlocking their data. It's important to remember that even if a ransom is paid, there's no certainty that attackers will honour the deal or provide a working decryption key.
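The step that most often gives human-operated ransomware away before encryption starts is the deliberate destruction of recovery options (MITRE ATT&CK calls it T1490, Inhibit System Recovery). The following is an added detection example, not code from this article or from any vendor it names: a handful of command-line rules run over process-creation events. The events are constructed sample records in a simplified one-JSON-object-per-line format, not real Sysmon or Windows Security logs, and the host and user names are invented.

```python
"""Flag the 'inhibit system recovery' step that precedes most
human-operated ransomware deployments, by running simple rules over
process-creation events.

The events below are constructed sample records (one JSON object per
line); field names are an assumption, not a real log schema.
"""
import json
import re
from collections import defaultdict

# Each rule: a label and a case-insensitive pattern over the command line.
RULES = [
    ("vssadmin shadow deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic shadow deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("wbadmin catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("WMI shadow copy removal",
     re.compile(r"Win32_ShadowCopy.*(Remove-WmiObject|\.Delete\(\))", re.I)),
]

# Constructed sample events. Note the benign look-alikes: listing shadow
# copies and starting a backup must not fire.
SAMPLE_EVENTS = """\
{"ts": "2025-03-04T02:11:07Z", "host": "WS-FIN-07", "user": "CORP\\\\jsmith", "parent": "cmd.exe", "cmd": "vssadmin.exe list shadows"}
{"ts": "2025-03-04T02:11:09Z", "host": "WS-FIN-07", "user": "CORP\\\\jsmith", "parent": "cmd.exe", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2025-03-04T02:11:10Z", "host": "WS-FIN-07", "user": "CORP\\\\jsmith", "parent": "cmd.exe", "cmd": "wbadmin delete catalog -quiet"}
{"ts": "2025-03-04T02:11:12Z", "host": "WS-FIN-07", "user": "CORP\\\\jsmith", "parent": "cmd.exe", "cmd": "bcdedit /set {default} recoveryenabled No"}
{"ts": "2025-03-04T02:14:30Z", "host": "SRV-FILE-01", "user": "CORP\\\\svc-backup", "parent": "powershell.exe", "cmd": "powershell -nop -c \\"Get-WmiObject Win32_ShadowCopy | Remove-WmiObject\\""}
{"ts": "2025-03-04T03:00:00Z", "host": "SRV-BACKUP-02", "user": "CORP\\\\svc-backup", "parent": "services.exe", "cmd": "wbadmin start backup -backupTarget:E: -quiet"}
"""


def parse_events(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_rules(cmd: str):
    """Labels of every rule whose pattern occurs in the command line."""
    return [label for label, pattern in RULES if pattern.search(cmd)]


def detect(text: str):
    """One alert per (event, matching rule), carrying the context an
    analyst needs to triage: who ran it, from which parent, on which host."""
    alerts = []
    for ev in parse_events(text):
        for label in match_rules(ev["cmd"]):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "parent": ev["parent"], "rule": label, "cmd": ev["cmd"]})
    return alerts


def severity_by_host(alerts):
    """Several distinct recovery-inhibiting commands on one host in quick
    succession is the pattern to page on; a lone hit may be an admin."""
    rules = defaultdict(set)
    for a in alerts:
        rules[a["host"]].add(a["rule"])
    return {host: ("high" if len(r) >= 2 else "medium") for host, r in rules.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]} [{a["rule"]}] {a["cmd"]}')
    print(severity_by_host(found))
```

Legitimate backup software and administrators do occasionally delete shadow copies, so the rules are scored per host rather than paged individually; three different recovery-sabotage commands from the same interactive shell within a few seconds is the signature worth waking someone up for, and it typically lands minutes before the encryptor.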

Examples of Ransomware Attacks

Ransomware has hit the news more than once in recent years, with different strains showing just how dangerous and disruptive these attacks can be. Here are two examples.

  • Clop ransomware group

In mid-2023 the Clop ransomware group exploited a zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer, a widely used managed file transfer product, to mount a coordinated mass-exploitation campaign against organisations running the software.

The flaw was an SQL injection in MOVEit's web front end, which the attackers used to plant a web shell and pull data out of victims' transfer databases in bulk. Notably, Clop did not encrypt anything in this campaign: it relied purely on the threat of publishing the stolen data, an example of pure extortion without an encryptor. The incident showed how quickly a threat actor can weaponise a flaw in a widely deployed business application.

Early tallies counted more than 255 victim organisations, including both private corporations and government agencies, and the exposure of personal information belonging to roughly 18 million people; many victims were hit indirectly through third-party processors, and later tallies ran to thousands of organisations. The fallout caused significant financial losses and reputational harm.
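To make the MOVEit mechanism concrete, here is the shape of an SQL injection used for data theft rather than authentication bypass. This is an added illustration with a throwaway SQLite table; it is not MOVEit Transfer's code, nor the exact payload Clop used, and the usernames and hashes are constructed. The vulnerable function splices user input into the SQL text; the safe one binds it as a parameter.

```python
"""A generic SQL injection, shown the way it is usually exploited for data
theft: the attacker does not need to log in, only to reach a query that
splices their input into SQL text.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "$2b$12$constructedhash-alice", "admin"),
         ("bob", "$2b$12$constructedhash-bob", "user"),
         ("carol", "$2b$12$constructedhash-carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username: str):
    """BAD: the caller's string becomes part of the SQL grammar."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str):
    """GOOD: a bound parameter is always data, never SQL, whatever it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Closes the string literal, appends a UNION that pulls a different column
# (the password hashes), and comments out the quote the application adds.
EXFIL_PAYLOAD = "' UNION SELECT password_hash, role FROM users --"


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice"),
        "legit_safe": lookup_safe(conn, "alice"),
        "attack_vulnerable": lookup_vulnerable(conn, EXFIL_PAYLOAD),
        "attack_safe": lookup_safe(conn, EXFIL_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable lookup the payload returns every password hash in the table through a query that was only meant to return one user's role; against the parameterised lookup it returns nothing, because the database receives the payload as a literal string to compare against, not as SQL. Parameterised queries are the fix; escaping and input filtering are not a substitute.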

  • RansomHub

In February 2024 a new ransomware affiliate program named RansomHub was announced on the Russian-language hacking forum RAMP by a user known as ‘koley.’ The program offers affiliates an unusually generous revenue split: 90 per cent of each ransom payment goes to the affiliate, while the developers retain 10 per cent.

RansomHub is engineered for versatility, capable of targeting a broad range of platforms, including Windows, Linux, and ESXi, and supporting multiple architectures such as ARM and MIPS. This adaptability makes it a huge threat across diverse IT environments.

In a notable shift within the ransomware ecosystem, members of the Scattered Spider group, responsible for major attacks on organisations such as MGM Resorts International, Caesars Entertainment, and Okta customers, abandoned the collapsing ALPHV/BlackCat operation and moved their affiliate activity to RansomHub.

By October 2024, RansomHub affiliates had surpassed LockBit as the most active ransomware-as-a-service (RaaS) group, significantly driving a surge in ransomware claims. To date, RansomHub has been linked to attacks affecting a total of 593 confirmed victims.

What Can Organisations Do to Prevent Ransomware Infections?

According to CISA (the US Cybersecurity and Infrastructure Security Agency), organisations can take the following steps to reduce the risk of a ransomware infection:

  • Update and patch computers. Ensure your applications and operating systems (OSs) have been updated with the latest patches. Vulnerable applications and OSs are the target of most ransomware attacks.
  • Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Try to verify website addresses independently (for example, contact your organisation's helpdesk, or search for the sender organisation’s website or the topic mentioned in the email). Pay attention to the addresses you click on, as well as those you type yourself. Malicious website addresses often look almost identical to legitimate sites, using a slight variation in spelling or a different domain (e.g., .com instead of .net).
  • Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.
  • Keep your personal information safe. Check a website’s security to ensure the information you submit is encrypted before you provide it.
  • Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email.
  • Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website.
  • Use and maintain preventative software programs. Install antivirus software, firewalls, and email filters—and keep them updated—to reduce malicious network traffic.


How to Remove Ransomware?

If your organisation has fallen victim to a ransomware attack, acting quickly and carefully is crucial to minimise damage and prevent the infection from spreading further. Here are key steps you can take:

  • Isolate the affected devices: Immediately disconnect infected computers, tablets, and smartphones from every form of network access, whether Ethernet, Wi-Fi, or mobile data, to stop the malware reaching other systems. Prefer disconnecting over powering off where you can, since volatile memory may hold evidence and, for some strains, the encryption keys. Keep a copy of the ransom note and a sample encrypted file: they identify the strain and let you check whether a free decryptor exists.
     
  • Shut down broader network access if necessary: For severe outbreaks, consider temporarily disabling your organisation’s Wi-Fi, unplugging network switches, or even cutting internet access to contain the threat.
     
  • Change all critical login credentials: Once the attackers' access has been cut off, reset passwords for administrator accounts, service accounts, and any other accounts whose credentials may have been on the compromised hosts; resetting before containment just hands the attacker the new passwords. Be careful not to lock yourself out of systems that are essential for restoring operations.
     
  • Reformat infected systems: Take forensic images first if an investigation, regulator, or insurer may need them, then completely erase compromised devices and perform a fresh installation of the operating system to eliminate any hidden or persistent threats.
     
  • Verify backups before restoring: Make sure your backup data is clean and malware-free before using it to recover lost files, and check that it predates the intrusion, because attackers often sit in a network for days or weeks before encrypting. Avoid restoring from backups unless you're confident both the backup and the destination system are secure.
     
  • Use a safe environment to rebuild: Connect wiped devices only to trusted, clean networks to download operating system updates and reinstall essential software.
     
  • Deploy and update antivirus tools: Install reputable security software, ensure it’s up to date, and run full scans to confirm the system is clean.
     
  • Re-establish network connections cautiously: Once devices have been cleaned and verified, reconnect them to your organisation’s network.
     
  • Continue to monitor: Keep an eye on network activity and run regular scans to catch any lingering threats or signs of reinfection.

It's important to understand that paying the ransom is strongly discouraged by law enforcement and cybersecurity experts! While it might seem like a quick way to regain access to your data, there’s no guarantee that attackers will provide a working decryption key or that they won’t demand more money. In many cases, even after payment, stolen data is still leaked or sold.

Instead of paying, organisations should report the incident to local authorities or national cybersecurity agencies. Law enforcement bodies, including the FBI and Europol, consistently advise victims to seek professional support and avoid funding criminal activity, as it encourages future attacks. In some jurisdictions, paying a group that is under sanctions can itself be unlawful, so legal advice belongs in the response plan.

Standing Up Against Ransomware

Ransomware doesn’t just crash systems; it takes control, locks away your data, and holds your business hostage. These attacks succeed far more often against the unprepared. The good news? You don’t have to be an easy target.

One of the simplest and most powerful defences is regular, offline backups. Since ransomware works by encrypting your data and demanding payment for its release, having clean, disconnected backups means you can restore operations without ever negotiating with criminals. Attackers know this, which is why they go after backup servers and network-attached backup shares before they encrypt; keep at least one copy offline or on immutable storage, verify backups against a record kept out of reach, and rehearse restores so you know they work before you need them.
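Verifying a backup before restoring from it means being able to tell whether the backup set is still exactly what was written, even when the intruder reached the backup share. The following is an added example, not code from this article or any backup product: at backup time it records a SHA-256 digest of every file and seals the manifest with an HMAC whose key lives offline; before a restore it re-checks the seal and every digest. The directory, files, ransom note and key are constructed placeholders.

```python
"""Prove a backup set is what you wrote before you restore from it.

At backup time a manifest of SHA-256 digests is produced and sealed with
an HMAC whose key is kept off the network. Before a restore, the seal and
every digest are re-checked. A backup the intruder encrypted shows up as
modified files (plus a ransom note that was never in the manifest), and a
manifest they regenerated fails the seal because they lack the key.
"""
import hashlib
import hmac
import json
import os
import tempfile

OFFLINE_KEY = b"placeholder-key-kept-offline"   # assumption: never stored on the backup host


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_tree(root: str) -> dict:
    """relative path -> SHA-256 hex digest for every file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digests[os.path.relpath(path, root)] = sha256_file(path)
    return digests


def seal(files: dict) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(OFFLINE_KEY, body, "sha256").hexdigest()


def build_manifest(root: str) -> dict:
    files = digest_tree(root)
    return {"files": files, "seal": seal(files)}


def verify_backup(root: str, manifest: dict) -> dict:
    report = {"seal_ok": hmac.compare_digest(seal(manifest["files"]), manifest["seal"]),
              "modified": [], "missing": [], "unexpected": []}
    current = digest_tree(root)
    for rel, digest in manifest["files"].items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest["files"]))
    return report


def safe_to_restore(report: dict) -> bool:
    return report["seal_ok"] and not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="backup-")
    for name, text in [("db.sql", "INSERT INTO orders VALUES (1, 'constructed');"),
                       ("notes.txt", "restore runbook")]:
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    manifest = build_manifest(root)      # would be stored with the offline key, not on the share
    clean = verify_backup(root, manifest)

    # Simulate an intruder on the backup share: one file overwritten with
    # random-looking bytes, a ransom note dropped, and a fresh manifest
    # generated for the new contents without knowing the key.
    with open(os.path.join(root, "db.sql"), "wb") as fh:
        fh.write(hashlib.sha256(b"constructed-ciphertext").digest() * 4)
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("pay up")
    tampered = verify_backup(root, manifest)
    forged = {"files": digest_tree(root), "seal": "0" * 64}
    return {"clean": clean, "tampered": tampered, "forged": verify_backup(root, forged)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "restore ok" if safe_to_restore(report) else "DO NOT RESTORE", report)
```

The manifest and its key are only useful if they are stored somewhere the attacker cannot reach, which in practice means with the offline copy or in a separate write-once location; a manifest sitting next to the backups it describes can be regenerated along with them. Integrity checking also does not tell you whether the backup predates the intrusion, so it complements, rather than replaces, the dwell-time check in the recovery steps above.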

But tools alone aren’t enough. Ransomware often starts with a single click, usually on a phishing email or a fake software prompt, and one wrong click can let an attack in. Training your teams to spot suspicious emails, links, and behaviour, and running regular phishing simulations, can stop an attack before it even starts.

Defending against ransomware isn't just about reacting; it's about preparing. With smart practices, strong policies, and a vigilant workforce, organisations can disrupt the ransomware playbook and stay one step ahead.