Ransomware: How Attacks Work, What to Do, and How to Prevent Them

Ransomware is the most disruptive cyber threat facing businesses today. This guide explains what it is, how attacks unfold, and who is behind them. Learn which sectors face the highest risk, how much incidents cost, and what to do in the first hours of a breach. We cover proven ways to prevent attacks, how to recover safely using clean backups, and when cyber insurance can help.

What is ransomware?

Ransomware is malicious software that blocks access to your systems or data until you pay the attacker a ransom. It works by encrypting your files so you can’t open or use them. The criminals then demand a ransom, typically in cryptocurrency such as Bitcoin, in exchange for a decryption key that will restore access.

Think of it as digital extortion. Instead of breaking into a physical office, attackers hold your business data hostage. In many cases, they don’t even need to steal the data to cause harm; locking it is often enough to completely stop your operations.

Ransomware can strike through phishing emails, infected downloads, or vulnerabilities in outdated software. Once it spreads, it can take down servers, disable backups, and paralyse entire networks within hours. Attackers often pressure victims by setting payment deadlines or threatening to leak sensitive information if the ransom isn’t paid.

For businesses, ransomware is now one of the most common and costly cyber threats. Whether you’re a small firm or a large enterprise, understanding how it works and how to defend against it is critical to keeping your systems and reputation safe.

How does ransomware work?

Ransomware attacks follow a clear pattern. They start with an initial entry, move quietly through your systems, and end with a ransom demand that locks you out of your data. Understanding each stage helps businesses recognise early warning signs before the damage is done.

Stage 1: Initial infection: How ransomware gets in

Most ransomware begins with a single point of failure. A staff member clicks a phishing link, opens a malicious attachment, or visits an infected website. The malware installs silently, giving attackers a foothold inside your network.

Other attacks exploit technical weaknesses, such as unpatched software or unsecured remote access tools, including RDP and VPN gateways. Once inside, attackers probe the system for weak passwords and unprotected admin accounts. They aim to move deeper without being detected.

Stage 2: Lateral movement and privilege escalation

After gaining access, the attackers explore your network and seek ways to gain complete control. They target administrator credentials, shared drives, and backup systems.

Using stolen or brute-forced passwords, they escalate their privileges and spread across the network. Security tools are often disabled or deleted. Backups may be wiped or encrypted to prevent recovery. This stage can last anywhere from days to weeks before the actual attack begins.

Stage 3: Encryption: The lockdown begins

When the attackers are ready, the ransomware is deployed across every reachable device. Files are encrypted with strong algorithms, making them unreadable without a decryption key.

The malware often renames files or adds unique extensions, making the damage instantly visible. Critical systems shut down, applications fail to open, and normal operations come to a halt. Even businesses with backups may struggle if those backups were connected to the network when the attack spread.
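One way a defender can turn the symptoms described above (renamed files with unfamiliar extensions, content that has become random-looking, a ransom note dropped alongside) into an early-warning check. This is an added example written for this guide, not code from the original page or from CyberSure; the extension lists, the entropy and burst thresholds, and the sample share contents are all assumptions constructed for illustration.

```python
import math
import os
import random
from collections import Counter

# Extensions that should be ordinary in the share being watched (an illustrative list, not from the guide).
NORMAL_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".zip"}
# Formats that are already compressed look random even when healthy, so the entropy test is skipped for them.
ALREADY_COMPRESSED = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".zip"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; encrypted output sits close to 8.0, plain documents well below
BURST_THRESHOLD = 5       # this many suspicious files in one scan window is treated as an outbreak
NOTE_NAME_HINTS = ("readme", "restore", "recover", "decrypt", "how_to", "help")
NOTE_BODY_HINTS = (b"encrypted", b"decrypt", b"bitcoin", b"ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """Heuristic: a text/HTML file whose name and body both use typical ransom-note wording."""
    base = os.path.basename(name).lower()
    if not base.endswith((".txt", ".html", ".hta")):
        return False
    body = data.lower()
    return any(h in base for h in NOTE_NAME_HINTS) and any(h in body for h in NOTE_BODY_HINTS)


def assess_file(name: str, data: bytes) -> list:
    """Return the reasons a file looks encrypted: an unknown extension, random-looking content, or both."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if ext not in NORMAL_EXTENSIONS:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    if ext not in ALREADY_COMPRESSED and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append("high entropy")
    return reasons


def scan_snapshot(files: dict) -> dict:
    """Scan one snapshot of a share ({path: bytes}) and decide whether it shows an encryption burst."""
    flagged, notes = {}, []
    for name, data in files.items():
        if looks_like_ransom_note(name, data):
            notes.append(name)
            continue
        reasons = assess_file(name, data)
        if reasons:
            flagged[name] = reasons
    return {
        "flagged": flagged,
        "ransom_notes": notes,
        "outbreak": len(flagged) >= BURST_THRESHOLD or bool(notes),
    }


def build_sample_share() -> dict:
    """Constructed sample: two healthy files, six files overwritten with random bytes, one note."""
    rng = random.Random(1)  # fixed seed so the sample is repeatable
    share = {
        "finance/invoices_q3.xlsx": b"PK\x03\x04" + b"invoice data " * 200,
        "hr/policy.txt": b"Annual leave policy: staff accrue 25 days per year. " * 50,
    }
    for i in range(6):
        share[f"finance/report_{i}.docx.locked"] = bytes(rng.getrandbits(8) for _ in range(4096))
    share["finance/README_RESTORE_FILES.txt"] = b"Your files have been encrypted. Contact us to decrypt them."
    return share


if __name__ == "__main__":
    result = scan_snapshot(build_sample_share())
    print("outbreak:", result["outbreak"])
    for path, reasons in result["flagged"].items():
        print(f"  {path}: {', '.join(reasons)}")
    print("ransom notes:", result["ransom_notes"])
```

In practice this logic sits behind a file-change monitor or a scheduled scan of file-server snapshots, and the thresholds are tuned against a quiet baseline first; the compressed-format exclusion matters because Office documents and PDFs are high-entropy by design and would otherwise flood the alert queue.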

Stage 4: Ransom demand

Once the data is locked, a ransom note appears. It explains that your files have been encrypted and demands payment, usually in Bitcoin or another cryptocurrency, in exchange for a decryption key.

Attackers often add urgency with deadlines or threats. Many now use double extortion, stealing copies of sensitive data and threatening to publish them if the ransom isn’t paid. Some have moved to triple extortion, where they contact clients or suppliers directly to increase pressure on the victim.

Stage 5: Payment and recovery

If the ransom is paid, the attackers may send a decryption key; however, there is no guarantee that it will work or that they won’t demand more. Businesses that refuse to pay must restore systems from clean backups and rebuild affected infrastructure, a process that can take weeks.

Even after recovery, the impact lingers. Downtime, data loss, reputational harm, and regulatory investigations can all follow. Insurers now routinely ask about how ransomware risks are managed before offering or renewing cyber insurance coverage.

CyberSure insight: Ransomware is one of the most damaging and fast-moving cyber threats in the UK. The best defence is preparation: enforce multi-factor authentication, patch software, restrict admin rights, and keep secure offline backups. Stopping every attack is impossible, but these steps can make the difference between disruption and disaster.

Who is behind ransomware attacks?

Ransomware is no longer the work of lone hackers. It is driven by organised criminal operations that run more like businesses than underground schemes. These groups specialise in extortion, selling access, and running affiliate programs that reward successful attacks.

Organised cybercrime gangs

Most ransomware attacks today come from professional criminal groups that operate globally. Well-known names include LockBit, Conti, and BlackCat (also known as ALPHV). Each group develops its own malware, manages encrypted communications with victims, and runs support teams to handle ransom negotiations.

These gangs operate across borders, often from regions with limited law enforcement cooperation. They use advanced tools, double extortion tactics, and sophisticated social engineering to maximise pressure on their targets. Businesses are chosen based on potential payout, not size. Small firms with weak security are often seen as easy wins.

Ransomware-as-a-Service (RaaS) affiliates

A growing number of attacks are launched by affiliates who rent ransomware tools from larger criminal organisations. This model, known as Ransomware-as-a-Service (RaaS), works like a franchise system.

The developers create and maintain the malware, while affiliates handle distribution and infection. When a ransom is paid, the proceeds are split between both parties. This structure lowers the barrier to entry, enabling even low-skilled attackers to conduct high-impact campaigns.

RaaS has helped ransomware spread faster than ever. It allows hundreds of separate groups to use the same malware under different names, making attribution difficult and complicating law enforcement investigations.

State-sponsored or politically motivated actors

While most ransomware is driven by profit, some attacks are linked to state-sponsored groups. These incidents typically target critical infrastructure, government networks, or sectors tied to national interests.

For example, security agencies have linked certain ransomware strains to actors based in Russia, North Korea, and Iran. In these cases, the goal may be disruption, espionage, or political leverage rather than financial gain.

Even when financial motives dominate, state tolerance of ransomware operations can make it more difficult for victims and law enforcement to respond effectively.

Which businesses are most at risk?

Ransomware does not just target large corporations. It hits wherever defences are weakest and disruption will cause the most damage. In the UK, small and medium-sized businesses are the most frequent victims of cybercrime. Attackers are aware that they often lack dedicated IT teams, rely on outsourced support, and may not have full backups or multi-factor authentication in place.

Criminal groups also know that smaller firms are more likely to pay. When operations stop, every hour lost means missed orders, angry clients, and financial strain. For most attackers, SMEs make for an easy and profitable target.

High-risk sectors

Some industries face greater exposure due to the type of data they hold or the criticality of their systems to daily operations. Attackers study their victims before striking, knowing which sectors are most likely to pay fast.

  • Healthcare: Hospitals, clinics, and care providers depend on constant access to patient data. When records are locked, staff cannot work safely, and delays can put lives at risk. This urgency is exactly what attackers exploit.
  • Finance: Banks, accountants, and insurance firms hold valuable financial and personal information. Stolen data can be sold, used for fraud, or leaked to create pressure for payment. The fear of regulatory fines under data protection laws adds another layer of leverage.
  • Legal: Law firms manage highly confidential client records, contracts, and case files. A single breach can compromise trust, lead to regulatory issues, and result in client loss.
  • Education: Universities and schools often operate with limited budgets, old systems, and open networks. Attackers know that security awareness can be low and that incidents during term time can create maximum chaos.
  • Retail and e-commerce: If sales platforms go down, revenue stops immediately. Attackers take advantage of this by encrypting payment systems or threatening to leak customer data.
  • Manufacturing and logistics: Production lines and delivery networks are now digitally connected, which makes them easier to disrupt. A single ransomware attack can halt production and result in significant financial losses.

Supply chain risk

Even a secure business can be compromised if its suppliers are compromised. Attackers often target smaller partners who have access to larger organisations. Once inside, they can move across connected systems without being noticed.

Recent attacks have demonstrated that this type of supply chain vulnerability can impact hundreds of companies simultaneously. Cyber resilience now extends beyond your own network to encompass every third-party entity you depend on.

Industry                         | Risk level  | Why it's targeted
---------------------------------|-------------|---------------------------------------------------------------
Healthcare                       | Very high   | Critical systems, sensitive data, pressure to pay quickly
Finance                          | High        | Valuable data, regulatory concerns, and high ransom potential
Legal                            | High        | Confidential information, trust and reputation at stake
Education                        | Medium-high | Legacy systems, large user base, limited resources
Retail / E-commerce              | Medium-high | Direct revenue impact, customer data exposure
Manufacturing                    | Medium-high | Production downtime, supply chain disruption
Professional services            | Medium      | Client data, remote access exposure
Public sector                    | Medium      | Targeted for disruption or political motives
Small private SMEs (all sectors) | High        | Weak security, limited resources, slow patching

What happens if you’re hit by ransomware?

A ransomware attack can stop your business in its tracks. Files become locked, systems freeze, and staff are unable to access their accounts. The impact can last anywhere from a few days to several weeks, depending on how quickly you detect and contain the attack. Below is what typically happens when a business is hit and why preparation matters.

Operational impact

The first sign of an attack is usually disruption. Systems stop responding, shared drives vanish, and error messages appear. Staff can’t log in or access key files. Emails, phones, and payment systems may also fail.

This downtime quickly affects productivity and revenue. Orders can’t be processed, services pause, and clients are left waiting. For small and medium-sized firms, even a few hours offline can mean lost contracts or missed deadlines. The longer the recovery takes, the greater the financial damage.

Data loss and regulatory impact

Most modern ransomware doesn’t just encrypt data; it also steals it. This is known as double extortion. Attackers threaten to leak or sell stolen data unless a ransom is paid, even if you restore your systems from backups.

If customer, employee, or supplier data is exposed, it can become a data protection breach under GDPR. In these cases, you may need to report the incident to the Information Commissioner’s Office (ICO) within 72 hours. Failure to do so can lead to regulatory fines, legal claims, and lasting reputational damage.

Reputational and legal impact

A public ransomware incident can quickly erode trust. Clients, investors, and partners may question your ability to safeguard sensitive information. Competitors can use the situation to their advantage, and media coverage often amplifies the damage.

There may also be legal fallout. If confidential client data is exposed, you could face breach-of-contract claims or regulatory investigations. Even if you recover operations quickly, rebuilding confidence can take far longer.

Financial consequences

The costs of ransomware extend well beyond the ransom itself. Businesses face expenses for investigation, system rebuilding, and professional recovery services. Additional costs often include:

  • Loss of income during downtime
  • Legal and compliance fees
  • Higher insurance premiums
  • Investment in stronger security controls

For UK SMEs, the total financial impact can range from tens to hundreds of thousands of pounds, depending on the scale of the incident and the effectiveness of backups and response plans.

Human and operational stress

Ransomware doesn’t just damage systems; it tests people. Staff must juggle frustrated clients, long hours, and constant pressure to restore services. IT teams may work through the night, while leadership manages communication with regulators, insurers, and media.

Without a clear plan, panic and confusion can spread quickly. Well-defined incident response procedures help reduce stress and guide decisions when every minute counts.

Insurance and recovery complexity

Cyber insurance can help cover some of the costs, but it’s not automatic. Insurers often require proof that core protections were in place before the attack, such as multi-factor authentication, offline backups, and patch management.

Claims may involve external investigators, forensic teams, and negotiators, which can delay resolution. Businesses that rely solely on insurance rather than robust defences often find coverage limited or claims disputed.

How much does a ransomware attack cost a business?

The cost of a ransomware attack depends on how prepared a business is when it happens. For UK SMEs, recovery from a minor incident can exceed £4,000, while major attacks often reach £100,000-£500,000 or more once downtime, legal advice, and recovery are included.

The ransom itself is rarely the biggest expense. The real cost comes from halted operations, lost revenue, customer communication, and rebuilding damaged systems. Many firms also face higher insurance premiums and long-term reputational loss.

Recent UK cases show how damaging these attacks can be. JD Sports saw customer data exposed, Royal Mail halted international deliveries, and the British Library faced months of disruption and costly rebuild work.

In most cases, prevention costs far less than recovery. Regular backups, patching, and staff awareness training remain the most effective ways to reduce financial risk.

Should you pay the ransom?

Paying a ransom may seem like the fastest way to restore systems, but it rarely resolves the underlying issue. In many cases, victims who pay still face data loss, downtime, and reputational harm. Deciding whether to pay is a complex matter, both legally and ethically.

The case against paying

Most security experts and law enforcement agencies, including the National Cyber Security Centre (NCSC), advise against paying. There are several reasons:

  • No guarantee of recovery: Attackers may not provide working decryption keys, or they may demand more money once you pay.
  • Encourages further attacks: Paying funds criminal activity and signals that your business is a soft target.
  • Possible legal risk: If the payment goes to a sanctioned group, you could breach UK law, even unknowingly.
  • Limited insurance support: Some insurers may refuse to reimburse payments made without prior approval.

When payment is considered

In rare cases, businesses decide to pay to resume critical operations or protect life-dependent services. This is more common in sectors such as healthcare or logistics, where downtime can be particularly severe.

If payment is considered, insurers or legal specialists usually lead the negotiation. They confirm the recipient is not a sanctioned entity and manage communication through approved channels. Every step must be documented to ensure compliance with UK law and insurance conditions.

Cyber insurance involvement

Many cyber insurance policies include access to expert negotiators and forensic investigators. These professionals assess the situation, validate legality, and determine whether payment is appropriate or avoidable.

However, paying remains a last resort. Restoring from secure offline backups and having a clear incident response plan is far safer and often faster in the long run.

In short, while some victims do pay, doing so carries significant risks and no guarantees. Prevention, preparation, and strong cyber hygiene are far more effective defences than any ransom payment.

How to recover from a ransomware attack

A clear plan limits damage and speeds recovery. Your goals are simple. Stop the spread. Preserve evidence. Restore services safely. Meet legal duties. Communicate with confidence. Follow the steps in order and keep a written timeline of every decision.

Step 1: Isolate and contain

Act fast to stop the spread. Disconnect infected devices from the network and disable Wi-Fi and VPN on those hosts. Keep systems powered if safe to do so, so that forensic teams can capture volatile evidence. 

Shut down obvious pathways, such as RDP and unsecured SMB. Remove or restrict any accounts that exhibit suspicious activity, particularly those with privileged access. Segment the network to protect domain controllers, hypervisors, backups, and core business apps. Move the response team to an out-of-band channel that attackers cannot see. 

Capture ransom notes, filenames, logs, and timestamps. Good evidence speeds up the investigation and recovery process.

Step 2: Notify your IT and cyber insurance provider

Activate your incident response plan and name a clear lead. Inform your internal IT team or MSP and begin a running timeline of events. Call your cyber insurer’s hotline and provide a concise summary of impact, affected systems, and business priorities. 

Do not contact the attackers or agree to pay without consulting a lawyer and your insurer. Insurers can bring in forensics, breach counsel, negotiators, and PR support within minutes. Centralise communications and appoint a single spokesperson for staff, customers, suppliers, and media. Consistent messaging prevents confusion and protects trust.

Step 3: Report to Action Fraud / NCSC

Report the crime to Action Fraud. In Scotland, contact Police Scotland. Notify the NCSC and request current guidance on the threat group and any known decryptors. Assess whether data was accessed or exfiltrated. If personal data is involved, treat this as a data protection incident and consider whether an ICO notification is required within 72 hours. Some sectors have additional rules, such as those related to the FCA or NHS bodies, so check those obligations early. Keep a written record of every decision, including legal advice on sanctions risk if ransom payment is discussed.

Step 4: Restore from backups

Start by validating your backups. Confirm they are offline or immutable, scan them, and check that the restore point predates the compromise. If you cannot prove this, do not restore yet.

Choose your recovery approach. A clean rebuild is usually safer than decryption because it removes persistence and hidden tooling. Use trusted gold images and known-good installers.

Restore in a sensible order. Bring back identity, DNS, and core infrastructure first. Add file services next, then the business applications that keep customers served. Avoid reconnecting everything at once.

Rebuild endpoints methodically. Reimage devices, apply patches, and only then rejoin them to the domain. Rotate all credentials during this phase. That includes domain admins, service accounts, API keys, SSH keys, database passwords, and third-party tokens.

Watch the environment as it comes back. Use your EDR and logging to look for unusual logins, persistence mechanisms, or outbound beacons. Run functional checks and data integrity tests before opening systems to users. Keep at least one untouched, immutable backup copy in reserve until the incident is fully closed.
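The "watch the environment" step above, and the password-guessing and spread across hosts described under Stage 2, can be expressed as a few detection rules run over authentication logs. The following is an added example for this guide, not code from the original page or from any vendor: the log line format, the thresholds, the business-hours window and the sample events are all constructed assumptions, and a real deployment would feed the same fields from Windows logon events or sshd syslog instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line format for the sample: "<ISO time> auth host=<host> user=<user> src=<ip> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

FAIL_THRESHOLD = 5                 # failures before a success that we treat as password guessing
HOST_SPREAD_THRESHOLD = 3          # distinct hosts one account reaches inside the window
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)      # 07:00 to 19:59 UTC counts as normal for this sample (an assumption)
PRIVILEGED_PREFIXES = ("adm_", "svc_", "administrator")


def parse_auth_lines(lines):
    """Parse the constructed format, skipping lines that do not match, and return events in time order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_privileged(user):
    return user.lower().startswith(PRIVILEGED_PREFIXES)


def _alert(kind, event, detail):
    return {"type": kind, "time": event["ts"].isoformat(), "user": event["user"],
            "host": event["host"], "src": event["src"], "detail": detail}


def detect(lines):
    """Apply three rules to an auth log and return the alerts they raise."""
    alerts = []
    failures = defaultdict(list)   # (src, user) -> timestamps of recent failed logins
    successes = defaultdict(list)  # user -> (timestamp, host) of recent successful logins
    for e in parse_auth_lines(lines):
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue
        # Rule 1: a run of failures from one source, then a success, on the same account.
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(_alert("brute_force_success", e, f"{len(recent)} failures then success"))
        failures[key].clear()
        # Rule 2: privileged accounts logging in outside business hours.
        if is_privileged(e["user"]) and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(_alert("privileged_out_of_hours", e, f"login at {e['ts']:%H:%M} UTC"))
        # Rule 3: one account reaching several hosts in a short window (the lateral-movement pattern).
        earlier = [(t, h) for t, h in successes[e["user"]] if e["ts"] - t <= WINDOW]
        seen_before = {h for _, h in earlier}
        successes[e["user"]] = earlier + [(e["ts"], e["host"])]
        if e["host"] not in seen_before and len(seen_before) + 1 >= HOST_SPREAD_THRESHOLD:
            alerts.append(_alert("lateral_movement_spread", e,
                                 f"{len(seen_before) + 1} hosts in {WINDOW.seconds // 60} min"))
    return alerts


# Constructed sample log: an admin account guessed from 10.0.5.23 at about 02:00, then used on three servers.
SAMPLE_LOG = [
    "2024-03-02T01:58:00Z auth host=FS01 user=adm_jsmith src=10.0.5.23 result=FAIL",
    "2024-03-02T01:58:10Z auth host=FS01 user=adm_jsmith src=10.0.5.23 result=FAIL",
    "2024-03-02T01:58:20Z auth host=FS01 user=adm_jsmith src=10.0.5.23 result=FAIL",
    "2024-03-02T01:58:30Z auth host=FS01 user=adm_jsmith src=10.0.5.23 result=FAIL",
    "2024-03-02T01:58:40Z auth host=FS01 user=adm_jsmith src=10.0.5.23 result=FAIL",
    "2024-03-02T01:59:10Z auth host=FS01 user=adm_jsmith src=10.0.5.23 result=OK",
    "2024-03-02T02:03:00Z auth host=DC01 user=adm_jsmith src=10.0.5.23 result=OK",
    "2024-03-02T02:05:00Z auth host=HV01 user=adm_jsmith src=10.0.5.23 result=OK",
    "2024-03-02T09:15:00Z auth host=WS12 user=alice src=10.0.8.14 result=OK",
    "2024-03-02T09:16:00Z auth host=WS12 user=alice src=10.0.8.14 result=FAIL",
    "this line is not an auth event and is skipped by the parser",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['time']} {a['type']:<24} {a['user']}@{a['host']} from {a['src']}: {a['detail']}")
```

During the recovery phase these rules are most useful when run over the rebuilt estate's logs continuously, with the privileged-account list taken from your directory rather than a naming convention, so that a credential the attackers kept shows up the first time it is reused.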

Step 5: Strengthen and reassess security controls

Close the door that the attackers used. Patch operating systems, applications, firmware, and every internet-facing service. Remove or harden anything exposed to the web.

Raise the bar for access. Enforce multi-factor authentication on email, VPN, admin, and all remote access. Apply least privilege. Remove shared admin accounts and manage elevated access through a privileged access management process.

Reduce your attack surface. Restrict or retire RDP. Review the remote tools used by IT and suppliers, and lock them down to approved methods and allow lists.

Improve detection and response. Deploy endpoint detection and response across servers and devices. Add 24/7 monitoring through a SIEM or MDR partner so that alerts are acted upon out of hours.

Harden email security. Enable DMARC, DKIM, and SPF. Use attachment sandboxing. Block high-risk file types and risky macro behaviour.

Fix backup posture. Follow the 3-2-1 rule with an immutable copy. Automate backup verification and schedule regular restore tests so you know recovery works under pressure.

Embed the lessons. Run a post-incident review. Document root cause, control gaps, and agreed actions. Assign owners and deadlines. Update playbooks, asset inventories, supplier access, and training to ensure your next response is faster and more efficient.

How to prevent ransomware attacks

Ransomware is preventable. Focus on controls that block common entry points, detect fast, and let you recover cleanly.

Implement strong access controls

Use multi-factor authentication on email, VPN, admin, and remote access. Apply the principle of least privilege so users only have the access they need. Remove shared admin accounts and utilise privileged access management for tasks that require elevated privileges. 

Review the joiner, mover, and leaver processes to ensure prompt access changes. Disable legacy protocols and enforce strong, unique passwords or passkeys.

Keep systems patched and updated

Treat unpatched software as an open door. Apply security updates on a set cadence and fast-track critical patches. Prioritise internet-facing services, VPNs, hypervisors, and email systems. Replace or isolate unsupported operating systems. Use automated patching where possible and verify completion with reports.

Backup data securely

Follow the 3-2-1 rule with at least one offline or immutable copy. Separate backup credentials from everyday admin accounts. Test restores regularly, so you know they work at speed. Snapshot critical systems before major changes. Keep backup networks segmented from production.
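The backup checks this guide calls for in three places (validating that a restore point is offline or immutable and predates the compromise in Step 4 of recovery, and the 3-2-1 rule with automated verification under both "fix backup posture" and this section) can be scripted against a backup catalogue. The following is an added example written for this guide, not code from the original page or from any backup product; the catalogue fields, the three sample copies, the compromise date and the file contents are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class BackupCopy:
    """One copy in the backup catalogue. The field values used below are constructed for the example."""
    name: str
    media: str          # "disk", "object-storage", "tape", ...
    location: str       # "onsite" or "offsite"
    immutable: bool     # object lock / WORM: cannot be altered or deleted before retention expires
    online: bool        # reachable from the production network (and so from an intruder on it)
    created: datetime   # when the copy was taken
    manifest: dict      # relative path -> SHA-256 hex digest recorded at backup time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(copies) -> dict:
    """3 copies, on 2 media types, 1 offsite, and at least one that is immutable or offline."""
    media = {c.media for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media_types": len(media) >= 2,
        "one_offsite": any(c.location == "offsite" for c in copies),
        "one_immutable_or_offline": any(c.immutable or not c.online for c in copies),
    }


def select_restore_point(copies, compromise_time):
    """Newest copy that an intruder could not have altered and that predates the compromise, or None."""
    candidates = [c for c in copies if (c.immutable or not c.online) and c.created < compromise_time]
    return max(candidates, key=lambda c: c.created, default=None)


def verify_manifest(copy, restored: dict) -> list:
    """Recompute hashes of restored data ({path: bytes}) and report anything missing or changed."""
    problems = []
    for path, expected in copy.manifest.items():
        if path not in restored:
            problems.append(f"{path}: missing")
        elif sha256_hex(restored[path]) != expected:
            problems.append(f"{path}: hash mismatch")
    return problems


# Constructed data: what the backup contained when it was taken, and the estimated intrusion date.
GOOD_BLOBS = {
    "finance/ledger.csv": b"date,account,amount\n2024-02-10,4000,1250.00\n",
    "hr/staff.csv": b"id,name\n1,A. Example\n",
}
MANIFEST = {path: sha256_hex(data) for path, data in GOOD_BLOBS.items()}
COMPROMISE_TIME = datetime(2024, 2, 20, tzinfo=timezone.utc)   # earliest attacker activity found in logs

DISK_COPY = BackupCopy("disk-snapshot-2024-02-28", "disk", "onsite", immutable=False, online=True,
                       created=datetime(2024, 2, 28, tzinfo=timezone.utc), manifest=dict(MANIFEST))
CLOUD_COPY = BackupCopy("cloud-objectlock-2024-02-15", "object-storage", "offsite", immutable=True, online=True,
                        created=datetime(2024, 2, 15, tzinfo=timezone.utc), manifest=dict(MANIFEST))
TAPE_COPY = BackupCopy("tape-offline-2024-02-01", "tape", "offsite", immutable=False, online=False,
                       created=datetime(2024, 2, 1, tzinfo=timezone.utc), manifest=dict(MANIFEST))
SAMPLE_COPIES = [DISK_COPY, CLOUD_COPY, TAPE_COPY]

# A restore in which one file came back altered (constructed so the manifest check has something to catch).
TAMPERED_RESTORE = {**GOOD_BLOBS, "finance/ledger.csv": b"date,account,amount\n2024-02-10,4000,9999.00\n"}

if __name__ == "__main__":
    print("3-2-1 posture:", check_3_2_1(SAMPLE_COPIES))
    chosen = select_restore_point(SAMPLE_COPIES, COMPROMISE_TIME)
    print("restore from:", chosen.name if chosen else "no trustworthy copy predates the compromise")
    print("manifest problems:", verify_manifest(chosen, TAMPERED_RESTORE))
```

The point of the sample data is that the newest copy is the wrong one: the disk snapshot is the most recent but was taken after the intruders were already inside and sits on the production network, so the selector skips it for the older immutable cloud copy. The manifest must be written at backup time and kept with the immutable copy; a hash list stored on the production file server is exactly what an attacker would alter alongside the data.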

Train employees

Most attacks start with a phish. Teach staff to spot suspicious emails, links, and attachments. Make reporting easy with a one-click button. 

Run short, regular simulations and share lessons without blame. Include contractors and temps. Reinforce safe use of remote tools and file-sharing.

Use endpoint detection and response (EDR)

Deploy EDR on servers and endpoints to spot malicious behaviour early. Enable tamper protection and default to block mode for known threats. 

Feed alerts into central monitoring and ensure someone watches out of hours. Utilise EDR to detect lateral movement, credential theft, and persistence.

Have an incident response plan

Write a simple, tested plan. Assign roles, define a decision log, and list emergency contacts for IT, legal, insurance, and PR. Set a response timeline for the first hour, first day, and first week. Run tabletop exercises at least quarterly. Keep clean copies of the plan offline.

Limit remote access and segment networks

Harden or retire RDP. Restrict remote tools to approved methods and allow-lists. Segment networks so that a breach in one area does not bring down the entire system. Protect domain controllers, hypervisors, and backups behind tighter controls. Monitor east-west traffic for unusual movement.

Harden email and web gateways

Enable DMARC, DKIM, and SPF. Use attachment sandboxing and block high-risk file types and macros. Add protective DNS or web filtering to stop known malicious domains. Monitor for look-alike domains targeting your staff and customers.
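"Enable DMARC, DKIM, and SPF" (here and under "Harden email security" in the recovery section) is only effective if the published records actually enforce something, and a surprising number of domains publish SPF with `?all` or DMARC with `p=none`, which block nothing. The following checker rates SPF and DMARC TXT records and shows a weak pair beside a hardened pair. It is an added example for this guide, not code from the original page or from any DNS or mail vendor; it works on record strings you supply (fetched with your usual DNS tools) rather than querying DNS itself, and the example.com records and 203.0.113.0/24 range are constructed from reserved names and addresses. The lookup limit it enforces is the 10-lookup rule from RFC 7208.

```python
# Mechanisms and the redirect modifier that each cost a DNS lookup under RFC 7208 (limit of 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term: str) -> str:
    """'-all' -> 'all', 'include:_spf.x' -> 'include', 'ip4:10.0.0.0/8' -> 'ip4'."""
    t = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        t = t.split(sep, 1)[0]
    return t.lower()


def assess_spf(txt: str) -> dict:
    """Rate an SPF TXT record: missing / invalid / weak / acceptable / strong, with findings."""
    findings = []
    if not txt or not txt.lower().startswith("v=spf1"):
        return {"rating": "missing", "findings": ["no SPF record published"]}
    terms = txt.split()[1:]
    lookups = sum(1 for t in terms if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        return {"rating": "invalid", "findings": [f"{lookups} DNS lookups exceed the limit of 10 (permerror)"]}
    all_term = next((t for t in terms if _term_name(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are neutral, so the record blocks nothing")
        return {"rating": "weak", "findings": findings}
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "-":
        rating = "strong"
    elif qualifier == "~":
        rating = "acceptable"
        findings.append("~all (softfail): receivers may still deliver spoofed mail; move to -all once aligned")
    else:
        rating = "weak"
        findings.append(f"{all_term}: every sender passes, so spoofing is not restricted")
    if "ptr" in {_term_name(t) for t in terms}:
        findings.append("ptr mechanism is deprecated and slow; replace with ip4/ip6 or include")
    return {"rating": rating, "findings": findings}


def assess_dmarc(txt: str) -> dict:
    """Rate a DMARC TXT record (_dmarc.<domain>) by its policy, pct and reporting tags."""
    findings = []
    if not txt or not txt.upper().startswith("V=DMARC1"):
        return {"rating": "missing", "findings": ["no DMARC record published"]}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p")
    if policy is None:
        return {"rating": "invalid", "findings": ["required tag p= is absent"]}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "reject" and pct == 100:
        rating = "strong"
    elif policy == "reject":
        rating = "partial"
        findings.append(f"pct={pct}: only that share of failing mail is rejected")
    elif policy == "quarantine":
        rating = "acceptable"
        findings.append("p=quarantine: spoofed mail lands in junk rather than being rejected")
    else:
        rating = "weak"
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports showing who is spoofing you")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains can be spoofed even if the main domain is protected")
    return {"rating": rating, "findings": findings}


# Constructed records for example.com (a reserved name): the weak pair beside the hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mail.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}] SPF:   {assess_spf(spf)}")
        print(f"[{label}] DMARC: {assess_dmarc(dmarc)}")
```

The usual path from the weak pair to the hardened pair is to start at `p=none` with an `rua=` address, use the aggregate reports to find every legitimate sender, fix SPF and DKIM alignment for each, then step through `p=quarantine` to `p=reject`; moving straight to reject before the reports are clean is how businesses end up blocking their own invoicing platform. DKIM is not covered by this checker because it is verified per message against the selector's public key rather than by reading one policy record.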

How ransomware affects cyber insurance

Ransomware is insurable, but cover is conditional. Policies help with response and recovery, yet limits, sub-limits, and exclusions apply. Your security controls influence both whether you can obtain cyber insurance and what it costs.

Cover you can expect

Most policies fund an end-to-end response. That usually includes breach counsel, incident response, and forensic investigation. Data recovery and system rebuild costs are commonly covered, subject to limits and evidence of reasonable steps to mitigate loss. 

If operations stall, business interruption can cover lost income and extra costs to keep services running. Many policies also include public relations support to manage customers and media.

Extortion cover may fund specialist negotiators and, where legal, a ransom payment. Insurers will first screen the threat group for sanctions risk and confirm that paying is lawful and proportionate. Approval is required before any payment. 

Expect ransomware sub-limits, waiting periods for business interruption, and defined periods of indemnity. Coverage terms vary, so check the wording for triggers, proof requirements, and notification deadlines.

Common exclusions

Insurers increasingly exclude events they cannot price. State-backed or war-like attacks may fall outside the coverage under war or state-actor exclusions. 

Claims can be declined if core controls, such as multi-factor authentication on email or remote access, were missing, or if critical patches were ignored. Late notification, unapproved ransom payments, and failure to use the insurer’s panel vendors can also void parts of your cover. 

Expect limits or exclusions around regulatory fines, contractual penalties, and pre-existing incidents known before the policy start date. Some policies impose co-insurance on ransomware losses, requiring a percentage of the cost to be shared with the insured.

How ransomware drives premiums and underwriting

Ransomware frequency and severity have pushed premiums up and tightened underwriting. Insurers now treat certain controls as minimum standards. 

Typical requirements include multi-factor authentication, endpoint detection and response, regular patching, network segmentation, and offline or immutable backups with restore testing. 

Underwriters may ask for evidence, such as EDR deployment reports, backup architecture, and results of recent phishing tests. Strong controls reduce price and increase available limits. Weak controls lead to higher deductibles, ransomware sub-limits, co-insurance, or a refusal to quote. A clean incident history and rehearsed response plan can materially improve terms.