Ransomware is malicious software that encrypts a victim's files, making them inaccessible, and demands a ransom payment in exchange for the decryption key. Modern ransomware attacks also include data theft and the threat of public data publication.

How do ransomware attacks start?

Most ransomware attacks begin through phishing emails, exploitation of vulnerabilities in internet-facing systems (VPNs, RDP, firewalls), or through credentials purchased from initial access brokers on criminal forums.

Should I pay the ransom?

Paying the ransom does not guarantee data recovery and carries sanctions compliance risk. The decision should involve legal counsel, your IR firm, and your cyber insurer, and only be made after professional assessment of alternatives.

What should I do if I discover ransomware?

Do not reboot affected systems. Isolate them from the network by disconnecting cables. Call an incident response firm immediately. Notify your cyber insurer. Preserve logs before they roll over.

What Is Ransomware? How It Works and What to Do

The Definition

Ransomware is malicious software that encrypts a victim's files and demands payment in exchange for the decryption key. The name combines "ransom" and "software" — it is software designed to hold your data hostage.

In 2026, the term encompasses something more complex than simple encryption. Most ransomware attacks are double extortion operations: the attacker encrypts your files and steals a copy of your data, threatening to publish it unless a ransom is paid. Payment is demanded twice — once for decryption, once for suppression of the stolen data. Some groups have moved to pure extortion without encryption — theft and threatened publication only.

How Ransomware Works Technically

Understanding the technical mechanics helps explain why recovery is complicated.

Encryption

Ransomware typically uses a combination of asymmetric and symmetric encryption. A unique encryption key is generated for the victim (symmetric key), used to encrypt files, then itself encrypted using the attacker's public key (asymmetric). The victim cannot decrypt files without the attacker's private key — which they hold, and release only upon payment (when they choose to).

This is mathematically sound encryption — there is no way to break it without the private key. Claims from vendors that they can "decrypt without paying" are typically applicable only to specific groups whose encryption implementation had flaws, or where law enforcement seized decryption keys from infrastructure.

File Selection

Modern ransomware does not encrypt every file — it would take too long and is operationally unnecessary. Typically it targets specific file extensions (documents, databases, backups, virtual machine files), skips system files needed to keep Windows running (the ransom note needs to be displayed), and uses partial file encryption on large files to maximise speed.

This partial encryption is why some files appear intact after an attack but cannot be opened — the beginning of the file, containing format headers, has been encrypted while the remainder is unmodified.

Propagation

Ransomware spread across a network is typically not automatic worm-like propagation. In most enterprise incidents, the attacker deploys ransomware manually or via script from a compromised Domain Controller — pushing it to hundreds or thousands of systems simultaneously via Group Policy or remote management tools. This is why Active Directory compromise is the critical pivot point: once an attacker has domain admin, they can encrypt the entire estate in minutes.

How Attacks Start: Initial Access

The encryption event is usually weeks after the initial intrusion. How attackers get in:

Phishing: Malicious email attachments or links that install malware or steal credentials. The single most common initial access vector across all sectors.
Exposed RDP: Remote Desktop Protocol accessible from the internet — either on standard port 3389 or non-standard ports. Brute-forced or accessed with stolen credentials.
VPN vulnerabilities: Unpatched vulnerabilities in Fortinet, Citrix, Pulse Secure, and similar appliances are exploited within days of public disclosure. The window for patching is narrow.
Credential theft: Credentials purchased from initial access brokers or obtained from dark web credential dumps — where employees have reused passwords between corporate and personal accounts.
Malicious software updates: Supply chain attacks where legitimate software is compromised to deliver malware to users who install routine updates.

The Ransomware-as-a-Service Model

Most major ransomware operations in 2026 are structured as Ransomware-as-a-Service (RaaS): a criminal organisation develops and maintains the ransomware platform, portal, and support infrastructure. Independent affiliates conduct the actual intrusions and deployments, earning 70–80% of ransom payments in exchange.

This industrialisation of ransomware has driven the explosion in attack volume. The barrier to entry for becoming a ransomware affiliate is access to a target — not technical capability. Affiliates purchase that access from initial access brokers or conduct their own phishing campaigns, deploy the platform they have licensed, and run negotiations through the RaaS portal.

Who Gets Hit

The short answer: everyone. The longer answer: ransomware groups prioritise victims with revenue above approximately £5–10 million and low perceived security investment relative to revenue. Healthcare, legal, professional services, and manufacturing are consistently high-frequency targets. Critical infrastructure — energy, water, transport — is targeted but with more selectivity due to law enforcement attention.

SMEs below the £5 million threshold are not immune — they are targeted by lower-tier affiliates, automated attacks, and as stepping stones to larger supply chain targets.

The Impact

Beyond the ransom demand itself, ransomware incidents typically cause:

Business interruption: Weeks to months of reduced or zero operational capacity
Recovery costs: IR fees, forensics, rebuild costs, new hardware, often exceeding the ransom demand
Data breach exposure: GDPR fines, customer notification costs, regulatory investigation
Reputational damage: Customer attrition, brand damage, particularly significant for professional services and healthcare
Legal costs: Regulatory defence, potential civil litigation from affected customers or employees

Total incident cost, inclusive of all of the above, typically runs 3–10x the initial ransom demand in major incidents.

What to Do If You Are Hit

If you discover ransomware right now:

Do not reboot or power off affected systems — isolate from the network by disconnecting cables
Call an incident response firm immediately — before making any further decisions
Do not use potentially compromised systems to communicate about the incident
Notify your cyber insurer as soon as possible
Preserve logs — export Windows event logs and firewall logs before they roll over
Do not allow IT staff to "clean" systems without forensic guidance

See our full ransomware response checklist →

Prevention: What Actually Reduces Risk

Enforce multi-factor authentication on all remote access and email — this single control prevents a significant proportion of attacks
Patch VPN and perimeter appliances within 24–48 hours of critical vulnerability disclosure
Eliminate internet-exposed RDP
Deploy and actively monitor endpoint detection and response (EDR) tooling
Implement network segmentation — limit lateral movement if an attacker gains initial access
Test backups with full restores — an untested backup is not a backup
Train staff on phishing — specifically on reporting suspicious emails, not just avoiding obvious ones
Have an IR retainer in place before you need one

Frequently Asked Questions

Can ransomware be decrypted without paying?

In rare cases — where law enforcement has seized decryption keys (as with LockBit infrastructure in 2024) or where a specific variant had encryption flaws — free decryptors are available. Check nomoreransom.org for your specific variant. For most active ransomware groups, decryption without the key is not possible.

Will my cyber insurance cover a ransomware attack?

Probably yes, partially. Most cyber policies cover ransom payments, IR costs, and business interruption — but with sublimits and conditions. Read your policy's extortion and ransom section specifically. Pre-insurer-approval of ransom payments is typically required.

Should I report ransomware to the police?

In the UK, report to Action Fraud and notify the NCSC for significant incidents. For incidents involving personal data, notify the ICO within 72 hours. Law enforcement involvement does not typically accelerate recovery but contributes to threat intelligence and may result in asset recovery in rare cases.

How long does ransomware recovery take?

For SMEs with intact backups: 2–4 weeks. For mid-market organisations with AD compromise and limited backups: 6–12 weeks. For large enterprises: 3–6 months is realistic. See our detailed recovery timeline guide →

Dealing With a Ransomware Incident?

Binary Response responds to ransomware incidents across the UK. Emergency response available now.