How to prevent ransomware and what to do if you become a victim

2025-10-06 | 15 min Cyber Security

Ransomware is one of the most dangerous cyber threats today, affecting businesses of all sizes – from small businesses to global corporations. It can cripple operations, block access to data, cause financial losses and damage reputations. What specific steps can organizations take to protect their systems, and what should they do if they become a victim?

Imagine arriving at work one day, turning on your computer, and instead of accessing company documents, seeing a message: “Your files have been encrypted. To get them back, pay the ransom.” Work stops, customers are waiting, and tension in the team is rising. This is not a movie scenario, but a reality experienced by thousands of companies around the world.

What is ransomware?

Ransomware is a type of malicious software that infects company computers, encrypts data, and demands a ransom for its recovery. Cybercriminals often request payment in cryptocurrency to avoid being traced. If the company doesn’t pay, it risks losing all its data. Even if it does pay, there’s still no guarantee the data will be restored — some attackers simply disappear after receiving payment.

How often does it happen?

If you think these attacks only target large corporations, you’re mistaken. Ransomware attacks small and medium-sized businesses just as often as big ones. Why? Because smaller companies usually have weaker security and fewer resources to deal with cyber threats.

  • Every 11 seconds, a ransomware attack occurs somewhere in the world.
  • 60% of small and medium-sized businesses go bankrupt within six months of a major cyberattack.
  • The average ransom demand ranges from tens of thousands to millions of euros.

What are the consequences of ransomware?

Cybercriminals exploit companies’ weak points, and the consequences can be catastrophic:

  • Data loss – Company documentation, contracts, customer data, invoices — all can be encrypted and inaccessible.
  • Financial losses – In addition to the ransom, the company loses revenue because employees can’t work. The cost of restoring IT infrastructure can be enormous.
  • Reputation damage – If sensitive customer data leaks, client trust can be permanently destroyed. No one wants to do business with a company that can’t protect its data.

Real cases showing the business impact

Ransomware has become so widespread that it no longer threatens only IT giants — hospitals, law firms, and logistics companies have all been affected, with devastating results. In 2021, an attack on Colonial Pipeline in the USA shut down one of the largest fuel infrastructures, causing massive shortages and forcing the company to pay hackers a ransom of $4.4 million. A year earlier, British financial company Travelex became a victim of ransomware, losing millions of pounds after several weeks of downtime and ultimately declaring bankruptcy. In Germany in 2020, a ransomware attack crippled hospital systems, blocked access to patient records, and prevented urgent surgeries, leading to the tragic death of a patient who had to be transferred to another facility.

How does ransomware work and what are its variants?

Ransomware is not just one type of malicious software — cybercriminals constantly develop new ways to encrypt company data, paralyze operations, and force victims to pay. Some variants are simple, others highly sophisticated. Here are the four most common types of ransomware companies may encounter.

Encryption ransomware (Crypto ransomware)

This is the most common and dangerous type of ransomware. Once it infects a system, it encrypts files so they cannot be recovered without a decryption key. Victims see a warning message demanding payment — usually in cryptocurrency to keep attackers anonymous.

How does it enter a company?
Most often through fake emails, infected attachments, or malicious websites. An employee might, for example, download a file disguised as a document named “Invoice_urgent.pdf,” which actually launches ransomware and immediately encrypts company data.

How can it harm?
In 2017, the WannaCry ransomware spread worldwide, infecting more than 200,000 computers in 150 countries. It caused shutdowns in hospitals, factories, and banks — all due to one security flaw in Windows systems.

Locker ransomware

Unlike encryption ransomware, this one doesn’t block individual files — it locks the entire system. The computer becomes unusable, and employees can’t log in or work. A typical message appears:

“Your computer has been locked. Contact us and pay a fee to regain access.”

How does it enter a company?
Most often through infected software packages or websites. It’s enough for someone on the team to download an unreliable program or a pirated software copy containing malicious code.

How can it harm?
In 2016, the Petya ransomware attacked major corporations. The attackers claimed it was a typical encryption ransomware, but in reality, it simply destroyed data — even victims who paid never recovered their files.

Double extortion ransomware

Some attackers go even further — besides encrypting data, they threaten to publish it. This means that even if a company has backups and refuses to pay, it still risks having sensitive data leaked online.

Why is it dangerous?
Even if the company has good backups and can restore its systems, a data leak can lead to:

  • Legal issues – Loss of personal client data may violate GDPR and result in fines.
  • Reputation damage – If trade secrets or customer data appear online, the company may lose client trust.

How can it harm?
The Maze ransomware was one of the first to combine data encryption with threats of public disclosure. In 2020, it attacked several large firms, including law offices and tech companies. Attackers published parts of stolen data as proof they were serious.

Ransomware-as-a-Service (RaaS)

Just like companies rent cloud services, cybercriminals now offer ransomware “for rent.” RaaS enables even less experienced hackers to launch attacks without needing to code their own malware.

How does it work?
Professional cybercriminals develop ransomware and sell or lease it on the dark web. Buyers can use it for their own attacks, and the ransom profits are shared between the creators and attackers.

Why is it a threat?
This model allows ransomware to spread faster and more aggressively. In the past, ransomware attacks were carried out only by specialized hackers — today, anyone with enough money can launch one.

How can it harm?
The REvil ransomware was offered as RaaS and caused massive damage worldwide. Attackers rented it and used it to target IT firms, law offices, and healthcare providers.

How can companies protect themselves from ransomware?

Ransomware is a serious threat to companies of all sizes, but specific measures can significantly reduce the risk of attack. Prevention is always cheaper and less painful than dealing with the aftermath. Protection against this type of cyberattack lies in a combination of technical measures, good IT infrastructure organization, and employee training — including a well-prepared disaster recovery plan, or business continuity plan.

Data backup: The first line of defense

The most effective protection against ransomware is having up-to-date and secure data backups. If data is regularly backed up and safely stored, the company can recover even in case of an attack — without having to pay the ransom.

How often should backups be made?

  • At least once a day — ideally automated to avoid human error.
  • For critical data, it may be advisable to back up at shorter intervals.

Where to store backups?

  • Offline backups (so-called air-gapped storage) – storing backups on physical media that are not connected to the internet or the company network. This prevents them from being infected during a ransomware attack.
  • Cloud solutions – cloud backups provide flexibility and protection against physical damage (for example, fire or theft of servers). It’s important that the cloud storage supports file versioning, allowing data to be restored from a point before the attack.
  • 3-2-1 backup rule – a recommended standard meaning keeping three copies of data, stored on two different types of media, with at least one backup offline.
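One way to turn the backup advice above (daily runs, versioning, the 3-2-1 rule) into a routine check is to audit the backup inventory with a script. This is an added example, not code from the original article; the `Copy` record, the inventory format and both sample inventories are constructed for it.

```python
"""Audit a backup inventory against the 3-2-1 rule and the daily-backup advice
above. Added example, not from the original article; the Copy record and the
two inventories are constructed for it."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Copy:
    location: str            # label such as "tape-vault"
    media: str               # "disk", "tape", "cloud", ...
    offline: bool            # air-gapped: not reachable from the network
    versioned: bool          # storage keeps earlier versions of each file
    last_success: datetime   # end of the last completed backup run

def audit_backups(copies, now, max_age=timedelta(days=1)):
    """Return a list of findings; an empty list means the policy is met.

    Checks 3-2-1 (>=3 copies, >=2 media types, >=1 offline copy), that no
    copy is older than max_age, and that at least one online copy keeps
    file versions so a point before the attack can be restored.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"3-2-1: fewer than 2 media types ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offline for c in copies):
        findings.append("3-2-1: no offline (air-gapped) copy")
    if not any(c.versioned for c in copies if not c.offline):
        findings.append("no online copy keeps file versions; a pre-attack restore point may be lost")
    for c in copies:
        age = now - c.last_success
        if age > max_age:
            findings.append(f"{c.location}: last successful backup is {age.days} day(s) old, limit {max_age.days}")
    return findings

# Constructed inventories: one that meets the policy and one that does not.
NOW = datetime(2025, 10, 6, 8, 0, tzinfo=timezone.utc)
GOOD = [
    Copy("onsite-nas", "disk", False, True, NOW - timedelta(hours=6)),
    Copy("cloud-bucket", "cloud", False, True, NOW - timedelta(hours=3)),
    Copy("tape-vault", "tape", True, False, NOW - timedelta(hours=20)),
]
WEAK = [
    Copy("onsite-nas", "disk", False, False, NOW - timedelta(hours=6)),
    Copy("second-nas", "disk", False, False, NOW - timedelta(days=4)),
]

if __name__ == "__main__":
    for label, inv in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_backups(inv, NOW) or "policy met")
```

Run against a real inventory, the findings list is what a restore-readiness review should be empty of; the `WEAK` inventory shows the typical failure of two disks on the same network with no offline copy.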

Network segmentation and access control

Many companies store all their data and systems in one central storage location, which poses a major security risk. If ransomware infects the network, it can spread uncontrollably and paralyze the entire company.

Why is storing all company data in one place not enough?

  • Without segmentation, an attacker who gains network access can let ransomware encrypt every file at once.
  • Dividing data into separate segments reduces the risk of total data loss in case of an attack.

How to properly limit employee access only to necessary data?

  • Principle of Least Privilege Access – employees should have access only to the data and systems they need for their work.
  • Multi-Factor Authentication (MFA) – sensitive data should be protected by more than just a password, ideally a combination of a password and biometrics or one-time codes.
  • Monitoring and logging of access – the IT department should regularly review access to important systems and identify suspicious behavior.

Employee training: Prevention starts with people

One of the most common ways ransomware enters a company is through human error. A careless click on a malicious email or downloading an infected file can compromise the entire company network.

How to recognize phishing emails and avoid opening suspicious attachments?

  • Check the sender’s email address – scammers often mimic trusted contacts, but their emails may contain slight typos or unusual domains.
  • Don’t open unexpected attachments – especially those with extensions like .exe, .zip, .rar, .js, .docm.
  • Beware of urgent messages – scammers often use psychological pressure tactics, e.g., “Your invoice is incorrect, open the attachment immediately.”
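The three checks above (sender domain, attachment extension, pressure language) can also be applied automatically before a message reaches an inbox. The following is an added example, not code from the original article; the trusted-domain list, the phrase list and the sample message are constructed for it, and the look-alike domain and the double extension in the sample are modelled on the “Invoice_urgent.pdf” scenario described earlier.

```python
"""Triage one e-mail against the three phishing checks listed above: sender
domain, risky attachment extensions and pressure language. Added example, not
from the original article; domain list, phrase list and sample are constructed."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-supplier.com", "example-bank.com"}  # constructed
RISKY_EXTENSIONS = (".exe", ".zip", ".rar", ".js", ".docm")      # named in the article
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours")   # constructed

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return warning strings for an RFC 822 message; an empty list means no flag."""
    msg = message_from_string(raw)
    flags, text = [], []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        near = [t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2]
        flags.append(f"sender domain {domain!r} looks like trusted {near[0]!r}" if near
                     else f"sender domain {domain!r} is not a known contact")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):  # also catches "x.pdf.exe"
            flags.append(f"attachment {name!r} has a risky extension")
        elif not name and part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = " ".join(text).lower()
    flags += [f"pressure language: {p!r}" for p in URGENCY_PHRASES if p in body]
    return flags

# Constructed sample: look-alike domain ("exarnple"), double extension, urgency.
PHISHING = """\
From: "Accounts" <billing@exarnple-supplier.com>
Subject: Your invoice is incorrect
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your invoice is incorrect, open the attachment immediately.
--b1
Content-Disposition: attachment; filename="Invoice_urgent.pdf.exe"

--b1--
"""
```

Calling `triage(PHISHING)` returns three warnings, one per check; a message from a trusted domain with no attachment and no pressure phrases returns an empty list.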

How to avoid dangerous websites?

  • Employees should know how to identify unsafe websites – for example, those lacking secure connections (HTTPS), containing many grammatical errors, or offering “too good to be true” deals.
  • Using a company VPN and blocking suspicious domains via a firewall can prevent accidental visits to malicious sites.

IT infrastructure security measures

Technological measures are the foundation of ransomware prevention. Companies should regularly check and update their IT infrastructure to minimize vulnerabilities that attackers could exploit.

Regular software and operating system updates

  • Many ransomware attacks exploit vulnerabilities in outdated software. Regular updates minimize the risk of attack.
  • Automatic updates ensure all devices use the latest security patches.

Use of strong passwords and multi-factor authentication (MFA)

  • Employees should use long, unique passwords and never share them.
  • Multi-factor authentication adds an extra layer of protection, reducing the risk of unauthorized system access.

Antivirus solutions and EDR (Endpoint Detection and Response) systems

  • Modern security solutions can detect and stop ransomware before it causes damage.
  • EDR systems monitor suspicious device activity and can identify and isolate threats in real time.

What to do if your company becomes a victim of a ransomware attack

Even with thorough prevention, it can still happen — your company may become a victim of a ransomware attack. If your system displays a warning message demanding a ransom, it’s crucial to stay calm and act systematically. A quick and correct response can minimize damage and help the company restore operations as soon as possible.

First steps after ransomware infection

When a company discovers a ransomware attack, it must act immediately. The sooner the right steps are taken, the greater the chance of stopping the spread and recovering the data.

Disconnect the infected device from the network

  • If ransomware is in the early stage of spreading, disconnecting the infected device from the network can prevent the attack from reaching other systems.
  • It’s important to disconnect not only the internet but also company Wi-Fi, Bluetooth, and any external drives or USB devices that may contain backups or sensitive data.

Determine the extent of the damage

  • The IT department or external experts should quickly identify which devices and files were encrypted and whether the ransomware affected only a local computer or also servers and cloud storage.
  • It’s essential to determine whether a data leak occurred, since some ransomware types (e.g., double extortion) not only encrypt data but also threaten to publish it.

Inform the IT team or external specialists

  • If the company doesn’t have its own cybersecurity team, it’s critical to immediately contact professionals experienced in handling ransomware incidents.
  • In some cases, it may be possible to identify the specific ransomware type and find decryption tools that help restore data without paying the ransom.

To pay or not to pay the ransom?

Attackers demand a ransom with the promise that, once paid, they will provide a decryption key. Many business owners, in desperation to restore operations quickly, consider paying. However, it’s a risky decision with several serious downsides.

Risks of paying the ransom

  • No guarantee of data recovery – Attackers may disappear after payment without providing the key. Statistics show that in some cases, companies paid but never regained access to their data.
  • Supporting cybercrime – Every ransom payment motivates attackers to continue targeting other businesses.
  • Risk of repeated attacks – Companies that pay often become targets again, as attackers see them as “willing payers.”

Alternatives to paying the ransom

If a company follows proper security practices, there are several ways to recover data without paying:

  • Using backups – If the company has regular offline backups and a proper disaster recovery plan, it can quickly restore systems without paying the ransom.
  • Finding decryption tools – Some ransomware strains are well-known, and free decryption tools exist to help recover data. Such tools are provided by organizations like Europol or cybersecurity companies.
  • Forensic analysis of the attack – IT specialists can analyze the attack to find vulnerabilities the attackers exploited, helping to prevent future incidents.

Contacting professionals and legal experts

Not every ransomware case should be handled internally. In some situations, it’s essential to contact law enforcement and legal professionals.

When to contact the police or CERT-UK?

  • If attackers threaten to publish sensitive company or customer data.
  • If it’s a large-scale attack that may affect critical infrastructure (e.g., healthcare, energy, financial institutions).
  • If the company suspects that attackers have targeted multiple organizations in the same industry.

Specialized cybersecurity units (such as CERT-UK or national Computer Emergency Response Teams) can provide valuable guidance and, in some cases, technical assistance.

Legal implications and incident reporting

  • If personal data of customers or employees has been leaked, the company may be obligated to report the incident to data protection authorities under GDPR regulations.
  • Some companies have contractual obligations to inform business partners and clients about cybersecurity breaches.
  • The legal department should assess potential risks and help manage communication with affected parties.

Employees are the first line of defense

Even the best security software is useless if employees click on a phishing email or download a malicious file. That’s why staff training is one of the most important elements of cybersecurity.

Companies should implement:

  • Regular training to recognize phishing attacks: Employees should be able to identify suspicious emails, fake links, and malicious attachments.
  • Simulated cyberattacks: Testing employees through fake phishing campaigns helps reveal weak points within the organization.
  • Data security policies: Clear rules for handling sensitive information and steps to take when a potential threat is detected — together with a complete inventory of the data covered by the company’s information security framework (for example, maintained with DLP systems).

Employees are often the first target of attackers, which is why their education can significantly reduce the risk of an attack.

Regular backups and security policies can save not only money but also the company’s very existence

No company is entirely immune to ransomware attacks. The key difference between businesses that survive such incidents with minimal damage and those that face existential problems lies in properly configured backups, robust security measures, and a well-designed disaster recovery plan.

Every company should have in place:

  • Automated backups – Data should be regularly backed up to multiple independent storage locations, including offline backups that are not connected to the network.
  • Regular recovery testing – Having backups is not enough; it’s essential to regularly verify that they can actually be used to restore systems.
  • A data access security strategy – Strict policies that limit access to sensitive files only to those who truly need it.
  • Disaster recovery and business continuity plan – A detailed procedure defining what to do in case of a cyberattack, who is responsible for what, and how to minimize the damage.

Companies that follow these principles have a much higher chance of overcoming an attack without catastrophic consequences.

In conclusion, even the best strategies and technologies cannot succeed without the people managing them. Infrastructure and security teams are often understaffed — precisely because when everything works, their work goes unnoticed.

Cybersecurity, however, is not an “invisible service” but a key investment in the proper functioning of a company. Strengthening and adequately staffing these teams can be the decisive factor that determines whether a business survives an attack — and with what financial, data, or operational loss.