What is Ransomware? How It Works & How to Respond

Ransomware

Ransomware is a type of malicious software that encrypts an organization's data or systems and demands payment (a ransom) for the decryption key. Modern ransomware attacks often include data theft and threats to publish stolen data (double extortion).

cybersecurity

malware

extortion

incident response

data breach

Why It Matters

Ransomware has become a multibillion-dollar criminal industry. Attacks don't just lock your files — modern ransomware gangs steal data first, then encrypt systems, threatening to publish the stolen data unless a ransom is paid. This "double extortion" means even organizations with good backups face significant risk. Under GDPR, a ransomware attack involving personal data is a reportable data breach.

How Ransomware Works

Initial access — typically through phishing emails, compromised credentials, or exploiting unpatched vulnerabilities
Lateral movement — attackers move through the network, escalating privileges and identifying valuable data
Data exfiltration — sensitive data is stolen before encryption (for double extortion leverage)
Encryption — files and systems are encrypted, rendering them unusable
Ransom demand — a note demands payment (usually in cryptocurrency) for decryption keys and a promise not to publish stolen data

Compliance Implications

GDPR Article 33 — ransomware involving personal data triggers the 72-hour breach notification obligation
NIS2 — essential and important entities must report significant incidents within 24 hours (early warning) and 72 hours (full notification)
CIRCIA — US critical infrastructure entities must report within 72 hours, and ransom payments within 24 hours
HIPAA — healthcare ransomware incidents involving ePHI are presumed reportable breaches

Response Steps

Isolate affected systems immediately to prevent spread
Do not pay the ransom — there's no guarantee of data recovery, and payment funds further attacks
Preserve evidence for law enforcement and forensic analysis
Activate incident response plan and notify relevant stakeholders
Report to authorities — supervisory authority (GDPR), CERT/CSIRT (NIS2), law enforcement
Restore from backups if available and verified clean
Communicate with affected individuals if personal data is at risk

Prevention

Regular patching of operating systems and software
Offline backups tested regularly (3-2-1 rule: 3 copies, 2 media types, 1 offsite)
Network segmentation to limit lateral movement
MFA on all remote access and privileged accounts
Employee training on phishing recognition
Endpoint detection and response (EDR) tools

Key Statistics

Average ransomware recovery cost: $1.82 million (Sophos, 2023)
Average downtime after attack: 24 days
75% of ransomware attacks begin with a phishing email

Why It Matters

How Ransomware Works

Initial access — typically through phishing emails, compromised credentials, or exploiting unpatched vulnerabilities
Lateral movement — attackers move through the network, escalating privileges and identifying valuable data
Data exfiltration — sensitive data is stolen before encryption (for double extortion leverage)
Encryption — files and systems are encrypted, rendering them unusable
Ransom demand — a note demands payment (usually in cryptocurrency) for decryption keys and a promise not to publish stolen data

Compliance Implications

GDPR Article 33 — ransomware involving personal data triggers the 72-hour breach notification obligation
NIS2 — essential and important entities must report significant incidents within 24 hours (early warning) and 72 hours (full notification)
CIRCIA — US critical infrastructure entities must report within 72 hours, and ransom payments within 24 hours
HIPAA — healthcare ransomware incidents involving ePHI are presumed reportable breaches

Response Steps

Isolate affected systems immediately to prevent spread
Do not pay the ransom — there's no guarantee of data recovery, and payment funds further attacks
Preserve evidence for law enforcement and forensic analysis
Activate incident response plan and notify relevant stakeholders
Report to authorities — supervisory authority (GDPR), CERT/CSIRT (NIS2), law enforcement
Restore from backups if available and verified clean
Communicate with affected individuals if personal data is at risk

Prevention

Regular patching of operating systems and software
Offline backups tested regularly (3-2-1 rule: 3 copies, 2 media types, 1 offsite)
Network segmentation to limit lateral movement
MFA on all remote access and privileged accounts
Employee training on phishing recognition
Endpoint detection and response (EDR) tools

Key Statistics

Average ransomware recovery cost: $1.82 million (Sophos, 2023)
Average downtime after attack: 24 days
75% of ransomware attacks begin with a phishing email

Ransomware

Why It Matters

How Ransomware Works

Compliance Implications

Response Steps

Prevention

Key Statistics

Phishing

Incident Response

Breach Notification

NIS2 Directive

Business Continuity

Want to learn more?

Ransomware

Why It Matters

How Ransomware Works

Compliance Implications

Response Steps

Prevention

Key Statistics

Phishing

Incident Response

Breach Notification

NIS2 Directive

Business Continuity

Want to learn more?