Ransomware has become the defining cybersecurity threat of the decade. Understanding how it works and how to defend against it is now a baseline requirement for any organization with a network.

How Ransomware Works

Ransomware is malicious software that encrypts a victim's files and demands payment in exchange for the decryption key. Modern ransomware attacks typically follow a predictable pattern: initial access (phishing, stolen or brute-forced remote-access credentials, or an exploited vulnerability), privilege escalation and lateral movement through the network, data exfiltration, deletion of backups and volume shadow copies the attacker can reach, encryption, and a ransom demand.

The exfiltration step is what makes modern ransomware particularly dangerous. Attackers don't just encrypt your data; they steal it first. This creates double extortion: pay up or we'll publish your data publicly. Some groups add triple extortion by contacting your customers or partners directly, which means a good backup alone no longer makes the problem go away.

How Ransomware Gets In

Phishing email is the most common entry point. An employee clicks a malicious link or opens an infected attachment, and the attacker gains a foothold in your network.

Exposed remote access services, particularly RDP (Remote Desktop Protocol) open to the internet, are another very common entry point. Attackers scan the whole internet for them constantly and get in with brute-forced, reused, or purchased credentials.

Unpatched vulnerabilities in internet-facing systems and applications provide another reliable entry point for attackers with the capability to exploit them.

The Five Most Important Defenses

1. Tested, offline backups. The only reliable recovery from ransomware is clean backups. They must be tested regularly, which means actually restoring from them and not just checking that the backup job reported success. At least one copy must be offline, air-gapped, or immutable so ransomware can't encrypt or delete it: attackers routinely hunt for backup servers and delete shadow copies before they encrypt, so the backup copy must not be reachable with the credentials they are likely to hold.

2. Multi-factor authentication everywhere. MFA on email, remote access, and admin accounts blocks most credential-based attack paths. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) for admin and remote-access accounts, because SMS codes and push notifications can be phished or worn down with repeated prompts.

3. Endpoint detection and response (EDR). EDR solutions watch for ransomware behavior, such as one process renaming or rewriting large numbers of files in seconds, shadow copy deletion, and ransom notes being dropped, and can isolate the host to stop an attack in progress. Standard signature-based antivirus is insufficient against modern ransomware. EDR only helps if it is deployed on every endpoint and someone acts on its alerts; attackers look specifically for the machines it is missing from.

4. Network segmentation. Limit lateral movement by segmenting your network. If an attacker compromises one system, segmentation prevents them from reaching everything else.

5. Employee security awareness training. Phishing is the primary delivery mechanism. Regular, realistic phishing simulations measurably reduce click rates over time, but some clicks will always get through, so training complements the technical controls above rather than replacing them.
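The behavioral signals that defense 3 relies on can be illustrated with a small detector run over a stream of file-system events. The following is an added example written for this article; it is not vGuard Cyber's code and not any EDR product's logic. The event format, the thresholds, the canary (honeyfile) path, the ransom-note pattern and the sample events are all constructed assumptions. It flags a process that renames many distinct files to a new extension inside a short window, that drops a file named like a ransom note, or that touches a canary file nobody should ever open, and it stays quiet for a backup job that writes many files without renaming any.

```python
"""Heuristic ransomware-behaviour detection over file-system events.

Added illustration, not an EDR vendor's code. Event shape, thresholds,
canary path and the sample events below are constructed assumptions.
"""
import os
import re
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 10        # sliding window per process (assumption)
RENAME_THRESHOLD = 20      # distinct files renamed to a new extension in the window
CANARY_PATHS = {"/srv/share/finance/~$canary_do_not_open.xlsx"}   # honeyfile, assumption
# Names typical of ransom notes (constructed pattern, not an exhaustive list)
RANSOM_NOTE_RE = re.compile(
    r"(readme|how.?to|restore|decrypt|recover)[^/\\]*\.(txt|html?|hta)$", re.I)


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds since epoch
    pid: int
    proc: str            # process image name
    op: str              # "create", "write" or "rename"
    path: str
    new_path: str = ""   # only used for "rename"


def is_ransom_note(path: str) -> bool:
    return bool(RANSOM_NOTE_RE.search(os.path.basename(path)))


def changes_extension(ev: FileEvent) -> bool:
    """True for a rename that gives the file a different extension (.docx -> .locked)."""
    if ev.op != "rename":
        return False
    old_ext = os.path.splitext(ev.path)[1].lower()
    new_ext = os.path.splitext(ev.new_path)[1].lower()
    return old_ext != new_ext


def detect(events):
    """Return alerts as (pid, proc, reason); at most one alert per process and signal."""
    renames = defaultdict(deque)   # (pid, proc) -> deque of (ts, path) for extension-changing renames
    alerts, seen = [], set()

    def alert(ev, kind, reason):
        key = (ev.pid, ev.proc, kind)
        if key not in seen:
            seen.add(key)
            alerts.append((ev.pid, ev.proc, reason))

    for ev in sorted(events, key=lambda e: e.ts):
        # Signal 1: anything touching a canary file is hostile by definition
        if ev.op in ("write", "rename") and ev.path in CANARY_PATHS:
            alert(ev, "canary", f"canary file touched: {ev.path}")
        # Signal 2: a file named like a ransom note appears
        if ev.op == "create" and is_ransom_note(ev.path):
            alert(ev, "note", f"ransom-note-like file created: {ev.path}")
        # Signal 3: mass extension-changing renames by one process in a short window
        if changes_extension(ev):
            q = renames[(ev.pid, ev.proc)]
            q.append((ev.ts, ev.path))
            while q and ev.ts - q[0][0] > WINDOW_SECONDS:
                q.popleft()
            distinct = len({p for _, p in q})
            if distinct >= RENAME_THRESHOLD:
                alert(ev, "mass_rename",
                      f"{distinct} files renamed to a new extension within "
                      f"{WINDOW_SECONDS}s (latest {ev.new_path})")
    return alerts


def sample_events():
    """Constructed sample: a benign backup job plus a process encrypting a file share."""
    evs = []
    # Benign: backup agent writes 40 files over a minute without renaming anything
    for i in range(40):
        evs.append(FileEvent(1000.0 + i * 1.5, 4242, "backup-agent", "write",
                             f"/backup/daily/file{i}.bak"))
    # Malicious: 25 documents rewritten and renamed .docx -> .locked within ~3 seconds
    for i in range(25):
        p = f"/srv/share/finance/report{i}.docx"
        evs.append(FileEvent(1100.0 + i * 0.1, 7777, "update.exe", "write", p))
        evs.append(FileEvent(1100.05 + i * 0.1, 7777, "update.exe", "rename",
                             p, p[:-5] + ".locked"))
    evs.append(FileEvent(1103.0, 7777, "update.exe", "create",
                         "/srv/share/finance/README_RESTORE_FILES.txt"))
    evs.append(FileEvent(1103.5, 7777, "update.exe", "write",
                         "/srv/share/finance/~$canary_do_not_open.xlsx"))
    return evs


if __name__ == "__main__":
    for pid, proc, reason in detect(sample_events()):
        print(f"ALERT pid={pid} proc={proc}: {reason}")
```

Run against the constructed sample, the backup agent produces no alerts and update.exe produces three (mass rename, ransom note, canary file), the first of them after the 20th rename, well before the process has finished the share. Real EDR adds signals this sketch omits, such as the entropy of written data, shadow copy deletion commands and process lineage, and pairs the alert with host isolation; the thresholds here are illustrative and would need tuning against your own file-server activity.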

Get a Security Assessment

Contact vGuard Cyber →