How Do Ransomware Attacks Work?

Ransomware attacks compromise companies’ secure data when an outside entity accesses and holds data, demanding money for its release. Learn what you need to know to protect your company from an attack.

Table of Contents:

seagate-article-ransomwareattacks-1440x900px seagate-article-ransomwareattacks-1440x900px seagate-article-ransomwareattacks-1440x900px

One of the major examples of dangerous software (often known as malware) is ransomware, which encrypts vital data from businesses and holds it for payment. 

When a victim’s data has been accessed, criminals hide it from an organization by encrypting it. The business doesn’t get the decryption key to unlock the data until a ransom is paid. Organizations can suffer serious monetary losses due to ransomware, plus they risk losing access to the databases, programs, files, and other resources used to run their business. 

How Do Ransomware Attacks Happen? 

All ransomware operations begin with hackers gaining access to confidential data, encrypting it, and then requesting a payment. However, the steps of each assault vary. 

Data Access 

Cybercriminals use various methods to gain access to sensitive company information. Phishing is the most often used ransomware assault. With phishing, the attacker sends a series of harmful spam emails that target workers, including requests to download a file or open an attachment. If an employee falls for the phishing attempt, the perpetrator obtains access to the company computer. 

Another method criminals rely on is drive-by downloading, whereby a user unknowingly visits an infected website, and ransomware gets downloaded and installed without the user realizing it. 

Data Encryption 

Once they get access to the necessary data, cybercriminals proceed to the encryption phase which blocks the owner from retrieving their data. Typically, offenders will select a few files, encrypt them, create a decryption key, and then erase the original, unencrypted files along with any readily available backups the company might need. Additionally, the computer may become locked or inoperable. 

Demanding Ransom 

After data encryption, the attacker writes the computer user a ransom notice, which is often displayed as an alert box on the screen. Payment—typically in the form of cryptocurrency—is demanded by a specified deadline. 
According to an analysis by the security firm Check Point, attackers request that payment be made within a few days. If the ransom isn’t delivered within the allotted time, the demanded sum may escalate, or the corporation may never be able to recover the encrypted data. The report also revealed that in 2021, it took businesses an average of 9.9 days to resume normal operations after an initial ransomware attack. 

What Types of Companies Are Ransomware Targets? 

While a number of factors have contributed to the increase in ransomware attacks, one of the most prevalent is the increase of remote labor. For ransomware creators, the COVID-19 outbreak was a boon. Companies were compelled to adopt remote working arrangements as quickly as possible, and this introduced gaps in firms’ cybersecurity frameworks. These cracks provided new access points for attackers to spread ransomware. 

Should the Cyber Attack Ransom Be Paid? 

If your computer is infected with ransomware and you’ve lost important data that you can’t recover from a backup, should you pay the ransom? 

Most law enforcement organizations advise against paying cyber attackers, arguing that doing so encourages hackers to produce more and better ransomware. That said, many infected businesses will stop considering the ‘greater good’ of not paying and instead evaluate the cost of the ransom versus the value of their encrypted data.  

According to a 2020 Vanson Bourne report, commissioned by security firm Sophos, the lowest average ransom payments were in the healthcare sector—with an average of $197,000. Very sophisticated ransomware can identify the nation where the infected computer is operating and change the ransom to suit that country’s overall economic status, requesting more money from businesses in wealthy countries and less from those in developing nations. 

Quick payment incentives are often provided to entice victims to pay rapidly without giving the incident much thought. The price is often chosen so that it’s both high enough to be profitable for the criminal and low enough to be less expensive than what a victim would have to spend to repair their machine and/or recover lost data. Considering this, some businesses are starting to incorporate potential ransom payments into their security plans. For instance, some major UK businesses are beginning to hold a certain amount of Bitcoin in reserve for ransom payments, despite being otherwise uninterested in cryptocurrency. 

There are a few items to keep in mind in a data hostage situation given that ransomware attackers are obviously criminals. First, before sending money to anyone, be sure you aren’t dealing with what’s known as ‘scareware.’ That is a case in which what seems to be ransomware may not have locked or encrypted your data. Second, you might not regain your data even if you pay the attackers. Sometimes, these criminals just take the money and run. The so-called ransomware may not even have decryption capabilities. According to the Sophos State of Ransomware 2022 report, 46% of organizations who paid the ransom received 61% of their data back, down from 65% in 2020. Only 4% of organizations received all their data back after paying the ransom, down from 8% in 2020. Some speculate that some data is returned because ransomware—without the possibility of decryption—can rapidly get a reputation and won’t produce as much cash for the perpetrators. 

Ransomware Examples 

Although ransomware has been around since the 1990s, its popularity has increased in the last five years, partly due to the availability of anonymous payment options like Bitcoin. 

These prevalent ransomware variants have been some of the worst offenders: 


SamSam first appeared in 2015. It mainly targets healthcare businesses. 


The Trojan Horse virus known as CryptoLocker spreads via unidentified attachments in staff emails. With CryptoLocker, only users of Microsoft® Windows® are in danger; Mac™ users are unaffected. Once your files get encrypted, a countdown timer starts. 


Ryuk is one of the most harmful ransomware variants due to the extreme ransom amount demanded. Millions of dollars may be required to restore data after a Ryuk attack. Like other viruses, Ryuk spreads via phishing. After infecting a system, it begins shutting down operations on the victim’s computer. 


When Cerber initially debuted in 2016, it was incredibly profitable for attackers, earning them $200,000 in just July of that year. To infiltrate networks, it made use of a Microsoft® vulnerability. 

Bad Rabbit 

First making an appearance in 2017, Bad Rabbit is similar to the malware known as Petya and WannaCry. Unlike other ransomware, Bad Rabbit can infect a computer when a user clicks on a hacked webpage. Once a user engages an infected site, the program immediately blocks access to all files on the person’s computer and demands a ransom, which often needs to be paid in Bitcoin. 


Maze encrypts data and demands a ransom, but it goes a step further. This type of malware produces copies of data to sell on the dark web after the encryption process is complete. It also establishes backdoors so hackers can continue to harass the organization. 


Throughout its propagation, the ransomware variant known as TeslaCrypt continuously gained footing as it targeted gaming files. 

Effective Methods to Prevent Ransomware Attacks 

You can take a variety of protective measures to avoid ransomware attacks. Following these guidelines will strengthen your defenses against all types of data assaults: 

Get Security Software  

To protect your business, you need security software specifically designed to thwart ransomware attacks. Get protection that offers secure online surfing and safeguards against phishing emails. Go a step further and install antivirus software that can identify harmful malware as soon as it appears and whitelist software that can stop unapproved apps from running. 

Backup Data 

Backing up your data is an essential step in minimizing ransomware damage. Although taking this precaution won’t stop ransomware attacks, it will greatly reduce the harm they cause. When you backup your data—ideally often—an attacker cannot control you. You continue to own and have access to the data even if it is stolen. Because many attackers will search for and remove these backups, you should take precautions to secure them. To make your backup harder to access, it’s recommended you store it on the cloud or on a different cold drive. 

An enterprise-level backup should implement the 3-2-1 backup strategy. Following this plan, you must move data backups to immutable storage so you can restore your data if other backups have been altered. You should also ensure that multi-factor authentication and role-based access control are part of your immutable backups. If attackers access your storage systems, they can delete the clusters hosting your immutable backup copies. They can also shorten or remove write once, read many (WORM) designations. Secure the backdoors of your storage systems using identity and access management (IAM) systems such as multi-factor authentication and firewalls.  

Protect Digital Certificates 

Digital certificates act as a kind of computer identification and provide a secure means to connect to a firm’s network. These certificates allow systems’ devices to communicate messages and other important data securely. Each digital certificate comes with a public and private key. The data gets encrypted using the public key, but access is only possible with the private one. 

Educate Employees 

Organizational prevention training is a company’s strongest defense against ransomware attacks. Since employees are the main targets of attacks, they must know what to watch out for. Since phishing is the most common method ransomware utilizes, the IT team should ensure every employee knows what these emails and attachments look like, so they can report them to the organization and law enforcement. 

Secure Macros 

Code signing is a technique that’s been used for many years to ensure a software download, program, or macro code hasn’t been altered or modified after being signed by a sender. A public-private key pair is utilized to secure a file when being sent. The key verifies a digital certificate’s authenticity, proving the file remained the same during its transmission. The transmission becomes secure if the original key matches the one received. 

Communicate Security Protocols to All Employees and Secure Endpoints 

While the IT team can implement all industry standard protocols to guide network security, the security strategy is incomplete if employees with different types of expertise outside IT don’t know these protocols.  

Because some employee actions can accidentally put the company’s network at risk, the IT team may use endpoint security solutions to prevent most threats resulting from unintentional acts. This includes enforcing periodic password changes, making complex passwords mandatory, and encrypting all company device drives.  

How to Respond to a Ransomware Attack 

If ransomware ends up on your computer, you’ll need to regain control by following this process step by step: 

Identify Which Devices Were Affected 

In the event of a ransomware attack, remember that time isn’t on your side. Damage can increase the longer the impacted device is connected to your company’s network. Isolating the infected device or devices is the first step to take when malware is found. Other possible targets cannot be accessed if the network connection is cut. 

Prevent Further Attacks 

Once the identified danger has been contained, search the network for any other infections. To protect data and limit the spread of malware, look for any encryption programs or machines behaving strangely and turn them off. 

Locate the Source 

As quickly as possible, pinpoint the ransomware or malware source. This will make it easier to monitor the infection’s spread. Inquire with workers about any unusual behavior they’ve seen on their computers—particularly in their email—and if they’ve clicked on any attachments or links in suspect communications. Bear in mind as you perform your search that there may be several infection sources. 


Don’t forget to notify the appropriate authorities in your area about the attack. Ransomware is illegal and law enforcement can have helpful resources that nobody else does. A digital forensics specialist may be able to decrypt your encrypted data, apprehend the perpetrator, and/or safeguard your company going forward. 

Restore Data Using Backups 

Hopefully, precautions were taken prior to any attacks and backups were made. But once data has been restored, don’t assume that these backup files weren’t compromised. Make sure the backups are secure. Wipe any infected devices clean. After thoroughly inspecting each device, restore backed-up files to the original disk. Hopefully, there won’t be much harm done as long as backups were recently made. 

Decrypt Files 

If the backup files were hacked or didn’t exist, try looking for potential decryptors. Several security-focused organizations provide free tools and programs that can be useful in this situation. There’s a good chance you’ll discover an existing decryption key that allows you to retrieve your data but there is no guarantee. 

How Seagate Can Help with Ransomware Attacks 

Seagate Exos X Series hard drives are a scalable, trusted backup solution that can help keep data safe from ransomware attacks.  
We enable scale-out data centers to take advantage of centralized surveillance across devices, making it easier for your full IT team to mitigate and monitor for anomalies. 

Speak to an expert at Seagate about your secure data storage management needs today.