Businesses must learn how to protect themselves from ransomware, as it is the most common type of malware (malicious software) experienced by organisations globally. The Information Commissioner's Office states that ransomware is a persistent and significant online threat to the UK economy and security. It causes millions of pounds of damage and disruption each year, with cyber criminals attacking critical sectors including hospitals and governments alongside businesses.
How Does Ransomware Work?
Cyber criminals will have different motivations for attacking organisations using malware, including malicious intent, political motivations, data theft or extortion. They use different methods to steal intellectual property and sensitive data, causing significant service disruption and financial losses.
Ransomware is a type of malware that blocks access to your device and the data stored on it, typically encrypting your files. Cyber criminals will demand a ransom in exchange for returning control/access to your data. The process consists of the following three steps:
1. Access / Infection
Like any form of malware, ransomware can gain access to an organisation's systems in a variety of ways. Attackers will establish control and plant malicious code or encryption software, take copies of your data or threaten to leak it. The following are warning signs of a ransomware attack and breach of access:
- Files look unreadable
- Ransomware note appearing on screen
- System behaviour has changed, slowing down your computer or network
- Missing or inaccessible backups
- Unusual emails and pop-ups on screen (phishing)
- Unusual network activity
2. Activation
Once the malware has been activated, it quickly locks devices and encrypts data across the network, targeting files such as documents, images and databases. This can spread to shared drives and connected systems, often without immediate detection.
3. Ransom Demand
Once encryption is complete, a ransom message is displayed demanding payment (usually in cryptocurrency) and may include a deadline or threat to delete or release the data, leaving the victim unable to regain access without backups or expert intervention. However, even if companies make a payment, there is no guarantee that the criminal group involved will return your data or delete copies they have made of your files.
Types of Ransomware Attacks
Ransomware comes in various forms, each using different tactics to extort victims. Here are the most common types encountered across the UK:
Crypto ransomware (encryptors)
This variant encrypts files on the victim’s system, making data inaccessible until a ransom is paid. It is the most common form of ransomware. Often, the encryption is so strong that recovering the files without the decryption key is virtually impossible.
Scareware
This is fake antivirus or security software that tricks the user by claiming a virus or other issue has been detected. It pressures the user into paying to resolve a non-existent problem. Although it may not harm files, its persistent and alarming notifications can be highly disruptive.
Ransomware as a Service (RaaS)
With this model, criminal groups provide ransomware tools and platforms to affiliates who then carry out attacks. The service handles distribution, encryption, payment and sometimes negotiations in exchange for a share of the ransom profits.
Locker ransomware (lockers)
Rather than encrypt data, locker ransomware locks the user out of their device or operating system entirely. A lock screen is displayed with a ransom demand, sometimes accompanied by a countdown to heighten panic.
Leakware or doxware
Leakware, also referred to as doxware, threatens to release private or sensitive data unless a ransom is paid. The threat of reputational damage or legal consequences often compels victims to comply.
Monitor and Detect
Early detection is key to stopping ransomware, as most attacks escalate within hours. Finding and reporting 'access signs' like phishing, exposed remote desktop protocol (RDP), or suspicious scripts is critical. Organisations should implement continuous monitoring of their networks, endpoints and email systems to identify unusual activity, such as sudden spikes in file changes, unauthorised access attempts or large volumes of data leaving the network.
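As an added illustration (not Minster's tooling or code from this article), the sketch below flags a sudden spike in file changes per host and checks whether file contents have become unreadable, high-entropy data. The thresholds, host names, paths and sample events are constructed assumptions to be tuned against your own baseline.

```python
import math
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
MAX_CHANGES = 20      # assumed ceiling for normal per-host changes in one window
ENTROPY_LIMIT = 7.5   # bits per byte; ciphertext sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text is typically 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    # Compressed formats (zip, jpeg) also score high, so treat this as one
    # signal to combine with the change-rate check, not a verdict on its own.
    return shannon_entropy(data) > ENTROPY_LIMIT

def find_spikes(events, window=WINDOW_SECONDS, limit=MAX_CHANGES):
    """events: (epoch_seconds, host, path) tuples sorted by time.
    Returns {host: timestamp when changes inside the window first exceeded limit}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, _path in events:
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop changes older than the window
            q.popleft()
        if len(q) > limit and host not in alerts:
            alerts[host] = ts
    return alerts

# Constructed sample: ws-01 saves a file every 30 s, fs-02 rewrites 40 files in 40 s.
SAMPLE_EVENTS = sorted(
    [(1000 + 30 * i, "ws-01", f"/home/a/doc{i}.txt") for i in range(10)]
    + [(1100 + i, "fs-02", f"/share/finance/f{i}.docx") for i in range(40)]
)
SAMPLE_TEXT = b"Quarterly report: sales up 4 percent.\n" * 50
SAMPLE_RANDOM = bytes(range(256)) * 4   # uniform bytes standing in for ciphertext

if __name__ == "__main__":
    print("spikes:", find_spikes(SAMPLE_EVENTS))
    print("text looks encrypted:", looks_encrypted(SAMPLE_TEXT))
    print("uniform bytes look encrypted:", looks_encrypted(SAMPLE_RANDOM))
```

In practice the events would come from file-server audit logs or an EDR feed, and an alert on a host would trigger the isolation steps rather than wait for a ransom note.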
At Minster, we provide a range of services to help organisations detect ransomware at the earliest stage, including:
● Managed Security Monitoring – round-the-clock oversight of your systems to identify and act on potential threats
● Advanced Threat Protection – filtering and analysis to block malicious files, links and emails before they reach your users
● Endpoint Detection and Response (EDR) – rapid identification and isolation of compromised devices to prevent further spread
● Vulnerability Scanning – regular assessment of your systems to identify and address weaknesses before they can be exploited
Prevent & Protect Against Ransomware
We help organisations across the UK stay one step ahead of ransomware threats through a blend of robust technology and expert guidance. Here are our recommended best practices:
- Keep systems updated – our managed IT support ensures security patches and updates are applied promptly across your network
- Use advanced security tools – we deploy and manage leading endpoint protection and threat monitoring solutions to detect and block attacks in real time
- Control access rights – our network management services ensure users only have the permissions they need, reducing the risk of ransomware spreading
- Enable multi-factor authentication – we set up secure login solutions to protect accounts even if credentials are compromised
- Back up data securely – our backup and disaster recovery services keep offline, encrypted copies of your data that are regularly tested for reliability
- Train your people – our cyber awareness training equips staff to recognise phishing attempts and suspicious activity
- Plan for incidents – we work with you to create and rehearse a tailored incident response plan, so you can act quickly and minimise disruption
FAQs for How to Protect from Ransomware
If your organisation has already been infected, there are some actions you can take to help mitigate further damage, as advised by the National Cyber Security Centre:
- Disconnect infected computers and devices from all network connections straight away. Whether it's wired, wireless or phone-based, all must be removed from the network.
- In a serious case, disconnect from Wi-Fi and disable any core network connections.
- Reset credentials including passwords (particularly admin and other system accounts) - make sure to verify that you are not locking yourself out of systems that are needed for recovery.
- Safely wipe infected devices and reinstall the OS.
- Organisations should all have backups of their data but you must ensure that any backups made are free from malware.
- Connect devices to a clean network
- Install, update and run anti-virus software
- Reconnect your network
- Inspect network traffic and run anti-virus scans to identify if any infection remains.
Making regular backups of important files and data is an essential cyber security practice to prevent data loss in the event of an unplanned disaster or security breach. You can find out more about this in our article, How to Backup Your Data. We also cover our Disaster Recovery service within this guide, as preparing for an incident like a ransomware attack can also limit the impact on your organisation, such as downtime, data loss and financial losses.