What Ransomware Actually Is
Ransomware is malicious software that encrypts your files and systems so that you can no longer use them, then demands a payment (almost always in cryptocurrency) in exchange for the decryption key. Modern ransomware groups also steal data before encrypting it and threaten to publish it if you do not pay, a technique called "double extortion."
What makes it devastating is the combination of immediate operational paralysis — you literally cannot access your own files — and the time pressure attackers create with countdown timers and escalating demands. Many businesses pay simply because they haven't thought through the alternatives in advance.
Paying the ransom does not guarantee that you receive a working decryptor, and it does not stop the attacker from publishing or selling the stolen data anyway. Fewer than 65% of businesses that paid received fully working decryption tools. Paying also signals to criminals that you are a viable target and increases the likelihood of a repeat attack.
How a Ransomware Attack Unfolds: Minute by Minute
Most people imagine ransomware as a sudden catastrophic event. In reality, attackers are often inside your network for days or weeks before triggering the encryption. Here's how a typical attack progresses:
Initial Access
The attacker gains entry, usually through a phishing email, an exposed Remote Desktop (RDP) service with weak or stolen credentials, an unpatched internet-facing vulnerability, or credentials bought from an initial-access broker on the dark web. Your systems look completely normal. No alarms go off. Business continues as usual.
Reconnaissance & Lateral Movement
The attacker maps your network, identifies your most valuable data, locates your backups, and moves from system to system to widen their access. They are looking for domain admin credentials, financial systems, and backup infrastructure, and they usually do it with legitimate administrative tools and protocols (RDP, SMB admin shares, remote PowerShell) so that the activity resembles routine IT work. This phase is where good monitoring catches attacks before they detonate: a service account that suddenly logs on to a dozen servers at 2 a.m., or any account reaching the backup server that has no business there, is exactly the anomaly worth alerting on.
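The kind of monitoring described above, as an added example rather than CyberCloak's own tooling: a sliding-window check over constructed records modelled on Windows Security event 4624 (successful logon), flagging accounts that fan out across many hosts using network (type 3) or RDP (type 10) logons, plus a second check for accounts touching backup or domain-controller hosts they are not expected to reach. The window, thresholds, host names and allow-list are assumptions you would tune to your own baseline.

```python
"""Flag accounts that log on to many hosts in a short window.

Added example for this page, not CyberCloak's tooling. Input is a list of
constructed records modelled on Windows Security event 4624 (successful
logon): (timestamp, account, target host, logon type). Logon type 3 (network,
e.g. SMB admin shares) and 10 (RemoteInteractive, i.e. RDP) are the types
lateral movement produces; the window, threshold and host lists below are
assumed values, not measured ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a backup service account fanning out across the estate
# in the small hours, and a user doing ordinary daytime work.
SAMPLE_EVENTS = [
    ("2024-03-02 02:01:10", "svc_backup", "FS01", 3),
    ("2024-03-02 02:01:42", "svc_backup", "FS02", 3),
    ("2024-03-02 02:02:05", "svc_backup", "DC01", 3),
    ("2024-03-02 02:02:30", "svc_backup", "BACKUP01", 3),
    ("2024-03-02 02:03:15", "svc_backup", "SQL01", 10),
    ("2024-03-02 02:03:50", "svc_backup", "HR-PC12", 3),
    ("2024-03-02 09:15:00", "j.smith", "HR-PC12", 2),  # console logon, not lateral
    ("2024-03-02 09:16:00", "j.smith", "FS01", 3),
    ("2024-03-02 11:40:00", "j.smith", "FS02", 3),
]

LATERAL_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=10)
HOST_THRESHOLD = 5                                   # assumption: 5 hosts in 10 min is abnormal
SENSITIVE_HOSTS = {"DC01", "BACKUP01"}               # assumption: domain controller, backup server
ALLOWED_ON_SENSITIVE = {"svc_backup": {"BACKUP01"}}  # assumption: who may touch which host


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_lateral_movement(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """Return {account: (window_start, sorted hosts)} for every account that
    reaches at least `threshold` distinct hosts via network/RDP logons inside
    one sliding window. Only the first offending window per account is kept."""
    by_account = defaultdict(list)
    for ts, account, host, logon_type in events:
        if logon_type in LATERAL_LOGON_TYPES:
            by_account[account].append((parse_ts(ts), host))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # advance the window start until the span fits inside `window`
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[account] = (logons[start][0], sorted(hosts))
                break
    return alerts


def unexpected_sensitive_access(events, sensitive=SENSITIVE_HOSTS,
                                allowed=ALLOWED_ON_SENSITIVE):
    """Return sorted (account, host) pairs where an account reached a backup
    or domain-controller host it is not expected to touch."""
    hits = set()
    for _, account, host, logon_type in events:
        if logon_type in LATERAL_LOGON_TYPES and host in sensitive:
            if host not in allowed.get(account, set()):
                hits.add((account, host))
    return sorted(hits)


if __name__ == "__main__":
    for account, (start, hosts) in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(hosts)} hosts from {start}: {', '.join(hosts)}")
    for account, host in unexpected_sensitive_access(SAMPLE_EVENTS):
        print(f"ALERT {account} reached sensitive host {host}")
```

On the sample, the backup account trips both checks (five hosts inside three minutes, and a logon to the domain controller it has no reason to touch) while the ordinary user trips neither. In production you would feed the same logic from your SIEM rather than a hard-coded list, and the allow-list for sensitive hosts is what turns "backup server was accessed" from noise into a signal.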
Data Exfiltration
Before encrypting, attackers copy your most sensitive data to servers they control. This enables double extortion: even if you recover from backups, they can still threaten to publish customer data, financial records, or intellectual property. Many SMEs are unaware this happened until they see the ransom note or find their data on a leak site, because nobody was watching for large outbound transfers to unfamiliar destinations.
Encryption Detonation
Ransomware deploys across your network simultaneously, often triggered in the middle of the night or at a weekend when fewer staff are watching. Within minutes, files are encrypted, any backups reachable over the network are deleted or encrypted (volume shadow copies included), and systems begin displaying the ransom note. The attack typically reaches full scale within 45 minutes.
The Ransom Demand
Staff arrive to find screens replaced with ransom notes. Systems are inaccessible. The attacker has a countdown timer and a "customer service" portal (yes, really) where you can negotiate. Time pressure is a key tool — they know every hour of downtime is costing you money.
"The worst moment is finding out your backups were encrypted too. That's when businesses seriously consider paying."
— Sarah Kelly, CEO, CyberCloak
Before an Attack: Building Ransomware Resilience
The businesses that survive ransomware attacks with minimal damage have one thing in common: they prepared before it happened. These are the controls that make the biggest difference.
Maintain offline, tested backups following the 3-2-1 rule. Three copies of your data, on two different media types, with one copy completely offline (disconnected from the network) or immutable (write-once storage that the backup account itself cannot delete or overwrite). Test your restoration process quarterly on a clean, isolated machine, and verify the restored files against hashes recorded when the backup was taken; most organisations discover that their backups are incomplete or corrupt only when they need them. An attacker who can reach your backups with the credentials they have already stolen will destroy them before detonating ransomware, so backup credentials must never be shared with domain admin accounts.
Deploy Endpoint Detection & Response (EDR/XDR). Modern EDR tools detect ransomware behaviour rather than file signatures: bulk file modification and renaming by a single process, high-entropy (encrypted-looking) content being written, shadow copy deletion, process injection and credential dumping. They can automatically isolate an affected endpoint from the network before the attack spreads. Traditional signature-based antivirus is not sufficient against modern ransomware variants, which are repacked for each campaign.
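A reduced version of the behavioural logic described above, as an added example and not any EDR vendor's actual detection code: it runs three signals over constructed file-activity telemetry (a burst of operations by one process, mostly high-entropy writes, and renames to an extension the estate does not use) and flags a process only when at least two of them fire, which is what keeps backup and archiving tools out of the alert queue. Thresholds, the known-extension list and the process names are assumptions.

```python
"""Behavioural detection of bulk encryption from file-activity telemetry.

Added example for this page; it is not any EDR vendor's detection logic but
a reduced version of three signals such products combine. Events are
constructed tuples (timestamp, pid, process name, action, path, data) where
`data` is the bytes written (None for renames). Thresholds and the known
extension list are assumptions to tune against your own file servers.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.0      # bits/byte; ciphertext and compressed data sit near 8
RATE_THRESHOLD = 20          # file operations by one process inside WINDOW
WINDOW = timedelta(seconds=60)
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "zip", "jpg", "png"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_bulk_encryption(events, window=WINDOW, rate=RATE_THRESHOLD,
                           entropy=ENTROPY_THRESHOLD):
    """Return {(pid, process): [reasons]} for processes that trip at least two
    of: a burst of file operations, mostly high-entropy writes, and renames
    to an extension the estate does not normally use."""
    per_proc = defaultdict(list)
    for ts, pid, proc, action, path, data in events:
        per_proc[(pid, proc)].append((ts, action, path, data))

    verdicts = {}
    for key, acts in per_proc.items():
        acts.sort(key=lambda a: a[0])
        # signal 1: peak number of operations inside any sliding window
        peak, start = 0, 0
        for end in range(len(acts)):
            while acts[end][0] - acts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        # signal 2: share of writes whose content looks encrypted
        writes = [d for _, a, _, d in acts if a == "write" and d is not None]
        high = sum(1 for d in writes if shannon_entropy(d) >= entropy)
        # signal 3: renames that leave the file with an unfamiliar extension
        new_ext = sum(1 for _, a, p, _ in acts if a == "rename"
                      and p.rsplit(".", 1)[-1].lower() not in KNOWN_EXTENSIONS)

        reasons = []
        if peak >= rate:
            reasons.append(f"{peak} file operations within {window.seconds}s")
        if writes and high / len(writes) >= 0.8:
            reasons.append(f"{high}/{len(writes)} writes are high-entropy")
        if new_ext >= rate // 2:
            reasons.append(f"{new_ext} renames to an unknown extension")
        if len(reasons) >= 2:   # two signals: backup and archiver tools trip one alone
            verdicts[key] = reasons
    return verdicts


def constructed_events():
    """Constructed telemetry: one ordinary office process and one process that
    rewrites 25 shared files with ciphertext-like data and renames them."""
    base = datetime(2024, 3, 2, 2, 10, 0)
    cipher_like = bytes(range(256)) * 16     # stand-in for ciphertext: uniform bytes
    text = b"Quarterly sales report: revenue up 4% on last year. " * 80
    events = [
        (base, 4120, "WINWORD.EXE", "write", r"C:\Users\j.smith\Documents\report.docx", text),
        (base + timedelta(minutes=2), 4120, "WINWORD.EXE", "write",
         r"C:\Users\j.smith\Documents\budget.xlsx", text),
    ]
    for i in range(25):
        t = base + timedelta(seconds=i)
        src = rf"\\FS01\shared\finance\invoice_{i:03d}.pdf"
        events.append((t, 6612, "svchost_upd.exe", "write", src, cipher_like))
        events.append((t, 6612, "svchost_upd.exe", "rename", src + ".locked", None))
    return events


if __name__ == "__main__":
    for (pid, proc), reasons in detect_bulk_encryption(constructed_events()).items():
        print(f"ISOLATE host: {proc} (pid {pid}): " + "; ".join(reasons))
```

The verdict is what an EDR agent would act on by isolating the host; the word-processor saves score zero on all three signals, while the encrypting process scores on all of them within its first 30 seconds of activity. A real product adds many more signals (shadow copy deletion, known ransom-note file names, canary files), but the two-of-three rule is the important design choice: a single signal, such as a burst of high-entropy writes, is exactly what a legitimate backup or compression job also produces.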
Apply patches within 72 hours of critical releases. The majority of ransomware attacks exploit vulnerabilities for which patches have been available for weeks or months. A disciplined patching programme — especially for internet-facing systems, VPNs, and remote access tools — removes the most commonly used entry points.
Segment your network. If an attacker compromises one part of your network, segmentation limits how far they can spread. Critical systems — backups, financial data, production servers — should be on isolated network segments with controlled access points between them.
Disable RDP or place it behind a VPN with MFA. Remote Desktop Protocol exposed directly to the internet (TCP port 3389) is one of the top entry points for ransomware groups, reached by credential stuffing and brute force. If your team needs remote access, route it through a VPN with multi-factor authentication, require Network Level Authentication on the hosts, and set account lockout thresholds. Verify the exposure from outside your network rather than trusting the firewall diagram.
Conduct tabletop exercises annually. Walk your team through a simulated ransomware scenario. Who do you call first? Who has the authority to take systems offline? Where are your backups stored? Do you have cyber insurance? Knowing the answers under pressure is very different from knowing them in theory.
During an Attack: The First 60 Minutes
If you discover an active ransomware attack, your decisions in the first hour are critical. Here's the priority order:
- Contain immediately: disconnect affected systems from the network. Pull network cables, disable Wi-Fi, isolate segments, or use your EDR console's host isolation. Do not power systems off (volatile memory, and with it the evidence of what ran, is lost), but stop them communicating with the rest of your network. Disconnect backup storage and pause cloud sync clients too, so encrypted files are not replicated over good copies. The goal is to stop the spread, not to fix the problem yet.
- Alert your incident response team or CyberCloak immediately. Do not try to handle this alone. Every minute matters, and experienced responders know exactly what to do. If you have cyber insurance, call your insurer — they often have IR resources included.
- Preserve forensic evidence. Do not wipe or reimage machines before capturing memory dumps and log files. This evidence tells you exactly what happened, how the attacker got in, and what they accessed — critical for recovery, compliance, and insurance claims.
- Assess your backup integrity. Check your offline or cloud backups from a clean machine, not from the compromised network. Are they intact? Do the files match the hashes recorded when the backup was taken? When was the last successful run? This determines your recovery time and whether you are facing a ransom decision.
- Notify your legal team and check your GDPR obligations. If personal data was accessed or exfiltrated, you must report the breach to your supervisory authority within 72 hours of becoming aware of it (GDPR Article 33), and notify the affected individuals where the risk to them is high (Article 34). Getting legal advice early is critical, and the forensic evidence you preserved is what lets you state accurately what was taken.
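The backup-integrity check in the list above, and the quarterly restore test recommended under Before an Attack, both come down to the same procedure: compare what you restored with a manifest recorded when the backup was taken. The following is an added example, not CyberCloak's tooling; it assumes the backup job writes a manifest.json holding the run time and the SHA-256 of every file, and the names, paths and file contents in demo() are constructed.

```python
"""Verify a restored backup against the manifest written when it was taken.

Added example for this page, not CyberCloak's tooling. It assumes the backup
job writes manifest.json next to the data, holding the UTC time of the run
and the SHA-256 of every file; the restore test rehashes the restored tree
and reports files that are missing, altered (for example encrypted in place)
or too old to be useful. Paths, names and file contents in demo() are
constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map relative path (forward slashes) -> SHA-256 for every file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == "manifest.json":
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def write_manifest(backup_dir: str, taken_at: datetime) -> dict:
    """Record hashes and the run time at backup time; the manifest should also
    go to the offline/immutable copy so an attacker cannot rewrite it."""
    manifest = {"taken_at": taken_at.isoformat(), "files": hash_tree(backup_dir)}
    with open(os.path.join(backup_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_restore(manifest: dict, restored_dir: str, now: datetime,
                   max_age: timedelta = timedelta(hours=24)) -> dict:
    """Compare a restored tree with the manifest. `ok` is True only if every
    file is present with the recorded hash and the backup is recent enough."""
    expected, found = manifest["files"], hash_tree(restored_dir)
    corrupted = sorted(p for p in expected if p in found and found[p] != expected[p])
    missing = sorted(p for p in expected if p not in found)
    unexpected = sorted(p for p in found if p not in expected)
    age = now - datetime.fromisoformat(manifest["taken_at"])
    too_old = age > max_age
    return {
        "ok": not (corrupted or missing or unexpected or too_old),
        "corrupted": corrupted, "missing": missing, "unexpected": unexpected,
        "age_hours": age.total_seconds() / 3600, "too_old": too_old,
    }


def demo() -> dict:
    """Take a constructed backup, then simulate a restore in which one file came
    back encrypted and another never made it, as a restore test would reveal."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        restored = os.path.join(tmp, "restored")
        for d in (backup, restored):
            os.makedirs(os.path.join(d, "finance"))
        files = {                                   # constructed contents
            "finance/ledger.csv": b"date,amount\n2024-03-01,100.00\n",
            "finance/payroll.xlsx": b"PK\x03\x04 constructed spreadsheet\n",
            "readme.txt": b"constructed backup set\n",
        }
        for rel, data in files.items():
            with open(os.path.join(backup, rel), "wb") as fh:
                fh.write(data)
        manifest = write_manifest(backup, datetime(2024, 3, 1, 23, 0, tzinfo=timezone.utc))

        for rel, data in files.items():
            if rel == "finance/payroll.xlsx":
                continue                            # lost in the restore
            if rel == "finance/ledger.csv":
                data = bytes(range(256))            # stand-in for an encrypted copy
            with open(os.path.join(restored, rel), "wb") as fh:
                fh.write(data)
        return verify_restore(manifest, restored,
                              now=datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing at backup time rather than at restore time is that a backup an attacker has silently encrypted still restores "successfully" as far as the backup software is concerned; only a comparison against hashes stored somewhere the attacker could not reach shows that the ledger came back as ciphertext. Run this from a clean machine against the offline copy, and treat any non-empty corrupted or missing list as a reason not to trust that backup set for recovery.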
Do not negotiate with attackers without professional guidance. Do not pay without exhausting all alternatives. Do not reuse the same passwords when rebuilding — the attacker may still have credentials. Do not reconnect recovered systems before the initial infection vector has been identified and closed.
After an Attack: Recovery and Prevention
Once the immediate crisis is contained, the recovery and learning phase begins. This is where organisations either emerge stronger or remain vulnerable to repeat attacks.
Conduct a thorough root cause analysis: how did the attacker get in? What lateral movement path did they take? What could have detected the activity earlier? Update your incident response playbooks based on what you learned, rotate every credential across the organisation (user passwords, service accounts, API keys and, in an Active Directory domain, the krbtgt account password twice so that forged Kerberos tickets stop working), and re-run a full vulnerability assessment before bringing systems back online. Rebuild compromised machines from known-good images rather than trying to clean them.
If you don't have cyber insurance, now is the time to get it. A good cyber policy covers ransom negotiation, IR professional fees, business interruption, and regulatory fines — it's no longer optional for any SME that holds customer data.
The three things that most determine ransomware outcomes: (1) whether your offline backups are current and tested, (2) whether you have EDR detecting anomalous behaviour, and (3) whether your team knows exactly what to do in the first 60 minutes. Address all three before you need them.
Is Your Business Ready for a Ransomware Attack?
Our security assessment evaluates your ransomware resilience: backups, EDR coverage, network segmentation, and incident response readiness. Know where you stand before it happens.