Cybersecurity 101 — Threats & Attacks

What is Ransomware?

Ransomware is malware that locks up your files and demands a payment to unlock them — often the single most expensive cyber incident a small business will ever face.

The plain-English definition

Ransomware holds your data hostage

Ransomware is a kind of malware that encrypts your files — scrambling them so they're unreadable — and then demands a ransom, usually paid in cryptocurrency, in exchange for the key to unlock them. You arrive at work to find a note on your screen, your documents renamed, and a countdown timer. Until you pay or restore from backup, your business is effectively frozen.

Over the past few years the playbook has gotten nastier. Most serious ransomware crews now use double extortion: before encrypting anything, they quietly copy your sensitive data, then threaten to publish it if you don't pay — so even a perfect backup doesn't fully take away their leverage. This is why ransomware is best understood not as a virus problem but as a business-continuity and data-breach problem rolled into one.

How it works

How a ransomware attack unfolds

A ransomware attack is rarely instant. It usually starts with an entry point — a phishing email, a stolen remote-access password, or an unpatched server exposed to the internet. From there the attacker moves laterally: gaining more privileges, mapping your network, identifying your most valuable data, and — critically — finding and deleting your backups so you can't simply restore. This "dwell time" can last hours to weeks.

Only once they're confident do they pull the trigger, encrypting everything at once, often after hours or over a weekend to slow your response. By the time the ransom note appears, the data has frequently already been stolen. The encryption itself uses strong, modern algorithms — without the attacker's key, brute-forcing your way back in is not realistically possible. That's why prevention, early detection, and protected backups matter so much more than any after-the-fact heroics.

Real-world patterns

What ransomware looks like in the wild

Ransomware-as-a-service

Criminal groups rent out their ransomware to "affiliates" who do the breaking-in, then split the profits. This industrialized model is why even small businesses get hit.

Double & triple extortion

Beyond encrypting and stealing data, some crews also harass your customers or launch DDoS attacks to pile on pressure to pay.

Big-game vs. spray attacks

Some groups carefully target one large victim for a huge payout; others automate mass attacks against anyone with an exposed, unpatched system.

Supply-chain hits

Attackers compromise a managed IT provider or popular software, then push ransomware to all their downstream customers at once.

The common thread: ransomware is a business run by professionals optimizing for profit. They go where defenses are weak and backups are reachable — which is exactly the gap a focused security baseline closes.

How to protect your business

The defenses that stop ransomware

The good news is that the controls which stop ransomware are the same fundamentals that stop most other attacks. Focus your effort here:

  • Keep offline, tested backups. Follow the 3-2-1 rule — three copies, two media, one off-site and offline. Then actually test a restore, because an untested backup isn't a backup.
  • Require MFA on all remote access. Stolen VPN and RDP credentials are a top entry point — multi-factor authentication closes that door.
  • Patch internet-facing systems fast. Ransomware crews weaponize known vulnerabilities within days — stay current with disciplined patch management.
  • Deploy EDR and monitor for early signs. The dwell time before encryption is your window to catch the attack — EDR and monitoring spot the warning behaviors.
  • Have an incident response plan. Decide in advance who you call, how you isolate systems, and how you restore — see incident response.
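The dwell-time window described above is where monitoring earns its keep: before any file is encrypted, the intruder typically destroys backups and then a single process starts renaming files in bulk. The following Python script, added here as an illustration and not part of this page or of Red Hound's tooling, shows what that early-warning logic looks like when run over endpoint telemetry. The log format, the host and process names, and the thresholds (20 renames by one process within 60 seconds) are assumptions for the example; the backup-destruction patterns are the well-known commands catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Format assumed for this example:
# <ISO timestamp> <host> <process> <event type> <detail>
SAMPLE_EVENTS = [
    "2024-03-09T22:01:05 FS01 backup.exe FILE_WRITE D:\\backups\\daily.bak",
    "2024-03-09T22:05:40 WS07 explorer.exe FILE_RENAME C:\\Users\\ann\\report.docx -> report_v2.docx",
    # Backup destruction: a classic precursor to encryption (ATT&CK T1490)
    "2024-03-09T23:14:10 FS01 cmd.exe PROCESS_CREATE vssadmin delete shadows /all /quiet",
    "2024-03-09T23:14:12 FS01 cmd.exe PROCESS_CREATE wbadmin delete catalog -quiet",
] + [
    # One process renaming 25 files with a new extension within 25 seconds
    f"2024-03-09T23:20:{i:02d} FS01 updater.exe FILE_RENAME "
    f"D:\\shares\\finance\\doc{i}.xlsx -> doc{i}.xlsx.locked"
    for i in range(25)
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

# Known commands used to remove shadow copies, backup catalogs and boot recovery.
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# Assumed thresholds: tune to the normal rename rate on the monitored fileserver.
RENAME_THRESHOLD = 20
RENAME_WINDOW = timedelta(seconds=60)


def parse(line):
    """Split one telemetry line into its fields; returns None on malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, event, detail = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "event": event, "detail": detail}


def detect(lines):
    """Return a list of (alert_type, host, process, detail) tuples."""
    alerts = []
    # (host, process) -> timestamps of recent renames inside the sliding window
    renames = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["event"] == "PROCESS_CREATE":
            for pat in BACKUP_DESTRUCTION:
                if pat.search(ev["detail"]):
                    alerts.append(("backup_destruction", ev["host"], ev["proc"], ev["detail"]))
                    break
        elif ev["event"] == "FILE_RENAME":
            window = renames[(ev["host"], ev["proc"])]
            window.append(ev["ts"])
            # Evict renames that fell out of the 60-second window
            while window and ev["ts"] - window[0] > RENAME_WINDOW:
                window.pop(0)
            # Fire exactly once, the moment the threshold is first crossed
            if len(window) == RENAME_THRESHOLD:
                alerts.append(("mass_rename", ev["host"], ev["proc"],
                               f"{len(window)} renames within {RENAME_WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed sample this produces two backup-destruction alerts for cmd.exe on FS01 and one mass-rename alert for updater.exe, all of which appear minutes before anything a user would notice. In a real deployment these would come from EDR or Sysmon process and file events, and the rename rule would be tuned per host so that legitimate bulk operations (archiving jobs, migrations) do not trip it.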

If the worst happens, speed and a clear plan determine whether you're down for hours or weeks. Red Hound's SOC & threat hunting service is built to catch ransomware in that early dwell-time window — before the files get locked.

FAQ

Common questions about ransomware

What is ransomware in simple terms?

Ransomware is malware that locks up your files by encrypting them, then demands a payment — usually in cryptocurrency — in exchange for the key to unlock them. Many strains also steal the data first and threaten to leak it.

Should I pay the ransom?

Authorities generally advise against paying. Payment funds further crime, doesn't guarantee you get your data back, and may carry legal risk if the attacker is sanctioned. The decision is yours, but good backups make it far easier to refuse.

How does ransomware get into a business?

The most common routes are phishing emails, stolen or weak remote-access credentials (like RDP or VPN logins), and unpatched software vulnerabilities. Attackers often spend days inside a network before triggering the encryption.

Can backups protect me from ransomware?

Yes, if they're done right. Backups must be recent, tested, and stored offline or otherwise out of the attacker's reach, since modern ransomware deliberately seeks out and deletes backups it can find.

Get the free SMB Security Baseline Checklist

A short, plain-English checklist of the controls — backups, MFA, patching — that keep ransomware from ending your business. Built for SMBs.
