Ransomware encrypts your files and demands payment for the decryption key. That much hasn't changed. What has changed is the business around it. Most serious operations now run a double-extortion model: before encrypting anything, they quietly exfiltrate a copy of your sensitive data. Then they encrypt, and the ransom note threatens two things — you don't get your files back and they'll leak what they stole on a public "leak site" unless you pay.
This reframes the whole defensive problem. A perfect backup defeats the encryption hostage completely. It does nothing about the leak hostage. So the goal isn't only "be able to restore" — it's "don't let them get in, don't let them spread, and don't let them quietly haul data out the door."
How ransomware actually gets in
The cinematic image of a lone genius cracking a firewall is mostly fiction. Real intrusions are mundane and repetitive. The common front doors:
- Phishing — a malicious attachment or a link to a credential-harvesting page. Still the number-one initial vector.
- Exposed remote access — internet-facing RDP or VPN endpoints with weak or reused passwords, often found via credential stuffing or account takeover.
- Unpatched internet-facing software — a known vulnerability in a VPN appliance, mail server, or web app that was never updated.
- Supply-chain and third-party access — a compromised vendor or managed-service connection, the territory we cover in supply-chain attacks.
Ransomware is now a service industry. "Ransomware-as-a-Service" (RaaS) lets developers rent their malware and infrastructure to affiliates who carry out the break-ins, splitting the proceeds. This division of labor is why the volume is so high — you don't need to build anything to launch an attack, just rent it.
Backups: necessary, not sufficient
Backups remain the foundation, but attackers know that — so they hunt for and delete backups before triggering encryption. A backup that's reachable from the network you're trying to recover is a backup that gets encrypted too. The discipline that survives is the 3-2-1 rule with teeth:
- 3 copies of important data,
- on 2 different media types,
- with 1 copy kept offline or immutable — air-gapped, or in write-once storage the attacker's stolen admin credentials cannot alter or delete.
And critically: test the restores. An untested backup is a hypothesis, not a safety net. The first time you discover your backups are incomplete should not be during an active incident. Our guide to encrypted backups covers doing this without turning the backup itself into a new exposure.
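One way to make "test the restores" concrete is to record a SHA-256 manifest at backup time and compare every restored file against it, so an incomplete or corrupted restore is found in a drill rather than during an incident. The script below is an added example, not code from this article or any backup product; it assumes a hypothetical backup job that writes `manifest.json` beside the backup set (and onto the offline or immutable copy, so the attacker cannot rewrite the manifest along with the data), and it builds its own small sample tree so it runs offline.

```python
"""Backup manifest + restore verification (added example, not from the article).

Assumptions (hypothetical): the backup job stores a JSON manifest of
SHA-256 digests alongside each backup set, and a restore drill restores
into a scratch directory that this script checks against that manifest.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    'missing' and 'modified' both fail the drill; 'extra' is reported so an
    operator can see files the restore produced that were never backed up.
    """
    found = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(found))
    extra = sorted(set(found) - set(manifest))
    modified = sorted(k for k in manifest if k in found and found[k] != manifest[k])
    return {"ok": not missing and not modified,
            "missing": missing, "modified": modified, "extra": extra}


def _write_tree(root: Path, files: dict) -> None:
    """Write a dict of relative-path -> bytes under root (constructed sample data)."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: back up a small tree, then drill two restores."""
    source_files = {
        "finance/ledger.csv": b"id,amount\n1,100\n2,250\n",
        "finance/contracts/acme.pdf": b"%PDF-1.4 constructed sample\n",
        "notes.txt": b"quarterly review\n",
    }
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        _write_tree(tmp / "source", source_files)
        manifest = build_manifest(tmp / "source")
        # The backup job would store this next to the set and on the immutable copy.
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))
        stored = json.loads((tmp / "manifest.json").read_text())

        # Drill 1: the restore is complete and intact.
        _write_tree(tmp / "restore_good", source_files)
        good = verify_restore(stored, tmp / "restore_good")

        # Drill 2: one file never came back and one came back truncated.
        bad_files = dict(source_files)
        del bad_files["notes.txt"]
        bad_files["finance/ledger.csv"] = b"id,amount\n1,100\n"
        _write_tree(tmp / "restore_bad", bad_files)
        bad = verify_restore(stored, tmp / "restore_bad")
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see both drill reports; in practice `build_manifest` runs at backup time and `verify_restore` runs against each scheduled test restore, with a non-`ok` result paging someone.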
The prevention layers that matter most
Ranked roughly by impact relative to effort:
| Control | What it stops |
|---|---|
| Phishing-resistant MFA | Stolen or sprayed passwords becoming a working login — see 2FA types compared |
| Prompt patching of internet-facing systems | Mass-exploited known vulnerabilities in VPNs, mail, web apps |
| Network segmentation | Lateral movement — containing one compromised host instead of losing the whole estate |
| Least privilege | A single stolen account encrypting everything it can reach |
| Email filtering + macro blocking | The most common initial delivery vector |
| Endpoint detection (EDR) | The mass-encryption behavior, ideally before it finishes |
None of these is exotic. Ransomware thrives on the gap between "everyone knows you should patch and segment" and "we actually did." Closing that gap is unglamorous and overwhelmingly effective.
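The EDR row above refers to catching the mass-encryption behaviour itself: a single process writing to or renaming an unusual number of files across many directories in a short window, often converging on one new file extension. The detector below is an added example written for this article, not code from any EDR vendor; it assumes a hypothetical endpoint agent that logs one file operation per line as `timestamp|pid|process|op|path|newpath`, uses illustrative thresholds rather than tuned ones, and runs over constructed sample log lines that include a noisy-but-benign log writer and an allowlisted backup agent alongside the suspicious process.

```python
"""Mass-encryption behaviour detector over file-event logs (added example).

Assumptions (hypothetical): the endpoint agent emits one line per file
operation as 'ISO-timestamp|pid|process|op|path|newpath' (newpath is empty
unless op is RENAME). Thresholds are illustrative, not tuned values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Processes expected to touch many files across many directories (constructed allowlist).
BULK_ALLOWLIST = {"backupagent.exe"}


def parse_event(line: str) -> dict:
    """Parse one pipe-delimited agent line into a dict with a tz-aware timestamp."""
    ts, pid, proc, op, path, newpath = line.rstrip("\n").split("|")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "pid": int(pid), "proc": proc, "op": op, "path": path, "newpath": newpath}


def detect_mass_encryption(lines, window_s=60, min_files=20, min_dirs=3):
    """Alert once per process that modifies >= min_files distinct files in
    >= min_dirs directories within a sliding window of window_s seconds.
    Renames that all land on one new extension raise the severity."""
    recent = defaultdict(deque)   # (pid, proc) -> events inside the window
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev["op"] not in ("WRITE", "RENAME") or ev["proc"].lower() in BULK_ALLOWLIST:
            continue
        key = (ev["pid"], ev["proc"])
        q = recent[key]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()                      # drop events older than the window
        files = {e["path"] for e in q}
        dirs = {str(PureWindowsPath(p).parent) for p in files}
        new_exts = {PureWindowsPath(e["newpath"]).suffix
                    for e in q if e["op"] == "RENAME" and e["newpath"]}
        if len(files) >= min_files and len(dirs) >= min_dirs and key not in alerted:
            alerted.add(key)
            alerts.append({"pid": ev["pid"], "proc": ev["proc"],
                           "first_seen": q[0]["ts"].isoformat(),
                           "files": len(files), "dirs": len(dirs),
                           "new_extensions": sorted(new_exts),
                           "severity": "high" if len(new_exts) == 1 else "medium"})
    return alerts


def constructed_log() -> list:
    """Constructed sample log: a chatty log writer, an allowlisted backup agent,
    and an unknown process renaming documents to one extension across 4 dirs."""
    base = datetime(2024, 5, 1, 9, 0, 0, tzinfo=timezone.utc)

    def stamp(i):
        return (base + timedelta(seconds=i)).isoformat().replace("+00:00", "Z")

    lines = []
    for i in range(30):   # many files, one directory: noisy but not lateral
        lines.append(f"{stamp(i)}|4120|svchost.exe|WRITE|C:\\Windows\\Temp\\trace{i}.log|")
    for i in range(30):   # many dirs, but an allowlisted bulk process
        lines.append(f"{stamp(i)}|2200|backupagent.exe|WRITE|C:\\Backups\\set{i % 5}\\f{i}.bak|")
    dirs = ["C:\\Users\\ana\\Documents", "C:\\Users\\ana\\Desktop",
            "\\\\fs01\\finance", "\\\\fs01\\hr"]
    for i in range(24):   # the pattern the EDR row is about
        d = dirs[i % 4]
        lines.append(f"{stamp(i)}|5532|update.exe|RENAME|{d}\\doc{i}.docx|{d}\\doc{i}.docx.locked")
    return sorted(lines)  # interleave chronologically as a real feed would


if __name__ == "__main__":
    for alert in detect_mass_encryption(constructed_log()):
        print(alert)
```

The two benign streams show the false positives a practitioner has to design around: volume alone (one directory) is not the signal, and legitimately bulky processes need an explicit allowlist rather than a higher global threshold. A real deployment would add automated containment on a `high` alert, which is the "ideally before it finishes" in the table.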
If it happens anyway
Preparation beats improvisation. A few principles for the worst day:
- Isolate, don't necessarily power off. Disconnect affected machines from the network to stop spread, but powering off can destroy volatile evidence (and occasionally in-memory keys). Follow a pre-written incident plan rather than acting on instinct.
- Identify the strain. Some ransomware families have publicly available free decryptors. Resources like the No More Ransom project catalog known decryptors — check before assuming the key is unrecoverable.
- Restore from clean, offline backups only after you understand how the attacker got in — restoring onto a still-compromised network just hands them a second turn.
- Treat it as a data breach. With double extortion, exfiltration likely happened. Notification obligations and the leak risk are now part of the incident, regardless of whether you can restore files.
The hard question: should you pay?
Law-enforcement guidance consistently discourages paying, for reasons that hold up under scrutiny:
Paying guarantees nothing. There's no contract — decryptors are sometimes broken or incomplete, exfiltrated data sometimes leaks anyway, and a payer is a marked target for the next round. Every payment also funds and validates the entire ecosystem, financing the attacks that follow.
Payment can also carry legal risk: sending funds to a sanctioned entity or group can itself be a violation in some jurisdictions, independent of the extortion. The realistic position is that the decision should never be made for the first time mid-crisis — it should be a board-level policy decided in advance, with legal counsel and, where appropriate, law enforcement already engaged.
The throughline
Ransomware defense isn't a product you buy; it's the cumulative effect of boring discipline. Strong authentication so a phished password isn't game over. Patching so a public exploit isn't a free pass. Segmentation so one foothold isn't the whole network. Immutable, tested backups so encryption is an inconvenience, not a catastrophe. The crews running these attacks are running a business optimized for the path of least resistance — the entire goal of defense is to stop being that path.