Ransomware

🚨 Ransomware isn’t just a big business problem

August 15, 2025 • 23 min read

Ransomware Attacks: What Every Small Business Needs to Know Before It’s Too Late

Ransomware is no longer just a threat to big corporations and government agencies. Every day, small and mid-sized businesses are being targeted — often with devastating consequences. In this post, we’ll break down what ransomware is, why you should care, real-world examples, and most importantly, how to protect your business.

🎥 Prefer video? Watch our CEO, Kessington Ekhaiyeme, explain ransomware in under two minutes here: Watch on YouTube

What Is Ransomware?

Ransomware is a type of malicious software that blocks access to your computer systems or encrypts your files. The attacker then demands a ransom payment — usually in cryptocurrency — to restore access.

Instead of stealing your data outright, ransomware locks it away, making your own information inaccessible until you pay. The problem? Even if you pay, there’s no guarantee you’ll get your files back.

According to CISA, ransomware attacks have surged in recent years, costing businesses billions globally.

How Ransomware Works

Most ransomware attacks follow a predictable pattern:

  1. Infection — The attacker gains access through phishing emails, malicious downloads, weak passwords, or unpatched systems.

  2. Encryption — The malware encrypts files, rendering them useless without a decryption key.

  3. Ransom Demand — A ransom note appears, often with a countdown timer, threatening permanent data loss.

  4. Payment (Optional) — Some businesses pay in desperation; others refuse. Payment is usually demanded in Bitcoin or another cryptocurrency.

  5. Outcome — Even after paying, many victims never regain access to their data.

Types of Ransomware: A Complete Guide for Businesses

Ransomware is one of the fastest-growing threats in cybersecurity, and understanding its different forms can help businesses prepare better defenses. Each type of ransomware has its own tactics, impact, and recovery challenges.

Below is a breakdown of the main types of ransomware with explanations and references for further reading.

1. Crypto Ransomware

What it is:
Crypto ransomware encrypts valuable files — such as documents, images, and databases — and demands payment for the decryption key.

Why it’s dangerous:
Your system may still be usable, but all your critical files become inaccessible. Without backups, recovery can be nearly impossible without the decryption key.

Example:
The infamous CryptoLocker ransomware in 2013 was one of the earliest large-scale crypto ransomware attacks.

2. Locker Ransomware

What it is:
Locker ransomware doesn’t encrypt your files. Instead, it locks you out of your entire device, making it unusable.

Why it’s dangerous:
It blocks access to all programs and files until the ransom is paid. It typically displays a full-screen ransom note and blocks keyboard and mouse input to anything but that screen, so the victim cannot simply close it.

Example:
WinLock, seen in Russia in 2010, was one of the earliest locker variants: it covered the screen with a full-screen message and demanded payment through a premium-rate SMS number.

3. Scareware

What it is:
Scareware pretends to be security software, claiming to have found “issues” with your computer and demanding payment to fix them.

Why it’s dangerous:
While it may not encrypt files, it can cause panic and trick victims into giving away payment information.

Example:
Fake antivirus programs like “Security Shield” have been used in scareware campaigns.

4. Doxware (or Leakware)

What it is:
Instead of just encrypting data, doxware threatens to publicly release sensitive information unless the ransom is paid.

Why it’s dangerous:
The risk isn’t just data loss but also reputational damage and legal consequences if private customer or business data is exposed.

Example:
The “Maze” ransomware gang became notorious for combining encryption with data leaks.

5. Ransomware-as-a-Service (RaaS)

What it is:
Cybercriminals create ransomware and sell or lease it to other attackers, who then carry out attacks in exchange for a share of the ransom.

Why it’s dangerous:
It lowers the barrier to entry for cybercrime, allowing even inexperienced hackers to launch devastating ransomware attacks.

Example:
REvil was a well-known RaaS operation targeting businesses worldwide.

6. Mobile Ransomware

What it is:
Targets mobile devices (overwhelmingly Android; iOS cases are rare and usually abuse remote-lock account features rather than installing malware) by locking the screen or encrypting files until payment is made.

Why it’s dangerous:
With smartphones containing both personal and business data, mobile ransomware can be just as damaging as attacks on computers.

Example:
Svpeng is a type of mobile ransomware that also steals banking credentials.

Learn more:
Mobile ransomware threats – Kaspersky

7. Fileless Ransomware

What it is:
Unlike traditional ransomware that drops an executable on disk, fileless ransomware runs its payload directly in memory, usually by abusing built-in tools such as PowerShell or WMI, which leaves signature-based antivirus with little to scan.

Why it’s dangerous:
Its stealthy nature makes it a preferred method for advanced attackers targeting high-value data, and it leaves fewer artifacts for responders to find afterwards.

Example:
Netwalker has been delivered as a PowerShell script that decodes the ransomware DLL and reflectively loads it straight into memory, so no ransomware binary is ever written to disk.

8. Double Extortion Ransomware

What it is:
Attackers both encrypt and steal data, demanding payment not only to decrypt files but also to prevent data leaks.

Why it’s dangerous:
Even if you have backups, the threat of stolen data being sold or published can force payment.

Example:
The “NetWalker” ransomware group was known for double extortion tactics.

How Ransomware Infects a System or Device

Understanding how ransomware reaches a device is the first step in preventing an attack. Infections don’t happen at random; they exploit human error, unpatched technical vulnerabilities, or insecure network configurations.

1. Phishing Emails

Phishing remains the most common ransomware delivery method. Cybercriminals send emails disguised as legitimate messages from trusted sources (banks, vendors, IT departments) with malicious attachments or links.

  • How it works:
    You receive an email urging you to click a link or download an attachment. Once you do, ransomware is installed on your device.

  • Why it’s effective:
    Criminals often use stolen branding, convincing language, and urgency (“Your account will be suspended in 24 hours”).

2. Malicious Downloads & Infected Websites

In a “drive-by download”, ransomware is installed simply by visiting a compromised or malicious website.

  • How it works:
    These websites exploit browser vulnerabilities to install malware automatically or trick you into downloading fake software updates.

  • Common bait:
    Free software, pirated media, fake antivirus programs, and “urgent” software patches.

3. Remote Desktop Protocol (RDP) Exploits

Many ransomware attacks occur when attackers gain access to devices via unsecured RDP connections.

  • How it works:
    Attackers scan the internet for RDP exposed on TCP port 3389, then brute-force the login or reuse credentials leaked in earlier breaches. Once inside, they manually deploy ransomware.

  • Why it’s dangerous:
    It bypasses email or download protections entirely — attackers directly control the machine.

4. Software Vulnerabilities

Ransomware can spread by exploiting unpatched vulnerabilities in operating systems or popular software.

  • How it works:
    Hackers scan for outdated systems missing security patches, then use exploits to gain entry and install ransomware.

  • Notable example:
    The WannaCry ransomware attack exploited a Windows SMB protocol vulnerability in 2017, infecting hundreds of thousands of computers globally.

5. Malvertising

Malvertising is malicious advertising — fake ads placed on legitimate websites.

  • How it works:
    Clicking an infected ad redirects you to a site that delivers ransomware, often without you realizing it.

  • Why it’s hard to detect:
    Even trusted websites can display malicious ads via third-party ad networks.

6. USB Drives & External Media

Ransomware can also spread through infected USB drives or external hard drives.

  • How it works:
    The ransomware sits on the storage device and runs when a user opens a disguised file on it, such as an executable or shortcut dressed up as a document. Older Windows versions would also run it automatically through AutoRun; current Windows no longer autoruns programs from removable media, but “BadUSB” devices that present themselves as a keyboard can still type commands the moment they are plugged in.

7. Supply Chain Attacks

In a supply chain attack, ransomware is delivered through a trusted third party: a compromised software update, or a vendor’s remote-management tooling that already has administrative access to your systems.

  • How it works:
    Attackers compromise a vendor’s system or product, then use its trusted update or management channel to push malware to every customer at once.

  • High-profile example:
    The Kaseya VSA incident in 2021: REvil affiliates exploited a vulnerability in the VSA remote-management product and used it to push ransomware to managed service providers (MSPs) and, through them, to hundreds of their customers.

8. Network Propagation

Once ransomware infects one device, it can spread laterally across a network to infect multiple systems.

  • How it works:
    Using stolen admin credentials or exploiting vulnerabilities, ransomware can encrypt files on shared drives and connected devices.

Stages of a Ransomware Attack

Ransomware doesn’t appear on your screen instantly — it follows a series of stages that allow attackers to infiltrate, encrypt, and demand payment without being detected too early. Understanding these stages can help businesses spot early warning signs and stop the attack before damage occurs.

1. Initial Access

The attacker’s first goal is to gain entry into your system or network.

  • How it happens:

    • Phishing emails with malicious links or attachments

    • Exploiting software vulnerabilities

    • Using stolen credentials to log in via Remote Desktop Protocol (RDP)

  • Objective: Get a foothold into the target system without triggering alarms.

2. Deployment of Malware

Once inside, the attacker installs the ransomware payload.

  • How it happens:

    • Dropping executable files into hidden directories

    • Using scripts (e.g., PowerShell) to download ransomware from external servers

  • Objective: Position the ransomware so it can spread across devices and avoid detection.

Learn more: Trend Micro – Ransomware Behavior

3. Lateral Movement

The ransomware spreads within the network before launching the encryption process.

  • How it happens:

    • Exploiting admin privileges to access other machines

    • Searching for shared drives and cloud storage accounts

  • Objective: Maximize the number of infected systems for greater leverage.

4. Data Exfiltration (Double Extortion)

Many modern ransomware groups now steal sensitive data before encrypting it.

  • How it happens:

    • Copying files to attacker-controlled servers

    • Targeting databases, financial records, and customer information

  • Objective: Use the stolen data as an extra threat — pay the ransom or your data will be leaked online.

Learn more: ENISA – Double Extortion Ransomware

5. Encryption

This is the stage most victims notice — when files are locked and inaccessible.

  • How it happens:

    • The ransomware typically uses a hybrid scheme: each file is encrypted with a fast symmetric cipher (AES or ChaCha20) under a per-file or per-victim key, and that key is in turn encrypted with the attacker’s RSA public key. Only the attacker holds the matching private key, so the data cannot be recovered by analysing the malware; the strains with free decryptors are the ones that got this step wrong

    • It may rename files and append custom extensions

  • Objective: Render the victim’s data useless until the ransom is paid.

Learn more: Kaspersky – What Is Ransomware Encryption?

6. Ransom Demand

The attacker delivers a ransom note with payment instructions.

  • How it happens:

    • Text files or HTML notes appear in affected folders

    • Desktop wallpaper may be changed with ransom instructions

  • Common demands: Payment in cryptocurrency (Bitcoin, Monero) within a deadline, often with threats to increase ransom or leak data.

Learn more: Europol – Ransomware Threats

7. Payment or Recovery

The victim must decide between paying the ransom or restoring systems through backups.

  • Risks of paying:

    • No guarantee the attacker will provide a decryption key

    • Encourages future attacks

  • Best practice: Restore from secure, offline backups and strengthen security to prevent reinfection.

Notable Ransomware Variants

Ransomware comes in many forms, and over the years, certain strains have become infamous for the damage they’ve caused worldwide. Knowing these names — and how they operate — can help you identify threats faster and strengthen your defenses.

1. WannaCry

  • Year: 2017

  • Impact: Infected over 200,000 computers in 150+ countries within days.

  • How it works: Exploits a flaw in Windows SMBv1 (patched by Microsoft as MS17-010) using the leaked EternalBlue exploit to spread from machine to machine without any user interaction, then encrypts files and demands Bitcoin.

  • Notable victims: UK’s National Health Service (NHS), FedEx, Telefónica.

2. Ryuk

  • Year: First spotted in 2018

  • Impact: Targets large enterprises and government entities, often demanding millions in ransom.

  • How it works: Deployed via phishing or as a second stage to other malware like TrickBot. Known for disabling recovery options before encryption.

  • Notable victims: Hospitals, municipal governments, newspapers.

3. LockBit

  • Year: 2019 – Present

  • Impact: One of the most active ransomware-as-a-service (RaaS) operations, known for speed and automation.

  • How it works: Uses automated scripts to encrypt networks quickly; supports double extortion by stealing data before locking it.

  • Notable victims: Manufacturing firms, government agencies, financial institutions.

4. Conti

  • Year: Emerged in 2020

  • Impact: Linked to a large number of attacks on healthcare, education, and municipal targets.

  • How it works: Operates as a RaaS group; uses fast encryption and often exfiltrates data for double extortion.

  • Notable victims: Irish Health Service Executive, universities, local governments.

5. REvil (Sodinokibi)

  • Year: 2019 – 2021 (disrupted by law enforcement)

  • Impact: Known for high-profile supply chain attacks and multi-million-dollar ransom demands.

  • How it works: Encrypts data and leaks it on a public “shame site” if ransom isn’t paid.

  • Notable victims: Kaseya, JBS Foods.

6. Maze

  • Year: Active 2019 – 2020

  • Impact: Popularized the double extortion model now used by many ransomware groups.

  • How it works: Encrypts data and leaks samples online to pressure victims into paying.

  • Notable victims: Cognizant, Canon.

7. Dharma (CrySiS)

  • Year: Active since 2016

  • Impact: Common in small to medium business attacks, spread via RDP brute-force attacks.

  • How it works: Encrypts files with unique extensions and provides email-based ransom instructions.

8. BlackCat (ALPHV)

  • Year: 2021 – Present

  • Impact: Among the first major ransomware families written in the Rust programming language, known for flexibility and stealth.

  • How it works: Cross-platform attack capability (Windows & Linux) with triple extortion (encrypt, steal, and DDoS).

9. Clop

  • Year: First observed in 2019

  • Impact: Infamous for large-scale data theft and attacks on managed file transfer services.

  • How it works: Often exploits vulnerabilities in enterprise software to breach large networks.

10. Petya / NotPetya

  • Year: Petya (2016), NotPetya (2017)

  • Impact: NotPetya caused billions in damages globally, considered a destructive cyberweapon.

  • How it works: Overwrites the Master Boot Record (MBR) with its own boot code and encrypts the Master File Table (MFT), so the machine can neither boot nor locate its files. NotPetya was disguised as ransomware but acted as a wiper: the “installation key” shown in its ransom note was random data, so no decryption key could ever have been derived from it.

Ransom Payments in Ransomware Attacks

When ransomware strikes, the attackers typically demand a ransom payment in exchange for decrypting the victim’s files. These payments are usually requested in cryptocurrencies such as Bitcoin or Monero to make tracing the funds more difficult.

1. How Ransom Payments Work

  • Demand Stage: After encrypting data, the attacker displays a ransom note on the victim’s device. This note includes payment instructions, deadlines, and sometimes a threat to increase the ransom or delete the data if payment is delayed.

  • Cryptocurrency Wallet: Victims are usually asked to send payment to a specific crypto wallet address.

  • Decryption Promise: Attackers claim they will send a decryption key or tool after receiving the payment.

  • Double Extortion: In many modern attacks, hackers also steal sensitive data and threaten to publish it if the ransom isn’t paid — increasing the pressure on victims.

2. Common Ransom Amounts

  • Ransom demands can range from a few hundred dollars for individuals to millions for large organizations.

  • According to Chainalysis’ 2023 Crypto Crime Report, the average ransomware payment in 2022 was over $4 million for large corporate victims.
    Source: Chainalysis – Ransomware Trends

3. The Risks of Paying

Paying a ransom comes with significant risks:

  1. No Guarantee of Recovery: Even after payment, some victims never receive a working decryption key.

  2. Encourages Future Attacks: Payment signals to attackers that you’re willing to pay, making you a repeat target.

  3. Legal Issues: Paying certain ransomware groups linked to sanctioned entities may violate laws in the U.S. and other countries.

  4. Reputation Damage: If news of the payment becomes public, it can harm brand trust and investor confidence.

4. Regulatory Guidance

  • U.S. Treasury’s OFAC has warned that companies facilitating ransom payments to sanctioned groups can face penalties.

  • FBI & CISA advise against paying ransom, recommending focusing on prevention and recovery instead.
    Sources:
    OFAC Ransomware Advisory
    CISA Ransomware Guidance

5. Alternatives to Paying

  • Restore from Backups: Having offline and regularly tested backups is the most reliable recovery method.

  • Engage Cybersecurity Experts: Professionals can sometimes decrypt files using known decryption tools without paying.

  • Report the Incident: In the U.S., victims should report to the FBI Internet Crime Complaint Center (IC3) or CISA.

  • Negotiate or Delay: Some companies use negotiators to reduce the ransom or buy time for recovery efforts.

6. Case Examples

  • Colonial Pipeline (2021): Paid ~$4.4 million in Bitcoin after a ransomware attack disrupted fuel supply. The FBI later recovered part of the payment.

  • Travelex (2020): Paid ~$2.3 million to regain access to encrypted files after a REvil ransomware attack.

  • Baltimore City (2019): Refused to pay a $76,000 ransom; the city spent over $18 million in recovery costs.

Why Small Businesses Are Prime Targets

Many small business owners assume cybercriminals focus on big corporations. The reality is different.

Reasons small businesses are targeted:

  • Limited cybersecurity budgets

  • Lack of dedicated IT staff

  • Weak or no backup systems

  • Outdated security software

Kenima Cybersecurity has seen first-hand that small businesses often store sensitive customer data without having the proper defenses in place — making them low-hanging fruit for attackers.

Real-World Case Studies

  1. Hospital Ransomware Incident — In 2021, a small U.S. medical clinic paid $150,000 in ransom after losing access to patient records.

  2. Manufacturing Firm Shutdown — A mid-sized manufacturing company faced three weeks of downtime after refusing to pay a ransom, resulting in millions in lost revenue.

  3. Local Retail Breach — A small retail chain in Nigeria lost all point-of-sale data due to ransomware and had no backups to recover from.

The Cost of a Ransomware Attack

The financial toll is severe:

  • Ransom Payment — Ranges from $10,000 to millions.

  • Downtime — Businesses can lose thousands per day.

  • Reputation Damage — Customers lose trust.

  • Regulatory Fines — Especially in industries like finance and healthcare.

How to Protect Your Business

Kenima Cybersecurity recommends a layered defense approach:

  1. Use Multi-Factor Authentication (MFA) — Adds a second verification step for logins.

  2. Regular Backups — Store backups offline and test them frequently.

  3. Employee Training — Teach staff to spot phishing attempts.

  4. Update and Patch Systems — Outdated software is a hacker’s best friend.

  5. Install Endpoint Protection — Detects and blocks ransomware before it spreads.

👉 Learn more in our Small Business Cybersecurity Guide.

What to Do If You’re Attacked

  1. Disconnect affected devices from the network.

  2. Report the attack to law enforcement (FBI Internet Crime Complaint Center).

  3. Contact a cybersecurity professional immediately.

  4. Do not pay the ransom unless advised — there is no guarantee.

Ransomware and Compliance

If you handle customer data, you may be legally required to have specific security measures in place. This includes GDPR, HIPAA, and PCI DSS compliance. Non-compliance after a breach can lead to hefty fines.

Kenima Cybersecurity offers compliance support to help businesses meet these requirements — Book a Free Consultation.

Ransomware protection and response

What you’re aiming for

  • Prevent initial access.

  • Limit blast radius.

  • Detect fast.

  • Contain, eradicate, and recover without paying.

  • Meet legal/reporting duties.

Baseline controls that cut most risk

  • Patch and harden: Prioritize known-exploited vulnerabilities (CISA’s KEV catalog is the list to work from), remove default passwords, and keep internet-facing services tight. CISA’s current guidance stresses rapid patching and basic hardening as top-value actions. (CISA)

  • MFA everywhere that matters: Especially for email, VPN, remote access, and admin accounts; prefer phishing-resistant methods (FIDO2 security keys or passkeys) for administrators. CISA lists MFA as a high-impact baseline control. (CISA)

  • Lock down remote access (RDP/VPN): Close what you don’t need; if you must keep RDP, never expose port 3389 directly to the internet: gate it behind a VPN with MFA, enable Network Level Authentication, and add account lockouts and monitoring. This is a common entry point highlighted by CISA/MS-ISAC. (CISA)

  • Least privilege & segmentation: Separate user/admin roles, use tiered admin, remove local admin rights from day-to-day user accounts, and segment critical systems so one endpoint compromise doesn’t become a domain-wide outage. CISA’s StopRansomware guidance and NIST’s ransomware profile both emphasize this. (CISA; NIST)

  • Email and endpoint defenses: Modern EDR with behavior-based detection, attachment sandboxing, and macro controls for Office docs (block macros in files that came from the internet). NIST SP 800-61r3 points to layered detection and response capabilities. (NIST)

  • Backups you can actually restore: Keep offline/immutable, encrypted backups; test restores regularly; cover SaaS data as well; and keep backup credentials separate from domain admin so a compromised domain cannot be used to delete them. CISA calls this out directly (CPG 2.R), and NIST repeats the “secure, isolate, and test” message. (CISA; NIST)

Prepare before anything happens

  • Asset & data inventory: Know crown-jewel systems, data locations, and business owners to set recovery priorities. NIST IR 8374 uses this to drive ransomware-focused risk decisions. (NIST)

  • Incident response playbook: Build a ransomware-specific runbook aligned to the NIST SP 800-61 lifecycle (Preparation → Detection and Analysis → Containment, Eradication and Recovery → Post-Incident Activity; revision 3 maps these phases onto the CSF 2.0 functions). Run tabletops quarterly. (NIST)

  • Contacts list: Keep law enforcement, incident-response vendor, legal counsel, cyber insurer, regulators, PR, and CISA contacts handy and up to date, and keep a printed copy: if the domain is down, so is your address book. NIST IR 8374 explicitly calls for this. (NIST)

  • Logging: Centralize logs (EDR, auth, firewall, proxies, cloud), keep time synced, and ensure retention long enough to support forensics; ransomware intrusions often start weeks before encryption, so 30 days is rarely enough. Guidance stems from NIST SP 800-61r3. (NIST)

Early signs to watch

  • Unusual privilege escalations; bursts of file renames or writes on file shares, especially many files gaining the same new extension; spikes in CPU and disk I/O on those shares; repeated failed logons (event 4625) from one source followed by a success (4624), particularly RDP logon type 10; deletion of volume shadow copies; and new scheduled tasks or services appearing on several hosts at once. NIST incident handling guidance encourages tuning detections for these behaviors. (NIST)

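The behaviors in that list are straightforward to turn into detection logic. The following is an added example, not code from the original post or from Kenima, written in Python over constructed Windows Security (4625, 4698) and Sysmon (event 11, FileCreate) events. It flags a burst of failed logons from one address, one process writing many files that share an extension nobody normally uses, and the same new scheduled task appearing on more than one host. The field names (time, EventID, Computer, IpAddress, Image, TargetFilename, TaskName), hostnames and thresholds are assumptions; map them to whatever your SIEM or EDR exports.

```python
"""Early-warning checks for ransomware behaviour over Windows/Sysmon telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Thresholds are assumptions for this example; tune them to your own baseline.
WINDOW = timedelta(minutes=5)
FAILED_LOGON_THRESHOLD = 10   # 4625 events from one source address inside WINDOW
MASS_WRITE_THRESHOLD = 20     # files with the same unusual extension from one process
# Extensions a normal workstation writes all day; anything else counts as "unusual".
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".log", ".tmp"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _peak_in_window(times, window):
    """Largest number of timestamps that fall inside any single sliding window."""
    times = sorted(times)
    peak = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def failed_logon_bursts(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW):
    """Security event 4625 (failed logon): password spraying or RDP brute force."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e["IpAddress"]].append(_ts(e))
    return [{"type": "failed_logon_burst", "source": ip, "count": peak}
            for ip, times in by_source.items()
            if (peak := _peak_in_window(times, window)) >= threshold]


def mass_file_writes(events, threshold=MASS_WRITE_THRESHOLD, window=WINDOW):
    """Sysmon event 11 (FileCreate): one process on one host writing many files that
    share an extension nobody uses. An encryption run looks exactly like this."""
    by_key = defaultdict(list)
    for e in events:
        if e["EventID"] == 11:
            ext = os.path.splitext(e["TargetFilename"])[1].lower()
            if ext and ext not in COMMON_EXTENSIONS:
                by_key[(e["Computer"], e["Image"], ext)].append(_ts(e))
    return [{"type": "mass_file_writes", "host": host, "image": image, "extension": ext, "count": peak}
            for (host, image, ext), times in by_key.items()
            if (peak := _peak_in_window(times, window)) >= threshold]


def task_on_multiple_hosts(events, min_hosts=2):
    """Security event 4698 (scheduled task created): the same new task name on
    several machines is a classic deployment and persistence pattern."""
    hosts = defaultdict(set)
    for e in events:
        if e["EventID"] == 4698:
            hosts[e["TaskName"]].add(e["Computer"])
    return [{"type": "task_on_multiple_hosts", "task": task, "hosts": sorted(h)}
            for task, h in hosts.items() if len(h) >= min_hosts]


def run_detections(events):
    return failed_logon_bursts(events) + mass_file_writes(events) + task_on_multiple_hosts(events)


def sample_events():
    """Constructed telemetry (not real logs): a brute-force burst, an encryption run
    against a finance share, a benign Word session, and one task pushed to two hosts."""
    t0 = datetime(2025, 8, 15, 2, 0, 0)
    ev = []
    for i in range(12):   # 12 failures in 88 seconds from one external address
        ev.append({"time": (t0 + timedelta(seconds=8 * i)).isoformat(), "EventID": 4625,
                   "Computer": "FS01", "IpAddress": "203.0.113.7", "TargetUserName": "administrator"})
    for i in range(3):    # 3 failures spread over 20 minutes: a user mistyping
        ev.append({"time": (t0 + timedelta(minutes=10 * i)).isoformat(), "EventID": 4625,
                   "Computer": "FS01", "IpAddress": "10.0.0.23", "TargetUserName": "jsmith"})
    for i in range(25):   # 25 spreadsheets rewritten as .locked by an unknown binary
        ev.append({"time": (t0 + timedelta(minutes=7, seconds=2 * i)).isoformat(), "EventID": 11,
                   "Computer": "FS01", "Image": r"C:\Users\Public\svc.exe",
                   "TargetFilename": rf"D:\Shares\Finance\invoice_{i}.xlsx.locked"})
    for i in range(25):   # 25 ordinary saves by Word over the same minutes: ignored
        ev.append({"time": (t0 + timedelta(minutes=7, seconds=2 * i)).isoformat(), "EventID": 11,
                   "Computer": "WS-ACCT-03", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                   "TargetFilename": rf"C:\Users\jsmith\Documents\memo_{i}.docx"})
    for host in ("FS01", "WS-ACCT-03"):  # the same new task appearing on two hosts
        ev.append({"time": (t0 + timedelta(minutes=6)).isoformat(), "EventID": 4698,
                   "Computer": host, "TaskName": r"\Microsoft\Windows\Updater\Refresh"})
    return ev


if __name__ == "__main__":
    for alert in run_detections(sample_events()):
        print(alert)
```

The extension allowlist is the weak spot of the mass-write check: keep it short and specific to your environment, and pair the rule with a canary directory of files that nothing legitimate should ever touch, so a single write there is itself an alert.
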
If you’re hit: step-by-step

  1. Pull the fire alarm (safely)

    • Isolate suspected endpoints from the network. Don’t power off; keep them on but disconnected to preserve volatile evidence. NIST Publications

  2. Protect your backups immediately

    • Verify offline/immutable copies are still safe. If they’re network-reachable, remove access now. CISA warns attackers often look for and encrypt/delete backups first. CISA

  3. Engage help and report

  4. Triage and contain

    • Identify patient zero and lateral movement paths (RDP, PSExec, SMB). Disable compromised accounts and revoke tokens/keys. Block C2 indicators and known bad hashes. Follow NIST’s containment/eradication guidance. NIST Publications

  5. Eradicate

    • Remove malware, backdoors, and persistence (scheduled tasks, services, startup items, GPO scripts). Patch exploited vulnerabilities before bringing anything back. NIST Publications

  6. Recover safely

    • Rebuild critical systems from known-good images, then restore data from offline/immutable backups. Test integrity before reconnecting to production. CISA and HHS advise testing restores, not just taking a backup’s word for it. CISA

  7. Communications and notices

    • Coordinate with legal on breach notifications, customers, regulators, and partners. Keep one source of truth to avoid mixed messages. NIST’s lifecycle includes structured reporting and comms. NIST Publications

  8. Lessons learned

    • Within two weeks, run a post-incident review and update controls, playbooks, and detections accordingly. NIST SP 800-61r3 closes the loop here. NIST Publications

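Step 4 above says to identify patient zero and the lateral-movement paths. Here is an added example, not part of the original post and not Kenima’s tooling, that reconstructs one account’s path from Windows 4624 logon events (LogonType 10 = RDP, 3 = network/SMB) and 7045 service-install events (PsExec leaves a PSEXESVC service on every host it touches), then turns the result into a containment list. The events, hostnames, field names and internal address ranges are constructed assumptions for the walk-through.

```python
"""Reconstruct an attacker's path from logon and service-install events (added example)."""
from datetime import datetime
import ipaddress

RDP, NETWORK = 10, 3   # 4624 LogonType: RemoteInteractive (RDP) and Network (SMB/admin shares/WMI)
# Assumed internal ranges; anything else is treated as an external source.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def movement_edges(events, account):
    """Time-ordered hops: successful RDP/network logons by `account`, plus every
    PsExec service install (not filtered by account, since 7045 carries none)."""
    edges = []
    for e in sorted(events, key=_ts):
        if (e["EventID"] == 4624 and e["LogonType"] in (RDP, NETWORK)
                and e["TargetUserName"].lower() == account.lower()):
            external = not _is_internal(e["IpAddress"])
            edges.append({"time": _ts(e), "external": external,
                          "src": e["IpAddress"] if external else e["WorkstationName"],
                          "dst": e["Computer"], "how": "RDP" if e["LogonType"] == RDP else "SMB/network"})
        elif e["EventID"] == 7045 and e["ServiceName"].upper() == "PSEXESVC":
            edges.append({"time": _ts(e), "external": False, "src": None,
                          "dst": e["Computer"], "how": "PsExec service installed"})
    return edges


def reconstruct(events, account):
    """Entry host, external source (if any), hosts reached in order, and PsExec targets."""
    report = {"account": account, "entry_host": None, "external_source": None,
              "compromised_hosts": [], "psexec_hosts": [], "path": []}
    for edge in movement_edges(events, account):
        report["path"].append(f"{edge['time']:%H:%M:%S} {edge['src'] or '(local)'} -> {edge['dst']} [{edge['how']}]")
        if report["entry_host"] is None:          # first hop = patient zero
            report["entry_host"] = edge["dst"]
            if edge["external"]:
                report["external_source"] = edge["src"]
        if edge["dst"] not in report["compromised_hosts"]:
            report["compromised_hosts"].append(edge["dst"])
        if edge["how"].startswith("PsExec") and edge["dst"] not in report["psexec_hosts"]:
            report["psexec_hosts"].append(edge["dst"])
    return report


def containment_plan(report):
    """The concrete actions step 4 asks for, derived from the reconstruction."""
    actions = [f"Isolate from the network (EDR containment or switch port): {', '.join(report['compromised_hosts'])}",
               f"Disable {report['account']}, reset its password, and revoke its sessions and tokens"]
    if report["external_source"]:
        actions.append(f"Block {report['external_source']} at the perimeter and close the exposed RDP path it used")
    if report["psexec_hosts"]:
        actions.append(f"Remove the PSEXESVC service and hunt for other remote-exec artifacts on: {', '.join(report['psexec_hosts'])}")
    return actions


def sample_events():
    """Constructed events (not real logs): external RDP into a workstation, SMB and
    PsExec to a file server, RDP on to the domain controller, plus unrelated noise."""
    day = "2025-08-15T"
    return [
        {"time": day + "01:05:00", "EventID": 4624, "Computer": "WS-ACCT-03", "TargetUserName": "jsmith",
         "LogonType": 2, "IpAddress": "127.0.0.1", "WorkstationName": "WS-ACCT-03"},   # console logon: ignored
        {"time": day + "01:12:03", "EventID": 4624, "Computer": "WS-ACCT-03", "TargetUserName": "jsmith",
         "LogonType": 10, "IpAddress": "203.0.113.7", "WorkstationName": "DESKTOP-7Q2K1"},
        {"time": day + "01:20:41", "EventID": 4624, "Computer": "FS01", "TargetUserName": "jsmith",
         "LogonType": 3, "IpAddress": "10.0.0.23", "WorkstationName": "WS-ACCT-03"},
        {"time": day + "01:21:05", "EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
         "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
        {"time": day + "01:21:10", "EventID": 4624, "Computer": "FS01", "TargetUserName": "backupsvc",
         "LogonType": 3, "IpAddress": "10.0.0.5", "WorkstationName": "BK01"},            # other account
        {"time": day + "01:33:52", "EventID": 4624, "Computer": "DC01", "TargetUserName": "jsmith",
         "LogonType": 10, "IpAddress": "10.0.0.40", "WorkstationName": "FS01"},
    ]


if __name__ == "__main__":
    rep = reconstruct(sample_events(), "jsmith")
    print("\n".join(rep["path"]))
    print("\n".join(containment_plan(rep)))
```

Run it per account the attacker is known to have used; in a real case the 4624 events come from every host’s Security log (or your SIEM), and the WorkstationName field is only trustworthy for hosts you manage, which is why the external hop is keyed on the IP instead.
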
On paying the ransom

  • The FBI does not support paying. It fuels more attacks, doesn’t guarantee decryption or deletion of stolen data, and may carry legal risk. Report and seek help instead. (IC3; FBI)

  • Sanctions risk: Paying certain actors can violate U.S. sanctions. OFAC’s advisory warns companies and negotiators about this exposure; consult counsel and your insurer before any payment talk. (OFAC)

Backups that actually save you

  • Design: Multiple layers (on-prem + cloud), offline/immutable, encrypted, with strict access control.

  • Process: Regularly test restoration (not just backup success), protect backup consoles with MFA and separate credentials, and monitor for backup deletion or retention tampering. Record a hash manifest when the backup is taken and keep it where the backup job cannot write, so a restore can be checked against something the attacker could not alter. CISA and NIST both highlight offline + tested restores as non-negotiable. (CISA; NIST)

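One concrete way to “test restoration, not just backup success”: an added example (not Kenima’s tooling and not from the original post) that records a SHA-256 manifest of the live data when the backup is taken, verifies a restored tree against it, and then shows what the same check reports once an attacker has reached the backup copy. The files, paths and note filename are constructed for the drill and live in a temporary directory.

```python
"""Backup manifest and restore drill (added example)."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root.
    Keep the manifest where the backup job itself cannot write (separate credential,
    ideally an immutable/WORM target); otherwise an intruder who reaches the backup
    can rewrite the manifest along with the data and the check proves nothing."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))          # deleted or never backed up
    extra = sorted(set(actual) - set(manifest))            # e.g. a dropped ransom note
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"ok": not (missing or extra or modified),
            "missing": missing, "modified": modified, "extra": extra}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def restore_drill():
    """Back up constructed data, restore and verify; then let an intruder reach the
    backup copy (encrypt one file, delete one, drop a note) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (os.path.join(tmp, d) for d in ("live", "backup", "restored"))
        _write(live, "finance/ledger.csv", b"date,amount\n2025-08-01,120.50\n")
        _write(live, "hr/roster.txt", b"jsmith\nakhan\n")
        _write(live, "notes.md", b"# Q3 planning\n")
        manifest = build_manifest(live)          # taken at backup time, stored elsewhere
        shutil.copytree(live, backup)            # the backup job
        shutil.copytree(backup, restored)        # restore test: must match exactly
        clean = verify_restore(manifest, restored)

        _write(backup, "finance/ledger.csv", os.urandom(48))        # "encrypted" in place
        os.remove(os.path.join(backup, "hr", "roster.txt"))          # deleted
        _write(backup, "README_TO_RESTORE.txt", b"constructed placeholder note\n")
        shutil.rmtree(restored)
        shutil.copytree(backup, restored)        # restoring from the tampered copy
        tampered = verify_restore(manifest, restored)
        return clean, tampered


if __name__ == "__main__":
    before, after = restore_drill()
    print("clean restore:", before)
    print("tampered restore:", after)
```

Schedule the real version of this against a scratch restore target, not production, and alert on any non-empty `modified` or `missing` list: a backup that silently carries encrypted files forward is worse than no backup, because you only discover it on the day you need it.
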
Extra controls that pay off

  • Application allow-listing for servers and high-risk endpoints.

  • Disable or restrict macros and mark-of-the-web bypasses.

  • Privileged access management for domain admins and service accounts.

  • Network share hygiene: limit write access where possible; monitor mass changes.

  • Supplier exposure: review MSP/RMM and backup vendor access paths; enforce MFA and IP allow-listing, and make sure a vendor’s remote-management agent cannot push software to every machine without a second approval.
    These align with the current CISA #StopRansomware guide and the Cross-Sector Cybersecurity Performance Goals (CPGs). (CISA)

Reality check on the threat

Ransomware remains a top threat globally, with complaints from U.S. critical infrastructure organizations rising in 2024 according to the FBI’s IC3 annual report. Treat this as a business-level risk, not just an IT problem. (Reuters)

Quick reference (keep these links handy)

  • CISA #StopRansomware Guide (living playbook + checklists).

  • NIST Ransomware Risk Management Profile, NIST IR 8374 (how to tune the CSF for ransomware).

  • NIST SP 800-61r3 (incident handling lifecycle used in most IR playbooks).

  • FBI Ransomware page and IC3 reporting.

  • CISA Cross-Sector Cybersecurity Performance Goals (CPGs).

  • OFAC Sanctions Advisory on Ransomware Payments (legal risk).

A brief ransomware timeline

1989: The first documented ransomware, known as the “AIDS Trojan” or "P.C. Cyborg” attack, is distributed through floppy disks. It hides file directories on the victim's computer and demands USD 189 to unhide them. Because this malware works by encrypting file names rather than the files themselves, it is easy for users to reverse the damage without paying a ransom.

1996: While analyzing the AIDS Trojan, computer scientists Adam L. Young and Moti Yung warn of future forms of malware that could use more sophisticated cryptography to hold sensitive data hostage. 

2005: After relatively few ransomware attacks through the early 2000s, an uptick of infections begins, centered in Russia and Eastern Europe. The first variants to use asymmetric encryption appear. As new ransomware offers more effective ways to extort money, more cybercriminals begin spreading ransomware worldwide.

2009: Bitcoin launches, giving cybercriminals a way to receive ransom payments that are pseudonymous and hard to tie to an identity, driving the next surge in ransomware activity.

2013: The modern era of ransomware begins with CryptoLocker inaugurating the current wave of highly sophisticated encryption-based ransomware attacks soliciting payment in cryptocurrency.

2015: The Tox ransomware variant introduces the ransomware as a service (RaaS) model.

2017: WannaCry, the first widely used self-replicating cryptoworm, appears.

2018: Ryuk popularizes big game ransomware hunting.

2019: Double-extortion and triple-extortion ransomware attacks become more popular. Almost every ransomware incident that the IBM Security X-Force Incident Response team has responded to since 2019 has involved double extortion.

2022: Thread hijacking—in which cybercriminals insert themselves into targets’ legitimate online conversations to spread malware—emerges as a prominent ransomware vector.

2023: As defenses against ransomware improve, many ransomware gangs begin to expand their arsenals and supplement their ransomware with new extortion tactics. In particular, gangs like LockBit and some remnants of Conti begin using infostealer malware that allows them to steal sensitive data and hold it hostage without needing to lock down victims’ systems.

Ransomware Attacks – Frequently Asked Questions

1. What is ransomware?
Ransomware is malicious software that encrypts files or locks systems, making them inaccessible until a ransom is paid—usually in cryptocurrency. Attackers may also steal data and threaten to leak it.
More from CISA

2. How does ransomware spread?
Common entry points include phishing emails, malicious attachments, compromised websites, weak or exposed Remote Desktop Protocol (RDP) services, software vulnerabilities, and infected removable media.
FBI – Ransomware Prevention

3. Who is targeted?
Small businesses, large enterprises, government agencies, healthcare providers, schools, and even individuals. Attackers often focus on organizations with low defenses but high urgency to restore operations.
NIST Ransomware Profile

4. Should I pay the ransom?
The FBI advises against paying, and the U.S. Treasury’s Office of Foreign Assets Control (OFAC) warns that a payment to a sanctioned actor can itself be a sanctions violation. Payment doesn’t guarantee file recovery or data deletion and could encourage more attacks.
OFAC Advisory

5. What should I do if I’m attacked?

  • Isolate affected systems from the network.

  • Preserve evidence (do not power off).

  • Protect backups.

  • Contact your incident response team, law enforcement, and cyber insurer.
    CISA Incident Reporting

6. How can I protect against ransomware?

  • Keep systems updated and patched.

  • Use multi-factor authentication.

  • Restrict RDP and secure remote access.

  • Maintain offline, tested backups.

  • Train staff on phishing recognition.
    StopRansomware Guide

7. What’s double extortion?
A tactic where attackers steal data before encryption, then threaten to publish it unless the ransom is paid—adding pressure to victims.

8. Can I recover my files without paying?
If backups are secure and isolated, yes. Some ransomware variants have public decryptors available via the No More Ransom Project.

9. How long does recovery take?
It can range from days to weeks depending on damage, availability of clean backups, and the need for full system rebuilds.

10. How do I report a ransomware attack?
In the U.S., file a complaint with the FBI Internet Crime Complaint Center (IC3) and report the incident to CISA; your cyber insurer and, depending on the data involved, your regulator will also need to be notified. See “Alternatives to Paying” above.

Call to Action

Ransomware is one of the most damaging threats your business can face. The time to act is before it happens.

🎥 Watch our CEO explain ransomware in simple terms: YouTube Video
📩 Book Your Free Cyber Risk Audit: Kenima Cybersecurity Contact Page

Kessington Ekhaiyeme instructs part-time at Kenima Cyber Institute and is an experienced cybersecurity professional with over 15 years’ experience working for Fortune 100 companies. He is the CEO of Kenima Cyber Security and the Chief Technology Officer for MedSwift Couriers.

Kessington Ekhaiyeme
