Understanding Ransomware: What It Is and Why It Matters
Ransomware is one of the most disruptive and financially damaging cyber threats facing UK businesses today. Despite frequent headlines, many organisations still struggle to clearly understand what ransomware is, how it works, and why it poses such a serious risk, even to smaller companies.
At Speedster IT, we regularly support businesses that assumed ransomware was “something that only happens to big corporations” until it happened to them. This guide explains ransomware in plain English, from an expert IT security perspective, so you can understand the risk and take informed action.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that blocks access to computers, systems, or data and then demands money (a ransom) to restore access.
In most cases, ransomware:
- Encrypts files so they cannot be opened.
- Locks critical business systems.
- Displays a message demanding payment, usually in cryptocurrency.
The attackers promise to provide a decryption key once payment is made, but there is no guarantee they will follow through.
How Ransomware Has Evolved Over the Years
Ransomware has evolved from “nuisance” attacks against individual PCs into a mature criminal ecosystem targeting entire organisations. The biggest change is that modern ransomware is not just about encryption; it often involves data theft, business disruption, and high-pressure extortion.
- 1989: Early experiments – the first widely cited ransomware (PC Cyborg / “AIDS Trojan”) was distributed via floppy disk and demanded payment by post. Attacks were rare and largely manual.
- 2000s: Screen lockers and scareware – attackers used fake warnings and lock screens to coerce payment, but widespread strong file encryption was not yet common.
- 2013–2016: Crypto‑ransomware becomes mainstream – reliable encryption plus anonymous online payments (especially cryptocurrency) enabled large-scale campaigns such as CryptoLocker-style attacks delivered via email.
- 2017: Global disruption events – outbreaks like WannaCry and NotPetya showed how quickly malware could spread using software vulnerabilities, causing widespread operational impact.
- 2018–2019: “Big game hunting” and targeted intrusions – attackers increasingly broke into networks first, escalated privileges, then deployed ransomware across servers to maximise downtime and pressure.
- 2019–2021: Double extortion becomes common – groups started stealing data before encryption and threatening to leak it, meaning backups alone were no longer enough.
- 2020s: RaaS and criminal supply chains – Ransomware‑as‑a‑Service, initial access brokers, and affiliate models increased scale. Attacks became faster, more repeatable, and more “business-like”.
- 2023–present: Multi‑extortion and data‑theft‑only cases – some groups focus on stealing data and extorting without widespread encryption, while others add pressure tactics (e.g., contacting customers/partners). Increased law-enforcement action has also pushed groups to rebrand and decentralise.
How Ransomware Attacks Typically Happen
Ransomware does not usually arrive in dramatic fashion. It commonly enters an organisation through everyday activity, often exploiting trust or human error.
The most common infection methods include:
Phishing Emails
Employees receive emails that appear legitimate, often impersonating known suppliers or colleagues. A malicious attachment or link installs the ransomware when opened.
Compromised Credentials
Attackers use stolen or weak passwords to access systems remotely, especially where Remote Desktop Protocol (RDP) or VPN access is poorly secured.
Unpatched Software
Cyber criminals actively scan for known vulnerabilities in outdated systems and applications, exploiting them to deploy ransomware.
Operating System and Software Vulnerabilities
Beyond simple “out-of-date software”, many ransomware incidents begin with attackers exploiting a specific vulnerability in an operating system (Windows/macOS/Linux) or a commonly used application. These vulnerabilities can allow remote code execution, privilege escalation (gaining admin-level access), or bypassing security controls—turning a single weak point into full control of a device or server.
Vulnerabilities are often found in:
- Operating systems and core services (e.g., Windows services, file sharing, print services).
- Internet-facing systems such as VPN gateways, firewalls, remote access portals, and email services.
- Browsers and document tools (PDF readers, Office-style documents, JavaScript-enabled content).
- Remote management and IT tools used by admins or third parties (RMM tools), which attackers target because they provide broad access.
- End-of-life (EOL) software that no longer receives security updates, leaving known holes permanently open.
Attackers routinely scan the internet and internal networks for known, unpatched weaknesses, then use automated exploit tools to gain an initial foothold. That is why patching cannot be “when we have time”: organisations need a regular update cycle, clear ownership, and a way to prioritise critical fixes—especially for internet-facing systems and high-value servers.
Supply Chain Attacks
A trusted third‑party supplier is compromised, and ransomware spreads through shared systems or software updates.
Ransomware-as-a-Service (RaaS)
Ransomware-as-a-Service (RaaS) is a business model where skilled cyber criminals build and maintain ransomware tools, then rent or “license” them to other attackers (often called affiliates). This lowers the technical barrier to launching ransomware attacks and is a key reason ransomware has become so widespread.
In many RaaS schemes, affiliates handle the break‑in (phishing, stolen credentials, exploiting vulnerabilities, etc.), while the RaaS operator provides the ransomware payload, payment infrastructure, and negotiation process. Profits are then shared, which effectively “scales” cyber crime by allowing many different groups to use the same ransomware platform at once.
What this means for organisations:
- More attackers, more attempts – ransomware is no longer limited to a small number of expert groups.
- Faster, repeatable attack playbooks – affiliates reuse proven techniques across many victims.
- Professionalised extortion – some groups run “helpdesks”, publish leak sites, and use pressure tactics to force payment.
- Defences still work – strong MFA, patching, endpoint protection, backups, and monitoring remain highly effective because affiliates rely on common entry routes.
Notable Ransomware Variants
Ransomware groups and “brands” change frequently, and names are sometimes reused or rebranded. However, the following variants have been widely referenced in major incidents and reporting over the last several years:
- LockBit – one of the most prolific “affiliate” ransomware operations, known for aggressive extortion and frequent targeting of businesses.
- Conti – a major RaaS group associated with large-scale attacks and “double extortion” tactics (data theft plus encryption).
- REvil (Sodinokibi) – known for high-profile attacks and supply-chain style compromises, operating via an affiliate model.
- Ryuk – associated with targeted, “hands-on-keyboard” attacks against organisations, often preceded by credential theft and lateral movement.
- Maze – widely credited with popularising modern double extortion in ransomware campaigns.
- BlackCat (ALPHV) – a modern RaaS operation noted for targeting large environments and combining encryption with data theft and extortion.
- Clop – linked to campaigns that exploit vulnerabilities in widely used software and then extort organisations, sometimes without widespread encryption.
Compromised Devices (Laptops, Desktops, and Mobile Phones)
Ransomware often starts with a single compromised device, then spreads into the wider business environment. Any device that can access company email, cloud storage (such as Microsoft 365), shared drives, or internal systems can become an entry point.
Common ways devices get compromised include:
- Malicious links and downloads – users click a link in email/Teams or download a file that installs malware in the background.
- Fake apps and mobile malware – a user installs an untrusted app (or is tricked into approving permissions) that steals session tokens, passwords, or MFA prompts.
- Stolen devices – an unlocked or poorly protected phone/laptop can expose saved passwords, email accounts, and authenticator apps.
- Out-of-date operating systems – unpatched Windows, macOS, iOS, or Android devices can be exploited using known vulnerabilities.
- Public Wi-Fi and rogue hotspots – attackers intercept traffic or trick users into logging in to lookalike portals.
- Unsafe remote access – weakly protected RDP/VPN access allows attackers to take control of a device and pivot into the network.
Mobile phones are especially important because they often hold the keys to everything else: business email, password managers, and authentication apps. Even if ransomware never runs on the phone itself, a compromised mobile device can enable account takeover, which can then be used to access cloud data, reset passwords, approve sign-ins, and ultimately deploy ransomware onto servers and PCs.
To reduce device-based risk, organisations should combine endpoint protection, device encryption, regular patching, strong MFA (ideally phishing-resistant where possible), and mobile device management (MDM) to enforce screen locks, app controls, and the ability to remotely wipe lost devices.
What Happens During a Ransomware Attack?
Ransomware attacks are rarely instant. They usually follow a series of stages, and attackers may spend days or weeks inside a network preparing before they trigger encryption.
The stages of a typical ransomware attack look like this:
- Initial access – attackers get in through phishing, stolen credentials, exposed remote access, or exploited vulnerabilities.
- Execution (malware runs) – malicious code runs on a device or server, often disguised as a normal file or tool.
- Persistence – attackers create ways to stay in the environment (for example scheduled tasks or new accounts) so they can return even if a user logs out or a device is rebooted.
- Privilege escalation and discovery – they try to gain admin-level access and map the environment (servers, backups, security tools, and where sensitive data is stored).
- Lateral movement – they move from one system to another to reach high-value systems such as file servers, domain controllers, or cloud admin accounts.
- Data exfiltration (sometimes) – they copy sensitive data outside the organisation to increase leverage (used for double extortion).
- Impact: encryption and disruption – ransomware is deployed broadly and encrypts files/systems, often at the same time, to maximise disruption.
- Extortion and negotiation – a ransom demand is issued (often with a deadline), and attackers may threaten data leaks or ongoing disruption.
Many modern incidents include double extortion, where attackers steal data before encryption and then threaten to publish it if the ransom is not paid.
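The stages above leave traces in ordinary Windows logs, and the practical defence is to notice a chain of them on one host before the impact stage. The following is an added example, not code from the original article: it correlates a handful of real Windows Security/System event IDs (4624 RDP logon, 4720 account created, 4698 scheduled task, 4672 admin privileges, 7045 new service, 1102 audit log cleared) into the stage names used above and alerts when a host shows several stages within a time window. The sample log records, the host names and the internal IP ranges are constructed assumptions about a fictional network, and the stage mapping is a simplified illustration rather than a complete rule set.

```python
"""Correlate Windows event logs into ransomware attack stages.

Added example (not from the original article). Event IDs are real Windows
Security/System event IDs; the sample records, host names and internal IP
ranges are constructed assumptions about a fictional network.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address ranges (RFC 1918).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Stage assigned to each (event_id, logon_type) pair; None matches any logon type.
STAGE_BY_EVENT = {
    (4624, "10"): "initial_access",        # RemoteInteractive (RDP) logon, only if from outside
    (4720, None): "persistence",           # a user account was created
    (4698, None): "persistence",           # a scheduled task was created
    (4672, None): "privilege_escalation",  # special privileges assigned to a new logon
    (7045, None): "lateral_movement",      # a service was installed (PsExec-style remote execution)
    (1102, None): "defence_evasion",       # the audit log was cleared
}


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(event: dict):
    """Return the stage an event indicates, or None if it is not interesting."""
    eid = event["event_id"]
    stage = STAGE_BY_EVENT.get((eid, event.get("logon_type"))) or STAGE_BY_EVENT.get((eid, None))
    if stage == "initial_access" and not is_external(event.get("src_ip", "10.0.0.1")):
        return None  # an RDP logon from inside the network is routine
    return stage


def find_chains(events, window=timedelta(hours=6), min_stages=3):
    """Per host, return the longest ordered list of distinct stages seen within `window`."""
    by_host = defaultdict(list)
    for e in events:
        stage = classify(e)
        if stage:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage))
    alerts = {}
    for host, items in by_host.items():
        items.sort()
        best = []
        for i, (t0, _) in enumerate(items):
            # distinct stages in first-seen order, starting from this event
            stages = list(dict.fromkeys(s for t, s in items[i:] if t - t0 <= window))
            if len(stages) >= min_stages and len(stages) > len(best):
                best = stages
        if best:
            alerts[host] = best
    return alerts


# Constructed sample log: one host shows a full chain, two others show routine noise.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:10:00", "host": "FS01", "event_id": 4624, "logon_type": "10", "user": "jsmith", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:25:00", "host": "FS01", "event_id": 4720, "user": "svc_backup2"},
    {"ts": "2024-05-01T02:40:00", "host": "FS01", "event_id": 4672, "user": "svc_backup2"},
    {"ts": "2024-05-01T03:05:00", "host": "FS01", "event_id": 7045, "user": "svc_backup2"},
    {"ts": "2024-05-01T03:30:00", "host": "FS01", "event_id": 1102, "user": "svc_backup2"},
    {"ts": "2024-05-01T09:00:00", "host": "HR-PC-07", "event_id": 4624, "logon_type": "10", "user": "akhan", "src_ip": "10.20.1.15"},
    {"ts": "2024-05-01T09:15:00", "host": "DC01", "event_id": 4698, "user": "it.admin"},
]

if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

Run stand-alone it prints one alert for FS01 (initial_access -> persistence -> privilege_escalation -> lateral_movement -> defence_evasion) and nothing for the single RDP logon from an internal address or the lone scheduled task on DC01. The six-hour window and the three-stage threshold are tuning choices: attackers may sit in a network for days, so in practice the window is widened and the correlation runs across hosts too, but the point stands that the earlier stages are visible long before encryption starts.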
Why Ransomware Is So Damaging for Businesses
Ransomware is not just an IT issue. It is a business‑critical risk that affects operations, finances, reputation, and legal compliance.
The real‑world impact includes:
- Complete operational shutdown
- Loss of critical data and systems
- Financial losses from downtime and recovery
- Regulatory risks under UK GDPR
- Reputational damage and loss of customer trust
For many organisations, the cost of recovery can far exceed the ransom itself, particularly when backup and recovery planning is inadequate.
Who Is at Risk of Ransomware?
The short answer: everyone.
While large enterprises often make headlines, small and medium‑sized UK businesses are frequently targeted because they tend to have:
- Fewer security controls
- Limited in‑house IT expertise
- Less robust backup strategies
Healthcare providers, professional services, manufacturers, and local authorities are especially attractive targets due to the sensitive or time‑critical nature of their data.
Should Businesses Pay the Ransom?
From a security and ethical standpoint, paying a ransom is strongly discouraged.
Reasons include:
- There is no guarantee that data will be restored.
- Attackers may demand additional payments.
- Payment funds criminal activity and future attacks.
- Some organisations become repeat targets after paying.
UK authorities and cyber‑security bodies consistently advise focusing on prevention, backups, and incident response rather than ransom negotiation.
How Ransomware Protection Really Works
Effective ransomware protection is about layers, not single tools.
A strong defence typically includes:
- Secure Backups
Backups should be:
- Offline or immutable, so ransomware that reaches the live network cannot encrypt or delete them.
- Tested regularly by restoring real data, not just by checking that the backup job reported success.
- Not accessible with the credentials used for live systems, so a compromised admin account cannot reach them.
- Email and Endpoint Security
Advanced email filtering, malware detection, and endpoint protection reduce the risk of initial infection.
- Patch and Vulnerability Management
Keeping systems and applications fully updated closes many of the doors ransomware uses to enter.
- Access Control and MFA
Multi‑factor authentication (MFA) and least‑privilege access limit how far attackers can move if they gain entry.
- User Awareness Training
Employees remain a key line of defence. Training helps staff recognise phishing and suspicious behaviour early.
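The "Secure Backups" point above is the one most often found wanting after an incident: the backup job ran every night, but nobody restored from it, and the attacker reached it with the same admin credentials as the file server. The following added example (not code from the original article) shows the check a practitioner would automate: take a SHA-256 manifest of the data at backup time, keep that manifest somewhere the backup credentials cannot reach, and compare every test restore against it. It then simulates an attacker on the backup server who encrypts one file, deletes another and drops a ransom note, which a restore test must catch before the backup is relied on. All files and paths are constructed in a temporary directory.

```python
"""Verify a test restore against a hash manifest taken at backup time.

Added example (not from the original article). It builds a SHA-256 manifest of
the live data, copies it to a 'backup' location, simulates an attacker who has
reached the backup with the same credentials as the live systems, then checks a
test restore against the manifest. All paths and files are constructed in a
temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: Dict[str, str]) -> List[str]:
    """Return sorted findings; an empty list means the restore matches the manifest."""
    actual = build_manifest(restored)
    findings = [f"missing: {rel}" for rel in manifest if rel not in actual]
    findings += [f"modified: {rel}" for rel, digest in manifest.items()
                 if rel in actual and actual[rel] != digest]
    findings += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return sorted(findings)


def run_demo() -> List[str]:
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = (Path(tmp, n) for n in ("live", "backup", "restore"))
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "payroll.csv").write_text("employee,amount\nA Khan,2900\n")
        (live / "contracts.docx").write_bytes(b"PK\x03\x04 constructed document body")
        (live / "notes.txt").write_text("quarterly review\n")

        # Manifest taken at backup time; in practice stored where the backup credentials cannot reach it.
        manifest = build_manifest(live)
        shutil.copytree(live, backup)

        # Simulated attacker on the backup server: encrypts one file, deletes one, drops a note.
        (backup / "contracts.docx").write_bytes(bytes(range(256)))
        (backup / "finance" / "payroll.csv").unlink()
        (backup / "README_TO_RESTORE.txt").write_text("Your files are encrypted. Contact us.\n")

        shutil.copytree(backup, restore)  # the routine test restore into an isolated location
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    for line in run_demo() or ["restore OK: matches manifest"]:
        print(line)
```

The manifest only proves anything if it is stored independently of the backup, for example on write-once media or under a separate account; an attacker who can rewrite the backup and regenerate the manifest with the same credentials defeats the check, which is the reason the page lists separate credentials alongside immutability.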
Ransomware Protection and Response
Prevention reduces the likelihood of an attack, but response planning reduces the impact when something goes wrong. The goal is to contain the threat quickly, protect evidence, and restore services safely.
Protection (Before an Incident)
- Backups you can trust – keep offline/immutable backups and test restores routinely.
- Patch fast where it matters – prioritise internet-facing systems, servers, and security updates rated critical.
- Secure remote access – restrict RDP, harden VPN, and use conditional access and strong MFA.
- Reduce admin rights – apply least privilege, separate admin accounts, and protect domain admin credentials.
- Endpoint protection and monitoring – use modern endpoint security and centralised logging to spot suspicious behaviour early.
- Email and web protection – block malicious attachments/links and enforce safe browsing controls.
- Secure Microsoft 365 – protect accounts, disable legacy authentication, and monitor risky sign-ins and mailbox rules.
- Third-party risk checks – understand supplier access, remote tools, and update processes.
- Tabletop exercises – rehearse the incident plan so people know what to do under pressure.
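The "Secure Microsoft 365" item above mentions mailbox rules because a compromised account is usually followed within minutes by an inbox rule that forwards mail out of the tenant or hides security and finance messages, which is how attackers keep the victim unaware while they move towards the servers. The following is an added example, not code from the original article: it audits a set of inbox rules for those patterns. The field names mirror those returned by the Exchange Online cmdlet Get-InboxRule (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectOrBodyContainsWords); the mailboxes, rules, keyword lists and the organisation domain are constructed assumptions, and addresses are simplified to bare SMTP addresses rather than the cmdlet's display-name format.

```python
"""Audit inbox rules for account-takeover patterns.

Added example (not from the original article). Field names mirror Exchange
Online's Get-InboxRule output; the tenant domain, mailboxes and rules below are
constructed assumptions, with addresses simplified to bare SMTP form.
"""
from typing import Dict, List

ORG_DOMAINS = {"example.co.uk"}  # assumption: the tenant's own domains
SUSPECT_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                   "Archive", "Junk Email", "Deleted Items"}
SUSPECT_WORDS = {"invoice", "payment", "bank", "password", "security",
                 "hacked", "phishing", "mfa"}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_rule(mailbox: str, rule: Dict) -> List[str]:
    """Return one finding string per suspicious property of an enabled rule."""
    if not rule.get("Enabled", True):
        return []
    findings = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [a for a in targets if is_external(a)]
    if external:
        findings.append("forwards/redirects mail outside the organisation: " + ", ".join(external))
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    hits = sorted(words & SUSPECT_WORDS)
    if rule.get("DeleteMessage") and hits:
        findings.append("deletes messages matching " + ", ".join(hits))
    if rule.get("MoveToFolder") in SUSPECT_FOLDERS and (hits or rule.get("MarkAsRead")):
        findings.append(f"hides messages in '{rule['MoveToFolder']}'")
    if rule.get("Name", "").strip(" .") == "":
        findings.append("rule has an empty or dot-only name")
    return [f"{mailbox} | rule {rule.get('Name')!r}: {f}" for f in findings]


def audit_tenant(rules_by_mailbox: Dict[str, List[Dict]]) -> List[str]:
    return [f for mbx, rules in rules_by_mailbox.items()
            for r in rules for f in audit_rule(mbx, r)]


# Constructed sample: one legitimate rule, two attacker-style rules, one internal redirect.
SAMPLE_RULES = {
    "finance@example.co.uk": [
        {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
         "SubjectOrBodyContainsWords": ["newsletter"]},
        {"Name": ".", "Enabled": True, "ForwardTo": ["fin.reports.2024@gmail.com"],
         "DeleteMessage": True, "MarkAsRead": True,
         "SubjectOrBodyContainsWords": ["invoice", "payment", "bank"]},
    ],
    "ceo@example.co.uk": [
        {"Name": "Security notices", "Enabled": True, "MoveToFolder": "RSS Feeds",
         "MarkAsRead": True, "SubjectOrBodyContainsWords": ["password", "security", "mfa"]},
    ],
    "it.admin@example.co.uk": [
        {"Name": "Forward to shared mailbox", "Enabled": True,
         "RedirectTo": ["helpdesk@example.co.uk"]},
    ],
}

if __name__ == "__main__":
    for finding in audit_tenant(SAMPLE_RULES):
        print(finding)
```

Run stand-alone it reports three findings for the dot-named finance rule (external forward, deletion of invoice/payment/bank mail, empty name), one for the rule that hides security and password messages in the RSS Feeds folder, and nothing for the newsletter rule or the redirect to an internal shared mailbox. In a real tenant the same logic runs over an export of all mailboxes on a schedule, and an external forward on a finance or executive mailbox is treated as an incident rather than a ticket.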
Response (When You Suspect an Attack)
- Isolate affected devices – disconnect from Wi‑Fi/network (do not power off unless instructed by your IT/security team).
- Contain access – reset suspected credentials, revoke sessions, and lock down remote access temporarily if needed.
- Preserve evidence – record what you see (screenshots, filenames, ransom note details) and keep relevant logs.
- Identify scope – confirm which systems, accounts, and data are affected (including cloud services and backups).
- Communicate internally – use a clean channel (phone/alternate email) in case normal systems are monitored.
- Engage specialist support – involve your IT/security provider and, where appropriate, cyber insurance and legal support.
- Restore safely – rebuild and restore from known-good backups only after the entry point is removed and security is verified.
- Post-incident hardening – close the gaps that allowed the attack (patching, MFA, admin controls, monitoring, and user training).
Depending on the incident, you may also have reporting obligations (for example, under UK GDPR if personal data is involved). A structured debrief after recovery helps ensure the same entry route cannot be reused.
UK Reporting and Law Enforcement Guidance
If you are a UK organisation dealing with ransomware, get specialist technical help, but also report the incident promptly. UK guidance typically points to these routes (depending on severity and what has happened):
- NCSC (National Cyber Security Centre) – use the government “Where to Report a Cyber Incident” service to be directed to the right place, particularly for significant incidents.
- Action Fraud / Report Fraud – the national reporting centre for fraud and cyber crime (online or by phone). For businesses/organisations actively under cyber attack, guidance indicates calling 0300 123 2040 and selecting the priority option for a live incident.
- Police (emergency) – if the incident is happening now and there is immediate risk (e.g., safety issues or an ongoing crime in progress), call 999; otherwise use 101 for non‑emergencies.
- ICO (Information Commissioner’s Office) – if personal data is affected, you may need to assess and report a personal data breach under UK GDPR. ICO guidance notes reporting within 72 hours of becoming aware of a notifiable breach (where feasible).
Also be aware that ransomware payments can create legal and financial risk. UK government guidance highlights that financial sanctions may apply to certain individuals or entities, meaning paying (or facilitating payment) could be a serious offence. If you are considering any payment decision, take legal advice and keep clear records of actions taken and reporting made.
Ransomware From an Expert Perspective
From our experience supporting UK businesses, ransomware is rarely caused by a single failure. It is usually the result of small gaps across systems, processes, and people.
The organisations that recover fastest or avoid attacks altogether are those that treat cyber security as an ongoing business priority, not a one‑off IT task.
Ransomware is no longer a niche or technical threat. It is a common, deliberate, and financially motivated crime affecting businesses of all sizes across the UK.
Understanding what ransomware is and how it operates is the first step towards protecting your organisation. The second is ensuring your IT security strategy is robust, realistic, and regularly reviewed.
If ransomware is not part of your business risk thinking today, it should be.

With over 15 years at Speedster IT, I’ve built a career around helping businesses navigate the evolving world of technology. I publish all the content for the IT Support London Blog and Cyber Security Blog, where I share practical insights on infrastructure upgrades, cybersecurity trends, and smart IT strategies for growing companies.