Offensive Security · Jun 16, 2026 · 14 min read

Ransomware: how to protect against it and respond to an attack

Ransomware encrypts your data and demands a ransom, and increasingly steals it before encryption. Here is what an attack looks like, how to prevent it, and how to respond so the disruption is as short as possible.
Image: An incident response team coordinating recovery in front of an incident dashboard.

Ransomware is a type of malicious software that encrypts the data on infected systems and then demands a ransom for the key that unlocks it. For a company, that means it can lose access to its files, databases, and systems overnight, and operations stop until the situation is resolved. In recent years attacks have grown more dangerous, because attackers steal the data before encrypting it and then threaten to publish it if the ransom is not paid.

Ransomware is now one of the most serious threats to organizations of every size, and especially to those that cannot tolerate downtime, such as hospitals, financial institutions, and critical infrastructure providers. The good news is that the risk can be reduced sharply, and the damage contained, by combining prevention, detection, and a prepared response. This post explains what an attack looks like, how to prevent it, and how to react if it happens.

What ransomware is

Ransomware takes its name from ransom and describes malicious software that denies a victim access to data or systems until a payment is made. Most often it encrypts files with strong encryption that is practically impossible to break without the key. After encryption the victim usually receives a message with payment instructions, routinely in cryptocurrency to make the money harder to trace.

It is important to understand that ransomware rarely acts on its own. Behind almost every attack is a person who first got into the network, expanded access, and only then launched the encryption. That means the attack has a phase during which it can be detected and stopped, before the damage is done.

What an attack looks like, step by step

A typical ransomware attack is not an instant event but a sequence of steps that can play out over days or weeks. Understanding those stages shows where defense can be inserted.

  1. Initial access. Most often through a phishing message, stolen credentials, or an unpatched vulnerability on an internet-facing system.
  2. Foothold and reconnaissance. The attacker maps the network, looks for valuable data, and identifies backups.
  3. Spread and privilege escalation. The attacker moves across systems and takes over administrator privileges.
  4. Data theft. Sensitive data is copied before encryption, for later extortion.
  5. Encryption. The ransomware runs and data becomes unavailable, often deliberately outside working hours.
  6. Extortion. The attacker demands a ransom and threatens to publish the stolen data if it is not paid.

Double and triple extortion

Ransomware once only encrypted data, so a good backup was almost a complete defense. Today attackers use double extortion: first they steal the data, then they encrypt it. Even if you restore your systems from a backup, they threaten to publish the stolen data. Some go a step further, into triple extortion, adding pressure such as a denial-of-service attack or contacting your customers and partners directly.

That is why modern ransomware defense cannot rest on backups alone. Backups solve the availability problem, but not the confidentiality problem of stolen data. You have to prevent the entry and the theft, not just enable recovery.

A backup restores your data. It does not restore the data an attacker has already stolen. That is why ransomware defense is built on preventing entry, not just on recovery.

How ransomware gets in

Almost every ransomware attack starts at one of a few predictable entry points. Those are exactly where defense has the greatest effect.

  • Phishing and social engineering, where an employee opens an attachment or gives up credentials, which we cover in our post on phishing and social engineering.
  • Stolen or weak credentials, especially for remote access such as internet-facing RDP.
  • Unpatched vulnerabilities on servers, VPN appliances, and internet-facing applications.
  • Supply chain risk, where the attacker gets in through a compromised vendor or software you use.

How to protect against it

Ransomware prevention does not come down to a single tool, but to several layers that together make both entry and spread harder.

  • Regular backups following the 3-2-1 rule (three copies, on two different media, one of them offsite), with at least one copy the attacker cannot alter or delete.
  • Regular updates and patch management, because attackers exploit known vulnerabilities quickly.
  • Multi-factor authentication on all access, especially on remote access and administrator accounts.
  • Network segmentation, which keeps an attack from spreading freely across the whole organization.
  • The principle of least privilege, where users and systems have only the access they actually need.
  • Advanced endpoint detection (EDR) that recognizes suspicious behavior, not just known viruses, which we run through managed detection and response.
  • Employee training, because a large share of attacks starts with human error.

Backups are the last line of defense

If everything else fails, the backup decides whether you recover in days or in weeks. But a backup is only worth something if the attacker cannot reach it and if you can actually restore from it. Attackers now deliberately hunt for and delete backups before encryption, so a backup connected to the same network is often not enough.

That is why backups must be separated and immutable, and recovery from them tested regularly. A backup you have never tried to restore is an assumption, not a guarantee. Testing recovery uncovers problems before you uncover them in the middle of a real attack. We cover this further in our post on business continuity and disaster recovery.
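The restore test described above, as an added example that is not part of the original post: a SHA-256 manifest is recorded at backup time and kept apart from the archive, the archive is restored into a scratch directory, and every file is checked against the manifest. The directory layout, file contents and the deliberately corrupted file are constructed for the drill.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root. Store it away from the backup itself."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def verify_restore(restore_dir, manifest):
    """Compare a restored tree against the manifest; report files that are missing or altered."""
    root = Path(restore_dir)
    missing = [rel for rel in manifest if not (root / rel).is_file()]
    corrupted = [rel for rel in manifest
                 if rel not in missing and sha256_of(root / rel) != manifest[rel]]
    return {"checked": len(manifest), "missing": missing, "corrupted": corrupted}


def restore_test_demo():
    """Constructed drill: back up a small tree to tar, restore it elsewhere, damage one file, verify."""
    work = Path(tempfile.mkdtemp())
    src, restore = work / "src", work / "restore"
    (src / "finance").mkdir(parents=True)
    (src / "finance" / "q2.xlsx").write_bytes(b"quarterly figures")   # constructed sample data
    (src / "notes.txt").write_bytes(b"plain notes")
    manifest = build_manifest(src)                                       # taken before the backup runs
    archive = work / "backup.tar"
    with tarfile.open(archive, "w") as tar:
        tar.add(src, arcname=".")
    restore.mkdir()
    with tarfile.open(archive) as tar:
        # Use the safe extraction filter where this Python version provides it.
        tar.extractall(restore, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
    (restore / "notes.txt").write_bytes(b"plain notes?")                 # simulate a damaged restore
    result = verify_restore(restore, manifest)
    shutil.rmtree(work)
    return result
```

A real drill runs the same check against the production backup restored onto an isolated host; a manifest stored next to the backup is only as trustworthy as the backup copy the attacker could not reach.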

Early detection changes the outcome

Because a ransomware attack takes time rather than happening all at once, early detection is often the difference between a minor incident and a full stoppage. Suspicious behavior, such as sudden access to a large number of files, unusual logins, or attempts to disable security tools, can flag an attack while it is still in progress.
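One of the behaviors named above, a sudden burst of file modifications by one account, as an added detection example that is not from the original post: it walks a file-activity log with a per-actor sliding window and raises an alert when one user on one host touches at least 50 distinct files inside 60 seconds, noting the new extensions involved and whether it happened outside working hours. The log format, field names, thresholds and sample events are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WORK_START, WORK_END = 7, 19   # assumed working hours for the off-hours flag


def parse(line):
    """Constructed format: ISO timestamp, user, host, action, path."""
    ts, user, host, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), user, host, action, path


def detect_bursts(lines, threshold=50, window=timedelta(seconds=60)):
    """Alert once per (user, host) that modifies >= threshold distinct files within `window`."""
    recent = defaultdict(deque)   # actor -> recent (timestamp, path) events
    alerted, alerts = set(), []
    for line in lines:
        ts, user, host, action, path = parse(line)
        if action not in ("WRITE", "RENAME", "DELETE"):
            continue
        actor = (user, host)
        q = recent[actor]
        q.append((ts, path))
        while q and ts - q[0][0] > window:        # drop events older than the window
            q.popleft()
        paths = {p for _, p in q}
        if len(paths) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "first_seen": q[0][0],
                "files": len(paths),
                "extensions": {p.rsplit(".", 1)[-1] for p in paths if "." in p},
                "off_hours": ts.hour < WORK_START or ts.hour >= WORK_END,
            })
    return alerts


def build_sample_log():
    """Constructed log: a few ordinary daytime events, then 80 renames to a new extension late at night."""
    lines = ["2026-06-15T14:02:11 alice WS-01 WRITE /share/finance/q2.xlsx",
             "2026-06-15T14:05:40 bob WS-07 READ /share/hr/policy.pdf",
             "2026-06-15T14:06:02 bob WS-07 WRITE /share/hr/onboarding.docx"]
    start = datetime(2026, 6, 15, 23, 12, 0)
    for i in range(80):                          # two renames per second for 40 seconds
        t = (start + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{t} alice WS-01 RENAME /share/finance/doc{i:03d}.docx.locked")
    return lines
```

In production the same logic would sit on EDR or file-server audit events, with the threshold tuned per share so that legitimate bulk jobs such as nightly exports do not trip it.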

This is exactly what we cover through threat detection and response, where we build detections tailored to your environment and threats and make it possible to stop an attack before the encryption phase. Proactive threat hunting goes further, looking for signs of attackers who slipped past automated detection.

How to respond to an attack

If an attack does happen, a prepared response limits the damage. A panicked, disorganized response usually makes it worse. A written incident response plan is what turns the steps below into a repeatable process rather than improvisation.

  • Isolate infected systems from the network to stop the spread, but do not power them off immediately, because that can destroy evidence.
  • Activate the incident response plan and notify the responsible people and, if needed, an external response team.
  • Preserve evidence and run forensic analysis to establish how the attacker got in and how far they reached.
  • Assess whether personal data was stolen, because that can trigger an obligation to report within 72 hours.
  • Restore systems from verified backups only after you are sure the attacker has been removed from the environment.
  • Run a post-incident review and close the gap the attack came through, so it does not happen again.

Should you pay the ransom?

The general guidance, shared by cybersecurity authorities, is not to pay the ransom. Paying does not guarantee the data comes back, it funds further attacks, and it does not remove the risk that the stolen data is published. On top of that, paying certain actors can carry legal consequences. The decision is ultimately a business one, but it is far easier to make when you have verified backups and a clear recovery plan.

Ransomware and regulatory obligations

A ransomware attack is often a regulatory event at the same time. If you fall under the NIS2 directive, you have to report a significant incident within short windows. Financial institutions have similar obligations under DORA. If personal data was stolen, the obligation to report under GDPR comes into play as well. Each of these obligations has the same precondition: you have to know what happened and how far the attack reached.

Without detection and forensics it is impossible to meet the deadlines or give a regulator an accurate picture. We run the full readiness program, from prevention through response to compliance, as part of our governance, risk, and compliance service.

Ransomware cannot be ruled out completely, but the risk can be brought down to a level you can manage, and the damage limited through preparation. If you want to know how resilient your organization is and how you would respond to a real attack, see our threat detection and response service and book a scoping call.

Frequently asked questions

What is ransomware in simple terms?
Ransomware is malicious software that locks your data with encryption and demands a ransom to unlock it. Increasingly, attackers also steal the data before encryption and threaten to publish it. The goal is to force the victim to pay.
Is a backup enough protection against ransomware?
A backup is essential for recovery, but it is not enough on its own. It restores the data, but it does not undo the theft in a double-extortion attack. The backup also has to be impossible to delete or alter, and recovery from it tested regularly. Complete defense combines prevention, detection, and backups.
Should we pay if we get attacked?
The guidance is not to pay, because paying does not guarantee the data comes back, it funds future attacks, and it can carry legal consequences. The decision is far easier to make if you have verified backups and a recovery plan, so paying is not the only option.
How quickly should we react to ransomware?
As soon as possible. Because the attack unfolds in stages, an early reaction can stop it before encryption. After encryption, fast isolation prevents further spread. That is why a response plan prepared in advance and the ability to detect are decisive for the outcome.

Sources

  1. ENISA. ENISA Threat Landscape: Ransomware. European Union Agency for Cybersecurity, 2024.
  2. CISA. #StopRansomware. Cybersecurity and Infrastructure Security Agency, 2024.