Ransomware is malicious software that encrypts a company’s files and demands a ransom to unlock them. In practice it means one thing: one morning nobody can open documents, email is down, the accounting system does not work, and a payment demand shows on the screen. I have seen what that morning looks like in a company that was not prepared, and in one that was. The difference between the two is not luck, but a few decisions made earlier.
How an attack begins
It helps to understand that encryption is usually the last stage, not the first. Before it happens, the attacker often sits in the network for days or weeks.
- Entry. Most often through phishing, a stolen password or a vulnerable service exposed to the internet, for example an unsecured remote desktop.
- Reconnaissance. The attacker learns the network, looks for administrative accounts and the location of backups.
- Data theft. Before encrypting files, they often copy them first so they can add the threat of disclosure as extra leverage.
- Encryption. Finally they launch encryption, usually at night or over the weekend, when no one is watching.
In the cases I have analysed, victims lost data not because they had no backup, but because the backup was connected to the same network and got encrypted along with everything else. A backup that can be deleted from the domain is not a backup.
The foundation: 3-2-1 backups
No protection is ever one hundred percent, which is why a backup is the last line that decides whether the company returns to work in hours or in weeks. A proven rule is 3-2-1.
- 3 copies of your data.
- 2 different media or technologies.
- 1 copy kept off site and isolated from the production network.
The key word is isolation. A copy that is offline or immutable cannot be encrypted even when the attacker takes over the domain. On top of that, backups must be tested regularly by restoring them, because a backup no one has ever restored is only an assumption. A well designed server backup accounts for both isolation and periodic restore tests.
The layer that detects an attack earlier
A backup alone only helps after the fact. The point, however, is to stop the attack altogether or detect it before encryption happens. This is what modern protection for workstations and servers is for.
Classic antivirus recognises known threats by signatures. Ransomware can evade them. That is why we use EDR/XDR, a layer that observes system behaviour.
- It detects unusual patterns, for example a process mass-encrypting files, and can stop it automatically.
- It lets you isolate an infected computer from the network with one click, before the threat spreads.
- It collects traces of the attack, so you know how and where someone got in, not just that something happened.
Limiting the spread once it starts
If the attacker gets in, what matters is how far they reach. A few rules reduce the damage in practice.
- Network segmentation. Separating servers, workstations and critical systems means an infection in one department does not take down the whole company.
- Least privilege. An ordinary user does not need administrator rights. Taking over such an account is far less dangerous.
- MFA on remote and administrative accounts. A stolen password alone stops being enough.
- Updates and patching. Many attacks exploit holes for which a patch has existed for months.
A recovery plan: what we do in the first hour
The worst moment to invent a procedure is during an ongoing attack. Companies that cope well have a plan written down in advance. It answers simple questions.
- Who makes decisions and who we notify first.
- What we disconnect from the network immediately to limit the encryption.
- From where and in what order we restore critical systems.
- How long the company can operate without a given system, that is the agreed RTO and RPO.
- When we report the incident, including any obligation to the data protection authority in the case of personal data.
This plan is the heart of disaster recovery. It is not about a thick document, but a few pages the team knows and has rehearsed.
Should you pay the ransom
I advise against it. Payment does not guarantee you recover the data, it funds further attacks, and the company ends up on the list of those that pay, so it often gets attacked again. It is far better to invest in advance in backups and detection, because those give you real independence from a criminal’s decision.
Where to start
If I had to name an order, it looks like this. First, close off your backups in a 3-2-1 model with one isolated copy and test the restore. Then deploy EDR/XDR and MFA. Finally, write down and rehearse a simple recovery plan. These three steps turn a potential catastrophe into a controlled, if unpleasant, incident.
If you want to check whether your company would survive such a morning, we will help you work through backups, workstation protection and a recovery plan without unnecessary theory. Start with a conversation about where your weakest link is today.