Understanding ransomware: What it is and how to protect your business

Author: TD SYNNEX Newsflash Published: 10th February 2026

Ransomware has surged back into focus in 2026, remaining one of the most significant and persistent forms of cyber threat facing businesses. Recent attacks have shown just how quickly organisations can be brought to a standstill – causing operational paralysis, financial fallout, and lasting reputational harm. With the pressure mounting on businesses to protect personal data and maintain customer trust, understanding how ransomware works and how to guard against it has never been more critical. In this article, we break down the basics and outline what practical steps businesses can take to minimise the risk of an attack.

What is ransomware?

Ransomware is a form of malware that blocks access to IT systems and/or data until a fee is paid to the perpetrators. As the data is encrypted by the criminals, it can’t be accessed until the money is handed over and a decryption key provided. A ransomware attack can paralyse even the largest organisation, leaving it with little choice but to stump up the ransom, which is usually substantial and often accepted only in cryptocurrency.

How does it compare to other cyber security threats?

A ransomware attack is the most serious form of cybercrime for businesses. If it catches a business unprepared, it will often bring the entire organisation to an immediate standstill. In almost every case, it is a genuine and urgent crisis.

Other types of cyberattack are serious, of course, but usually not as stressful and immediate as ransomware. Virus infiltrations can result in data being stolen or corrupted or business being severely disrupted. Distributed denial of service (DDoS) attacks will flood a business with digital traffic and prevent it functioning properly. Through the practice of phishing, cybercriminals can glean information that will provide them access to systems, giving them the ability to steal money directly, carry out fraudulent schemes, or plant other types of malware inside the network. This is often the method used to perpetrate ransomware.

Why won’t ransomware problems go away?

While cybersecurity protection has continued to advance, ransomware has also become more sophisticated. The perpetrators are highly organised and motivated. They persist in their efforts because it pays. It is easy for them to identify and target potential victims, and it is difficult for enforcement authorities to track and close them down. Criminals continually adapt their attacks, making it an endless struggle for supremacy between them and security vendors and service providers.

How do ransomware attacks happen?

Attacks are typically initiated through email, compromised websites, or vulnerabilities in business applications. Phishing emails are the most common way in which ransomware is spread and initiated. The malicious email, which is often made to look like it comes from a legitimate source, will try to persuade the receiver to open an attachment or link. This will subsequently lead to a file being downloaded that will run the ransomware app. Known vulnerabilities in software and access protocols are also exploited to plant and run ransomware.

What can organisations do to prevent ransomware attacks?

By taking a multi-layered approach, you can significantly reduce the chance of a ransomware attack for your business. Essential steps include:

Make sure employees are aware

Ensure all staff know how to identify phishing attacks and any suspicious activity. There should be regular employee training and refresher courses.

Create and maintain a strong cyber security policy

Ensure you review your cyber security policy regularly to keep your posture up to date.

  • A robust backup regime – backups should be taken frequently and tested for their veracity. Importantly, they must be stored offline from your own systems, so that they can’t also be taken out by a ransomware attack.
  • Keep all software up to date – as well as making certain that security software is updated and device licences are current, key business applications need to be up to date.
  • Deploy good endpoint security software – having strong protection on the network and every device is essential.
  • Protect the gateway – deploy a firewall or unified security appliance at the gateway to your network.
  • Apply strict access control – it is all too easy for the rules to be softened over time. Access rights and controls need to be strict, and users must be told to stick to the rules. Privileges should be reviewed regularly.
  • Use two-factor authentication – this will give you an added layer of access protection.
  • Plan for an incident – set out a clear plan for what you would do in the event of a ransomware attack or any other cyber incident. As well as a detailed recovery plan, this should cover how you will communicate with customers, suppliers, and stakeholders. Ensure you keep printed copies of the plan – or store digital versions somewhere that is not connected to your network.

You might also want to consider using a specialist third party security firm to monitor your network, manage your digital security, and guard against any potential threats.

Can you be certain of not getting hit?

There is no absolute guarantee that you won’t suffer an attack. Even if you take all the measures described above and get help from a third-party specialist, if you connect to the internet, it’s possible that you may get attacked. However, by always staying vigilant, applying as many layers of protection as you can, regularly reviewing your posture, and avoiding complacency, you can minimise the risk.

How to respond to an attack

If you are attacked, it’s vital to act swiftly, but also to remain calm and methodical. You should call in other staff and expert help right away and try to keep a documented record of everything you do.

1. Disconnect systems immediately

All impacted systems should be disconnected from the network immediately to prevent the attack spreading to other internal systems and external connections. However, it’s a good idea not to power them down, as the memory may contain clues that can be used by security experts to discover what has happened. Take photos of any ransom demands or error messages displayed on screens. Make notes of the timings and sequence of events and record any other details that may seem relevant, such as filenames and contact information.

2. Notify your staff

All managers and employees need to be informed as quickly as possible and told what to do, and more importantly, what not to do. They should avoid logging on or doing anything on systems until they are instructed otherwise. Everyone should be kept updated and informed of what’s happening as the investigation and recovery proceeds. You should invoke your incident response plan and bring together all the individuals who are part of the response team. Be ready to take the steps outlined in your disaster recovery plan.

3. Call in cyber security experts immediately

You should call in cybersecurity experts immediately to help you recover. Together you need to work out exactly what has happened, how the attack was perpetrated, the full extent of the potential damage, and what recovery options are available. If you have insurance cover for cyberattacks, you will also need to contact your insurer.

4. Report the incident to the ICO

In some cases, it may be necessary to report the incident to law enforcement. In the UK, an attack must be reported to the Information Commissioner's Office (ICO) within 72 hours if it's a personal data breach likely to risk individuals' rights. Severe incidents affecting critical services or substantial operations should be reported to the National Cyber Security Centre, and all cybercrimes, including fraud, reported to the Action Fraud national reporting centre. You may also want to inform or call in expert legal advisers.

5. Assess the scope of the attack

You will need to assess the scope of the attack and whether reliable backups are available that can be used to restore operations. If confidential data about customers and / or employees has been compromised, you will need to take appropriate action and work on both internal and external communications plans.

6. Do not pay the ransom

If possible, you should avoid paying any ransom, as this encourages further attacks. If you do pay, it won’t necessarily mean you will be able to get system access and data – criminals will sometimes ask for further payments if they think they are in a position of strength. Whatever you decide, you should take legal advice before proceeding.

What’s the best-case scenario in the event of an attack?

If you have a well-planned and clear recovery plan, you will be decently placed to deal with a ransomware attack. A vital part of that is having reliable and recoverable back-ups as it’s entirely likely that you will need to revert to them if you don’t want to pay the ransom.

After recovering, you should review all your security practices and posture from scratch, strengthen as required, and provide additional training to employees. Clear communication with customers, suppliers and other affected parties will also be important if you want to retain trust and minimise any damage to your reputation. Being seen to have acted swiftly and decisively will stand you in good stead.

The expert view

Scott Rogers, Director – Security, TD SYNNEX

Scott Rogers, director – security, TD SYNNEX, says that ransomware is a threat that organisations of all sizes need to take seriously. ‘Cybercrime is a huge and highly organised industry and while it’s always big news when a well-known company or public service organisation suffers an attack, there are many more small and medium-sized businesses being hit by the criminals all the time.

‘The good news is that if you do take the right steps, you can minimise the risk of becoming one of those victims. There are some simple things you can do yourself – making sure you have anti-malware software and making staff aware of the dangers, but we’d also advise most businesses to enlist the support of an external third-party with expertise in cybersecurity. You might simply want them to review your security posture and implement appropriate solutions. Or you may wish to go further and outsource the entire monitoring and management of digital security to a specialist managed services provider. Either way, getting expert help is always a good idea.

‘The other piece of advice we always give is that you should never allow yourself to become too relaxed about security. A set-and-forget approach does not work – you need to be vigilant, make sure that your protection and licences are always up to date, and review your position on a regular basis.’

A threat that must be taken seriously

Ransomware is a big threat and it’s not going away. Taking appropriate prevention measures, educating employees, making sure you have good, up-to-date security solutions, regularly reviewing your position, and having an action plan to deal with an attack will give you a high degree of resilience and minimise the risk of your business being infiltrated and seriously impacted.

Visit Trusted Advisor to discover how TD SYNNEX’s cybersecurity services can support you and your customers