A person recoils in shock as their computer screen explodes in a burst of orange and white light, symbolizing the devastating impact of a ransomware attack.


    Ransomware Attacks: Prevention, Response, and Recovery

    Ransomware is a form of malicious software that encrypts files on a device or across a network and withholds access until a ransom is paid. These attacks are on the rise, with reported activity trending upward in each of the last three quarters of 2024 and a 100% leap in Q3(1). 

    Individuals or entire companies can be the target of extortion by ransomware, and no entity is too big to fall victim. The medical sector, which faces some of the harshest penalties for patient confidentiality violations, saw two major ransomware attacks last year in the U.S. alone(2).  

    Ransomware attacks can ruin a company financially. In 2021, CNA Financial paid $40 million to the Russian hacking group Phoenix, a record-setting ransom until 2024, when an unnamed Fortune 50 company paid $75 million(3). However, the real cost comes in the data recovery process and the reputational damage that follows. 

    Because of this, it’s imperative that both individuals and businesses invest in preventative action against ransomware attacks before they present themselves. Read on to learn how ransomware is waged and ways you can protect yourself from becoming a victim. 

    How Ransomware Works 

    Through a variety of methods, malicious software is installed on a device and gives an unauthorized party a foothold on the system. From there the attacker encrypts the data (and, increasingly, copies it out first) and then reaches out with a list of demands for restoring access. There are a plethora of ways a cybercriminal can execute a ransomware attack, so we will go more in depth below. 

    The Infection Process 

    Like any malware attack, ransomware can be distributed in many ways. Some of the more popular methods used by ransomware attackers include: 

    • Phishing: A common favorite among cybercriminals of all kinds, phishing attacks disguise themselves by imitating a trusted entity. They may send emails with infected attachments or links that, once opened, give the attacker a foothold on the target’s system. 
    • Remote Desktop and Domain Controllers: With remote work becoming more commonplace, many employees access company systems through Remote Desktop Protocol (RDP) connections. If cybercriminals obtain employee credentials (by phishing, credential stuffing, or simply guessing weak passwords on an internet-exposed RDP service), they can log in interactively, move on to domain controllers, and push the ransomware to every machine in the domain. 
    • Drive-By Attacks: Instead of actively attacking a company’s system, bad actors may set up a malicious website or compromise a legitimate one and inject malicious code into its pages. Visitors of the site are then unknowingly exposed, and their devices are infected. 
    • Vulnerability Exploits: Instead of looking for a workaround, cybercriminals may opt to directly attack vulnerabilities in an organization’s network. One of the most well-known exploits is EternalBlue, which targets a flaw in the Server Message Block (SMBv1) service of unpatched Windows systems (patched by Microsoft in MS17-010) and allows an attacker to execute code on the machine remotely, with no credentials, and then spread to other vulnerable hosts. 

    Regardless of their infection method, cybercriminals will use ransomware to encrypt files and lock access before issuing their extortive demands. 

    Ransom Demands 

    Ransomware attackers are usually looking to turn a profit rather than make direct use of the data they’ve frozen. There are a variety of ways they can get their message across, but the most common are to change the desktop wallpaper of infected devices to a ransom note and to drop a note file in every folder that was encrypted. Payment is often requested in cryptocurrency because those transactions are hard to trace. 

    The average asking price for a ransomware attack eclipsed $5.2 million in 2024(4). Additionally, nearly two-thirds of all ransom demands were for $1 million or more(5). If these prices weren’t high enough to deter paying ransom demands, consider the fact that only 54% of victims who met these demands actually recovered their data(6). 

    Types of Ransomware 

    There are many different variants of ransomware that vary in their intended outcome and method of attack. These categorizations are continuing to grow as Ransomware as a Service (RaaS) becomes a criminal industry. LockBit, one of the largest ransomware families, is a RaaS operation whose affiliates break in through whatever door is open (phishing, stolen RDP or VPN credentials, unpatched services), while a self-spreading worm like WannaCry relied on a single OS vulnerability, the SMBv1 flaw exploited by EternalBlue, to move from machine to machine without any human help. Knowing what variant of ransomware you’re dealing with is important when responding to an attack, because it determines how it spreads, whether data was also stolen, and whether a free decryptor exists. 

    Some of the most common forms of ransomware include: 

    • Encrypting Ransomware: This type of ransomware locks the victim’s data by encrypting it. The victim needs a decryption key to regain access, which the cybercriminal holds and offers to supply if the ransom is paid. 
    • Locker Ransomware: Instead of encrypting individual files, locker ransomware disables the entire device and essentially “locks” all operations. The only thing the device will do is show instructions for how to pay the ransom. 
    • Scareware: This is an appropriately named scam that is often grouped with ransomware. It informs the victim that their device has been infected and provides instructions to pay for its repair. However, the device has not been infected, and the victim pays for a fake service. 
    • Doxware: This combines elements of blackmail, doxxing, and ransomware. The victim’s sensitive data is stolen (and usually encrypted as well), and the attacker threatens to publish it if the ransom demand is not paid. Restoring from backups does not end this kind of extortion, since the attacker still holds the copies. 

    Who Is Targeted by Ransomware? 

    To put it shortly, everyone. Whether it’s one person’s personal computer or the entire network of a government agency, nobody is fully safe from the threat of a ransomware attack.  

    Individuals 

    While many think of ransomware attacks targeting companies or organizations, individual internet users may also fall victim. Personal devices can be infected by clicking malicious links or visiting compromised websites. This can lead to an individual’s sensitive data being stolen, resulting in potential cyber extortion, reputational damage, and even identity theft. 

    Infographic titled "Top Ransomware Targets by Industry" listing Healthcare, Government, Manufacturing, Financial Services, Education, and Energy & Utilities, with brief explanations of why each is a prime target.

    Small and Medium-Sized Businesses 

    The data shows that roughly 82% of ransomware attacks target small to midsized businesses. Of the companies in that group, about six in ten will fold within half a year of the attack(7). 

    These businesses are often targeted due to their weaker cybersecurity systems and lack of preparation for such an attack. Roughly 30% of SMBs have no plan to handle a ransomware attack, and an additional 35% of the ones with a response plan haven’t tested it in over a year. This culminates in roughly three-fourths of ill-prepared businesses going under within a week(8). 

    Large Organizations and Governments 

    Critical infrastructure and major organizations are commonly targeted due to the potential to demand a high payout. Companies with an annual revenue of $500 million to $1 billion received an average ransom demand of over $5 million, and companies above $5 billion in annual revenue were asked for almost $7.5 million per ransomware attack(5). 

    Attackers also count on these organizations’ desperation to resume operations as quickly as possible and to avoid regulatory action for failure to protect sensitive data. Take the medical sector, for example. Hefty legal penalties can be handed out for violating HIPAA, and failure to regain control of data and return to regular function has been associated with a 41-54% increase in in-hospital mortality rate(9). 

    Signs You May Be Experiencing a Ransomware Attack 

    Be aware of the following characteristics as they may indicate that your device or network has been compromised by ransomware. 

    • Locked Files or Systems: Sudden inability to access files, folders, or entire systems within your network is often a sign they’ve been locked or encrypted. Files that have been renamed with an unfamiliar extension, or that suddenly fail to open in the application that created them, are the classic early sign. 
    • Ransom Note or Pop-up Message: The perpetrator will have to communicate with you in order to lay out their list of demands. If you receive a ransom message, or find note files with names like “README” or “HOW TO DECRYPT” appearing in your folders, it’s a clear indication of a ransomware attack. 
    • Unusual Network or System Behavior: The malicious program is likely running continually in the background, reading and rewriting large numbers of files and communicating with its command-and-control servers. This can lead to slowed performance, heavy disk activity, system crashes, and abnormal patterns of network activity. 
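The first two signs above can be checked automatically. The script below is an added example written for this post (it is not DFC tooling and not code from the original article): it walks a directory and flags three host-side indicators, a ransom note dropped beside the data, a large share of files renamed to one extension the organization never uses, and file contents that have become high-entropy, which is what encrypted data looks like. The sample file tree, the list of "known" extensions, the note-name and note-body patterns, and the thresholds are all constructed assumptions for illustration; a real deployment tunes them to its own estate. It also shows the false positive a naive note check produces (a benign README.txt) and how checking the body text avoids it.

```python
"""Heuristic host-side ransomware indicators (added example, not DFC tooling).

Walks a directory and looks for three signs discussed in the post:
  1. a ransom note dropped beside the data,
  2. many files renamed to one extension the organisation never uses,
  3. file contents that have become high-entropy (i.e. encrypted).
The sample directory, extensions and thresholds are constructed
assumptions for illustration; real deployments tune them per estate.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions the estate legitimately uses. Anything else counts as "unknown".
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".zip"}
# Already-compressed formats are high-entropy by nature; skip them to avoid false positives.
COMPRESSED_EXTS = {".jpg", ".png", ".zip", ".gz", ".mp4"}
NOTE_NAME = re.compile(r"readme|decrypt|restore|recover|how.?to", re.I)
NOTE_BODY = re.compile(r"bitcoin|\.onion|tor browser|decrypt(ion)? key", re.I)
ENTROPY_THRESHOLD = 7.2   # bits per byte; text and office documents sit well below this
RENAME_SHARE = 0.5        # flag when >= 50 % of files share one unknown extension
MIN_HIGH_ENTROPY = 2      # and at least this many of them look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniformly random (what ciphertext looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Name alone is not enough (README.txt is common); the body must talk about payment."""
    if not NOTE_NAME.search(path.stem):
        return False
    try:
        body = path.read_text(errors="ignore")
    except OSError:
        return False
    return bool(NOTE_BODY.search(body))


def scan_directory(root) -> dict:
    """Return indicator counts and a verdict for every regular file under root."""
    notes, high_entropy, unknown_ext, total = [], [], Counter(), 0
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if looks_like_ransom_note(p):
            notes.append(p.name)
            continue  # the note itself is plaintext; keep it out of the other counts
        total += 1
        ext = p.suffix.lower()
        if ext not in KNOWN_EXTS:
            unknown_ext[ext] += 1
        if ext in COMPRESSED_EXTS:
            continue
        head = p.read_bytes()[:4096]  # the first 4 KiB is enough to judge entropy
        if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
            high_entropy.append(p.name)
    top_ext, top_count = unknown_ext.most_common(1)[0] if unknown_ext else ("", 0)
    share = top_count / total if total else 0.0
    suspicious = bool(notes) or (share >= RENAME_SHARE and len(high_entropy) >= MIN_HIGH_ENTROPY)
    return {"ransom_notes": notes, "renamed_ext": top_ext, "renamed_share": round(share, 2),
            "high_entropy": sorted(high_entropy), "suspicious": suspicious}


def build_sample(root, infected: bool) -> None:
    """Constructed sample tree: a small file share before and after an encryption run."""
    root = Path(root)
    files = {
        "Q3_report.docx": b"Quarterly revenue summary: north 1200, south 980, west 1410.\n" * 40,
        "customers.csv": b"id,name,email\n" * 200,
        "notes.txt": b"Meeting notes: renew the backup contract in May.\n" * 30,
    }
    if infected:  # ransomware overwrote the data with ciphertext and appended ".lockd"
        files = {f"{name}.lockd": os.urandom(2048) for name in files}
        files["README_TO_RESTORE.txt"] = (b"Your files are encrypted. Buy the decryption key "
                                          b"with Bitcoin through our .onion portal.\n")
    files["photo.jpg"] = os.urandom(3000)                 # untouched image: noisy but legitimate
    files["README.txt"] = b"Project README: run make to build.\n"  # benign name collision
    for name, body in files.items():
        (root / name).write_bytes(body)


def demo(infected: bool) -> dict:
    """Build a throw-away sample tree, scan it and return the verdict."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, infected)
        return scan_directory(d)


if __name__ == "__main__":
    for state in (False, True):
        print("infected" if state else "clean", "->", demo(state))
```

Run against a real file share, the same three counters make a cheap canary: a scheduled scan of a few decoy folders that alerts the moment the renamed-share or high-entropy count jumps gives you the early warning the post describes, before every machine on the network has been hit.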

    What to Do If You’re Hit by Ransomware 

    Now that you know what ransomware is, how it’s distributed, and its tell-tale signs, you’re probably wondering how to react in the event of an attack. Swift action is required to secure your network and maintain operations, but making the wrong choice could be more devastating than taking no action at all. Don’t panic and make well-informed decisions with the guidance of the suggestions below. 

    Do Not Pay the Ransom 

    As we’ve already outlined, paying the ransom is far from a guarantee that your data will be recovered. It also signals to the cybercriminal that you are willing to comply, which can make you a mark for future extortion, and it may expose you to legal penalties if the payment violates sanctions administered by the Office of Foreign Assets Control (OFAC)(10). 

    Disconnect from the Network 

    Ransomware is capable of spreading laterally across an entire network of devices. Once you’ve identified that a device has been infected, you should immediately isolate it (unplug the network cable, disable Wi-Fi, or quarantine it at the switch or firewall) to prevent ransomware from impacting your entire operation. Isolate rather than power off where you can: the machine’s memory and running processes are evidence that investigators can use to identify the variant and, in some cases, recover encryption keys. 

    Contact a Cybersecurity Expert 

    Cybersecurity professionals, such as the team at DFC, can investigate and document a ransomware attack. This includes containing the infection, identifying the origin and infiltration point, recovering lost data, and ongoing monitoring to prevent similar extortion attempts in the future. 

    Report the Incident 

    You should report any instance of cybercrime to the appropriate law enforcement agencies. Begin with a local police report and work up to the FBI’s IC3 if the situation requires. It’s worth noting that OFAC treats prompt reporting to and cooperation with law enforcement as a significant mitigating factor, even where a company has violated sanctions by paying the ransom(10). 

    How to Protect Yourself from Ransomware 

    Whether you’ve experienced and successfully resolved a ransomware attack or are looking to continue avoiding the threat, you should take preventive action to protect your network. The following actions can help you position yourself to avoid the pitfalls of ransomware: 

    • Regular Backups: 68% of organizations that successfully recovered their data after a ransomware attack utilized backups(5). Additionally, recovery costs grow up to eight times higher when backups are compromised versus when they remain intact(11). This indicates the importance of having regularly tested backups, with at least one copy kept offline or otherwise unreachable from the production network, since attackers now routinely look for and encrypt backups before deploying the ransomware. 
    • Strong Cybersecurity Practices: Install reputable antivirus and anti-malware programs and perform routine scans to gauge the health of your system. Additionally, you should update programs and systems promptly upon release to patch vulnerabilities such as the SMBv1 flaw (MS17-010) exploited by EternalBlue, and disable legacy services like SMBv1 where they are not needed. 
    • Educate Your Team or Household: The security systems of households, organizations, and entire governments can be compromised by a single click from one individual. Educate your network users on what ransomware is, how it works, and ways it’s commonly distributed, and encourage caution when opening attachments. 
    • Multi-Factor Authentication and Network Monitoring: To avoid bad actors infiltrating your domain controllers with stolen employee credentials, secure all accounts in your system with multi-factor authentication, and never expose RDP directly to the internet; put it behind a VPN or gateway that also requires MFA. Furthermore, you should monitor your network for unusual activity that may indicate an intrusion attempt, such as a burst of failed remote logons followed by a success. 
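The RDP entry vector described under The Infection Process and the monitoring advice in the last bullet meet in one detection. The script below is an added example written for this post (not DFC tooling and not code from the original article). It reads Windows Security events as a SIEM might export them and raises an alert when a single source address accumulates several failed RDP logons and then succeeds, or when an RDP logon succeeds from outside the organization's own address space. Event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the events, host names, IP addresses, address ranges and thresholds are constructed for illustration.

```python
"""Detect brute-forced or out-of-place RDP logons in Windows Security events.

Added example, not DFC code. EventID 4625/4624 and LogonType 10 are real
Windows Security log values; everything else below is constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failures from one source before a success is alarming
WINDOW = timedelta(minutes=10)   # failures must cluster inside this window
RDP_LOGON_TYPE = 10              # RemoteInteractive = RDP session
# Assumption: the organisation's own address space; RDP from anywhere else is notable.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample export (JSON lines); not real log data.
SAMPLE_EVENTS = """
{"time":"2024-11-04T02:14:05","EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"185.220.101.7","Computer":"DC01"}
{"time":"2024-11-04T02:14:09","EventID":4625,"LogonType":10,"TargetUserName":"administrator","IpAddress":"185.220.101.7","Computer":"DC01"}
{"time":"2024-11-04T02:14:13","EventID":4625,"LogonType":10,"TargetUserName":"admin","IpAddress":"185.220.101.7","Computer":"DC01"}
{"time":"2024-11-04T02:14:18","EventID":4625,"LogonType":10,"TargetUserName":"backup","IpAddress":"185.220.101.7","Computer":"DC01"}
{"time":"2024-11-04T02:14:22","EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"185.220.101.7","Computer":"DC01"}
{"time":"2024-11-04T02:14:27","EventID":4625,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"185.220.101.7","Computer":"DC01"}
{"time":"2024-11-04T02:14:31","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"185.220.101.7","Computer":"DC01"}
{"time":"2024-11-04T08:03:11","EventID":4625,"LogonType":10,"TargetUserName":"mchen","IpAddress":"10.0.8.3","Computer":"WS-17"}
{"time":"2024-11-04T08:03:20","EventID":4624,"LogonType":10,"TargetUserName":"mchen","IpAddress":"10.0.8.3","Computer":"WS-17"}
{"time":"2024-11-04T09:15:40","EventID":4624,"LogonType":10,"TargetUserName":"contractor","IpAddress":"203.0.113.44","Computer":"FS01"}
{"time":"2024-11-04T09:20:00","EventID":4624,"LogonType":3,"TargetUserName":"svc_backup","IpAddress":"10.0.2.9","Computer":"FS01"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_rdp_intrusions(events: list) -> list:
    """Walk events in time order, remembering failures per source address."""
    failures = defaultdict(list)   # source IP -> timestamps of 4625 events
    alerts = []
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue               # network/service logons are out of scope here
        ip = e["IpAddress"]
        if e["EventID"] == 4625:
            failures[ip].append(e["time"])
        elif e["EventID"] == 4624:
            recent = [t for t in failures[ip] if e["time"] - t <= WINDOW]
            base = {"ip": ip, "user": e["TargetUserName"], "host": e["Computer"],
                    "time": e["time"].isoformat()}
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"kind": "brute_force_then_success", "failures": len(recent), **base})
            elif not is_internal(ip):
                alerts.append({"kind": "external_rdp_logon", "failures": len(recent), **base})
            # an internal user mistyping a password once or twice is not an alert
    return alerts


def demo() -> list:
    return detect_rdp_intrusions(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Two alerts come out of the sample: the guessed password on DC01 (six failures, then a success, from an address that is not yours) and the contractor's successful RDP logon from an external address with no failures at all, which is exactly the kind of valid-credential access the bullet above warns about. The internal user who mistyped once is ignored. The same logic expressed as a SIEM correlation rule is a reasonable first detection for the RDP vector; requiring MFA on the gateway is what removes it.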

    Don’t Wait Until It Happens to You 

    Ransomware is a serious and growing threat, but it can be prevented with proactive measures. Anyone who relies on digital devices to house their data needs a system in place to protect against ransomware as well as a response plan for successful infiltration. 

    As we’ve outlined, nobody is without risk of falling to ransomware attacks, regardless of their size, status, or sovereignty. That said, the team at DFC has your back if your data is taken hostage. Contact us today and let us help recover your files and restore your peace of mind.  

    Sources: 

    1. Gen Blogs | Gen Q4/2024 Threat Report 
    2. Top 10 Biggest Cyber Attacks of 2024 & 25 Other Attacks to Know About! 
    3. Largest Ransom Ever Paid: Fortune 50 Co pays Unprecedented $75 Million 
    4. Ransomware Attack Demands Reach a Staggering $5.2m in 2024 – Infosecurity Magazine 
    5. sophos-state-of-ransomware-2024-wp.pdf 
    6. Cyberthreat Defense Report 2025 – CyberEdge Group 
    7. Articles 
    8. Microsoft Word – CyberCatch SMB Ransomware Survey (SMBRS) April 12 2022.docx 
    9. 4579292.pdf 
    10. ofac_ransomware_advisory.pdf 
    11. sophos-the-impact-of-compromised-backups-on-ransomware-outcomes-wp.pdf 

                        DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAWFIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.