THREAT DOSSIER // RANSOMWARE

Recovery over ransom.

Ransomware is not just a virus. It is a business disruption event. It can stop operations, block access to customer records, delay payments, damage trust, and force decisions while criminals apply pressure.

The aim is not to live in fear of it. The aim is to make sure that if it happens, your business can respond calmly, recover properly, and avoid being forced into a corner.

313SEC Intel | Active threat | UK business guide | 25 April 2026 | 10 min read

You click a link. Nothing obvious happens. A few minutes later, files stop opening. Shared folders disappear. Staff start asking why documents have strange names. Then the message appears: your files have been encrypted. Pay in cryptocurrency or lose access. That is the moment most businesses first take ransomware seriously. The problem is that by then, the attacker may already have been inside for days or weeks.

What ransomware actually is

Ransomware is malicious software that blocks access to your systems or encrypts your files so you cannot use them. Older ransomware was usually simple: encrypt the files, show a ransom note, demand payment.

Modern ransomware is often worse. Attackers may steal data before encryption, threaten to publish sensitive files, delete backups, disable security tools, target administrator accounts, and move across the network before the business even sees the ransom note.

This is why ransomware should not be treated as a simple IT issue. It is a security incident, an operational incident, and often a data protection issue at the same time.

How ransomware gets in

Ransomware usually starts with one small failure. Not always a dramatic one. Not always a technical one. Often it is just a normal working day, a normal inbox, and one convincing message.

ENTRY VECTOR

Phishing emails

The message looks like an invoice, password reset, shared document, delivery issue, or urgent request. The goal is to get someone to open a file, click a link, approve a login, or hand over credentials.

Control: email filtering, attachment scanning, staff reporting, MFA, and a process for checking urgent requests.

ENTRY VECTOR

Malicious attachments

ZIP files, fake PDFs, scripts, and macro-enabled documents can be used to start the chain. Password-protected archives can be used to bypass basic scanning.

ENTRY VECTOR

Fake login pages

The attacker may not need malware at first. A stolen Microsoft 365 or Google password can be enough to open the next door.

ENTRY VECTOR

Exposed remote access

Remote Desktop (RDP), VPN portals, and remote admin tools exposed directly to the internet are attractive targets, especially when they lack MFA and nobody is watching the login logs.

ENTRY VECTOR

Known vulnerabilities

If the fix exists but has not been applied, attackers will not wait politely. Internet-facing systems should be patched first.

What happens after it activates

Once ransomware starts, things can move quickly. The visible encryption is only one part of the incident.

Discovery

The attacker or malware looks for useful files, mapped drives, cloud sync folders, databases, servers, and backup locations.

Data theft

In many modern attacks, data is stolen first. That gives the attacker leverage even if the business can restore systems.

Backup targeting

Attackers know backups are the escape route. If backups use the same credentials or sit on the same network, they may not survive.

Encryption

Files are encrypted across laptops, file servers, shared drives, databases, virtual machines, and cloud-synced locations.

Pressure

The ransom note applies pressure: pay quickly, pay more later, or face data leakage and public exposure.

Should you pay?

The simple answer is that payment should not be treated as the plan. It does not guarantee a clean recovery and it does not remove the need to investigate, rebuild, reset access, and understand whether data was stolen.

Even if a key is provided, it may not work properly. Decryption may be slow. Some files may remain corrupted. The attacker may still leak stolen data. Payment can also raise legal, sanctions, insurance, and regulatory questions.

The stronger position is this: do the work now so payment is not your only option later.

How to protect the business

There is no single magic product that solves ransomware. Good protection is layered. Each layer either reduces the chance of an attack succeeding or limits the damage if it does.

LAYER 01

Backups

Use regular, automatic, encrypted, isolated, and tested backups. Isolated means the backup copy cannot be reached with the same credentials or from the same network as the systems it protects. A backup that has never been restored is more like a hope than a plan.
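A restore test only proves something if the restored data is compared with what was backed up. The script below is an added example for this guide, not 313SEC code or any backup product's own verification: it records a SHA-256 manifest at backup time, restores into a separate folder, and reports anything missing, corrupt, or unexpected. The "live", "backup", and "restored" folders and their files are constructed in a temporary directory so it runs offline.

```python
"""Restore drill: prove a backup restores correctly by comparing file
hashes against a manifest taken at backup time. Added example for this
guide, not 313SEC or any backup vendor's code. The 'live', 'backup' and
'restored' folders and their files are constructed in a temporary
directory so the drill runs offline."""

import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX style) to its SHA-256."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest recorded at backup time.

    A restore passes only if nothing is missing, nothing is corrupt and
    nothing unexpected has appeared (an extra file may be an attacker's)."""
    actual = manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupt": sorted(k for k in expected.keys() & actual.keys()
                          if expected[k] != actual[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def restore_drill() -> dict:
    """Run one clean restore and one damaged restore; return both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (Path(tmp, n) for n in ("live", "backup", "restored"))
        # Constructed business data standing in for real shares.
        for rel, body in {
            "finance/ledger.csv": b"date,amount\n2026-04-01,1200.00\n",
            "hr/contracts.docx": b"PK\x03\x04 placeholder docx bytes",
            "ops/runbook.md": b"# Ransomware runbook\n1. Disconnect affected systems.\n",
        }.items():
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)

        # Backup time: copy the data AND record the manifest. Keep the manifest
        # with an offline/immutable copy, not on the same share as the data.
        shutil.copytree(live, backup)
        expected = manifest(live)

        # Drill 1: restore from the backup copy into a fresh location and verify.
        shutil.copytree(backup, restored)
        clean = verify_restore(expected, restored)

        # Drill 2: simulate a bad restore (truncated file, missing file, stray
        # extra file) to show the check catches each failure mode.
        (restored / "finance/ledger.csv").write_bytes(b"")
        (restored / "hr/contracts.docx").unlink()
        (restored / "ops/note.txt").write_bytes(b"unexpected")
        damaged = verify_restore(expected, restored)

        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for name, verdict in restore_drill().items():
        ok = not any(verdict.values())
        print(f"{name}: {'PASS' if ok else 'FAIL'} {verdict}")
```

The manifest has to live somewhere the attacker cannot rewrite, because anyone who can encrypt the backup share can also replace a manifest sitting next to it. Run the drill against the isolated copy, on a schedule, and treat any non-empty "missing" or "corrupt" list as a failed backup rather than a successful job.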

LAYER 02

MFA and identity

Protect email, cloud storage, admin accounts, VPN, finance systems, HR systems, password managers, and backup platforms.

LAYER 03

Patching

Prioritise operating systems, browsers, firewalls, VPNs, servers, backup platforms, remote access tools, and anything exposed to the internet.

LAYER 04

Email protection

Combine SPF, DKIM, DMARC (enforced with p=quarantine or p=reject, not left at p=none monitoring), malware scanning, link protection, impersonation protection, and a clear phishing reporting route.
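The most common gap is a DMARC record that exists but enforces nothing. The checker below is an added example for this guide, not 313SEC tooling: it reads SPF and DMARC TXT records and reports the settings that let spoofed mail through. The records are constructed strings for made-up example.com-style domains rather than live DNS lookups, so it runs offline; paste in your own records to use it.

```python
"""Check SPF and DMARC records for the gaps that let spoofed mail through.
Added example for this guide, not 313SEC tooling. The records below are
constructed strings for made-up domains rather than live DNS lookups, so
the script runs offline; swap in your own TXT records."""

import re

# Mechanisms/modifiers that each cost one of SPF's ten permitted DNS lookups.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(txt: str) -> list:
    """Return findings for an SPF TXT record; an empty list means no issues found."""
    if not txt:
        return ["No SPF record: receivers cannot reject mail from unauthorised servers"]
    terms = txt.split()
    if terms[0].lower() != "v=spf1":
        return ["Record does not begin with v=spf1 and will be ignored"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every sender on the internet; SPF gives no protection")
    elif last == "?all":
        findings.append("'?all' is neutral: spoofed mail neither passes nor fails")
    elif last == "~all":
        findings.append("'~all' softfail: rely on DMARC enforcement, or move to '-all' once senders are listed")
    elif last != "-all":
        findings.append("No terminal 'all' mechanism: unlisted senders are treated as neutral")
    lookups = sum(
        1 for t in terms[1:]
        if re.split(r"[:=/]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a lower-cased tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> list:
    """Return findings for a DMARC TXT record; an empty list means enforced and reporting."""
    if not txt:
        return ["No DMARC record: receivers apply no policy when SPF/DKIM fail"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["Record does not begin with v=DMARC1 and will be ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("Missing or invalid 'p' tag; the record is not valid")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk; move to p=reject once reports are clean")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("No 'rua' address: no aggregate reports, so you cannot see who is spoofing you")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected while the main domain is enforced")
    return findings


# Constructed records: a weak pair and a corrected pair for the same made-up domain.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", assess_spf(spf) or ["ok"])
        print(label, "DMARC:", assess_dmarc(dmarc) or ["ok"])
```

Moving straight to p=reject on a domain that has never reported can break legitimate mail from systems nobody remembered (invoicing, alerts, marketing platforms), so the usual path is p=none with rua reporting, then quarantine, then reject once the reports are clean.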

LAYER 05

Endpoint monitoring

Look for mass file changes, suspicious encryption, credential dumping, attacker tooling, attempts to disable security tools, and lateral movement.
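Encryption in progress has a recognisable shape in file-audit data: one process renames many files, of several different types, to one new extension in a short window, something neither a user nor a build job does. The detector below is an added example for this guide, not 313SEC or EDR-vendor code. It assumes an export with six fields (timestamp, host, process, action, old path, new path); the events, hosts, paths, and the process name "update_helper.exe" are constructed and are not known indicators, and the thresholds are illustrative.

```python
"""Spot encryption in progress from file-audit events: one process renaming
many files of several types to a single new extension within a short
window. Added example for this guide, not 313SEC or EDR-vendor code. The
events, hosts, process names and paths below are constructed to resemble
a file-audit/EDR export; 'update_helper.exe' is a made-up name, not a
known indicator. Thresholds are illustrative and need tuning per estate."""

from collections import Counter, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

BASE = datetime(2026, 4, 25, 9, 0, 0)


def stamp(seconds: int) -> str:
    """ISO-8601 timestamp 'seconds' after BASE, for the constructed events."""
    return (BASE + timedelta(seconds=seconds)).isoformat()


# Constructed events: (timestamp, host, process, action, old_path, new_path)
EVENTS = [
    # Normal tidying: renames that keep the file type.
    (stamp(70), "LT-07", "explorer.exe", "rename",
     r"C:\Users\j.smith\Documents\draft.docx", r"C:\Users\j.smith\Documents\final.docx"),
    (stamp(85), "LT-07", "explorer.exe", "rename",
     r"C:\Users\j.smith\Documents\old.xlsx", r"C:\Users\j.smith\Documents\q1.xlsx"),
    # One deliberate type change: well under any sensible threshold.
    (stamp(90), "LT-07", "explorer.exe", "rename",
     r"C:\Users\j.smith\Documents\notes.txt", r"C:\Users\j.smith\Documents\notes.md"),
]
# A build job: high volume, but writes rather than renames.
EVENTS += [(stamp(300 + i), "BUILD-01", "msbuild.exe", "write", "",
            rf"C:\build\out\mod{i}.dll") for i in range(40)]
# Encryption burst: 30 files of three types renamed to '.locked' in 30 seconds.
EVENTS += [(stamp(600 + i), "FS-01", "update_helper.exe", "rename",
            rf"\\fs-01\finance\doc{i}.{ext}", rf"\\fs-01\finance\doc{i}.{ext}.locked")
           for i, ext in zip(range(30), ["docx", "xlsx", "pdf"] * 10)]


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=20,
                       same_ext_share=0.8, min_types=3):
    """Return one alert per (host, process) whose type-changing renames within
    'window' reach 'threshold', mostly to one new extension, across at least
    'min_types' original file types. Writes and same-extension renames are
    ignored, which is what keeps build jobs and ordinary tidying quiet."""
    recent = {}      # (host, process) -> deque of (ts, old_ext, new_ext)
    alerted = set()
    alerts = []
    for ts_s, host, proc, action, old, new in sorted(events, key=lambda e: e[0]):
        if action != "rename":
            continue
        old_ext = PureWindowsPath(old).suffix.lower()
        new_ext = PureWindowsPath(new).suffix.lower()
        if old_ext == new_ext:
            continue
        ts = datetime.fromisoformat(ts_s)
        key = (host, proc)
        dq = recent.setdefault(key, deque())
        dq.append((ts, old_ext, new_ext))
        while ts - dq[0][0] > window:          # drop events older than the window
            dq.popleft()
        if key in alerted or len(dq) < threshold:
            continue
        dominant, n = Counter(e[2] for e in dq).most_common(1)[0]
        types_touched = {e[1] for e in dq}
        if n / len(dq) >= same_ext_share and len(types_touched) >= min_types:
            alerted.add(key)
            alerts.append({
                "host": host, "process": proc, "new_extension": dominant,
                "files_in_window": len(dq), "first_seen": dq[0][0].isoformat(),
                "triggered_at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(EVENTS):
        print("ALERT possible encryption in progress:", a)
```

In the constructed data the alert fires on the twentieth renamed file, about twenty seconds into the burst, which is the point: detection has to be fast enough to isolate the host while most of the share is still intact. Some families overwrite files in place rather than renaming them, so this rule belongs alongside checks for unusual write volume, security-tool tampering, and credential dumping rather than on its own.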

LAYER 06

Admin control

Keep admin access limited, separate from daily accounts, protected with MFA, logged, reviewed, and removed when no longer needed.

LAYER 07

Network separation

Separate staff devices, servers, guest Wi-Fi, printers, IoT, backup systems, payment systems, and sensitive departments where practical.

LAYER 08

Response plan

Decide who acts, who calls whom, how you communicate if email is down, and which systems must be restored first.

What to do in the first 15 minutes

If ransomware is active, the first few decisions matter. The goal is to contain the damage, preserve evidence, and avoid making recovery harder.

Containment comes first: disconnect affected systems from the network (pull the cable or disable Wi-Fi rather than powering off, so logs and memory evidence survive), then preserve evidence, then decide what to restore and in what order. That is the order of thinking; it is not a replacement for incident response support.

Ransomware readiness check

This quick check helps highlight whether your business has enough recovery confidence. It is deliberately simple. The answers should be known, tested, and documented.

Count only the controls you can honestly prove, not the ones you assume are in place. If none can be proven, start with backups, MFA, and exposed systems.

Ransomware myths


Myth: Only large companies get targeted
Reality: False

Large companies make the news, but smaller organisations are often easier to attack and less prepared. Many attacks are opportunistic.

Myth: Cloud storage means we are safe
Reality: Not enough

Cloud files can still be encrypted, deleted, or accessed through a compromised account. Versioning, retention, MFA, logging, and backup planning matter.

Myth: Antivirus is enough
Reality: One layer

Endpoint protection helps, but it does not replace patching, backups, MFA, monitoring, email controls, and a response plan.

Myth: If we pay, we are back to normal
Reality: No guarantee

Payment does not prove data was not stolen, remove the attacker, fix the route in, satisfy legal duties, or guarantee every file returns cleanly.

The practical bottom line

Ransomware is not just about encrypted files. It is about whether your business can keep operating when something goes wrong.

The strongest defence is not one tool. It is a combination of secure backups, strong MFA, patch management, email protection, endpoint monitoring, restricted admin access, secure remote access, network separation, staff reporting, and a tested recovery plan.

Start with seven questions:

1. Can we restore critical data?
2. Are backups protected?
3. Do important accounts have MFA?
4. Are exposed systems patched?
5. Can staff report suspicious emails?
6. Would we know if ransomware activity started?
7. Do we know who to call?

If the answer to any of those is unclear, that is the place to begin.

Want to know where you stand?

313SEC can review your external exposure, backup assumptions, Microsoft 365 security posture, email protection, endpoint visibility, and recovery readiness. The point is not fear. The point is knowing what would actually happen if ransomware hit tomorrow.

Request a ransomware readiness review