Ransomware is one of the more common and dangerous forms of cybercrime, but what is ransomware exactly? In this article we’ll explain how it works, what you can do to prevent becoming the victim of a ransomware attack — and how to recover if you ever are.

What is ransomware?

Ransomware is a type of malware that infiltrates your device and encrypts your files, folders, or even the entire drive, so you can no longer access them. The only way to decrypt your data is to pay a ransom (usually in the form of cryptocurrency) to the attackers. Ransomware, by definition, is extortion: If you don’t pay, your files are locked away forever or even destroyed. Additionally, there’s no guarantee you’ll get your files or data back, even if you pay.

To give you an idea of how common — and serious — the problem of ransomware is, Cybercrime Magazine reported that in 2025, ransomware attacks will cost the public an estimated $57 billion. By 2031, ransomware is predicted to cost businesses nearly $275 billion annually, with possible attacks occurring every two seconds. Cybercriminals are increasingly targeting high-value sectors, ravaging businesses’ sensitive data networks and stealing intellectual property, financial data, and more.

Well-known ransomware attack examples include WannaCry and attacks by the cybercriminal group LockBit, which have caused significant damage to businesses, disrupting IT communications, global supply chains, critical infrastructure, and vital financial systems worldwide.

How does ransomware work?

Ransomware is malicious software that infects your computer or your business’ computer servers — often as a Trojan horse virus (usually just called a Trojan). Trojans are so named because they’re disguised as something else — a handy program, a useful PDF, or an important spreadsheet — and reveal their true nature only once they are on your hard drive.

These viruses are often spread in the form of a phishing attack, a smishing text message, a quishing attack, or through a compromised email attachment or website.

Where many computer viruses exist to extract information or simply to cause havoc, a ransomware virus will instead encrypt either an entire hard drive or parts of it. When the victim tries to access the computer or the folder, they receive a message that the files are encrypted and that a sum must be paid to either a bank account or, more likely, a crypto wallet.

Once the victim transfers the money or cryptocurrency, the attacker then sends a password that should once again decrypt the drive or folders. However, in practice, it often doesn’t happen this way. Many victims never receive a password to remove the ransomware after paying.

As a rule of thumb, it’s best to never pay ransomware attackers. According to research by Sophos, only 50% of companies that paid up actually got their data back. The rest did not.

Those aren’t great odds to begin with — and then there’s the risk of establishing a reputation as someone who pays attackers. According to one study, at least 80% of companies that paid were attacked again, often by the same group that targeted them the first time. That’s why it’s more important than ever to learn how to spot and prevent ransomware attacks. But prevention is just the beginning. Once you’ve learned how to identify and protect yourself and your business from ransomware attacks, it’s also imperative to create a swift ransomware response strategy, so you can recover from an attack more easily if you ever find yourself the victim of one.

Ransomware protection: How to protect your business

There are many anti-ransomware solutions and software systems that reduce the risk of attack, but there is still a chance that a more sophisticated actor can find a way past your business’ defenses. That’s why it is critical to take additional precautions.

An effective ransomware response and defense strategy requires a three-pronged approach:

1. First, you need to take precautions and preventative measures to protect yourself or your business from this type of destructive malware.

2. Second, you must implement tools to monitor and detect ransomware in real time.

3. Third, you need recovery systems in place so you and your business can bounce back more easily if a ransomware attack ever occurs.

One of the least technical and most effective ransomware solutions is making sure no one at your business accidentally downloads strange files. Since ransomware is almost always a virus, it’s imperative to always check the source and never download files from unknown sources.

The biggest threat to be aware of is phishing, in which an attacker will make contact impersonating a person or institution you normally trust. The aim is usually to get you, or someone within your business, to give up personal information — or in the case of ransomware, get you to download the virus.

Regular employee training on phishing awareness is essential for the health and safety of your business. Implementing company-wide protocols on verifying email addresses is key in preventing malware infection. That goes for unexpected emails, text messages, and websites for personal use, as well. Make sure your team is set up to succeed by illustrating how to verify legitimate emails, websites and messages before downloading any files.

Monitoring for and detecting ransomware

An effective ransomware prevention strategy must include software tools to monitor and detect ransomware before it infiltrates your company’s IT and data systems. Implementing strong ransomware detection methods, like monitoring network traffic for unusual activity, is essential for early identification.

Detection software can monitor for suspicious activity happening behind the scenes and alert your business to it, including unusual encryption patterns and other threats or indicators of ransomware viruses that could infect your business’ data.

Threat-detection tools like Halcyon, Kaspersky, or Acronis can be used to catch ransomware viruses before they take hold of your business’ sensitive information. When paired with ransomware prevention strategies like backing up your data and versioning, these security solutions can be a critical part of a business’ ransomware defense practices.

Backups and versioning: An important line of defense

No matter the organization, people make mistakes, and even with robust ransomware prevention protocols, data breaches happen. If a ransomware attack does pass your defenses, there is always a better option than paying your attacker.

But to be able to ignore the ransomware attack, you or your business must first have an effective backup system to overwrite the hard drive and reinstall your data.

First, you’ll need a cloud storage service that can perform backups of vital files by syncing them. But the service needs to go one step further: The backups also need to create versions of files for every sync. This is because when attackers encrypt a file, that’s the version that gets uploaded to the cloud. With versioning, you can just roll back to an earlier version.
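The "unusual encryption patterns" signal from the detection section and the versioned rollback described above can be sketched together. This is an added example, not code from Proton or any of the named tools: the version-history model, the thresholds, and all sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5   # bits/byte; assumed threshold, tune on your own data
MIN_JUMP = 1.0       # assumed minimum rise over the previous version

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_overwrite(prev: bytes, new: bytes) -> bool:
    """True when a sync turns ordinary content into near-random bytes.
    Comparing against the previous version avoids flagging files that
    were always high-entropy (archives, images, video)."""
    e_prev, e_new = shannon_entropy(prev), shannon_entropy(new)
    return e_new >= HIGH_ENTROPY and e_new - e_prev >= MIN_JUMP

def last_clean_version(history):
    """history: non-empty list of (label, bytes), oldest first. Returns the
    label of the newest version synced before the first encrypted overwrite."""
    for (label, prev), (_, new) in zip(history, history[1:]):
        if encrypted_overwrite(prev, new):
            return label
    return history[-1][0]

def pseudo_random(seed: bytes, blocks: int = 256) -> bytes:
    """Deterministic stand-in for ciphertext or compressed data."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))

# Constructed sample version histories (not real files).
report_v1 = b"Q1 revenue rose four percent on subscription growth.\n" * 150
report_v2 = report_v1 + b"Q2 outlook unchanged.\n"
HISTORIES = {
    "report.txt": [("v1", report_v1), ("v2", report_v2),
                   ("v3", pseudo_random(b"locked"))],      # encrypted sync
    "photo.jpg": [("v1", pseudo_random(b"img1")),
                  ("v2", pseudo_random(b"img2"))],         # always high-entropy
}

def restore_plan(histories):
    """Map each path to the version label to roll back to."""
    return {path: last_clean_version(h) for path, h in histories.items()}

if __name__ == "__main__":
    for path, label in restore_plan(HISTORIES).items():
        print(f"{path}: restore {label}")
```

An entropy jump is a heuristic rather than proof of encryption, so treat the result as a starting point and confirm the chosen version against the time the attack was first detected.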

Proton Drive for Business can do both these things. Through our syncing feature on both the Windows and macOS desktop apps, you can sync any file or folder from your device. Any time you make a change to those files, a new version is created automatically, which you can then recall through our version history feature.

If you get hit with a ransomware attack, you just wipe the hard drive, restore your files, and get back to work, no ransom paid — a simple and stress-free method of ransomware recovery.

Secure and defend your critical data with Proton

Email can be the first touchpoint for ransomware victims. With Proton Mail, you can protect both yourself and your business by automatically filtering spam and potential malware with smart spam filtering and PhishGuard, an advanced phishing protection feature that flags and alerts you to potential phishing attacks.

Proton Mail also features advanced link confirmation, urging you to pause and check the link URL for anything suspicious before you open it.

Additionally, Proton Drive keeps your and your business’ data safe from more direct attacks. With end-to-end encryption, nobody but you can see what’s in your files. When Proton Mail and Drive are used together, you and your business are at far less risk of a breach than with other cloud storage services that don’t use end-to-end encryption.

With better security methods, smarter backups, and improved phishing protection, you can trust that your data is safe with Proton.