Protect your business from ransomware
Understand what ransomware is, how it works, how it can affect your business and how to prevent attacks.
Ransomware is malicious software (malware) used by cyber criminals to lock, encrypt or steal your business data. It blocks access to your files or computer systems, and demands a ransom payment, often in cryptocurrency, to restore access.
Ransomware attacks can be a serious threat to businesses. They are usually random, highly disruptive and expensive to recover from. As well as financial losses, you may face:
- permanent loss of data
- downtime and reduced productivity
- reputational damage
- potential fines for breach of data security or data theft
Read more about the impact of cyber attack on your business.
How ransomware infects your system
Ransomware typically infects machines or networks through:
- Phishing email (spam) - messages that appear 'legitimate' but contain malicious links or attachments. Clicking these can download ransomware onto your device.
- Drive-by download - software installed onto your device without your knowledge when you visit a compromised or fake website. These attacks often exploit security weaknesses in browsers, plug-ins or operating systems.
Once installed, the malware can quickly spread across your network, locking shared drives and connected devices.
Types of ransomware and examples
The two most common forms of ransomware are:
Screen lockers
Screen lockers block access to your computer with a full‑screen message, often pretending to come from law enforcement and demanding payment of a 'fine'. They don't typically interfere with the underlying system and files.
Encryption (crypto) ransomware
Crypto ransomware encrypts your files to make them unreadable, then demands a ransom for a decryption key. Attackers often threaten to delete or leak your data if you don't pay.
CryptoLocker and WannaCry are well-known examples of crypto malware. Hybrids like Petya combine features of both screen lockers and encryptors. Newer ransomware-as-a-service platforms like LockBit can be rented on the dark web, allowing more criminals to launch targeted attacks with minimal technical skill.
What to do if your business is infected with ransomware
If you suspect a ransomware infection:
- Immediately disconnect the affected device from your network and the internet to stop the malware spreading.
- Reboot the device in safe mode, if possible, to limit further damage. Try to identify the specific ransomware strain – this helps you check for decryptors or assess system damage before full recovery.
- Run reputable anti-malware software to remove the infection, but be aware this may not always be possible. Even if you can remove the malware, you may not always be able to decrypt and recover your data.
- Do not pay the ransom. There is no guarantee that you will get a working decryption key, even after payment. Paying may, in fact, prolong the attack and mark your business as a target for future attacks.
- Restore your system from backups once you have confirmed your system is clean and patched. Recover offline backups only after removing the malware completely. If no backups are available, and you're unable to decrypt your files, you may have to accept potential data loss and rebuild systems from scratch using a clean installation.
- Change any compromised passwords and enable two‑factor authentication (2FA) on key accounts such as admin, email and finance. You should also update all devices and software with the latest security patches.
- Finally, report the incident to the relevant authorities, including the National Cyber Security Centre (NCSC).
How to prevent ransomware attacks
Criminals often use email, social posts and even texts to infiltrate computer networks. To protect your business from ransomware, you should combine strong technical controls with staff awareness. At the very least:
- use secure email filters to block phishing messages and malicious attachments
- train staff to recognise and report suspicious emails, messages and links
- regularly change passwords to strong, unique combinations
- keep software, browsers and operating systems updated with the latest patches
- restrict admin rights and use multi-factor authentication for sensitive accounts
Most importantly, you should back up your key business data. Regular offline or version‑controlled cloud backups can help you:
- recover key data after an attack
- restore your system to a previous, safe version
- resume business operations with minimal disruption and costs
Keep any backups isolated from your network. Ransomware can encrypt connected USB drives, network storage and even cloud backups with poor version control.
Read more about backing up your data and find detailed NCSC guidance on mitigating malware and ransomware attacks.