ToolSec

📊 Compliance & Risk

What Is Ransomware? How Attacks Work and What They Cost

· 7 min read · Updated June 27, 2026

Ransomware is one of the most damaging cyber threats facing organisations today. This guide explains how an attack actually unfolds, why the real cost is usually far more than the ransom, and what genuinely reduces the risk.

What is ransomware?

Ransomware is malicious software that encrypts an organisation's files, and often whole systems, then demands payment for the decryption key. Modern ransomware usually adds a second threat: attackers steal a copy of the data first and threaten to publish it unless paid, a tactic called double extortion. That means even good backups don't remove the pressure.

How an attack unfolds

  1. Initial access. Attackers get in, commonly via phishing, stolen credentials, or an unpatched internet-facing system.
  2. Spread. They move laterally through the network, escalating privileges and mapping what's valuable.
  3. Exfiltration. They quietly copy sensitive data out for the extortion threat.
  4. Detonation. They encrypt systems, often timed for a weekend or holiday, and leave a ransom note.

Strong passwords and MFA cut off the most common entry points; see our guide on creating a strong password.

Why downtime is the biggest cost

People focus on the ransom, but for most victims it's the smallest line item. The dominant cost is downtime: every hour systems are offline, the organisation loses revenue and staff can't work. Add the cost of recovery (incident response, forensics, rebuilding systems) and the total often exceeds the ransom many times over. You can model this with our ransomware cost calculator.
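As an added illustration of the cost model described above (this is example code, not the site's calculator, and every figure in it is a constructed, assumed input), the script below breaks an incident into the line items the section names, computes the ransom demand as a multiple of the rest, and shows how many hours of downtime it takes for lost revenue and productivity alone to overtake the ransom.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Incident:
    """One ransomware incident. All fields are assumed inputs, not real figures."""
    ransom_demand: float        # amount the attackers ask for
    hourly_revenue: float       # revenue lost per hour systems are offline
    staff_count: int            # employees who cannot work during the outage
    hourly_staff_cost: float    # loaded cost of one idle employee per hour
    downtime_hours: float       # hours until operations are back
    recovery_costs: float       # incident response, forensics, rebuilding systems
    notification_costs: float   # breach notification / legal (double extortion)


def hourly_outage_cost(inc: Incident) -> float:
    """Revenue plus idle-staff cost for each hour the organisation is down."""
    return inc.hourly_revenue + inc.staff_count * inc.hourly_staff_cost


def downtime_cost(inc: Incident) -> float:
    """Total revenue and productivity lost over the whole outage."""
    return inc.downtime_hours * hourly_outage_cost(inc)


def total_cost(inc: Incident) -> dict:
    """Cost of the incident with no ransom paid, broken into line items."""
    items = {
        "downtime": downtime_cost(inc),
        "recovery": inc.recovery_costs,
        "notification": inc.notification_costs,
    }
    items["total"] = sum(items.values())
    return items


def breakeven_downtime_hours(inc: Incident) -> float:
    """Hours of downtime at which lost revenue/productivity equals the ransom."""
    return inc.ransom_demand / hourly_outage_cost(inc)


def ransom_multiple(inc: Incident) -> float:
    """How many times over the non-ransom costs exceed the ransom demand."""
    return total_cost(inc)["total"] / inc.ransom_demand


def saving_from_faster_restore(inc: Incident, hours_saved: float) -> float:
    """Cost avoided if a rehearsed, tested restore shortens the outage."""
    faster = replace(inc, downtime_hours=inc.downtime_hours - hours_saved)
    return total_cost(inc)["total"] - total_cost(faster)["total"]


# Constructed example: a mid-sized firm offline for five working days (assumed).
EXAMPLE = Incident(500_000, 20_000, 400, 50, 120, 750_000, 250_000)

if __name__ == "__main__":
    for name, value in total_cost(EXAMPLE).items():
        print(f"{name:>13}: {value:>12,.0f}")
    print(f"ransom is exceeded after {breakeven_downtime_hours(EXAMPLE):.1f} h of downtime")
    print(f"non-ransom costs are {ransom_multiple(EXAMPLE):.1f}x the demand")
    print(f"restoring two days sooner saves {saving_from_faster_restore(EXAMPLE, 48):,.0f}")
```

With the constructed inputs the ransom is overtaken after 12.5 hours of downtime, and the non-ransom costs come to 11.6 times the demand.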

Should you pay the ransom?

Law enforcement agencies broadly advise against paying. Payment funds criminal operations, marks you as a willing target for future attacks, and offers no guarantee: many organisations that pay still can't fully recover, because decryptors are buggy or incomplete. And with double extortion, paying doesn't reliably stop stolen data from leaking. The far better investment is in being able to recover without paying.

Defenses that actually help

  • Tested, offline backups. The single biggest lever. If you can restore quickly, you don't need the attacker's key. Make sure backups are immutable and not reachable from the network they protect.
  • MFA everywhere. Stops most credential-based intrusions cold.
  • Patch internet-facing systems. Unpatched VPNs and servers are a top entry point.
  • Network segmentation. Limits how far an intruder can spread.
  • A rehearsed incident response plan. Practiced recovery shortens the costly downtime window.
  • Security awareness training. Reduces the phishing clicks that start many attacks.

Data breach and reporting obligations

Because modern ransomware steals data, an attack is usually also a data breach, which can trigger legal reporting duties (under GDPR and similar laws) and notification costs. Estimate that side with our data breach cost estimator, and see our GDPR overview for the reporting angle.

The bottom line

Ransomware is primarily a resilience problem. The organisations that weather it best aren't the ones that pay fastest; they're the ones that can restore from backups, contain the spread, and keep operating. Use the security ROI calculator to justify investing in those defenses before an incident, not after.

Frequently asked questions

Should you pay a ransomware ransom?

Generally no. Authorities advise against it: payment funds crime, marks you as a target, and doesn't guarantee recovery or stop stolen data from leaking. Invest in backups and an incident response plan instead.

What's the biggest cost of a ransomware attack?

Downtime. Lost revenue and productivity while systems are offline, plus recovery costs, typically far exceed the ransom itself, because recovery can take days or weeks.

What is the best defense against ransomware?

Tested, offline (immutable) backups are the single biggest lever, because they let you recover without paying. Combine them with MFA, patching, network segmentation and a rehearsed response plan.
