Compliance & Risk
What Is Ransomware? How Attacks Work and What They Cost
By Justin Le
7 min read · Updated June 27, 2026
Ransomware is one of the most damaging cyber threats facing organisations today. This guide explains how an attack actually unfolds, why the real cost is usually far more than the ransom, and what genuinely reduces the risk.
What is ransomware?
Ransomware is malicious software that encrypts an organisation's files — and often whole systems — then demands payment for the decryption key. Modern ransomware usually adds a second threat: attackers steal a copy of the data first and threaten to publish it unless paid, a tactic called double extortion. That means even good backups don't remove the pressure.
How an attack unfolds
- Initial access. Attackers get in — commonly via phishing, stolen credentials, or an unpatched internet-facing system.
- Spread. They move laterally through the network, escalating privileges and mapping what's valuable.
- Exfiltration. They quietly copy sensitive data out for the extortion threat.
- Detonation. They encrypt systems, often timed for a weekend or holiday, and leave a ransom note.
Strong passwords and MFA cut off the most common entry points — see our guide on creating a strong password.
Why downtime is the biggest cost
People focus on the ransom, but for most victims it's the smallest line item. The dominant cost is downtime: every hour systems are offline, the organisation loses revenue and staff can't work. Add the cost of recovery — incident response, forensics, rebuilding systems — and the total often dwarfs the ransom many times over. You can model this with our ransomware cost calculator.
Should you pay the ransom?
Law enforcement agencies broadly advise against paying. Payment funds criminal operations, marks you as a willing target for future attacks, and offers no guarantee — many organisations that pay still can't fully recover, because decryptors are buggy or incomplete. And with double extortion, paying doesn't reliably stop stolen data from leaking. The far better investment is in being able to recover without paying.
Defenses that actually help
- Tested, offline backups. The single biggest lever. If you can restore quickly, you don't need the attacker's key. Make sure backups are immutable and not reachable from the network they protect.
- MFA everywhere. Stops most credential-based intrusions cold.
- Patch internet-facing systems. Unpatched VPNs and servers are a top entry point.
- Network segmentation. Limits how far an intruder can spread.
- A rehearsed incident response plan. Practiced recovery shortens the costly downtime window.
- Security awareness training. Reduces the phishing clicks that start many attacks.
Data breach and reporting obligations
Because modern ransomware steals data, an attack is usually also a data breach — which can trigger legal reporting duties (under GDPR and similar laws) and notification costs. Estimate that side with our data breach cost estimator, and see our GDPR overview for the reporting angle.
The bottom line
Ransomware is primarily a resilience problem. The organisations that weather it best aren't the ones that pay fastest — they're the ones that can restore from backups, contain the spread, and keep operating. Use the security ROI calculator to justify investing in those defenses before an incident, not after.
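A worked version of the downtime argument above and of the ROSI comparison the bottom line points to, added here as an illustration. It is not the site's calculator and its formulas are not taken from it: the hourly loss model, the ROSI formula (loss avoided minus control cost, divided by control cost) and every figure are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class RansomwareScenario:
    """Inputs for a downtime-centred cost model (constructed assumptions)."""
    downtime_hours: float              # hours core systems are offline
    revenue_per_hour: float            # revenue lost per hour of outage
    staff_count: int                   # employees unable to work
    loaded_cost_per_staff_hour: float  # salary plus overhead per idle staff-hour
    recovery_cost: float               # incident response, forensics, rebuild
    ransom: float                      # ransom paid (0 if not paid)


def cost_breakdown(s: RansomwareScenario) -> dict:
    """Return each cost component and the total so the ransom can be compared to the rest."""
    lost_revenue = s.downtime_hours * s.revenue_per_hour
    lost_productivity = s.downtime_hours * s.staff_count * s.loaded_cost_per_staff_hour
    total = lost_revenue + lost_productivity + s.recovery_cost + s.ransom
    return {
        "lost_revenue": lost_revenue,
        "lost_productivity": lost_productivity,
        "recovery": s.recovery_cost,
        "ransom": s.ransom,
        "total": total,
    }


def ransom_share(s: RansomwareScenario) -> float:
    """Fraction of the total cost that the ransom itself represents."""
    b = cost_breakdown(s)
    return b["ransom"] / b["total"]


def rosi(annual_loss_without: float, annual_loss_with: float, control_cost: float) -> float:
    """Return on security investment: (loss avoided - control cost) / control cost."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (annual_loss_without - annual_loss_with - control_cost) / control_cost


# Constructed example: a 72-hour outage (a long weekend) and a paid ransom versus
# a 12-hour outage with no payment after investing in tested, immutable backups.
NO_BACKUPS = RansomwareScenario(72, 5_000, 200, 40, 150_000, 100_000)
WITH_BACKUPS = RansomwareScenario(12, 5_000, 200, 40, 60_000, 0)

if __name__ == "__main__":
    for name, scenario in [("no backups", NO_BACKUPS), ("with backups", WITH_BACKUPS)]:
        print(name, cost_breakdown(scenario), f"ransom share {ransom_share(scenario):.1%}")
    # Assumed 20% annual incident probability and an 80,000/year backup programme.
    p = 0.2
    avoided_from, avoided_to = cost_breakdown(NO_BACKUPS)["total"], cost_breakdown(WITH_BACKUPS)["total"]
    print("ROSI of backups:", rosi(p * avoided_from, p * avoided_to, 80_000))
```

In the constructed scenario the ransom is under 9% of the total, and the backup programme returns more than its cost in avoided expected loss.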
Frequently asked questions
Should you pay a ransomware ransom?
Generally no. Authorities advise against it — payment funds crime, marks you as a target, and doesn't guarantee recovery or stop stolen data from leaking. Invest in backups and an incident response plan instead.
What's the biggest cost of a ransomware attack?
Downtime. Lost revenue and productivity while systems are offline, plus recovery costs, typically far exceed the ransom itself, because recovery can take days or weeks.
What is the best defense against ransomware?
Tested, offline (immutable) backups are the single biggest lever, because they let you recover without paying. Combine them with MFA, patching, network segmentation and a rehearsed response plan.
Try the related tools
- Ransomware Downtime Cost Calculator: Estimate the total impact of a ransomware attack from downtime, recovery and ransom.
- Data Breach Cost Estimator: Estimate the financial impact of a data breach from records exposed and per-record cost.
- Security ROI (ROSI) Calculator: Compute the return on a security investment from expected loss and mitigation effectiveness.
Related guides
- What Is GDPR? Fines and Compliance Basics: GDPR in plain English: who it covers, the rights it grants, the two fine tiers (up to 4% of turnover), and where to start. Educational, not legal advice.
- How to Create a Strong Password (and Why Length Wins): Forget swapping letters for symbols. Here's what really makes a password strong — entropy, length, uniqueness — and the simple system that beats memorising rules.
- What Is a Data Breach? Causes, Costs and Response: What counts as a data breach, the causes behind most of them, why the true cost dwarfs the headline fine, and how to prepare before one happens.