What is Ransomware?—How to Prevent, Remove, and Respond to Attacks

What is Ransomware? How to protect your business

The success of a modern business is heavily reliant on the network of which its computers and employees operate. With many risks looming online, a secured operating system and network are critical for most businesses to perform to their full ability. 

One of the most prolific threats to modern business is ransomware. With global ransomware damage costs are predicted to reach $20 billion by 2021 organizations need to ensure their security posture is sufficiently mature to protect against this pervasive malware.

In this article, we’ll dive into the history of ransomware, and then provide solutions on how to prevent, remove, and respond to ransomware attacks.

Table of Contents

What is Ransomware?

Ransomware Attacks in 2019

IBM defines ransomware as a “form of malware that threatens to destroy or withhold the victim’s data or files unless a ransom is paid.” This is not too unlike ransom cases that we see in war and crime, where criminals hold people as hostages in return for large sums of money. But instead of people, cyber-criminals withhold valuable data and files in hopes of a big cash return.

Ransomware, just like other forms of malware, is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. There are two primary types of ransomware: locker or crypto. 

Research from the Beazley Breach Response (BBR) Services found that ransomware attacks increased by 131% between 2018 and 2019 alone. Cybersecurity Ventures predicts businesses will experience a ransomware incident every 11 seconds in 2021, up considerably from every 40 seconds in 2016.

“The ransomware landscape has been rapidly evolving. Back then, instances of ransomware typically involved the target’s data being encrypted, but not accessed or exfiltrated. Today, however, not only has the frequency of ransomware attacks increased substantially, but the added threat of a data breach makes them potentially much more damaging.”

2020 Breach Briefing, Beazley Breach Response (BBR) Services

Locker Ransomware

This type of malware blocks basic computer functions. For example, a user of an infected computer may not be able to access the desktop files or properly use the mouse and keyboard. By locking users from their computers and preventing them from using certain programs, cyber-criminals aim to have victims pay a ransom to regain control of their machines.

Crypto Ransomware

Crypto ransomware is malware that has been designed to encrypt the important data that is stored on a computer hard drive or network. Common targets include secured documents, files, photos, and other forms of personal information. Hackers will demand a ransom from their victims, promising to release the stolen data upon payment using a decryption key. 

There are two major forces driving the adoption is ransomware: Ransomware-as-a-Service businesses lowering the barrier to entry and the sheer profitability for threat actors.

Ransomware-as-a-Service allows malware developers to rent out their malicious software in exchange for a cryptocurrency (such as Bitcoin or Monero) or a share of what the victims pay. This allows threat actors without programming skills to spread ransomware without spending their time on development.

Why is ransomware so profitable? Simply put, victims are willing to pay; even against FBI recommendations. Cybercriminals prioritize their targets based on the perceived odds of receiving a ransom payment from their victim. Researchers from IBM Security’s X-Force surveyed executives at 600 businesses and found that 70% of those that were hit with ransomware have paid the ransom. 

How Do Ransomware Attacks Work?

Ransomware can be deployed in several ways, but it is most commonly spread through phishing emails, malicious websites, torrents, and shared networks. 


Personal data phishing concept background. Cartoon illustration of personal data phishing vector

Often disguised as a promotional offer or free product, fraudulent emails containing malware are sent to users to retrieve personal information from infected devices.

Malicious Websites

Image of a hacker wearing a hooded sweatshirt and a plain white mask. They are sitting in front of multiple computer monitors, typing on their keyboard.

Some websites attempt to install malware onto the computer of unsuspecting visitors, usually through popups or malicious web links.


Online file sharing and downloading is a particularly dangerous realm of the internet as ransomware can be downloaded through a file without the user knowing.

Shared Networks

Computers connected through a shared network are at a high risk of being attacked if there has been a security breach and the system has been infected. Malware is capable of spreading from one computer to another on a shared network, making the need to prevent ransomware even more of a priority for organizations that rely on a broad network of shared devices with many users.

The History of Ransomware

The Early Years

A collage of flopp disks

It is reported that the first-ever successfully deployed ransomware virus was created in 1989 by a Harvard student. 20,000 infected floppy disks were distributed to attendees of the World Health Organization’s AIDS conference. Disguised as technology that could analyze a person’s risk of getting AIDS, the floppy disks were used to infect the computers, hiding directories and encrypting the names of all files on the C drive. Victims were greeted with a cryptic message asking for a payment to recover their files.

Despite the elementary technique of the 1989 ransomware attack, the software used and the relative success paved the way for a long road of cyber-crime.

Throughout the ’90s and into the 2000s, ransomware technology developed alongside the increasingly powerful computers that became more and more mainstream in society. As businesses and civilians began purchasing computers and using them regularly, the ideation of widespread ransomware infections began to circulate throughout the criminal underworld. 

Ransomware Goes Viral

A group of employees surround a laptop. They all have worried expressions

In 2006, Archiveus Trojan and GPcode ransomware were developed by cyber-criminals to deploy wide-scale attacks. The ransomware was mainly distributed to victims through email and would aim to withhold information such as social security numbers and bank account information from the attacked computers. 

With the technology capable of attacking a mass volume of computers, ransomware was becoming a highly lucrative business. 

By the mid-2010s, ransomware had become a multi-billion dollar industry for cyber-criminals. Connecting through online forums and chat groups, hackers developed and shared open-source software code for malware that made it more simple to create successful ransomware attacks. And since 2016, over 4,000 ransomware attacks occur daily within the US. 

No Signs of Slowing Down

Cybersecurity threats have become widespread in our personal lives and within the business world. Every day people are falling victim to ransomware and large corporations are investing millions to increase the efficiency of their digital security systems.

And these threats aren’t superficial in any regard. ThreatPost.com reports that the volume of ransomware incidents around the world increased 151% for the first six months of 2021 as compared with the first half of 2020. Europe, specifically, saw the highest jump in volume, spiking +234%.

The biggest reason for the continued increase in ransomware incidents is, quite simply, the profit. Steve Morgan, a cyber-security expert, believes that the rise in ransomware incidents is largely due to companies that opt to pay a ransom. “It’s the proverbial get rich scheme,” says Morgan. Paying the ransom provides hackers with more incentive to continue creating the malware and tools necessary to generate even more money from their cyber-criminal schemes.

With only 25% of business executives willing to pay between $20,000 and $50,000 to regain access to encrypted data, generating the profit from their schemes is a numbers game for hackers. Given the variance and low likelihood of a payout, hackers will continue to increase the frequency of their attacks to maximize their profit.

As the internet continues to make it easier for users to learn new skills and connect with like-minded people, the prevalence of ransomware will become more and more substantial in society and business. Crime, greed, and technology can be a dangerous combination.

How Much Does a Ransomware Attack Cost?

The overall costs of ransomware can be tough to calculate as the effects of an attack are complicated. And unfortunately, paying the ransom does not always guarantee that the hackers will be cooperative in the recovery process.

According to Sophos’ The State of Ransomware 2021 report, the average cost of a ransomware attack was $1.85 million in 2021. This estimate takes into consideration a large number of factors, including hours of labor, reputational damage, and the ransoms paid.

Hours of Labor

A group of employees reviewing reports

When an attack occurs, companies will need to allocate resources, such as an IT team, to help restore backups and operating systems in an attempt to recover stolen and encrypted data. For most small to medium-sized businesses, outsourcing a team of cyber-security IT experts will often be necessary.

Other areas of business, such as marketing and human resources, can also be affected. A marketing team may have to focus energy towards maintaining positive public sentiment, while an HR team may be bombarded with questions and concerns from their staff.

Reputational Damage

A man sits at his desk working on a computer. The shadowy figure of a colleague looms behind him.

The protection of customer and patient information is paramount for businesses in today’s world. However, as most ransomware is designed to retrieve personal information such as a home address and medical records, a company affected by ransomware will incur major reputational damage. Current and potential customers and patients will be skeptical of doing business with a company that has been hit with a network breach, fearing poor security systems and negligent staff members.

Ransoms Paid

A hand counts several $100 US bills

Despite the FBI’s recommendation to not pay hackers their ransom, many businesses do end up paying the high costs as a means of recovering their stolen data and minimizing the impact of the incident. In  2021, the average ransomware payment is $570,000, an amount that would financially cripple most companies.

Biggest Ransomware Attacks of 2021

Hackers do not discriminate much when it comes to the targeting of their attacks, though certain industries are particularly appetizing for cybercriminals. These industries include the education sector, information technology, health care, and retail. With a desire for hackers to steal personal information from customers and patients, these industries are at a particularly high risk of ransomware attacks.

Buffalo Public Schools

The information of thousands of students, including their gender and race, was the target of a March 12th ransomware attack on the Buffalo Public Schools. Upon detection, the schools involved were forced to shut down as the school board hired a security team and requested support from the FBI to investigate and respond to the incident. Although the school board refused to pay the ransom, the response to and relief of the incident has cost nearly $10 million.

Colonial Pipeline 

In May of 2021, a group of hackers deployed the DarkSide ransomware strain that was responsible for the disruption of the Colonial Pipeline, America’s largest pipeline of refined products. The impact of the ransomware attack was felt immediately as gas prices soared above $3 for the first time in seven years. The pipeline operator immediately paid the hackers their $5 million ransom to minimize the impact and resume their operations.

DarkSide is a new ransomware variant, associated with the DarkSide hacker group, that operates as ransomware-as-a-service (Raas).

Ireland’s Health Service Executive

The Health Service Executive, which is the publicly funded healthcare system in Ireland, was attacked in May by a variant of Conti ransomware. The incident forced the HSE to shut down all of its IT systems, causing a great disturbance for the country and those relying on the HSE for health services.

The attackers have demanded a whopping $20 million in Bitcoin as ransom, a sum that the HSE and Ireland have thus far refused to pay.

Dairy Farm

A Pan-Asian retail giant, Dairy Farm, was the victim of a sophisticated ransomware attack carried out by the cyber-criminal group REvil. Dairy Farm, which operates a wide range of retail outlets including grocery and convenience stores, had its network and encrypted devices compromised in the attack that occurred in January of 2021.

The REvil group has demanded $30 million as a ransom for decrypting the stolen data and not leaking business information on the dark web.

How to Prevent and Remove Ransomware

There are many challenges and variables involved in the recovery process of each ransomware situation, making each case uniquely difficult to manage. Fortunately for companies, there are proven systems and solutions to help stop ransomware from happening in the first place.

Staff Training

Man giving a presentation

Any worker who uses a computer and the internet is susceptible to the threat of ransomware and could put their company at risk. And as we know, ransomware may come in many different forms, so training employees on what to look out for when on their computers will be an important first step to prevention.

Considering that phishing is one of the most commonly used methods to deliver malware, employees should be able to identify potentially harmful emails. Understanding what a phishing scam email looks like will be important for employees to help prevent the success of cyberattacks.

Web Filtering

Need to restrict internet access in your network? In this tutorial you will learn how to block websites using a free trial of BrowseControl, CurrentWare’s web content filtering software.

With BrowseControl you can…

Block websites based on URL, category, domain, or IP address

Schedule unique internet restrictions throughout the day 

Assign custom policies for each group of computers or users,

and enforce internet usage policies, even when devices leave the network

There are 3 ways to block employee internet access with BrowseControl

1) Block access to specific websites with the Block List

2) Restrict internet access to only certain sites with the Allow List 

3) Using the Category Filtering feature you can block access to content categories such as Porn, Virus Infected, or Social Media 

For complete control over internet and application use in your network, you can combine BrowseControl with BrowseReporter, CurrentWare’s internet monitoring software.

All right, let’s get started.

To begin, sign up for a free trial of BrowseControl at CurrentWare.com/Download. After filling out the form you will be provided with the files you need to get started with BrowseControl.

To install BrowseControl, run CurrentWare.exe on the administrator’s computer and follow the installation instructions; this will install the CurrentWare Console and Server. 

After that, deploy the CurrentWare Client Setup file (cwClientSetup.exe) on all of the computers you would like to control. 

From there you can import your Active Directory organizational units or manually create your desired policy groups.

For full installation instructions, please visit our knowledge base at CurrentWare.com/Support. 

Now that you have BrowseControl installed, I’ll show you how to block specific websites based on their URL, domain, or IP address with the URL Filter.

This feature can be used to block your employees from accessing distracting websites like Facebook, TikTok, or Instagram.

First, decide whether you want to control internet access based on users or computers and select the desired mode.

Next, click on the URL Filter then select “Blocked List”

From the drop-down menu, select the group of computers or users that you want to restrict

Enter the URL, domain, or IP address of the websites you want to block to the master URL list, then press the Enter key or click “Add”. 

BrowseControl will apply a wildcard to the URL, ensuring that any paths within the domain will be blocked as well.

In the master URL list, select the websites you want to block for the chosen group, then click “Add to Blocked List”.

If you would like to add the selected websites to the block list of multiple groups, you can press the drop-down arrow and select “add to multiple groups”, select the desired groups, then click “add to blocked list”

If you have a large number of websites you would like to block, you can also use the import feature to import an existing list.

Finally, click “Apply to Clients”.

That’s it! You have now blocked your employees, students, or patrons from accessing those specific websites. 

Next, I’ll show you how to restrict internet access to only certain sites.

This feature is ideal if you want to prevent your employees, students, or patrons from accessing websites that are not explicitly allowed by your organization.

The process is identical to how you would block a website, except this time you will set the internet to “off” and add the websites you would like to allow to the Allow List.

With this method, your users will only be able to access the exact websites that have been approved by your company.

Here are the full instructions.

First, decide whether you want to control internet access based on users or computers and select the desired mode.

Next, click on the URL Filter, then ensure that “Allowed List” is selected

From the drop-down menu, select the group of computers or users that you want to restrict

Next, set the internet to “Off”. This will ensure that only the websites that are added to the allowed list can be accessed.

Enter the URL, domain, or IP address of the website you want to allow to the master URL list, then press the Enter key or click “Add”. BrowseControl will apply a wildcard to the URL, ensuring that any paths within the domain will be allowed as well.

In the master URL list, select the websites you want to allow for the chosen group, then click “Add to Allowed List”

If you would like to add the selected websites to the Allowed list of multiple groups, you can press the drop-down arrow and select “Add to Multiple Groups”, select the desired groups, then click “Add to Allowed list”

If you have a large number of websites you would like to allow, you can also use the import feature to import an existing list.

Finally, click “Apply to Clients”.

Next, I’ll show you how to block websites based on content categories such as Porn, Virus Infected, and Social Media 

With BrowseControl’s category filtering feature you can block billions of websites across over 100 URL categories. More than 10,000 new domains are added each day, making it simple to restrict internet access even as new sites emerge. 

Here’s how:

First, decide whether you want to control internet access based on users or computers, then select the desired mode.

Next, click on “Category Filtering”

From the drop-down menu, select the group of computers or users that you want to restrict

Select the web content categories you would like to block, then click “Add to Blocked List”

Finally, click “Apply to Clients”.

That’s it! 

The Allow List can also be used in tandem with the Category Filtering feature to allow websites that would otherwise be blocked based on their content category. 

For example, you could use the Category Filtering feature to block Social Media while still allowing access to LinkedIn.

Now that you’ve seen the 3 key ways you can block a website with BrowseControl, I’d like to show you how to restrict internet access at certain times.

With BrowseControl’s Internet Scheduler you can schedule custom block or allow lists throughout the day. 

This feature will bring some flexibility to your internet restriction policies; in this example, we will allow our employees to browse the internet during lunchtime.

Here’s how to use the internet scheduler

First, decide whether you want to control internet access based on users or computers and select the desired mode.

Next, click on “internet scheduler”

From the drop-down menu, select the group of computers or users that you want to restrict

Next, click “New Schedule”

Set the start and end time of the schedule. Then, select the schedule type.

Internet On will allow internet access to all websites that are not on the URL Block List

Custom allowed list will only allow access to specific websites.

Custom blocked list will block access to a specific list of websites and allow access to the rest of the internet.

Custom Category blocked list will block specific categories and allow access to the rest of the internet.

Next, set your desired schedule frequency.

Daily will enable the schedule every day during the specified time period.

Weekly will enable the schedule only on specific days of the week.

Monthly will enable the schedule only on specific months.

Next, click “Add Schedule”.

If you selected one of the custom block or allow list options, you can click the link provided under the “schedule type” column to set the websites or categories that you would like on the list.

And finally, click “Enable Scheduler” if it is not already enabled

That’s it for today. If you’re ready to start blocking websites you can get a free trial of BrowseControl at CurrentWare.com/Download. 

If you have any questions during your evaluation our support team is available to help you over a phone call, live chat, or email.

See you next time!

90% of IT departments surveyed by Spiceworks restrict web access to protect against malware/ransomware infections

Preventing employees from accessing any of the millions upon millions of malicious websites that are infected with malware is a critical component of protection from ransomware.

Web filtering helps fight against ransomware attacks by proactively blocking websites that are used to execute ‘drive-by downloads’ that infect a user’s machine with the ransomware software without their knowledge.

Web filtering software allows employers to create dynamic lists of specific websites and website categories to be allowed or locked from employee access. To apply tighter restrictions, a company can create a list of the websites that workers are allowed to access while blocking all other websites. A well-curated blocked website list will prevent access to websites that contain ransomware.

Anti Virus Software and Anti Ransomware

Many different vendors offer software designed to prevent and remove ransomware. Depending on the scale and threat of the organization, customized anti-virus software solutions are available to help protect the business from an attacker.

Maintain Backups 

Cloud storage server

To minimize the impact of a successful security breach and ransomware infection, companies should prioritize maintaining secured backups of company data. Companies that maintain backups will not have to worry about paying the ransom to recover their data and can instead focus on identifying and improving the internal security flaws that failed the system.

A proper backup recovery from a ransomware attack can be as simple as reverting to a restore point, discovering the inciting incident, and remediating the vulnerabilities that made it possible.

Maintaining backups is easier said than done; if the only available backups are connected to the network they can become encrypted as well. 

Learn More: How Successful Companies Backup Data

How to Respond to a Ransomware Incident

How an organization responds to a ransomware infection will determine the impact of an incident and how long it will take to recover. 

While regaining access to encrypted files is seldom possible with the decryption key there are important steps to take in response to a ransomware attack to help reduce its effects and reduce the spread of the malware.

Should Companies Pay the Ransom?

man pulling a 5 dollar bill out of their wallet

The FBI and other law enforcement or government bodies will recommend never to pay the ransom. Doing so often further encourages the attackers, supporting their operation with more money to fund more attacks. 

Although the attackers may be motivated to maintain a reputation that they will honor their end of the deal, there is no guarantee that data can be recovered after payment. HelpNetSecurity.com writes that, in 2020, 56% of companies impacted by ransomware paid the attacker, but only 66% of those were able to recover their files.

In addition, organizations that pay ransomware demands prove that they are willing to pay, increasing risks for future attacks on their systems.

Isolate Affected Systems

2 computers on a desk in front of a window

To minimize the spread of malware infection throughout the network, isolating and disconnecting the machines that have been infected is very important. This should be the top priority to prevent ransomware from having a devastating effect.

Identify Patient Zero

Woman deep in thought while viewing laptop

Knowing which piece of the network was the source of the ransomware infection is important in understanding how attackers gained access to the system. Doing so will not only help to resolve the situation, but it will also help organizations to address vulnerabilities and reduce future risks.

Report to Authorities

Yellow police tape that says "Cyber Crime" wrapped in front of a blue digital screen.

No matter its scale, any victim of a ransomware incident should consider reporting their incident to authorities. The FBI asks all victims of ransomware to report their experience to their local FBI field office, stressing that it is important for law enforcement and local authorities to be aware of cyber-criminal activity. Affected businesses can contact the FBI’s Internet Crime Complaint Center (IC3).

In Canada, the National Cybercrime Coordination Unit (NC3) and the Canadian Anti-Fraud Centre are working on implementing a new cybercrime and fraud reporting system for Canadians and businesses


Hacking will continue to be a real-world problem for businesses in 2022 and beyond. As hackers and cyber-criminal organizations profit more and more from their sophisticated schemes, the frequency at which they choose to attack will continue to rise.

For businesses, knowing how to prevent, remove, and respond to ransomware will be important for remaining consistent in this ever-evolving world of technology and the threats it brings with it.

Dale Strickland
Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.