What is ransomware?
Ransomware is a type of malicious software (or malware for short). When it’s installed, the malware stops you from accessing your computer systems.
By Alan Boswell Group

The main motive for criminals is money, so if your business suffers a ransomware attack, you’ll usually be asked to make a payment (often in cryptocurrency) to regain access to affected systems. In some cases, hackers are after sensitive corporate information which could be used to discredit your organisation.
To help your business stay one step ahead, here’s how ransomware works, how to prevent it, and what to do if you’re unfortunate enough to experience an attack.
How does ransomware work?
Broadly speaking, there are four main types of ransomware:
Locker ransomware
Locker ransomware is a type of malware that locks devices to prevent access. When this happens, you’ll usually be greeted by an on-screen message that demands payment in exchange for access to your device.
Crypto ransomware
This is when your files or data are encrypted, blocking your access to them. A high-profile example of this type of ransomware is the WannaCry malware that shut down parts of the NHS back in 2017.
Scareware
Scareware tricks you into thinking your device has been infected with malware and offers you the opportunity to pay a fee or purchase software to fix the problem. Crucially, at the point of receiving the original message, your computer hasn’t been infected; it only becomes infected if you purchase and download the software being offered.
Cyber criminals can then access data and files, encrypting them or threatening to release sensitive information if you don’t pay the ransom.
Leakware
Leakware is a type of ransomware that encrypts your data and files and threatens to leak them to the public or third parties unless you pay the ransom being demanded.
In addition to the above, there is a growing use of ransomware-as-a-service (RaaS). Similar to software-as-a-service (cloud-based software where providers host applications that customers use on a subscription basis), RaaS subscriptions can be purchased by cyber criminals who don’t have the time or knowledge to develop their own ransomware, and then used to attack businesses and individuals. Concerningly, this widens the pool of criminals: those without the knowledge to develop ransomware previously couldn’t use it, but now almost anyone could purchase a RaaS subscription.
What threats do ransomware criminals use?
Criminals use a variety of threats to demand payment, but the most common include:
Doxware – when criminals threaten to release sensitive information they’ve stolen from you.
Double extortion – when criminals encrypt your data and also threaten to release it unless you pay them.
Wipers – when criminals threaten to remove all your data from your systems.
What is the most common way to get infected?

Operational human error is the greatest risk factor for systems getting infected with ransomware. Criminals use a number of techniques to infect computers; one of the most common is to get users to click on a link or download something from it, which then locks or encrypts your computer or files. These links can be presented in a variety of ways, including:
Phishing – when criminals ‘fish’ for details such as your username, passwords, and date of birth. This information is then used to access, lock, and encrypt your data.
Exploit kits – these detect any vulnerabilities on your device and ‘infect’ your network through any breaches they find.
Malvertising – when ransomware links are hidden in online adverts.
Another method used by cybercriminals is to link up to your network using the Remote Desktop Protocol (RDP), which lets someone else access your computer. RDP is a useful tool that lets an IT expert fix any minor issues you have with your PC, but it can also be used by criminals.
How do I know if my device has ransomware?
The most obvious sign is that you receive a message from the attackers. This could be an on-screen message, a pop-up window, or a full ‘lock-screen’ where your entire monitor screen is hijacked. In some cases, you might still have access to your files, but they’ll be encrypted. You may also notice that file names and extensions have been modified or look unusual, or that files are missing.
Another subtle sign that your device might be affected by malware is if it suddenly slows down for no other apparent reason.
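The two file-level signs described above (encrypted contents and modified extensions) can be checked for automatically. The Python script below is an added example, not part of the original article; the list of text extensions, the 7.5 bits-per-byte threshold and the sample file names (including the `.locked` extension) are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions whose contents are normally low-entropy text (assumed list).
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml", ".html", ".md"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0 (assumed cut-off)
SAMPLE_BYTES = 65536     # only the first 64 KiB of each file is read


def shannon_entropy(data: bytes) -> float:
    """Return entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def scan(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, reason) for files that look renamed or encrypted."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
        suffixes = [s.lower() for s in path.suffixes]
        rel = str(path.relative_to(root))
        # A known text extension followed by an extra one, e.g. report.csv.locked
        if len(suffixes) >= 2 and suffixes[-2] in TEXT_EXTENSIONS:
            findings.append((rel, f"extra extension {suffixes[-1]}"))
        # A text extension whose contents look like random bytes
        elif suffixes and suffixes[-1] in TEXT_EXTENSIONS and entropy > ENTROPY_THRESHOLD:
            findings.append((rel, f"text extension but entropy {entropy:.2f}"))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two normal files and two that mimic encrypted ones."""
    (root / "notes.txt").write_text("meeting notes\n" * 200)
    (root / "sales.csv").write_text("id,amount\n" + "1,100\n" * 200)
    (root / "report.csv.locked").write_bytes(os.urandom(4096))  # hypothetical extension
    (root / "minutes.txt").write_bytes(os.urandom(4096))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for rel, reason in scan(Path(tmp)):
            print(f"SUSPICIOUS {rel}: {reason}")
```

Compressed formats such as ZIP archives or JPEG images are also high-entropy, which is why the entropy check is applied only to extensions that should contain plain text.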
How to respond to a ransomware attack?
If you have a cyber incident response plan, it should set out the steps you need to take to minimise the impact of the attack. It should also list any regulatory bodies you need to contact if you think there’s been a data breach that falls under GDPR.
If you have cyber insurance, you should let your provider know as soon as you receive a ransomware message. They will manage all of this for you and be able to take you through the next steps, which will depend on the specific conditions set out in your policy.
Otherwise, immediate steps you can take include:
Disconnecting infected computers from your network as soon as possible.
Resetting all credentials on affected devices (take care not to lock yourself out of essential accounts that you might need to restore files).
Removing all data and then restoring files from a recent backup (double-check backed-up files are corruption-free).
If you’re confident that files and networks are clean, you can then reconnect devices (ensuring that operating systems and antivirus protection are updated).
To stay up to date with the latest advice, you can head to the National Cyber Security Centre’s guide to mitigating malware and ransomware attacks.
How serious is ransomware?
The National Crime Agency (NCA) describes ransomware as ‘the largest cyber security threat’. This threat level comes from the all-round damage that ransomware causes. As well as financial and reputational damage, there’s also the loss or theft of sensitive or personal information, as well as disruption to services.
The government’s most recent cyber security survey revealed that ransomware attacks significantly increased between 2024 and 2025, affecting 19,000 businesses. The survey also found that smaller organisations in particular believed that ransomware attacks only targeted larger firms. As a result, many of those who are affected report being ‘unprepared for the scale, sophistication and impacts of the attack’.
What’s the average ransomware payout?
According to a recent survey, the median ransom demand in the last year was £3.9 million, up from £1.9 million the year before. Another survey found that of the businesses surveyed which said they had suffered a ransomware attack, more than half (59%) said they’d paid the ransom demanded.
The average ransom paid out in the UK is around £870,000, although some organisations pay millions to recover control of their systems. Across the world, around 5% of organisations admit paying over £10 million in ransoms.
Remember that while ransom notes might promise to release or return encrypted or stolen data, paying up doesn’t guarantee this will happen. The UK government is proposing a measure to ban all public sector organisations from paying ransom demands. Under the proposal, businesses would also be able to seek government support and advice, particularly if there was a risk of firms breaking the law by paying criminals who may be under existing sanctions.
Can you remove ransomware?
You can remove some ransomware with anti-malware programs, which search for and remove any corrupted files. These types of programs work well if the ransomware is relatively basic.
If the ransomware is sophisticated and your files have been encrypted, it can be very difficult or nearly impossible to recover the information. If this happens, you may need to find an IT expert to see if anything can be done (the National Cyber Security Centre has more about antivirus products). If you have cyber insurance, your insurer would provide you with an IT expert to assist you with this.
Removing ransomware can take anything from a few days to months. In the case of the British Library, it’s taken years to reset systems after it was struck by a ransomware attack in 2023.
How to prevent ransomware
As in most situations, prevention is better than cure, and there are plenty of steps you can take to help prevent a cyber attack or minimise the impact to your business, for example:
Back up files regularly (ideally weekly).
Ensure all anti-virus software is up to date.
Update all operating systems to the latest version.
Check that firewalls and safeguards are secure and can’t be easily breached.
Always use unique passwords and change them on a regular basis.
Set up multi-factor authentication.
Train staff to recognise phishing emails and raise awareness of how criminals dupe individuals into giving up sensitive information.
Never click on links or open attachments from sources you can’t confirm as genuine.
Develop a cyber incident response plan that outlines the steps to take in the event of a cyber attack.
Take out cyber insurance, as policies typically include training, security protection, and preventative measures such as scanning your systems (and those of your suppliers) for vulnerabilities, plus taking care of much of the above for you.
For access to official guidance and training tools, visit the National Cyber Security Centre.
Does cyber insurance cover ransomware?
Yes, cyber insurance policies do cover events in relation to ransomware, including extortion, fraud, data restoration, third-party liability, and business interruption. Bear in mind that policies often come with conditions that you might need to meet, for example, having a cyber incident response plan and implementing certain cyber security measures. Not meeting these conditions can invalidate cover, which will leave you unprotected.
At Alan Boswell Group, our cyber insurance also covers liabilities, reputational damage and breach expenses. This focuses on how the virus entered your network in order to minimise future attacks. Policies also normally include access to cyber security experts who will step in to help if you suffer a cyber attack.
Ultimately, the policy that’s right for your business will depend on its size, your industry, the safeguards you have in place, and the type of data you store and manage. If you’d like to talk about your business needs and how cyber insurance can support your organisation, speak to a member of the team on 01603 218000.