What is ransomware?

Ransomware is a kind of malicious software that holds user data for ransom, blocking access or threatening to publish the data unless demands are met.

As our interactions with and dependence on digital systems grows, so too does the value of our sensitive data. And while some cybercriminals are more interested in quietly stealing your data to sell or use for themselves, others are content to hold it hostage. When an outside threat actor takes control of your system, data, applications etc., and then attempts to blackmail you into paying to regain control, that is known as a ransomware attack.

Unfortunately, this kind of cybercrime is all too common; in 2020 alone, the FBI’s Internet Crime Complaint Center received nearly 2,500 reports of ransomware attacks, with adjusted losses amounting to more than $29.1 million. And the risk is only growing, with global ransomware reports having increased by over 700% from 2019–2020. In fact, in response to this mounting danger to American citizens, businesses and governmental departments, President Biden issued an Executive Order in May of 2021 (Improving the Nation’s Cybersecurity) providing details, federal policies and best practices designed to offer increased protection from the dangers of ransomware.

Unfortunately, protecting your organisation from the mounting threat of ransomware isn’t always simple. Ransomware attacks are becoming increasingly sophisticated, and go beyond targeting surface-level data. Instead, new ransomware is designed to capture and hold backup data and even take control of top-level administration functions. These attacks are often deployed as a single component in a larger strategy, with the goal of fully compromising critical systems.

Likewise, the threat actors themselves are becoming more sophisticated; instead of being limited to individual cybercriminals operating with their own limited resources, today’s threats include organised and well-funded groups, corporate-backed industrial espionage teams and even hostile foreign government agencies.

Given the ubiquity and diversity of these cyberattacks, businesses around the world are in critical danger of falling prey to this digital-age extortion racket.

As with any malicious software, ransomware can enter your network a number of different ways, such as through a spam email attachment, using stolen credentials, via an unsecured internet link, through a compromised website or even hidden as part of a downloadable software bundle. Some forms of ransomware use built-in social engineering tools to try to trick you into granting them administrative access, while other attempt to circumvent permissions entirely by exploiting existing security weaknesses.

Once inside your network, the software deploys, executing a series of commands behind the scenes. This often involves subverting critical administrative accounts that control systems, such as backup, active directory (AD) domain name system (DNS) and storage admin consoles. The malware then attacks the backup administration console, allowing the attacker to turn off or modify backup jobs, change retention policies and more easily locate sensitive data that might be worth taking hostage.

Most commonly at this point, the malware begins encrypting some or all of your files. Once those files have been secured against access, the malware reveals itself by informing you that your data is being held for ransom, and what demands will need to be met for you to regain access. In other kinds of malware (often called leakware), the attacker may threaten to publicly expose certain kinds of sensitive data if the ransom is not paid. In many cases, the data isn’t only encrypted; it’s also copied and stolen to be used in future criminal activities.

As previously mentioned, the use of ransomware in cyberattacks is on the rise. This explosive escalation can be attributed to a number of different factors:

Increased availability

Long gone are the days when cybercriminals had to have the technical understanding to build their own malware programs. Today, online ransomware marketplaces deal in malware kits, programs and strains, allowing any prospective criminal to easily access the resources they may need to get started.

Cross-platform accessibility

Ransomware authors were once limited in terms of which platform they were trying to target, with specific ransomware versions needing to be built for every additional platform. Now, generic interpreters (programs capable of quickly translating code from one programming language into another) make it possible for ransomware to be reliable across essentially any number of different platforms.

Improving techniques

New techniques are not only making it easier for threat actors to sneak malware into your systems; they’re also allowing them to do more damage once inside. For example, modern ransomware programs may be able to encrypt your entire disk, rather than just individual files, effectively locking you out of your system completely.

Unfortunately, there is no single approach to network security that will completely protect your organisation from every kind of ransomware attack. Instead, effective anti-ransomware strategies involve taking full account of existing IT infrastructure and any inherent weaknesses, establishing sound backup and authentication procedures, and promoting a cultural shift within your organisation towards increased security awareness.

To get started, consider the following steps:

How businesses can defend against ransomware graphic

Use effective data-backup methods

Eliminate simple network-sharing protocols when backing up data, and implement viable security features to protect backup data and administration consoles from attack. This will help to ensure that uncorrupted data copies are available when you need them.

Employ up-to-date security software

As new malware is identified, security software providers and other vendors update their products and systems to counter these new threats. Unfortunately, organisations sometimes neglect to keep up with the latest security patches, leaving themselves vulnerable to known threats. Regularly check for new updates and install them as soon as they are available.

Practice safe surfing

Create and distribute internet policies throughout your organisation detailing best practices and safety measures employees should follow when online. For example, never allow employees to conduct company business or access sensitive systems while on public WiFi. Train all relevant personnel in these policies, and establish response plans that they can follow in the event of exposure to malicious software.

Install multifactor authentication

Protect administrative accounts from unauthorised access and control by employing two-factor (or more) authentication. Configure accounts so that they only provide the minimum necessary system privileges by default.

Create an isolated recovery environment

Build ransomware recovery into your overall disaster-recovery strategy. Establish an isolated recovery environment (IRE)—a separate, closed off data centre in which data copies may be kept secure from outside access. Include the IRE in all disaster-recovery tests.

Stay informed

Knowledge and awareness are some of the most effective weapons in your anti-ransomware arsenal; keep them at the ready by following security professionals and experts on social media, regularly checking risk-advisory feeds and advisory sites, and keeping up to date on relevant news.

In the event that you are targeted by a ransomware attack, do not give in to the criminals’ demands. Doing so only identifies you and your organisation as willing victims, and encourages the criminals to continue to target you. In most cases, businesses that pay to have their data or files returned to them never actually receive a working encryption key. Instead, the attackers simply continue to increase their demands until the targeted business stops paying. Additionally, by paying the ransomers, you would be funding their criminal activity and opening up other organisations or individuals to the same risk.

If you find that you’ve been targeted by ransomware, act quickly by following these steps:

Isolate the infected devices or systems

Ransomware gets into a network by infecting a single device or system, but that doesn’t necessarily mean that it remains in that one spot. Ransomware can easily spread through your network. As such, the first thing you need to do when you discover ransomware is to disconnect the infected system and isolate it from contact with the rest of the network. If you are able to do so quickly enough, there’s a small chance that you’ll be able to contain the malware to a single location, making the rest of your job that much easier.

Remove suspicious devices or systems from the network

Much like how firefighters will remove brush and trees from the path of a raging wildfire, you should next take steps to stop any possible ransomware spread by disconnecting and isolating any other systems that might have been exposed. This should include any devices that appear to be behaving abnormally, including those that might not be operating on-premises. Further hinder the spread by shutting down any wireless connectivity options.

Perform damage assessment

With suspicious files isolated away from the network, you now need to assess the extent of the damage. Determine which systems have actually been affected, by looking for recently encrypted files (often with strange extension names). Take a close look at the encrypted shares in each device; if one has more shares than the others, it may be the original point of entry for the ransomware into your network. Turn off these systems and devices and create a complete list of everything that may have been affected (including external hard drives, network storage devices, cloud-based systems, desktops, laptops, mobile devices and anything else capable of running or passing along the ransomware).

Locate the source

As mentioned in the previous point, checking the affected devices for high numbers of encryption shares can help you locate ‘patient zero’. Other methods of locating the source of the ransomware include checking for any antivirus alerts that directly precede the infection, and reviewing any suspicious user action (such as clicking on an unknown link or opening a spam email). One you’ve discovered the source, remediation becomes much easier.

Identify the ransomware

Effectively countering a ransomware attack often depends on your ability to identify exactly what variety of ransomware you’re dealing with. There are a few different ways to identify the ransomware. The note included in the attack (the one telling you were to send money to unlock your files) may actually identify the ransomware directly. You may also be able to search the email address associated with the note to discover what ransomware this particular threat actor is using and what next steps other organisations have taken after being infected. Finally, there are sites and tools available online designed to help identify ransomware types—just be sure to fully research your options before you commit to any; you don’t want to download an untrustworthy tool only to drop more malware into your already-hobbled system.

Contact law enforcement

Once you’ve contained the ransomware, it is now your responsibility to contact law enforcement. In many cases, this goes beyond simple protocol; under the terms of certain data privacy laws, you may be required to file a report within a predetermined amount of time for any data breach your businesses experiences, with failure to do so potentially resulting in fines or other penalties. But even if you don’t have a legal obligation to contact law enforcement, doing so should be a top priority. For one thing, cybercrime agencies will likely have access to better authority, resources and experience in resolving these kinds of issues, and can help your business return to normality more quickly.

Examine backup data

With the fire effectively put out, now is the time to start repairing your systems. Ideally, if you have uncorrupted backup data, you should be able to restore your systems without too much trouble. Double check to make sure that all of your devices are free of ransomware and other forms of malware and then restore your data. Just be aware that modern ransomware attacks often target data backups, so you’ll need to be sure that your data is sound before restoring it.

Search for decryption options

If you don’t have data backup available, or if the data itself has also been corrupted, then your next best option is to try to find a decryption solution. As mentioned before, with some research you may actually be able to find a decryption key online to help you restore access and control.


Whether you restore your devices, find a decryption solution or just accept that your sensitive data is gone for good, your final step will always be the same: Rebuild and move on. In even the best-case scenarios, getting back to pre-attack levels of productivity can be an expensive and time-consuming process. Just make sure that you come away from the experience having gained a better understanding of the threats that face your organisation, and a clearer idea of how to defend yourself against them.

When defending against and responding to ransomware attacks, time may be your most valuable resource. ServiceNow, the leader in IT management and workflow automation, gives you the time you need, with clear, centralised control and monitoring capabilities. Eliminate security weaknesses before they can be exploited, identify suspicious network activity and respond to breaches at a moment’s notice, and more quickly recover from ransomware and other attacks with automated security response solutions. ServiceNow makes it all possible.

Protect your organisation against ransomware and other attack elements with continuous monitoring and an automated response. Learn more about ransomware and see how ServiceNow can help your business handle anything the world may throw your way.

Get started with ServiceNow Governance, Risk, and Compliance

Manage risk and resilience in real time with ServiceNow.

Loading spinner