The Cyber Academy take
Ransomware is the malware class that encrypts data and demands payment for the key, often paired with data theft and extortion (double extortion). Attack vectors: phishing, internet-facing exposure, supply chain. Insurance pays less, regulators scrutinise more. Pre-event work (backups, segmentation, IR plan) determines the outcome, not the negotiation.
What ransomware actually is, and why the encryption is the easy part
Ransomware is malware that takes something you need and makes you pay to get it back. The classic mechanism is encryption: the malware scrambles files on the systems it reaches and offers the decryption key in exchange for a payment, usually in cryptocurrency. But treating ransomware as an encryption problem misses what makes it so damaging. The encryption is the visible symptom of an intrusion that has often been running for days or weeks. Before any file is locked, an attacker typically gained an initial foothold, escalated privileges, moved laterally across the network, located the systems that matter, and frequently copied the data out. The lock at the end is simply the moment the operator decides to convert that access into money.
That sequence is why the worst ransomware events are no longer just about encrypted files. Operators learned that a victim with good backups could refuse to pay and restore, so they added a second lever: steal the data first, then threaten to publish it. This is double extortion, and it changes the calculus entirely. Even an organisation that restores cleanly from backup still faces the prospect of confidential data, customer records or contracts being leaked on a public site. Some groups go further with additional pressure, contacting customers or regulators directly, or layering on denial of service. The negotiation, when there is one, is not really about a decryption key. It is about whether stolen data stays private.
How it gets in, and why the regulator now cares
The way in is rarely exotic. The dominant vectors are the unglamorous ones: a phishing email that delivers a loader or harvests credentials, an internet-facing service left exposed or unpatched, a weak or reused remote access password, and the supply chain, where a trusted vendor or piece of software becomes the path onto your network. None of this requires a novel exploit. It requires one open door, which is why exposure management and identity hygiene do more to reduce ransomware risk than any single product.
A ransomware event is now a regulatory event, not only a technical one. Because the attack almost always involves theft of data, it usually triggers personal data breach obligations under the GDPR, which means a notification assessment to the supervisory authority and, in serious cases, to the people affected. Operators of essential and important services face overlapping incident reporting duties under the NIS2 directive. National agencies such as ANSSI and ENISA publish guidance precisely because the same playbook keeps working. The practical consequence for a risk function is that the response plan must include the legal and notification track from the first hour, run in parallel with the technical recovery, not bolted on afterwards.
The outcome is decided before the attack, not during the ransom note
The single most important idea for practitioners is that the result of a ransomware event is largely determined by work done long before it happens. An organisation that can restore quickly from clean, tested, offline or immutable backups can refuse to pay for a key. One whose backups were reachable from the same network, and therefore encrypted alongside everything else, has no such option. Network segmentation limits how far an intrusion can spread before it reaches the systems that matter. Strong authentication on remote access and email closes the most common front doors. Detection that catches lateral movement buys the hours that separate a contained incident from an enterprise-wide encryption event.
What competent teams actually do, then, is invest in the pre-event posture rather than in negotiation skill. They keep backups that are isolated from the production domain, encrypted at rest, and restored on a schedule so that recovery is proven rather than assumed. They segment networks so that one compromised workstation cannot reach the backup server or the domain controllers unimpeded.
They maintain an incident response plan that names roles, decision-makers, external forensics and legal counsel, and the notification path, and they rehearse it. This is where ransomware connects directly to business continuity management and disaster recovery: the recovery time and recovery point an organisation can actually achieve, tested against a realistic scenario, is the difference between a bad week and an existential one.
Frequently asked questions
01What is double extortion in ransomware?
Double extortion is when attackers steal data before encrypting it, then threaten to publish or sell the stolen data as well as withholding the decryption key. It defeats the backup defence: even a victim who restores cleanly still faces the leak of confidential data, which is why the pressure is no longer only about getting files back.
02Should we pay the ransom?
That is a legal and risk decision, not a technical one, and it should be taken with counsel. Payment may yield a key but does not undo the data breach or its notification duties, the data may be leaked anyway, and paying a sanctioned entity carries its own legal exposure. Most agencies, including ANSSI, advise against paying.
03Do backups make us safe from ransomware?
Good backups are the strongest single defence, but only if they are isolated, immutable or offline, and regularly tested by actual restore. Backups reachable from the production network are routinely encrypted in the same attack. And against double extortion, backups let you recover but do not prevent the leak of stolen data.
04Is a ransomware attack a reportable data breach?
Usually yes. Because modern ransomware almost always involves data theft, it typically triggers personal data breach obligations under the GDPR and, for essential and important entities, incident reporting under NIS2. The notification assessment should start in the first hour, in parallel with technical recovery.
05How does ransomware usually get into an organisation?
Through ordinary doors: phishing that delivers malware or steals credentials, internet-facing systems that are exposed or unpatched, weak or reused remote access passwords, and the supply chain. It rarely needs a novel exploit, which is why identity hygiene and exposure management reduce risk more than any single tool.