In February 2022, Nvidia — one of the largest chip manufacturers on the planet — confirmed it was hit by a ransomware attack. The threat actor group Lapsus$ claimed they stole over a terabyte of proprietary data and began leaking employee credentials and source code. If a company with Nvidia's resources can get caught off guard, your organization needs to take ransomware seriously — not as an abstract concept, but as an operational threat that could shut your business down tomorrow.
This post breaks down exactly how ransomware works, what it costs, who it targets, and the specific steps I've seen actually prevent infections. No theory. No fluff. Just the practical guidance your team needs right now.
What Is Ransomware, Exactly?
Ransomware is malicious software that encrypts your files, locks you out of your own systems, and demands payment — usually in cryptocurrency — for a decryption key. Some variants also steal data before encrypting it, giving attackers a second lever: pay up, or we publish everything.
This double-extortion tactic has become the norm. Groups like Conti, REvil, and LockBit now routinely exfiltrate sensitive data before deploying encryption. That means even if you have perfect backups, you still face the risk of a devastating data breach.
The concept has been around since the late 1980s, but modern ransomware is a different animal entirely. Today's attacks are operated by sophisticated threat actor groups that run helpdesks, negotiate payments, and operate affiliate programs like legitimate businesses.
The $20 Billion Problem You Can't Ignore
Cybersecurity Ventures estimated that ransomware damages reached $20 billion globally in 2021. That figure has more than doubled since 2019. The FBI's Internet Crime Complaint Center (IC3) received 3,729 ransomware complaints in 2021 alone, with adjusted losses exceeding $49 million — and that only counts reported incidents. The real number is vastly higher.
The FBI IC3 2021 Internet Crime Report flagged ransomware as one of the top escalating threats, noting that 14 of the 16 U.S. critical infrastructure sectors had at least one member fall victim.
And here's what the raw numbers don't capture: downtime. IBM's 2021 Cost of a Data Breach Report pegged the average cost of a ransomware breach at $4.62 million. That includes forensics, recovery, lost business, and regulatory fines. For a mid-size company, that can be existential.
How Ransomware Actually Gets In
Phishing: Still the #1 Entry Point
I've investigated dozens of ransomware incidents over the years, and the vast majority start the same way: someone clicks a link or opens an attachment in a phishing email. The Verizon 2021 Data Breach Investigations Report found that phishing was present in 36% of breaches — up from 25% the year prior.
A single employee opening a weaponized Excel file can give an attacker initial access. From there, they move laterally, escalate privileges, disable security tools, and deploy ransomware across every system they can reach. The entire kill chain — from that first click to full encryption — sometimes takes less than 24 hours.
This is why phishing awareness training for organizations isn't optional anymore. It's the single most cost-effective control against the most common ransomware delivery method.
Exploited Vulnerabilities and Remote Access
Phishing isn't the only door. Threat actors actively scan for unpatched systems — especially VPNs, remote desktop protocol (RDP) endpoints, and internet-facing servers. The Kaseya VSA attack in July 2021 exploited a zero-day vulnerability to push REvil ransomware to hundreds of managed service providers and their downstream customers simultaneously.
Exposed RDP remains a favorite. Attackers buy stolen credentials on dark web marketplaces or brute-force weak passwords. Once they're in, they own your network.
Supply Chain Attacks
The Kaseya incident wasn't an anomaly — it was a preview. Attackers increasingly target software vendors and service providers to reach hundreds or thousands of victims through a single compromise. If your vendor gets hit, you get hit.
Who Gets Targeted? Everyone.
There's a dangerous misconception that ransomware only targets large enterprises. The data tells a different story. According to CISA's Stop Ransomware initiative, ransomware groups increasingly target small and mid-sized businesses, hospitals, school districts, local governments, and nonprofits — organizations with weaker defenses and more pressure to pay.
In 2021, the Colonial Pipeline attack disrupted fuel supply across the U.S. East Coast. The attack on Ireland's Health Service Executive crippled the country's healthcare system for weeks. JBS, the world's largest meat processor, paid $11 million after a REvil attack threatened global food supply chains.
These aren't edge cases. They're the new normal. And if you think your organization is too small to be a target, understand this: many ransomware operations are automated. They don't care how big you are. They care how vulnerable you are.
What Happens During a Ransomware Attack
Here's what actually happens when ransomware hits, based on incidents I've worked firsthand:
- Initial access: An employee falls for a phishing email, or an attacker exploits an unpatched VPN. A foothold is established.
- Reconnaissance and lateral movement: The attacker maps your network, identifies high-value systems, locates backup servers, and harvests credentials. Tools like Cobalt Strike, Mimikatz, and PowerShell scripts are common.
- Data exfiltration: Before encrypting anything, the attacker copies sensitive data to external servers. This is the double-extortion setup.
- Privilege escalation: The attacker gains domain admin rights. They disable antivirus, delete shadow copies, and neutralize endpoint detection tools.
- Deployment: Ransomware is pushed to every reachable system — workstations, servers, backups. Encryption happens fast, often in the middle of the night or on a weekend.
- Ransom note: You see a demand. A timer. A threat. Pay in Bitcoin within 72 hours, or the price doubles and your data gets published.
The entire sequence often unfolds over days or weeks, with the final encryption phase taking just hours. Most victims had no idea anyone was inside their network until the ransom note appeared.
Should You Pay the Ransom?
The FBI's official guidance is clear: don't pay. Payment funds criminal operations, encourages more attacks, and doesn't guarantee you'll get your data back. A 2021 Cybereason survey found that 80% of organizations that paid a ransom were hit again — sometimes by the same group.
But I've also been in rooms where executives face an impossible choice: pay $500,000 or watch the company go under. There's no easy answer when patient records, payroll data, or years of intellectual property are locked.
The real answer is to never be in that room in the first place. That starts with prevention, detection, and response — not reaction.
7 Practical Steps to Defend Against Ransomware
1. Train Your People — Continuously
Security awareness training isn't a once-a-year checkbox. Your employees are your first line of defense against social engineering, credential theft, and phishing — the primary ransomware delivery mechanisms. Run phishing simulations monthly. Make training short, frequent, and relevant. Start with a comprehensive cybersecurity awareness training program that covers the threats your team actually faces.
2. Implement Multi-Factor Authentication Everywhere
Multi-factor authentication (MFA) stops the vast majority of credential-based attacks cold. Enable it on email, VPN, RDP, admin consoles, cloud services — everything. If an attacker steals a password but can't bypass MFA, they're stuck at the gate.
3. Patch Fast and Patch Often
The Kaseya and Microsoft Exchange (ProxyLogon) attacks both exploited known vulnerabilities. Patch management isn't glamorous, but it eliminates the attack surface that ransomware groups actively scan for. Prioritize internet-facing systems, VPNs, and anything with a known exploit in the wild.
4. Segment Your Network
A flat network is a ransomware operator's dream. If one compromised workstation can reach your domain controller, backup servers, and financial systems, you've already lost. Network segmentation limits lateral movement and contains the blast radius of an incident.
5. Maintain Offline, Tested Backups
Backups are your last line of defense — but only if they work. Follow the 3-2-1 rule: three copies, two different media types, one stored offline or air-gapped. Test restores regularly. I've seen organizations discover during an active incident that their backups were corrupt or — worse — encrypted alongside everything else because they were on the same network.
6. Deploy Endpoint Detection and Response (EDR)
Traditional antivirus is not enough. Modern EDR solutions detect suspicious behaviors — like mass file encryption or credential dumping — and can automatically isolate compromised endpoints before ransomware spreads. If you're still running signature-based AV alone, you're bringing a knife to a gunfight.
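To make "suspicious behaviors" concrete, here is an added example (my own illustration, not code from the post or from any EDR product) of two detection rules run over constructed EDR-style telemetry: the shadow-copy deletion from the privilege-escalation step described earlier, and the burst of file renames that mass encryption produces. The event layout, host name, PIDs and the .locked extension are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR-style telemetry (not real logs): one workstation, a shadow-copy
# deletion, an ordinary editor, and a process renaming 40 files in under a minute.
EVENTS = [
    {"ts": "2022-03-01T02:10:01", "type": "process", "host": "ws-017", "pid": 4412,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2022-03-01T02:10:05", "type": "process", "host": "ws-017", "pid": 4418,
     "cmd": "notepad.exe report.docx"},
] + [
    {"ts": f"2022-03-01T02:11:{i:02d}", "type": "file", "host": "ws-017", "pid": 4420,
     "path": f"C:\\Share\\doc{i}.xlsx", "renamed_to": f"C:\\Share\\doc{i}.xlsx.locked"}
    for i in range(40)
] + [
    {"ts": "2022-03-01T02:12:30", "type": "file", "host": "ws-017", "pid": 4418,
     "path": "C:\\Users\\a\\report.docx", "renamed_to": None},
]

# Rule 1: shadow-copy deletion (the "delete shadow copies" step); every marker must appear.
SHADOW_DELETE_MARKERS = ("vssadmin", "delete shadows")

def detect_shadow_copy_deletion(events):
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        cmd = e["cmd"].lower()
        if all(marker in cmd for marker in SHADOW_DELETE_MARKERS):
            hits.append((e["host"], e["pid"], e["cmd"]))
    return hits

# Rule 2: "mass file encryption" as seen from the filesystem: one process renaming
# at least `threshold` files within any `window_s`-second sliding window.
def detect_mass_rename(events, threshold=30, window_s=60):
    per_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file" and e.get("renamed_to"):
            per_proc[(e["host"], e["pid"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (host, pid), times in per_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_s):
                start += 1  # slide the window forward past stale events
            if end - start + 1 >= threshold:
                alerts.append((host, pid, end - start + 1))
                break  # one alert per process is enough to trigger isolation
    return alerts
```

Rule 2 is the behavioral check that signature-based AV lacks: it keys on what a process does to files, not on what the binary looks like, so a previously unseen variant still trips it.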
7. Adopt Zero Trust Principles
Zero trust means never assuming any user, device, or network segment is inherently trusted. Verify every access request. Enforce least-privilege access. Monitor everything. NIST Special Publication 800-207 provides a solid framework for implementing zero trust architecture — and it's directly relevant to ransomware defense because it limits what an attacker can do even after gaining initial access.
What to Do If You're Already Hit
If you suspect a ransomware infection, act immediately:
- Isolate affected systems. Disconnect them from the network. Don't power them off — you may destroy forensic evidence.
- Notify your incident response team. If you don't have one, engage a reputable IR firm immediately.
- Contact the FBI. File a report at ic3.gov. Federal agencies can sometimes provide decryption keys or intelligence on the threat actor.
- Don't communicate with the attacker on compromised systems. They may be monitoring your email and chat.
- Preserve evidence. Logs, ransom notes, and encrypted file samples are critical for investigation and potential law enforcement action.
- Assess data exposure. If data was exfiltrated, you likely have breach notification obligations under state and federal law.
Ransomware Isn't Going Away — But You Can Be Ready
Every week in 2022, I'm seeing new ransomware variants, new extortion tactics, and new victim organizations that thought it couldn't happen to them. The threat is evolving faster than most defenses.
But the fundamentals still work. Train your people relentlessly. Patch your systems. Enforce MFA. Segment your networks. Test your backups. These aren't aspirational goals — they're baseline survival requirements.
If your organization hasn't invested in security awareness training yet, start now. Build a culture where every employee recognizes a phishing email, questions unexpected attachments, and reports suspicious activity without hesitation. That single shift in behavior can stop a ransomware attack before it ever reaches your systems.
The question isn't whether a threat actor will target your organization. It's whether you'll be ready when they do.