In September 2023, MGM Resorts watched its slot machines go dark, hotel room keys stop working, and reservation systems crash, all because a threat actor social-engineered the company's help desk with a ten-minute phone call. The attackers deployed ransomware in an incident MGM estimated cost it roughly $100 million in lost revenue and remediation. If you're asking what ransomware is, that single incident tells you almost everything you need to know: it's the fastest way for a criminal to turn your data into their payday.
This post is the guide I wish every business owner, IT manager, and employee would read. I'm going to break down exactly how ransomware works, why it keeps winning, and — most importantly — what you can actually do about it right now in 2024.
What Is Ransomware, Exactly?
Ransomware is malicious software that encrypts your files, locks you out of your own systems, and demands payment — usually in cryptocurrency — for the decryption key. Think of it as a digital hostage situation. Your data is the hostage. The ransom note appears on every screen in your office.
Modern ransomware doesn't just encrypt. Today's variants practice double extortion: they steal your data first, then encrypt it. If you refuse to pay for the decryption key, they threaten to publish your sensitive files on dark web leak sites. Some groups have escalated to triple extortion, adding DDoS attacks or contacting your customers directly to pressure you.
The FBI's Internet Crime Complaint Center (IC3) received 2,825 ransomware complaints in 2023, with adjusted losses exceeding $59.6 million — and that only counts incidents people actually reported. The real number is dramatically higher. You can review their findings in the 2023 FBI IC3 Annual Report.
How Ransomware Gets Inside Your Network
I've responded to dozens of ransomware incidents. In my experience, the initial access almost always traces back to one of three vectors.
Phishing Emails: Still the #1 Door
The Verizon 2023 Data Breach Investigations Report found that 74% of breaches involved a human element, with phishing and pretexting the dominant social engineering patterns. A single employee clicks a malicious attachment or enters credentials on a fake login page, and the attacker has a foothold. From there, lateral movement and privilege escalation happen fast.
This is why phishing awareness training for your organization isn't optional anymore — it's a direct countermeasure to the most common ransomware delivery method.
Exploiting Unpatched Vulnerabilities
The Cl0p ransomware gang exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress MOVEit Transfer in mid-2023, compromising over 2,600 organizations. Progress shipped a patch within days of the first exploitation, but many companies were too slow to apply it. Attackers scan for known vulnerabilities constantly. If your patching cadence is measured in months, you're handing them the keys.
Stolen or Weak Credentials
Credential theft through infostealers, brute-force attacks on exposed RDP ports, and credential stuffing from previous data breaches give attackers legitimate login access. No exploit needed. They just walk in the front door. This is where multi-factor authentication becomes non-negotiable.
The $4.88M Price Tag You Can't Ignore
IBM's Cost of a Data Breach Report 2024 pegged the global average cost of a data breach at $4.88 million. Breaches involving ransomware cost more once you factor in downtime, ransom payments, regulatory fines, and reputational damage.
Here's what actually happens in the days after an attack:
- Day 1-3: Chaos. Systems are down. Nobody knows the blast radius. Employees can't work. Customers can't reach you.
- Day 4-14: Forensics teams work around the clock. You discover the attackers were inside your network for weeks before detonating. Your backups may or may not be intact — ransomware groups specifically target backup systems.
- Day 15-90: Recovery. Rebuilding servers, restoring data, notifying affected individuals, dealing with regulators, and answering hard questions from your board.
Small businesses get hit hardest proportionally. They lack dedicated security teams, often skip security awareness training, and assume they're too small to target. Attackers know this.
The Biggest Ransomware Gangs Operating in 2024
Understanding who's behind these attacks helps you understand the threat landscape.
LockBit
LockBit has been the most prolific ransomware-as-a-service (RaaS) operation for the past two years. In February 2024, an international law enforcement operation called Operation Cronos disrupted LockBit's infrastructure, seizing servers and obtaining decryption keys. But ransomware groups have a track record of rebuilding. Don't assume they're gone.
ALPHV/BlackCat
ALPHV's ransomware was used in the MGM Resorts attack, deployed by an affiliate tracked as Scattered Spider. The group recruits skilled affiliates, provides sophisticated tooling, and targets high-value organizations. The FBI disrupted its operations in December 2023, but, like LockBit, the group attempted to reconstitute almost immediately.
Cl0p
Cl0p specializes in mass exploitation of zero-day vulnerabilities in file transfer software. Their MOVEit campaign was one of the most widespread supply chain attacks in recent memory. They skip the encryption step entirely sometimes, relying purely on data theft and extortion.
Why Paying the Ransom Is Almost Always Wrong
I get it — your business is bleeding, your customers are angry, and someone's offering you the key for $500,000. Here's why paying is a terrible idea in most cases:
- No guarantee of recovery. Decryption tools provided by criminals are buggy. I've seen organizations pay and still lose 20-30% of their data.
- You become a repeat target. Paying signals that you'll pay again. Multiple ransomware groups share victim lists.
- Legal risk. Paying a sanctioned entity can violate OFAC regulations, and OFAC applies strict liability, so not knowing who was behind the attack is no defense. The Treasury Department has made this clear in its ransomware payment advisories.
- It funds more attacks. Every dollar paid funds the next operation against someone else's hospital, school, or small business.
CISA and the FBI consistently advise against paying ransoms. Report the incident to the FBI's IC3 at ic3.gov instead.
How to Defend Against Ransomware: Practical Steps That Work
I'm not going to give you a vague list of buzzwords. These are the specific controls that, in my experience, actually reduce ransomware risk.
1. Train Your People — Seriously
Your employees are your largest attack surface and your best sensor network. Regular, practical security awareness training reduces phishing click rates dramatically. But it has to be ongoing, not a once-a-year checkbox.
Run phishing simulations monthly. Review the results with your team. Make it a conversation, not a punishment. If you need a starting point, cybersecurity awareness training programs can help you build that foundation without reinventing the wheel.
2. Implement Multi-Factor Authentication Everywhere
MFA stops a stolen password from becoming a full network compromise. Enable it on email, VPN, remote desktop, cloud services, and admin accounts. Every single one. Phishing-resistant methods (FIDO2 hardware security keys, passkeys) are best; authenticator apps are acceptable but can be defeated by MFA-fatigue prompts and real-time phishing proxies. SMS-based MFA is better than nothing but vulnerable to SIM swapping.
3. Maintain Offline, Tested Backups
The 3-2-1 rule still holds: three copies of your data, on two different media types, with one stored offline or air-gapped. But here's the part people skip — test your restores regularly. I've seen organizations discover their backups were corrupted only after the ransomware hit. That's a nightmare you can prevent.
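A restore test is only meaningful if you can prove the restored files match what you backed up. The following is an added example, not code from this post: it records a SHA-256 manifest at backup time and compares a restored tree against it, reporting files that are missing, changed, or unexpected. The directory layout and file contents are constructed for illustration; the "restore" is deliberately damaged (one file truncated, one missing) to show what a failed test looks like.

```python
"""Hash-manifest restore test (added example).

At backup time, record the SHA-256 of every file. After a test restore,
rebuild the hashes from the restored tree and diff the two. Keep the
manifest somewhere the backup job cannot overwrite (ideally offline), or
an attacker who reaches the backup target can rewrite both.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's root-relative path (POSIX separators) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Diff a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    changed = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    return {
        "ok": not (missing or changed),
        "missing": missing,
        "changed": changed,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: back up two files, then 'restore' a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"acct,amount\n1001,42.00\n")
        (src / "notes.txt").write_bytes(b"quarterly plan\n")
        manifest = build_manifest(src)  # this is what you store offline

        restored = Path(tmp) / "restored"
        (restored / "finance").mkdir(parents=True)
        # Constructed failure modes: ledger truncated, notes.txt never restored.
        (restored / "finance" / "ledger.csv").write_bytes(b"acct,amount\n")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step as part of every backup job and the verify step against a scheduled restore to scratch storage; a non-empty `missing` or `changed` list is a failed restore test, and that is the result you want to discover before an incident rather than during one.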
4. Patch Aggressively
Prioritize internet-facing systems and anything listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at cisa.gov/known-exploited-vulnerabilities-catalog. If a vulnerability is on that list, threat actors are actively exploiting it, and the catalog flags entries known to have been used in ransomware campaigns. Patch within 48 hours or implement compensating controls.
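Turning that rule into a daily patch queue is a short script. The following is an added example, not from this post or from CISA: it joins a scanner's per-host findings against a KEV-shaped catalog and orders the work by ransomware use, internet exposure, and how far past the 48-hour deadline each item is. The catalog excerpt mirrors the field names of CISA's published KEV JSON feed, but its values were typed in for illustration and are not authoritative; the hostnames and the 48-hour SLA are assumptions.

```python
"""KEV-driven patch triage (added example).

Joins a host inventory against an excerpt shaped like CISA's KEV JSON feed
and ranks the open items. Ordering: known ransomware use first, then
internet-facing hosts, then the most overdue against an internal SLA.
"""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the KEV feed; values illustrative only.
KEV_EXCERPT = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
   "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
   "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2023-20198", "vendorProject": "Cisco", "product": "IOS XE Web UI",
   "dateAdded": "2023-10-16", "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed inventory: hypothetical hosts and what a scanner reported on each.
INVENTORY = [
    {"host": "dmz-ftp01", "cve": "CVE-2023-34362", "internet_facing": True},
    {"host": "app-srv03", "cve": "CVE-2021-44228", "internet_facing": False},
    {"host": "edge-rtr01", "cve": "CVE-2023-20198", "internet_facing": True},
    {"host": "build01", "cve": "CVE-2023-34362", "internet_facing": False},
]


def index_kev(catalog: dict) -> dict:
    """cveID -> catalog entry, for O(1) lookups while walking the inventory."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def prioritize(inventory: list, catalog: dict, today: date, sla_days: int = 2) -> list:
    """Return inventory items that are on KEV, ranked for patching.

    sla_days is the internal deadline (48 hours here) measured from the date
    CISA added the entry; the catalog's own dueDate is carried along for
    reference but is a federal deadline, not a target for everyone else.
    """
    kev = index_kev(catalog)
    rows = []
    for item in inventory:
        entry = kev.get(item["cve"])
        if entry is None:
            continue  # not known-exploited: falls under the normal patch cadence
        deadline = date.fromisoformat(entry["dateAdded"]) + timedelta(days=sla_days)
        rows.append({
            "host": item["host"],
            "cve": item["cve"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "internet_facing": item["internet_facing"],
            "deadline": deadline.isoformat(),
            "days_overdue": (today - deadline).days,
            "cisa_due": entry["dueDate"],
        })
    # False sorts before True, hence the negations: ransomware and exposed first.
    rows.sort(key=lambda r: (not r["ransomware"], not r["internet_facing"], -r["days_overdue"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(INVENTORY, KEV_EXCERPT, date(2024, 3, 1)):
        print(json.dumps(row))
```

In production, replace `KEV_EXCERPT` with the JSON feed CISA publishes alongside the catalog and `INVENTORY` with your scanner's export; anything the script omits is still a vulnerability, just not one with confirmed in-the-wild exploitation.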
5. Segment Your Network
Flat networks are a gift to ransomware operators. Once they compromise one machine, they move laterally until they own your domain controller. Network segmentation limits blast radius. Zero trust architecture takes this further by verifying every access request regardless of network location.
6. Deploy Endpoint Detection and Response (EDR)
Traditional antivirus isn't enough. EDR tools detect behavioral anomalies — like mass file encryption — and can isolate infected endpoints automatically. Make sure your EDR is monitored 24/7, either by your team or a managed detection and response provider.
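To make the "behavioral anomaly" idea concrete, here is an added example (not from this post or any vendor's product) of the kind of logic an EDR applies: for each process, count the distinct files it rewrote in a sliding 60-second window with either a changed extension or high-entropy content, and alert when that count crosses a threshold. The file events, process names, paths, and thresholds are all constructed for illustration; a real sensor would source these from a filesystem minifilter or similar, and would tune the numbers against its own baseline.

```python
"""Toy mass-encryption detector (added example).

Signals used: many distinct files touched by one process in a short window,
each write either changing the file extension or carrying near-random
(high-entropy) content. Archivers and backup agents are included in the
sample stream to show why both the count and the per-file test matter.
"""
import math
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window per process
MIN_FILES = 20           # distinct suspicious files before alerting
HIGH_ENTROPY = 7.0       # bits/byte; documents and source are usually well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(ev: dict) -> bool:
    """A single event is suspicious if the extension changed or content is random-looking."""
    old = ev.get("old_path")
    ext_changed = old is not None and os.path.splitext(old)[1] != os.path.splitext(ev["path"])[1]
    return ext_changed or shannon_entropy(ev["data"]) >= HIGH_ENTROPY


def detect(events: list) -> list:
    """Alert once per process whose suspicious-file count in WINDOW_SECONDS hits MIN_FILES."""
    recent = defaultdict(deque)   # (pid, proc) -> deque of (t, path) in window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["t"]):
        if not looks_encrypted(ev):
            continue
        key = (ev["pid"], ev["proc"])
        q = recent[key]
        q.append((ev["t"], ev["path"]))
        while q and ev["t"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= MIN_FILES and key not in alerted:
            alerted.add(key)
            alerts.append({"pid": ev["pid"], "proc": ev["proc"], "files": len(touched),
                           "first_seen": q[0][0], "sample": sorted(touched)[:3]})
    return alerts


# Constructed payloads: a byte-permutation blob has exactly 8.0 bits/byte; the
# plaintext has far less. Real ransomware output is statistically similar to the blob.
ENCRYPTED_BLOB = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly revenue figures, see attached sheet.\n" * 20


def sample_events() -> list:
    """Constructed event stream: one ransomware-like process and two benign ones."""
    events = []
    # Hypothetical ransomware process: 30 documents rewritten and renamed within 20 s.
    for i in range(30):
        events.append({"t": 100 + i * 0.6, "pid": 4321, "proc": "svchost_updt.exe",
                       "old_path": f"C:/Shares/finance/doc{i}.docx",
                       "path": f"C:/Shares/finance/doc{i}.docx.locked", "data": ENCRYPTED_BLOB})
    # Benign backup agent: many files, but plaintext content and unchanged extension.
    for i in range(40):
        events.append({"t": 100 + i * 0.5, "pid": 777, "proc": "backup-agent.exe",
                       "old_path": None, "path": f"D:/Backup/finance/doc{i}.docx", "data": PLAINTEXT})
    # Benign archiver: high-entropy output, but only three files.
    for i in range(3):
        events.append({"t": 150 + i, "pid": 900, "proc": "archiver.exe",
                       "old_path": None, "path": f"C:/Users/a/archive{i}.7z", "data": ENCRYPTED_BLOB})
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The two benign processes show the false-positive traps: a backup agent touches as many files as the ransomware but writes recognisable content, and an archiver writes random-looking bytes but to a handful of files. Requiring both volume and a per-file signal is what lets an EDR isolate the host on the first alert rather than waiting for a human.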
7. Disable Unnecessary Remote Access
Exposed RDP is one of the most common ransomware entry points. If you don't need it, turn it off. If you do need remote access, put it behind a VPN with MFA. Audit your external attack surface quarterly.
What to Do If You're Hit: The First 60 Minutes
Your incident response plan should already exist before you need it. But here's the critical sequence:
- Isolate affected systems immediately. Disconnect them from the network. Don't power them off — you'll lose forensic evidence in memory.
- Activate your incident response team. If you don't have one internally, have a retainer agreement with a firm already in place.
- Preserve evidence. Don't start restoring from backups until forensics has identified the scope and entry point.
- Notify leadership and legal counsel. Breach notification requirements vary by state and industry. Your legal team needs to be involved from minute one.
- Report to law enforcement. File with the FBI IC3. They may have decryption keys or intelligence on the specific group targeting you.
Ransomware Is a Business Model — Treat Your Defense Like One
The uncomfortable truth about ransomware in 2024 is that it's a mature, profitable business. These aren't lone hackers in basements. They're organized operations with HR departments, bug bounty programs, and customer service portals for their victims.
You can't fight a business model with hope. You fight it with preparation, layered defenses, trained employees, and tested response plans.
If you're reading this and thinking your organization isn't ready, you're probably right. The good news is that every step you take — from deploying MFA to running your first phishing simulation — meaningfully reduces your risk. Start today. The threat actors already have.