What is Ransomware
In May 2017, the WannaCry outbreak forced the world to pay attention to ransomware in a way few cyber incidents ever had. One of the most frustrating takeaways: the worm exploited a Windows vulnerability that already had a security patch available—yet many organisations hadn’t applied it. Microsoft released the MS17-010 fix on 14 March 2017, and the WannaCry outbreak began 12 May 2017.
Fast-forward to today: ransomware hasn’t gone away—it has evolved. Modern attacks are often faster, more targeted, and more damaging because criminals frequently steal data before encrypting it and threaten to publish it if you don’t pay (so-called double extortion).
This guide explains what ransomware is, how it spreads, what to do if you’re hit, and how to build a ransomware-resilient organisation.
What is ransomware?
Ransomware is malicious software that locks you out of your own data or systems, usually by encrypting files, and demands a payment (typically in cryptocurrency) in return for restoring access. Common targets include:
- Business networks (file servers, identity systems, backups)
- Cloud services (email tenants, storage buckets, SaaS platforms)
- Critical services (healthcare, education, legal, manufacturing)
Ransomware today: it’s not just encryption anymore
A typical modern ransomware operation may include:
- Data theft (exfiltration) before encryption
- Leak sites that publish victims and countdown timers
- Multiple pressure tactics (legal threats, customer notification threats, DDoS threats)
- A criminal “supply chain”: ransomware-as-a-service (RaaS), affiliates, money laundering, and “initial access brokers” that sell stolen access
How ransomware gets in: the most common entry points
While details vary, most ransomware attacks begin with one of a few repeatable patterns.
1) Phishing and social engineering
Attackers trick users into clicking malicious links, opening attachments, or entering credentials into fake login pages. This remains one of the most common starting points.
2) Stolen credentials and weak identity controls
If attackers obtain valid usernames/passwords (often from prior data breaches), they can log in “normally.” Weak MFA, poor help-desk verification, or password reuse amplifies the risk.
3) Unpatched vulnerabilities
WannaCry is the classic example: exploitation of a widely known issue, combined with slow patching.
In 2025–2026, ransomware groups still aggressively exploit newly disclosed vulnerabilities to gain entry quickly.
4) Remote access exposure
Misconfigured remote desktop services, poorly secured VPNs, and exposed management ports remain common pathways—especially for small-to-mid sized organisations.
5) Supply chain and third-party compromise
Attackers increasingly target vendors (IT providers, contact centres, outsourced service desks) because one compromise can unlock many downstream victims.
What happens during a ransomware attack (the typical lifecycle)
Understanding the attacker’s workflow helps you build the right defences.
- Initial access (phish, exploit, stolen credentials)
- Privilege escalation (admin rights, domain access)
- Discovery (finding servers, backups, sensitive data, security tools)
- Lateral movement (spreading across systems)
- Disabling protections (security agents, backups, shadow copies)
- Encryption and extortion (ransom note, deadlines, leak threats)
Modern groups aim for speed and scale. Some can move from initial access to enterprise-wide disruption in hours, not days.
How to protect your organisation from ransomware (practical, modern controls)
The goal is not one magic product. The goal is layers—so that a single mistake doesn’t become a total outage.
1) Build resilience with backups you can actually restore
Backups are still one of the strongest “anti-ransom” controls—when they’re designed well and tested.
A strong backup program includes:
- At least one offline/immutable backup copy (not directly accessible from normal admin accounts)
- Regular restore tests (quarterly at minimum for critical systems)
- Separate credentials and segmented access for backup infrastructure
- Clear RTO/RPO targets so you know what “recovery” really means
ACSC guidance emphasises careful restoration—only restore from backups if you’re confident they’re clean.
2) Patch fast—especially externally exposed systems
Ransomware authors love known vulnerabilities because they’re repeatable and scalable. WannaCry’s MS17-010 story remains a cautionary tale.
Minimum standard:
- Maintain an asset inventory (you can’t patch what you don’t know you have)
- Prioritise “internet-facing” systems
- Patch or mitigate critical vulns quickly (days, not weeks)
- Retire unsupported systems wherever possible
3) Strengthen identity: MFA, least privilege, and admin separation
Identity is often the real battleground.
Do this:
- Enforce MFA everywhere possible (email, VPN, remote access, admin consoles)
- Use separate admin accounts (no email or web browsing on admin identities)
- Reduce standing privileges (just-in-time access where possible)
- Lock down help-desk reset processes (verification, callbacks, anti-sim-swap checks)
4) Segment your network so one breach doesn’t become many
Flat networks help ransomware spread.
Practical segmentation includes:
- Separate user networks from servers
- Restrict server-to-server communication to what’s required
- Isolate backup systems and admin tools
- Use application allowlists for critical servers where feasible
5) Improve email and web controls (reduce the click risk)
- Advanced phishing protection (link rewriting, attachment sandboxing)
- Block executable attachments and risky macro content where possible
- DMARC/SPF/DKIM properly configured
- User reporting button (“Report Phish”) with rapid triage
6) Deploy detection and response capability (EDR + logging)
Prevention will never be perfect. You need visibility.
Minimum expectations:
- Endpoint Detection & Response (EDR) on servers and endpoints
- Centralised logs (SIEM or equivalent)
- Alerts for suspicious behaviour (mass file changes, credential dumping patterns, unusual admin activity)
Microsoft’s ransomware incident response playbook highlights containment and post-incident hardening as critical to reducing repeat attacks.
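As an added illustration of the "alerts for suspicious behaviour" point above (example code, not from the original page or any particular EDR product), the following Python script runs three simple detection rules over constructed endpoint telemetry: process command lines that delete shadow copies, backup catalogs or boot recovery options; a burst of file modifications from one account on one host within a short window; and a dropped file whose name looks like a ransom note. The log format, hostnames, account names, thresholds and every sample event are assumptions made for the example. In practice the same rules would be written in your SIEM or EDR query language against real process-creation and file-write events, and tuned against your own baseline.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Command lines that remove the victim's own recovery options (a common pre-encryption step).
BACKUP_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]
# File names typical of dropped ransom notes (text/HTML files named "how to decrypt", "readme", ...).
RANSOM_NOTE = re.compile(r"(readme|how[_ -]?to|restore|recover|decrypt)[^\\/]*\.(txt|hta|html?)$", re.I)


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    evidence: str


def parse_line(line):
    """Assumed log format: '<iso-timestamp> <host> <user> <event> <detail...>'."""
    ts, host, user, event, detail = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, user, event, detail


def detect(lines, window=timedelta(seconds=60), threshold=30):
    """Run the three rules over an iterable of log lines and return the alerts raised."""
    alerts = []
    recent = defaultdict(deque)   # (host, user) -> timestamps of file_mod events inside the window
    burst_alerted = set()         # raise the mass-modification alert once per (host, user)
    for line in lines:
        if not line.strip():
            continue
        ts, host, user, event, detail = parse_line(line)
        if event == "proc":
            if any(p.search(detail) for p in BACKUP_TAMPER):
                alerts.append(Alert("backup_tamper", host, user, detail))
        elif event == "file_mod":
            if RANSOM_NOTE.search(detail):
                alerts.append(Alert("ransom_note", host, user, detail))
            key = (host, user)
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # sliding window: drop events older than `window`
                q.popleft()
            if len(q) >= threshold and key not in burst_alerted:
                burst_alerted.add(key)
                alerts.append(Alert("mass_file_modification", host, user,
                                    f"{len(q)} file changes in {window.seconds}s"))
    return alerts


def sample_events():
    """Constructed telemetry: ordinary user activity, then a wipe-recovery-and-encrypt sequence."""
    lines = [
        "2025-06-01T09:00:01 ws01 alice proc C:\\Windows\\System32\\notepad.exe",
        "2025-06-01T09:00:05 ws01 alice file_mod D:\\finance\\q1.xlsx",
        "2025-06-01T09:15:00 ws01 alice file_mod D:\\finance\\q2.xlsx",
        "2025-06-01T10:30:00 srv01 svc_backup proc vssadmin.exe delete shadows /all /quiet",
        "2025-06-01T10:30:01 srv01 svc_backup proc wbadmin.exe delete catalog -quiet",
        "2025-06-01T10:30:02 srv01 svc_backup proc bcdedit.exe /set {default} recoveryenabled no",
    ]
    # Forty share files rewritten with a new extension within about four seconds.
    for i in range(40):
        lines.append(f"2025-06-01T10:30:{5 + i // 10:02d}.{(i % 10) * 100:03d} srv01 svc_backup "
                     f"file_mod E:\\shares\\hr\\doc{i}.docx.locked")
    lines.append("2025-06-01T10:30:09 srv01 svc_backup file_mod E:\\shares\\hr\\HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"{a.rule:24} {a.host}/{a.user}: {a.evidence}")
```

The first rule is the cheapest and highest-value: legitimate administrators almost never run `vssadmin delete shadows` from a backup service account at 10:30 on a weekday, so it can page someone immediately. The burst rule needs tuning per environment (a build server or a nightly batch job will trip a naive threshold), which is why the window and threshold are parameters rather than constants.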
7) Train employees—but make it real-world
Security awareness works best when it’s specific:
- Short simulations based on your real threats
- Teach staff what “urgent invoice,” “password reset,” and fake login pages look like
- Reinforce: if something feels off, report it quickly
8) Use a recognised framework to make it measurable
What to do when you’re hit: a ransomware response checklist
If you suspect ransomware, speed matters—but so does discipline.
Step 1: Don’t panic—start recording facts immediately
Capture:
- Time you noticed it
- Screenshots of the ransom note
- Affected devices, accounts, and systems
- Any suspicious emails or logins
- Any unusual admin activity
ACSC’s “Report and recover from ransomware” guidance explicitly recommends recording details early.
Step 2: Contain the spread
- Isolate impacted machines from the network (disconnect cable/Wi-Fi)
- Block known malicious IPs/domains (if available)
- Temporarily disable compromised accounts
- Consider pausing file shares if encryption is actively spreading
Step 3: Engage experts (internal + external) and activate your incident plan
- Call your cybersecurity provider / incident response partner
- Notify executive leadership and legal counsel
- Trigger your cyber insurance notification process (if applicable)
Australia: If you need immediate assistance, ACSC provides a 24/7 hotline: 1300 CYBER1 (1300 292 371).
Step 4: Preserve evidence (don’t wipe too early)
Before reimaging systems, capture:
- Memory and disk images for key systems (if you have capability)
- EDR telemetry and log exports
- Firewall/VPN/authentication logs
- Copies of ransom notes and file extensions
This evidence helps determine how they got in—and prevents a repeat incident.
Step 5: Determine scope and “blast radius”
Questions to answer quickly:
- Which systems are encrypted?
- Did they exfiltrate data?
- Are backups affected?
- Is identity (AD / Entra ID) compromised?
- Are cloud services affected?
- Is the attacker still present?
Step 6: Eradicate the attacker’s access
Encryption is often the end of the attack chain, not the beginning.
Common remediation actions:
- Reset passwords (starting with privileged accounts)
- Rotate API keys and service credentials
- Close exploited vulnerabilities and exposed ports
- Remove persistence mechanisms (scheduled tasks, rogue admin accounts, remote tools)
Step 7: Restore safely (and test as you go)
Only restore from backups once you’re confident:
- Malware is removed
- Persistence is gone
- Backups are not contaminated
ACSC’s emergency response guidance warns against reconnecting backups to infected systems too early.
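Both the "regular restore tests" item in the backup section and Step 7's "backups are not contaminated" check come down to the same question: does what you restored match what you backed up? The following added example (not from the original page or any backup product) records a SHA-256 manifest of a file tree at backup time and compares a restored tree against it, reporting files that are missing, modified (for instance encrypted in place) or unexpected (such as a dropped ransom note). The directory tree, file names and contents are constructed inside a temporary directory for the example; in a real program the manifest would be generated by the backup job and stored alongside the offline or immutable copy, out of reach of the accounts that can touch production.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest and size."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = {"sha256": digest, "size": path.stat().st_size}
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    modified = sorted(p for p in manifest if p in actual and actual[p]["sha256"] != manifest[p]["sha256"])
    return {"missing": missing, "modified": modified, "extra": extra,
            "ok": not (missing or modified or extra)}


def demo():
    """Constructed scenario: back up a small tree, restore it cleanly, then show a contaminated restore."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        for d in (source, restored):
            (d / "finance").mkdir(parents=True)
        files = {"finance/q1.xlsx": b"quarterly numbers", "policy.docx": b"acceptable use policy"}
        for name, data in files.items():
            (source / name).write_bytes(data)
            (restored / name).write_bytes(data)      # a faithful restore
        manifest = build_manifest(source)            # would be written at backup time
        clean = verify_restore(manifest, restored)

        # Simulate restoring from a contaminated copy: one file encrypted in place,
        # a ransom note dropped, one file lost.
        (restored / "finance/q1.xlsx").write_bytes(b"\x00encrypted")
        (restored / "HOW_TO_DECRYPT.txt").write_bytes(b"pay us")
        (restored / "policy.docx").unlink()
        tampered = verify_restore(manifest, restored)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore ok:", clean["ok"])
    print("contaminated restore:", {k: v for k, v in tampered.items() if k != "ok"})
```

A manifest check confirms integrity, not cleanliness: a backup taken after the intruder arrived will verify perfectly and still contain their persistence. Pair it with the timeline from Step 5 so you restore from a point before initial access, and keep the manifest itself in the immutable store so an attacker who reaches the backup system cannot rewrite both the data and the record of what the data should be.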
Step 8: Communicate and report
- Prepare internal comms to staff (clear do/don’t guidance)
- Notify customers/partners if necessary (legal guidance required)
- Report to relevant authorities
Australia: ransom payment reporting is mandatory for some entities. Under the Cyber Security Act 2024, reporting business entities must report a ransomware or cyber extortion payment to the Australian Government within 72 hours of making the payment (or becoming aware that it was made); the government fact sheet notes the obligation has applied since 30 May 2025.
Should you pay the ransom?
- Payment doesn’t guarantee recovery
- It encourages more attacks (including repeat targeting)
- It can create additional legal and business risk
Law enforcement agencies often discourage paying because it incentivises criminal activity and still may not restore data.
There’s also a compliance angle: the U.S. Treasury’s OFAC has warned about sanctions risk related to ransomware payments (including for parties who facilitate payments). Even if you’re outside the U.S., global payment rails, insurers, or vendors may be impacted—so get legal advice early.
If leadership is considering payment anyway, treat it as a managed decision:
- Involve legal counsel and insurance early
- Validate whether decryption is even possible
- Assume data may still be leaked even after payment
- Document the decision-making process
Can you decrypt without paying?
Sometimes—yes.
Before you do anything risky:
- Remove the malware first (or it can re-encrypt)
- Confirm the ransomware family/variant
- Check reputable decryptor portals
A widely used resource is the No More Ransom project, which hosts free decryption tools for many ransomware families (when keys or weaknesses are available).
Be cautious with random “decryptor” downloads from forums—attackers also distribute fake recovery tools.
A ransomware-ready organisation: what “good” looks like
If you want a simple target state, aim for:
Governance
- An incident response plan that includes ransomware + data extortion
- Tabletop exercises twice per year (IT + exec + legal + comms)
Technical minimums
- MFA enforced everywhere practical
- Patch SLAs for critical vulns
- Backups with offline/immutable copy + restore testing
- EDR coverage across endpoints and servers
- Centralised logs + alerting
- Network segmentation for critical systems
People and process
- Phishing reporting workflow
- Help-desk identity verification hardened
- Vendor access reviewed (least privilege, time-bound access)
Dealing with ransomware can be tricky, so if you are not sure how to proceed, it is best to get a cybersecurity specialist’s services. Remember, paying ransom will only encourage criminals with no guarantee of getting your data back. Protect your systems now. Contact us or email us at cybersecurity@computingaustralia.group to get in touch with our cybersecurity team.
Jargon Buster
Vulnerabilities – A weakness, flaw or error in software, hardware or network that can be exploited to gain unauthorised access to the system.
Drive-by download – Malicious code downloaded without any prompt or interaction by the user, typically by exploiting an operating system or browser that has not been updated.
Cryptocurrency – In simple terms, digital money: an online currency that is not issued or controlled by a government, and the usual way ransom payments are demanded.
Peter Machalski
FAQ
How long does ransomware recovery take?
It depends on the scope, backup quality, and whether identity/cloud systems are compromised. Organisations with tested backups and segmented networks recover faster and more confidently.
Does antivirus stop ransomware?
It helps, but it’s not enough by itself. Ransomware operators use multiple techniques—so you need layered controls (identity, patching, segmentation, backups, detection).
What’s the difference between “ransomware” and “data extortion”?
Traditional ransomware encrypts data. Data extortion focuses on stealing data and threatening to leak it—often without encryption. Many modern attacks do both.
Should individuals handle ransomware themselves?
If you’re not sure, get help. Government guidance suggests seeking professional support if you get stuck because ransomware can be difficult to handle safely.
What’s the first thing to do when you see a ransom note?
Disconnect the affected device from the network, start documenting, and get expert help. Don’t start wiping systems until evidence is preserved and containment is underway.