by The Computing Australia Group | What is Ransomware
In May 2017, the WannaCry outbreak forced the world to pay attention to ransomware in a way few cyber incidents ever had. One of the most frustrating takeaways: the worm exploited a Windows vulnerability that already had a security patch available—yet many organisations hadn’t applied it. Microsoft released the MS17-010 fix on 14 March 2017, and the WannaCry outbreak began 12 May 2017.
Fast-forward to today: ransomware hasn’t gone away—it has evolved. Modern attacks are often faster, more targeted, and more damaging because criminals frequently steal data before encrypting it and threaten to publish it if you don’t pay (so-called double extortion).
This guide explains what ransomware is, how it spreads, what to do if you’re hit, and how to build a ransomware-resilient organisation.
What is ransomware?
- Your full name, date of birth, address, or phone number
- Business networks (file servers, identity systems, backups)
- Cloud services (email tenants, storage buckets, SaaS platforms)
- Critical services (healthcare, education, legal, manufacturing)
Ransomware today: it’s not just encryption anymore
A typical modern ransomware operation may include:
- Data theft (exfiltration) before encryption
- Leak sites that publish victims and countdown timers
- Multiple pressure tactics (legal threats, customer notification threats, DDoS threats)
- A criminal “supply chain”: ransomware-as-a-service (RaaS), affiliates, money laundering, and “initial access brokers” that sell stolen access
How ransomware gets in: the most common entry points
While details vary, most ransomware attacks begin with one of a few repeatable patterns.
1) Phishing and social engineering
Attackers trick users into clicking malicious links, opening attachments, or entering credentials into fake login pages. This remains one of the most common starting points.
2) Stolen credentials and weak identity controls
If attackers obtain valid usernames/passwords (often from prior data breaches), they can log in “normally.” Weak MFA, poor help-desk verification, or password reuse amplifies the risk.
3) Unpatched vulnerabilities
WannaCry is the classic example: exploitation of a widely known issue, combined with slow patching.
In 2025–2026, ransomware groups still aggressively exploit newly disclosed vulnerabilities to gain entry quickly.
4) Remote access exposure
Misconfigured remote desktop services, poorly secured VPNs, and exposed management ports remain common pathways—especially for small-to-mid sized organisations.
5) Supply chain and third-party compromise
Attackers increasingly target vendors (IT providers, contact centres, outsourced service desks) because one compromise can unlock many downstream victims.
What happens during a ransomware attack (the typical lifecycle)
Understanding the attacker’s workflow helps you build the right defences.
- Initial access (phish, exploit, stolen credentials)
- Privilege escalation (admin rights, domain access)
- Discovery (finding servers, backups, sensitive data, security tools)
- Lateral movement (spreading across systems)
- Disabling protections (security agents, backups, shadow copies)
- Encryption and extortion (ransom note, deadlines, leak threats)
- (security agents, backups, shadow copies)
Modern groups aim for speed and scale. Some can move from initial access to enterprise-wide disruption in hours, not days.
How to protect your organisation from ransomware (practical, modern controls)
The goal is not one magic product. The goal is layers—so that a single mistake doesn’t become a total outage.
1) Build resilience with backups you can actually restore
Backups are still one of the strongest “anti-ransom” controls—when they’re designed well and tested.
A strong backup program includes:
- At least one offline/immutable backup copy (not directly accessible from normal admin accounts)
- Regular restore tests (quarterly at minimum for critical systems)
- Separate credentials and segmented access for backup infrastructure
- Clear RTO/RPO targets so you know what “recovery” really means
ACSC guidance emphasises careful restoration—only restore from backups if you’re confident they’re clean.
2) Patch fast—especially externally exposed systems
Ransomware authors love known vulnerabilities because they’re repeatable and scalable. WannaCry’s MS17-010 story remains a cautionary tale.
Minimum standard:
- Maintain an asset inventory (you can’t patch what you don’t know you have)
- Prioritise “internet-facing” systems
- Patch or mitigate critical vulns quickly (days, not weeks)
- Retire unsupported systems wherever possible
- Disabling protections (security agents, backups, shadow copies)
- Encryption and extortion (ransom note, deadlines, leak threats)
- (security agents, backups, shadow copies)
3) Strengthen identity: MFA, least privilege, and admin separation
Identity is often the real battleground.
Do this:
- Enforce MFA everywhere possible (email, VPN, remote access, admin consoles)
- Use separate admin accounts(no email browsing on admin identities)
- Reduce standing privileges (just-in-time access where possible)
- Lock down help-desk reset processes (verification, callbacks, anti-sim-swap checks)
4) Segment your network so one breach doesn’t become many
Flat networks help ransomware spread.
Practical segmentation includes:
- Separate user networks from servers
- Restrict server-to-server communication to what’s required
- Isolate backup systems and admin tools
- Use application allowlists for critical servers where feasible
5) Improve email and web controls (reduce the click risk)
- Advanced phishing protection (link rewriting, attachment sandboxing)
- Block executable attachments and risky macro content where possible
- DMARC/SPF/DKIM properly configured
- User reporting button (“Report Phish”) with rapid triage
6) Deploy detection and response capability (EDR + logging)
Prevention will never be perfect. You need visibility.
Minimum expectations:
- Endpoint Detection & Response (EDR) on servers and endpoints
- Centralised logs (SIEM or equivalent)
- Alerts for suspicious behaviour (mass file changes, credential dumping patterns, unusual admin activity)
Microsoft’s ransomware incident response playbook highlights containment and post-incident hardening as critical to reducing repeat attacks.
7) Train employees—but make it real-world
Security awareness works best when it’s specific:
- Short simulations based on your real threats
- Teach staff what “urgent invoice,” “password reset,” and fake login pages look like
- Reinforce: if something feels off, report it quickly
8) Use a recognised framework to make it measurable
What to do when you’re hit: a ransomware response checklist
If you suspect ransomware, speed matters—but so does discipline.
Step 1: Don’t panic—start recording facts immediately
Capture:
- Time you noticed it
- Screenshots of the ransom note
- Affected devices, accounts, and systems
- Any suspicious emails or logins
- Any unusual admin activity
ACSC’s “Report and recover from ransomware” guidance explicitly recommends recording details early.
Step 2: Contain the spread
- Isolate impacted machines from the network (disconnect cable/Wi-Fi)
- Block known malicious IPs/domains (if available)
- Temporarily disable compromised accounts
- Consider pausing file shares if encryption is actively spreading
Step 3: Engage experts (internal + external) and activate your incident plan
- Call your cybersecurity provider / incident response partner
- Notify executive leadership and legal counsel
- Trigger your cyber insurance notification process (if applicable)
Australia: If you need immediate assistance, ACSC provides a 24/7 hotline: 1300 CYBER1 (1300 292 371).
Step 4: Preserve evidence (don’t wipe too early)
Before reimaging systems, capture:
- Memory and disk images for key systems (if you have capability)
- EDR telemetry and log exports
- Firewall/VPN/authentication logs
- Copies of ransom notes and file extensions
This evidence helps determine how they got in—and prevents a repeat incident.
Step 5: Determine scope and “blast radius”
Questions to answer quickly:
- Which systems are encrypted?
- Did they exfiltrate data?
- Are backups affected?
- Is identity (AD / Entra ID) compromised?
- Are cloud services affected?
- Is the attacker still present?
Step 6: Eradicate the attacker’s access
Encryption is often the end of the attack chain, not the beginning.
Common remediation actions:
- Reset passwords (starting with privileged accounts)
- Rotate API keys and service credentials
- Close exploited vulnerabilities and exposed ports
- Remove persistence mechanisms (scheduled tasks, rogue admin accounts, remote tools)
Step 7: Restore safely (and test as you go)
Only restore from backups once you’re confident:
- Malware is removed
- Persistence is gone
- Backups are not contaminated
ACSC’s emergency response guidance warns against reconnecting backups to infected systems too early.
Step 8: Communicate and report
- Prepare internal comms to staff (clear do/don’t guidance)
- Notify customers/partners if necessary (legal guidance required)
- Report to relevant authorities
Australia: mandatory ransom payment reporting (some entities). A fact sheet notes mandatory ransomware/cyber extortion payment reporting active from 30 May 2025 for reporting business entities under the Cyber Security Act 2024, with reporting required within 72 hours of making (or becoming aware of) the payment.
Should you pay the ransom?
- Payment doesn’t guarantee recovery
- It encourages more attacks (including repeat targeting)
- It can create additional legal and business risk
Law enforcement agencies often discourage paying because it incentivises criminal activity and still may not restore data.
There’s also a compliance angle: the U.S. Treasury’s OFAC has warned about sanctions risk related to ransomware payments (including for parties who facilitate payments). Even if you’re outside the U.S., global payment rails, insurers, or vendors may be impacted—so get legal advice early.
If leadership is considering payment anyway, treat it as a managed decision:
- Involve legal counsel and insurance early
- Validate whether decryption is even possible
- Assume data may still be leaked even after payment
- Document the decision-making process
Can you decrypt without paying?
Sometimes—yes.
Before you do anything risky:
- Remove the malware first (or it can re-encrypt)
- Confirm the ransomware family/variant
- Check reputable decryptor portals
A widely used resource is the No More Ransom project, which hosts free decryption tools for many ransomware families (when keys or weaknesses are available).
Be cautious with random “decryptor” downloads from forums—attackers also distribute fake recovery tools.
A ransomware-ready organisation: what “good” looks like
If you want a simple target state, aim for:
Governance
- An incident response plan that includes ransomware + data extortion
- Tabletop exercises twice per year (IT + exec + legal + comms)
- Check reputable decryptor portals
Technical minimums
- MFA enforced everywhere practical
- Patch SLAs for critical vulns
- Backups with offline/immutable copy + restore testing
- EDR coverage across endpoints and servers
- Centralised logs + alerting
- Network segmentation for critical systems
People and process
- Phishing reporting workflow
- Help-desk identity verification hardened
- Vendor access reviewed (least privilege, time-bound access)
Dealing with ransomware can be tricky, so if you are not sure how to proceed, it is best to get a cybersecurity specialist’s services. Remember, paying ransom will only encourage criminals with no guarantee of getting your data back. Protect your systems now. Contact us or email us at cybersecurity@computingaustralia.group to get in touch with our cybersecurity team.
Jargon Buster
Vulnerabilities – A weakness, flaw or error in software, hardware or network that can be exploited to gain unauthorised access to the system.
Drive-by-download – Downloading of malicious code without any prompts or interaction by the user. The malicious code takes advantage of OS or browsers that have not been updated.
Cryptocurrency – In simple terms, it is digital money. It is an online digital currency that is not controlled by a government.
Peter Machalski
FAQ
How long does ransomware recovery take?
It depends on the scope, backup quality, and whether identity/cloud systems are compromised. Organisations with tested backups and segmented networks recover faster and more confidently.
Does antivirus stop ransomware?
It helps, but it’s not enough by itself. Ransomware operators use multiple techniques—so you need layered controls (identity, patching, segmentation, backups, detection).
What’s the difference between “ransomware” and “data extortion”?
Traditional ransomware encrypts data. Data extortion focuses on stealing data and threatening to leak it—often without encryption. Many modern attacks do both.
Should individuals handle ransomware themselves?
If you’re not sure, get help. Government guidance suggests seeking professional support if you get stuck because ransomware can be difficult to handle safely.
What’s the first thing to do when you see a ransom note?
Disconnect the affected device from the network, start documenting, and get expert help. Don’t start wiping systems until evidence is preserved and containment is underway.
