Table of contents
- Ransomware: meaning and definition
- What happens to a PC hit by ransomware
- What dimensions do ransomware attacks target
- Ransomware is a type of sophisticated malware
- Is there a relationship between phishing and ransomware?
- Famous ransomware attacks: real-world cases
- Data recovery policies in case of ransomware
- What to do in case of a ransomware attack: step-by-step
- How to protect yourself from ransomware attacks
Among the most dangerous and insidious cyber threats in recent years, ransomware holds a prominent place. It is a type of malware designed to encrypt the files on a system and demand a ransom in order to regain access to the data.
In this article, we will explain in detail what ransomware is, what damage it can cause, what happens to a PC affected by ransomware, how it spreads through techniques such as phishing, and most importantly, what to do in case of a ransomware attack.
We will also analyze key data recovery policies in case of ransomware and the best protection methods, starting from data backup.
Ransomware: meaning and definition
The word ransomware comes from the combination of “ransom” and “software.” Ransomware is a type of malware that infects a computer system, encrypts the files on the hard drive, and displays a ransom demand, usually accompanied by a countdown.
The attacker’s message informs the victim that the files have been encrypted and that only payment of the ransom (often in cryptocurrency) will provide the decryption key needed to recover them. However, there is no guarantee that the files will actually be returned, even after payment.
What happens to a PC hit by ransomware
When a device is infected by a ransomware attack, the sequence is usually as follows:
- The malware enters the system via a phishing email with malicious attachments, a compromised website, or an existing system vulnerability.
- Once executed, the ransomware begins to encrypt the files on the machine, working silently in the background.
- After encryption is complete, a screen appears informing the user that the files have been locked and includes instructions to request the ransom payment.
The affected files often change their extension (.locked, .crypted, etc.) and become inaccessible. Some ransomware variants even target local backups and networked devices.
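A triage pass over a suspect directory can look for the two signs described above: appended extensions and file contents that have turned into random-looking bytes. The following is an added example, not part of the original article; the extension watch list, the entropy threshold and the function names are assumptions, and the sample files are constructed.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed watch list: the two extensions named above; extend it per incident.
SUSPECT_EXTENSIONS = {".locked", ".crypted"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def triage(root: str, sample_size: int = 65536) -> dict:
    """Walk root and classify each file by extension and content entropy."""
    report = {"renamed": [], "high_entropy": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                sample = fh.read(sample_size)
            if os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS:
                report["renamed"].append(rel)
            elif shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)
            else:
                report["clean"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed sample tree and run the triage over it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "notes.txt": b"quarterly report draft\n" * 200,  # plain text
            "invoice.docx.locked": os.urandom(4096),         # renamed file
            "customers.csv": os.urandom(4096),               # overwritten in place
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return triage(root)
```

Compressed formats such as ZIP archives, JPEG images and Office documents are also high in entropy, so the `high_entropy` bucket is a list to review, not a verdict.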
What dimensions do ransomware attacks target
One of the most critical aspects of ransomware is that it operates on multiple dimensions within a system. It doesn’t just encrypt files; it can:
- Block the entire operating system, preventing even desktop access (e.g., locker ransomware).
- Delete or encrypt data backups stored on the hard drive or network.
- Steal login credentials, sensitive information, and system configurations.
In business environments, a ransomware attack can paralyze servers, databases, and critical applications, shutting down entire operations.
Ransomware is a type of sophisticated malware
Ransomware belongs to the larger family of malware, but it is among the most sophisticated and profitable for cybercriminals. Based on type, we can distinguish:
- Crypto-ransomware: Encrypts files and documents.
- Locker-ransomware: Locks the entire system.
- Doxware: Threatens to publish sensitive data online.
- Ransomware-as-a-Service (RaaS): Attack kits sold on the dark web to launch attacks “on demand.”
This malware is constantly evolving, with new variants that often bypass traditional defenses.
Is there a relationship between phishing and ransomware?
Absolutely. One of the main distribution methods for ransomware is phishing—the act of sending emails that appear legitimate but contain malicious attachments or links.
A typical scenario involves a phishing email disguised as a bank message, shipping notice, or tax document. The user, believing it’s real, opens the file or clicks the link, unknowingly triggering a ransomware attack.
Some campaigns use Word documents with macros or compromised PDFs. In other cases, ransomware is downloaded through browser vulnerabilities or outdated plugins.

Famous ransomware attacks: real-world cases
Over the years, several ransomware attacks have made global headlines. Among the most notable:
- WannaCry (2017): Hit over 200,000 systems in 150 countries by exploiting a Windows vulnerability.
- NotPetya: Devastated companies and infrastructure in Ukraine and spread globally.
- Ryuk: Used to target hospitals and public administrations.
- LockBit: One of today’s most active threats, launching targeted attacks against businesses.
These attacks caused millions in damages, compromised critical systems, and required weeks of recovery.
Data recovery policies in case of ransomware
One of the fundamental strategies for defending against this cyber threat is to implement strong data backup policies. Here are essential measures:
- Frequent backups: Save data copies to external or cloud media not connected to the system.
- Offline backups: Keep at least one “air-gapped” copy physically separated.
- File versioning: Ensure the ability to restore previous document versions.
Backups must be tested regularly and protected from overwrites or unauthorized access. Without reliable backups, paying the ransom becomes the only (and dangerous) option.
What to do in case of a ransomware attack: step-by-step
Suffering a ransomware attack is a critical event that can jeopardize an entire IT system, especially in corporate or professional settings. The temptation to give in to the ransom demand can be strong, especially when vital or sensitive data is at stake. However, the actions taken in the hours after the infection can determine the difference between minor damage and digital disaster.
Let’s take a closer look at what to do in the event of a ransomware attack, following a structured response protocol based on cyber security best practices.
1. Immediately isolate the infected device
- Disconnect the PC from the Internet (cable and Wi-Fi).
- Remove access to shared network drives.
- In business contexts, alert IT teams to stop lateral spread.
This prevents the malware from encrypting more files or compromising additional systems.
2. Do not pay the ransom immediately
- Paying does not guarantee file recovery. Many victims never receive the promised decryption key.
- Payment fuels cybercrime, encouraging more attacks.
- Some attackers demand more after the initial payment.
Experts strongly advise against paying unless absolutely necessary (e.g., hospitals).
3. Contact a cyber security expert
- Specialists can analyze the ransomware behavior and identify its variant.
- They can assess whether the malware stole data.
- They can implement countermeasures to prevent reinfection.
- Legal and data protection experts may also be needed for compliance.
4. Check for available backups
- You may be able to restore encrypted files from a recent backup.
- Reformat the infected system and start fresh.
Make sure backups:
- Are not connected to the infected system.
- Were not also encrypted by the ransomware.
5. Report the attack to authorities
In Italy, you should:
- Contact Polizia Postale through their cybercrime reporting platform.
- Refer to CSIRT Italia, the national CERT, for institutional or business cases.
This helps law enforcement track ransomware campaigns and may reveal known decryption keys.
6. Analyze the ransomware to identify the variant
Use platforms like ID Ransomware to:
- Upload ransom notes or encrypted files.
- Get detailed information on the malware.
- Check if a decryption tool exists.
Each variant behaves differently—some have flaws that allow free recovery, others don’t.
7. Look for free decryption tools
Some ransomware decryption keys have been recovered by cyber security experts. The NoMoreRansom.org project offers:
- A free decryption tool library.
- An interactive guide to assess recoverability.
- Educational resources for attack prevention.
The site is managed by Europol, Kaspersky, McAfee, and other international partners, and is one of the main reference points for those affected by ransomware attacks.
Final thoughts
Dealing with a ransomware attack requires calm, speed, and expertise. Even if your first instinct is to recover your data, hasty decisions can worsen the situation.
Having up-to-date backups, keeping software and operating systems patched, and training users to recognize phishing emails remain the best defenses. But if it happens, knowing what to do in case of a ransomware attack can mean the difference between a manageable crisis and total data loss.
How to protect yourself from ransomware attacks
Preventive cyber security is the only real way to avoid damage. Follow these best practices:
- Regularly update operating systems and software.
- Use updated antivirus with anti-ransomware protection.
- Limit user privileges and access rights.
- Train staff to spot phishing attacks.
- Enable firewalls and disable macros in Office documents.
- Monitor system logs for suspicious activity.
Awareness is your first line of defense—a single wrong click can cause disaster.
Conclusion
Ransomware today represents one of the most complex challenges in cyber security. Understanding what happens to a PC infected by ransomware, knowing how to respond to an attack, and adopting effective backup policies are essential to protect your data, your business, and your privacy.
Being aware of the connection between phishing and ransomware, recognizing malicious attachments, and keeping your systems up to date can make the difference between a serious incident and a minor warning.
Questions and answers
- What is ransomware? It’s malware that encrypts files on a device and demands a ransom to decrypt them.
- What happens during a ransomware attack? Files become inaccessible and a ransom note is displayed.
- How does ransomware spread? Through phishing emails, malicious attachments, and system vulnerabilities.
- Is ransomware linked to phishing? Yes, it’s often distributed via phishing emails with malicious links or files.
- What should you do if infected? Isolate the system, don’t pay, consult experts, analyze the malware, and check backups.
- Is paying the ransom safe? No—there’s no guarantee of file recovery, and it supports cybercrime.
- How can you protect your data? With regular backups, antivirus software, training, and timely updates.
- What files does ransomware target? Documents, images, databases, configurations—anything accessible.
- Can you recover files without paying? In some cases, yes—with available decryption tools.
- Are there free decryption tools? Yes—sites like NoMoreRansom.org offer tools for known ransomware variants.