An IT team at a distribution company walks in on a Monday morning to find their servers completely inaccessible. Every screen in the office shows the same message: all files have been locked, and the attackers are demanding hundreds of thousands of dollars to restore access.
That scenario has played out at real companies. IBM’s Cost of a Data Breach report puts the average financial loss from a ransomware attack at USD 4.91 million per incident, and that figure doesn’t even account for lost revenue while systems stay offline.
Ransomware is a type of malware that locks or encrypts a victim’s data, then demands a ransom payment in exchange for restoring access. Without the decryption key that only the attacker holds, business data simply can’t be read or used.
Understanding how to deal with ransomware is no longer just a technical matter for the IT department. It’s a business decision that determines how fast a company gets back on its feet after an attack.
Why Systems Are Vulnerable to Ransomware
Before getting into how to respond, it helps to understand exactly how attackers find their way in. Knowing the entry points leads to a faster, more targeted response when something does happen.
1. Phishing and Malicious Emails
An employee receives an email that looks like a routine message from a client or business partner, then clicks a link or downloads an attachment without thinking twice. That single click is enough to release malicious code across the entire company network.
This method doesn’t attack systems. It exploits people, and untrained employees are the easiest door for attackers to walk through.
2. Leaked Login Credentials
Attackers buy databases of stolen employee usernames and passwords on the dark web, then use them to log in without needing any sophisticated hacking technique. Because the login activity looks normal, this approach regularly bypasses traditional security detection systems.
The Colonial Pipeline attack in 2021 is the clearest proof: the entire pipeline network of the largest fuel supplier in the United States was shut down because a single VPN password belonging to a former employee had leaked. No complex exploit was needed.
3. Unpatched Software Vulnerabilities
Software that doesn’t get regular updates leaves security gaps that can be exploited at any time. According to an IBM X-Force report, the WannaCry attack in 2017 damaged systems across 300 organizations in 150 countries, largely because so many of them had skipped available Windows updates.
Skipping patch management is the same as leaving a door unlocked. Attackers only need to find one gap that hasn’t been closed.
Who Are the Main Targets of Ransomware Attacks?
No industry is completely safe from ransomware. Attackers tend to go after sectors that hold high-value data, can’t afford system downtime, or haven’t fully strengthened their security infrastructure.
Hospitals and Healthcare Providers
Hospitals store highly sensitive patient records and run systems that can’t afford to go offline for even a moment. When ransomware brings those systems down, the impact goes beyond financial loss and can directly threaten the safety of patients who depend on network-connected medical devices.
Ransomware attacks on healthcare facilities have risen sharply in recent years, partly because many hospitals still run legacy systems that are rarely updated and difficult to replace without disrupting operations.
Banking and Financial Services
Financial institutions hold transaction data, customer identities, and access to payment infrastructure that attackers find extremely valuable. Beyond the ransom itself, a data breach in this sector triggers mandatory reporting to regulators and potential sanctions from financial authorities.
The double pressure of restoring systems while meeting regulatory deadlines often makes incidents in this industry far more costly than the ransom figure alone.
Government and Public Sector
Disrupted government services affect the public directly and can’t easily be redirected to a temporary solution. The Brain Cipher ransomware attack in 2024 that took down Indonesia’s Temporary National Data Center (PDNS 2) and disrupted more than 200 government agencies is a clear example of the scale of damage that’s possible in this sector.
Public infrastructure is frequently targeted because political pressure to restore services quickly can, in practice, increase the likelihood of ransom being paid.
Manufacturing and Supply Chains
A production line that stops for even one hour has real consequences for delivery schedules and client contracts. Attackers understand this and use the time pressure to push victims into paying faster, before they’ve had a chance to evaluate other recovery options.
Many manufacturing facilities also run industrial control systems (ICS) that were never designed with cybersecurity as a priority, making them an easy target for exploitation.
Educational Institutions
Universities and schools hold personal data on thousands of students, research records, and access to international collaboration networks. Cybersecurity budgets in education tend to be smaller than in other sectors, which means systems often fall behind on updates and protection.
Attacks on educational institutions also disrupt teaching and research in ways that can’t easily be moved to a backup system on short notice.
8 Ways to Deal with Ransomware When a System Is Already Infected
Once an attack is underway, speed and precision determine how much damage can be contained. The steps below should be followed in order, from the first sign of infection through to full system recovery.
1. Disconnect from the Network Immediately
The first and most urgent move is to cut the infected device off from both the internet and the company’s local area network (LAN). This stops the ransomware from spreading to other devices connected to the same network.
Disconnect any external storage devices too, including flash drives or portable hard disks plugged into the infected machine. If they’re not removed quickly, they can get encrypted as well and become a new path for the infection to spread.
2. Don’t Pay the Ransom
Paying the ransom has never guaranteed a full return of data. Security authorities worldwide, including Indonesia’s National Cyber and Crypto Agency (BSSN), consistently advise victims not to meet the attacker’s demands.
Payment funds the criminal operation and signals to attackers that the company is a willing target for future attacks. There are safer recovery options that don’t involve handing money to the people responsible.
3. Identify the Ransomware Variant
Each ransomware variant behaves differently, and knowing which one you’re dealing with shapes every recovery decision that follows. Upload a sample of an encrypted file or the ransom note to ID Ransomware to identify the variant.
That information is necessary before searching for any decryption tool. Using the wrong decryptor on encrypted files can make them permanently unrecoverable.
4. Look for an Available Decryptor
For a number of known ransomware variants, free decryption tools are available from reputable cybersecurity providers. Several security organizations and global vendors regularly release updated decryptors to help victims recover data without paying.
Only download decryptors from official, trusted sources. Fake tools are circulating online, and many of them carry additional malware that compounds the damage.
5. Restore Data from Backup
If the company has a backup stored offline, meaning it’s not connected to the main network, now is the time to use it. Recovering from a clean backup is almost always faster and more reliable than trying to decrypt locked files.
Before restoring, make sure the system has been fully cleared of ransomware first. Restoring data onto a still-infected system will just get the backup encrypted all over again.
6. Run a Full Antivirus Scan
Once the network connection is cut and the backup source is identified, run a complete scan using antivirus software from an official source. The goal is to remove any remaining malicious code still active on the system.
Avoid downloading antivirus tools from unofficial sources or cracked versions. Unauthorized security tools often carry additional malware into the very system you’re trying to clean.
7. Repair Any System Settings That Were Changed
Some ransomware variants modify system settings, such as the hosts file, group policies, or registry entries, to maintain persistent access. The IT team needs to review and restore these settings manually, or reinstall the operating system if the situation calls for it.
Once the system is back up, update all software to the latest versions. Those updates close the same gaps the attacker likely used to get in.
8. Report the Incident to the Authorities
Ransomware attacks targeting businesses should be reported to BSSN and the cybercrime unit of the national police. Reporting supports forensic investigation and helps authorities map patterns of active attacks.
If the incident involved a leak of personal data belonging to customers or employees, reporting also becomes a legal obligation under Indonesia’s Personal Data Protection Law (UU PDP). Ignoring that obligation adds a regulatory risk on top of everything else the company is already managing.
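As an added example (not part of the original article), the following Python script performs the read-only triage that steps 1 and 3 call for on an isolated copy of the affected volume: it collects candidate ransom notes, the extension appended to encrypted files, and flags files whose byte entropy looks encrypted, which is the material ID Ransomware asks for. The note filename hints, the entropy threshold and the sample directory it builds are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Words that often appear in ransom note filenames (illustrative list, not exhaustive).
NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 means effectively random (encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: Path, sample_size: int = 4096) -> dict:
    """Walk an isolated copy of the affected volume without modifying it and gather
    candidate ransom notes, the appended extension, and files that look encrypted."""
    notes, encrypted, extensions = [], [], Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in (".txt", ".html", ".hta") and any(
                hint in path.name.lower() for hint in NOTE_HINTS):
            notes.append(rel)
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_size)  # a sample is enough to judge entropy
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(rel)
            extensions[path.suffix.lower()] += 1
    return {"ransom_notes": sorted(notes), "encrypted_files": sorted(encrypted),
            "suspect_extensions": dict(extensions)}

def build_sample() -> Path:
    """Constructed sample volume: a plain document, two 'encrypted' files, one note."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "q3_report.docx").write_bytes(b"Quarterly report text. " * 200)
    (root / "docs" / "invoice.xlsx.lockedxyz").write_bytes(os.urandom(8192))
    (root / "customers.db.lockedxyz").write_bytes(os.urandom(8192))
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Contact ...")
    return root

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Point it at a mounted, write-protected copy of the affected disk rather than the live machine, so the evidence stays intact for the forensic investigation described in step 8.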
To reduce legal exposure and keep data governance within regulatory requirements, companies should assess their audit readiness and compliance gaps early.
How to Prevent the Next Ransomware Attack
Responding to an attack that’s already happened matters. But building defenses so it doesn’t happen again is a longer-term priority that carries more weight. Several preventive measures can be put in place right after a system has been recovered.
1. Set Up Regular Backups and Store Them Offline
An offline backup, one that’s physically separate from the main network, is the most reliable safety net when an attack hits. Run backups on an automated schedule and test recovery periodically so you know the backup actually works before it’s urgently needed.
An untested backup is practically the same as having none. Many companies only discover their backup is incomplete or corrupted precisely when they’re already in crisis mode.
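To make the "test recovery periodically" advice concrete, here is an added Python example (not code from the original article) that records a SHA-256 manifest at backup time and later checks a trial restore against it, reporting files that came back missing or silently truncated. The directory layout and file contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256.
    Run this at backup time and keep the manifest with the offline copy."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a trial restore against the manifest taken at backup time.
    Reports files that are missing, corrupted (hash mismatch) or unexpected."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    corrupt = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"ok": not missing and not corrupt, "missing": missing,
            "corrupt": corrupt, "extra": extra}

def build_scenario() -> tuple:
    """Constructed data: a source tree, then a 'restored' copy in which one file
    was never written back and another was silently truncated."""
    src = Path(tempfile.mkdtemp(prefix="src_"))
    (src / "db").mkdir()
    (src / "docs").mkdir()
    (src / "db" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
    (src / "docs" / "contract.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (src / "config.ini").write_text("[backup]\nschedule=nightly\n")
    restored = Path(tempfile.mkdtemp(prefix="restored_")) / "data"
    shutil.copytree(src, restored)
    (restored / "docs" / "contract.pdf").unlink()                # lost during restore
    (restored / "db" / "customers.csv").write_text("id,name\n")  # truncated
    return src, restored

if __name__ == "__main__":
    source, restored = build_scenario()
    manifest = build_manifest(source)
    print("clean restore:", verify_restore(source, manifest))
    print("broken restore:", verify_restore(restored, manifest))
```

A restore drill that ends with "ok": False is exactly the discovery the paragraph above warns about, made before the crisis rather than during it.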
2. Keep All Software Updated
Software updates aren’t just new features. They’re patches for known security gaps, and every delay in applying them is a window that attackers can use. IT teams need a strict patch management policy to make sure no old vulnerability stays open.
Focus updates on operating systems, internet-facing applications, and network devices first. Those are the areas most commonly used as initial entry points in attacks.
3. Train Employees to Spot Phishing
Untrained employees are the weakest point in any company’s security posture. Regular security awareness training, including simulated phishing campaigns, has a measurable effect on reducing the risk of staff falling for manipulation tactics.
One round of training isn’t enough. Attackers keep updating their techniques, so relevant training needs to run at least twice a year.
4. Tighten Identity and Access Management
Leaked credentials are behind some of the largest ransomware attacks on record, including Colonial Pipeline. Deploying multi-factor authentication (MFA) across all system access points cuts off this entry path, even when an employee’s password has already been compromised.
Apply the least privilege principle too: each user gets access only to the systems genuinely required for their role. If one account is breached, the damage an attacker can do stays limited.
Conclusion
Ransomware doesn’t give anyone time to think once an attack starts. Companies that recover quickly are the ones that had three things in place before it happened: a tested offline backup, a clear incident response protocol, and tight access management.
Strengthening identity and access management is the most actionable step a company can take today. Adaptist Prime is an Identity and Access Management (IAM) platform that helps companies control who can access which systems.
The platform is backed by adaptive MFA, Single Sign-On (SSO), and conditional access policies that automatically block unauthorized access attempts, even those made with credentials that have already leaked.
Ready to Manage Digital Identities as a Business Security Strategy?
Request a demo today and discover how IAM solutions centralize user logins through Single Sign-On (SSO), automate employee onboarding, and protect company data from unauthorized access without disrupting productivity with repeated logins.
FAQ
Not always. Recovery depends on the ransomware variant and whether a free decryptor is available, or whether the company has a clean backup from before the attack.
Recovery time ranges from a few days to several months, depending on how quickly the incident was detected and how complete the available backup is.
There’s no guarantee data will be returned after payment. Many victims who paid still didn’t receive a working decryption key.
Upload an encrypted file or the ransom note to ID Ransomware at id-ransomware.malwarehunterteam.com to identify the variant.
Cut the infected device from the network immediately to stop the spread, then identify the ransomware variant before taking any further recovery steps.