What is Ransomware and How Does It Work?

Ransomware is a type of malware (malicious software) that encrypts a victim's files or locks their computer, effectively rendering them inaccessible to the user. The attacker then demands a ransom payment in exchange for restoring access to the files or device.

Ransomware can infect a computer system through a variety of methods, such as malicious email attachments, fake software updates, or drive-by downloads from compromised websites. Once the ransomware is executed on a victim's device, it can begin to encrypt files or lock the device.

The Different Types of Ransomware

There are several different types of ransomware, each with its own characteristics and methods of operation. Some of the most common examples include:

Common Threat Vectors for Ransomware Infection

Some common sources that can often lead to a ransomware attack include:

Internet-Facing Vulnerabilities and Misconfigurations


Precursor Malware Infection

Third Parties and Managed Service Providers

Signs of a Ransomware Attack and How You Can Detect It

Some common signs that may indicate a ransomware attack include:

Encrypted Files

If you are unable to access your files and notice that their file extensions have been changed or they have been renamed, it may indicate that they have been encrypted by ransomware.

Pop-up Messages

Some ransomware displays pop-up messages or alerts on the victim's screen, which may demand payment in exchange for decryption keys or threaten to delete the files.

Locked Computer or Device

If your computer or device becomes unresponsive or is locked, it may indicate a ransomware infection.

Slow or Unresponsive System

Ransomware may cause your system to slow down or become unresponsive due to the resource-intensive encryption process.

Missing Files

Ransomware may delete or move files as part of its attack, leaving you with missing files or folders.

Unusual Network Activity

Ransomware may use your network to communicate with the attacker's servers or to spread the infection to other devices on the network, leading to unusual network activity.
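The "Encrypted Files" sign above can be turned into a simple detection rule: alert when many files are renamed to the same new extension within a short time. The following is an added example, not code from Onapsis or the original page; the event format, the `.locked` extension, the sample paths, and the window and threshold values are all constructed assumptions.

```python
import os
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed rename events (time, old path, new path); not real telemetry.
SAMPLE_EVENTS = [
    ("2023-03-01T09:00:00", "/share/hr/plan.docx", "/share/hr/plan_final.docx"),
    ("2023-03-01T09:05:00", "/share/it/notes.txt", "/share/it/notes.md"),
] + [
    (f"2023-03-01T10:15:0{i}", f"/share/fin/report{i}.xlsx",
     f"/share/fin/report{i}.xlsx.locked")  # ".locked" is a made-up extension
    for i in range(6)
]


def detect_rename_bursts(events, window_seconds=60, threshold=5):
    """Alert once per extension when `threshold` files are renamed to that
    same new extension within `window_seconds`."""
    window = deque()   # (timestamp, new extension) of recent extension changes
    alerted = set()    # extensions already reported
    alerts = []
    for ts_text, old_path, new_path in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        old_ext = os.path.splitext(old_path)[1].lower()
        new_ext = os.path.splitext(new_path)[1].lower()
        if not new_ext or new_ext == old_ext:
            continue  # rename kept its extension: ordinary user activity
        window.append((ts, new_ext))
        # Evict events that fell out of the sliding window.
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        count = Counter(ext for _, ext in window)[new_ext]
        if count >= threshold and new_ext not in alerted:
            alerted.add(new_ext)
            alerts.append({"extension": new_ext, "count": count,
                           "detected_at": ts_text})
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

A single rename that changes an extension (such as `.txt` to `.md` in the sample) does not alert; only a burst converging on one extension does, which keeps ordinary user activity from triggering it.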

Best Practices for Protecting Against Ransomware Attacks

Protecting Business Critical Applications Against Ransomware

Onapsis protects the application layer with the Onapsis Platform and serves as an essential part of our clients’ plans to protect their SAP and Oracle applications from ransomware:

  • Onapsis provides automatic visibility into critical vulnerabilities, missing important patches and security updates, and misconfigurations (identifying all open doors), which is a crucial component of ransomware prevention. Once all possible entry points are identified, they can be closed or addressed, which reduces an organization’s attack surface.
  • Through continuous monitoring and real-time alerts, Onapsis helps monitor real-time attempts to access critical SAP and Oracle systems.
  • With code analysis prior to moving into production, and in transport, Onapsis can help identify malware or new vulnerabilities before they are released to the public. Code vulnerabilities may appear to be low risk, but we have seen examples like SolarWinds where a small risk can turn into a large security incident. Onapsis generally sees one critical vulnerability per 1,000 lines of code, but our clients generally have millions of lines of custom code. It’s important to close those open doors to prevent any access to business-critical systems.

Developing a Ransomware Incident Response Plan

Protecting against and preparing for ransomware can be challenging, but the most important best practice is to be prepared and have a plan. According to SANS, there are six steps to properly handle a security incident: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Preparation: Preparing for a security or ransomware incident begins with research of existing processes, who within the organization should have access to information, and who needs to be involved should an incident occur.

Identification: Identifying your most valuable data, where it is located, and how you will operate should this data be inaccessible is the next step.

Containment: Developing a plan for how you will contain a given security incident or ransomware attack is the next critical step.

Eradication: Planning for how your team will eradicate ransomware is another vital step in your incident response plan.

Recovery: If any sensitive or proprietary data was lost or encrypted, this step aims to recover that data and ensure it is no longer in the wrong hands.

Lessons Learned: What part of this response plan worked? What didn’t? This is the time to truly evaluate the effectiveness of your response plan and communication.

Annual Tabletop Exercises


CISA Tabletop Exercise Packages (CTEPs), for example, can be a starting point or foundation for your organization’s preparedness. Simulated ransomware attacks enable an organization to identify gaps in incident response plans. This can help not only the IT and security teams feel prepared, but also the board and other stakeholders. Practice and preparedness help teams be measured instead of chaotic in the event of an incident.


Steps Your Organization Can Take in 2023 to be More Prepared for Ransomware

Review your incident response plan (or start developing one) and continuously evaluate whether it is sufficient should a security event arise.

Conduct tabletop exercises with stakeholders in your organization at least once a year.

Patch known & exploited vulnerabilities and address misconfigurations.

Establish visibility for your organization’s full attack surface and anticipate how threat actors may seek to take advantage of any weaknesses.

Steps Your Company Can Take in 2023 to Recover from a Ransomware Attack

If your company has already fallen victim to a ransomware attack, CISA guidance recommends the following high-level steps to begin recovery:

Isolate Infected Systems: Immediately isolate infected systems from the network to prevent the ransomware from spreading to other devices.

Assess the Damage: Assess the extent of the attack and determine which systems and data have been affected. Conduct a thorough investigation to identify the source and scope of the attack.

Restore Data from Backups: Restore your data from backups, if available. Ensure that the backups are clean and do not contain any malware.

Implement Additional Security Measures: Implement additional security measures to prevent future attacks. This may include updating software, implementing access controls, and training employees on cybersecurity best practices.

Conduct a Post-Incident Review: Conduct a post-incident review to evaluate the effectiveness of your response and identify areas for improvement. Use this review to update your incident response plan and improve your security posture.
