What Is Ransomware? A Primer for IT Professionals

The question sounds almost too basic for 2026: what is ransomware? Yet tens of thousands of people search for this term every single month. And here’s the truth—even seasoned IT professionals need to revisit this topic because ransomware attacks have changed dramatically over the past few years.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/

What Is Ransomware in Its Traditional Form?

At its core, ransomware is malicious software that gains access to your systems, encrypts your data, and demands payment (usually in Bitcoin) for the decryption key. The name comes from the concept of holding your data for ransom—they’ve taken it from you, and you can have it back if you pay up.

The traditional attack works like this: someone clicks a bad link or opens a malicious attachment, the malware installs itself, encrypts everything it can reach (local disks, mapped network shares, and any backup repository the compromised account can write to), and then you see that lovely screen asking for cryptocurrency. Simple, brutal, effective.

For years, the defense against this was straightforward: maintain good backups. If they encrypt your data, just restore from backup and move on with your life. You lose some time, maybe some recent work, but you survive. The attackers figured this out pretty quickly and changed tactics, which brings us to the modern version of the threat.

What Is Ransomware’s Double Extortion Model?

Today’s sophisticated attacks use what we call double extortion. Before encrypting anything, the attackers first exfiltrate your sensitive data—emails, customer records, financial documents, intellectual property, embarrassing internal communications—all of it gets copied to their servers.

Then they encrypt your systems like before. But now, even if you restore from backup, they hold a second threat over your head: pay up, or we publish everything we stole.
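The exfiltration step is the one a defender can still catch before any encryption happens: it shows up in egress logs as one host pushing far more data than usual to a destination that never receives bulk uploads, often at night. The script below is an added example for this post, not code from the author, the podcast or S2|DATA. The four-field log format, the allowlist of legitimate bulk destinations, the threshold and every hostname and address in it are constructed assumptions; a real SIEM or firewall export would be parsed into the same fields.

```python
"""Flag hosts whose outbound transfers look like pre-encryption data staging.

Added example, not code from the post's author or S2|DATA. The log format
(timestamp, source host, destination, bytes out), the allowlist, the
threshold and all hostnames below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed proxy/egress log lines; real logs would be parsed to these four fields.
SAMPLE_LOG = """\
2026-03-02T01:12:04Z fileserver01 backup-vendor.example.com 734003200
2026-03-02T01:15:41Z ws-jsmith teams.example.net 2048000
2026-03-02T02:03:17Z fileserver01 198.51.100.23 1887436800
2026-03-02T02:09:55Z fileserver01 198.51.100.23 2147483648
2026-03-02T02:31:08Z fileserver01 mega.example.org 3221225472
2026-03-02T09:14:02Z ws-ajones crm.example.com 51200
"""

# Destinations that legitimately receive bulk uploads (constructed allowlist).
KNOWN_BULK_DESTS = {"backup-vendor.example.com"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    dest: str
    bytes_out: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed four-field format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, dest, int(nbytes)))
    return events


def find_exfil_candidates(events: list[Event],
                          window: timedelta = timedelta(hours=2),
                          threshold: int = 1 << 30,
                          off_hours: tuple[int, int] = (0, 6)
                          ) -> dict[str, tuple[int, list[str], bool]]:
    """Return {host: (bytes, destinations, seen_off_hours)} for every host that
    sent at least `threshold` bytes to non-allowlisted destinations inside some
    rolling `window`. The largest qualifying burst per host is reported."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.dest not in KNOWN_BULK_DESTS:
            by_host[e.host].append(e)

    findings: dict[str, tuple[int, list[str], bool]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the burst fits within `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            total = sum(e.bytes_out for e in burst)
            if total >= threshold and total > findings.get(host, (0,))[0]:
                dests = sorted({e.dest for e in burst})
                off = any(off_hours[0] <= e.ts.hour < off_hours[1] for e in burst)
                findings[host] = (total, dests, off)
    return findings


if __name__ == "__main__":
    for host, (total, dests, off) in find_exfil_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {total / 2**30:.1f} GiB to {', '.join(dests)}"
              f"{' (off-hours)' if off else ''}")
```

On the constructed sample, `fileserver01` is flagged for roughly 6.8 GiB sent to two unknown destinations between 2 and 3 a.m., while the scheduled push to the backup vendor is ignored because it is allowlisted. The threshold and window are the tuning knobs: set them from a baseline of your own egress volumes rather than the values used here.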

Think about what’s sitting in your company’s email servers right now. Conversations where people complained about customers. Internal debates about product quality. Maybe some HR issues that never went public. Personnel evaluations. Financial struggles. That ill-advised joke someone made three years ago. All of it becomes leverage.

The 2014 Sony Pictures breach remains one of the most famous examples of the leak half of this model, even though it was a destructive wiper attack rather than ransomware in the encrypting sense. Attackers got in, stole massive amounts of data, and leaked emails in which studio executives mocked their own talent. The reputational damage was enormous. Sony recovered in the long term, but it wasn't pretty.

What Is Ransomware’s True Cost to the Business?

Let me give you some numbers that should keep you up at night. Jaguar Land Rover got hit in 2025, and the estimated damage is running around $2.5 billion once you count suppliers and downstream effects. Costa Rica's entire government got attacked in 2022, and because they had a law preventing the use of taxpayer money for ransoms, they didn't pay. They never got their data back and had to rebuild their government systems from scratch. Imagine rebuilding the IRS from nothing.

But here’s what I really want smaller organizations to understand: you don’t need to be a billion-dollar company to suffer catastrophic damage. Think about a dental office MSP that got hit. Suddenly, dentists across the region couldn’t access patient records. Patients showed up for appointments, and the staff had no idea who they were, what their history was, or what procedures they needed. Operations ground to a complete halt.

What is ransomware’s real impact? It’s not just encrypted files. It’s your ability to function as a business. You can’t process orders. You can’t contact customers. You can’t even figure out who your customers ARE because that data is locked up.

What Is Ransomware Preparedness and Why Does It Matter?

Here’s the uncomfortable truth I share in my upcoming book with Dr. Mike Saylor: the odds of experiencing a ransomware attack approach 100% over time. It’s not a matter of IF but WHEN. You can reduce the frequency of successful attacks by doing the basics—strong passwords, multi-factor authentication, patched systems—and that might stop 90% of attempts. But you cannot reduce the risk to zero.

This means you need to operate from what security professionals call an “assumed breach” position. Assume you’re going to get hit and prepare accordingly.

What does preparation look like? First, you need solid backup and recovery systems built on immutable storage: copies that cannot be altered or deleted for their retention period, even by an administrator's credentials, so the same attack that takes down your production systems cannot take your backups with it. Keep the backup infrastructure on separate credentials from production, and test restores regularly; an untested backup is a hope, not a plan. Second, you need incident response plans created BEFORE the attack happens. What decisions will you make about paying ransom? Who makes that call? Who gets notified, and in what order: legal counsel, your cyber insurer, regulators, law enforcement? What's your communication plan for customers and staff?
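Immutability has to be enforced by the storage layer (object lock, WORM media, a retention policy the backup admin account cannot shorten), but there is a check a restore runbook should run before trusting any copy, and the script below, an added example for this post rather than code from the author or S2|DATA, shows it: hash every file when the backup is written, seal the manifest with an HMAC whose key lives off the backup host, and before restoring, compare the restore point against that manifest so files that were overwritten in place, deleted, or added are caught before they are copied back into production. The file names, contents, the simulated "encryption" and the key are all constructed for the demonstration.

```python
"""Check a restore point against the manifest captured when the backup was written.

Added example, not the post author's or S2|DATA's code. Immutability itself
comes from the storage layer; this is the pre-restore integrity check. File
names, contents, the XOR stand-in for encryption and the HMAC key are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict[str, str], key: bytes) -> dict:
    """Attach an HMAC so an attacker who can rewrite the backup cannot quietly
    regenerate a matching manifest; the key must be stored somewhere else."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return {"files": manifest, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}


def check_seal(sealed: dict, key: bytes) -> bool:
    body = json.dumps(sealed["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def verify_restore_point(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Report files that changed, vanished, or appeared since the manifest was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Build a tiny backup set, seal its manifest, simulate a ransomware pass,
    then run the pre-restore check. Returns the discrepancy report."""
    key = b"constructed-demo-key-kept-off-the-backup-host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "customers.csv").write_text("id,name\n1,Acme\n2,Globex\n")
        (root / "ledger.xlsx").write_bytes(b"PK\x03\x04 constructed workbook bytes")
        sealed = seal_manifest(build_manifest(root), key)

        # Simulated ransomware pass (constructed): one file "encrypted" in place
        # with an XOR stand-in, one renamed with a .locked suffix, plus a note.
        def xor(data: bytes) -> bytes:
            return bytes(b ^ 0x5A for b in data)

        (root / "ledger.xlsx").write_bytes(xor((root / "ledger.xlsx").read_bytes()))
        (root / "customers.csv.locked").write_bytes(xor((root / "customers.csv").read_bytes()))
        (root / "customers.csv").unlink()
        (root / "README_TO_RESTORE.txt").write_text("constructed ransom note")

        if not check_seal(sealed, key):
            raise RuntimeError("manifest seal invalid; do not trust this restore point")
        return verify_restore_point(root, sealed["files"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from the demo lists `ledger.xlsx` as modified, `customers.csv` as missing, and the `.locked` copy and ransom note as unexpected, which is exactly the signal that this restore point was written after the intrusion began and an older one is needed. The seal matters because a manifest stored next to the backups can be regenerated by the same attacker; keep the key with the incident response team, not on the backup server.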

Third—and this is where I’ll sound like I’m selling something, but I genuinely believe it—consider working with a cybersecurity service provider. Someone who does this full-time, who can configure your SIEM and XDR tools properly, and who has seen enough attacks to know what actually works.

What Is the Impact on Small and Medium Businesses?

I hear this constantly: “We’re too small to be targeted.” That’s exactly the wrong mindset. Attackers love smaller organizations because they often have weaker defenses and are more likely to pay quickly to get back to business.

You don’t need to have 11 herbs and spices worth of trade secrets. What about emails where employees talked badly about customers? What about any business practice that wouldn’t look great on the local news? What about personal stuff that employees accessed on company computers? All of that becomes ammunition in a double extortion scenario.

The question isn’t whether you have something worth stealing. The question is whether you have something you’d prefer stayed private. The answer is almost always yes.

What Is the Connection to Backup and Recovery?

I’ve spent my career focused on backup and recovery, and ransomware is now the primary reason backups matter. It’s the number one threat to data center stability and the number one reason you need reliable backup systems.

But backups alone won’t save you from double extortion. They solve the “I can’t access my data” problem but not the “they’re threatening to publish my data” problem. You need both technical recovery capabilities AND business-level decision-making frameworks for when attackers threaten to leak what they’ve stolen.

The time to figure all this out is now—not when you’re staring at a ransom demand and trying to find someone who knows how to buy Bitcoin.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.
