Ransomware: What Actually Happens (And Your Three Options)

The PM's guide to ransomware readiness

Hello Fellow,

Last week we covered the five stages of a cyber attack. This week, let's talk about what happens when attackers reach Stage 4 with one specific goal: ransomware.

The headlines make it sound dramatic. "Hospital Systems Crippled." "Company Pays £2 Million."

What they don't tell you is what actually happens inside those organisations during the first few hours, or why some recover in days whilst others never fully bounce back.

Today's breakdown:

  • How ransomware actually works

  • The three options every organisation faces

  • What project managers should build in now to reduce impact later

What Ransomware Actually Does

Ransomware is malware with a business model. It encrypts your files (documents, databases, backups, everything it can reach) then demands payment for the decryption key.

Think of it like someone changing all the locks in your office building overnight, then offering to sell you the only set of keys that work.

The encryption happens fast, usually locking down an entire network in under an hour. By the time someone notices files won't open, the damage is already complete.

Then comes the ransom note, typically a text file appearing on every encrypted machine. The message is always the same: pay a specific amount in Bitcoin within 72 hours or lose access forever. Some groups threaten to publish your data publicly if you don't pay, whilst others start deleting files after the deadline passes.

Your Three Options (None Are Great)

Option 1: Pay the Ransom

This gets your data back fastest, assuming the attackers keep their word. Transfer the Bitcoin, wait for the decryption key, hope it actually works. But paying guarantees nothing. Some attackers take the money and vanish. Others provide keys that only partially decrypt files. You're also funding criminal operations and marking yourself as someone willing to pay, which invites future attacks.

Option 2: Restore from Backups

This is what everyone recommends: wipe infected systems, restore from clean backups, rebuild your network. It works brilliantly if your backups are recent, regularly tested, and weren't also encrypted during the attack. The problem? Many organisations discover during a crisis that their backups haven't functioned properly in months. Even with perfect backups, restoration still means days or weeks of costly downtime.

Option 3: Refuse and Rebuild

Some organisations refuse to pay and discover they can't restore from backups either. They rebuild systems from scratch and accept the data loss. This route takes longest and hurts most: lost customer records, broken contracts, potential regulatory fines. Some businesses never fully recover.

What Project Managers Should Build In

As a PM, you're not handling the technical response, but you can shape how prepared your organisation is when ransomware hits.

Embed backup validation into project timelines. Don't assume backups work. Schedule quarterly restore tests for critical systems as actual project milestones. Real example: a manufacturing company tested their backups and discovered their production database hadn't backed up successfully in eight months. Better to find out now than during an attack.
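For the technical team running those restore tests, here is one way to turn a test into a pass/fail check: confirm the last successful backup is recent, then compare every restored file against a hash manifest recorded at backup time. This is an added example, not part of the original newsletter; the one-day freshness threshold, file names and dates are constructed assumptions.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_BACKUP_AGE = timedelta(days=1)  # assumed policy: backups must succeed daily

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {str(p.relative_to(root)): sha256_file(p) for p in files}

def check_restore(manifest, restored_root, last_success, now=None):
    """Return a list of findings; an empty list means the restore test passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    age = now - last_success
    if age > MAX_BACKUP_AGE:
        findings.append(f"STALE: last successful backup was {age.days} days ago")
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            findings.append(f"MISSING: {rel}")
        elif restored[rel] != digest:
            findings.append(f"CORRUPT: {rel}")
    return findings

def demo():
    """Constructed sample: a restore with one missing and one damaged file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        samples = {"orders.db": b"orders", "customers.db": b"customers", "config.ini": b"cfg"}
        for name, data in samples.items():
            (src / name).write_bytes(data)
        manifest = build_manifest(src)                      # recorded at backup time
        (dst / "orders.db").write_bytes(b"orders")          # restored intact
        (dst / "customers.db").write_bytes(b"\x00garbled")  # restored but damaged
        now = datetime(2024, 9, 1, tzinfo=timezone.utc)
        last_ok = datetime(2024, 1, 1, tzinfo=timezone.utc)  # eight months stale
        return check_restore(manifest, dst, last_ok, now)
```

Any non-empty result should fail the milestone, so a silent backup failure surfaces at the quarterly test rather than during an incident.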

Map dependencies before crisis hits. Document which systems rely on each other. If your customer database goes down, can sales still process orders? If email gets encrypted, how do teams communicate? A logistics company created a simple flowchart showing that their warehouse system depended on email for alerts. When ransomware hit, they had a workaround ready.

Build incident response into every project. When planning new systems, ask: "If this gets encrypted tomorrow, how long until we're operational again?" A financial services PM added a requirement that any new system must have recovery procedures documented before going live. When ransomware struck, they restored critical systems in 48 hours instead of weeks.

Run tabletop exercises with decision makers. Schedule a two-hour session where leadership walks through a ransomware scenario. Who decides whether to pay? Who contacts insurance? Sort this out before pressure mounts.

Why This Matters Now

The organisations that recover fastest from ransomware aren't lucky; they're prepared. As a project manager, you bridge technical teams and business leadership. You can ensure ransomware readiness isn't just a security problem but is built into how projects are planned and executed.

P.S. Share this with other PMs in your network. Ransomware preparation is a project management challenge as much as a security one.

Next week: What security challenge are you facing? Tell us, and we'll tackle it in next week's issue.
