What is Ransomware and How Do Hackers Choose their Immediate Targets?

Uncover the mechanics of ransomware and prevention strategies to safeguard your network against cybercriminal tactics with OnSecurity's expert insights.

Ransomware has become one of the most disruptive cyber threats facing organisations today. Understanding how it works and who’s at risk is the first step in protecting your business from this costly attack vector.

What is ransomware?

Ransomware is malicious software designed to infiltrate your devices and network, encrypt your files, and hold them hostage. Once attackers gain control, they block access to your critical data and systems until you pay a ransom – often demanded in cryptocurrency like Bitcoin. 

Ransom demands vary dramatically, from a few hundred pounds for individuals to millions for large enterprises. Payment doesn’t guarantee data recovery, and paying often makes your organisation a target for future attacks.

How does ransomware infect your systems? 

Attackers use several methods to deploy ransomware, with phishing being the most common entry point:

  • Phishing emails: Carefully crafted messages impersonate trusted sources to trick recipients into clicking malicious links or opening infected attachments. One click can give attackers the foothold they need
  • Exploit kits: Attackers scan for unpatched vulnerabilities in software and operating systems, then use automated tools to exploit these weaknesses
  • Remote Desktop Protocol (RDP) attacks: Weak or compromised RDP credentials allow attackers to gain remote access to your network
  • Malicious websites: Drive-by downloads can infect systems when users visit compromised or malicious sites
  • Supply chain attacks: Attackers compromise trusted third-party software or service providers to distribute ransomware to multiple targets

Once inside your network, ransomware spreads quickly, encrypting files across connected systems and entrenching itself to ensure maximum damage.

How do hackers choose their targets?

Anyone can fall victim to a ransomware attack.

However, certain organisations are more attractive targets for cybercriminals due to their characteristics and vulnerabilities.

Organisations with limited security resources

Universities and educational institutions are frequent targets. They often have: 

  • Small IT security teams relative to their size
  • Vast amounts of sensitive data (financial records, research, intellectual property, student information)
  • Open network environments that prioritise accessibility over security
  • Limited security budgets

In 2025, a ransomware attack on the University of Hawai’i leaked the information of up to 1.2 million people. Other recent victims include the University of Wolverhampton, the University of Manchester, and the University of Mississippi, a stark illustration of how weaknesses in the education sector are actively exploited.

Organisations that will pay quickly

Healthcare providers and government agencies are often prioritised because:

  • Their data is literally life-critical
  • Downtime can have severe consequences
  • They’re under immense pressure to restore services immediately
  • They often have insurance that covers ransom payments

The 2024 Synnovis cyber incident demonstrated this vulnerability dramatically. The ransomware attack disrupted pathology services across several NHS hospitals in London, forcing the cancellation of thousands of appointments and operations while severely affecting blood testing services and creating urgent pressure to restore critical systems.

High-value targets

Financial services, legal firms, and professional services hold valuable data that includes:

  • Client financial information
  • Confidential business records
  • Intellectual property
  • Regulated data subject to compliance requirements

These organisations often have the resources to pay substantial ransoms and face significant regulatory and reputational consequences from data breaches.

Small and medium businesses

Don’t assume you’re too small to be targeted. SMBs are increasingly attacked because: 

  • They often lack dedicated security teams
  • Security measures may be less sophisticated
  • They’re seen as easier targets with less resistance
  • Automated attacks don’t discriminate by company size 

The ransomware threat isn’t reserved for large enterprises – cybercriminals cast a wide net, and opportunistic attacks affect businesses of all sizes.

What can you do to prevent ransomware attacks?

Defence against ransomware requires a multi-layered approach combining technology, processes, and people.

Keep systems patched and updated

Regularly update your operating systems, applications, and firmware. Unpatched vulnerabilities are open invitations for attackers – these weak spots make it significantly easier for ransomware to infiltrate your network.

  • Implement automated patching where possible
  • Prioritise critical security updates
  • Maintain an inventory of all software and systems
  • Don’t neglect legacy systems that are still in use

Deploy endpoint protection

Install and maintain robust antivirus and anti-malware software across all devices. Modern endpoint protection solutions:

  • Detect and block known malware signatures
  • Use behavioural analysis to identify suspicious activity
  • Provide real-time threat protection
  • Automatically quarantine infected files

While not foolproof, endpoint protection catches many threats before they can execute.

Implement network segmentation

Don’t give ransomware an open highway through your infrastructure. Segment your network to:

  • Limit lateral movement if attackers gain access
  • Isolate critical systems from general user networks
  • Contain infections to specific network segments
  • Protect backup systems from encryption

Control software installation

Be strict about what gets installed on your systems:

  • Implement application whitelisting where feasible
  • Restrict user permissions to install software
  • Only use software from verified, trustworthy sources
  • Regularly audit installed applications
  • Remove unnecessary or outdated software

If you’re uncertain about software legitimacy, don’t use it. Infected applications can spread ransomware throughout your environment rapidly.

Educate and train your employees

Your people are both your greatest vulnerability and your strongest defence. Most ransomware attacks begin with successful phishing, making employee awareness critical.

Security awareness training should include:

  • How to identify phishing emails and suspicious links
  • The real consequences of successful ransomware attacks
  • Proper password hygiene and multi-factor authentication
  • Reporting procedures for suspicious activity
  • Safe browsing and email practices

OnSecurity’s phishing simulation service allows your team to experience realistic phishing attacks in a controlled environment. These simulations help employees develop the instincts to spot threats before clicking, without the consequences of a real attack.

Implement robust backup strategies

Even with strong defences, you need a recovery plan. Comprehensive backups are your insurance policy against ransomware.

Essential backup practices:

  • Follow the 3-2-1 rule: 3 copies of data, 2 different media types, 1 offsite
  • Use offline or immutable backups that ransomware can’t encrypt
  • Test recovery procedures regularly – backups are worthless if you can’t restore them
  • Automate backup processes to ensure consistency
  • Keep backups isolated from your main network

If ransomware does encrypt your systems, verified backups mean you can restore operations without paying the ransom.
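The backup practices above can be checked mechanically against an inventory of your copies. The following is an added example, not OnSecurity's code: the field names, the sample inventories, the 90-day restore-test window, and counting production data as one of the three copies are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str                  # "disk", "tape", "object-storage", ...
    offsite: bool = False       # held away from the primary site
    immutable: bool = False     # offline or write-once, so it cannot be encrypted
    isolated: bool = False      # not reachable from the main network
    last_restore_test: Optional[date] = None  # None = never test-restored
    primary: bool = False       # the live production data itself

def audit(copies, today, max_test_age_days=90):
    """Return findings; an empty list means every check passed."""
    backups = [c for c in copies if not c.primary]
    findings = []
    if len(copies) < 3:
        findings.append(f"3-2-1: {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"3-2-1: {len(media)} media type(s), need 2")
    if not any(c.offsite for c in backups):
        findings.append("3-2-1: no offsite copy")
    if not any(c.immutable for c in backups):
        findings.append("no offline or immutable backup")
    for c in backups:
        if not (c.immutable or c.isolated):
            findings.append(f"{c.name}: writable and reachable from main network")
        t = c.last_restore_test
        if t is None or (today - t).days > max_test_age_days:
            findings.append(f"{c.name}: restore not tested in {max_test_age_days} days")
    return findings

# Constructed sample inventories (not from any real environment).
TODAY = date(2025, 6, 1)
PROD = DataCopy("production", "disk", primary=True)
WEAK = [PROD, DataCopy("nas-nightly", "disk")]
HARDENED = [
    PROD,
    DataCopy("nas-nightly", "disk", isolated=True, last_restore_test=date(2025, 5, 1)),
    DataCopy("tape-weekly", "tape", offsite=True, immutable=True, isolated=True,
             last_restore_test=date(2025, 4, 15)),
]

if __name__ == "__main__":
    for label, plan in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(plan, TODAY) or "OK")
```

The weak plan, a single always-mounted NAS share, fails every check; the hardened plan passes until its restore tests go stale.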

Enable multi-factor authentication (MFA)

Require MFA for all remote access, administrative accounts, and critical systems. This dramatically reduces the risk of credential-based attacks that can lead to ransomware deployment.

Conduct regular security assessments

Regular penetration testing helps identify weaknesses before attackers do:

  • Test your defences against real-world attack techniques
  • Identify configuration errors and security gaps
  • Validate that your security controls actually work
  • Prioritise remediation based on actual risk

Develop an incident response plan

Prepare for the possibility of an attack:

  • Define roles and responsibilities during an incident
  • Establish communication protocols
  • Document containment and recovery procedures
  • Identify when to involve law enforcement and regulators
  • Practice your response through tabletop exercises

A quick, coordinated response can minimise damage and accelerate recovery.

The bottom line

Ransomware isn’t going away – it’s a lucrative business model for cybercriminals and continues to evolve. While certain organisations face elevated risk, no business is immune to attack.

The good news? Many ransomware attacks succeed because of preventable weaknesses. Regular updates, employee training, robust backups, and defence-in-depth security significantly reduce your risk profile.

Don’t wait for an attack to test your defences.

Strengthen your ransomware defences with OnSecurity

Our penetration testing services identify vulnerabilities before attackers do, while our phishing simulations prepare your team to recognise threats. Get an instant quote to discover how we can help protect your organisation.
