Ransomware is one of the most destructive forms of malware — it encrypts your files and demands payment for the decryption key. Understanding how it works is the first step to defending against it.
Ransomware is a category of malware that encrypts the victim's files and withholds the key needed to decrypt them until a ransom is paid. Once encryption is complete, it displays a ransom note demanding payment, typically in cryptocurrency, in exchange for the decryption key. Modern families use a standard hybrid scheme: each file is encrypted with a fast symmetric cipher (commonly AES-256 or ChaCha20) under a freshly generated key, and those per-file keys are in turn encrypted ("wrapped") with an RSA-2048 or elliptic-curve public key whose private half never leaves the attacker. Because only that private key can unwrap the file keys, recovery by brute force is computationally infeasible regardless of the victim's technical capability. The only cryptographic escapes are a family that mis-implements the scheme (a reused or predictable key, or a private key left behind on the infected machine) or law enforcement seizing the operators' keys; these are what the occasional free decryptor relies on.
The attack sequence follows a consistent pattern. Initial access is gained through a delivery vector: a phishing email attachment, a malicious download, compromised Remote Desktop Protocol (RDP) credentials, or exploitation of an unpatched, internet-facing vulnerability. Against an organisation the encryptor is usually the final act of a longer intrusion, in which the operator steals credentials, moves laterally, and then pushes the executable to every reachable host at once (commonly via Group Policy or PsExec) so the whole estate is hit before anyone can react. Once the executable runs, it performs reconnaissance: enumerating local drives, mapped network shares, and backup locations. Before touching user data it removes the local means of recovery, deleting Volume Shadow Copies, wiping the Windows backup catalogue, disabling automatic repair, and stopping database and backup services whose open file handles would otherwise block encryption. Only then does the encryption phase begin, targeting documents, images, databases, and other valuable file types while deliberately skipping the system files needed to keep the machine bootable, so the victim can read the ransom note and make payment.
Modern ransomware operations, particularly those targeting businesses and organisations, frequently involve a "double extortion" model. Before encrypting anything, the attackers exfiltrate sensitive data, often over several days while they still have quiet access. This gives them a second leverage point: even if the victim restores from backup and never needs the decryption key, the attackers threaten to publish the stolen data on a leak site unless the ransom is paid. It also means that unusual large outbound transfers in the days before an encryption event are one of the few chances to catch the intrusion early. Some groups operate "triple extortion" models, adding threats to launch DDoS attacks against the victim or to contact its customers and partners about the breach unless payment is received.
The history of ransomware stretches back to the 1989 AIDS Trojan, mailed on floppy disks to attendees of a World Health Organisation AIDS conference; it used weak symmetric encryption and hid file names rather than encrypting content, so it was fully recoverable. The modern era began in earnest with CryptoLocker in 2013, which introduced RSA public-key encryption of the file keys and Bitcoin payment, establishing the template still used today. Since then, ransomware has evolved through multiple generations. Early variants targeted individual consumers; the second generation shifted to "big game hunting," targeting enterprises, hospitals, and government agencies for much larger ransom demands. The third generation introduced the Ransomware-as-a-Service (RaaS) model that now dominates the threat landscape.
Ransomware-as-a-Service has industrialised ransomware attacks. RaaS platforms such as LockBit, BlackCat/ALPHV, and Cl0p operate like legitimate SaaS businesses, complete with affiliate programmes, negotiation portals with "support" for victims paying ransoms, and profit sharing between the platform developers and the affiliate operators who conduct the actual intrusions. This model dramatically lowered the barrier to entry: affiliates need not develop malware, only deploy it. The platform operators typically take 20 to 30% of each ransom payment and the affiliates keep the rest. This structure has sharply increased both the volume and the sophistication of ransomware attacks globally.
Beyond file-encrypting ransomware, related threat categories have emerged. Locker ransomware locks the device screen rather than encrypting files; it is less technically sophisticated and more recoverable, but still disruptive. Wiper malware masquerades as ransomware but is designed to destroy data permanently with no recovery mechanism at all, sometimes deployed by state-sponsored actors to cause maximum disruption (NotPetya in 2017 is the best-known case). Scareware pretends to be ransomware without encrypting anything, hoping victims pay to avoid a threat that does not exist. Understanding these distinctions helps prioritise the right defensive measures: genuine encrypting ransomware is the most serious threat, a wiper makes backups the only recovery route, and scareware is a nuisance that should never prompt payment.
Hong Kong has experienced significant ransomware incidents affecting both public and private sector organisations. The Hong Kong Productivity Council (HKPC) has documented a sustained increase in ransomware cases affecting local businesses, with small and medium enterprises particularly vulnerable due to limited IT security resources. Notable incidents include attacks on logistics companies, professional services firms, and healthcare providers — sectors that hold sensitive operational and personal data that makes them attractive ransomware targets. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) regularly publishes advisories on ransomware threats targeting the region.
Several factors make Hong Kong businesses particularly exposed to ransomware risk. High adoption of internet-connected business systems, widespread use of remote access tools (VPN and RDP use grew sharply during COVID-19 restrictions, and exposed RDP remains a leading initial-access vector), and a large concentration of SMEs without dedicated security staff create a target-rich environment. The financial services sector, a major component of Hong Kong's economy, is a premium target: financial data is sensitive, and regulated firms face incident-reporting requirements from their financial regulators as well as breach-notification expectations under the PDPO, pressures that attackers deliberately exploit to push for fast payment.
The decision of whether to pay a ransom demand is complex and should not be made under time pressure. Law enforcement bodies including Hong Kong Police and international agencies such as Europol and the FBI advise against paying: payment funds further criminal operations, does not guarantee recovery (a significant proportion of payments never produce a working decryptor, and the decryptors that are supplied are often slow and unreliable, so even a paid recovery is a project rather than an instant fix), does nothing to retrieve data that has already been exfiltrated, and may mark the victim as a willing payer who will be targeted again. In some jurisdictions a payment to a sanctioned group is itself unlawful. For organisations facing the loss of irreplaceable data without functional backups the calculus is harder. The best approach is to make the payment decision unnecessary through prevention and backup strategies rather than facing it under attack conditions.
Recognising ransomware in progress, before encryption completes, can dramatically limit damage. Early warning signs include sudden heavy disk activity (mass reads and writes as files are encrypted), high CPU usage from an unfamiliar process, files across many directories gaining an unusual extension (.locked, .encrypted, .WNCRY, or a random string appended to the original name), ransom notes appearing in every folder, and antivirus or EDR alerts about suspicious file-system activity. More useful still are the precursors that occur moments before the first file is touched: deletion of Volume Shadow Copies, backup and database services being stopped, and security tooling being disabled, all of which appear as process-creation events and are far more specific than raw disk activity. Many endpoint security products combine these signals with a content check (a freshly written file whose bytes are near-uniformly random is almost certainly ciphertext or compressed data) and fire when the rate of such writes from a single process exceeds a threshold. Time matters enormously: every minute of active encryption means more files lost.
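As an added illustration of the two strongest signals above (this is example code, not code from the article or from any product it names), the Python below runs two rules over a few constructed endpoint events: a process-creation rule that matches the shadow-copy deletion commands, and a sliding-window rule that counts writes from one process whose file names look like ransomware renames and whose contents are near-random. The event field names, the thresholds, and the sample events are assumptions made for the example; in a real deployment they would be mapped from Sysmon or EDR file and process telemetry.

```python
"""Ransomware early-warning rules over constructed endpoint telemetry.

Added example, not code from the original article or any product it mentions.
The event schema (ts, type, pid, cmd, path, data), the thresholds and the
sample events are assumptions made for illustration.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict, deque
from typing import NamedTuple

# Extensions named in the article plus a few widely reported ones (lower-case).
KNOWN_RANSOM_EXTS = {".locked", ".encrypted", ".wncry", ".crypt", ".lockbit"}

# "invoice.docx.a8f3kq": a document extension followed by an appended suffix.
DOUBLE_EXT = re.compile(
    r"\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|txt|csv|sql|db|bak)\.[a-z0-9]{4,12}$", re.I
)

# Commands that destroy local recovery points before encryption starts.
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]


class Alert(NamedTuple):
    kind: str
    pid: int
    ts: int
    detail: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit around 4 to 5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_name(path: str) -> bool:
    """True if the file name looks like a ransomware rename of a document."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in KNOWN_RANSOM_EXTS or bool(DOUBLE_EXT.search(name))


def looks_encrypted_write(path: str, data: bytes, entropy_min: float = 7.5) -> bool:
    """Require both weak signals: a ransom-style name AND random-looking bytes.
    Either alone is noisy (a .zip is high-entropy; a renamed file may be plaintext)."""
    return suspicious_name(path) and shannon_entropy(data) >= entropy_min


def detect(events, window_s: int = 10, burst: int = 5, entropy_min: float = 7.5):
    """Return alerts for shadow-copy deletion and for bursts of encrypted-looking
    writes from a single process within a sliding window of window_s seconds."""
    alerts = []
    recent = defaultdict(deque)   # pid -> timestamps of suspicious writes
    fired = set()                 # one mass_encryption alert per pid
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process":
            if any(p.search(ev["cmd"]) for p in SHADOW_DELETE):
                alerts.append(Alert("shadow_copy_deletion", ev["pid"], ev["ts"], ev["cmd"]))
        elif ev["type"] == "file" and looks_encrypted_write(ev["path"], ev["data"], entropy_min):
            q = recent[ev["pid"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window_s:   # drop writes outside the window
                q.popleft()
            if len(q) >= burst and ev["pid"] not in fired:
                fired.add(ev["pid"])
                alerts.append(Alert("mass_encryption", ev["pid"], ev["ts"],
                                    f"{len(q)} encrypted-looking writes in {window_s}s"))
    return alerts


# --- Constructed sample telemetry (not real captures) --------------------------
# Deterministic stand-in for ciphertext: concatenated SHA-256 digests are
# statistically close to uniform, so no real cipher is needed for the demo.
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAINTEXT = b"Quarterly revenue report: all figures in HKD.\n" * 100


def _file(ts, pid, path, data):
    return {"ts": ts, "type": "file", "pid": pid, "path": path, "data": data}


def _proc(ts, pid, cmd):
    return {"ts": ts, "type": "process", "pid": pid, "cmd": cmd}


SAMPLE_EVENTS = [
    _file(1, 1001, r"C:\Users\amy\Documents\report.docx", PLAINTEXT),   # Word autosave
    _file(3, 1002, r"D:\backups\nightly.zip", CIPHERTEXT),             # compressed backup
    _proc(5, 4242, "vssadmin.exe Delete Shadows /All /Quiet"),         # recovery points gone
] + [
    _file(6 + i, 4242, rf"C:\Users\amy\Documents\invoice{i}.docx.locked", CIPHERTEXT)
    for i in range(6)
] + [
    _file(13, 4242, r"C:\Users\amy\Pictures\photo.jpg.a8f3kq", CIPHERTEXT),  # random suffix
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run directly, it prints one shadow_copy_deletion alert at the vssadmin command and one mass_encryption alert at the fifth encrypted-looking write from the same process. The entropy check on its own would flag every archive and JPEG, and the name check on its own would flag harmless renames, which is why the rule demands both plus a burst of at least five such writes within ten seconds from one process; real deployments additionally allow-list known backup and archiving tools and tune the window to disk speed.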
If you suspect an active ransomware infection, the immediate response priorities are: disconnect the machine from the network at once (unplug the ethernet cable, disable WiFi, or, in an organisation, isolate the host through the EDR console so it can be done for many machines quickly) to stop the ransomware reaching network shares and other devices; do not shut the computer down, because in some variants the key material is still in volatile memory and forensic specialists can sometimes recover it; photograph or otherwise record the ransom note for law enforcement reporting; and contact your IT support or incident response provider. Do not run additional software on the infected machine, as this can overwrite forensic evidence, and preserve whatever logs the machine and the network already hold. Report the incident to HKCERT (https://www.hkcert.org) and to the Hong Kong Police as a crime; if personal data of others may have been compromised, also follow the PCPD's data breach handling guidance under the PDPO, which covers notifying the Commissioner and the affected individuals.
Recovery from a ransomware attack without paying depends almost entirely on backup quality. The 3-2-1 backup rule (three copies of the data, on two different media types, with one copy off-site or offline) is the standard that makes ransomware a recoverable event rather than a catastrophe. The critical requirement is that at least one copy cannot be reached or altered by a process running with the victim's credentials: physically disconnected ("air-gapped") media, or storage that is immutable for a retention period, such as write-once object storage or versioning that even a stolen administrator account cannot purge. Many organisations discover too late that their backups sat on a mapped network share or NAS that the ransomware enumerated and encrypted alongside the primary data, or that the backup console was reachable with the same domain administrator account the attacker had stolen, so the backups were deleted before encryption began. Cloud backup services with versioning (Backblaze, Acronis, or OneDrive with Personal Vault and version history) provide the off-site, version-preserved copy that survives an attack, provided the retention window is longer than the attacker's dwell time and restores are tested regularly rather than assumed to work. Before considering payment, also check the No More Ransom project (https://www.nomoreransom.org), which hosts free decryptors for families whose keys have been recovered or whose encryption was flawed.