Ransomware & Small Businesses

<  Back to Fact Sheets

Ransomware is a form of malware (a virus) that encrypts files, or denies the user the ability to access their device, or both. There are many forms of ransomware, but they nearly all lead to a demand for payment of a ransom for access to be allowed. The ransomware may also be accompanied by the theft of data and a threat to post this information online.

Attacks typically come in the form of phishing emails, downloading free software, and remote access scams (where a cybercriminal, posing as a trusted organisation, is provided access to a device and installs ransomware whilst in control). Once the ransomware has been executed, such as by clicking on links or attachments, the criminals have largely automated their whole process. Pop-ups or other on-screen messaging will alert the user to “a virus” or “encryption” or the computer being "locked”. A contact point will be provided, typically with a short timeframe to respond to the ransom demand. 

Detecting Ransomware 

There are two ways to detect ransomware: 

  1. Your anti-virus software informs you that it has detected and prevented the malware from executing, or
  2. On-screen messaging appears from the criminal demanding payment or some other form of action.

Be aware: If a ransomware message is received via email, be sure that is a genuine email and not simply a phishing attempt.


Preventing Ransomware
  • Ensure you back-up and encrypt all of your data, both offline (such as to a separate hard drive) and in the cloud (such as through an online hosting service). This won't prevent ransomware, but it will decrease the harm a cybercriminal can do if you have backed-up copies of your files.
  • Run anti-virus frequently and make sure it’s the most recent version – millions of viruses are created each year so your anti-virus needs to keep up with these.
  • Keep your operating system, devices, and apps/ software updated.
  • Use multifactor authentication wherever it is possible.
  • Use strong, unique passwords, and store them in a password manager.
  • Consider blocking ads and pop-ups.
  • Think twice before downloading freeware (free downloads) without checking their security first.
  • Become familiar with how to spot phishing emails.
  • Never provide remote access to your device when someone calls or emails you first.
  • Educate your employees about how to prevent and respond to ransomware and phishing emails.
  • If the data your business holds is sensitive, you may wish to discuss with your IT provider additional network security measures, such as network segmentation.

Responding to Ransomware

Disconnect your device immediately, including removing anything plugged into it (cables, USBs, dongles), disabling any wireless connections (Wifi. Bluetooth, hotspot, or mobile data), and disconnecting from any other devices on your network (such as laptops, printers or modems).

Take photos (on a non-infected device) of any communications from the criminals, including pop-ups, payment demands, cryptocurrency wallet addresses and websites.

It is possible to stop ransomware from continuing to run on a device with Microsoft Windows 10 by following these instructions from the ACSC. However, if you are using an Apple device, or if your device is not responding, or you do not feel confident following the ACSC instructions, simply hold down the power button on your device to force it to shut down.

Make sure the malware is removed from your device before reconnecting to the internet, joining a network, plugging anything back in, or installing backups of your data.

You may wish to try to decrypt the files on your device. There are hundreds of ransomware types, and in many cases only the criminals have the tools to decrypt. You can try:

If you are considering paying the ransomware, keep in mind:

  • You are dealing with criminals, so there is no guarantee that your files will be decrypted, will not be shared online, or that you will not be targeted again.
  • In New Zealand, paying ransomware is not an offence, however it is not recommended for the reasons outlined above.
  • In Australia, there are grey areas surrounding the legality of paying ransomware. According to the Department of Home Affairs in their March 2021 report Locked Out: Tackling Australia's ransomware threat, "At worst, payment of these amounts may be unlawful and involve committing a criminal offence."

Remember that removing the ransomware from your device may not be the end of the attack on your business. Consider all the information that the cybercriminal had access to on your device, and assume that all accounts have been compromised. This could include your emails, bank account details (including logins and customer reference numbers), tax file numbers, driver licence details, and superannuation details.

Information stored on your device most likely also includes information about your employees and customers. Contact your IDCARE small business adviser to discuss how to protect your employees and customers, and whether the ransomware infection is also considered a notifiable date breach.

For additional support or information, contact IDCARE by submitting a Get Help Form or call 1800 595 160 (Aus) or 0800 121 068 (NZ).


Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

  • IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
  • The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
  • While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
  • IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
  • If you would like to provide feedback please use our Feedback Form.


IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.   

Get help

Submit a web request

Call Centre Icon


1800 595 160

Mon - Fri: 8am - 5pm AEST

QLD: 07 3555 5900
ACT & NSW: 02 8999 3356
VIC: 03 7018 2366
NT, SA & WA08 7078 7741

Call Centre Icon

call our NEW ZEALAND

0800 121 068

Mon - Fri: 10am - 7pm NZST

AKL: 09 884 4440