Crypto-Locker: What to expect
There are two types of businesses: those that have been victims of ransomware attacks and those that will be—it’s increasingly difficult to escape this reality in today’s digital landscape.
Cybercriminals continue to evolve their tactics, developing sophisticated methods to bypass advanced email security filters and AI-powered threat detection systems. Modern ransomware campaigns are remarkably professional, often mimicking legitimate communications so convincingly that even security-conscious users can be deceived. Despite widespread awareness and training programmes, these attacks remain highly successful.
Recent estimates suggest that ransomware gangs collectively generate billions in revenue annually, demonstrating just how profitable their criminal enterprise has become. The business model clearly works, which is why these attacks continue to proliferate.
While there’s extensive information available about ransomware prevention strategies, this post focuses on what actually happens during an attack—what you’ll see, what to expect, and how to respond effectively.
What will it look like if it happens to you?
Modern ransomware infections typically begin when someone clicks a malicious link or downloads a seemingly legitimate attachment. Unlike older variants, today’s ransomware often operates silently in the background, sometimes for hours or even days, before revealing itself.
You might not immediately see a dramatic ransom screen. Instead, the first sign of trouble is usually discovering that your files have been encrypted and renamed with unusual extensions like .locked, .encrypted, or random character strings. Every document, spreadsheet, image, and database file becomes completely inaccessible.
In each affected folder, you’ll typically find ransom notes—usually text files or HTML documents with names like “READ_ME.txt” or “HOW_TO_RECOVER.html”. These contain detailed instructions for payment, almost always demanding cryptocurrency like Bitcoin or Monero.
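The indicators described above (files renamed with an extra extension, and a ransom note dropped in each affected folder) can be turned into a read-only triage scan that shows which folders were hit. This is an added example, not part of the original post or Resolve Technology's tooling; the indicator lists, the function names and the sample folder tree are assumptions constructed for illustration, and the scan assumes the new extension is appended to the original file name.

```python
import os
import re
import tempfile

# Indicator lists are assumptions built from the examples in this post; extend per incident.
NOTE_RE = re.compile(r"read[_ -]?me|how[_ -]?to[_ -]?(recover|decrypt|restore)", re.I)
NOTE_EXTS = {".txt", ".html", ".htm"}
KNOWN_EXTS = {".locked", ".encrypted"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".sql"}

def looks_encrypted(name):
    """True for a known ransomware extension, or any extension appended after a
    normal document extension (report.docx.x7k2q), which covers random strings."""
    stem, ext = os.path.splitext(name.lower())
    return ext in KNOWN_EXTS or (ext != "" and os.path.splitext(stem)[1] in DOC_EXTS)

def is_ransom_note(name):
    stem, ext = os.path.splitext(name.lower())
    return ext in NOTE_EXTS and bool(NOTE_RE.search(stem))

def triage(root):
    """Walk root read-only and report every folder showing at least one indicator."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if is_ransom_note(f))
        hits = [f for f in files if looks_encrypted(f)]
        if not notes and not hits:
            continue
        # Earliest modification time of an encrypted file approximates when
        # encryption reached this folder, which helps pick a clean backup.
        mtimes = [os.path.getmtime(os.path.join(folder, f)) for f in hits]
        findings[os.path.relpath(folder, root)] = {
            "notes": notes, "encrypted": len(hits), "total": len(files),
            "earliest": min(mtimes, default=None)}
    return findings

def build_sample(root):
    """Constructed sample tree: one affected folder, one clean folder."""
    layout = {"finance": ["q1.xlsx.locked", "invoice.pdf.x7k2q", "READ_ME.txt"],
              "hr": ["policy.docx", "readme-notes.md", "archive.tar.gz"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

A legitimate README.txt also matches the note pattern, so a folder reporting a note but no encrypted files is a weak signal that needs a manual look.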
Today’s ransomware operations are disturbingly sophisticated, often including multilingual support desks, step-by-step payment tutorials, and even “customer service” chat systems to help victims navigate the payment process. Some groups offer “proof of concept” decryption of a few files to demonstrate they can actually restore your data.
What to do when you first notice it
Time is absolutely critical. The moment you suspect a ransomware infection:
- Immediately disconnect the affected device from your network—unplug the Ethernet cable or disable Wi-Fi
- Alert your entire organisation to shut down and disconnect all systems to prevent lateral spread
- Contact your IT support provider immediately—don’t attempt to “fix” it yourself
- Preserve evidence by taking photos of ransom messages and noting the time of discovery
- Report the incident to relevant authorities and consider notifying cyber insurance providers
The best-case scenario involves having recent, tested backups that allow complete system restoration with minimal data loss. However, modern ransomware often attempts to encrypt or delete backup files, making recovery more challenging than it once was.
At Resolve Technology, we implement comprehensive backup strategies with immutable storage and regular recovery testing. Our managed clients benefit from continuous monitoring, rapid incident response, and recovery procedures specifically designed for the unique compliance requirements of legal firms, healthcare organisations, and government agencies.
We also provide ongoing security awareness training and implement multi-layered security frameworks tailored to New Zealand’s regulatory environment, helping organisations significantly reduce their risk exposure.
If you’d like to discuss strengthening your organisation’s ransomware defences or need guidance on incident response planning, our team would be happy to help. Contact us to learn more about protecting your critical business systems.
Chris Drowley
General Manager, Resolve Technology
Outside the office, Chris runs a highly organised empire of model trains — where the schedules are always on time, unlike the real thing.
