Ransomware resilience
The time to survive ransomware is before it hits
Ransomware isn’t bad luck — it’s a repeatable attack chain you can break at every stage. Prepare the backups, controls and plans now, and an attack becomes a bad day, not an existential one.
- Based on Sophos & Verizon data
- Vendor-neutral
- Updated 2026
What is ransomware
Not just encryption — extortion
Ransomware is malware that locks up your data and demands payment. Modern attacks steal it first, so paying doesn’t make the problem go away.
A ransomware attack encrypts your files and systems, then demands a ransom for the decryption key. But the model has evolved: most groups now run double extortion — they exfiltrate your data before encrypting, then threaten to publish it whether or not you can restore from backup.
It’s an industry. Ransomware-as-a-Service (RaaS) lets affiliates rent ready-made toolkits, so attacks are frequent, professional and aimed at organisations of every size.
The good news: an attack is a chain of stages, and readiness lets you break it at each one — stop the entry, contain the spread, protect the backups, and recover on your terms.
The threat
How modern ransomware works
Four things that make today’s ransomware different from a decade ago.
- ENTRY
How it gets in
The common doors: phishing, stolen or reused credentials, exposed RDP and VPN, and unpatched internet-facing systems. Most attacks start with one of these.
- DOUBLE
Double extortion
Attackers steal data before encrypting it, then threaten to leak it. This is why backups alone aren’t enough — you also have to keep them from getting in.
- RaaS
Ransomware-as-a-Service
Criminal groups rent their toolkits to affiliates for a cut. It industrialises attacks and lowers the skill needed, driving up volume across every sector.
- TARGET
Who gets hit
Every size and sector — and small and mid-sized organisations are frequent targets precisely because they’re less prepared. Suppliers are hit to reach bigger fish.
Get ready
The readiness priorities, in order
You can’t do everything at once. Start where it counts most for surviving and recovering.
- Priority 1
Tested, offline backups
The single control that lets you recover without paying. Keep offline or immutable copies, and actually test restoring them.
Why: Attackers try to destroy backups in 94% of attacks — offline copies survive it.
- Priority 2
MFA and patch the edge
Close the common front doors: enforce multi-factor authentication and patch internet-facing systems, VPNs and RDP fast.
Why: Most ransomware enters via stolen logins or unpatched exposed services.
- Priority 3
Segmentation and EDR
Contain the blast radius with network segmentation and least privilege, and detect intruders early with endpoint detection and response.
Why: Limits lateral movement and catches attackers before they encrypt.
- Priority 4
A rehearsed incident plan
Decide who does what — technical, legal, comms — before an incident, and practise it. A plan on paper isn’t the same as a tested one.
Why: A rehearsed plan turns chaos into a procedure and cuts recovery time.
Break the chain
Where readiness stops an attack
Step through the five stages of a ransomware attack and see the control that breaks the chain at each one. You don’t need to stop them everywhere — just somewhere.
Gets a foothold via a phishing email, stolen or reused credentials, or an exposed, unpatched service like RDP or a VPN gateway.
Enforce MFA everywhere, train staff against phishing, and patch or remove internet-facing services. Most attacks die here if the front door is locked.
The cheapest place to stop ransomware is at the entrance.
Escalates privileges and moves laterally, hunting for domain admin and mapping the network toward high-value systems.
Apply least privilege and tiered admin, segment the network, and run EDR to detect the recon and lateral movement before it reaches everything.
Copies sensitive data out of the network to use for double extortion — the "pay or we leak it" threat.
Monitor and restrict outbound traffic, alert on large or unusual transfers, and block unknown cloud storage. Catching exfiltration limits the leverage.
Deploys the ransomware, tries to delete or encrypt backups first, then encrypts systems across the estate.
Keep offline or immutable backups with separate credentials, and test restores. If the backups survive, encryption loses most of its power.
Demands a ransom and threatens to leak the stolen data, applying time pressure and public naming.
Execute a rehearsed incident plan: contain, involve legal and comms, restore from clean backups, and report as required — without relying on paying.
Preparation here is what turns a crisis into a controlled recovery.
The numbers
Why readiness pays for itself
Ransomware is common, expensive, and specifically targets the thing that saves you: your backups.
Each figure links to its primary source. Numbers are approximate and updated as new reports are published.
For security teams
Readiness is now a regulatory expectation
Under the EU NIS2 Directive, in-scope organisations must handle incidents, maintain business continuity and backups, and report significant incidents on a tight clock.
The EU NIS2 Directive requires essential and important entities to have incident-handling and business-continuity measures — including backup management — and to submit an early warning of a significant incident within 24 hours of becoming aware of it.
-
Backups you’ve actually restored
Offline or immutable backups with tested restores are the difference between recovery and paying. Untested backups fail exactly when you need them.
-
Contain the blast radius
Segmentation, least privilege and EDR stop one compromised machine from becoming the whole estate encrypted overnight.
-
A rehearsed response
Tabletop the incident: roles, decision-makers, legal, comms and the 24-hour reporting clock — before it’s real.
-
Test it like an attacker
A penetration test or ransomware-readiness assessment proves whether your controls actually hold, before a real group finds out for you.
Guides
Go deeper
Plain-English guides to preparing for, resisting and recovering from ransomware.
-
Ransomware readiness checklist: the controls that matter most
A prioritised checklist to prepare for ransomware — starting with the backups and access controls that decide whether you recover or pay.
Read guide -
Should you pay the ransom? What to weigh before deciding
Paying rarely delivers what victims hope. Here’s what to consider — and why preparation beats the payment dilemma entirely.
Read guide -
Building a ransomware recovery plan that works under pressure
A recovery plan is what turns a ransomware crisis into a procedure. Here’s what belongs in one — and why rehearsal matters.
Read guide
Frequently asked questions
Short, clear answers
What is ransomware?
Ransomware is malicious software that encrypts an organisation’s data and demands payment for its release. Most modern attacks also steal the data first and threaten to leak it — known as double extortion.
Should we pay the ransom?
Authorities generally advise against it. Payment funds further crime, doesn’t guarantee a working decryptor, and doesn’t ensure stolen data won’t be leaked. Tested offline backups and an incident plan are a far more reliable route to recovery. More on paying →
How do we prepare for ransomware?
Start with tested, offline or immutable backups; enforce MFA and patch internet-facing systems; segment the network and deploy EDR; and rehearse an incident-response plan. See the readiness checklist →
Why are backups so important against ransomware?
Because they let you recover without paying. Attackers know this, so they try to find and destroy backups in the vast majority of attacks — which is why the copies must be offline or immutable and tested regularly.
What is double extortion?
Attackers exfiltrate your data before encrypting it, then threaten to publish it. It means good backups alone won’t fully protect you — you also have to prevent the intrusion and detect data theft.
How does ransomware usually get in?
Most commonly through phishing, stolen or reused credentials, and exposed or unpatched internet-facing services such as RDP and VPNs. Closing these entry points stops many attacks at stage one.
What is ransomware-as-a-service (RaaS)?
A criminal business model where groups develop ransomware and rent it to affiliates for a share of the proceeds. It industrialises attacks and lowers the skill needed, increasing their frequency.
Does NIS2 require ransomware preparedness?
NIS2 requires in-scope organisations to have incident handling, business continuity and backup measures, and to report significant incidents quickly — with an early warning within 24 hours. Ransomware readiness is central to meeting it.