ransomwareready

Ransomware resilience

The time to survive ransomware is before it hits

Ransomware isn’t bad luck — it’s a repeatable attack chain you can break at every stage. Prepare the backups, controls and plans now, and an attack becomes a bad day, not an existential one.

  • Based on Sophos & Verizon data
  • Vendor-neutral
  • Updated 2026

What is ransomware

Not just encryption — extortion

Ransomware is malware that locks up your data and demands payment. Modern attacks steal it first, so paying doesn’t make the problem go away.

A ransomware attack encrypts your files and systems, then demands a ransom for the decryption key. But the model has evolved: most groups now run double extortion — they exfiltrate your data before encrypting, then threaten to publish it whether or not you can restore from backup.

It’s an industry. Ransomware-as-a-Service (RaaS) lets affiliates rent ready-made toolkits, so attacks are frequent, professional and aimed at organisations of every size.

The good news: an attack is a chain of stages, and readiness lets you break it at each one — stop the entry, contain the spread, protect the backups, and recover on your terms.

The threat

How modern ransomware works

Four things that make today’s ransomware different from a decade ago.

  1. ENTRY

    How it gets in

    The common doors: phishing, stolen or reused credentials, exposed RDP and VPN, and unpatched internet-facing systems. Most attacks start with one of these.

  2. DOUBLE

    Double extortion

    Attackers steal data before encrypting it, then threaten to leak it. This is why backups alone aren’t enough — you also have to keep them from getting in.

  3. RaaS

    Ransomware-as-a-Service

    Criminal groups rent their toolkits to affiliates for a cut. It industrialises attacks and lowers the skill needed, driving up volume across every sector.

  4. TARGET

    Who gets hit

    Every size and sector — and small and mid-sized organisations are frequent targets precisely because they’re less prepared. Suppliers are hit to reach bigger fish.

Get ready

The readiness priorities, in order

You can’t do everything at once. Start where it counts most for surviving and recovering.

  • Priority 1

    Tested, offline backups

    The single control that lets you recover without paying. Keep offline or immutable copies, and actually test restoring them.

    Why: Attackers try to destroy backups in 94% of attacks — offline copies survive it.

  • Priority 2

    MFA and patch the edge

    Close the common front doors: enforce multi-factor authentication and patch internet-facing systems, VPNs and RDP fast.

    Why: Most ransomware enters via stolen logins or unpatched exposed services.

  • Priority 3

    Segmentation and EDR

    Contain the blast radius with network segmentation and least privilege, and detect intruders early with endpoint detection and response.

    Why: Limits lateral movement and catches attackers before they encrypt.

  • Priority 4

    A rehearsed incident plan

    Decide who does what — technical, legal, comms — before an incident, and practise it. A plan on paper isn’t the same as a tested one.

    Why: A rehearsed plan turns chaos into a procedure and cuts recovery time.

Break the chain

Where readiness stops an attack

Step through the five stages of a ransomware attack and see the control that breaks the chain at each one. You don’t need to stop them everywhere — just somewhere.

Attacker

Gets a foothold via a phishing email, stolen or reused credentials, or an exposed, unpatched service like RDP or a VPN gateway.

Breaks the chain

Enforce MFA everywhere, train staff against phishing, and patch or remove internet-facing services. Most attacks die here if the front door is locked.

The cheapest place to stop ransomware is at the entrance.

Test your defences with OffSeq

The numbers

Why readiness pays for itself

Ransomware is common, expensive, and specifically targets the thing that saves you: your backups.

59%
of organisations were hit by ransomware in the past year, across sectors and sizes.
Source: Sophos State of Ransomware, 2024
94%
of ransomware attacks tried to compromise the victim’s backups — making offline copies essential.
Source: Sophos State of Ransomware, 2024
$2.73M
was the average cost to recover from a ransomware attack — excluding any ransom paid.
Source: Sophos State of Ransomware, 2024
~32%
of all breaches involved ransomware or extortion — one of the most common breach types.
Source: Verizon DBIR, 2024

Each figure links to its primary source. Numbers are approximate and updated as new reports are published.

For security teams

Readiness is now a regulatory expectation

Under the EU NIS2 Directive, in-scope organisations must handle incidents, maintain business continuity and backups, and report significant incidents on a tight clock.

The EU NIS2 Directive requires essential and important entities to have incident-handling and business-continuity measures — including backup management — and to submit an early warning of a significant incident within 24 hours of becoming aware of it.
NIS2 Directive (EU) 2022/2555 · EUR-Lex
  • Backups you’ve actually restored

    Offline or immutable backups with tested restores are the difference between recovery and paying. Untested backups fail exactly when you need them.

  • Contain the blast radius

    Segmentation, least privilege and EDR stop one compromised machine from becoming the whole estate encrypted overnight.

  • A rehearsed response

    Tabletop the incident: roles, decision-makers, legal, comms and the 24-hour reporting clock — before it’s real.

  • Test it like an attacker

    A penetration test or ransomware-readiness assessment proves whether your controls actually hold, before a real group finds out for you.

Frequently asked questions

Short, clear answers

What is ransomware?

Ransomware is malicious software that encrypts an organisation’s data and demands payment for its release. Most modern attacks also steal the data first and threaten to leak it — known as double extortion.

Should we pay the ransom?

Authorities generally advise against it. Payment funds further crime, doesn’t guarantee a working decryptor, and doesn’t ensure stolen data won’t be leaked. Tested offline backups and an incident plan are a far more reliable route to recovery. More on paying →

How do we prepare for ransomware?

Start with tested, offline or immutable backups; enforce MFA and patch internet-facing systems; segment the network and deploy EDR; and rehearse an incident-response plan. See the readiness checklist →

Why are backups so important against ransomware?

Because they let you recover without paying. Attackers know this, so they try to find and destroy backups in the vast majority of attacks — which is why the copies must be offline or immutable and tested regularly.

What is double extortion?

Attackers exfiltrate your data before encrypting it, then threaten to publish it. It means good backups alone won’t fully protect you — you also have to prevent the intrusion and detect data theft.

How does ransomware usually get in?

Most commonly through phishing, stolen or reused credentials, and exposed or unpatched internet-facing services such as RDP and VPNs. Closing these entry points stops many attacks at stage one.

What is ransomware-as-a-service (RaaS)?

A criminal business model where groups develop ransomware and rent it to affiliates for a share of the proceeds. It industrialises attacks and lowers the skill needed, increasing their frequency.

Does NIS2 require ransomware preparedness?

NIS2 requires in-scope organisations to have incident handling, business continuity and backup measures, and to report significant incidents quickly — with an early warning within 24 hours. Ransomware readiness is central to meeting it.