RaaS and double extortion: most of the relevant families operate with affiliates. They exfiltrate data first, encrypt afterwards and publish on leak sites when the victim does not pay. The attack combines operational pressure with reputational pressure.
What is ransomware
Ransomware is a type of malware that encrypts files, databases, virtual machines and even entire infrastructures in order to demand a payment in exchange for the decryption key. Today it almost always arrives as double —sometimes triple— extortion: before encrypting, the attacker exfiltrates data and threatens to publish it, and in some cases adds pressure with DDoS or with direct contact to customers, employees and regulators. It is not an isolated virus: behind it sits a professionalised criminal ecosystem, the RaaS (Ransomware-as-a-Service) model, where developers, affiliates, negotiators and initial access brokers split functions and profits like a business.
Why it matters
The cost of the ransom is, more often than not, the least important part. What sinks an organisation is the operational stoppage —halted factories, unbilled services, hospitals rescheduling— and the bill that follows: infrastructure rebuild, legal and forensic fees, customer notifications, regulatory fines, rising cyber-insurance premiums and loss of trust. In the European context, an incident affecting essential services triggers NIS2 (24-hour notification, detailed report), GDPR if personal data is involved, DORA in financial services and ENS in public-sector entities. For a CISO, planning no longer starts from "what if it happens?" but from "how fast will we detect it and contain the blast radius when it happens?". That is why real priorities are immutable and tested backups, strong segmentation, endpoint detection and a rehearsed incident response plan.
Key points
- Typical initial vectors: phishing with attachments or links, exposed services (RDP, VPN without MFA), critical unpatched perimeter vulnerabilities and compromised credentials purchased from initial access brokers. Malware rarely "gets in on its own".
- Lateral movement with legitimate tools: once inside, operators rely on PowerShell, PsExec, WMI, commercial RMMs, Cobalt Strike and admin credentials to propagate. Signature-based detection misses them; you need behavioural analysis and correlated EDR telemetry.
- Priority targets before encryption: domain controllers, virtualization servers (ESXi, Hyper-V) and backup systems. Encrypting at the hypervisor layer takes hundreds of VMs down at once; destroying backups before encryption forces the victim toward payment.
- Regulatory and contractual impact: notification duties to regulators and customers, SLA penalty clauses, extraordinary audits and, in payment scenarios, the sanctions angle (OFAC, EU) if the family or the group is listed.
- Prevention and recovery designed together: immutable backups (3-2-1-1-0), tested restoration, SIEM and EDR able to alert in the early phases, isolation runbooks and a 24x7 SOC capable of acting in the window when the incident can still be contained.
Example: Ransomware attack on an industrial company
A mid-sized industrial company receives an email from a supposed supplier with an attached invoice. An office worker opens the document; the macro downloads a loader that establishes persistence and phones home. During the following week nothing visible happens: the attackers move slowly, obtain credentials from a technician with access to several servers, locate Active Directory, the virtualization cluster and the backup server. Once they have the full map, they exfiltrate hundreds of gigabytes of technical and commercial documentation and, on a weekend night, launch encryption through a GPO: hypervisors, file shares and backups become unreadable in parallel.
On Monday morning production lines do not start. The team activates the incident response plan: network isolation, crisis committee, contact with the cyber-insurer, the data protection authority and the competent authorities under NIS2. Technical assessment confirms that on-site copies are encrypted, but an immutable off-site copy from two days earlier is available: the company opts to rebuild from there instead of paying. The full operation takes more than two weeks, with partial production supported on isolated workstations, controlled communication to customers and material financial losses; the lesson, however, is clear: without that off-site copy and a rehearsed runbook, the decision would have been far worse.
Common mistakes
- Assuming on-premises backups are enough. Modern ransomware specifically targets backup servers, storage arrays and backup tool credentials. If copies are reachable from the compromised network, they are likely lost with everything else. The minimum bar is an off-site copy, immutable or WORM, and tested restoration.
- Having no written, rehearsed response plan. In the heat of an incident, without runbook or pre-assigned roles, the first hours —the most valuable ones— are wasted deciding who decides, who is notified and how to communicate. The plan must cover payment decisions, legal notifications, continuity and communications to customers and employees.
- Ignoring early phases: anomalous logins, new privileged accounts, unusual use of PsExec or PowerShell, antivirus being disabled, sustained outbound traffic to unknown domains. Encryption arrives at the end; the attacker has been inside for days. Without SIEM and EDR in detection+response mode those events go unnoticed.
- Resolving the incident without touching the root causes. Restoring from backup without rotating credentials, without closing the initial vector (VPN without MFA, exposed service, leaked credential) and without a proper investigation is an invitation for the attacker to return in weeks, often with the same family or another affiliate of the same RaaS.
- Relying exclusively on cyber-insurance. Policies cover part of the cost and give access to specialists, but they increasingly require strict pre-conditions (MFA, EDR, offline backups, response plan) and exclude specific scenarios. Without basic hygiene, premiums rise or coverage is not renewed.
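The 3-2-1-1-0 rule named in the key points and the first mistake above (backups reachable from the compromised network) can be checked mechanically rather than declared on paper. As an added example that is not part of the original entry, the following Python evaluates a constructed backup inventory against the five elements of the rule and verifies each test restore against a SHA-256 manifest recorded at backup time; the inventory format, copy names, media and sample file contents are assumptions made for this illustration, not any vendor's format.

```python
"""Check a backup inventory against 3-2-1-1-0 and verify test restores by hash.

Added example with constructed data: copy names, media and file contents are
assumptions for the illustration, not the page's or any backup product's.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class BackupCopy:
    name: str
    medium: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool      # WORM / object lock / offline (air-gapped) copy
    restored: dict = field(default_factory=dict)  # last test restore: path -> bytes


# Constructed production data and the manifest recorded when the backup was taken
ORIGINAL_FILES = {
    "erp/orders.db": b"order-1;order-2;order-3",
    "cad/part-17.step": b"ISO-10303-21;HEADER;",
}


def manifest_of(files):
    """SHA-256 per path, captured at backup time and stored apart from the copies."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


MANIFEST = manifest_of(ORIGINAL_FILES)


def verify_restore(manifest, restored):
    """List every path that is missing from, or does not hash-match, the restored set."""
    problems = []
    for path, digest in manifest.items():
        data = restored.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"corrupt: {path}")
    return problems


def check_3_2_1_1_0(copies, manifest):
    """Evaluate the five elements; the production copy counts as one of the three."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        "0_errors": all(not verify_restore(manifest, c.restored) for c in copies),
    }


def usable_copies(copies, manifest):
    """Names of the copies whose test restore matches the manifest completely."""
    return [c.name for c in copies if not verify_restore(manifest, c.restored)]


def unreadable(files):
    """Constructed stand-in for a copy that was encrypted: same paths, garbage bytes."""
    return {path: bytes(len(data)) for path, data in files.items()}


def healthy_inventory():
    """Inventory as it looks during a routine restore drill (all copies intact)."""
    return [
        BackupCopy("production", "disk", False, False, dict(ORIGINAL_FILES)),
        BackupCopy("onsite-nas", "disk", False, False, dict(ORIGINAL_FILES)),
        BackupCopy("offsite-objectlock", "object-storage", True, True, dict(ORIGINAL_FILES)),
    ]


def post_incident_inventory():
    """Everything reachable from the compromised network (non-immutable copies) is encrypted."""
    copies = healthy_inventory()
    for c in copies:
        if not c.immutable:
            c.restored = unreadable(c.restored)
    return copies


if __name__ == "__main__":
    print("routine drill:", check_3_2_1_1_0(healthy_inventory(), MANIFEST))
    print("after incident, usable copies:", usable_copies(post_incident_inventory(), MANIFEST))
```

The manifest is kept separate from the copies on purpose: a hash list that lives on the same storage as the backup is encrypted with it and can no longer tell a clean restore from a damaged one. Run in the post-incident state, the same routine answers the question the scenario above turned on: which copy can actually be rebuilt from.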
Frequently asked questions
Should we pay the ransom?
The general guidance is not to pay without legal, technical and cyber-insurance advice. Paying funds the criminal infrastructure, guarantees neither a working decryptor nor that exfiltrated data will not be published anyway, and may breach sanctions regulations if the group is on international lists (OFAC, EU). The sensible path is to activate the incident response plan, notify competent authorities and the cyber-insurer, evaluate the viability of restoring from immutable backups and make the payment decision through a crisis committee with full legal, operational and reputational context.
Can ransomware be detected before encryption completes?
Yes, and that is where detection earns its keep. Dwell times are typically days or even weeks before the encryption event, and attackers leave a trail: credential theft on domain controllers, unusual use of PowerShell or PsExec, creation of privileged accounts, disabling of endpoint protection, sustained outbound traffic to unknown infrastructure. With a well-tuned SIEM, EDR in response mode and strict network segmentation, those signals can be acted on in hours. A working 24x7 SOC is usually the difference between a contained incident and an organisation-wide outage.
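The "ignoring early phases" mistake and this answer list the same pre-encryption signals: new privileged accounts, PsExec and PowerShell abuse, endpoint protection being disabled, sustained outbound traffic. As an added illustration that is not from the original entry, the following Python correlates those signals over a constructed batch of Windows-style events and escalates any host showing two or more distinct ones; the event field names, the egress allowlist and the byte threshold are assumptions made for this example, while the event IDs it keys on are the standard Windows ones (4720 account created, 4728/4732 group membership added, 7045 service installed, 4688 process created, Defender 5001 real-time protection disabled).

```python
"""Flag early-phase ransomware signals in a batch of constructed Windows events.

Added example: the event dicts, field names, allowlist and thresholds are
assumptions made for this illustration, not the page's own material.
"""
from collections import defaultdict

SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Backup Operators"}
KNOWN_EGRESS = {"updates.vendor.example"}      # constructed allowlist of expected destinations
EGRESS_THRESHOLD = 500 * 2**20                 # 500 MiB outbound per host/destination pair
POWERSHELL_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop")

# Constructed sample batch: one night of activity on three hosts.
SAMPLE_EVENTS = [
    {"ts": "02:13:04", "host": "DC01", "event_id": 4720, "user": "svc_backup2", "actor": "j.tech"},
    {"ts": "02:13:20", "host": "DC01", "event_id": 4728, "group": "Domain Admins",
     "member": "svc_backup2", "actor": "j.tech"},
    {"ts": "02:15:01", "host": "FS01", "event_id": 7045, "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "02:16:40", "host": "FS01", "event_id": 4688, "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64_PLACEHOLDER"},
    {"ts": "02:18:02", "host": "FS01", "event_id": 5001, "source": "Windows Defender"},
    {"ts": "02:20:00", "host": "FS01", "event_id": "net", "dst": "sync-7f3.example", "bytes_out": 300 * 2**20},
    {"ts": "03:05:00", "host": "FS01", "event_id": "net", "dst": "sync-7f3.example", "bytes_out": 350 * 2**20},
    {"ts": "09:30:00", "host": "WS17", "event_id": 4688, "process": "excel.exe", "cmdline": "excel.exe invoice.xlsx"},
    {"ts": "09:31:00", "host": "WS17", "event_id": "net", "dst": "updates.vendor.example", "bytes_out": 700 * 2**20},
    {"ts": "09:40:00", "host": "WS17", "event_id": "net", "dst": "cdn.news.example", "bytes_out": 10 * 2**20},
]


def check_event(ev):
    """Return (signal, detail) when a single event is an early-phase indicator, else None."""
    eid = ev.get("event_id")
    if eid == 4720:
        return ("new_account", f"{ev['actor']} created account {ev['user']}")
    if eid in (4728, 4732) and ev.get("group") in SENSITIVE_GROUPS:
        return ("privileged_group_change", f"{ev['member']} added to {ev['group']} by {ev['actor']}")
    if eid == 7045 and ev.get("service", "").upper() == "PSEXESVC":
        return ("psexec_service", f"PsExec service installed: {ev['image']}")
    if eid == 4688 and ev.get("process", "").lower() == "powershell.exe":
        cmd = ev.get("cmdline", "").lower()
        if any(flag in cmd for flag in POWERSHELL_FLAGS):
            return ("suspicious_powershell", cmd[:80])
    if eid == 5001:
        return ("av_disabled", f"real-time protection disabled on {ev['host']}")
    return None


def check_egress(events):
    """Sum outbound bytes per (host, destination); flag sustained transfers to unlisted hosts."""
    totals = defaultdict(int)
    for ev in events:
        if ev.get("event_id") == "net" and ev["dst"] not in KNOWN_EGRESS:
            totals[(ev["host"], ev["dst"])] += ev["bytes_out"]
    return [(host, "bulk_egress", f"{sent // 2**20} MiB to {dst}")
            for (host, dst), sent in totals.items() if sent >= EGRESS_THRESHOLD]


def analyse(events):
    """Return findings per host and the hosts with two or more distinct signal types."""
    findings = defaultdict(list)
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings[ev["host"]].append(hit)
    for host, signal, detail in check_egress(events):
        findings[host].append((signal, detail))
    escalate = sorted(h for h, f in findings.items() if len({s for s, _ in f}) >= 2)
    return dict(findings), escalate


if __name__ == "__main__":
    findings, escalate = analyse(SAMPLE_EVENTS)
    for host, hits in findings.items():
        print(host, hits)
    print("escalate:", escalate)
```

Each rule on its own is noisy (administrators do create accounts and run PowerShell); the value comes from correlating distinct signal types on one host inside a short window, which is what the escalation step does. The office workstation that downloads a large vendor update to an allowlisted destination is deliberately left quiet, so the example also shows why the allowlist belongs in the rule rather than in the analyst's head.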
What is the difference between ransomware and wiper malware?
Ransomware encrypts data and demands payment for decryption keys; it preserves data as leverage. Wiper malware is designed to destroy without offering recovery: the goal is disruption, not extortion, and it appears more often in state-sponsored or sabotage campaigns. Defensively both require the same essentials —early detection, segmentation, offline and immutable backups— but with a wiper the payment option does not exist, so preparation and resilience are the only answer.
How long does recovery take in practice?
It depends heavily on scope, quality of backups and system complexity. A contained incident on a single workstation may be hours. An enterprise-wide attack that has touched domain controllers, hypervisors and backups typically takes weeks, including time to rebuild from verified clean media, validate integrity, harden what was weak and run digital forensics. A realistic plan assumes that some systems will not be fully restored: some data is accepted as lost, some architecture is rebuilt instead of recovered. That is why recovery objectives (RTO/RPO) must be tested against real scenarios, not declared on paper.