Ransomware in 2025: Understanding the Threat and Building a Resilient Defence
In 2024, ransomware attacks caused over $1 billion in ransom payments globally — and that figure excludes the far larger costs of downtime, recovery, and reputational damage. No sector is immune: hospitals, manufacturers, law firms, and local governments have all been hit. Understanding how ransomware works is the first step to making your organisation genuinely resilient.
Ransomware has completed a transformation from opportunistic malware that spread indiscriminately to a highly organised criminal industry with dedicated business units, affiliate programmes, customer service portals, and negotiation teams. The model — called Ransomware-as-a-Service (RaaS) — means that sophisticated attack capabilities are now available to criminals with no technical expertise, as long as they pay a cut of any ransom collected.
What has changed most profoundly is the approach. Modern ransomware operators do not simply encrypt files and demand payment. They spend weeks inside a network — escalating privileges, exfiltrating sensitive data, identifying backup systems to destroy — before triggering the encryption. This 'double extortion' (encrypt and threaten to publish) means paying the ransom does not guarantee the problem goes away.
01 The ransomware ecosystem today
The ransomware industry now operates with a level of professionalism that rivals legitimate software businesses. Major groups like LockBit, ALPHV/BlackCat, and Cl0p maintain affiliate programmes where criminal partners deploy ransomware in exchange for a percentage of ransom payments — typically 70–80% to the affiliate, 20–30% to the group.
This industrialisation has several important implications for defenders: attacks are now persistent, patient, and targeted. Initial access brokers sell footholds in corporate networks on dark web markets. Negotiators handle victim communications professionally. Some groups have even published 'vulnerability disclosure' policies and maintain PR operations.
- Ransomware-as-a-Service (RaaS): criminal groups licence ransomware toolkits to affiliates, lowering the technical barrier to launching sophisticated attacks against enterprises.
- Double extortion: attackers exfiltrate data before encrypting it, then threaten to publish sensitive files on a leak site if the ransom is not paid. Backups restore operations but do nothing about the stolen copy, so backups alone no longer end the incident.
- Triple extortion (a growing trend): attackers also target the victim's customers or partners, threatening to release their data too, to maximise leverage.
- Initial access brokers: a separate criminal market sells persistent access to compromised networks, so ransomware groups can concentrate on the extortion phase.
02 How a ransomware attack actually unfolds
Understanding the attack timeline is critical because defences are most effective at specific stages. Modern ransomware attacks typically follow a multi-stage process that can span weeks or months before any encryption occurs:
- Initial access: most commonly phishing emails (credential harvesting or malicious attachments), exploitation of public-facing vulnerabilities (VPN appliances, exposed RDP, web applications), or access purchased from an initial access broker.
- Persistence and reconnaissance: the attacker establishes persistence (scheduled tasks, registry modifications), surveys the network, and identifies domain controllers, backup systems and high-value data stores.
- Privilege escalation: the attacker elevates to local administrator or domain admin using credential-theft tools such as Mimikatz, misconfigured services, or unpatched local privilege escalation vulnerabilities.
- Lateral movement: using stolen credentials and tools such as PsExec, WMI or Cobalt Strike, the attacker spreads across the network, and can reach domain controllers within hours of the initial foothold.
- Data exfiltration: sensitive data (financial records, customer PII, intellectual property) is copied to attacker-controlled infrastructure before any encryption begins.
- Impact: backup systems are disabled or destroyed first (shadow copies deleted, backup agents stopped), then the ransomware is deployed simultaneously across all compromised systems. The ransom note demands payment by a deadline.
The key insight for defenders: the encryption event is the end of the attack, not the beginning. By the time files are encrypted, the attacker has usually been in the network for days or weeks. Effective defence focuses on detecting and ejecting the attacker during the pre-encryption stages.
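To make the pre-encryption stages concrete, here is an added example (not code from the original article) that maps constructed log events onto the stages above and reports how much time a defender had between the first detectable step and the impact stage. The channel names, field layouts, rule patterns and the sample events are assumptions built for illustration, loosely modelled on Windows Security, System and Sysmon logging; they are not a vendor's detection content.

```python
"""Map endpoint and AD log events onto ransomware attack stages.

Added example, not code from the original article. The event records
are constructed samples modelled loosely on Windows Security, System
and Sysmon logging; channel names, field names and rule patterns are
assumptions chosen for illustration, not a vendor's rule set.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Same order as the timeline in the text: the later the stage of the
# first detection, the less time is left before encryption.
STAGES = ["initial_access", "persistence", "privilege_escalation",
          "lateral_movement", "exfiltration", "impact"]


@dataclass(frozen=True)
class Rule:
    name: str
    stage: str
    source: str          # "Channel:EventID" the rule applies to
    pattern: re.Pattern  # searched in the event's detail string


RULES = [
    # Persistence: scheduled task whose action runs from a user-writable path.
    Rule("scheduled-task-from-writable-path", "persistence", "Security:4698",
         re.compile(r"\\Users\\Public\\|\\AppData\\|powershell", re.I)),
    # Credential theft: a process under C:\Users opening a handle to lsass.exe.
    Rule("lsass-handle-from-user-process", "privilege_escalation", "Sysmon:10",
         re.compile(r"SourceImage: C:\\Users\\.*TargetImage: .*\\lsass\.exe", re.I)),
    # Lateral movement: PsExec installs its service on the target host.
    Rule("psexec-service-installed", "lateral_movement", "System:7045",
         re.compile(r"PSEXESVC", re.I)),
    # Exfiltration: sync or archive tooling launched on a file server.
    Rule("sync-tool-on-file-server", "exfiltration", "Sysmon:1",
         re.compile(r"\b(rclone|megasync|7z|winrar)\b", re.I)),
    # Impact: shadow copies and boot recovery removed just before encryption.
    Rule("shadow-copies-deleted", "impact", "Sysmon:1",
         re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    Rule("boot-recovery-disabled", "impact", "Sysmon:1",
         re.compile(r"bcdedit.*recoveryenabled\s+no", re.I)),
]

SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"ts": "2025-03-01T02:14:00Z", "host": "ws-017", "source": "Security:4698",
     "detail": "Task Name: \\Updater Action: C:\\Users\\Public\\upd.exe"},
    {"ts": "2025-03-01T02:40:00Z", "host": "ws-017", "source": "Sysmon:10",
     "detail": "SourceImage: C:\\Users\\Public\\upd.exe TargetImage: C:\\Windows\\system32\\lsass.exe"},
    {"ts": "2025-03-01T03:05:00Z", "host": "srv-files01", "source": "System:7045",
     "detail": "Service Name: PSEXESVC ImagePath: %SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2025-03-02T22:10:00Z", "host": "srv-files01", "source": "Sysmon:1",
     "detail": "CommandLine: rclone.exe copy D:\\Finance remote:drop --transfers 16"},
    {"ts": "2025-03-03T01:00:00Z", "host": "srv-files01", "source": "Sysmon:1",
     "detail": "CommandLine: vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-03-03T01:00:05Z", "host": "srv-files01", "source": "Sysmon:1",
     "detail": "CommandLine: bcdedit /set {default} recoveryenabled no"},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(events: list) -> tuple:
    """Return detections in time order and the furthest stage reached (or None)."""
    hits = []
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        for rule in RULES:
            if ev["source"] == rule.source and rule.pattern.search(ev["detail"]):
                hits.append({"ts": ev["ts"], "host": ev["host"],
                             "rule": rule.name, "stage": rule.stage})
    furthest = max((STAGES.index(h["stage"]) for h in hits), default=-1)
    return hits, (STAGES[furthest] if furthest >= 0 else None)


def hours_to_impact(hits: list):
    """Hours from the earliest detection to the first impact-stage event: the
    window in which containment would still have prevented encryption.
    Returns None if no impact-stage event has been seen."""
    impact = [h for h in hits if h["stage"] == "impact"]
    if not hits or not impact:
        return None
    delta = _parse_ts(impact[0]["ts"]) - _parse_ts(hits[0]["ts"])
    return delta.total_seconds() / 3600


if __name__ == "__main__":
    hits, stage = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"]} {h["host"]:<12} {h["stage"]:<20} {h["rule"]}')
    print("furthest stage:", stage,
          "| hours from first detection to impact:", round(hours_to_impact(hits), 1))
```

On the constructed events the six records triage to five stages over roughly 47 hours, which is the window in which isolating ws-017 after the scheduled-task or LSASS detection would have prevented the encryption. Real rules need tuning against baseline noise (administrators who legitimately use PsExec, backup software that touches many files), but the structure matters: a stage label on every detection lets the SOC prioritise by how far along the chain the intruder already is.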
03 The true cost of a ransomware attack
Organisations are often focused on the ransom demand, but the ransom is typically the smallest component of the total cost. Downtime is far more damaging: the average recovery time after a ransomware attack is 22 days, according to Sophos research. For a mid-sized manufacturer, 22 days of disruption can mean tens of millions in lost revenue.
Beyond the immediate financial hit, the medium-term costs include: forensic investigation and incident response, legal counsel, regulatory notification (mandatory under GDPR and Vietnam's Decree 13/2023), customer notification, credit monitoring for affected individuals, and the reputational damage that drives customer churn for months afterwards. Cyber insurers have responded by dramatically increasing premiums and reducing coverage for organisations without basic hygiene controls in place.
“Ransomware payment is rarely the end of the story. Organisations that paid saw their data published 40% of the time, and 80% of victims who paid were attacked again within the year.”
04 The 3-2-1-1-0 backup strategy
Backups are the cornerstone of ransomware recovery, but only if the backup architecture is designed to survive an adversary who specifically hunts for and destroys backup systems. The updated 3-2-1-1-0 rule is the industry standard:
- 3 copies of the data: one production copy and two backup copies, so that a single corrupted or encrypted copy is not fatal.
- 2 different media: e.g. local disk and cloud object storage. Different media types protect against media-specific failures.
- 1 copy offsite: a geographically separate copy protects against site-wide events (fire, flood, loss of the data centre). Note that an offsite copy that is still reachable over the corporate network can be encrypted along with everything else; that gap is what the next rule closes.
- 1 copy offline or immutable: a backup that ransomware cannot reach or modify, either air-gapped (offline) or on immutable storage (cloud object lock / WORM) with a retention period the attacker cannot shorten. This is the recovery lifeline.
- 0 errors after verification: all backups are regularly tested with actual restore operations, and the results are recorded.
The critical addition to the classic 3-2-1 rule is 'zero errors verified': backups must be tested regularly with documented restore procedures. Unverified backups are not backups; they are hopes.
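An added example (not from the original article) that encodes the five rules as a check and, for the '0', actually restores each copy and compares hashes against production rather than trusting the backup job's success status. The Copy record, the in-memory stand-in for a test restore, and the sample files are assumptions for illustration; in a real job the restore step would call the backup platform and hash the files it hands back.

```python
"""Check a backup plan against 3-2-1-1-0 and prove the '0' with real restores.

Added example, not code from the original article. The Copy record,
the in-memory stand-in for a restore and the sample data are all
assumptions for illustration; a real job would drive the backup
platform's restore API and hash what comes back.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Copy:
    location: str
    media: str                 # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool            # object lock / WORM / offline air-gapped
    # path -> bytes as returned by a test restore (assumption: stands in
    # for the real restore operation)
    restored: dict = field(default_factory=dict)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_restore(copy: Copy, expected: dict) -> list:
    """Compare every restored file with the production hash; return errors."""
    errors = []
    for path, digest in expected.items():
        blob = copy.restored.get(path)
        if blob is None:
            errors.append(f"{copy.location}: {path} missing from restore")
        elif sha256(blob) != digest:
            errors.append(f"{copy.location}: {path} hash mismatch (corrupt or encrypted)")
    return errors


def evaluate_32110(production: dict, copies: list, production_media: str = "disk") -> list:
    """Return a list of rule failures; an empty list means 3-2-1-1-0 holds."""
    findings = []
    if 1 + len(copies) < 3:
        findings.append(f"3 copies: only {1 + len(copies)} including production")
    media = {production_media} | {c.media for c in copies}
    if len(media) < 2:
        findings.append("2 media: every copy is on the same media as production")
    if not any(c.offsite for c in copies):
        findings.append("1 offsite: no geographically separate copy")
    if not any(c.immutable for c in copies):
        findings.append("1 immutable: no air-gapped or object-locked copy")
    expected = {p: sha256(b) for p, b in production.items()}
    for copy in copies:
        for err in verify_restore(copy, expected):
            findings.append(f"0 errors: {err}")
    return findings


# Constructed sample data set (not real files).
PRODUCTION = {
    "db/ledger.sqlite": b"SQLite format 3\x00" + b"\x00" * 64,
    "docs/contracts.pdf": b"%PDF-1.7 constructed sample contract text",
}

GOOD_COPIES = [
    Copy("nas-onsite", "disk", offsite=False, immutable=False, restored=dict(PRODUCTION)),
    Copy("s3-objectlock-eu", "object-storage", offsite=True, immutable=True,
         restored=dict(PRODUCTION)),
]

# Same plan after the adversary reached the NAS: one file encrypted in place,
# and the cloud copy was never object-locked.
BAD_COPIES = [
    Copy("nas-onsite", "disk", offsite=False, immutable=False,
         restored={**PRODUCTION, "db/ledger.sqlite": b"LOCKED" + b"\x9a" * 64}),
    Copy("s3-eu", "object-storage", offsite=True, immutable=False,
         restored=dict(PRODUCTION)),
]

if __name__ == "__main__":
    for label, copies in (("good plan", GOOD_COPIES), ("bad plan", BAD_COPIES)):
        findings = evaluate_32110(PRODUCTION, copies)
        print(label, "->", "compliant" if not findings else findings)
```

The second scenario is the one that matters: the backup job on the NAS would still report success, because it faithfully backed up the encrypted file. Only a restore-and-hash comparison exposes it, and only an immutable copy with its own retention lock gives you something clean to restore from.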
05 Building a ransomware-resilient organisation
Resilience against ransomware comes from layered defences: no single control stops every attack, but the combination dramatically reduces both the likelihood of compromise and the impact when it occurs:
- Email security: email remains the primary initial access vector. Deploy advanced email filtering, publish SPF and DKIM with an enforcing DMARC policy (p=quarantine or p=reject rather than p=none), and run regular simulated phishing campaigns to train users.
- Patch management: most ransomware intrusions exploit vulnerabilities for which patches already exist. A 30-day patching cycle for critical and high-severity vulnerabilities, with a much shorter window for internet-facing systems and actively exploited flaws, closes most of the entry points attackers actually use.
- Endpoint detection and response (EDR): modern EDR detects ransomware behaviour (mass file encryption, shadow copy deletion, credential dumping) and can automatically isolate a compromised host before the attack spreads.
- Privileged access management (PAM): restrict domain admin and local admin rights aggressively. Most lateral movement relies on over-privileged credentials; shrinking the privileged account surface dramatically limits how far an attacker can move.
- Network segmentation: segment critical systems (financial, production, backup) from the rest of the network. An infection in one segment should not be able to spread automatically to all others.
- Incident response plan: have a documented, tested incident response plan written for ransomware specifically. Know who makes decisions, who calls law enforcement and who communicates with customers before an attack, not during it.
The goal is not to make your organisation impenetrable (that is impossible) but to make the attack cost more than the ransom would yield, while ensuring you can recover cleanly even if some data is encrypted.
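As an added example of the behavioural detection the EDR item refers to (it is not code from the original article or from any EDR product), the following compares two snapshots of a directory and flags files whose content jumped from low to high entropy or acquired a new suffix, which is the on-disk signature of in-place encryption. The thresholds, the simulated attack and the constructed document share are assumptions for illustration.

```python
"""Flag mass encryption the way an EDR behavioural rule would.

Added example, not code from the original article. It compares two
snapshots of a directory (entropy of the first 4 KiB of each file, keyed
by name) and flags files that jumped from low to high entropy or were
renamed with an appended suffix. Thresholds and the simulated attack are
assumptions for illustration; a production EDR also uses process
lineage, write rates and shadow-copy telemetry.
"""
import math
import os
import shutil
import tempfile
from collections import Counter

SAMPLE_BYTES = 4096
ENTROPY_JUMP = 2.0      # bits/byte; plain text is roughly 4-5, encrypted data ~7.9
HIGH_ENTROPY = 7.0
ALERT_RATIO = 0.5       # fraction of baseline files flagged before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """relative path -> entropy of the file's first SAMPLE_BYTES."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                snap[os.path.relpath(path, root)] = shannon_entropy(f.read(SAMPLE_BYTES))
    return snap


def compare(before: dict, after: dict) -> dict:
    """Match each current file to its baseline (same path, or the baseline path
    plus an appended suffix, as ransomware usually renames) and flag changes."""
    flagged = []
    for path, ent in after.items():
        orig = path if path in before else os.path.splitext(path)[0]
        if orig not in before:
            continue  # new file: nothing to compare against
        renamed = orig != path
        if ent - before[orig] >= ENTROPY_JUMP or (renamed and ent >= HIGH_ENTROPY):
            flagged.append(path)
    ratio = len(flagged) / len(before) if before else 0.0
    return {"flagged": sorted(flagged), "ratio": ratio, "alert": ratio >= ALERT_RATIO}


def simulate(n_files: int = 10) -> tuple:
    """Build a constructed document share, snapshot it, then run a benign edit
    and a simulated encrypt-and-rename pass. Returns (benign, attack) results."""
    root = tempfile.mkdtemp(prefix="share-")
    try:
        for i in range(n_files):
            with open(os.path.join(root, f"report-{i}.txt"), "w") as f:
                f.write(f"Quarterly report {i}: revenue, costs, headcount.\n" * 120)
        baseline = snapshot(root)

        # Benign change: a user appends a line to one document.
        with open(os.path.join(root, "report-0.txt"), "a") as f:
            f.write("Addendum: figures reviewed.\n")
        benign = compare(baseline, snapshot(root))

        # Attack: every file replaced by random bytes under a ".locked" name.
        for name in list(os.listdir(root)):
            src = os.path.join(root, name)
            with open(src + ".locked", "wb") as f:
                f.write(os.urandom(SAMPLE_BYTES))
            os.remove(src)
        attack = compare(baseline, snapshot(root))
        return benign, attack
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    benign, attack = simulate()
    print("benign edit :", benign["ratio"], "alert" if benign["alert"] else "no alert")
    print("mass encrypt:", attack["ratio"], "alert" if attack["alert"] else "no alert",
          attack["flagged"][:3], "...")
```

Two caveats a practitioner will hit: archives, images and already-encrypted files are high-entropy from the start, which is why the check keys off the change from baseline rather than absolute entropy; and waiting until half the share is flagged is far too late, so a real EDR acts on the first handful of files from one process and isolates the host, as the item above describes.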
06 If you are attacked: what to do in the first 24 hours
The first 24 hours of a ransomware incident are critical. Actions taken in this window either contain the damage or allow it to compound. Speed and discipline both matter:
- Isolate, do not power off: disconnect affected systems from the network immediately (pull the cable, disable the switch port, or use EDR host isolation), but keep them powered on. Hasty shutdowns destroy volatile evidence such as memory contents and running processes that investigators need.
- Activate the IR plan: if you do not have internal capability, engage a retained incident response firm immediately. Time from detection to containment is the primary cost driver.
- Preserve the evidence: forensic investigation needs logs from the SIEM, EDR, firewalls and Active Directory. Make sure logs are being captured to a system the attacker cannot reach before they are deleted, and hash everything you collect.
- Check the backups: immediately verify whether your immutable or air-gapped backups are intact. This determines whether you can recover without paying.
- Do not decide on payment alone or in a panic: engage experienced incident response counsel. Many ransomware groups are sanctioned entities, and paying them may breach sanctions or financial regulations. Notify law enforcement promptly (Vietnam's NCSC, or the FBI for US-connected businesses).
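The evidence-preservation step in practice, as an added example that is not code from the original article: copy each log artefact off the affected host, hash it before and after the copy, write a chain-of-custody manifest, and make the collected copies read-only so analysts work on further copies rather than the originals. Paths, the manifest layout and the sample log lines are constructed assumptions for illustration.

```python
"""Collect log artefacts into a read-only set with a hash manifest.

Added example, not code from the original article. Paths, manifest
layout and the sample log lines are assumptions for illustration; the
point is that every artefact is hashed at collection time, checked
after the copy, and can be re-verified later.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(sources: list, dest_root: str, collector: str) -> dict:
    """Copy each source into dest_root, hashing before and after the copy.
    Returns the manifest, which is also written to dest_root/manifest.json."""
    os.makedirs(dest_root, exist_ok=True)
    entries = []
    for src in sources:
        digest = sha256_file(src)                 # hash on the source first
        dest = os.path.join(dest_root, os.path.basename(src))
        shutil.copy2(src, dest)
        if sha256_file(dest) != digest:           # prove the copy is faithful
            raise RuntimeError(f"copy of {src} does not match source hash")
        os.chmod(dest, 0o444)                     # read-only working set
        entries.append({
            "source": src, "collected_copy": dest,
            "size": os.path.getsize(dest), "sha256": digest,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"collector": collector, "entries": entries}
    with open(os.path.join(dest_root, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(manifest: dict) -> list:
    """Re-hash every collected copy; return a list of integrity failures."""
    failures = []
    for e in manifest["entries"]:
        if not os.path.exists(e["collected_copy"]):
            failures.append(f'{e["collected_copy"]}: missing')
        elif sha256_file(e["collected_copy"]) != e["sha256"]:
            failures.append(f'{e["collected_copy"]}: hash mismatch')
    return failures


def demo() -> tuple:
    """Constructed sample: two log files collected and verified, then one
    collected copy is tampered with and verification is run again."""
    work = tempfile.mkdtemp(prefix="ir-")
    try:
        host_logs = os.path.join(work, "host")
        os.makedirs(host_logs)
        samples = {  # constructed log lines, not real telemetry
            "Security-export.txt": "4624 LogonType=3 User=svc_backup Src=10.0.5.12\n",
            "firewall.log": "ALLOW 10.0.5.12 -> 203.0.113.5:443 bytes=4096000000\n",
        }
        sources = []
        for name, text in samples.items():
            path = os.path.join(host_logs, name)
            with open(path, "w") as f:
                f.write(text)
            sources.append(path)
        manifest = collect(sources, os.path.join(work, "collection"), "analyst@example")
        clean = verify(manifest)
        tampered_copy = manifest["entries"][0]["collected_copy"]
        os.chmod(tampered_copy, 0o644)
        with open(tampered_copy, "a") as f:
            f.write("4624 LogonType=3 User=admin Src=10.0.5.99\n")
        return clean, verify(manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, tampered = demo()
    print("after collection:", clean or "all artefacts verified")
    print("after tampering :", tampered)
```

In a live incident the collection directory sits on a host the attacker has no credentials for (the article's "unaffected system"), and the manifest is what lets counsel, insurers and law enforcement trust the logs weeks later.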
Key takeaways
1. Modern ransomware is a professional criminal industry: RaaS means sophisticated attacks are available to low-skill affiliates.
2. The encryption event is the end, not the beginning: attackers spend weeks inside networks before striking. Detect them early.
3. The 3-2-1-1-0 backup rule (including an immutable or air-gapped copy) is the recovery foundation, but only if backups are regularly tested.
4. Layered defences (email security, EDR, PAM, patching, segmentation) reduce both likelihood and impact.
5. Have a ransomware-specific incident response plan documented and tested before an attack, not during.