Ransomware has evolved from its early days (CryptoLocker 2013, WannaCry 2017) into a highly professionalized industry. Modern attacks follow a methodical pattern: attackers first gain initial access via phishing emails, compromised VPN credentials or unpatched systems. They then remain undetected in the network for weeks, escalate privileges and map the entire infrastructure — including all backup systems.

Only once they have a complete picture does the actual destruction phase begin: backup databases are deleted, snapshots removed, backup agents uninstalled, shadow copies destroyed, and cloud backup credentials used to delete off-site copies. Only then is the production environment encrypted, with the aim of leaving the victim a binary choice: pay, or suffer total failure.
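The destruction phase described above is noisy on the endpoint, and that is where a defender can still catch it before encryption starts. The following detection logic is an added example, not part of the original article: it scans process-creation records (constructed here as dicts; field names `ts`, `host`, `user`, `cmdline` are assumed to be what your EDR or Sysmon export provides) for the backup-tampering actions named in the text, and escalates when several distinct actions hit the same host within a short window, since that clustering is the signature of a pre-encryption sweep rather than routine administration.

```python
import re
from collections import defaultdict

# (technique label, pattern over the lower-cased command line)
SIGNATURES = [
    ("shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow copy deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("backup catalog deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
    # placeholder: substitute the product name or GUID of your own backup agent
    ("backup agent uninstall", re.compile(r"\bmsiexec(\.exe)?\b.*\s/x\b.*backup")),
]

# constructed sample telemetry, not real events
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "FS01", "user": "CORP\\svc-backup", "cmdline": "vssadmin.exe list shadows"},
    {"ts": 1200, "host": "FS01", "user": "CORP\\admin7", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 1260, "host": "FS01", "user": "CORP\\admin7", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"ts": 1300, "host": "FS01", "user": "CORP\\admin7", "cmdline": "msiexec.exe /x ExampleBackupAgent.msi /qn"},
    {"ts": 5000, "host": "WS22", "user": "CORP\\jdoe", "cmdline": "wbadmin.exe delete catalog -quiet"},
]


def match_events(events):
    """Return one hit per event whose command line matches a signature (first match wins)."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for technique, rx in SIGNATURES:
            if rx.search(cmd):
                hits.append({**ev, "technique": technique})
                break
    return hits


def correlate(hits, window=600):
    """One alert per host; 'high' when 2+ distinct techniques fall inside `window` seconds."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        best = set()
        for end in hs:  # slide a window ending at each hit, keep the richest one
            seen = {x["technique"] for x in hs if end["ts"] - window <= x["ts"] <= end["ts"]}
            if len(seen) > len(best):
                best = seen
        alerts.append({"host": host, "severity": "high" if len(best) >= 2 else "medium",
                       "techniques": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(match_events(SAMPLE_EVENTS)):
        print(alert)
```

A single `wbadmin delete catalog` may be a legitimate admin action and is reported as medium; three different tampering techniques on FS01 inside two minutes is the pattern the article describes and is escalated to high.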

The economic impact is significant. According to the Sophos State of Ransomware 2024 report, the average downtime until full recovery is 23 days. 46% of affected organizations pay the ransom, yet only 4% get all their data back. The strategic conclusion is clear: payment is not a strategy. The only reliable counter-strategy is the ability to restore systems independently from a backup the attacker could not reach.

A particularly dangerous variant is so-called double extortion: attackers steal data before encrypting it and, alongside the ransom demand, additionally threaten to publish it. Against the data theft aspect, measures like network segmentation and data loss prevention help; against the encryption aspect, a physical air gap is the most effective counterstrategy.

Frequently asked questions

EDR, firewalls and intrusion detection systems are necessary protection layers — but they only address prevention. No preventive measure offers 100% protection. According to the Veeam Data Protection Trends Report, 85% of surveyed organizations fell victim to ransomware at least once despite having protection measures in place. The decisive question is therefore: can I recover after a successful attack?

Paying the ransom is not a strategy: 96% of those who pay still lose data (Sophos 2024). There is also no guarantee that attackers will actually provide a functioning decryption key after payment. The only reliable strategy is independent recovery from a backup the attacker could not compromise.

Healthcare facilities, public administrations and critical infrastructure are particularly targeted by ransomware attackers: the pressure to pay quickly is high because operational failure in these areas immediately endangers people or disrupts public services. Ransomware attacks on critical infrastructure operators have increased significantly in recent years.