Why you're a target

Ransomware crews specifically hunt mid-sized businesses: big enough to pay, small enough to lack a mature security team. The attack is now a service industry with affiliates, negotiators, and customer support. Assume you're on the list.

The kill chain, and where to break it

Most ransomware follows a predictable path. Break it early:

  1. Initial access — phishing or exposed RDP/VPN. Defense: phishing-resistant MFA, no internet-exposed RDP, patched edge devices.
  2. Execution & persistence — malware runs and digs in. Defense: endpoint detection and response, application allow-listing.
  3. Privilege escalation & lateral movement — they spread. Defense: least privilege, network segmentation, disabled legacy protocols.
  4. Exfiltration — they steal data for double extortion. Defense: egress monitoring, DLP on sensitive stores.
  5. Encryption — the payload fires. Defense: this is too late; rely on the steps above and on backups.

Backups are your real insurance

The only thing that reliably defeats encryption-for-ransom is a restore.

  • 3-2-1 rule: three copies, two media, one off-site.
  • Immutable / air-gapped copy that ransomware can't reach or delete. Attackers now target backups first.
  • Test restores quarterly. A backup you've never restored is a hope, not a plan.

When it happens anyway

Have the incident runbook ready: isolate, identify the strain, preserve evidence, and engage counsel before negotiating. Paying funds the next attack and doesn't guarantee recovery — your backups should make the question moot.

The companies that shrug off ransomware are the ones who practiced the restore before they needed it.