Ransomware attacks have evolved from a disruptive nuisance to an existential threat for businesses of all sizes. No longer confined to simple file encryption, modern ransomware campaigns target entire cloud environments, backups, and identity management systems, leaving organisations with few options for recovery.
With the UK government considering a ban on ransomware payments, companies can no longer rely on paying their way out of an attack. Instead, they must shift their mindset and operational strategies to assume an attack will happen and prepare accordingly.
The evolution of ransomware: beyond file encryption
Ransomware attacks have undergone a troubling transformation in recent years. Attackers no longer limit themselves to encrypting files and demanding payment for their release. They now aim for maximum disruption. And once inside a business’s network, these attacks can spread rapidly, locking down systems, stealing sensitive data, and rendering traditional recovery solutions useless.
One of the most alarming developments is the targeting of backup systems. Many businesses assume their data is safe if they have backups in place, but modern ransomware strains actively seek out and destroy backups before deploying their final payload. Attackers know that if they eliminate the safety net, companies are left with no choice but to comply with their demands.
But this isn’t the only risk. Identity management systems, such as Entra ID (formerly Azure Active Directory), are also increasingly in the firing line. A compromised identity system can grant attackers access to a company’s entire cloud environment, allowing them to manipulate settings, create new user accounts, and maintain persistence within the network long after the initial attack. Without the ability to verify trusted users and access controls, businesses may struggle to recover – even after the ransomware has been removed.
The false sense of security: why built-in Microsoft protections aren’t enough
Many organisations assume that the built-in security features Microsoft includes with its standard service offer sufficient protection against ransomware. However, these default security measures are not designed to withstand sophisticated, targeted cyberattacks. Microsoft does provide some level of backup and recovery, but these tools have limitations in scope and retention policies, meaning critical data can still be lost if an attack succeeds.
Cybercriminals specifically exploit these gaps. They know that many businesses operate under the false assumption that their basic security systems adequately protect their data. In reality, while Microsoft secures the infrastructure, its shared responsibility model holds businesses accountable for protecting their own data. Without additional proactive security measures, these vulnerabilities will only increase.
UK ransomware payment ban: raising the stakes for business continuity
In light of the UK government’s proposed ban on ransomware payments, businesses in the public and private sectors could soon be under greater scrutiny in how they report and respond to ransomware threats. If enacted, this legislation would make it illegal for public sector bodies and critical national infrastructure (CNI) operators to pay ransoms, removing what has often been seen as a last resort to regain access to critical systems and data. While the outright ban isn’t currently proposed for private companies, they would still be required to report any intention to pay a ransom, with the possibility of the payment being blocked if it violates legal regulations.
Paying a ransom has never been a guaranteed solution, with many organisations never receiving decryption keys even after fulfilling demands – which is one of many reasons cyber security specialists advise against making payment. Not only does it perpetuate cybercrime, but it also fails to address the fundamental security issues at play, meaning companies remain equally vulnerable to future attacks. Still, for many organisations, the ability to do so has provided a desperate fallback. Without it, companies must prioritise building robust backup systems and disaster recovery strategies more than ever, to minimise downtime and prevent catastrophic data loss.
Shifting to a ‘when, not if’ cybersecurity mindset
Given the growing sophistication of ransomware and the rapid rise in threats, companies must shift from a reactive stance to a proactive one. Instead of hoping an attack won’t happen, organisations should operate under the assumption that it will, and take steps to mitigate its impact before it occurs. Prevention is always better than the cure, after all.
One of the most effective ways to do this is by implementing a comprehensive cybersecurity framework, such as ISO 27001 or the updated National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0. This structured approach consists of six core functions that, when properly executed, can help businesses prevent, detect, and recover from ransomware attacks:
1. Govern (GV): shaping cybersecurity governance
This critical function defines and communicates an organisation’s cybersecurity risk management strategy in context, aligning it with its mission and stakeholder expectations. It integrates cybersecurity into broader enterprise risk management (ERM) by setting policies, roles, and responsibilities, and overseeing cybersecurity strategy and supply chain risk management – ultimately strengthening governance across every touchpoint.
2. Identify (ID): understanding cyber risks
Before a business can defend against ransomware, it must first understand its vulnerabilities. Regular risk assessments and audits can help identify weak points in infrastructure, access controls, and backup strategies. Mapping out critical assets and dependencies ensures an organisation can focus its cybersecurity efforts on the most valuable and high-risk areas, in accordance with its broader risk management strategy.
3. Protect (PR): building stronger defences
Prevention is the first line of defence. Implementing multi-factor authentication (MFA), network segmentation, endpoint detection, and secure backup solutions can significantly reduce the risk of successful attacks. Security awareness training for employees is also crucial, especially since human error remains one of the leading causes of a breach.
4. Detect (DE): spotting threats early
The earlier an organisation detects a ransomware attack, the better its chances of limiting the damage. Continuous monitoring tools, anomaly detection software, and advanced threat intelligence feeds can help businesses identify suspicious activity before it escalates into a full-blown attack, enabling a timely response and reducing the potential impact.
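The identity-persistence pattern described earlier (a compromised tenant being used to create new accounts that then hold privileged access) is one of the signals continuous monitoring should catch early. The following is an added detection example, not code from the original article or from any vendor: it correlates Entra ID audit-log events so that a privileged directory role granted to an account created only minutes earlier is flagged. The log records are constructed and simplified (the real audit-log schema nests the target in a targetResources list), and the privileged-role set is an assumption to be tuned per tenant.

```python
import json
from datetime import datetime, timedelta

# Constructed, simplified Entra ID audit-log records (one JSON object per line).
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2025-03-01T02:10:00Z", "activityDisplayName": "Add user", "initiatedBy": "admin@example.test", "targetUser": "svc-backup2@example.test"}
{"activityDateTime": "2025-03-01T02:12:30Z", "activityDisplayName": "Add member to role", "initiatedBy": "admin@example.test", "targetUser": "svc-backup2@example.test", "role": "Global Administrator"}
{"activityDateTime": "2025-03-01T09:00:00Z", "activityDisplayName": "Add user", "initiatedBy": "hr@example.test", "targetUser": "new.hire@example.test"}
{"activityDateTime": "2025-03-04T09:30:00Z", "activityDisplayName": "Add member to role", "initiatedBy": "it@example.test", "targetUser": "new.hire@example.test", "role": "Helpdesk Administrator"}
{"activityDateTime": "2025-03-05T11:00:00Z", "activityDisplayName": "Add member to role", "initiatedBy": "it@example.test", "targetUser": "longtime.admin@example.test", "role": "Global Administrator"}
"""

# Assumed set of roles worth alerting on; extend to match the tenant's own risk assessment.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Exchange Administrator"}


def parse_events(text):
    """Parse newline-delimited JSON audit records and sort them chronologically."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.strptime(event["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda event: event["ts"])


def find_fast_privilege_grants(text, window=timedelta(hours=24)):
    """Return (user, role, minutes_since_creation) for privileged-role grants
    to accounts that were created within `window` of the grant."""
    created_at = {}
    findings = []
    for event in parse_events(text):
        if event["activityDisplayName"] == "Add user":
            created_at[event["targetUser"]] = event["ts"]
        elif (event["activityDisplayName"] == "Add member to role"
              and event.get("role") in PRIVILEGED_ROLES):
            born = created_at.get(event["targetUser"])
            if born is not None and event["ts"] - born <= window:
                age_minutes = (event["ts"] - born).total_seconds() / 60
                findings.append((event["targetUser"], event["role"], age_minutes))
    return findings


if __name__ == "__main__":
    for user, role, minutes in find_fast_privilege_grants(SAMPLE_AUDIT_LOG):
        print(f"ALERT: {user} granted {role} {minutes:.1f} min after creation")
```

The long-standing admin and the helpdesk role assigned three days after onboarding are intentionally not flagged, showing why the correlation window and role set matter more than any single event type.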
5. Respond (RS): acting quickly and effectively
When an attack occurs, having a well-rehearsed incident response plan can make all the difference. Businesses should establish clear protocols for isolating infected systems, notifying relevant stakeholders, and executing recovery procedures. Regular drills and simulations ensure that employees know their roles and responsibilities in the event of an attack, so that action is swift and effective.
6. Recover (RC): ensuring business continuity
A robust recovery strategy is essential for minimising downtime and financial losses. Businesses should implement off-site, immutable backups that cannot be modified or deleted by attackers. A clean room environment – a separate, secure infrastructure used to restore data and verify its integrity before reintroducing it into the production environment – can also prevent reinfection and ensure a smooth recovery process.
The time to act is now
More than a disruptive inconvenience, ransomware is a significant risk that can bring operations to a standstill, spiral costs, and damage reputation beyond repair. With cybercriminals targeting backups, identity management systems, and cloud environments, and the UK government considering increased scrutiny surrounding ransom payments, businesses must take action before they too become victims.