
Operational disruption now outweighs ransom

by Mark Rowe

Ransomware is now an operational crisis, writes Ashish Khanna, Senior Managing Director of Security Consulting Services at Verizon Business.

The clock is ticking. Your systems are locked. Production lines stand idle. Customers can’t access services. And somewhere, cybercriminals are waiting for your call, confident that every minute of downtime is increasing their leverage. This is often the new reality of ransomware.

While security teams have been fortifying their perimeters, threat actors have rewritten their playbook. According to Verizon’s 2025 Data Breach Investigations Report (DBIR), ransomware now features in a staggering 44 per cent of breaches, up from 32pc last year. But this only tells half the story. What’s changed isn’t just the frequency of attacks but their fundamental nature. Business disruption, not data theft, has become an important weapon of choice in this new age of digital extortion.

“We can’t operate” can now strike more fear in boardrooms than “your data has been encrypted.” While data theft still grabs headlines, the DBIR confirms what many CISOs already know: a very important outcome of ransomware is operational disruption. In some cases, the cost of downtime now eclipses the value of the ransom itself.

Consider the recent cascade of failures when major platforms were hit. There were system-wide paralyses that rippled across entire industries, bringing critical services to a grinding halt. Insurance data backs up this brutal truth: downtime costs frequently outstrip the ransom demands themselves. When production lines freeze, when patient care systems crash, when supply chains fracture — every second can translate directly to lost revenue, market share, and customer trust.

However, there’s an interesting paradox in the findings. Even as damage from ransomware escalates, fewer organisations are paying. The DBIR found that 64pc of victims now refuse to pay ransoms (up from 50pc in 2022), and median payments have dropped to $115,000, down from $150,000. So, attackers are getting paid less often and less per attack.

What does this mean? Attackers aren’t walking away. They’ve adapted to stay profitable. Rather than relying on data encryption alone, they now weaponise operational paralysis where downtime is devastating. And they’re doing it at scale: exploiting edge device vulnerabilities, hitting smaller vendors with privileged access, and automating parts of the attack chain. The result? Broader impact, lower per-target payouts, but more opportunities to monetise disruption.

So, with all that being said, what are tangible actions that continue to help reduce your exposure to these risks?

● Conduct Business Impact Assessments (BIAs): Regularly assess and quantify the financial and operational impact of potential downtime for critical systems and business processes. This will help prioritise recovery efforts.
● Develop and Test Incident Response Plans (IRPs) with a focus on business continuity: Ensure your IRPs explicitly address operational disruption, not just data recovery. Include scenarios where key business functions are entirely unavailable.
● Operate with a “No Ransom” Mindset: Your ransomware defence strategy should not include paying a ransom as a viable option. Instead, cultivate a policy that presumes payment will not be made. This approach fosters a greater commitment to educating stakeholders and investing in robust defence and recovery capabilities.

Enterprises: The Rise of Nth-party Risk

The 2025 DBIR findings reveal a shocking truth: 88pc of breaches affecting small and medium-sized businesses involved ransomware. Why does this matter to enterprise security leaders? In today’s interconnected business world, these smaller companies can be your partners, vendors, and service providers. The new attack vector isn’t a direct assault on your fortress-like security. Threat actors are increasingly targeting technology hubs and service providers where a single compromise can cascade across hundreds or thousands of downstream clients. They’ve realised that your law firm handling sensitive IP, your HVAC vendor with remote access to building systems, or your cloud service provider might offer a less-defended path into your organisation.

Think about it: Would you invest months trying to breach a bank’s state-of-the-art security, or simply compromise the smaller fintech provider that already has privileged access to their systems? This “nth-party risk” extends far beyond your immediate vendors, creating a complex web of vulnerabilities that traditional security approaches can struggle to address. Your digital ecosystem no longer ends at your network boundary. It encompasses every entity that touches your data or connects to your systems.

Tangible Actions to continuously assess your threats:

● Implement a comprehensive Vendor Risk Management (VRM) program and Cyber Risk Quantification programs (CRP): This program should not only assess your direct vendors but also their critical sub-vendors (Nth parties).
● Demand Security Requirements in Contracts: Incorporate strong cybersecurity clauses in all vendor contracts, requiring adherence to specific security frameworks, regular audits, and incident reporting.
● Conduct Regular Vendor Security Assessments: Go beyond questionnaires; perform technical assessments, penetration tests, and security audits on high-risk third-party vendors.
● Segment Networks for Third-Party Access: Isolate third-party access to your network using strict segmentation and Zero Trust principles to limit the blast radius of a potential compromise.

Why fast recovery is key

These findings demand a fundamental shift in our approach. Rather than concentrating resources solely on keeping attackers out, forward-thinking organisations are focusing on their ability to detect, contain, and bounce back from attacks with minimal business impact. This requires a multi-layered strategy that goes far beyond traditional security controls:

● Network segmentation has evolved from a technical best practice to a business continuity requirement, limiting malware propagation when—not if—perimeter defences are breached.
○ Action: Implement segmentation within your network to help isolate critical assets and prevent lateral movement of threats. Regularly review and test segmentation policies for network and data in the cloud and on-prem.

● Zero Trust architectures reduce the blast radius of compromised credentials, while isolated, immutable backup systems help keep restoration options viable even after sophisticated encryption attacks.
○ Action: Design and implement air-gapped, immutable backups of critical data and systems. Regularly test the restoration process to ensure data integrity and quick recovery.

● Documented response protocols maintain operational clarity during a crisis, while proactive security assessments must address vulnerabilities throughout the entire ecosystem, not just internal systems.
○ Action: Develop detailed and regularly updated incident response playbooks that outline roles, responsibilities, and step-by-step procedures for various ransomware scenarios.
○ Action: Conduct regular penetration tests and vulnerability assessments that extend beyond your internal network to include cloud environments, third-party integrations, and remote access points.

● Most critically, this approach requires breaking down the silos between security teams and business operations. Recovery capabilities can no longer live solely in the IT department; they must be embedded in business continuity planning at every level.
○ Action: Establish cross-functional incident response teams that include representatives from IT, security, legal, communications, operations, and executive leadership.
○ Action: Integrate cybersecurity incident response planning directly into your broader business continuity and disaster recovery (BC/DR) strategies. Conduct joint drills and simulations.

The organisations thriving in this new threat landscape aren’t always distinguishing themselves with better prevention—they’re also building systems and processes that can absorb attacks without catastrophic business impact. As ransomware continues its evolution from a technical nuisance to an existential business threat, the metric that matters most may not be how many attacks you prevent, but how quickly you recover from those that succeed. In a world where operational disruption has become weaponised, your recovery speed isn’t just a technical consideration – it can be your survival strategy.
