What is ransomware? Why backups no longer protect your data

Beyond the backup: the new era of ransomware extortion and data theft

9th February 2026 | Blog | Martin Summerhayes

Ransomware has changed. In the past, attackers encrypted systems and demanded payment to restore access. Today, ransomware focuses on data theft and extortion. Organisations can restore systems from backups. However, they cannot recover leaked data. This shift forces security leaders to rethink how they protect critical information.

What is ransomware in the modern threat landscape?

Ransomware is a cyberattack where criminals encrypt systems or steal sensitive data and demand payment. Traditionally, ransomware disrupted operations. Modern ransomware prioritises data exfiltration and extortion.

Attackers steal confidential information and threaten to publish or sell it. As a result, downtime is no longer the primary leverage. Instead, attackers exploit regulatory exposure, legal risk, and reputational damage.

In regulated sectors such as banking and insurance, this shift is critical. Organisations can recover systems. They cannot recover trust. This is driving demand for continuous monitoring, detection, and response capabilities, often delivered through managed security services.

Backups restore systems. They don’t protect data. Modern ransomware is a data theft problem, not a recovery problem.

Why backups alone no longer protect against ransomware

For years, organisations relied on backups as their primary ransomware defence. Backups remain essential for business continuity. However, they are a passive control.

In modern ransomware attacks, criminals do not need to encrypt systems. They only need to copy sensitive data. Restoring from backups does not stop data leaks, blackmail, regulatory breaches, legal liability, or reputational damage.

Backups restore operations. They do not protect data. Therefore, backups are a recovery tool, not a security control. For official guidance, see the UK National Cyber Security Centre ransomware guidance.

How modern ransomware attacks work

Modern ransomware groups follow a structured playbook. First, they gain access quietly. Next, they map the environment and identify high-value data. Then, they exfiltrate sensitive information. Finally, they apply encryption or extortion pressure.

This approach creates multiple business risks, including regulatory fines, contractual breaches, and loss of customer trust. Consequently, ransomware is now a board-level risk.

Organisations should test response capabilities through cyber resilience and incident response programmes and simulations.

For industry data, refer to the IBM Cost of a Data Breach Report and the Verizon Data Breach Investigations Report.

How CISOs must rethink their defence

1) From recovery to resilience

Security teams must detect abnormal data movement in real time. If attackers extract large volumes of sensitive data, controls must identify and block the activity. This requires behavioural monitoring, anomaly detection, and automated response.

2) Focus on data sovereignty and encryption

If stolen data is encrypted and attackers cannot access the keys, extortion loses power. Organisations must encrypt data at rest and in transit, enforce strong key management, and restrict access to sensitive datasets.

Security teams should align this with cloud and infrastructure security programmes to ensure architecture supports data protection.

3) Regulatory and reputational risk framing

CISOs must explain ransomware in business terms. Regulatory fines, legal costs, and loss of trust often exceed the ransom demand. Security investment must reflect total business risk, not just IT recovery metrics.

What modern ransomware defence really requires

Modern ransomware defence is data-led. Organisations need:

  • Real-time data visibility

  • Encryption architecture and key management

  • Granular access controls

  • Mature incident response planning

  • Governance aligned to regulatory frameworks

Security must protect data across its lifecycle: creation, storage, access, movement, and disposal.

Phishing remains a common entry vector. Organisations should test human risk through phishing security test service engagements.

Test your ransomware response with Under Ransom

[Image: event banner for "Under Ransom", a live ransomware tabletop exercise for IT leaders, held in person on 17 March 2026.]

Ransomware is no longer theoretical. It is a business-critical event that tests IT, legal, compliance, and executive teams.

Under Ransom is Northdoor’s live ransomware tabletop exercise, delivered with Arctic Wolf. It simulates a real data theft and extortion attack and tests how your organisation detects, responds, and recovers.

What you will learn

  • How attackers steal data before encryption

  • Where most ransomware response plans fail

  • How to detect and stop data exfiltration

  • How to manage regulatory and reputational fallout

  • How executives should make ransom and disclosure decisions


Frequently Asked Questions (FAQs)

If we can restore from backups, why would we pay a ransom?

In modern extortion attacks, system recovery is often secondary. Attackers threaten to leak sensitive client data or intellectual property. Paying is sometimes considered (though discouraged) to prevent disclosure, which backups cannot stop.

How does data observability differ from standard monitoring?

Standard monitoring checks whether a system is running. Data observability monitors how data behaves. It flags unusual volumes or destinations of data movement in real time.
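
An added example (not code from Northdoor or any vendor) of the check described here and under "From recovery to resilience": it baselines each host's hourly outbound volume and known destinations, then flags a window that exceeds a median-plus-MAD threshold or sends bulk data to a destination not seen before. The flow-record format, thresholds, host names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000

def build_baseline(flows):
    """flows: (hour, host, dest, bytes_out). Returns hourly totals and known destinations per host."""
    hourly, dests = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for hour, host, dest, nbytes in flows:
        hourly[host][hour] += nbytes
        dests[host].add(dest)
    return {h: list(v.values()) for h, v in hourly.items()}, dests

def volume_threshold(samples, k=6.0, floor=50 * MB):
    """median + k * MAD; the floor stops quiet hosts alerting on trivial traffic."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return max(med + k * mad, floor)

def detect(window, baseline, new_dest_min=10 * MB):
    """Alerts for one hourly window: unusual volume, or bulk data to an unseen destination."""
    totals, known = baseline
    vol, per_dest = defaultdict(int), defaultdict(int)
    for _hour, host, dest, nbytes in window:
        vol[host] += nbytes
        per_dest[(host, dest)] += nbytes
    alerts = []
    for host, total in vol.items():
        if host not in totals:                      # a host with no history is itself notable
            alerts.append((host, "no_baseline", total))
        elif total > volume_threshold(totals[host]):
            alerts.append((host, "volume", total))
    for (host, dest), nbytes in per_dest.items():
        if dest not in known.get(host, set()) and nbytes >= new_dest_min:
            alerts.append((host, "new_destination", dest))
    return sorted(alerts, key=str)

# Constructed sample flows (hosts, destinations and sizes are invented for illustration).
BASELINE = [(h, "fileserver01", "backup.internal.example", b * MB)
            for h, b in enumerate([20, 22, 19, 21, 20, 23])]
BASELINE += [(h, "hr-laptop07", "mail.internal.example", b * MB)
             for h, b in enumerate([2, 3, 2, 4, 3, 2])]
WINDOW = [
    (6, "fileserver01", "backup.internal.example", 21 * MB),
    (6, "fileserver01", "203.0.113.50", 4000 * MB),   # bulk copy to an unseen address
    (6, "hr-laptop07", "mail.internal.example", 3 * MB),
    (6, "hr-laptop07", "198.51.100.9", MB // 2),      # new but small: below new_dest_min
]
print(detect(WINDOW, build_baseline(BASELINE)))
```

The median-plus-MAD threshold is one robust choice among several; in production the same logic would run over NetFlow, proxy or cloud egress logs, with the alert feeding an automated containment step.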

What is the most effective way to prevent the initial breach?

Combining AI-powered anti-phishing tools with regular simulated phishing tests is one of the most effective ways to strengthen the human security layer.
