Ransomware in 2026: Double Extortion and How to Prepare
Ransomware in 2026 uses double extortion and targets backups. Learn the current threat landscape and the layered defences that actually prevent attacks.
Nerdster Team
1 October 2025
Ransomware is not new. But the way it operates in 2026 is fundamentally different from the ransomware of five years ago. The attacks are more sophisticated, the business model is more mature, and the consequences of being unprepared are more severe. If your ransomware defence strategy has not been updated recently, it is probably inadequate for the current threat landscape.
How Ransomware Has Evolved
Double and Triple Extortion
The original ransomware model was simple: encrypt the victim’s data and demand payment for the decryption key. Modern ransomware groups have added layers:
Double extortion means the attackers exfiltrate your data before encrypting it. Even if you restore from backups, they threaten to publish or sell the stolen data unless you pay. This makes backups necessary but no longer sufficient.
Triple extortion adds a third pressure point: contacting your clients, partners, or regulators directly to inform them of the breach and increase pressure on you to pay. Some groups also launch DDoS attacks against your public-facing infrastructure to compound the disruption.
Ransomware as a Service (RaaS)
The ransomware ecosystem now operates as a mature service industry. Ransomware developers create the malware and infrastructure, then rent it to affiliates who conduct the actual attacks. The affiliates keep a percentage of any ransom payments. This model has dramatically lowered the barrier to entry, increasing the volume of attacks while maintaining their sophistication.
Groups like LockBit, BlackCat/ALPHV, and Cl0p operate multi-million-pound enterprises with help desks, negotiation teams, and even “customer service” for victims navigating the payment process.
Targeting Backups
Attackers have learned that the primary defence against ransomware is backup restoration. Consequently, modern ransomware specifically targets backup systems:
- Identifying and deleting shadow copies and local backup files
- Compromising backup server credentials to corrupt or encrypt backup repositories
- Remaining dormant for weeks or months to ensure that backup sets are infected before the encryption event
- Targeting backup agent software with specific exploits
If your backups are connected to the same network and accessible with the same credentials as your production systems, they are vulnerable.
Dwell Time and Reconnaissance
Modern attackers do not deploy ransomware immediately upon gaining access. The average dwell time — the period between initial compromise and ransomware deployment — is now 5-7 days, according to Mandiant’s 2025 M-Trends report. During this time, attackers:
- Map your network and identify critical systems
- Escalate privileges to gain domain admin access
- Locate and compromise backup systems
- Exfiltrate sensitive data
- Identify and disable security tools
- Choose the optimal moment to deploy (often weekends or holidays)
The Impact on UK Businesses
The NCSC’s 2025 Annual Review identified ransomware as the most significant cyber threat to UK organisations. Key statistics:
- The average ransomware recovery cost for UK SMBs was GBP 840,000 in 2025 (Sophos State of Ransomware)
- 21 days was the average downtime following a ransomware attack
- 46% of UK businesses that paid a ransom did not recover all of their data
- 80% of organisations that paid were attacked again within 12 months
The message is clear: paying the ransom is not a reliable recovery strategy. Prevention and resilience are the only credible approaches.
Layered Defences That Actually Work
No single control prevents ransomware. Effective defence requires multiple layers, each addressing a different stage of the attack chain.
Layer 1: Prevent Initial Access
The most common initial access vectors for ransomware are phishing emails, exploited vulnerabilities in internet-facing systems, and compromised credentials.
- Email security: Deploy advanced anti-phishing that analyses URLs and attachments in a sandboxed environment before delivery. Configure DMARC, DKIM, and SPF to prevent domain spoofing.
- Patch management: Apply critical patches within 72 hours. Prioritise internet-facing systems (VPNs, firewalls, web servers) and commonly exploited applications.
- MFA on everything: Phishing-resistant MFA (FIDO2 keys or certificate-based) on all remote access, email, and administrative interfaces.
- Attack surface reduction: Disable RDP on internet-facing systems. Remove unnecessary services. Minimise the number of internet-exposed entry points.
Layer 2: Limit Lateral Movement
If an attacker gains initial access, limit how far they can move:
- Network segmentation: Separate critical systems, servers, and user workstations into distinct network segments with controlled communication between them.
- Privileged access management: Eliminate persistent admin credentials. Use just-in-time access for administrative tasks. Implement a local administrator password solution (such as Microsoft LAPS) so that each device has a unique local admin password.
- Endpoint detection and response (EDR): Deploy EDR on every endpoint with behavioural detection that identifies suspicious process chains, credential access attempts, and lateral movement patterns.
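Segmentation is easiest to reason about as an explicit allow-list between asset classes with everything else denied. The block below is an added example, not Nerdster's code or any firewall vendor's format: it defines a handful of hypothetical segments and permitted flows, then audits a constructed flow log and reports the connections that should never have been possible, including a workstation reaching the backup server directly. Segment ranges, ports and the flow records are all assumptions for illustration.

```python
"""Segment-to-segment policy check for the Layer 2 advice.

Added example, not Nerdster's code. Segments, the allow-list and the flow
records are constructed for a hypothetical network; in production the
policy lives on the firewall and the flow log comes from it.
"""
import ipaddress

# Constructed segments: each network holds one class of asset.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.20.0/24"),
    "servers": ipaddress.ip_network("10.0.5.0/24"),
    "domain_controllers": ipaddress.ip_network("10.0.1.0/28"),
    "backup": ipaddress.ip_network("10.0.9.0/28"),
    "management": ipaddress.ip_network("10.0.99.0/28"),
}

# Default deny: anything not listed here is blocked between segments.
# Tuple form: (source segment, destination segment, destination port).
ALLOWED_FLOWS = {
    ("workstations", "domain_controllers", 88),   # Kerberos
    ("workstations", "domain_controllers", 389),  # LDAP
    ("workstations", "servers", 445),             # file shares
    ("servers", "domain_controllers", 88),
    ("servers", "domain_controllers", 389),
    ("backup", "servers", 445),                   # in this design the backup segment pulls; nothing initiates towards it
    ("management", "backup", 22),                 # backup is administered only from the management segment
    ("management", "servers", 3389),              # RDP only from the management segment, never from workstations
}


def segment_of(ip):
    """Name the segment an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate_flow(src_ip, dst_ip, dst_port):
    """Return 'allowed' or 'denied' for one connection attempt under the policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return "allowed"  # traffic inside a segment is outside this policy's scope
    return "allowed" if (src, dst, dst_port) in ALLOWED_FLOWS else "denied"


def audit_flows(flow_log):
    """Return the flows the policy denies, with source and destination segments named."""
    denied = []
    for src_ip, dst_ip, dst_port in flow_log:
        if evaluate_flow(src_ip, dst_ip, dst_port) == "denied":
            denied.append((src_ip, segment_of(src_ip), dst_ip, segment_of(dst_ip), dst_port))
    return denied


# Constructed flow log: (source, destination, destination port).
SAMPLE_FLOW_LOG = [
    ("10.0.20.15", "10.0.1.2", 88),     # workstation authenticating to a DC: fine
    ("10.0.20.15", "10.0.5.21", 445),   # workstation opening a file share: fine
    ("10.0.20.15", "10.0.9.4", 445),    # workstation reaching the backup server: denied
    ("10.0.20.15", "10.0.5.21", 3389),  # workstation to server RDP: denied
    ("10.0.5.21", "10.0.9.4", 22),      # server initiating towards backup: denied
    ("10.0.99.2", "10.0.9.4", 22),      # admin host managing backup: fine
]

if __name__ == "__main__":
    for row in audit_flows(SAMPLE_FLOW_LOG):
        print("DENIED", row)
```

Running the audit against the constructed log flags three flows. The point of writing the policy this way round (allow-list, default deny) is that the compromised workstation in the article's dwell-time scenario cannot even open a socket to the backup segment, regardless of which credentials it has harvested.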
Layer 3: Protect Backups
Your backup strategy must assume that an attacker will try to destroy your backups:
- Immutable backups: Use backup solutions that support immutability — once written, backup data cannot be modified or deleted for a defined retention period, even by administrators.
- Air-gapped or isolated backup copies: Maintain at least one backup copy that is not accessible from your production network. This can be physical media stored offsite or a cloud repository with dedicated credentials that are not stored anywhere in your production environment.
- Backup account separation: The credentials used to manage backups should be completely separate from your domain admin accounts. If an attacker compromises your Active Directory, they should not automatically gain access to your backup infrastructure.
- Regular restoration testing: Test backup restoration quarterly. Not a spot check of one file, but a full system restoration that proves you can recover your environment within your defined recovery time objective.
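Two of the controls above are easy to state and easy to get subtly wrong: "immutable even by administrators" means the store must refuse early deletion on the basis of time alone, never on who is asking, and "separate credentials" means no overlap at all with anything a domain admin holds. The following added example (not Nerdster's code, and not any backup vendor's API) models both: a write-once repository with the semantics of a compliance-mode object lock, and an audit over a constructed set of backup copies that reports whether the layout meets the Layer 3 requirements. File names, roles and credential identifiers are assumptions for illustration.

```python
"""Model of the Layer 3 backup controls: retention-locked objects and copy isolation.

Added example, not Nerdster's code or any vendor's API. It imitates the
semantics of a compliance-mode object lock: deletion is refused until the
retention period ends, and the caller's role is deliberately not consulted.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class RetentionLocked(Exception):
    """Raised when a locked backup object would be overwritten or deleted early."""


@dataclass
class BackupObject:
    name: str
    data: bytes
    locked_until: datetime


class ImmutableRepository:
    """Write-once store: objects cannot be changed or removed before locked_until."""

    def __init__(self):
        self._objects = {}

    def write(self, name, data, now, retention_days):
        if name in self._objects:
            raise RetentionLocked(f"{name} already exists; immutable objects are never overwritten")
        self._objects[name] = BackupObject(name, data, now + timedelta(days=retention_days))
        return self._objects[name]

    def delete(self, name, now, actor_role):
        obj = self._objects[name]
        # Compliance-mode lock: time is the only thing that unlocks an object.
        # actor_role is recorded in the refusal only to show that 'admin' does not help.
        if now < obj.locked_until:
            raise RetentionLocked(
                f"{name} is locked until {obj.locked_until:%Y-%m-%d}; request by role '{actor_role}' refused"
            )
        del self._objects[name]

    def read(self, name):
        return self._objects[name].data


@dataclass
class BackupCopy:
    """One copy of a backup set and the credentials that can reach it."""
    location: str
    immutable: bool
    reachable_from_production: bool
    credential_ids: set = field(default_factory=set)


def audit_backup_copies(copies, production_credential_ids):
    """Return the Layer 3 gaps across all copies (an empty list means the design holds)."""
    gaps = []
    if not any(c.immutable for c in copies):
        gaps.append("no immutable copy: an attacker with repository access can delete everything")
    if not any(not c.reachable_from_production for c in copies):
        gaps.append("every copy is reachable from the production network")
    for c in copies:
        shared = c.credential_ids & production_credential_ids
        if shared:
            gaps.append(f"{c.location} shares credentials with production: {sorted(shared)}")
    return gaps


def demo():
    """Walk through an early deletion attempt, an expired deletion, and a copy audit."""
    now = datetime(2026, 1, 10, tzinfo=timezone.utc)
    repo = ImmutableRepository()
    repo.write("fileserver-2026-01-10.bak", b"constructed backup bytes", now, retention_days=30)
    outcomes = {}
    # Day 3: a session holding domain admin rights tries to purge the backup.
    try:
        repo.delete("fileserver-2026-01-10.bak", now + timedelta(days=3), actor_role="domain_admin")
        outcomes["early_delete"] = "allowed"
    except RetentionLocked:
        outcomes["early_delete"] = "refused"
    # Day 31: retention has expired, so routine clean-up by the backup operator succeeds.
    repo.delete("fileserver-2026-01-10.bak", now + timedelta(days=31), actor_role="backup_operator")
    outcomes["expired_delete"] = "allowed"
    # Constructed copy layout for a hypothetical estate: one local NAS, one locked cloud bucket.
    copies = [
        BackupCopy("onsite-nas", immutable=False, reachable_from_production=True,
                   credential_ids={"CORP-Administrator"}),
        BackupCopy("cloud-locked-bucket", immutable=True, reachable_from_production=False,
                   credential_ids={"backup-svc-cloud"}),
    ]
    outcomes["gaps"] = audit_backup_copies(copies, {"CORP-Administrator", "CORP-svc-sql"})
    return outcomes


if __name__ == "__main__":
    print(demo())
```

In the constructed estate the cloud copy satisfies immutability and isolation, but the audit still reports one gap: the on-site NAS is managed with the same administrator account as production, which is exactly the condition the article warns about at the end of the Targeting Backups section.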
Layer 4: Detect and Respond
- 24/7 monitoring: Ransomware deployment often happens outside business hours. If your monitoring stops at 6pm, you are vulnerable during the exact window attackers prefer.
- SIEM with behavioural analytics: Aggregating logs from endpoints, servers, network devices, and cloud services enables detection of the reconnaissance and lateral movement that precedes ransomware deployment.
- Incident response plan: A documented, tested plan that defines who does what when ransomware is detected. This should include isolation procedures, communication templates, and decision frameworks for whether to engage law enforcement and specialist incident response firms.
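The reconnaissance and backup-destruction behaviour described earlier in the article is what the SIEM layer exists to catch, and the signals are mundane: one account opening network logons to many hosts in a short window, then command lines on the backup server that remove shadow copies or stop backup services. The block below is an added example, not Nerdster's detection content or any SIEM vendor's rule language. It runs two rules over a constructed event stream in a simplified JSON shape loosely modelled on Windows Security events 4624 (logon) and 4688 (process creation); the field names, hosts, accounts and timestamps are assumptions, and a real deployment would feed its own log schema in.

```python
"""Detection logic for two stages the article describes: lateral-movement
fan-out during the dwell period, and backup or recovery destruction just
before encryption.

Added example, not Nerdster's SIEM content. Events are constructed below in
a simplified JSON shape loosely modelled on Windows Security events 4624
(logon) and 4688 (process creation).
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: a Saturday 2am intrusion compressed into a few minutes.
SAMPLE_EVENTS = [
    '{"ts":"2026-01-10T02:01:00","EventID":4624,"LogonType":3,"Account":"jsmith","Source":"10.0.20.15","Host":"FS01"}',
    '{"ts":"2026-01-10T02:02:00","EventID":4624,"LogonType":3,"Account":"jsmith","Source":"10.0.20.15","Host":"FS02"}',
    '{"ts":"2026-01-10T02:03:00","EventID":4624,"LogonType":3,"Account":"jsmith","Source":"10.0.20.15","Host":"APP03"}',
    '{"ts":"2026-01-10T02:04:00","EventID":4624,"LogonType":3,"Account":"jsmith","Source":"10.0.20.15","Host":"DC01"}',
    '{"ts":"2026-01-10T02:05:00","EventID":4624,"LogonType":3,"Account":"svc-backup","Source":"10.0.9.4","Host":"FS01"}',
    '{"ts":"2026-01-10T02:06:00","EventID":4624,"LogonType":3,"Account":"jsmith","Source":"10.0.20.15","Host":"BKP01"}',
    '{"ts":"2026-01-10T02:12:00","EventID":4688,"Account":"jsmith","Host":"BKP01","CommandLine":"vssadmin.exe list shadows"}',
    '{"ts":"2026-01-10T02:13:00","EventID":4688,"Account":"jsmith","Host":"BKP01","CommandLine":"vssadmin.exe delete shadows"}',
    '{"ts":"2026-01-10T02:14:00","EventID":4688,"Account":"jsmith","Host":"BKP01","CommandLine":"net stop \\"Veeam Backup Service\\""}',
    '{"ts":"2026-01-10T02:15:00","EventID":4688,"Account":"jsmith","Host":"DC01","CommandLine":"bcdedit /set {default} recoveryenabled no"}',
    '{"ts":"2026-01-10T02:20:00","EventID":4624,"LogonType":3,"Account":"svc-backup","Source":"10.0.9.4","Host":"FS02"}',
]

# Command-line patterns tied to backup and recovery destruction (MITRE ATT&CK T1490, Inhibit System Recovery).
DESTRUCTION_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted via vssadmin"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted via wmic"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "Windows backup catalog deleted"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "Windows recovery environment disabled"),
    (re.compile(r"(net|sc)(\.exe)?\s+stop\s+.*(backup|veeam)", re.I), "backup service stopped"),
]


def parse_events(lines):
    """Decode JSON lines and convert timestamps to datetime objects."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_backup_destruction(events):
    """One alert per process-creation event whose command line matches a destruction pattern."""
    alerts = []
    for event in events:
        if event.get("EventID") != 4688:
            continue
        command = event.get("CommandLine", "")
        for pattern, description in DESTRUCTION_PATTERNS:
            if pattern.search(command):
                alerts.append({"ts": event["ts"], "host": event["Host"],
                               "account": event["Account"], "rule": description})
                break
    return alerts


def detect_lateral_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Flag an account whose network logons (type 3) reach >= threshold distinct hosts inside the window."""
    logons = sorted((e for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 3),
                    key=lambda e: e["ts"])
    by_account = defaultdict(list)
    for event in logons:
        by_account[event["Account"]].append(event)
    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            hosts = {e["Host"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"account": account, "hosts": sorted(hosts),
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break  # one alert per account is enough for triage
    return alerts


def run_detections(lines):
    """Parse the stream once and return both rule outputs."""
    events = parse_events(lines)
    return {"lateral_fanout": detect_lateral_fanout(events),
            "backup_destruction": detect_backup_destruction(events)}


if __name__ == "__main__":
    for rule, alerts in run_detections(SAMPLE_EVENTS).items():
        print(rule, alerts)
```

Over the constructed stream the fan-out rule fires at 02:06, before any destructive command is run, which is the window in which isolation still saves the backups; the legitimate backup service account touching two file servers stays below the threshold. The benign `vssadmin.exe list shadows` is deliberately included to show the patterns are narrower than "any vssadmin use". Thresholds and windows are starting points to tune against your own baseline, not universal values.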
Layer 5: Prepare for Recovery
- Defined RTOs and RPOs: Know how long recovery will take and how much data you can afford to lose. These numbers should be agreed with business leadership, not estimated by IT.
- Recovery procedures documentation: Step-by-step procedures for rebuilding critical systems from backup. These should not exist only in one person’s head.
- Communication plan: Templates for notifying clients, employees, regulators, and insurers. During an active incident, you will not have time to draft these from scratch.
- Cyber insurance: Ensure your policy covers ransomware-specific scenarios including business interruption, data recovery costs, regulatory fines, and third-party liability from data exfiltration.
Should You Pay the Ransom?
The NCSC and law enforcement agencies advise against paying ransoms. The practical reasons align with the ethical ones:
- Payment does not guarantee data recovery
- Payment funds criminal enterprises and incentivises future attacks
- Organisations that pay are frequently attacked again
- Payment may violate sanctions regulations if the attacker is a sanctioned entity
The only reliable protection is the combination of robust prevention, immutable backups, and a tested recovery capability that makes paying the ransom unnecessary.
An Honest Self-Assessment
Answer these questions honestly:
- Could your backups survive if an attacker with domain admin access tried to destroy them?
- When was the last time you tested a full system restoration from backup?
- Do you have 24/7 monitoring that would detect an attacker moving laterally through your network at 2am on a Saturday?
- Does your incident response plan exist, and has it been tested in the last 12 months?
- Are all internet-facing systems patched within 72 hours of critical vulnerability disclosure?
If any answer is “no” or “I am not sure,” your ransomware preparedness has gaps that need closing.
How Nerdster Protects Against Ransomware
We build ransomware resilience into every managed IT environment we operate: layered prevention, immutable backups, 24/7 monitoring, tested incident response, and regular recovery drills. Our financial services clients require this level of protection, and we apply the same standards across our entire client base.
If you want to understand how your business would fare against a modern ransomware attack, book a free IT assessment with Nerdster. We will give you an honest evaluation and a prioritised remediation plan.