Ransomware locks your files, your systems, and your options. For Belgian organisations, the threat is not abstract: the Centre for Cybersecurity Belgium (CCB) documented 120 unique ransomware cases in 2023 alone, a 24% increase over the year before. The average cost per incident now exceeds €1 million when you factor in downtime, forensic investigation, system restoration and reputational damage.
This guide walks through the seven phases of a ransomware attack, explains how Zero Trust architecture disrupts the attack chain, and provides a concrete recovery playbook aligned with Belgium’s NIS2 obligations and the CCB’s CyberFundamentals framework.
How does a ransomware attack unfold step by step
A ransomware attack follows seven distinct phases. Understanding each phase reveals where your defences can break the chain before encryption begins. Most attackers spend weeks or months inside a network before triggering the payload.
- Initial infiltration through phishing, exposed RDP, or stolen credentials
- Privilege escalation to gain administrator rights
- Internal reconnaissance to map valuable targets and backups
- Lateral movement across poorly segmented networks
- Data exfiltration for double extortion leverage
- Encryption of files and deletion of shadow copies
- Ransom demand with threats of public data leaks
What is ransomware and why Belgian organisations are targeted
Ransomware is malware that encrypts files and systems, making them inaccessible until the victim pays a ransom. Modern variants go further than simple encryption. Ransomware-as-a-Service (RaaS) operations run like franchises, with developers building the malware and affiliates executing attacks for a share of the profits.
Belgium ranks among Europe’s wealthiest nations per capita. CCB research across 14,000 ransomware victims globally found a strong correlation between a country’s GDP and the number of attacks it attracts. Attackers follow the money, and Belgian mid-market organisations with 50 to 400 employees are particularly attractive targets. They hold valuable data but often lack the dedicated security teams that larger enterprises maintain.
The CCB received 352 incident reports in 2024. Since NIS2 came into force in October 2024, monthly reports jumped from an average of 25 to 45, an 80% increase driven largely by mandatory reporting requirements rather than a surge in actual attacks. Healthcare was hit hardest, with an 81% rise in attacks during Q3 2024 compared to the same period the previous year. The AZ Monica hospital attack in January 2026 forced the cancellation of over 70 surgeries and the evacuation of critically ill patients.
The seven phases of a ransomware attack explained
Each phase in a ransomware attack has specific techniques, objectives, and detection opportunities. Recognising these phases helps security teams position controls where they matter most.
| Phase | What the attacker does | Techniques used | Your detection window |
|---|---|---|---|
| 1. Initial infiltration | Gains first access to the network | Phishing emails, exposed RDP ports, credential stuffing, exploiting unpatched vulnerabilities | Email filtering, web isolation, vulnerability scanning |
| 2. Privilege escalation | Elevates permissions to admin level | OS exploits, credential harvesting, Kerberoasting | Privileged access monitoring, anomalous login alerts |
| 3. Internal reconnaissance | Maps the network, finds backups and high-value targets | Port scanning, Active Directory enumeration | Network traffic analysis, honeypots |
| 4. Lateral movement | Spreads across systems and segments | RDP, SSH, SMB shares, weak segmentation | Micro-segmentation, east-west traffic monitoring |
| 5. Data exfiltration | Steals sensitive data before encryption | Cloud uploads, FTP transfers, DNS tunnelling | Data loss prevention, outbound traffic analysis |
| 6. Encryption | Activates the payload, encrypts files, deletes shadow copies | Mass file encryption, backup deletion | Endpoint detection, file integrity monitoring |
| 7. Extortion | Demands ransom, threatens public data release | Ransom notes, leak site publication | Incident response activation |
Phase 4, lateral movement, is where traditional security fails most visibly. Once an attacker passes the firewall perimeter, VPN-based networks often provide broad access to internal resources. The attacker moves freely between servers, workstations and even operational technology systems. This is exactly the gap that Zero Trust Network Access is designed to close: by granting access only to specific applications rather than network segments, lateral movement becomes technically impossible.
Why traditional defences fail against modern ransomware
Firewalls and VPNs were designed for a world where the network perimeter was clearly defined. That world no longer exists. Employees work from home, applications run in the cloud, and IoT devices connect directly to production networks.
The core problem is the trust model. VPNs authenticate users once at the perimeter, then grant broad network access. An attacker who steals valid credentials, or compromises one endpoint, inherits that same broad access. From there, moving from an accountant’s workstation to a domain controller or backup server requires no additional authentication.
Detection-based tools like antivirus and traditional firewalls try to identify threats they already know about. But ransomware groups constantly develop new variants. Zero-day exploits bypass signature-based detection entirely. By the time your antivirus flags a file, encryption may already be underway.
The shift required is from detection-based to isolation-based security. Instead of trying to identify every possible threat, you assume any connection could be compromised and restrict what it can reach. This is the foundation of Zero Trust.
How Zero Trust and SASE protect against ransomware
Zero Trust architecture disrupts ransomware at multiple phases of the attack chain. Instead of trusting users and devices based on network location, every access request is verified against identity, device posture and context. The result is a fundamentally smaller attack surface.
A unified SASE platform combines the controls needed to stop ransomware at each phase into one cloud-managed service.
Stopping infiltration. Browser isolation executes website code in a secure cloud container rather than on the user’s endpoint. When an employee clicks a phishing link, the malicious payload runs in isolation and never reaches the device. The user sees a visual stream of the website. The ransomware script has nowhere to go.
Stopping lateral movement. Zero Trust Network Access replaces VPN tunnels with identity-based, per-application access. A finance team member connects to the invoicing application and nothing else. The rest of the network is invisible. Port scans return nothing. Micro-segmentation limits the blast radius of any compromised device to a single micro-zone rather than the entire network.
Securing agentless devices. Printers, IoT sensors and industrial controllers cannot run security agents. Left unprotected, they become pivot points for attackers. NIAC hardware provides inline isolation, allowing only approved communication flows between these devices and the network. This creates a secure bridge between IT and OT environments without disrupting production.
Enforcing device posture. Before granting access, device posture checks verify OS version, encryption status and security controls. A compromised or non-compliant device is denied access before it can become a launchpad for ransomware.
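To make the four controls above concrete, here is an added example (not Jimber's code or the page's own) of a minimal Zero Trust policy decision point: each request is judged on identity, device posture and context, returns a decision for one application only, and can demand step-up MFA or expire the session. The group names, application names, policy table and minimum OS build are assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example of a Zero Trust policy decision: every request is judged on
# identity, device posture and context, and the answer names a single application.
# Policy contents, group names and the minimum OS build are assumptions for the demo.

@dataclass
class DevicePosture:
    os_version: str       # e.g. "10.0.19045"
    disk_encrypted: bool
    edr_running: bool

@dataclass
class AccessRequest:
    user: str
    groups: set
    app: str
    device: DevicePosture
    mfa_verified: bool    # True once the user completed step-up MFA
    now: datetime

MIN_OS_BUILD = (10, 0, 19045)

# Which groups may see which application, whether it needs step-up MFA, and how
# long a granted session lives. Anything not listed is invisible to the user.
APP_POLICY = {
    "invoicing": {"groups": {"finance"},     "step_up_mfa": False, "session_minutes": 480},
    "plc-maint": {"groups": {"contractors"}, "step_up_mfa": True,  "session_minutes": 60},
}

def posture_ok(d: DevicePosture) -> bool:
    """Reject the device before it can become a launchpad: old OS, no disk encryption or no EDR."""
    build = tuple(int(p) for p in d.os_version.split("."))
    return build >= MIN_OS_BUILD and d.disk_encrypted and d.edr_running

def evaluate(req: AccessRequest) -> dict:
    """Decide one request for one application; there is no network-wide grant to fall back on."""
    policy = APP_POLICY.get(req.app)
    if policy is None or not (policy["groups"] & req.groups):
        # Unknown or unauthorised application: same answer as if it did not exist.
        return {"decision": "deny", "reason": "application not visible to this identity"}
    if not posture_ok(req.device):
        return {"decision": "deny", "reason": "device posture check failed"}
    if policy["step_up_mfa"] and not req.mfa_verified:
        return {"decision": "step_up_mfa", "reason": "application requires step-up MFA"}
    expires = req.now + timedelta(minutes=policy["session_minutes"])
    return {"decision": "allow", "app": req.app, "expires_at": expires.isoformat()}
```

A finance user asking for the PLC maintenance application gets the same answer as a port scan would: nothing there.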
| Capability | Traditional VPN and firewall | Zero Trust SASE |
|---|---|---|
| Access model | Network-based, broad segments | Identity-based, per-application |
| Lateral movement | Possible once perimeter is breached | Blocked by micro-segmentation |
| Network visibility | Hosts discoverable via port scanning | Network invisible to unauthorised users |
| Agentless device protection | Complex firewall rules, often incomplete | Inline isolation via NIAC hardware |
| Phishing defence | Relies on detection and filtering | Browser isolation prevents execution entirely |
| Management | Multiple consoles, complex rule sets | Single cloud-managed console |
NIS2 reporting and what the CCB expects from your organisation
Belgium was the first EU member state to transpose the NIS2 directive into national law, effective October 2024. Around 2,500 organisations fall within scope, and roughly 2,410 from critical sectors have already registered with the CCB.
For a CISO, three NIS2 requirements directly affect ransomware preparedness.
First, mandatory incident reporting. You must notify the CCB within 24 hours of becoming aware of a significant incident. A ransomware attack that disrupts operations or compromises data meets that threshold. The CCB provides reporting through its incident notification portal and a dedicated emergency number for NIS2 entities.
Second, board-level accountability. NIS2 holds management personally liable for inadequate security measures. Fines can reach €10 million or 2% of global turnover for essential entities. Cybersecurity is no longer an IT budget line. It is a governance responsibility.
Third, demonstrable risk reduction. The CCB’s CyberFundamentals (CyFun) framework provides four assurance levels, from Small (basic measures for micro-organisations) to Essential (200 measures for critical infrastructure). Auditors expect evidence of access control, logging, least privilege enforcement and incident containment. A Zero Trust architecture with centralised policy management and logging generates exactly this evidence.
A practical ransomware recovery plan in eight steps
No security architecture is infallible. A structured recovery plan reduces downtime, limits damage and demonstrates the governance NIS2 expects.
Step 1: Detect and confirm. Identify abnormal behaviour such as mass file changes, unexpected admin logins, or unusual outbound traffic. Activate your monitoring alerts.
Step 2: Isolate immediately. Disconnect affected systems from the network. This includes disabling wireless connections and physically unplugging network cables where necessary. Speed matters. Every minute of delay allows further encryption and lateral movement.
Step 3: Protect your backups. Verify that backup infrastructure is intact and disconnected from compromised segments. If your backups are online and accessible from the infected network, assume they may be compromised too. Offline or air-gapped backups are the single most valuable asset during a ransomware incident.
Step 4: Notify the CCB. For NIS2 entities, submit an initial notification within 24 hours. Use the CCB’s incident reporting form or emergency line. Early notification gives you access to CCB support and intelligence about the threat actor.
Step 5: Activate your crisis team. Bring together IT, legal (for GDPR notification obligations), communications and senior management. Assign clear responsibilities. Document all decisions for post-incident review and compliance evidence.
Step 6: Investigate the root cause. Before restoring systems, identify how the attacker gained access and what they compromised. Restoring from backup without closing the entry point risks immediate reinfection.
Step 7: Restore from clean backups. Rebuild systems methodically. Prioritise business-critical services. Verify integrity of restored data before reconnecting to the network.
Step 8: Review and improve. Conduct a post-incident analysis. Document what worked, what failed, and what changes are needed. Update your security policies, CyFun evidence pack and incident response procedures. This step also satisfies NIS2’s continuous improvement requirement.
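As an added example (not from the original article), the detection logic behind Step 1 and the Phase 6 detection window in the table above: it scans time-ordered endpoint events for one process changing many file extensions within a short window and for shadow copy deletion ahead of encryption. The sample events, process names and the threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real logs): (timestamp, event, process, detail).
def build_sample_events():
    t0 = datetime(2024, 11, 3, 2, 14, 0)
    events = []
    # Benign: a user saving a few documents over several minutes.
    for i in range(5):
        events.append((t0 + timedelta(minutes=i), "file_modify", "WINWORD.EXE", f"memo{i}.docx"))
    # Suspicious: one process renaming sixty files to a new extension within six seconds.
    for i in range(60):
        events.append((t0 + timedelta(seconds=30 + i * 0.1), "file_rename",
                       "updater_svc.exe", f"report{i}.xlsx -> report{i}.xlsx.locked"))
    # Suspicious: shadow copy removal, the backup-deletion step that precedes encryption.
    events.append((t0 + timedelta(seconds=40), "process_start", "cmd.exe",
                   "vssadmin delete shadows /all /quiet"))
    return sorted(events)

RENAME_THRESHOLD = 50          # assumption: extension changes per window that mean mass encryption
WINDOW = timedelta(seconds=60)
SHADOW_PATTERNS = ("delete shadows", "shadowcopy delete")   # well-known shadow copy deletion commands

def detect(events):
    """Return alerts as (timestamp, rule, process) from time-ordered events."""
    alerts = []
    recent = defaultdict(deque)   # process -> timestamps of recent extension-changing renames
    flagged = set()
    for ts, kind, proc, detail in events:
        if kind == "file_rename" and " -> " in detail:
            old, new = detail.split(" -> ", 1)
            # Only renames that change the extension count; plain renames are common and benign.
            if old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]:
                q = recent[proc]
                q.append(ts)
                while ts - q[0] > WINDOW:
                    q.popleft()
                if len(q) >= RENAME_THRESHOLD and proc not in flagged:
                    flagged.add(proc)          # one alert per process, not one per file
                    alerts.append((ts, "mass_extension_change", proc))
        elif kind == "process_start" and any(p in detail.lower() for p in SHADOW_PATTERNS):
            alerts.append((ts, "shadow_copy_deletion", proc))
    return alerts
```

Either alert on its own is a trigger for Step 2; the two together, seconds apart, are the Phase 6 pattern the table describes.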
Common mistakes that worsen ransomware incidents
Avoid these patterns that consistently increase damage during ransomware attacks.
Paying the ransom without certainty of recovery. The CCB and most law enforcement agencies advise against payment. Organisations that pay are more likely to be targeted again, and there is no guarantee of receiving a working decryption key.
Keeping backups connected to the production network. Attackers specifically target backup systems before triggering encryption. If your backup server is reachable from the same network, it will be encrypted too.
Restoring systems before identifying the entry point. Without understanding how the attacker gained access, restored systems can be reinfected within hours.
Ignoring agentless devices during containment. Printers, IoT sensors and industrial controllers connected to the network can serve as persistent footholds if not isolated during incident response.
Treating the incident as purely technical. NIS2 requires notification within 24 hours, GDPR may require data breach notification within 72 hours, and board members bear personal accountability. Involve legal and communications from the start.
A Belgian manufacturing firm’s approach to ransomware resilience
A mid-market manufacturing company in the Benelux with 280 employees and three production sites faced a familiar challenge. Their IT and OT networks were connected through flat VLANs. Remote maintenance by third-party contractors used shared VPN credentials. Backups ran on network-attached storage accessible from the production network.
After a near-miss phishing incident, the CISO initiated a phased migration. The team replaced VPN access with identity-based application access, ensuring contractors could only reach the specific machines they needed to service, with time-limited sessions and step-up MFA. Production equipment, PLCs, and HMIs were placed behind NIAC hardware with strict upstream flow controls. Backups were moved to an air-gapped schedule.
The result: the blast radius of any single compromised device dropped from the entire network to one micro-zone. Audit preparation time fell from weeks to days. The CyFun evidence pack now documents access policies, change logs and incident drills that satisfy the Important assurance level.
How Jimber makes ransomware protection workable
Jimber delivers Real SASE in one cloud-managed platform. Zero Trust Network Access replaces broad VPN connections with per-application access tied to user identity and device posture. Browser isolation prevents phishing payloads from ever reaching endpoints. NIAC hardware isolates agentless and industrial devices, creating a secure bridge between IT and OT without production disruption.
All policies, logs and alerts are managed from a single console. For MSPs and partners, multi-tenant operations and transparent pricing make it straightforward to deliver managed ransomware protection across multiple customers. The platform generates the access logs, policy versions and incident containment evidence that NIS2 and the CyFun framework expect.
Frequently asked questions
How does ransomware actually encrypt files?
Ransomware uses strong encryption algorithms, typically a combination of symmetric (AES) and asymmetric (RSA) cryptography. Without the attacker’s private key, decryption is practically impossible. Modern variants also delete volume shadow copies and target backup systems to eliminate recovery options.
Is paying the ransom ever recommended?
The CCB and most law enforcement agencies advise against it. Payment funds criminal operations and provides no guarantee of data recovery. Organisations that pay are statistically more likely to be targeted again. Focus resources on backups, containment and improving your security posture instead.
What should I report to the CCB after a ransomware attack?
NIS2 entities must submit an initial notification within 24 hours of detecting a significant incident. Report through the CCB’s incident notification portal or dedicated emergency line. Include what systems are affected, containment measures taken and estimated impact. The CCB can provide threat intelligence and technical support.
Can Zero Trust really prevent ransomware from spreading?
Zero Trust does not guarantee that no device will ever be compromised. What it does is contain the damage. With identity-based per-application access, a compromised endpoint cannot reach other systems. Micro-segmentation keeps an infection confined to a single zone rather than allowing it to spread across the network.
How do we protect industrial equipment that cannot run security agents?
Use inline isolation hardware like NIAC to control which communication flows are allowed between agentless devices and the rest of the network. Industrial controllers and PLCs are placed behind a physical isolation boundary that permits only approved traffic to specific upstream systems.
Does our organisation fall under NIS2?
NIS2 covers essential and important entities across sectors including energy, transport, healthcare, digital infrastructure, government and manufacturing. Approximately 2,500 Belgian organisations fall within scope. The CCB provides a risk analysis tool to help determine your classification and required assurance level under the CyFun framework.
Take the next step
Ready to see how isolation-based security contains ransomware before it spreads? Book a demo and walk through your environment with a Jimber specialist.