Ransomware prevention: a 2026 playbook for European mid-market organisations

Ransomware attacks rose 45% in 2025, with 134 distinct groups now operating globally. For European mid-market organisations, the question is no longer whether an attack will happen, but how well you can prevent, contain, and recover from one. This playbook walks through the full attack lifecycle and maps concrete defences to each stage, so your team can act on a clear plan rather than react under pressure.

You will find a phase-by-phase breakdown of how ransomware unfolds, the controls that stop it at each point, backup and recovery principles, a practical incident response framework, NIS2 reporting requirements, and the insurance considerations that CISOs increasingly need to factor in.

How to prevent ransomware in 2026: quick overview

  1. Block initial access with phishing-resistant MFA, identity-based access, and device posture checks.
  2. Stop lateral movement through microsegmentation and least-privilege policies per application.
  3. Prevent data exfiltration with a Secure Web Gateway, outbound traffic controls, and DLP rules.
  4. Limit encryption damage by isolating devices at the network level so ransomware cannot spread beyond a single segment.
  5. Ensure recovery with immutable, air-gapped backups tested quarterly against your defined RTO and RPO.
  6. Prepare for reporting with a pre-built NIS2 incident response workflow covering the 24-hour, 72-hour, and one-month deadlines.

Why ransomware is a board-level risk in 2026

Ransomware has evolved from an IT disruption into a strategic business risk that demands attention from the board, not just the security team. The financial impact of a single incident now ranges between $1.8 million and $5 million when you account for downtime, recovery, legal costs, and reputational damage. NIS2 makes senior management personally accountable for cybersecurity failures, including temporary bans from leadership roles in cases of serious negligence.

Three shifts have made 2026 particularly pressing. First, attackers are moving faster. The median time from initial intrusion to ransomware deployment dropped to roughly five days in late 2025, down from several weeks just two years earlier. Second, the Ransomware-as-a-Service (RaaS) model has lowered the barrier to entry. There are now 30% more active ransomware groups than in 2024, and many operate like professional software companies with support channels and negotiation services. Third, data-only extortion is rising. Attackers increasingly skip encryption altogether, stealing sensitive data and threatening to publish it. This tactic is harder to detect and cannot be resolved by restoring backups alone.

For mid-market organisations with 50 to 400 employees, the pressure is especially acute. Only 41% of mid-market companies successfully blocked ransomware with their existing defences in 2024. Most lack the headcount and tooling of large enterprises, yet face the same attackers. Germany alone saw a 97% increase in ransomware incidents in 2025. Manufacturing, professional services, and healthcare are the most targeted sectors across Europe.

How ransomware attacks actually unfold

Understanding the ransomware lifecycle is the foundation for placing defences where they matter most. A modern attack follows a predictable chain. Each stage offers an opportunity to detect and break the attack before damage escalates.

Stage 1: Initial access

Attackers gain a foothold through one of three primary vectors. Exploited software vulnerabilities accounted for 32% of ransomware incidents in 2025, making unpatched systems the single largest technical cause. Compromised credentials, often purchased from initial access brokers, were responsible for 23% of cases. Phishing, including AI-generated emails that are increasingly difficult to spot, remains a consistent entry point.

Stage 2: Persistence and privilege escalation

Once inside, attackers establish persistence by creating additional accounts, deploying remote access tools, or abusing legitimate admin utilities. They escalate privileges to gain domain-level access, often targeting Active Directory. This stage is typically quiet and can happen within hours.

Stage 3: Lateral movement

With elevated privileges, attackers move across the network to identify high-value targets. In flat networks with broad VPN access or minimal segmentation, this movement is trivial. The attacker maps file shares, databases, backup systems, and operational technology. This is the stage where a single compromised endpoint becomes a full-environment breach.

Stage 4: Data exfiltration

Before deploying ransomware, attackers increasingly exfiltrate sensitive data. This enables double or triple extortion: pay to decrypt, pay to prevent publication, and pay to avoid notifying affected customers. Data-only extortion, where no encryption occurs at all, is growing because it is quieter and harder for traditional endpoint tools to flag.

Stage 5: Encryption or destruction

The final stage is payload deployment. Ransomware encrypts files, disables backups where possible, and drops ransom notes. In some cases, attackers destroy systems rather than encrypting them, particularly when targeting industrial environments. Modern variants target virtualisation platforms (ESXi), cloud storage, and backup infrastructure specifically.

Attack stage | Primary vector | Key defence | Detection signal
--- | --- | --- | ---
Initial access | Phishing, exploits, stolen credentials | MFA, patching, identity-based access | Failed login spikes, unusual geo-logins
Persistence | Backdoor accounts, remote tools | Privileged access management, monitoring | New accounts, unexpected remote sessions
Lateral movement | Flat network, shared segments | Microsegmentation, ZTNA | East-west traffic anomalies
Data exfiltration | Large outbound transfers | SWG, DLP, outbound controls | Unusual data volumes to external IPs
Encryption | Ransomware payload | Network isolation, immutable backups | Mass file changes, service disruption

Ransomware prevention at each stage of the attack lifecycle

The most effective ransomware protection strategy places overlapping controls across every stage. No single tool stops ransomware. The goal is to create enough friction that an attack is detected and contained before it reaches the encryption or exfiltration phase.

Blocking initial access

Start with identity. Replace broad VPN access with Zero Trust Network Access that verifies every user and device before granting application-level access. Enforce phishing-resistant MFA on all accounts, with hardware keys or passkeys for privileged roles. Require device posture checks before any connection, verifying OS version, disk encryption, and endpoint protection status.

Patch management remains non-negotiable. Prioritise internet-facing systems and VPN appliances, which are consistently the most exploited entry points. Automate vulnerability scanning, define a 72-hour patching window for critical CVEs, and treat any vulnerability known to be exploited in the wild as critical regardless of its CVSS score.

Deploy a Secure Web Gateway to filter malicious web traffic and block known phishing domains before they reach users. Category-based filtering and TLS inspection (where lawful and proportionate under GDPR) add layers that catch threats which email security alone misses. For organisations handling sensitive web applications, a Web Application Firewall adds protection against injection attacks and credential harvesting pages.

Combine technical controls with awareness training that goes beyond annual checkbox exercises. Simulated phishing campaigns tailored to roles, with real-time feedback, can reduce click rates from over 30% to below 5% within a year. In 2026, AI-generated phishing emails no longer contain obvious spelling errors or formatting issues, so training should focus on recognising context and intent rather than visual cues.

Stopping lateral movement

Lateral movement is where ransomware turns from a single-endpoint problem into an organisation-wide disaster. The defence is microsegmentation, which limits each user and device to only the specific applications they need.

In a Zero Trust architecture, users connect to named applications, not to network segments. If an endpoint is compromised, the attacker cannot reach file servers, backup systems, or operational technology because those paths simply do not exist for that identity. This “blast radius management” is the single most effective control against ransomware spreading across your environment.

For devices that cannot run agents, such as printers, IoT sensors, cameras, and industrial equipment, NIAC hardware provides inline isolation. These devices sit behind a controlled boundary that permits only defined communication flows. Without this step, agentless devices become pivot points for attackers to move between IT and OT environments.

Privileged access management is equally important. Admin accounts should use separate credentials, step-up authentication, and just-in-time access windows. Monitor all privileged sessions and alert on anomalies like off-hours logins or access from unfamiliar devices.

Preventing data exfiltration

Data-only extortion bypasses backup strategies entirely, making exfiltration prevention a distinct priority. Outbound traffic controls through a Secure Web Gateway and Firewall-as-a-Service should inspect and restrict large data transfers to unknown destinations. Apply data loss prevention (DLP) rules to sensitive file types and repositories.

Segment data access by role. Finance staff should not be able to access engineering repositories, and vice versa. Identity-based policies enforced at the application layer reduce what any single compromised account can reach.

Monitor for unusual patterns: large uploads during off-hours, bulk downloads from file shares, or new connections to cloud storage services not on your approved list. These signals are often visible days before the final payload drops.
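The three signals above can be turned into a detection rule that runs over your gateway's export. The script below is an added example written for this playbook, not code from the original page or from any vendor's product; it also serves as one of the SIEM rules that Phase 1 of the incident response section asks for. The log layout (timestamp, user, destination, bytes sent), the approved-destination list, the 30-day baseline of known user-to-destination pairs and the thresholds are all assumptions, and the log lines are constructed sample data.

```python
"""Flag exfiltration-style outbound traffic in Secure Web Gateway logs.

Added example for this playbook; it is not code from the original page or
from any vendor's product. The log layout (timestamp, user, destination,
bytes sent), the approved-destination list, the 30-day baseline and the
thresholds are all assumptions. Map them onto your own gateway export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one line per outbound session, fields are
# ISO-8601 UTC timestamp, user, destination host, bytes sent upstream.
SAMPLE_LOG = """\
2026-02-03T09:12:04Z alice sharepoint.example-corp.com 18230
2026-02-03T09:15:40Z alice sharepoint.example-corp.com 22100
2026-02-03T14:02:11Z bob crm.example-corp.com 900
2026-02-04T02:13:05Z svc-build files.example-corp.com 120000
2026-02-04T02:14:09Z bob mega.nz 734003200
2026-02-04T02:19:33Z bob mega.nz 698351616
2026-02-04T02:41:57Z bob mega.nz 512000000
2026-02-04T10:05:00Z carol drive.google.com 40000000
2026-02-04T15:30:12Z dave wetransfer.com 10485760
"""

# Destinations sanctioned for bulk uploads (assumption).
APPROVED_DESTINATIONS = {"sharepoint.example-corp.com", "files.example-corp.com",
                         "crm.example-corp.com"}

# (user, destination) pairs observed in the previous 30 days (constructed
# baseline). carol routinely shares files via Google Drive; nobody has used
# mega.nz or wetransfer.com before.
BASELINE_PAIRS = {("carol", "drive.google.com")}

# Thresholds (assumptions): 500 MiB to one unapproved destination per user
# per day, and 22:00-06:00 UTC as off-hours.
BULK_UPLOAD_BYTES = 500 * 1024 * 1024
OFF_HOURS_START, OFF_HOURS_END = 22, 6


def parse_line(line):
    ts, user, dest, sent = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, dest, int(sent)


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def detect_exfil(log_text, baseline=BASELINE_PAIRS, approved=APPROVED_DESTINATIONS,
                 threshold=BULK_UPLOAD_BYTES):
    """Return one finding per (user, destination, day) that trips any rule.

    Rules mirror the signals in the text above:
      bulk_upload_unapproved  daily upstream bytes to an unapproved destination
                              exceed the threshold
      off_hours_upload        any upload to an unapproved destination in the
                              off-hours window
      new_destination         the user never sent data to this unapproved
                              destination during the baseline period
    Aggregating per day matters: attackers split uploads into chunks that stay
    under any single-session limit.
    """
    totals = defaultdict(int)
    off_hours_keys = set()
    for line in log_text.strip().splitlines():
        ts, user, dest, sent = parse_line(line)
        if dest in approved:
            continue
        key = (user, dest, ts.date().isoformat())
        totals[key] += sent
        if is_off_hours(ts):
            off_hours_keys.add(key)

    findings = []
    for (user, dest, day), total in sorted(totals.items()):
        rules = []
        if total >= threshold:
            rules.append("bulk_upload_unapproved")
        if (user, dest, day) in off_hours_keys:
            rules.append("off_hours_upload")
        if (user, dest) not in baseline:
            rules.append("new_destination")
        if rules:
            findings.append({"user": user, "dest": dest, "day": day,
                             "bytes": total, "rules": rules})
    return findings


if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG):
        print(f"{f['day']} {f['user']:<10} {f['dest']:<18} {f['bytes']:>12} "
              f"{', '.join(f['rules'])}")
```

On the constructed data, bob's three chunked uploads to mega.nz at 02:00 aggregate to roughly 1.9 GB and trip all three rules, dave's small first-time upload to wetransfer.com only trips the new-destination rule, and carol's routine Google Drive use produces nothing because it is in the baseline. Tune the baseline window and threshold against a few weeks of your own logs before alerting on them.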

Containing encryption and minimising blast radius

If ransomware reaches the encryption stage, network-level isolation determines whether you lose one endpoint or a large part of your environment. With properly segmented networks, the infected device is contained to its own segment: the payload cannot reach other segments, backup infrastructure, or production systems over the network. Segmentation bounds network reach, not identity reach. The malware still encrypts every file share and cloud repository the compromised account can write to, so least-privilege permissions on shares and repositories are part of the same control.

SD-WAN with centralised policy enforcement ensures that branch offices and remote sites follow the same segmentation rules as headquarters. Without this consistency, a remote office with weaker controls becomes the entry point for an organisation-wide incident.

For industrial environments, isolation between IT and OT is not optional. Ransomware that reaches production equipment can halt manufacturing for weeks. Network controllers and NIAC appliances create a secure bridge between IT and OT that allows necessary data flows while blocking unauthorised lateral access.

Backup and recovery strategies that actually hold

Backups are the last line of defence, and attackers know it. Modern ransomware specifically targets backup infrastructure, deleting snapshots and corrupting recovery points before encrypting production systems. Your backup strategy must assume that the attacker has admin-level access.

The 3-2-1-1 rule for 2026

The traditional 3-2-1 backup rule (three copies, two media types, one offsite) needs an update. Add a fourth element: one immutable copy. Immutable backups stored in write-once, read-many (WORM) format cannot be modified or deleted for the duration of their retention period, even with administrator credentials. Two caveats matter in practice. The lock must be a compliance-style lock that no account, including the backup administrator and the storage account owner, can shorten; governance-style locks that a privileged role can override do not protect against an attacker who already holds that role. And the retention period must be longer than your realistic detection time, otherwise the clean copy expires before you know you need it. Combine this with an air-gapped copy that is physically or logically disconnected from your production network.

Define and test your RTO and RPO

Recovery Time Objective (RTO) defines how quickly you need systems back online. Recovery Point Objective (RPO) defines how much data loss is acceptable. Both must be documented, agreed with business stakeholders, and tested at least quarterly through actual restore exercises, not just paper plans.

Under NIS2 and DORA, demonstrating that you can recover is as important as demonstrating that you can prevent. Regulators and auditors expect evidence of tested recovery procedures, not just backup policies.

Recover identity systems first

Active Directory and your identity provider are the foundation of every other system. If these are compromised, restoring application servers is meaningless because the attacker still has the keys. Your recovery runbook should prioritise identity infrastructure, validate its integrity in a clean environment, and only then proceed to application and data restoration.

Backup component | Best practice | Why it matters
--- | --- | ---
Storage format | Immutable (WORM) with an unshortenable lock | Prevents deletion by attackers with admin rights for the life of the retention lock
Offsite copy | Air-gapped or logically separated | Survives network-wide encryption
Authentication | Out-of-band MFA for backup systems | Backup credentials separate from production
Validation | Cleanroom recovery and malware scan | Ensures restored systems are not reinfected
Frequency | Driven by the agreed RPO (for example daily incremental, weekly full) | Bounds data loss to the RPO
Testing | Quarterly restore exercises | Proves RTO is achievable under pressure
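The 3-2-1-1 rule and the RPO check above can be verified mechanically against a backup inventory rather than on paper. The script below is an added example written for this playbook, not code from the original page or from any backup product. The inventory layout is an assumption (one record per copy with media type, offsite flag, last successful run, and for WORM copies the lock expiry and whether an admin role can shorten it), the 14-day minimum remaining lock is an assumed detection-time budget, and the inventory itself is constructed data.

```python
"""Check a backup inventory against the 3-2-1-1 rule and the agreed RPO.

Added example for this playbook, not code from the original page or from any
backup product. The inventory layout is an assumption: one record per backup
copy with its media type, whether it sits outside the production network,
when it last completed successfully and, for WORM or object-lock copies, when
the retention lock expires and whether a privileged role can shorten it.
"""
from datetime import datetime, timedelta


def parse(ts):
    return datetime.fromisoformat(ts)


# Constructed inventory for a mid-market environment (not real systems).
INVENTORY = [
    {"name": "nas-primary", "media": "disk", "offsite": False,
     "last_success": "2026-02-04T01:10:00+00:00",
     "lock_until": None, "admin_can_shorten_lock": True},
    {"name": "object-store-eu", "media": "object", "offsite": True,
     "last_success": "2026-02-04T01:45:00+00:00",
     "lock_until": "2026-03-06T01:45:00+00:00", "admin_can_shorten_lock": False},
    {"name": "tape-vault", "media": "tape", "offsite": True,
     "last_success": "2026-01-31T23:00:00+00:00",
     "lock_until": None, "admin_can_shorten_lock": True},
]
NOW = parse("2026-02-04T08:00:00+00:00")


def is_immutable(copy, now, min_lock):
    """A copy only counts as immutable while a lock that no admin can shorten
    still has at least min_lock left to run."""
    if copy["lock_until"] is None or copy["admin_can_shorten_lock"]:
        return False
    return parse(copy["lock_until"]) - now >= min_lock


def assess(inventory, now, rpo=timedelta(hours=24), min_lock=timedelta(days=14)):
    """Return a list of findings; an empty list means the set passes.

    rpo is the agreed Recovery Point Objective; min_lock is the minimum
    remaining retention on the immutable copy, which should exceed the time
    you realistically need to detect an intrusion (assumption: 14 days).
    """
    findings = []
    if len(inventory) < 3:
        findings.append(f"only {len(inventory)} of the 3 required copies")
    if len({c["media"] for c in inventory}) < 2:
        findings.append("all copies on one media type")
    if not any(c["offsite"] for c in inventory):
        findings.append("no offsite or air-gapped copy")
    immutable = [c for c in inventory if is_immutable(c, now, min_lock)]
    if not immutable:
        findings.append("no copy with an unshortenable lock that outlasts detection time")
    fresh = [c for c in inventory if now - parse(c["last_success"]) <= rpo]
    if not fresh:
        findings.append("no copy completed within the RPO")
    # The copy you will actually restore from after an attack is the immutable
    # one, because the attacker is assumed to have deleted the rest. It has to
    # meet the RPO on its own.
    if immutable and not any(c in fresh for c in immutable):
        findings.append("immutable copy is older than the RPO")
    return findings


if __name__ == "__main__":
    print(assess(INVENTORY, NOW) or ["3-2-1-1 and RPO satisfied"])
```

The last check is the one most inventories miss: a nightly disk copy on the NAS satisfies the RPO on paper, but if the only immutable copy runs weekly, the recovery point you can actually trust after an attack is a week old. Run a check like this from the backup catalogue as part of the quarterly restore exercise.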

Incident response planning for ransomware

A ransomware incident compresses weeks of normal IT work into hours. Without a pre-built plan, teams waste precious time figuring out who does what, while the attacker continues to operate. Your incident response plan should be documented, assigned, and rehearsed before an incident occurs.

Phase 1: Detection and triage

Centralised logging and real-time monitoring are the foundation. Aggregate logs from your ZTNA platform, Secure Web Gateway, identity provider, and endpoint tools into a SIEM. Define detection rules for the signals mapped in the attack lifecycle table above. When an alert fires, triage quickly: is this a confirmed incident or a false positive? Assign severity and activate the response team.

Phase 2: Containment

Isolate the affected endpoints, accounts, and network segments immediately. With network-level isolation through a SASE platform, this can be automated: the suspicious zone is disconnected from the rest of the network to prevent further lateral movement. Disable compromised accounts and revoke active sessions across all connected services, including cloud applications and federated identity providers. Preserve forensic evidence before reimaging, including memory dumps, network logs, and timeline data.

Speed matters. Every hour of uncontained lateral movement increases the scope of the breach and the cost of recovery. Organisations that can isolate a compromised segment within the first hour of detection reduce their average incident cost significantly compared to those that take a day or more.

Phase 3: Eradication and recovery

Identify the root cause, patch the exploited vulnerability or revoke the compromised credentials, and restore systems from verified clean backups. Follow the recovery priority: identity systems first, then business-critical applications, then secondary systems. Validate each restored system in an isolated environment before reconnecting it to production.

Phase 4: Post-incident review and reporting

Conduct a thorough lessons-learned review within two weeks. Document what worked, what failed, and what needs to change. Update your threat model, access policies, and detection rules based on findings. Feed the improvements back into your prevention controls.

This review is also your opportunity to strengthen the controls at the specific attack stage where detection happened too late. If the attacker was inside for three days before containment, your detection rules for that stage need tuning. If lateral movement succeeded across two segments, your segmentation policies have a gap. Every incident, even one that was contained successfully, reveals something actionable.

Store your post-incident documentation in a format that supports future audit requests and insurance claims. NIS2 auditors will ask for evidence of continuous improvement, and this documentation serves that purpose directly.

NIS2 reporting requirements during a ransomware incident

NIS2 introduces a strict, multi-stage incident reporting timeline that directly affects how you handle ransomware. Non-compliance carries fines up to 10 million euros or 2% of global annual turnover for essential entities, and up to 7 million euros or 1.4% for important entities. Management can face personal sanctions including temporary bans from leadership roles.

The reporting timeline has three mandatory stages, and the clock starts when you become aware of a significant incident, not when you finish investigating it. Within 24 hours of becoming aware, you must submit an early warning to your national CSIRT or competent authority. This is not a full investigation. It is a rapid alert indicating that an incident has occurred, whether it is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact. Within 72 hours of becoming aware, you must submit an incident notification that updates the early warning and adds an initial assessment of severity and impact, plus any indicators of compromise available at that time. Within one month of submitting that incident notification, a final report is required covering a detailed description of the incident, the type of threat or root cause that likely triggered it, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing when the final report falls due, you submit a progress report instead and the final report within one month of handling the incident. The authority may also request intermediate status updates at any point.

Reporting stage | Deadline | Content required
--- | --- | ---
Early warning | 24 hours after becoming aware | Incident detected, suspected malicious or unlawful cause, potential cross-border impact
Incident notification | 72 hours after becoming aware | Update to the early warning, initial assessment of severity and impact, indicators of compromise where available
Final report | 1 month after the incident notification | Detailed description, root cause or threat type, mitigation measures, cross-border effects

To meet these deadlines under the pressure of an active ransomware incident, you need pre-built reporting templates, designated contacts for your national authority, and tested internal escalation procedures. Organisations that discover these requirements during an incident will almost certainly miss the 24-hour window.
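An escalation runbook needs the deadlines computed from the right anchor points, because the first two run from awareness and the third from the incident notification. The script below is an added example written for this playbook, not code from the original page; it encodes the timeline as summarised above. Treating "one month" as the same day of the following month is an assumption (the directive does not define the term more precisely, so confirm the convention with your authority), and the timestamps are a constructed scenario.

```python
"""Compute the NIS2 Article 23 reporting deadlines for a significant incident.

Added example for this playbook, not code from the original page. The
24-hour and 72-hour clocks run from the moment the entity becomes aware of
the incident, the final report is due one month after the incident
notification is submitted, and if the incident is still ongoing then a
progress report is filed instead, with the final report due one month after
the incident has been handled. Treating "one month" as the same day of the
following month is an assumption; confirm it with your authority.
"""
import calendar
from datetime import datetime, timedelta


def parse(ts):
    return datetime.fromisoformat(ts)


def add_one_month(ts):
    """Same day-of-month next month, clamped to that month's length."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at, notification_submitted_at=None,
                        ongoing_at_final=False, handled_at=None):
    """Return {stage: due datetime} for the stages that can be scheduled yet."""
    if aware_at.tzinfo is None:
        raise ValueError("timestamps must carry a timezone; the clock is absolute")
    due = {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
    }
    if notification_submitted_at is not None:
        one_month_on = add_one_month(notification_submitted_at)
        if ongoing_at_final:
            due["progress_report"] = one_month_on
            if handled_at is not None:
                due["final_report"] = add_one_month(handled_at)
        else:
            due["final_report"] = one_month_on
    return due


def hours_remaining(deadlines, now):
    """Hours left per stage; negative means the deadline has passed."""
    return {stage: round((when - now).total_seconds() / 3600, 1)
            for stage, when in deadlines.items()}


# Constructed scenario: the SOC confirms a significant incident on 10 March,
# and the incident notification goes out on the morning of 13 March.
AWARE_AT = parse("2026-03-10T14:30:00+00:00")
NOTIFIED_AT = parse("2026-03-13T09:00:00+00:00")

if __name__ == "__main__":
    schedule = reporting_deadlines(AWARE_AT, NOTIFIED_AT)
    for stage, when in schedule.items():
        print(f"{stage:<22} due {when.isoformat()}")
    print(hours_remaining(schedule, parse("2026-03-11T10:00:00+00:00")))
```

Feed `hours_remaining` into whatever paging or ticketing system your response team uses; the point of the awareness timestamp being explicit is that it should be recorded at triage, since arguing about it afterwards costs hours you do not have.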

Belgium transposed NIS2 with its law of 26 April 2024, in force since 18 October 2024, with the Centre for Cybersecurity Belgium (CCB) serving as the national authority. Essential entities must demonstrate conformity, for example through a CyberFundamentals (CyFun) assessment, by April 2026. If your organisation falls under NIS2, reporting readiness is not a future project. It is a current obligation.

Cyber insurance considerations for 2026

Cyber insurance has become a standard part of ransomware risk management, but the market has tightened significantly. Insurers are no longer writing blanket policies. They are conducting detailed assessments of your security posture before underwriting, and many mid-market organisations are finding that gaps in basic controls lead to denied claims or exclusions.

What insurers expect to see

Most cyber insurers now require evidence of specific controls before they will offer coverage. These typically include MFA on all remote access and privileged accounts, network segmentation or microsegmentation, tested backup and recovery procedures, an incident response plan, endpoint protection on managed devices, and employee awareness training. Organisations without these controls face higher premiums, reduced coverage limits, or outright rejection.

The mid-market is feeling this shift acutely. Insurers that previously offered affordable cyber policies to smaller organisations have tightened underwriting criteria after a wave of ransomware claims in 2023 and 2024. Some now require a pre-binding security assessment, including evidence of segmentation architecture, backup immutability, and incident response testing. Treating insurance readiness as a security improvement project, rather than a procurement exercise, produces better outcomes on both fronts.

Policy terms to scrutinise

Review your policy for war exclusions (which can void coverage for nation-state attacks), sub-limits on ransomware-specific claims, waiting periods before business interruption coverage begins, and requirements around ransom payment approval. Some policies require insurer notification before any ransom payment, and failure to follow the process can void the claim.

Alignment with NIS2

NIS2 compliance and insurance readiness overlap substantially. The controls that satisfy regulators, such as risk management, incident response, access controls, and documented recovery procedures, are the same ones insurers require. Treating these as a single workstream rather than two separate projects reduces effort and improves consistency.

Building a ransomware-resilient architecture with Jimber

Jimber delivers Real SASE in a single cloud-managed platform, mapping directly to the ransomware prevention controls in this playbook. Rather than assembling point solutions from multiple vendors, you get an integrated architecture that addresses each stage of the attack lifecycle.

Zero Trust Network Access replaces broad VPN access with identity-based, per-application access. Device posture checks verify every connection. This blocks initial access through stolen credentials and eliminates the flat network paths that enable lateral movement.

The Secure Web Gateway and Firewall-as-a-Service inspect and control web traffic, blocking phishing sites, malicious downloads, and unauthorised data transfers before they reach endpoints.

SD-WAN provides secure connectivity across multiple sites with consistent policy enforcement, so branch offices and remote locations are protected to the same standard as headquarters.

For environments with agentless devices, NIAC hardware and industrial controllers create a secure bridge between IT and OT. Production equipment, IoT sensors, and legacy devices are isolated to defined communication flows, preventing them from becoming pivot points in a ransomware attack.

All of this is managed from a single console with centralised logging, policy versioning, and API-first integration for SIEM streaming. For MSPs and partners, the multi-tenant architecture supports scalable management across multiple customers with transparent pricing and predictable margins.

Practical examples in European mid-market environments

Belgian manufacturer with mixed IT and OT. A midsized production company segmented its factory network using NIAC appliances to isolate PLCs, HMIs, and sensors from the corporate IT environment. When a phishing email compromised a workstation in the engineering department, microsegmentation prevented the attacker from reaching any production systems. The incident was contained to a single endpoint, and the company’s NIS2 early warning was filed within 12 hours.

Dutch professional services firm. A consulting firm with 200 employees replaced its legacy VPN with ZTNA, granting staff access only to the specific applications their role required. Posture checks blocked connections from unmanaged personal devices unless they met baseline encryption and OS requirements. The firm reduced its attack surface by 70% and streamlined its cyber insurance renewal by demonstrating segmentation, MFA, and centralised logging.

Municipal government across multiple sites. A Belgian municipality connected its distributed offices and citizen service points through SD-WAN with centralised policy. Web filtering through SWG blocked access to known malicious domains. When a contractor’s device showed signs of compromise, the security team isolated the segment remotely from the central console within minutes, preventing any data from leaving the network.

Frequently asked questions

Can mid-market organisations afford proper ransomware prevention? Yes. The cost of a single ransomware incident now averages between $1.8 million and $5 million. A cloud-managed SASE platform replaces multiple point solutions, often reducing total security spend while improving coverage. The real cost is not the tools. It is the downtime and recovery from an attack you were not prepared for.

Does ransomware prevention help with NIS2 compliance? Directly. NIS2 requires risk management, access controls, incident response planning, and reporting procedures. The controls in this playbook, including ZTNA, microsegmentation, centralised logging, and tested backup recovery, provide the evidence regulators expect to see.

What is the most effective single control against ransomware? If you can implement only one change, make it microsegmentation with identity-based access. This limits lateral movement, which is the stage where a single compromised endpoint becomes a full-environment breach. Attackers who cannot move laterally cannot reach backup systems, exfiltrate data at scale, or deploy ransomware across your network.

How do we protect devices that cannot run security agents? Use inline isolation hardware like NIAC appliances. These sit between the agentless device and the rest of your network, allowing only defined communication flows. This approach covers printers, IoT sensors, cameras, and industrial equipment without disrupting their function.

Should we pay a ransom if we are attacked? Law enforcement agencies and EU bodies consistently advise against paying. Payment funds criminal operations, does not guarantee data recovery, and may violate sanctions if the group or its affiliates are designated. Invest instead in prevention, tested backups, and a response plan that gives you alternatives. If your organisation considers payment, involve legal counsel and your insurer before making any decision.

How often should we test our ransomware response? At minimum, conduct a tabletop exercise twice a year and a full technical recovery test quarterly. Update your response plan after every test, and after any significant change to your infrastructure or threat landscape.

Take the next step

Ready to map these controls to your environment? Book a demo and see how Jimber’s SASE platform prevents ransomware at every stage of the attack lifecycle, in one console.
