The 2025 Ransomware Playbook: How Attacks Have Evolved and What Defences Work
Ransomware is no longer a crime of opportunity conducted by lone actors. The groups responsible for the most damaging attacks in 2024 and into 2025 operate with the organisational structure, specialisation, and strategic patience of professional businesses. Understanding this evolution is essential for defenders — because the defences that worked three years ago are increasingly insufficient against the current threat model.
How a Modern Ransomware Attack Actually Unfolds
The popular image of ransomware — malicious software that appears suddenly and immediately encrypts everything — is increasingly inaccurate for the attacks causing serious damage. Modern enterprise ransomware attacks typically follow a multi-stage process that plays out over days or weeks before encryption occurs.
Stage 1: Initial Access
Most sophisticated ransomware groups do not conduct their own initial access. Instead, they purchase it from Initial Access Brokers (IABs) — specialised criminal operators who compromise organisations and sell that access on dark web marketplaces. The most common access methods IABs use are phishing campaigns, exploitation of internet-facing vulnerabilities (particularly in VPN appliances, remote access tools, and unpatched web applications), and credential stuffing using leaked password databases.
The implication for defenders is that perimeter hardening and credential hygiene are not just good practice — they are the primary controls that determine whether an organisation appears in an IAB's inventory in the first place.
Stage 2: Dwell Time and Reconnaissance
After access is established, attackers typically spend between 5 and 30 days (the average across major incident response firms' 2024 caseloads) conducting reconnaissance before deploying ransomware. During this period, they are mapping the network, identifying backup systems, locating high-value data for exfiltration, escalating privileges, and establishing persistence across multiple systems to ensure their access survives partial remediation attempts.
This dwell time is the defender's window of opportunity. Organisations with mature detection capabilities frequently identify and eject attackers during this phase, before encryption occurs. Those without it typically discover the intrusion when the ransom note appears.
Stage 3: Data Exfiltration
Double extortion — encrypting systems AND threatening to publish stolen data — is now standard practice rather than an innovation. Triple extortion, which adds threats to notify regulators or contact customers directly, is increasingly common in attacks against healthcare and financial services organisations. This means that even organisations with excellent backup and recovery capabilities face extortion pressure related to data exposure, not just operational disruption.
Stage 4: Encryption and Ransom Demand
When ransomware groups deploy encryption, they do so strategically. Backup systems and domain controllers are targeted first, to maximise leverage. Recovery becomes far more difficult when backup infrastructure is compromised simultaneously with production systems — which is precisely why attackers prioritise it.
Defensive Controls That Consistently Make a Difference
Incident response data consistently identifies the same set of controls that either prevent ransomware attacks from succeeding or significantly limit their impact. These are not novel recommendations — they are unglamorous fundamentals that many organisations have still not implemented fully.
Multi-Factor Authentication on all remote access
A disproportionate share of successful ransomware intrusions use compromised credentials to access VPNs, RDP, or cloud management consoles. MFA on these access points breaks the most common initial access path. Despite years of recommendations, a meaningful number of organisations still have remote access pathways without MFA enforced.
Offline and immutable backups
Backups that are accessible from the production network are accessible to attackers who compromise it. Offline backups (physically or logically air-gapped) and immutable backups (where previous versions cannot be modified or deleted) are the primary recovery mechanism when encryption occurs. The test of a backup system is not whether it runs — it is whether it can be used to restore critical systems within a recovery time that the business can tolerate.
Network segmentation
Flat networks — where any system can communicate with any other system — allow ransomware to propagate freely once an attacker has a foothold. Segmentation limits the blast radius. Organisations that had implemented meaningful segmentation consistently report that ransomware incidents were contained to a subset of their environment rather than spreading enterprise-wide.
Endpoint Detection and Response (EDR) with active monitoring
EDR tools that are deployed but not actively monitored provide limited protection. The attacker behaviour patterns that occur during dwell time — lateral movement, privilege escalation, large-scale data staging — generate alerts in well-tuned EDR platforms. Those alerts are only actionable if someone is reviewing them. Organisations without a security operations function or managed detection and response (MDR) service to monitor EDR output are leaving their most powerful detection capability dormant.
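The dwell-time behaviours described above (Stage 2) and in this section, lateral movement and bulk data staging, are the kind of pattern a monitored EDR or SIEM rule turns into an alert. As an added example that is not from the article or any vendor product, the Python below runs two such detections over constructed, synthetic endpoint events; the account names, host names, thresholds and windows are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, event, account, host, detail).
# detail = destination host for "remote_logon", bytes written for "file_write".
EVENTS = [
    ("2025-01-10T02:01:00", "remote_logon", "svc-backup", "WS-17", "FS-01"),
    ("2025-01-10T02:02:30", "remote_logon", "svc-backup", "WS-17", "FS-02"),
    ("2025-01-10T02:03:10", "remote_logon", "svc-backup", "WS-17", "DC-01"),
    ("2025-01-10T02:04:45", "remote_logon", "svc-backup", "WS-17", "BKP-01"),
    ("2025-01-10T09:15:00", "remote_logon", "jdoe", "WS-03", "FS-01"),
    ("2025-01-10T02:20:00", "file_write", "svc-backup", "FS-01", 3_500_000_000),
    ("2025-01-10T02:25:00", "file_write", "svc-backup", "FS-01", 2_800_000_000),
    ("2025-01-10T09:30:00", "file_write", "jdoe", "WS-03", 12_000_000),
]

def _ts(s):
    return datetime.fromisoformat(s)

def lateral_movement_fanout(events, min_hosts=4, window=timedelta(minutes=15)):
    """Flag accounts that open remote logons to >= min_hosts distinct hosts within window.
    Thresholds are assumed values; tune them to the environment's normal admin activity."""
    logons = defaultdict(list)
    for ts, ev, account, _src, dst in events:
        if ev == "remote_logon":
            logons[account].append((_ts(ts), dst))
    alerts = []
    for account, items in logons.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide the window from each logon
            hosts = {d for t, d in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, sorted(hosts)))
                break
    return alerts

def data_staging(events, min_bytes=5_000_000_000, window=timedelta(hours=1)):
    """Flag (account, host) pairs writing >= min_bytes within window: typical of
    archives being assembled before exfiltration. Threshold is an assumed value."""
    writes = defaultdict(list)
    for ts, ev, account, host, size in events:
        if ev == "file_write":
            writes[(account, host)].append((_ts(ts), size))
    alerts = []
    for (account, host), items in writes.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            total = sum(s for t, s in items[i:] if t - start <= window)
            if total >= min_bytes:
                alerts.append((account, host, total))
                break
    return alerts
```

Both functions return a list of alerts rather than printing, so the same logic can be wired into whatever queue the operations team actually reviews; an alert nobody reads is the dormant capability the paragraph above warns about.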
The Ransom Payment Question
Whether to pay a ransom demand is a decision that involves legal, ethical, operational, and financial dimensions that vary by organisation and jurisdiction. What the data shows clearly is that paying a ransom does not guarantee data recovery — a meaningful percentage of organisations that pay receive either no usable decryption tool or one that works only partially. It also does not guarantee that stolen data will not be published or sold.
The strongest position is one where payment is unnecessary because recovery from backups is feasible and stolen data risks are managed through data minimisation practices. That position requires investment before an incident, not during one.
What Security Teams Should Prioritise in 2025
Organisations that have not completed the fundamentals listed above should do so before pursuing more sophisticated security investments. No amount of threat intelligence tooling compensates for unpatched internet-facing systems, credentials without MFA, or backup systems that attackers can reach and destroy.
For organisations with a solid fundamentals baseline, the highest-value investments in 2025 are in detection capability — specifically, reducing the time between attacker access and defender awareness — and in tabletop exercises that test incident response plans against realistic ransomware scenarios before a real incident forces the test.
About this article: This analysis was written by The Tech Brief editorial team based on publicly available incident response reports, security vendor research, and industry statistics. It does not constitute professional security advice. Organisations facing active incidents should engage qualified incident response professionals.