Ransomware in 2025: How It Works, Who It Targets, and How to Survive It
Ransomware has evolved from opportunistic nuisance to a precision business model that is decimating Indian SMEs. This is everything you need to understand about how modern ransomware operates — and what it actually takes to survive an attack.
The Ransomware Economy in 2025
Ransomware is no longer a technical curiosity. It is an industry — complete with affiliate programmes, customer service portals, negotiation specialists, and annual revenue that exceeds the GDP of small nations. The 2025 ransomware ecosystem looks nothing like the crude, spray-and-pray attacks of the early 2010s. It is professional, targeted, and devastatingly effective against businesses that have not prepared for it.
In India, CERT-In reported a sharp increase in ransomware incidents affecting businesses across sectors in its annual cybersecurity reports. Sectors particularly affected include BFSI, healthcare, manufacturing, logistics, and IT services — exactly the industries that form the backbone of India's SME economy. The RBI, SEBI, and IRDA have all issued sector-specific advisories on ransomware preparedness. The regulatory signal is clear: this is not a risk that can be deferred.
Understanding how ransomware actually works — not at an abstract level, but mechanically, step by step — is the first and most important step in building a credible defence. What you do not understand, you cannot defend against.
The Modern Ransomware Attack Chain
A successful ransomware attack is not a single event. It is a multi-stage campaign that typically unfolds over days, weeks, or even months. Each stage has specific goals, and defenders have opportunities to interrupt the chain at multiple points — if they know what to look for.
Stage 1: Initial Access
The attacker needs to get a foothold in your environment. In 2025, the most common initial access vectors are:
- Phishing emails: A message that appears to come from a supplier, colleague, or government body, containing a malicious attachment or a link to a credential-harvesting page. Modern phishing emails are AI-generated, grammatically flawless, and contextually relevant — often referencing real projects, events, or relationships that give them credibility.
- Exploitation of internet-facing vulnerabilities: Unpatched VPN appliances, remote desktop protocol (RDP) exposed to the internet, outdated web application servers, and vulnerable cloud management portals are scanned and exploited continuously by automated tools. Many ransomware groups maintain large databases of organisations with known-vulnerable externally accessible systems.
- Compromised credentials: Passwords leaked from previous data breaches (of consumer services, other businesses, or the dark web) are tested against business systems using automated credential stuffing tools. Without multi-factor authentication, a single leaked password is enough for initial access.
- Supply chain compromise: Access via a compromised vendor, managed service provider, or software update — the attacker enters through a trusted third party rather than attacking the target directly.
- Malvertising and drive-by downloads: Visiting a compromised or malicious website triggers the download and execution of a dropper, which establishes the attacker's foothold.
Stage 2: Establishing Persistence
Once inside, the attacker's immediate priority is to ensure they can maintain access even if the initial entry point is discovered and closed. Persistence mechanisms include creating new administrative user accounts, installing remote access tools (RATs) that call back to attacker-controlled infrastructure, modifying scheduled tasks or startup services, and deploying implants in locations that are not covered by the organisation's security tools.
At this stage, most attackers are deliberately quiet. They are not yet trying to achieve their objective — they are just making sure they can stay in the environment.
Stage 3: Reconnaissance and Lateral Movement
This is the phase that separates sophisticated ransomware groups from opportunistic attackers. Having established persistence, the attacker spends time — often days or weeks — mapping the environment: identifying high-value data stores, discovering administrative credentials, finding backup systems and determining their architecture, and moving laterally to gain access to as many systems as possible before triggering the encryption payload.
Lateral movement typically exploits legitimate tools and protocols that are already present in the environment — Windows administrative tools (PsExec, WMI, PowerShell), legitimate remote administration software, and Active Directory misconfigurations. Because the attacker is using tools that are supposed to be there, this activity is extremely difficult to detect without purpose-built behavioural detection tools.
During this phase, the attacker is specifically looking for:
- Backup systems — and, critically, attempting to identify and disable or delete them before triggering encryption
- Domain controller access — which, once achieved, allows the attacker to push the ransomware payload to every system in the domain simultaneously
- Sensitive data — which will be exfiltrated before encryption as leverage for double extortion
- Security tools — which the attacker will attempt to disable or bypass before triggering the payload
Stage 4: Data Exfiltration
Modern ransomware groups do not simply encrypt your files and demand payment for the decryption key. Before triggering encryption, they copy your most sensitive data to their own infrastructure. This data — customer records, financial information, employee data, intellectual property, confidential communications — becomes leverage in what is known as double extortion.
The ransom demand now carries two threats: pay us to receive the decryption key so you can restore your systems, and pay us to ensure we do not publish or sell your exfiltrated data. Many groups operate dedicated data leak sites on the dark web, where they post samples of stolen data to demonstrate they mean business and publish the full dataset for non-paying victims.
Some groups have moved to triple extortion — adding a third pressure vector by contacting the victim's customers, partners, or regulators directly to inform them of the breach, thereby increasing reputational and regulatory pressure on the victim to pay.
Stage 5: Encryption and Ransom Demand
With reconnaissance complete, backups compromised, sensitive data exfiltrated, and security tools disabled, the attacker deploys the ransomware payload — often simultaneously across every system in the domain. Files are encrypted using strong cryptographic algorithms (typically AES-256 for file encryption, with RSA-2048 or similar protecting the file keys), so that the key material needed for decryption is held only on the attacker's infrastructure.
Within minutes, every file across every system is inaccessible. The ransom note appears on every screen. The attacker has your decryption key, your data, and leverage over your operations.
Ransom demands are not random. Sophisticated groups review financial documents obtained during the reconnaissance phase — audited accounts, invoices, budget documents — to calibrate the demand at a level the organisation can afford to pay but will find painful. For Indian SMEs, typical demands in recent campaigns have ranged from ₹20 lakh to several crore, depending on the size and apparent financial health of the target.
Ransomware as a Service (RaaS)
The professionalisation of ransomware has been enabled by the Ransomware-as-a-Service model. Just as legitimate software companies offer cloud-based platforms to their customers, RaaS groups provide complete ransomware capabilities — including the encryption payload, the command-and-control infrastructure, the negotiation portal, and even customer service for victims — to affiliates who carry out the actual attacks.
Affiliates pay the RaaS operator a percentage of each ransom collected (typically 20–30%). In return, they get access to enterprise-grade tools without needing to develop them. This model has democratised ransomware: technically unsophisticated attackers can now deploy the same ransomware variants used by nation-state groups, dramatically increasing the volume and reach of attacks.
Prominent RaaS groups that have been active in the Asia-Pacific region include LockBit, BlackCat/ALPHV, Cl0p, Play, and BlackBasta. These groups operate with the organisational structure of a software company — they have developers, negotiators, customer support staff, and public-facing communications teams.
Why Paying the Ransom Is Not a Recovery Strategy
The instinct under pressure is to pay the ransom and restore operations as quickly as possible. This is understandable but dangerous, for several reasons:
- Payment does not guarantee recovery: A significant proportion of organisations that pay never receive a working decryption key, receive a key that only partially decrypts their data, or find that the decryption process is so slow that restoration takes longer than rebuilding from scratch would have.
- Payment marks you as a willing payer: Ransomware groups track which organisations paid. An organisation that paid once is considered a soft target and is frequently re-attacked within months — sometimes by the same group, sometimes by affiliates who have purchased the victim list.
- Payment does not eliminate the data threat: Even after paying the ransom and receiving the decryption key, there is no guarantee that the exfiltrated data will be deleted. Groups have been documented selling data even after victims paid, or using it as leverage in subsequent extortion attempts.
- Payment may create legal complications: Depending on the sanctioned status of the ransomware group (some groups have been sanctioned by OFAC), paying ransom may violate financial regulations. Organisations should consult legal counsel before making any payment decision.
The Real Cost of a Ransomware Attack
The ransom demand is only one component of the total cost of a ransomware attack. Organisations that have worked through ransomware incidents consistently find that the total cost significantly exceeds the ransom amount itself:
- Downtime: Complete encryption of systems typically results in 3–21 days of operational downtime. For businesses that cannot operate without their systems, every day of downtime represents direct revenue loss. Even with a working decryption key, the process of decrypting and verifying every system is time-consuming.
- Incident response: Engaging a forensic incident response firm to contain the attack, determine the scope of compromise, oversee the recovery process, and produce the evidence required for regulatory reporting typically costs significantly more than the ransom demand for large incidents.
- Data breach notification: Under the DPDP Act, a ransomware attack that results in the exfiltration of personal data triggers mandatory notification obligations to the Data Protection Board and to affected individuals. Penalties for failure to notify can reach ₹200 crore.
- Reputational damage: For businesses whose customers entrust them with sensitive data — financial services, healthcare, legal, HR — a publicised ransomware attack causes lasting reputational damage. Customer churn and lost prospective business can dwarf the direct financial costs.
- System rebuilding: Even with a decryption key, many organisations find it faster and more secure to rebuild systems from scratch rather than trusting that the decrypted environment is clean. This requires significant IT resources and time.
What Effective Ransomware Defence Actually Looks Like
The good news is that the vast majority of successful ransomware attacks exploit well-known weaknesses with well-understood solutions. Implementing the following controls — prioritised in order of impact — will dramatically reduce both the likelihood of a successful attack and the severity of damage if one does occur.
1. Multi-Factor Authentication on Everything Externally Accessible
MFA on VPN, email (Microsoft 365 / Google Workspace), remote desktop, and cloud management consoles eliminates the credential stuffing and phishing attack vectors for gaining initial access. This is the single highest-impact, lowest-cost control available. There is no acceptable business justification for not having MFA on externally accessible systems in 2025.
2. Patch Management — Especially Internet-Facing Systems
Critical patches for internet-facing systems (VPN appliances, firewalls, web servers, email gateways) should be applied within 48–72 hours of release. Ransomware groups actively exploit newly disclosed vulnerabilities, often within hours of a proof-of-concept being published. A systematic patch management process — with a short SLA for critical vulnerabilities — removes a primary initial access vector.
3. Immutable, Offline, and Tested Backups
A backup strategy that can survive ransomware must include: at least one copy that is completely isolated from your primary network (offline or air-gapped); backups that cannot be modified or deleted by ransomware spreading through your environment (immutable backups in a separate cloud account with a different credential set); and — critically — regular restoration testing. A backup that has never been tested is a backup whose value is unknown. Most organisations discover their backup problems during an incident, when it is too late.
4. Network Segmentation
If ransomware gets into your environment, network segmentation limits how far it can spread. Separating operational technology from IT networks, isolating critical systems and backup infrastructure, and limiting lateral movement pathways between systems can contain a ransomware outbreak to a portion of the environment rather than allowing it to encrypt everything simultaneously.
5. Endpoint Detection and Response (EDR)
Traditional antivirus tools are ineffective against modern ransomware, which uses techniques specifically designed to evade signature-based detection. EDR tools monitor endpoint behaviour continuously — looking for patterns like mass file modification, shadow copy deletion, and credential dumping — and can detect and interrupt a ransomware attack before encryption completes. Deploying EDR across all endpoints (workstations, servers, laptops) is essential.
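To make the behavioural patterns above concrete, here is an added example (not code from the original article or from any EDR product) of toy detection logic run over a handful of constructed Sysmon-style events: it flags shadow-copy deletion commands, a process opening a handle to lsass.exe, and a burst of file writes from a single process. The event shape, hostnames, thresholds and window size are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample telemetry (not from the article): one JSON event per line,
# roughly the shape an EDR sensor or Sysmon forwarder would emit.
SAMPLE_EVENTS = r"""
{"ts": 100, "type": "process", "host": "fin-ws01", "pid": 4120, "cmdline": "vssadmin delete shadows /all /quiet"}
{"ts": 102, "type": "process_access", "host": "fin-ws01", "pid": 4120, "target": "C:\\Windows\\System32\\lsass.exe"}
{"ts": 103, "type": "file", "host": "fin-ws01", "pid": 5210, "path": "C:\\Shares\\acct\\ledger.xlsx.locked"}
{"ts": 103, "type": "file", "host": "fin-ws01", "pid": 5210, "path": "C:\\Shares\\acct\\q1.docx.locked"}
{"ts": 104, "type": "file", "host": "fin-ws01", "pid": 5210, "path": "C:\\Shares\\acct\\q2.docx.locked"}
{"ts": 104, "type": "file", "host": "fin-ws01", "pid": 5210, "path": "C:\\Shares\\hr\\payroll.csv.locked"}
{"ts": 105, "type": "file", "host": "fin-ws01", "pid": 5210, "path": "C:\\Shares\\hr\\staff.xlsx.locked"}
{"ts": 400, "type": "file", "host": "hr-ws07", "pid": 8001, "path": "C:\\Users\\a\\report.docx"}
{"ts": 900, "type": "process", "host": "hr-ws07", "pid": 8002, "cmdline": "notepad.exe notes.txt"}
"""

# Token sets that together indicate shadow copy deletion (assumed signatures).
SHADOW_DELETE = [("vssadmin", "delete", "shadows"), ("wmic", "shadowcopy", "delete")]
MASS_WRITE_THRESHOLD = 5   # distinct files touched by one process ...
MASS_WRITE_WINDOW = 10     # ... within this many seconds (assumed tuning)

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect(events):
    """Return a list of (host, pid, rule_name) alerts, in detection order."""
    alerts = []
    writes = defaultdict(list)  # (host, pid) -> [(ts, path)]
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            cmd = ev["cmdline"].lower()
            if any(all(tok in cmd for tok in sig) for sig in SHADOW_DELETE):
                alerts.append((*key, "shadow_copy_deletion"))
        elif ev["type"] == "process_access" and ev["target"].lower().endswith("lsass.exe"):
            alerts.append((*key, "credential_dumping_lsass_access"))
        elif ev["type"] == "file":
            writes[key].append((ev["ts"], ev["path"]))
    # Sliding window: many distinct files written by one process in a short span.
    for key, items in writes.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            recent = {p for t, p in items[i:] if t - t0 <= MASS_WRITE_WINDOW}
            if len(recent) >= MASS_WRITE_THRESHOLD:
                alerts.append((*key, "mass_file_modification"))
                break

    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In a real deployment these rules would be fed by a continuous event stream and tuned against the baseline of legitimate administrative activity on each host.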
6. Privileged Access Management
Most ransomware lateral movement relies on compromised administrative credentials. Implementing least-privilege access principles — so that no user or service account has more access than it needs for its specific function — reduces the value of any single credential compromise. Privileged access workstations, just-in-time access controls, and regular credential audits all contribute to limiting the blast radius of initial access.
7. An Incident Response Plan — Before You Need It
The decisions that determine survival during a ransomware attack are made in the first few hours: which systems to isolate, who to call, what to communicate to customers and regulators, whether to engage law enforcement, whether to engage a ransom negotiation specialist. Making these decisions for the first time under the pressure of an active incident — with systems down and ransom demands on every screen — leads to costly mistakes. Document your incident response plan now, test it in a tabletop exercise, and make sure everyone who needs to knows what their role is.
What to Do If You Are Attacked Right Now
If you believe you are experiencing an active ransomware attack, the priority sequence is:
- Isolate: Immediately disconnect affected systems from the network — unplug network cables, disable wireless, isolate VMs — to prevent the ransomware from spreading to additional systems and to protect any backups that have not yet been reached.
- Do not pay immediately: Ransomware groups expect panic and urgency. Take time to assess. Engage a professional incident response firm before making any payment decision.
- Preserve evidence: Do not wipe systems before capturing forensic images. Evidence is required for regulatory reporting, insurance claims, and law enforcement engagement.
- Notify: Engage your cyber insurance provider (if you have one), your legal counsel, and — if personal data was potentially exfiltrated — begin the clock on your DPDP Act notification obligations.
- Check your backups: Determine whether your offline or immutable backups are intact and whether they are recent enough to support recovery.
How InfraDefend Can Help
InfraDefend works with SMEs and startups to build ransomware-resilient environments — covering MFA deployment, backup architecture review, EDR deployment, network segmentation, and incident response planning. We also provide rapid-response incident support when an attack is in progress. If you want to understand how exposed your business is to a ransomware attack, reach out for a free security assessment. It is one conversation that can make an existential difference.