Ransomware is no longer just a technical problem. It’s a business crisis and, in some cases, a personal threat.

For a brief moment in early 2025, it looked like the tide might finally be turning. Blockchain data showed a sharp drop in ransom payments, marking the first real decline since 2022. For security leaders exhausted by years of escalating attacks, it felt like progress, but the optimism didn’t last: ransomware groups adjusted quickly.

Recent research shows that a significant share of ransomware campaigns now include threats of physical harm against staff. At the same time, most organisations that suffer a successful breach still end up paying. When attackers are unable to extract payment through traditional ransomware tactics, they increase pressure instead of backing off. This often includes escalating threats, expanding impact, or targeting individuals to force faster decisions. For CISOs, reacting with fear or hesitation only increases risk. The practical response is to build resilience that limits attacker leverage.

Ransomware Payments Are Down But The Pressure Is Up

On paper, ransomware revenue appears to be shrinking. Estimates suggest attackers collected about $814 million in 2024, down sharply from the $1.3 billion peak the year before. As fewer organisations are willing or able to pay, attackers are focusing their energy on those with weak defences or slow recovery capabilities. Once a company proves it can be coerced, it becomes a repeat target.

Across major economies including the US, the UK and Europe, more than half of organisations reported a successful ransomware breach in 2024. Of those, roughly 7 in 10 paid a ransom. Worse still, more than half of the paying organisations did so more than once. From an attacker’s perspective, this is efficient business.

The Business Impact of Ransomware Is Brutal & Long-Lasting

Ransom payments are only part of the damage. Among organisations that paid, many reported annual losses in the hundreds of thousands of dollars. For a meaningful minority, the impact exceeded seven figures. These figures don’t include secondary effects like increased cyber insurance premiums, regulatory exposure, reputational harm, layoffs, or long-term budget cuts.

And there’s another uncomfortable truth: paying doesn’t guarantee recovery. In a notable number of cases, victims never received working decryption keys. They paid and still suffered.

This is why prevention alone is no longer enough. CISOs must assume compromise is possible and design their environments to survive it. To do this, they must:

Anticipate and Adapt to Evolving Attacks

Ransomware groups are no longer just encrypting data. They are escalating: threatening permanent data destruction and regulatory exposure, or targeting executives directly to force faster decisions under stress. For CISOs, this means a defensive playbook focused solely on preventing encryption no longer suffices.

At the technical level, identity systems are now the primary battleground. Most successful attacks start with compromised credentials or the abuse of directory services, cloud identity providers, or remote access platforms. Once inside, attackers move laterally, escalate privileges, and establish persistence with alarming speed.

For CISOs, understanding these evolving tactics is critical. Security strategies must anticipate how attackers adapt under pressure, prioritise protection of identity and access systems, and implement controls that reduce both the likelihood and impact of a breach. This shift requires moving from reactive defence to a proactive, adaptive approach, updating monitoring, detection, and response processes continuously to match the evolving threat.

Assume Breach and Engineer the Organisation to Survive Ransomware

As artificial intelligence lowers the cost of cybercrime and affiliate ransomware models continue to expand, ransomware groups are unlikely to disappear even if law enforcement improves its disruption efforts. Lower costs and easier tooling mean more attackers, not fewer. For CISOs, this reality makes it clear that preventing every breach is no longer a realistic objective.

The practical response is engineering resilience across people, process, and technology. This approach reflects a shift in the CISO playbook, from trying to stop every attack to ensuring the organisation can continue operating when attacks succeed.

That resilience starts with fundamentals. Strong user education, timely patching, and enforced multi-factor authentication dramatically reduce initial access opportunities. These controls might be unglamorous, but they directly limit how quickly attackers can gain a foothold and escalate pressure during an incident.

From there, organisations must plan explicitly for failure. This includes maintaining reliable and recoverable backups, deploying automated detection and response capabilities, and ensuring recovery processes are tested regularly and not just documented. The faster an organisation can detect suspicious activity, contain the intrusion, and restore operations, the less leverage attackers have to escalate threats, coerce decision-makers, or force ransom payments.
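The gap between having backups and being able to recover from them is where many organisations learn the difference the hard way. The following is an added example, not code from the original article, of a minimal restore drill: it builds a small constructed dataset, backs it up with a hash manifest stored separately from the archive, restores into a scratch directory and verifies every file, then repeats the drill against an archive that was corrupted after the backup ran to show it failing loudly rather than silently. The file names, manifest layout and corruption step are all assumptions made for the illustration.

```python
"""Restore drill: prove a backup is recoverable, not just present.

Added example, not code from the original article. Everything here
(file names, manifest layout, the corruption step) is constructed for
the illustration.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Tar the source tree and write the manifest *beside* the archive.

    Keeping the manifest outside the archive means an attacker who corrupts
    or re-encrypts the archive cannot also rewrite the evidence used to check it.
    """
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_and_verify(archive: Path) -> dict:
    """Restore into a scratch directory and compare against the manifest.

    Returns a report whose `ok` is True only if every file restores byte-exact
    with nothing missing or extra. Any exception during extraction (bad gzip
    stream, truncated tar, unreadable member) is a failed drill, not noise.
    """
    expected = json.loads(archive.with_suffix(".manifest.json").read_text())
    report = {"ok": False, "missing": [], "corrupt": [], "unexpected": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Use the safe extraction filter where this Python provides it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(target, **kwargs)
        except Exception as exc:  # any failure to extract means the backup is unusable
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        actual = build_manifest(target)
    report["missing"] = sorted(set(expected) - set(actual))
    report["unexpected"] = sorted(set(actual) - set(expected))
    report["corrupt"] = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    report["ok"] = not (report["missing"] or report["unexpected"] or report["corrupt"])
    return report


def run_drill(corrupt_backup: bool = False) -> dict:
    """End-to-end drill on constructed data.

    corrupt_backup=True overwrites the second half of the archive with random
    bytes after the backup completed, simulating tampering with backup storage.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = work / "data"
        (source / "finance").mkdir(parents=True)
        # Constructed sample content; real drills use a representative restore set.
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "ad_export.ldif").write_text("dn: CN=svc-backup,OU=Service,DC=example,DC=test\n")
        archive = work / "nightly.tar.gz"
        create_backup(source, archive)
        if corrupt_backup:
            data = bytearray(archive.read_bytes())
            half = len(data) // 2
            data[half:] = os.urandom(len(data) - half)
            archive.write_bytes(bytes(data))
        return restore_and_verify(archive)


if __name__ == "__main__":
    print("clean backup   :", run_drill())
    print("tampered backup:", run_drill(corrupt_backup=True))
```

The point of the drill is that `ok` is only ever True after a real restore has been compared to evidence captured at backup time; a backup job reporting success, or an archive simply existing, never counts. Run something of this shape on a schedule against production backups, and treat any non-`ok` result as an incident in its own right.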

For CISOs, in an environment where ransomware tactics increasingly involve intimidation and escalation, survival becomes the priority, and that is only possible by designing systems to withstand compromise and recover quickly.

Improve Recovery to Minimise Ransomware Impact

Poor recovery capability is one of the strongest predictors of repeat ransomware attacks. When attackers know an organisation will take weeks to restore identity systems, reestablish trust, and resume operations, they have time and leverage to escalate pressure through data destruction threats, regulatory exposure, or direct intimidation of leadership.

For CISOs, recovery is not a post-incident concern; it is a core ransomware defence control. Effective recovery reduces the attacker’s ability to coerce decisions under stress. This requires more than backups alone. Organisations must have well-defined incident response and recovery plans that are tailored to their actual environments, regularly rehearsed, and clearly understood by the required people before an incident occurs.

It is also important to ensure that recovery expectations extend beyond internal teams. Suppliers, identity providers, cloud platforms, and managed service partners can directly affect recovery timelines. If critical dependencies cannot recover quickly, the organisation inherits their risk. 

Learn from Ransomware Groups

Ransomware groups have survived takedowns, sanctions, and infrastructure losses because they design for disruption. They avoid single points of failure, rebuild quickly, and adapt tactics when pressured. This operational resilience is one reason ransomware remains profitable. CISOs do not need to adopt criminal methods, but they do need to adopt the same resilience mindset. That means designing security programs that assume disruption and prioritise continuity of operations under attack.

When organisations can absorb a ransomware incident, restore critical systems quickly, and continue operating, attackers lose leverage. Ransomware becomes harder to monetise, and repeat targeting becomes less attractive.
