
Ransomware: Inside the Criminal Enterprise

NOTE: In this series of posts, we revisit recent presentations delivered at MU.SCL and provide additional context around the slide decks shared here. While a written post cannot fully reproduce the depth, examples, and discussion of a live session, it should help readers better understand the topic, the key messages, and the practical points behind the slides.

Ransomware is no longer just malware. It is now a criminal business model, supported by developers, affiliates, brokers, negotiators, laundering services, help desks, data leak sites and a clear operating process. That was the main message behind our recent MU.SCL presentation, "Ransomware 2026: Inside the Criminal Enterprise", which looked at how the ransomware economy works, why victims still pay, and what organisations can do to reduce both the risk and the impact of an attack.

The first point to understand is scale. Chainalysis estimates that ransomware payments fell by around 8% in 2025 to approximately $820 million, even while claimed attacks increased significantly. This is an important nuance: lower visible payment revenue does not mean the ransomware problem is disappearing. It may reflect fewer victims paying, better recovery capabilities, law enforcement disruption, or a shift in criminal targeting, but the operational pressure on organisations remains high.
Other industry reporting supports the same conclusion. Hornetsecurity reported that 24% of organisations were hit by ransomware in 2025, up from 18.6% in 2024. Sophos also continues to show ransomware as a major operational and financial risk, with exploited vulnerabilities, compromised credentials and email-based attacks remaining core entry points.

The practical lesson is that ransomware should not be treated as a rare technical event. It is a business continuity, legal, financial, regulatory and reputational risk. One reason for this is the continued evolution of the ransomware-as-a-service model. Ransomware should be seen as a supply chain service rather than a single attacker sitting behind a keyboard:
  • Developers build and maintain the ransomware platform, payment portals and leak sites.
  • Affiliates conduct intrusions and deploy the payload.
  • Initial access brokers sell already-compromised access into networks.
  • Around them sits an ecosystem of negotiators, laundering services, infrastructure providers and criminal support functions.

This matters because it lowers the barrier to entry. An attacker does not need to invent a ransomware strain, build a payment system or identify victims from scratch. They can buy access, rent capability, use existing tooling and follow repeatable playbooks. This is why defensive maturity matters so much: the organisation is not facing a single piece of malware; it is facing an operating model.

The most common root causes remain familiar. Sophos' 2025 ransomware research identifies exploited vulnerabilities as the leading technical root cause, with compromised credentials and email-based attacks also featuring prominently. Email remains significant, with malicious email and phishing combined representing a substantial share of initial access routes.

This aligns with what defenders see in practice: attackers exploit public-facing systems before patches are applied; they use valid VPN, RDP, cloud or Microsoft 365 credentials obtained through phishing, credential theft or brokered access; and they use legitimate administration tools such as PowerShell, PsExec, RDP and remote management utilities to move laterally.
By the time the ransom note appears, the intrusion is often no longer new. Systems have been mapped, privileged accounts targeted, backups located and sensitive data staged; only then does encryption begin.

The regional point is also important. Africa and the Indian Ocean region should not assume that ransomware is mainly a European or North American problem. The economics have shifted: rapid digitisation, cloud adoption, mobile money, digital banking, cross-border financial services and mixed security maturity all create attractive conditions for attackers. Mauritius, in particular, has characteristics that make it interesting from an extortion perspective: financial services, offshore structures, fintech activity, healthcare data, listed entities, confidential professional services data and a high dependency on trust.

    The issue is not whether ransomware can reach Mauritius, or other somewhat remote places in the world. It already can. The question is whether local organisations are ready to detect it, contain it, recover from it and manage the legal and communication consequences without improvising under pressure.

Modern ransomware is also no longer limited to encryption. Triple extortion is now common:
  • Encrypt the data.
  • Threaten to leak stolen information.
  • Then pressure customers, regulators, suppliers or the media.

Payment may help with decryption, but it does not "erase" data theft; it does not guarantee confidentiality; it does not remove legal notification obligations; and it certainly does not guarantee that the attacker will delete stolen data.

    This is where many organisations misunderstand the ransom decision. The question is not simply "can we pay to get our files back?" The real question is broader: can we recover safely, can we trust the decryption process, what data was stolen, who must be notified, are sanctions risks involved, what are the regulatory consequences, and what precedent does payment create?
    Veeam's recent work with Coveware highlights that even when a decryption key is available, recovery can still take time; the presentation referenced an average recovery time of eight days with a key in Coveware cases.

    The answer is not to build a perfect defence. That is unrealistic. The answer is to make the attack harder, detect the intrusion earlier, limit the blast radius and recover with discipline.

The basic controls remain the most important:
  • Patch critical internet-facing systems quickly, especially when a vulnerability is actively exploited.
  • Enforce MFA on all remote access, cloud administration, VPN, RDP and privileged accounts.
  • Segment networks so that one compromised endpoint does not provide a route to every business system.
  • Protect backups using immutable or offline storage, and test restoration regularly.

The "tested" part matters: a backup strategy that has not been restored under realistic conditions is an assumption, not a control.

    Detection must focus on the pre-ransomware phase. Defenders should watch for unexpected use of administrative tools, credential dumping utilities, abnormal privileged access, bulk file enumeration, unusual outbound data transfers and off-hours activity inconsistent with normal behaviour. This requires more than buying an EDR agent. It requires coverage, tuning, monitoring, escalation and a response process that works outside office hours.
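To make the pre-ransomware signals above concrete, here is a small added example (not from the presentation or the cited vendors) that scores constructed endpoint events against four of them: off-hours use of the administration tools the post names, a credential dumping tool, bulk file enumeration and an unusually large outbound transfer. The watch-list entries, business hours and thresholds are assumptions a real deployment would tune to its own baseline.

```python
"""Toy pre-ransomware detector over constructed telemetry (not real incident data).
Thresholds, business hours and the credential-dump watch-list are assumptions."""
from collections import Counter
from datetime import datetime

ADMIN_TOOLS = {"powershell.exe", "psexec.exe"}   # tools named in the post
CRED_DUMP_TOOLS = {"mimikatz.exe"}                # assumed watch-list entry
BUSINESS_HOURS = (7, 19)                          # assumed 07:00-19:00 local time
FILE_ENUM_THRESHOLD = 500                         # assumed files read per host/user
EGRESS_THRESHOLD_BYTES = 1 * 1024**3              # assumed 1 GiB in a single flow

def off_hours(ts: str) -> bool:
    hour = datetime.fromisoformat(ts).hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])

def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, subject) findings; the subject is 'host/user' so that the
    several rules one intrusion chain trips can be grouped by an analyst."""
    findings, file_counts = [], Counter()
    for e in events:
        subject = f"{e['host']}/{e['user']}"
        if e["type"] == "process":
            name = e["image"].lower()
            if name in CRED_DUMP_TOOLS:
                findings.append(("credential_dump_tool", subject))
            elif name in ADMIN_TOOLS and off_hours(e["ts"]):
                findings.append(("off_hours_admin_tool", subject))
        elif e["type"] == "file_read":
            file_counts[subject] += e["count"]   # aggregated, fires after the loop
        elif e["type"] == "net_out" and e["bytes"] > EGRESS_THRESHOLD_BYTES:
            findings.append(("unusual_egress", subject))
    for subject, n in file_counts.items():
        if n > FILE_ENUM_THRESHOLD:
            findings.append(("bulk_file_enumeration", subject))
    return findings

# Constructed sample events: a benign daytime admin on ws01, a 02:40 chain on fs01.
SAMPLE = [
    {"type": "process", "ts": "2026-03-02T10:15:00", "host": "ws01", "user": "alice", "image": "powershell.exe"},
    {"type": "process", "ts": "2026-03-02T02:40:00", "host": "fs01", "user": "svc_backup", "image": "PsExec.exe"},
    {"type": "process", "ts": "2026-03-02T02:43:00", "host": "fs01", "user": "svc_backup", "image": "mimikatz.exe"},
    {"type": "file_read", "ts": "2026-03-02T02:50:00", "host": "fs01", "user": "svc_backup", "count": 1200},
    {"type": "net_out", "ts": "2026-03-02T03:10:00", "host": "fs01", "user": "svc_backup", "bytes": 3 * 1024**3},
    {"type": "net_out", "ts": "2026-03-02T11:00:00", "host": "ws01", "user": "alice", "bytes": 40_000_000},
]

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE):
        print(f"{rule:24} {subject}")
```

The point of the aggregation is that no single event on fs01 is conclusive; the value comes from several weak signals converging on one host/user pair outside normal hours, which is exactly the window in which an intrusion can still be contained.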

    Preparedness is the other major differentiator. The first 72 hours of a ransomware incident define the outcome. Without a playbook, organisations lose time deciding who is in charge, who can speak externally, whether to notify insurers, how to engage legal counsel, who contacts regulators, whether to negotiate, and how to validate backups. With a rehearsed playbook, the situation is still serious, but it becomes a managed crisis rather than a panic-driven response.

    There are several readiness measures we recommend: A written and tested ransomware playbook, legal counsel identified in advance, an incident response retainer, a negotiation strategy, crisis communication templates, and a board-approved payment decision framework. These decisions should not be made for the first time at 2am while systems are encrypted and staff are asking when operations will resume.

For senior leaders, the most useful takeaway is simple: ransomware resilience is not built during the incident. It is built before the incident, through boring but disciplined preparation.
The immediate checklist is practical:
  • Today, verify MFA on all remote access and privileged systems.
  • This week, test a real backup restore and confirm that backups are not reachable from the normal production network.
  • This month, review or draft the ransomware playbook, define escalation routes, identify external response partners and schedule a tabletop exercise with executives and the board.

Ransomware in 2026 is a criminal enterprise: it is professionalised, adaptive and increasingly automated. Organisations do not need to be perfect to reduce their risk, but they do need to be honest about their exposure. The organisations that fare best are not necessarily the ones with the biggest security budgets (although that helps!). They are often the ones that have done the fundamentals properly, tested recovery, clarified decision-making, and prepared the business for a crisis before the attacker arrives.

    Sources:
  • Chainalysis, Crypto Ransomware: 2026 Crypto Crime Report
  • Sophos, The State of Ransomware 2025
  • Hornetsecurity, 2025 ransomware reporting
  • Veeam / Coveware, Inside the Economics of Cyber Extortion