Whitepaper on the NIS2 Law

Ransomware: The Most Profitable Cyber Threat of 2025

The most important points at a glance
- Ransomware remains one of the most damaging and profitable cyberattack methods worldwide.
- Attacks involve intrusion, data theft, encryption and extortion.
- Key actors include cybercrime syndicates, ransomware-as-a-service providers and nation-state affiliates.
- SMEs are heavily affected due to limited resources, slow patching and vulnerable infrastructures.
- Attackers target healthcare, manufacturing, SaaS, finance and public institutions.
- NIS2 introduces strict cybersecurity and reporting requirements that directly impact ransomware preparedness.
- Companies need strong detection, segmentation, backups and incident response workflows to remain resilient.
Introduction
Ransomware has developed into a highly professional business model for cybercriminals. Attacks today are more targeted, more complex, and often perfectly orchestrated. Small and medium-sized enterprises in particular are increasingly becoming the focus of attention because they often lack technical and organizational protection mechanisms, and the ones they do have are frequently easy for modern attackers to circumvent. At the same time, the NIS2 directive tightens cybersecurity requirements and obliges companies to significantly increase prevention and transparency.
To help you assess the risks correctly, it is worth taking a closer look at who is behind ransomware, how these groups operate, and what protective measures will make your company truly resilient.
Understanding Ransomware
Ransomware is a form of malware that encrypts or steals data and demands payment for recovery or non-disclosure. Modern attacks often combine encryption, data exfiltration and long-term extortion.
Key characteristics:
- Double and triple extortion
- Targeted intrusions, often weeks of preparation
- Economic motivation
- Significant operational disruption
Main Attacker Groups
Ransomware-as-a-Service (RaaS) groups:
- Sell ransomware toolkits to affiliates
- Most active actors globally
- Examples: LockBit affiliates, BlackCat, Akira ecosystem
Cybercrime syndicates:
- Structured organizations
- Focus on large-scale extortion and high ransom payments
Nation-state-aligned groups:
- Use ransomware as cover for espionage
- Target critical infrastructures and public institutions
Independent hackers:
- Use leaked ransomware kits
- Target SMEs for quick profits
How Ransomware Attacks Unfold
| Phase | Description |
| --- | --- |
| Initial Access | Entry into the network, typically through exploited VPN vulnerabilities, phishing emails, or the purchase of stolen credentials (e.g., RDP access, bypassing MFA). |
| Lateral Movement & Discovery | Spread within the network, identification of critical systems (servers, backups, domain controllers), and escalation to administrative privileges. |
| Data Theft (Exfiltration) | A critical stage: sensitive and valuable data (customer lists, IP, financial documents) is extracted without detection and used as the first layer of extortion (double extortion). |
| Deployment & Execution | The ransomware malware is distributed across all identified systems and triggered, often outside business hours to delay detection and response. |
| Encryption | Systems are encrypted and rendered unusable. A ransom note appears with payment instructions. |
| Extortion & Pressure Tactics | Second layer of extortion: contact is initiated, ransom is demanded, and attackers threaten to publish or sell the stolen data, including to competitors. |
| Recovery / Payment | The victim either pays the ransom or attempts recovery using secure, uncompromised backups. |
Motives and Monetization Models
- High profitability
- Scalable business model
- Anonymity through cryptocurrency
- Political goals (in state-linked campaigns)
- Industrial espionage disguised as ransomware
Modern ransomware groups operate like startups: marketing, support desks, analytics and clear revenue models.
Who Is Targeted Most Often
- Healthcare
- Financial institutions
- SaaS and cloud providers
- Manufacturing and logistics
- Education and public sector
- Professional services firms
Attackers choose victims based on:
- High dependency on uptime
- Valuable personal or financial data
- Weak security maturity
- Slow update cycles
Impact on Small and Midsize Enterprises
SMEs face unique challenges:
- Fewer IT security resources
- Outdated infrastructure
- Inconsistent patching
- Lack of segmentation
- Limited monitoring capabilities
Consequences for SMEs include:
- Operational downtime
- Financial losses
- Reputational damage
- Regulatory penalties
- Long recovery periods
Note: For many small and medium-sized businesses, a single ransomware attack can be existentially threatening due to the high costs of forensics and recovery, as well as the disruption of business operations, even if no ransom is paid.
The Connection to NIS2
NIS2 introduces mandatory cybersecurity standards for a much wider set of organizations. Ransomware resilience becomes a compliance requirement.
Key NIS2 obligations relevant to ransomware:
- Risk management measures
- Incident reporting within 24 hours
- Mandatory backup and recovery plans
- Supply chain security
- Security awareness training
- Access control and multi-factor authentication
- System monitoring and logging
Companies falling under NIS2 must demonstrate structured processes to detect, contain and report ransomware incidents.
Protection Strategies for Companies
Technical Measures
- Mandatory MFA: Introduce multi-factor authentication (MFA) across all critical areas (VPN, email, admin access) as a fundamental access control mechanism (direct NIS2 requirement).
- Network Segmentation: Divide the network into smaller, isolated zones following the zero-trust principle to prevent attackers from moving laterally.
- Immutable Backups: Ensure backups are logically separated from the main network and cannot be altered, preventing attackers from encrypting them (crucial for NIS2 incident-response and recovery concepts).
- EDR/NDR: Use modern endpoint and network detection solutions (EDR/NDR) for proactive monitoring and rapid detection of initial access and data exfiltration.
Organisational Measures
- Incident Response Plans: Create clear incident response plans and test them regularly, defining who must take which actions during an attack (core NIS2 requirement).
- Awareness Training: Provide regular, interactive training sessions to educate employees about phishing, social engineering, and recognizing suspicious activity.
- Supply Chain Security: Assess the security risks of third-party providers and critical suppliers (e.g., SaaS vendors, managed service providers) (NIS2 requirement for supply chain oversight).
- Patch Management: Establish a consistent, documented process to quickly address known vulnerabilities (e.g., VPN appliances, mail servers).
Best practices
- Restrict administrative privileges
- Monitor high value assets
- Test restores regularly
- Deploy email threat protection
Legal and Ethical Implications
Ransomware isn’t only a cybersecurity challenge. It has a direct legal impact.
Relevant frameworks:
- GDPR: breach notification within 72 hours
- NIS2: strict reporting timelines and risk management duties
- Product liability: vendor accountability for insecure systems
- Employment law: responsibilities for handling attacks
Paying ransoms is legally and ethically problematic. It may violate sanctions rules and encourage further crime.
Conclusion
Ransomware is one of the greatest cyber risks of our time. With professional attacker groups, perfected extortion tactics such as double extortion, and the spread of ransomware-as-a-service, even a small vulnerability can have enormous consequences.
Small and medium-sized businesses are particularly at risk, while NIS2 sets clear and mandatory requirements for risk management, incident response, and the documentation of protective measures.
To effectively combat ransomware, you need strong security measures, immutable backups, trained employees, and a well-thought-out compliance setup that meets strict reporting and documentation requirements.
If you want to meet these requirements without complex tools and external consultants, we can help you with a solution that combines cybersecurity, data protection, and NIS2 compliance in a single, easy-to-use system, so your company is not only protected, but can also prove what it protects at any time.
FAQ
Should companies ever pay a ransom?
Security authorities advise against it. Payment offers no guarantee of recovery and may violate legal restrictions.
How long does recovery take?
Depending on the attack, from days to several months. SMEs with weak backups often face prolonged downtime.
Is ransomware becoming more targeted?
Yes. Attackers now conduct reconnaissance to identify victims with high willingness to pay.
Does NIS2 apply even if my company is small?
SME size does not automatically exclude you. Many sectors fall under NIS2 based on service type, not company size.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.