Who should read this: CISOs, Chief Security Officers, C-suite executives, risk managers, incident response teams, law enforcement liaisons, policy makers.
Ransomware has become the dominant cyber threat to European organisations. Between 2020 and 2024, ransomware attack frequency surged, ransom demands skyrocketed, and the business models supporting ransomware became increasingly sophisticated. No sector is immune: hospitals, banks, schools, manufacturers, local governments, and utilities have all been hit. Some attacks cause life-threatening disruption. Others cause financial catastrophe. The NIS2 Directive responds to this threat with an explicit policy focus on ransomware. Recital 54 acknowledges the urgency and calls on Member States and regulated entities to develop comprehensive ransomware strategies. This post explains the ransomware threat, why NIS2 treats it as a strategic priority, and what the Directive requires.
Ransomware is a category of malware that encrypts an organisation’s data and systems, making them inaccessible. The attacker then demands payment (a ransom) for decryption keys. The attacker might also threaten to publish the encrypted data on the internet if payment is not made, adding a second pressure lever. The combination of operational disruption (the victim’s systems do not work) and data breach risk (the victim’s secrets will be exposed) creates enormous pressure to pay.
The economics of ransomware are straightforward: attackers choose targets where the ransom demand exceeds the cost of attack. A manufacturer can lose €10,000 per hour of downtime, so a €100,000 ransom demand might seem cheap. A hospital dealing with patient lives at risk will pay higher ransoms. A local government with limited budgets is forced to choose between paying and remaining offline for weeks. The ransom amounts are often calibrated; attackers assess the victim’s likely ability to pay and pitch accordingly.
Recital 54 identifies the structural factors enabling ransomware’s growth: “The increasing frequency and severity of ransomware attacks can be driven by several factors, such as different attack patterns, criminal business models around ‘ransomware as a service’ and cryptocurrencies, ransom demands, and the rise of supply chain attacks.”
This is worth unpacking. Different attack patterns mean that ransomware is not static. Attackers evolve their techniques to evade defences. Some use spear-phishing to compromise administrators. Some exploit vulnerabilities in exposed internet-facing systems. Some compromise suppliers and use them as entry points. The diversity of attack patterns makes defence difficult. No single control stops all ransomware.
Ransomware as a Service is a particularly troubling development. Professional cybercriminal groups develop ransomware and rent it to other criminals. The professional group handles backend operations, such as managing the decryption service, negotiating ransom payments, and handling the cryptocurrency side. Renters handle frontend operations: compromise, encryption, and negotiation. This reduces barriers to entry. A criminal with no technical skills can rent ransomware and target organisations. The profit is shared. This model has industrialised ransomware.
Cryptocurrencies enable ransom payment without traditional banking controls. A victim can transfer cryptocurrency to a criminal’s wallet in minutes, with limited transaction oversight. Cryptocurrencies make payment hard to track and even harder to reverse. Law enforcement cannot easily intercept transfers.
Supply chain attacks add another dimension. Instead of targeting a business directly, attackers compromise a supplier and infect victims through trusted software updates or products. Supply chain ransomware attacks have hit hospitals, manufacturers, and government agencies globally.
The Scope and Impact of Ransomware
Ransomware affects all sectors and all organisation sizes. However, impact varies dramatically by sector:
- Healthcare: Hospitals facing ransomware face a choice between paying ransom or cancelling patient care. During the 2020 Universal Health Services ransomware attack, hospitals could not access patient records and postponed surgeries. Dozens of hospitals across the United States remained disrupted for weeks. Several patients died as a result of care delays. Regulatory agencies raised concerns that ransom payment was being made, indirectly financing further attacks on healthcare systems.
- Critical infrastructure: Power grids, water utilities, and transportation systems have been targeted. A successful ransomware attack on a power grid could leave millions without electricity. An attack on a water utility could shut down water treatment. These are not theoretical risks; attacks have occurred.
- Financial services: Banks and insurance companies have been hit. If a bank’s systems are encrypted, it cannot process transactions, approve loans, or verify customer identify. A ransomware incident can quickly become a systemic financial crisis.
- Manufacturers: Manufacturing relies on supply chain coordination. If a manufacturer’s systems are encrypted, production stops. Suppliers do not know what to ship. Customers do not know when products will arrive. Ransom demands to manufacturers often run into millions of pounds.
- Local government: Smaller governments often have limited IT budgets and limited cybersecurity expertise. Ransomware hits are not uncommon. A municipality losing access to property tax records, building permits, or emergency services faces existential pressure to pay.
- Education: Universities have been targeted. Student records, research data, and intellectual property are encrypted. Ransom demands can be tens of millions of pounds.
- Small and medium-sized enterprises: SMEs are hit at higher frequency because they often have weaker defences. The ransom amounts are lower, but still significant relative to their revenue.
Why Member States Must Act
Ransomware is not merely a private sector problem. It is a national security issue. Here is why:
- Destabilisation through disruption: Widespread ransomware attacks across hospitals, power grids, and government services can destabilise a nation. A coordinated ransomware campaign hitting multiple hospitals simultaneously would create healthcare crisis. Hitting power grids could leave citizens without electricity and heat. This is a form of hybrid warfare.
- Financing of organised crime and foreign actors: Ransom payments finance organised crime groups, many of which are based in countries hostile to Europe. Some ransom payments finance state-sponsored actors. Paying ransom is economically equivalent to funding adversaries.
- Data breaches: Ransomware attackers often exfiltrate data before encrypting systems. The data is then sold or published. Victims of attacks against critical infrastructure lose sensitive information. This compounds the direct harm of the ransomware.
- Supply chain concentration: Ransomware attackers deliberately target suppliers to critical infrastructure. A successful attack on a software vendor affects all customers. This creates cascading risk across sectors.
The Directive’s response, codified in Recital 54, is to require Member States to develop a policy addressing ransomware as part of their national cybersecurity strategy. This policy should cover detection, prevention, response, and critically, discouraging ransom payment. The emphasis on discouraging payment reflects the understanding that ransom payment, while rational from an individual victim’s perspective, is collectively irrational: it incentivises further attacks.
Detection and Prevention
Ransomware often enters organisations through phishing, exploited vulnerabilities, or weak credentials. Prevention relies on:
- Email security: Filtering malicious emails and training users to identify phishing. Many ransomware campaigns begin with phishing emails containing malicious attachments.
- Patch management: Applying security updates promptly so that exploitable vulnerabilities are closed. Some of the largest ransomware campaigns have exploited unpatched vulnerabilities that had patches available for months.
- Access control: Limiting who can access critical systems and requiring multi-factor authentication for remote access. Ransomware spreads through compromised credentials; strong access control slows the spread.
- Network segmentation: Dividing the network so that a compromise in one area does not automatically spread to all areas. If a user’s laptop is infected with ransomware, segmentation means the infection does not immediately spread to file servers and databases.
- Monitoring and detection: Monitoring systems for signs of unusual activity. Ransomware often behaves distinctively, with unusual file operations, rapid encryption activity, and unexpected network connections. Detection can catch ransomware before it completes encryption.
- Backups: Regular, automated backups stored offline (not connected to the main network). If ransomware encrypts production systems, the victim can restore from backups without paying ransom.
- Incident response: Having a plan for rapid response to ransomware, including notifying relevant parties, isolating systems to prevent spread, and working with law enforcement.
Response to Ransomware Incidents
When ransomware strikes, organisations must respond rapidly:
- Isolate infected systems: Disconnect systems from the network to prevent spread.
- Determine the scope: Identify which systems are infected and which data is encrypted.
- Notify authorities: Report the incident to law enforcement and relevant authorities.
- Consult with experts: Engage incident response professionals, cybersecurity specialists, and legal advisors.
- Assess backup options: Determine if clean backups exist and can be used for restoration.
- Negotiate or pay: Some victims negotiate ransom amounts down significantly. Others decide to restore from backups. Some organisations have cybersecurity insurance that covers ransom payments, which affects the decision.
- Communicate transparently: Inform employees, customers, and stakeholders of the situation and steps being taken.
- Investigate and remediate: Once the immediate crisis is addressed, determine how the attack occurred and fix the underlying vulnerability.
The Ransom Payment Dilemma
The Directive does not explicitly prohibit organisations from paying ransom. However, Recital 54 calls for policies that discourage payment. The rationale is compelling: each ransom payment that an attacker receives increases the incentive for further attacks. If every victim pays, ransomware remains profitable. If no one pays, the business model collapses. Therefore, collective refusal to pay is in everyone’s interest.
However, from an individual victim’s perspective, refusal to pay may be irrational. A hospital that cannot restore patient records within hours faces enormous pressure to pay. A manufacturer with €100,000 per hour losses might rationally pay a €500,000 ransom rather than spend weeks restoring from backups.
Member States should address this dilemma through:
- Awareness campaigns: Educating victims that ransom payment finances further attacks and that the attacker’s promise to delete exfiltrated data is often broken.
- Financial controls: Working with banks and cryptocurrency exchanges to make it harder to pay ransom. Some countries have moved to regulate cryptocurrency exchanges more strictly to prevent ransom payments.
- Insurance incentives: Encouraging cybersecurity insurance policies that reward organisations for refusing to pay ransom or negotiating lower amounts.
- Support for victims: Providing government assistance to organisations that refuse to pay, such as emergency funding, incident response support, or expedited recovery assistance.
- Law enforcement: Prioritising investigation and prosecution of ransomware attackers. This is challenging because many attackers operate from countries that do not extradite, but when attackers are caught, serious prosecution is a deterrent.
- International cooperation: Coordinating with other countries to isolate high-profile ransomware groups, freeze their assets, and disrupt their operations.
Supply Chain Ransomware Attacks
Supply chain ransomware attacks target a supplier to reach multiple downstream victims. For example, an attacker compromises a software vendor, injects ransomware into a routine update, and the update infects all customers of the vendor. This approach is efficient for the attacker: instead of compromising each customer directly, the attacker compromises one vendor and reaches thousands of customers.
Defending against supply chain ransomware attacks requires:
- Vendor assessment: Evaluating the cybersecurity practices of suppliers, with particular attention to how they develop and distribute updates.
- Staged rollout: Not deploying updates to all systems immediately. Instead, rolling out updates to a test group first, waiting for any issues, then deploying more broadly.
- Integrity verification: Checking that software updates have not been tampered with using cryptographic signatures. This requires that vendors sign their releases and that customers verify signatures before installation.
- Monitoring: Monitoring for unexpected changes after updates are deployed.
- Segmentation: Segmenting networks so that a compromised update in one area does not automatically spread everywhere.
A Shift in Mindset
The Directive’s emphasis on ransomware reflects a shift from viewing cybersecurity as an IT problem to viewing it as a strategic, national security issue. Ransomware is not a technical flaw that better firewalls will fix. It is a persistent threat with economic drivers that will exist as long as victims are willing to pay ransom.
The shift in mindset requires:
- Executive engagement: Cybersecurity is not a technicality; it is a business-critical and national security issue that demands executive and government attention.
- Collective action: Individual organisations protecting themselves is necessary but insufficient. Collective policies that discourage ransom payment are needed.
- Long-term investment: Building resilience, detecting attacks early, and maintaining clean backups requires ongoing investment, not just crisis response.
- Information sharing: Law enforcement, government agencies, private sector organisations, and international partners must share threat intelligence so that attacks can be detected and attributed.
Key Takeaways
- Recital 54 of NIS2 explicitly identifies ransomware as a strategic threat driven by attack pattern evolution, ransomware-as-a-service business models, cryptocurrency payment infrastructure, and supply chain attacks.
- Ransomware affects all sectors, but healthcare, critical infrastructure, and finance are particularly at risk of severe consequences.
- Detection and prevention rely on email security, patch management, access control, network segmentation, monitoring, backups and incident response planning.
- Member States should develop ransomware policies covering detection, prevention, response, and importantly, discouraging ransom payment, which collectively finances further attacks.
- Supply chain ransomware attacks are particularly dangerous because they affect multiple victims through a single compromised supplier; defence requires vendor assessment, staged rollout, integrity verification, and monitoring.
- The Directive’s approach reflects a shift from treating cybersecurity as an IT matter to treating it as a strategic, national security issue requiring collective action and long-term investment.