Your Backups Are Actually Working — But Ransomware Gangs Just Changed the Rules

TL;DR

  • New Coalition data covering 100,000+ policyholders shows ransomware severity dropped 19% — your backup investments are paying off.
  • In response, 70% of ransomware attacks now combine encryption and data theft — paying or not paying no longer protects you from exposure.
  • Average ransom demands surged 47% to over $1 million in 2025, though 86% of victims declined to pay.
  • Business Email Compromise is the #1 cyber insurance claim at 31% of all incidents, costing an average $27,000 per event.
  • The fix isn't spending more — it's implementing the 3-Layer Recovery Stack that separates "we paid the ransom" from "we stayed operational."

Good news first: the defensive investments businesses have made in backup technology are working. According to Coalition's 2025 cyber insurance claims report — covering more than 100,000 policyholders across the US, Canada, the UK, Australia, and Germany — ransomware severity dropped 19% year over year, with average losses settling at $262,000 per incident [1]. That's a meaningful improvement, and it's directly attributable to better backup practices.

Now the harder news: ransomware operators noticed.

Why Ransomware Gangs Changed Tactics (and What It Means for Your Business)

When attackers discovered that businesses were recovering from encryption without paying, they adapted. Today, 70% of ransomware claims involve dual extortion — attackers encrypt your systems and simultaneously steal your data, then threaten to publish it unless you pay [1]. Average losses for dual extortion incidents are $299,000, compared to $138,000 for encryption-only attacks.

This shift matters enormously for small and medium businesses. Under the old model, a solid backup meant you could restore operations without negotiating with criminals. Under dual extortion, restoration is still possible — but your customer data, financial records, and business intelligence may still end up on the dark web regardless of what you do.

According to the CyberProof 2026 Global Threat Intelligence Report, ransomware attacks targeting retailers increased 58% in Q2 2025 alone, while manufacturing sector attacks rose 61% compared to 2024 [2]. These aren't abstract enterprise statistics — retail and manufacturing are disproportionately represented in the SMB sector.

The three dominant ransomware variants in 2025 were Akira (25% of incidents, average demand $926,000), Qilin (12% of incidents, average demand $1,167,000), and RansomHub (7% of incidents, average demand $2,331,000) [1]. Smaller businesses weren't exempt — opportunistic attacks on organisations with fewer resources still generated demands in the $9,000 range, which is enough to seriously harm a business operating on tight margins.

The $1 Million Demand Your Business Won't Pay — But Must Survive

Average initial ransom demands crossed the $1 million threshold in 2025, rising 47% year over year with some demands reaching $16 million [1]. Most businesses don't pay — 86% of victims declined.

For those who did pay, professional ransomware negotiators reduced demands by an average of 65%, bringing the average final payment to $355,000 [1]. That's still a potentially business-ending sum for most SMBs.

But here's what the data actually reveals: declining to pay is the right call, and it's increasingly viable. The businesses successfully declining are the ones that invested in recovery infrastructure before the attack — not after.

What Business Email Compromise Costs (It's Not What You Think)

Before diving into the recovery framework, a critical sidebar: ransomware is only 21% of cyber insurance claims. Business Email Compromise (BEC) — where attackers gain access to email accounts and impersonate executives, vendors, or banks — accounts for 31% of all claims, making it the single most common cyber incident type [1].

BEC frequency rose 15% year over year, though average losses dropped 28% to $27,000 per incident. The drop is partly due to faster detection, partly due to better bank-level fraud controls. In 52% of BEC-linked funds transfer fraud cases, attackers used mailbox access to intercept transactions and alter payment details — with average losses of $112,000 in those cases [1].

Critically, Coalition recovered $21.8 million in stolen funds in 2025 across funds transfer fraud incidents, with a 32% recovery rate [1]. Early reporting to your bank — within hours, not days — is the primary driver of successful recovery.

The 3-Layer Recovery Stack: What Separates Businesses That Survive

Shelley Ma, Incident Response Lead at Coalition, identifies three non-negotiable elements for backup-based ransomware recovery [1]:

Layer 1 — Hardened Backup Infrastructure

Backups must be immutable (files cannot be modified or deleted once written), logically or physically isolated from the production network, and protected by separate credentials and multi-factor authentication. An attacker who has already compromised your primary systems should find it structurally impossible to reach your backups.

Layer 2 — Tested Recovery Runbooks

Having backups is table stakes. Being able to restore from them under pressure is the actual capability that matters. Ma recommends maintaining written recovery runbooks that sequence systems by business priority — revenue-critical and safety-critical infrastructure first, in parallel with forensic investigation. Practice this at least twice a year.

Layer 3 — Data Exfiltration Monitoring

Because 70% of attacks now steal data before or during encryption, businesses need visibility into unusual data movement — large file transfers, access to directories outside normal business hours, new external sync targets. Cloud-based SIEM tools make this accessible to SMBs at a fraction of enterprise costs. CISA's free Malicious Domain Blocking and Reporting (MDBR) service also provides a meaningful baseline layer [3].


Why Nation-State Actors Are Now Targeting SMB-Adjacent Infrastructure

The zero-day exploitation picture is changing in ways that affect businesses beyond the enterprise tier. Google's Threat Intelligence Group reports that 90 zero-day vulnerabilities were exploited in the wild in 2025, with nearly half targeting enterprise-grade networking and security technology — an all-time high [4]. China-nexus groups doubled their zero-day attribution rate from 2024 to 2025, with a strong focus on edge networking devices.

This matters to SMBs because of supply chain exposure. You may not run Cisco SD-WAN infrastructure yourself, but your managed service provider, your internet provider, or your accounting software vendor might. Cisco this week confirmed active exploitation of CVE-2026-20127, a maximum-severity (CVSS 10.0) authentication bypass zero-day in its Catalyst SD-WAN Controller, with CISA issuing Emergency Directive 26-03 requiring immediate federal action [5]. Three additional CVEs in the same product family are also confirmed as exploited in the wild.

The implication: your technology vendors' security posture is now part of your attack surface. A compromised vendor network can be used as a staging point to reach your systems.


What Your Business Should Do This Week

The Coalition data suggests a clear priority order:

1. Audit your backup architecture against Layer 1 criteria. Are your backups truly isolated from production? Can a compromised domain admin account reach them? Most SMB backup configurations fail this test.

2. Run a tabletop recovery exercise. Pick one critical business system and walk through restoring it from backup, step by step, from your runbook. Identify gaps before attackers do.

3. Enable alerts on large file transfers. Most cloud storage platforms (Microsoft 365, Google Workspace) have built-in anomaly detection that flags unusual download activity. Make sure it's turned on and someone actually reviews the alerts.

4. Verify your BEC controls. Add a callback verification step for any payment change request received by email, no exceptions. This single control prevents 71% of social engineering-driven funds transfer fraud [1].

5. Check vendor security posture. Ask your managed service provider, cloud provider, and key software vendors what their patching cadence is for critical CVEs. Specifically ask whether they've addressed CVE-2026-20127 if they use Cisco SD-WAN [5].
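Layer 3 above and step 3 of this list both come down to watching data movement. The following added example (not Coalition's or lilMONSTER's code, and not any platform's built-in anomaly detection) applies the three Layer 3 signals to a few constructed JSON-lines audit events; the log schema, the 500 MiB threshold, the business-hours window and the approved-destination list are all assumptions.

```python
"""Exfiltration-precursor triage over constructed file-activity audit events.

Flags the three signals in Layer 3: large transfers, activity outside
business hours, and sync/download targets not previously approved.
The event schema, sample events and thresholds are assumptions for this
example, not a vendor's real log format.
"""
from collections import defaultdict
from datetime import datetime, time
import json

# Constructed sample events (NOT real logs). One JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-03-05T10:12:00","user":"alice","action":"download","bytes":2400000,"dest":"corp-laptop-07"}
{"ts":"2026-03-05T23:41:00","user":"bob","action":"download","bytes":1800000000,"dest":"203.0.113.9"}
{"ts":"2026-03-06T02:15:00","user":"bob","action":"sync","bytes":52000000,"dest":"mega.example"}
{"ts":"2026-03-06T09:30:00","user":"carol","action":"download","bytes":900000,"dest":"corp-laptop-11"}
{"ts":"2026-03-06T11:05:00","user":"carol","action":"sync","bytes":4000000,"dest":"onedrive-corp"}
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed local working window
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024      # assumed threshold: 500 MiB
# Destinations already approved for this tenant (constructed allow-list).
KNOWN_DESTINATIONS = {"corp-laptop-07", "corp-laptop-11", "onedrive-corp"}


def parse_events(log_text):
    """Parse JSON-lines audit events, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue  # one bad record must not stop the whole triage run
    return events


def is_off_hours(ts):
    """True when the timestamp falls outside the assumed business window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def triage(events, known_destinations=KNOWN_DESTINATIONS):
    """Return (user, when, dest, reasons) tuples for every event that trips a
    rule, plus one aggregate finding per user whose total volume is large,
    so that many small transfers still surface."""
    findings = []
    per_user_bytes = defaultdict(int)
    for ev in events:
        reasons = []
        per_user_bytes[ev["user"]] += ev["bytes"]
        if ev["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large_transfer")
        if is_off_hours(ev["ts"]):
            reasons.append("off_hours")
        if ev["dest"] not in known_destinations:
            reasons.append("new_external_target")
        if reasons:
            findings.append((ev["user"], ev["ts"].isoformat(), ev["dest"], reasons))
    for user, total in per_user_bytes.items():
        if total >= LARGE_TRANSFER_BYTES:
            findings.append((user, "aggregate", "*", ["large_aggregate_volume"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(finding)
```

Tune the threshold and allow-list to your own baseline; the useful part is that each finding carries its reasons, so the person reviewing alerts can see why it fired.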

The ransomware landscape isn't getting quieter — but businesses that invest in structured recovery capability aren't just surviving attacks, they're recovering faster and paying less. The data from 100,000+ real incidents confirms it.


FAQ

Ransomware frequency has stayed flat and severity has dropped 19% — which is genuinely good news for businesses with strong backups [1]. However, the shift to dual extortion (encryption + data theft) means that operational recovery no longer protects you from data exposure. The financial risk profile has changed, not disappeared.

Dual extortion is when attackers both encrypt your files and exfiltrate (steal) your data before encryption, then threaten to publish the stolen data even if you restore from backup. It now represents 70% of ransomware claims and carries average losses of $299,000 [1]. Immutable backups resolve the encryption component but not the exfiltration component.

The data shows 86% of victims decline to pay, and this is generally the right call [1]. Paying does not guarantee data deletion, may fund further attacks, and can create legal complications depending on your jurisdiction and whether the attacker is a sanctioned entity. Focus investment on recovery capability before an incident occurs.

An immutable backup is one where data cannot be modified or deleted once written, for a defined retention period. Technologies like AWS S3 Object Lock, Azure Immutable Blob Storage, and dedicated backup appliances with WORM (Write Once Read Many) functionality provide this. The key requirement is that your regular production credentials — even domain admin accounts — cannot delete or overwrite these backups.
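The Layer 1 audit question ("can a compromised domain admin account reach them?") has a concrete answer for S3 Object Lock, because its GOVERNANCE mode can be bypassed by a principal holding s3:BypassGovernanceRetention while COMPLIANCE mode cannot be shortened by anyone until retention expires. The following added example (not Coalition's or lilMONSTER's code) evaluates a weak configuration beside a hardened one; the dict shape follows what boto3's get_object_lock_configuration returns, while both sample configurations and the 30-day minimum are constructed assumptions.

```python
"""Layer 1 posture check for an S3 backup bucket's Object Lock configuration.

Added example. The dict shape mirrors boto3 s3.get_object_lock_configuration();
the sample configurations and the minimum retention are constructed/assumed.
"""

MIN_RETENTION_DAYS = 30   # assumed organisational minimum for backup retention

# Constructed "weak" configuration: lock is on, but GOVERNANCE mode can be
# bypassed by any principal with s3:BypassGovernanceRetention, so a stolen
# privileged credential can still purge backups. Retention is also short.
WEAK_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }
}

# Constructed hardened configuration: COMPLIANCE mode cannot be shortened or
# removed by any user, including the account root, until retention expires.
HARDENED_CONFIG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}},
    }
}


def retention_days(rule):
    """Normalise a DefaultRetention rule to days (AWS accepts Days or Years)."""
    ret = rule.get("DefaultRetention", {})
    if "Days" in ret:
        return int(ret["Days"])
    if "Years" in ret:
        return int(ret["Years"]) * 365
    return 0


def assess_object_lock(config, min_days=MIN_RETENTION_DAYS):
    """Return (passes, findings); an empty findings list means Layer 1 is met.

    A default retention rule is required here so every backup write is locked
    automatically rather than relying on the backup job to set it per object.
    """
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return False, ["object_lock_disabled"]
    rule = lock.get("Rule")
    if not rule:
        return False, ["no_default_retention_rule"]
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"mode_{str(mode).lower()}_bypassable")
    days = retention_days(rule)
    if days < min_days:
        findings.append(f"retention_{days}d_below_minimum_{min_days}d")
    return not findings, findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess_object_lock(cfg))
```

Object Lock is only one of the Layer 1 criteria; this check says nothing about network isolation or whether the backup account shares credentials with production.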

BEC is a targeted form of fraud where attackers compromise or spoof a legitimate email account (typically an executive or vendor) to direct fraudulent payments or extract information. Unlike mass phishing, BEC attacks are personalised, researched, and often involve weeks of inbox monitoring before the payoff request. The average BEC loss is $27,000, but BEC is also the precursor to 52% of large-scale funds transfer fraud events [1].


References

[1] Coalition, "2025 Cyber Claims Report," Coalition, 2026. [Online]. Available: https://www.coalitioninc.com/blog/coalition-cyber-claims-report-2025

[2] CyberProof, "CyberProof 2026 Global Threat Intelligence Report," CyberProof, 2026. [Online]. Available: https://www.cyberproof.com/cyberproof-2026-global-threat-intelligence-report/

[3] Cybersecurity and Infrastructure Security Agency, "Malicious Domain Blocking and Reporting (MDBR)," CISA, 2026. [Online]. Available: https://www.cisa.gov/resources-tools/services/malicious-domain-blocking-and-reporting-mdbr

[4] Google Threat Intelligence Group, "2025 Zero-Day Exploitation Review," Google Cloud Blog, March 6, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review

[5] Cybersecurity and Infrastructure Security Agency, "Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems," CISA, March 2026. [Online]. Available: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems

[6] Cisco, "Cisco Catalyst SD-WAN Manager Vulnerabilities Advisory (cisco-sa-sdwan-authbp-qwCX8D4v)," Cisco Security Advisory, March 5, 2026. [Online]. Available: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v

[7] Tenable, "CVE-2026-20127: Cisco Catalyst SD-WAN Zero-Day Authentication Bypass Exploited in the Wild," Tenable Blog, March 2026. [Online]. Available: https://www.tenable.com/blog/cve-2026-20127-cisco-catalyst-sd-wan-controllermanager-zero-day-authentication-bypass

[8] Help Net Security, "Backup strategies are working, and ransomware gangs are responding with data theft," Help Net Security, March 6, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/

[9] Cybersecurity Dive, "Nearly half of exploited zero-day flaws target enterprise-grade technology," Cybersecurity Dive, March 6, 2026. [Online]. Available: https://www.cybersecuritydive.com/news/half-exploited-zero-day-flaws-enterprise-grade-technology/814021/

[10] eSecurity Planet, "CyberProof 2026 Report Warns of Rising Identity and AI Cyberattacks," eSecurity Planet, March 6, 2026. [Online]. Available: https://www.esecurityplanet.com/threats/cyberproof-2026-report-warns-of-rising-identity-and-ai-cyberattacks/


Is your backup architecture actually ready for a dual extortion attack? lilMONSTER helps SMBs build recovery capability that works when it matters most. Book a free consultation →


ELI10: Ransomware Gangs Are Adapting — Here's Why Your Backup Isn't Enough Anymore

TL;DR

  • Ransomware is like someone locking your filing cabinets and demanding payment for the key.
  • Businesses got smart — they started making copies of everything first. So now attackers also steal the files before locking them.
  • The average ransom demand is now over $1 million. 86% of businesses don't pay.
  • The businesses that survive do three things: keep backups criminals can't reach, know exactly how to restore, and watch for suspicious copying before the lock-up happens.

Imagine your business is a restaurant. All your recipes, customer contacts, supplier contracts — everything that keeps the doors open — lives in filing cabinets in the back office.

A ransomware attack is like someone sneaking in overnight, locking every single cabinet with their own padlocks, and leaving a note: "Pay us $1 million and we'll give you the keys."

For years, smart businesses fought back by making copies. Keep a backup of every file somewhere else — your own fireproof safe, an offsite storage unit, a cloud system only you can access. Problem solved, right? If they lock the cabinets, you just use your copies.

Ransomware criminals noticed. And they adapted.

What "Dual Extortion" Means (and Why It Changes Everything)

Now, before attackers lock your filing cabinets, they quietly make their own copies first. Every customer record, every financial document, every private contract — they copy it all out the back door before they lock up.

Then they leave two notes. Note one: "Pay us to unlock your cabinets." Note two: "If you don't pay, we'll post all your private files on the internet for anyone to see."

This is called dual extortion, and it now accounts for 70% of ransomware attacks [1]. Even if you can restore from your backup — even if you never need to pay the ransom — your private data might still end up exposed.

The Real Numbers (Translated)

  • The average ransom demand in 2025 was over $1 million [1]. That went up 47% in a single year.
  • 86 out of 100 businesses that got hit refused to pay [1]. Good call.
  • For the 14% who did pay, negotiators helped get the demand reduced by about 65% — but they still paid an average of $355,000 [1].
  • Retailers saw a 58% jump in ransomware attacks in the middle of 2025. Manufacturers saw a 61% jump [2].

The good news: the amount of damage ransomware causes is actually going down — 19% lower on average than the year before [1]. That's because backup strategies are working. Businesses are recovering without paying. The criminals get nothing.

The 3 Things That Actually Protect You

Think of these as three locks on three different doors.

Lock 1: Backups Criminals Can't Reach

Your backup copy needs to live somewhere that an attacker — even one who has already taken over your entire computer system — simply cannot get to. That means separate login credentials, a separate system, and ideally a "write once, read many" storage system where files can be added but never deleted or changed. It's like keeping a copy of your filing cabinet contents in a vault only you can open, with no connection to your main office.

Lock 2: A Tested Recovery Plan

Having a copy means nothing if you don't know how to use it under pressure. Write down, step by step, exactly how your business would get back online if every computer was suddenly unusable. Then practice it. The businesses that recover quickly have done this. The ones that struggle haven't.

Lock 3: Watching for the "Copy Before the Lock" Move

Because attackers now steal data before they encrypt it, you need to watch for unusual copying or large file transfers happening on your systems — especially outside business hours. Most business email and cloud storage tools have free alert settings for this. Turn them on.

The Other Big Threat: Business Email Scams

Ransomware gets the headlines, but Business Email Compromise is actually the most common cyber insurance claim — 31% of all incidents [1]. This is where someone gets into your email, or pretends to be your accountant or boss, and convinces someone in your business to transfer money somewhere fraudulent.

The average loss is $27,000 per incident [1]. The prevention is simple: for any payment change request that arrives by email, call the person directly to confirm. No exceptions. That one phone call prevents most of these attacks.

What to Do This Week

  1. Check your backup setup: Can a hacker who already has your passwords access your backups? If yes, fix that first.
  2. Write a recovery runbook: If everything broke today, how would you get back up? Write the steps down.
  3. Turn on file transfer alerts: In Microsoft 365 or Google Workspace, turn on alerts for large downloads or unusual sharing activity.
  4. Add a phone confirmation rule: Any payment change request by email must be confirmed by phone. No exceptions.

Your business is already more resilient than it was two years ago — the data proves it. These four steps make that resilience last.


FAQ

Both. The frequency of attacks is flat and the average damage is down 19% — which means backup strategies are working. But attackers have adapted by also stealing data before encrypting it (dual extortion), so the nature of the threat has changed even if the raw financial damage is dropping [1].

Cloud backup services start at under $20/month for small businesses. Microsoft 365 Business includes backup options. The cost of doing nothing is $262,000 on average — and that's the better outcome [1]. This is one of the highest-ROI investments a small business can make.

No — 86% of businesses don't pay and most recover successfully [1]. The key is having backups in place before an attack. Without backups, you're in a much harder position. With them, you restore and move on.

BEC is when attackers either hack into a business email account or convincingly impersonate someone — usually a boss, vendor, or bank — to trick employees into making fraudulent payments. The single best prevention is a verbal confirmation policy: any payment instruction received by email must be confirmed by phone before action is taken [1].


References

[1] Coalition, "2025 Cyber Claims Report," Coalition, 2026. [Online]. Available: https://www.coalitioninc.com/blog/coalition-cyber-claims-report-2025

[2] CyberProof, "CyberProof 2026 Global Threat Intelligence Report," CyberProof, 2026. [Online]. Available: https://www.cyberproof.com/cyberproof-2026-global-threat-intelligence-report/

[3] Help Net Security, "Backup strategies are working, and ransomware gangs are responding with data theft," Help Net Security, March 6, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/06/cyber-claims-report-ransomware-gangs-data-theft/

[4] Cybersecurity and Infrastructure Security Agency, "Malicious Domain Blocking and Reporting (MDBR)," CISA, 2026. [Online]. Available: https://www.cisa.gov/resources-tools/services/malicious-domain-blocking-and-reporting-mdbr

[5] eSecurity Planet, "CyberProof 2026 Report Warns of Rising Identity and AI Cyberattacks," eSecurity Planet, March 6, 2026. [Online]. Available: https://www.esecurityplanet.com/threats/cyberproof-2026-report-warns-of-rising-identity-and-ai-cyberattacks/


Want someone to check if your backup setup would actually survive a ransomware attack? That's exactly what lilMONSTER does. Book a free 30-minute consultation →
