m@ksim.pro
Security 3 min read

Ransomware in 2022: operational continuity matters more than antivirus

What the LockBit wave says about how companies should think about protection - not as a technical task but as an operational one.

The first half of 2022 saw a notable rise in ransomware attacks against mid-size and large businesses. The LockBit group and its affiliate network hit organisations across sectors - manufacturing, logistics, professional services. Average downtime after a successful attack: several weeks. Ransom demands: from hundreds of thousands to millions of dollars.

I will not discuss the technical details of the malware. That is not the conversation founders and executives need. The conversation they need is different: what do you do if this happens to your company?

The right answer is that you should know this before an incident, not during one.

Why antivirus is not the answer

Modern ransomware attacks are not an automated virus catching a random file. They are operations: attackers enter a network, study it, acquire privileges, and only then trigger encryption. This process takes anywhere from a few days to several months.

By the time files are encrypted, antivirus is no longer relevant. Its job was to stop the initial intrusion, but most attacks use legitimate administration tools that antivirus does not block.

The question for an executive is not "how do we prevent the intrusion". That matters, but it is not sufficient. The question is: "what will we do if encryption happens anyway?"

Three layers of readiness

Readiness for a ransomware attack is not one measure - it is several layers.

The first layer - backups that cannot be encrypted together with the primary data. This means physical or logical isolation: backups on media not connected to the main network, or in cloud storage with immutability enabled. Backups connected to the same infrastructure get encrypted alongside it.

The second layer - tested recovery procedures. The common failure is that a backup exists, but nobody has verified that restoring from it actually works. This is a critical mistake. Recovery must be tested regularly - not theoretically, but in practice, measuring real elapsed time.

The third layer - a communication and decision-making plan. Who declares the incident? Who decides whether to pay the ransom? Who talks to customers and regulators? These decisions must not be made for the first time at three in the morning, under pressure from a decryption-key countdown.

What "operational continuity" means

Operational continuity is the ability of a company to keep functioning under partial or complete failure of IT infrastructure. This is a broader task than ransomware protection, but ransomware attacks are a good test of whether you are ready for it.

Specific questions for self-assessment:

  1. If all your servers are locked tomorrow - which critical operations can you continue?
  2. What is the actual RTO (recovery time objective) for your key systems - and have you measured it in practice?
  3. Where are the recovery instructions stored - and are they accessible if the infrastructure is unavailable?
  4. Does your team know who to call and what to do in the first 30 minutes of an incident?
  5. Have you run a cyber incident drill at least once in the last two years?

A practical step this week

If none of these questions has a confident answer, start with the simplest one: verify that data can actually be restored from the last backup. Not "does a backup exist", but "can someone on the team restore from it right now".

That takes a few hours and will tell you more than any paper audit.
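As an added example, not code from this post, here is a restore drill of the kind this section asks for: restore a backup into a scratch directory, verify every file against the hash manifest recorded when the backup was taken, and report the measured time against the recovery time objective. It assumes a gzipped tar backup with a SHA-256 manifest; the archive and manifest below are constructed samples.

```python
import hashlib
import io
import posixpath
import tarfile
import tempfile
import time
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_backup(tamper: bool = False):
    """Constructed stand-in for a real backup: a gzipped tar plus the manifest of
    SHA-256 hashes recorded at backup time. With tamper=True one file is altered
    after the manifest was written, simulating a backup that silently went bad."""
    files = {"db/orders.sql": b"INSERT INTO orders VALUES (1, 'acme');\n",
             "config/app.yaml": b"db_host: db01\n"}
    manifest = {name: sha256(data) for name, data in files.items()}
    if tamper:
        files["db/orders.sql"] = b"-- truncated\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict, rto_seconds: float) -> dict:
    """Restore into a scratch directory, hash what actually landed on disk,
    and compare elapsed time against the RTO. Returns the drill report."""
    start = time.monotonic()
    seen, corrupt = {}, []
    with tempfile.TemporaryDirectory() as scratch, \
            tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = posixpath.normpath(member.name)
            # refuse entries that are not plain files or would escape the scratch dir
            if not member.isfile() or name.startswith(("/", "..")):
                continue
            target = Path(scratch, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
            seen[name] = sha256(target.read_bytes())  # hash the restored copy, not the archive
    corrupt = [n for n, expected in manifest.items() if n in seen and seen[n] != expected]
    missing = sorted(set(manifest) - set(seen))
    elapsed = time.monotonic() - start
    return {"restored": len(seen), "corrupt": corrupt, "missing": missing,
            "elapsed_seconds": elapsed, "within_rto": elapsed <= rto_seconds,
            "passed": not corrupt and not missing and elapsed <= rto_seconds}
```

Run it against a real backup on a schedule and keep the elapsed time: that number, not the existence of the backup, is the answer to the RTO question above.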

If this resonated, write to me. I reply personally.