Ransomware encrypts data and demands a ransom. Effective defense combines 3-2-1-1-0 immutable backups, EDR, segmentation, MFA and an incident response plan.

Ransomware is, beyond any doubt, the most devastating threat for Spanish companies in 2026. Every 11 seconds a ransomware attack occurs somewhere in the world, and the average ransom attackers demand exceeds 250,000 euros. But the real cost is not the ransom (which you should never pay): it is the business interruption, which can last weeks or months, the loss of irreplaceable data, the reputational damage and the regulatory penalties if personal data is affected. This guide gives you everything you need to know to prevent, detect and recover from a ransomware attack. If you are looking for the real-world case, jump to the anonymized private clinic case.

Real 2024-2025 figures · Ransomware in Spain

The most recent Spanish figures (sources: INCIBE, CCN-CERT and the National Technology Observatory) outline the problem at SME scale:

Indicator                                                 2024-2025 value                                 Source
Cybersecurity incidents handled by INCIBE                 58,000 (40% in SMEs)                            INCIBE-CERT
Average ransomware recovery cost, Spanish SME             60,000-180,000 €                                Insurers + INCIBE
Average ransom demanded                                   250,000 € (range 5,000-2M €)                    Sophos State of Ransomware
Average SME downtime after an attack                      4-12 days                                       INCIBE-CERT
% of SMEs with tested backups                             38%                                             INCIBE
% of companies that pay and fully recover data            8%                                              Sophos · CCN-CERT
% of companies that suffer a second attack after paying   80%                                             Cybereason · ENISA
Main entry vector in Spanish SMEs                         Phishing 60% · RDP/VPN 22% · supply chain 12%   CCN-CERT

Anatomy of a modern ransomware attack

Modern ransomware attacks are not a single click: they are planned operations that can last weeks from the initial intrusion to the encryption of the data. The typical sequence begins with initial access, most often through a phishing email with a malicious attachment or link (the most frequent vector, behind 60% of infections), the exploitation of an unpatched or exposed internet-facing service (VPN gateway, RDP remote desktop, web server), credentials stolen by malware or bought on the dark web, or a compromised supplier in the supply chain.

Once inside the network, the attacker moves laterally to gain administrator privileges and reach the most valuable systems. In this phase, which can last days or weeks, the attacker stays quiet while mapping the network, identifying the most critical data, deleting or disabling every backup it can reach, and exfiltrating data for double extortion (a threat to publish it on top of the encryption). Only when it has full control does it launch the mass encryption of everything it can reach and drop the ransom note. This dwell time is why a backup that only keeps a few days of history may already contain encrypted or tampered data by the time you notice.

The 10 most effective prevention measures

Protecting the main entry vector: email

Email is the entry vector in 6 out of every 10 ransomware attacks. The fundamental measures are configuring SPF, DKIM and DMARC on your domain to prevent spoofing, an advanced anti-phishing filter that analyzes attachments and links before delivering them to the user, disabling macros in Office documents received by email, and periodic staff training with phishing simulations.

Read my article on email security for a detailed SPF/DKIM/DMARC configuration guide.
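As an added example (not the author's code, nor the configuration from the linked article), the following Python script evaluates SPF and DMARC TXT records for the weak settings that still leave spoofing possible: a permissive or missing "all" term, too many DNS lookups, p=none, partial pct, no reporting address and unprotected subdomains. The records are constructed for a hypothetical example.com; a live check would fetch them with a DNS library, which is left out so the script runs offline. DKIM is not checked because its correctness depends on the signing server, not on a single DNS record.

```python
"""Evaluate SPF and DMARC TXT records for settings that still allow spoofing.

Added example with constructed records for a hypothetical domain.
"""

# Mechanisms that trigger a DNS lookup; RFC 7208 allows at most 10 per check.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def evaluate_spf(record: str) -> list:
    """Return a list of findings for an SPF record (empty list means no issues)."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1, receivers ignore it"]

    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # A term may carry a qualifier (+ pass, - fail, ~ softfail, ? neutral); default is +.
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1

    if all_qualifier is None:
        findings.append("SPF: no 'all' term, spoofed mail gets a neutral result instead of a fail")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorises any host on the internet to send as your domain")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' gives no verdict on unknown senders")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' only soft-fails spoofed mail; move to '-all' once DMARC is enforced")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10, the record returns permerror")
    return findings


def evaluate_dmarc(record: str) -> list:
    """Return a list of findings for a DMARC record (empty list means no issues)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1, receivers ignore it"]

    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports; spoofed mail that fails SPF/DKIM is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you receive no aggregate reports showing who spoofs you")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


# Constructed records for a hypothetical domain, not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, evaluate_spf),
                                 ("strong SPF", STRONG_SPF, evaluate_spf),
                                 ("weak DMARC", WEAK_DMARC, evaluate_dmarc),
                                 ("strong DMARC", STRONG_DMARC, evaluate_dmarc)):
        print(f"{label}: {check(record) or ['OK']}")
```

The usual migration path is the one the findings hint at: publish p=none with rua= first, use the aggregate reports to find every legitimate sender, then move to quarantine and finally reject, and only then tighten SPF to -all.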

Ransomware-resistant backups (the 3-2-1-1-0 rule)

Backups are your last line of defense. But modern ransomware searches for and encrypts the backups it finds accessible on the network. To protect them, apply the 3-2-1-1-0 rule: 3 copies of the data (production + 2 backups), 2 different media, 1 offsite copy, 1 offline or immutable copy (air-gapped or write-once with a time lock), 0 errors in the quarterly restore tests. This rule is the standard recommended by INCIBE, CCN-CERT and most cyber-risk insurers. Keep multiple backup generations (not just the most recent one, which could already be encrypted).
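As an added example (not code from the author or from any backup vendor), the Python below checks a backup inventory against the five elements of the 3-2-1-1-0 rule. Two interpretations in it are assumptions and stricter than some readings: the backup copies themselves, not production, must span two media, and the immutable copy must retain generations for longer than the attacker's expected dwell time (30 days here), because an immutable copy whose only generations were written after the intrusion protects nothing. The inventories are constructed.

```python
"""Check a backup inventory against the 3-2-1-1-0 rule.

Added example with constructed inventories; the dwell-time retention check is
an editorial assumption, not part of the rule as usually stated.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    medium: str                              # e.g. "disk", "tape", "object storage"
    offsite: bool
    immutable: bool                          # offline/air-gapped, or WORM with a time lock
    retention_days: int                      # how many days of generations are kept
    days_since_restore_test: Optional[int]   # None = never tested
    restore_errors: int = 0                  # errors found in the last restore test


def check_3_2_1_1_0(copies: List[BackupCopy], max_dwell_days: int = 30,
                    test_interval_days: int = 90) -> dict:
    """Map each element of the rule to whether the inventory meets it.

    max_dwell_days: how long an attacker may sit in the network before encrypting;
    the immutable copy must keep generations at least that long.
    test_interval_days: restore tests must be at most this old (90 = quarterly).
    """
    immutable = [c for c in copies if c.immutable]
    tested_clean = [
        c for c in copies
        if c.days_since_restore_test is not None
        and c.days_since_restore_test <= test_interval_days
        and c.restore_errors == 0
    ]
    return {
        "3_copies": len(copies) >= 2,                       # production + at least 2 backups
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.retention_days >= max_dwell_days for c in immutable),
        "0_errors": bool(copies) and len(tested_clean) == len(copies),
    }


def failed_elements(copies: List[BackupCopy], **kwargs) -> List[str]:
    """Names of the rule elements the inventory fails (empty list = compliant)."""
    return [name for name, ok in check_3_2_1_1_0(copies, **kwargs).items() if not ok]


# Constructed inventories, not real data.
COMPLIANT = [
    BackupCopy("nightly-nas", "disk", offsite=False, immutable=False,
               retention_days=14, days_since_restore_test=20),
    BackupCopy("cloud-worm", "object storage", offsite=True, immutable=True,
               retention_days=60, days_since_restore_test=45),
]
# What many SMEs actually have: one NAS share the attacker can reach and encrypt.
TYPICAL_SME = [
    BackupCopy("nas-share", "disk", offsite=False, immutable=False,
               retention_days=7, days_since_restore_test=None),
]
# Immutable on paper, but 7 days of WORM retention is shorter than a typical dwell time.
SHORT_LOCK = [
    BackupCopy("nightly-nas", "disk", offsite=False, immutable=False,
               retention_days=14, days_since_restore_test=20),
    BackupCopy("cloud-worm", "object storage", offsite=True, immutable=True,
               retention_days=7, days_since_restore_test=45),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("typical SME", TYPICAL_SME),
                             ("short lock", SHORT_LOCK)):
        print(f"{label}: fails {failed_elements(inventory) or 'nothing'}")
```

The SHORT_LOCK case is the one worth running: every box on the checklist is ticked, yet the copy fails because its time lock expires before the attacker would have finished preparing the encryption.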

Endpoint protection with EDR / MDR

A traditional signature-based antivirus rarely catches modern ransomware, which is rebuilt for each campaign and uses evasion techniques designed to defeat file scanning. An EDR (Endpoint Detection and Response) solution instead analyzes process behavior in real time, such as a process that starts rewriting large numbers of files in seconds, and can stop the encryption before it completes and isolate the host. For SMEs without an internal security team, the MDR (Managed Detection and Response) model outsources the 24x7 monitoring and response to a managed provider (MSSP), typically with a contractual response time of under 30 minutes. Of all the measures in this list, it is the technology with the greatest impact against ransomware. The caveat is that EDR only protects the endpoints it is installed on: cover servers and remote laptops too, not only office workstations.

Privileged access management

The principle of least privilege is critical: if an infected user has administrator permissions, the ransomware encrypts everything that user can access. Limit administrator privileges to the minimum necessary, use separate accounts for system administration, and do not browse the internet or open emails with privileged accounts.

Network segmentation

Divide your network into isolated segments so that ransomware infecting one segment cannot spread to the others. At a minimum, separate servers from workstations, and backups from everything else. In industrial environments, segregate OT from IT with an industrial firewall.

MFA on all external access

Enable mandatory MFA for the VPN, remote desktop, cloud email and any access from the internet. App-based MFA solutions (Authenticator, Authy) or FIDO2 are preferable to SMS (which is vulnerable to SIM swapping).

Continuous patching

Apply security patches within 30 days for high vulnerabilities and within 7 days for critical ones. The vulnerabilities most exploited by ransomware in 2024-2025 were in VPNs (Fortinet, Pulse Secure, Cisco), Exchange servers (ProxyShell, ProxyNotShell) and VMware ESXi servers.

Training and phishing simulations

Quarterly simulations with immediate training for the employees who fall for them. The target click rate at 12 months should be under 5% in an SME.

Asset and supplier inventory

You cannot protect what you do not know you have. Keep an up-to-date inventory of critical assets and of suppliers with access to your infrastructure (the supply chain is a growing vector).

A documented and tested incident response plan

A plan that is not tested does not work. Run drills (tabletop exercises) at least annually with management, IT and communications.

What to do if you suffer a ransomware attack

The first 60 minutes are critical

If you detect ransomware activity (files changing extension, ransom notes, systems slowing down abnormally), act immediately. Isolate the affected systems from the network (unplug the network cable or disable Wi-Fi, but do not power off the machines, as that may destroy forensic evidence). Notify the security manager and the incident response team. Assess the initial scope of the attack (which systems are affected, whether the backups are compromised).
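The behavioral detection described in the EDR section above and the early indicators listed here (files changing extension, ransom notes appearing) reduce to a simple rule over file-server events. The Python below is an added example, not code from any EDR product nor from the author: it runs a sliding-window rule over constructed events (a user renaming a few documents, then one account renaming 40 files to an unknown extension in 30 seconds and dropping a note) and names the host to isolate. The field names ts, host, user, op, path and new_path are assumed. A real EDR uses more signals (entropy of written data, canary files, process lineage) and blocks the process rather than just alerting; the rule here shows the shape of the logic, including why a handful of legitimate renames does not trigger it.

```python
"""Sliding-window rule for mass-encryption behaviour over file-server events.

Added example with constructed events; it is not the detection logic of any
EDR product. Field names (ts, host, user, op, path, new_path) are assumed.
"""
import re
from collections import defaultdict
from os.path import splitext

# Extensions a user normally renames to; anything else is treated as suspicious.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv"}
# Typical ransom-note file names: README_TO_RESTORE.txt, HOW_TO_DECRYPT.html, ...
RANSOM_NOTE = re.compile(r"(readme|how_to|decrypt|restore|recover)[^/\\]*\.(txt|html|hta)$",
                         re.IGNORECASE)


def detect_ransomware_activity(events, window_seconds=60, rename_threshold=20):
    """Return one alert per (host, user) that renames many files to unknown
    extensions within the window, or that writes a ransom note."""
    suspicious_renames = defaultdict(list)   # (host, user) -> timestamps
    notes = defaultdict(set)                 # (host, user) -> note paths
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["op"] == "rename":
            if splitext(ev["new_path"])[1].lower() not in KNOWN_EXTENSIONS:
                suspicious_renames[key].append(ev["ts"])
        elif ev["op"] == "create" and RANSOM_NOTE.search(ev["path"]):
            notes[key].add(ev["path"])

    alerts = []
    for key in set(suspicious_renames) | set(notes):
        # Largest number of suspicious renames inside any span of window_seconds.
        times = sorted(suspicious_renames.get(key, []))
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        reasons = []
        if peak >= rename_threshold:
            reasons.append(f"{peak} files renamed to unknown extensions within {window_seconds}s")
        if notes.get(key):
            reasons.append(f"ransom note created: {sorted(notes[key])[0]}")
        if reasons:
            alerts.append({"host": key[0], "user": key[1], "reasons": reasons})
    return sorted(alerts, key=lambda a: (a["host"], a["user"]))


def constructed_events():
    """Constructed sample: normal edits from WS-03, mass encryption from WS-12."""
    events = []
    for i in range(3):   # a user renaming three drafts, extension unchanged
        events.append({"ts": 10 + i, "host": "WS-03", "user": "amartin", "op": "rename",
                       "path": f"\\\\fs01\\shared\\draft{i}.docx",
                       "new_path": f"\\\\fs01\\shared\\final{i}.docx"})
    for i in range(40):  # 40 files renamed to .lockd in 30 seconds
        events.append({"ts": 100 + i * 0.75, "host": "WS-12", "user": "jlopez", "op": "rename",
                       "path": f"\\\\fs01\\shared\\invoice{i}.pdf",
                       "new_path": f"\\\\fs01\\shared\\invoice{i}.pdf.lockd"})
    events.append({"ts": 131, "host": "WS-12", "user": "jlopez", "op": "create",
                   "path": "\\\\fs01\\shared\\README_TO_RESTORE.txt"})
    return events


if __name__ == "__main__":
    for alert in detect_ransomware_activity(constructed_events()):
        print(f"ISOLATE {alert['host']} (user {alert['user']}): " + "; ".join(alert["reasons"]))
```

The alert names the host and the account, which is exactly what the first 60 minutes need: the host is pulled off the network and the account is disabled, while the file server itself stays powered on for forensics.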

Do not pay the ransom

The reasons not to pay are many and compelling. Only 65% of companies that pay recover any data, and just 8% recover all of it (see the table above), so paying does not spare you a restore from backups. Paying funds criminal organizations and marks you as a target for future attacks (80% of companies that pay suffer a second attack). You have no guarantee that the attackers have not left backdoors to return, and the data they exfiltrated stays in their hands whatever they promise. And paying can have legal implications if the funds reach sanctioned organizations.

Mandatory notifications

If the attack affects personal data, you must notify the AEPD (Spanish Data Protection Agency) within a maximum of 72 hours of becoming aware of it, in accordance with the GDPR. If your organization is subject to Spain's National Security Framework (ENS), you must notify CCN-CERT through the LUCIA platform. If you are an essential or important entity under NIS2, you must send an early warning to the reference CSIRT within 24 hours, followed by a full incident notification within 72 hours. And since the attack constitutes a crime (it always does), you must report it to the State security forces, for example the Guardia Civil's Cybercrime Unit.

What does the recovery process look like?

Recovery follows a strict order. First, eradicate the threat (identify the entry vector, remove the malware and any persistence, close the breach); restoring before this step just hands the attacker the rebuilt systems. Second, restore from clean backups, verifying that the copies predate the compromise and are not themselves infected. Third, validate that the restored systems work correctly. Fourth, restore access in a controlled way, resetting the credentials of every account, privileged and service accounts included, since the attacker held them. And fifth, monitor intensively during the following weeks to detect any reinfection.

Cyber-risk insurance as a complement

Cyber-risk insurance does not prevent attacks, but it can cover the incident response costs (forensics, legal, communication), the loss of income during the business interruption, the claims of affected third parties and, in some cases, regulatory penalties.

The cost of cyber-risk insurance for an SME ranges between 500 and 3,000 euros a year, depending on the sector, the size and the security measures in place. Insurers increasingly require more security measures as a condition of the policy (MFA, immutable backup, EDR/MDR, response plan, training), which creates a virtuous circle.

Anonymized real-world case: a private clinic · ransomware attack, April 2025

A mid-sized Spanish private clinic (40 employees, 3 physicians, 1 outpatient operating room, ~120 patients/day, specially protected data under Article 9 of the GDPR) suffered a double-extortion ransomware attack in April 2025. Entry vector: the medical director's VPN credentials leaked in a breach of a third-party SaaS service (with no MFA on the VPN), later confirmed by forensic analysis.

Timeline:

Documented total cost: 80,000 € (forensic response 18,000 € + infrastructure reconstruction 28,000 € + legal and AEPD advice 6,000 € + 6 days of lost billing 22,000 € + patient communication 6,000 €). The ransom was NOT paid. An AEPD penalty is pending (health data, Article 9 of the GDPR): the case is ongoing.

Post-incident plan executed over 6 months (an additional 45,000 €): implementation of ISO 27001 + ISO 22301 (business continuity) + ENS Medium (as a supplier to mutual insurers that require ENS), EDR/MDR on 28 endpoints, immutable Veeam backup + a quarterly offline copy in a physical safe, mandatory MFA on the VPN and all external access, network segmentation into 4 VLANs, a documented response plan and a half-yearly tabletop drill. In the 12 months after implementation: 0 incidents, the cyber-insurance premium cut from 4,500 to 1,800 euros/year, and patient trust restored through transparent communication.

Mini glossary of ransomware

Do you want to assess your level of protection against ransomware? Let's talk about a vulnerability diagnosis that identifies the gaps in your defenses before an attacker finds them.

Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalization for SMEs, based in Aranda de Duero (Burgos).