Phila May, Executive GTM at inq. Digital.
Ransomware attacks are evolving rapidly, moving beyond the simple encryption of files to target the systems organisations rely on to recover from an attack. According to Phila May, Executive GTM at inq. Digital, this shift is forcing technology leaders to rethink how they approach resilience.
“Ransomware used to be about locking files and demanding payment for a decryption key,” says May. “Today, attackers are far more strategic. They often target identity systems, backup environments and sensitive data before deploying encryption. The goal is to remove an organisation’s ability to recover quickly.”
This evolution has turned ransomware into a broader business risk rather than just a technical incident. If attackers compromise identity platforms or disable backup systems, organisations can face operational disruption, regulatory exposure and the potential public release of stolen data.
“In many cases, the attackers no longer need to encrypt anything. If they can access sensitive information or disrupt the systems needed for recovery, they already have leverage.”
The changing nature of ransomware is also exposing weaknesses in how many organisations approach cyber resilience. Traditional security strategies often focus heavily on preventing attacks, but far less attention is paid to what happens when an attacker gains access.
“Prevention is important, but it cannot be the only line of defence. Modern security architecture assumes that breaches will happen at some point. The real question is how quickly you can detect the problem, contain it and recover,” adds May.
One area receiving increased attention is identity infrastructure. Attackers are increasingly targeting platforms such as Microsoft Entra ID because control of identity systems allows them to move across networks, disable protections or lock legitimate users out of critical services.
At the same time, backup systems have become a primary target. If attackers can delete or encrypt backups, organisations may be left with no practical way to restore operations.
“For many organisations, the decision about whether to pay a ransom ultimately comes down to recovery capability. If your backup environment is compromised or your recovery process has never been properly tested, the pressure to pay becomes much greater.”
To counter this, many enterprises are prioritising immutable backups and isolated recovery environments that compromised administrator accounts cannot alter. Cloud-based backup platforms and disaster recovery architectures are also playing a growing role in ensuring organisations can restore operations quickly after an incident.
According to May, testing recovery processes is just as important as implementing the technology itself.
“Backup systems are only valuable if you know they work when you need them. Organisations should regularly validate that they can restore critical systems and data within the timeframes their business requires.”
As ransomware groups continue to refine their tactics, resilience is becoming a key priority for CIOs and technology leaders.
“Ransomware resilience is not about a single tool or product,” May concludes. “It is about building an architecture that protects identities, safeguards backups and ensures the organisation can recover quickly. When recovery is reliable and proven, attackers lose the leverage that ransomware depends on."
