Imagine that on a Monday morning your team powers on their computers and, instead of the usual system, finds a note: your files are encrypted and you must pay to recover them. During 2019 this scene stopped being exceptional. Ransomware migrated from the home user toward hospitals, water utilities, municipal networks and critical-service companies, where an outage means not just inconvenience but lives, water, energy and the trust of thousands of citizens on the line. At SUMāTO we watch this trend closely, and we want to explain why it happens and, above all, how to defend against it.
In short: Ransomware has stopped chasing volume and now pursues impact: it targets organizations that cannot afford to be down. The entry vectors are well known and preventable (phishing, exposed RDP and unpatched vulnerabilities), and effective defense combines layered prevention with something many organizations neglect: a tested recovery capability that works when everything else fails.
The logic behind this shift is purely economic. Encrypting the device of a user who can pay a modest ransom generates limited income. Encrypting the network of an organization that delivers an essential service changes the equation entirely: when a critical system goes down, the pressure to restore it is enormous and the willingness to pay rises accordingly.
Critical services share characteristics that make them attractive targets:
The attacker does not need extreme sophistication; it is enough to find an organization with scattered defenses and a lot to lose. Understanding this calculation is the first step toward turning the logic in your favor.
The good news is that most attacks do not rely on exotic techniques. Three entry points account for the vast majority of intrusions, and all three are defensible.
Phishing. Malicious email remains the number one vector. A convincing message with an attachment or a link is enough for an employee, without malicious intent, to hand over credentials or execute code. The defense combines email filtering, continuous awareness and multi-factor authentication so that a stolen password is not enough on its own.
Exposed RDP. The Remote Desktop Protocol, when left accessible from the internet with weak passwords, is an open invitation. Attackers scan entire ranges looking for open ports and test credentials in an automated way. RDP should never be exposed directly: it must live behind a VPN, with MFA and restricted access.
Unpatched vulnerabilities. Many incidents exploit known flaws for which a fix already exists but has not been applied. The window between the release of a patch and its installation is precisely the period the attacker exploits.
There is no single tool that stops ransomware. The strategy that works is defense in depth: multiple controls that reinforce one another, so that if one fails, another contains the damage. A comprehensive cybersecurity approach is usually organized into these layers:
Each layer reduces the probability that an attack will succeed. Together, they turn an easy target into one that is costly to compromise.
Encryption is almost never the attacker's first step. Before it there is a period, sometimes of days or weeks, in which the intruder explores the network, escalates privileges and locates the most valuable data and backups. That interval is your best opportunity to stop them.
Detecting that activity requires visibility and continuous monitoring. A Security Operations Center (SOC) watches for signals that go unnoticed in an organization without dedicated oversight:
Detecting and responding during that reconnaissance phase can be the difference between a contained incident and a full-blown crisis.
Here is the point most organizations underestimate. No matter how solid your prevention is, you must assume an attack could succeed. When that happens, the only thing that determines whether you pay a ransom or restore operations on your own is the quality of your backups and, above all, your real ability to restore them.
The key word is tested. Having backups is not the same as being able to recover. Too many organizations discover, in the middle of a crisis, that their copies were incomplete, corrupted, or connected to the same network the ransomware encrypted. A reliable recovery scheme meets several requirements:
A well-designed disaster recovery and continuity strategy transforms ransomware from an existential catastrophe into a manageable setback. When you can restore with confidence, extortion loses its power.
Paying never guarantees that you will recover the data or that the attacker will not return, and it reinforces the ransomware business model. The sound alternative is to have tested backups that let you recover without negotiating. The decision, moreover, should be made with specialized advice and in light of the applicable legal framework.
No. Antivirus is a valuable layer, but modern ransomware evades many traditional solutions. Real protection comes from combining identity, network, endpoint, patching, continuous detection and recovery. No single tool covers every front.
Yes. Attackers automate the search for victims and often prefer targets with weak defenses, regardless of size. A small entity that delivers an essential service can be just as attractive as a large one, and usually has fewer resources to hold out.
Restore tests should be periodic, ideally quarterly, and repeated after any significant change to the infrastructure. A backup that has not been tested by restoring it cannot be considered reliable until it proves that it works.
Ransomware against critical services will not stop, because it will remain profitable as long as it finds vulnerable targets. The difference between being a victim and being a resilient organization lies not in luck but in preparation: layered prevention, early detection and a recovery capability you have tested and can trust.
Do not wait for an incident to discover the gaps. At SUMāTO we help organizations across LATAM assess their exposure, strengthen their defenses and build recovery capabilities that work on the day they matter most. Let's talk about how to protect your operation and take the first step today toward a security posture that does not depend on hope.