Insights

Ransomware on Critical Services: The Relentless Threat

Written by Andrés Lozada | Jul 9, 2026 7:23:39 PM

Imagine that on a Monday morning your team powers on their computers and, instead of the usual system, finds a note: your files are encrypted and you must pay to recover them. During 2019 this scene stopped being exceptional. Ransomware migrated from the home user toward hospitals, water utilities, municipal networks and critical-service companies, where an outage means not just inconvenience but lives, water, energy and the trust of thousands of citizens on the line. At SUMāTO we watch this trend closely, and we want to explain why it happens and, above all, how to defend against it.

In short: Ransomware has stopped chasing volume and now pursues impact: it targets organizations that cannot afford to be down. The entry vectors are well known and preventable (phishing, exposed RDP and unpatched vulnerabilities), and effective defense combines layered prevention with something many organizations neglect: a tested recovery capability that works when everything else fails.

Why ransomware migrated to high-impact targets

The logic behind this shift is purely economic. Encrypting the device of a user who can pay a modest ransom generates limited income. Encrypting the network of an organization that delivers an essential service changes the equation entirely: when a critical system goes down, the pressure to restore it is enormous and the willingness to pay rises accordingly.

Critical services share characteristics that make them attractive targets:

  • Low tolerance for downtime: every hour of inactivity carries operational, financial and, in some cases, human consequences.
  • Heterogeneous infrastructure: modern systems coexist with legacy technology that is hard to update.
  • Limited security resources: many entities operate with small teams facing broad attack surfaces.
  • Sensitive data: information on citizens, patients or customers that raises the value of extortion.

The attacker does not need extreme sophistication; it is enough to find an organization with scattered defenses and a lot to lose. Understanding this calculation is the first step toward turning the logic in your favor.

The most common entry vectors

The good news is that most attacks do not rely on exotic techniques. Three entry points account for the vast majority of intrusions, and all three are defensible.

Phishing. Malicious email remains the number one vector. A convincing message with an attachment or a link is enough for an employee, without malicious intent, to hand over credentials or execute code. The defense combines email filtering, continuous awareness and multi-factor authentication so that a stolen password is not enough on its own.

Exposed RDP. The Remote Desktop Protocol, when left accessible from the internet with weak passwords, is an open invitation. Attackers scan entire ranges looking for open ports and test credentials in an automated way. RDP should never be exposed directly: it must live behind a VPN, with MFA and restricted access.

Unpatched vulnerabilities. Many incidents exploit known flaws for which a fix already exists but has not been applied. The window between the release of a patch and its installation is precisely the period the attacker exploits.

Layered defense: no single barrier is enough

There is no single tool that stops ransomware. The strategy that works is defense in depth: multiple controls that reinforce one another, so that if one fails, another contains the damage. A comprehensive cybersecurity approach is usually organized into these layers:

  • Identity: multi-factor authentication on all access, strong passwords and the principle of least privilege.
  • Perimeter and network: segmentation so that a compromised device does not infect the entire organization, and elimination of unnecessary exposed services.
  • Endpoint: advanced protection capable of detecting anomalous behavior, not just known signatures.
  • Patching: a disciplined process to update operating systems and applications without delay.
  • People: recurring training, because an informed employee is a layer of defense, not a weak point.

Each layer reduces the probability that an attack will succeed. Together, they turn an easy target into one that is costly to compromise.

Early detection: seeing the attacker before encryption

Encryption is almost never the attacker's first step. Before it there is a period, sometimes of days or weeks, in which the intruder explores the network, escalates privileges and locates the most valuable data and backups. That interval is your best opportunity to stop them.

Detecting that activity requires visibility and continuous monitoring. A Security Operations Center (SOC) watches for signals that go unnoticed in an organization without dedicated oversight:

  • Access at unusual hours or from improbable locations.
  • Lateral movement between systems that normally do not communicate.
  • Attempts to disable security tools or delete backups.
  • Anomalous data transfers that may signal an impending double extortion.

Detecting and responding during that reconnaissance phase can be the difference between a contained incident and a full-blown crisis.

Why tested recovery is decisive

Here is the point most organizations underestimate. No matter how solid your prevention is, you must assume an attack could succeed. When that happens, the only thing that determines whether you pay a ransom or restore operations on your own is the quality of your backups and, above all, your real ability to restore them.

The key word is tested. Having backups is not the same as being able to recover. Too many organizations discover, in the middle of a crisis, that their copies were incomplete, corrupted, or connected to the same network the ransomware encrypted. A reliable recovery scheme meets several requirements:

  • Immutable, isolated copies: backups the attacker cannot reach or delete, offline or on storage that does not allow modification.
  • Periodic restore testing: real drills that verify the data comes back and the systems work.
  • Defined time objectives: knowing how long it will take to be operational again and how much data you could lose, before the incident occurs.
  • Documented plan: clear roles and rehearsed steps so that no one improvises under pressure.

A well-designed disaster recovery and continuity strategy transforms ransomware from an existential catastrophe into a manageable setback. When you can restore with confidence, extortion loses its power.

Frequently asked questions

Is it worth paying the ransom?

Paying never guarantees that you will recover the data or that the attacker will not return, and it reinforces the ransomware business model. The sound alternative is to have tested backups that let you recover without negotiating. The decision, moreover, should be made with specialized advice and in light of the applicable legal framework.

Is a good antivirus enough?

No. Antivirus is a valuable layer, but modern ransomware evades many traditional solutions. Real protection comes from combining identity, network, endpoint, patching, continuous detection and recovery. No single tool covers every front.

Are small organizations also at risk?

Yes. Attackers automate the search for victims and often prefer targets with weak defenses, regardless of size. A small entity that delivers an essential service can be just as attractive as a large one, and usually has fewer resources to hold out.

How often should we test our backups?

Restore tests should be periodic, ideally quarterly, and repeated after any significant change to the infrastructure. A backup that has not been tested by restoring it cannot be considered reliable until it proves that it works.

The first step

Ransomware against critical services will not stop, because it will remain profitable as long as it finds vulnerable targets. The difference between being a victim and being a resilient organization lies not in luck but in preparation: layered prevention, early detection and a recovery capability you have tested and can trust.

Do not wait for an incident to discover the gaps. At SUMāTO we help organizations across LATAM assess their exposure, strengthen their defenses and build recovery capabilities that work on the day they matter most. Let's talk about how to protect your operation and take the first step today toward a security posture that does not depend on hope.