
Ransomware 2026: Current Trends and Concrete Protection Measures


Ransomware isn’t the worst cyber risk for SMBs and the mid-market — it’s just the most expensive. A targeted data loss without ransom demand can be equally existential. But ransomware incidents have one property that makes them especially visible in our industry: they typically force the victim into a crisis decision within hours, with consequences that play out over months.

This article frames the situation in 2026, describes the three dominant attack patterns, and walks through a seven-layer protection model that we at DATAZONE find pragmatically enforceable in the mid-market — without each layer eating a separate security budget.

Important caveat: we deliberately avoid fabricated statistics in this article. Where we refer to threat conditions, we point to the annual reports of the German BSI and to publicly readable vendor reports from CrowdStrike, Mandiant, Microsoft, and Sophos. Concrete percentages and loss figures can be found there — we deliberately avoid marketing numbers without verifiable sources.

Three Attack Patterns That Dominate 2026

1. Big Game Hunting

Attacks target larger, payment-capable organizations — typically mid-market to enterprise — where a high ransom is realistic. Victim selection isn’t random: attackers research revenue size, insurance status, IT maturity. Initial access often comes via compromised VPN credentials, unpatched edge devices (firewalls, VPN gateways), phishing with MFA fatigue, or via initial-access brokers selling existing footholds.

For SMBs this means: even if you consider yourself “too small”, you can be a target — especially if you’re part of a supply chain to a larger company (supply-chain attack).

2. Double Extortion

The “classic” pattern of pure encryption was overtaken long ago: attackers steal data before they encrypt. The double-extortion demand reads: “Pay, or we don’t decrypt — and we publish the stolen data too.”

Practical consequence: a perfectly working backup prevents data loss, but not the data leak. Anyone who in 2026 still believes a good backup plan is enough is missing this part. The damage question shifts from “Can we get the data back?” to “Which data is allowed to be published where?”. GDPR notification duties, customer communications, reputational damage — all of these arise even if technical operations are back up the next day.

3. Data-Theft-Only

A growing variant: attackers skip encryption entirely and threaten only publication of stolen data. Attacker-side advantage: fewer detection triggers (no encryption I/O setting off EDR systems), no recovery pressure on the victim — but the extortion threat remains.

For defenders this means: detection of exfiltration becomes at least as important as detection of encryption. Egress anomalies (unusual amounts of data leaving), DNS tunneling, and outbound TLS to unknown hosts belong in monitoring.
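As an added illustration of the egress monitoring described above (this is example code written for this page, not a DATAZONE tool): a small detector that builds a per-host outbound-volume baseline from flow records and flags two things, a day whose outbound volume is far above the host's own median and an outbound TLS connection to a destination the host has never contacted during the baseline window. The hosts, IP addresses (TEST-NET ranges) and byte counts are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Added example, not from the DATAZONE article: flag egress that looks like
exfiltration in per-flow records. Hosts, IPs and byte counts are constructed."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, source host, destination IP, dst port, bytes out).
SAMPLE_FLOWS = [
    ("2026-01-01", "ws-017", "203.0.113.5", 443, 120_000),
    ("2026-01-01", "ws-017", "198.51.100.1", 443, 80_000),
    ("2026-01-02", "ws-017", "203.0.113.5", 443, 150_000),
    ("2026-01-02", "ws-017", "198.51.100.1", 443, 60_000),
    ("2026-01-02", "ws-042", "203.0.113.5", 443, 50_000),
    ("2026-01-03", "ws-017", "203.0.113.5", 443, 110_000),
    ("2026-01-03", "ws-017", "198.51.100.1", 443, 90_000),
    ("2026-01-04", "ws-017", "203.0.113.5", 443, 130_000),
    ("2026-01-04", "ws-017", "198.51.100.1", 443, 70_000),
    # Day 5: ws-017 pushes ~4 GB over TLS to a host it has never talked to before.
    ("2026-01-05", "ws-017", "203.0.113.5", 443, 100_000),
    ("2026-01-05", "ws-017", "192.0.2.9", 443, 4_000_000_000),
    ("2026-01-05", "ws-042", "203.0.113.5", 443, 90_000),
]
# Days that form the "normal" baseline (assumption: four quiet days).
BASELINE_DAYS = {"2026-01-01", "2026-01-02", "2026-01-03", "2026-01-04"}


def daily_egress(flows):
    """Return {host: {day: bytes}} summed over all destinations."""
    per_host = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, _port, nbytes in flows:
        per_host[host][day] += nbytes
    return per_host


def known_destinations(flows, baseline_days):
    """Destinations each host contacted during the baseline window."""
    seen = defaultdict(set)
    for day, host, dst, _port, _nbytes in flows:
        if day in baseline_days:
            seen[host].add(dst)
    return seen


def detect_egress_anomalies(flows, baseline_days, factor=10, min_bytes=1_000_000_000):
    """Return findings as (host, day, kind, detail) tuples.

    A volume finding fires when a non-baseline day exceeds both `factor` times
    the host's baseline median and the absolute floor `min_bytes`; the floor
    stops a host with a near-zero baseline from alarming on "10x of nothing".
    A new-tls-destination finding fires for port-443 traffic to an address the
    host never used in the baseline (a host with no baseline at all gets every
    destination flagged, which is the intended behaviour for an unknown device).
    """
    per_host = daily_egress(flows)
    seen = known_destinations(flows, baseline_days)
    findings = []
    for host, days in per_host.items():
        baseline = [b for d, b in days.items() if d in baseline_days]
        if not baseline:
            continue  # no history: volume cannot be judged for this host
        threshold = max(factor * median(baseline), min_bytes)
        for day, total in days.items():
            if day not in baseline_days and total >= threshold:
                findings.append((host, day, "volume", total))
    for day, host, dst, port, _nbytes in flows:
        if day not in baseline_days and port == 443 and dst not in seen.get(host, set()):
            findings.append((host, day, "new-tls-destination", dst))
    return findings


if __name__ == "__main__":
    for finding in detect_egress_anomalies(SAMPLE_FLOWS, BASELINE_DAYS):
        print(finding)
```

In production the baseline would come from firewall or NetFlow exports over weeks rather than four days, and the new-destination check is usually paired with a threat-intelligence or reputation lookup; the point here is that both signals are computable from data an OPNsense or comparable firewall already has.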

The Seven-Layer Protection Model

None of the following points are new. What matters is the combined effect: a defender who covers five of seven layers well is significantly harder to compromise than a target with two perfect and five forgotten layers.

Layer 1: Patch Management

Initial access often comes via unpatched edge devices and via Microsoft Exchange / Outlook CVEs. Concretely, “good patch management” for us means:

  • Internet-exposed systems first (firewalls, VPN gateways, reverse proxies): patch window ≤ 7 days after critical CVE publication
  • Servers and hypervisors: monthly maintenance cycle with test stage
  • Workstations: automatic patching via WSUS, Intune, or comparable RMM
  • Third-party software (Acrobat, Java, browsers): checked at every login, not annually

An RMM tool such as Tactical-RMM, ConnectWise, or N-able delivers reporting; without reporting, patch management cannot be proven — and is worthless in an insurance audit.

Layer 2: Multi-Factor Authentication (MFA)

MFA for all privileged access is no longer negotiable in 2026:

  • VPN login and remote desktop gateways: MFA mandatory
  • Microsoft 365 and Azure admin accounts: FIDO2 hardware keys, not SMS
  • TrueNAS, Proxmox, OPNsense admin access: enable MFA (available on all three systems without plugins)
  • Local domain-admin accounts: just-in-time activation, not active 365 days a year

Important: MFA fatigue (push-bombing a user until they tap “accept” out of exhaustion) is a real threat. Number-matching in Microsoft Authenticator and passkey-based methods reduce it.

Layer 3: Endpoint Detection & Response (EDR)

Antivirus is no longer enough in 2026. What we recommend:

  • EDR on every endpoint and server — Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, or comparable
  • Central monitoring with 24/7 readiness (in-house or managed detection & response)
  • Behavioural rules rather than purely signature-based detection — ransomware encryption behaviour has been well described for years and can be blocked by behaviour

Without monitoring on the EDR console, EDR is an expensive logger. If you can’t run a 24/7 SOC, buy an MDR service — the hourly cost of an incident almost always exceeds the annual cost of MDR licences.

Layer 4: Network Segmentation

Flat networks are a gift to any attacker who has taken over the first host. Concrete segmentation:

Zone            Contents                            Reachable from outside
Server VLAN     Hypervisors, DCs, file services     None directly
Client VLAN     Workstations, printers              None directly
OT / IoT VLAN   Machines, printers, IP cameras      None directly
DMZ             Web servers, mail servers           Inbound, filtered
Guest Wi-Fi     External devices                    Internet only
Admin network   Management interfaces               VPN + MFA + jump host

OPNsense or a comparable firewall with inter-VLAN routing rules makes this enforceable. Important: the server VLAN must not be able to reach the admin network — otherwise tier-0 protection is moot.

Layer 5: Air-Gap or Offline Backups

The “3-2-1-1-0” rule is the 2026 minimum standard:

  • 3 copies of the data
  • 2 different media (disk + tape, or disk + object storage)
  • 1 copy offsite
  • 1 copy offline / immutable / air-gapped
  • 0 errors on the last tested restore

Concretely, air-gapped means: the backup medium is, at the moment of an attack, unreachable to the attacker — be it a tape library with auto-eject, a logically separated backup VLAN with its own credentials, or a cloud backup with object lock.
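To make the 3-2-1-1-0 rule checkable rather than aspirational, here is an added example (written for this page, not DATAZONE's own tooling) that evaluates a backup inventory against each of the five requirements and lists every violation. The inventories are constructed; the convention that the production copy counts as one of the three copies and is exempt from the restore-test requirement is an assumption stated in the code.

```python
"""Added example, not from the DATAZONE article: check a backup inventory
against the 3-2-1-1-0 rule. Inventories below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                    # e.g. "disk", "tape", "object-storage"
    offsite: bool                  # stored at another site or in a cloud region
    offline: bool                  # air-gapped, ejected tape or object-locked
    restore_errors: Optional[int]  # errors on the last test restore; None = never tested
    production: bool = False       # assumption: production data counts as copy 1


def check_3_2_1_1_0(copies: List[BackupCopy]) -> List[str]:
    """Return a list of rule violations; an empty list means compliant."""
    problems = []
    # 3 copies (production included by the convention above)
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    # 2 different media
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append(f"only one medium ({', '.join(sorted(media))}), need 2")
    # 1 copy offsite
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    # 1 copy offline / immutable / air-gapped
    if not any(c.offline for c in copies):
        problems.append("no offline or immutable copy")
    # 0 errors on the last tested restore, for every backup copy
    for c in copies:
        if c.production:
            continue
        if c.restore_errors is None:
            problems.append(f"{c.name}: never test-restored")
        elif c.restore_errors > 0:
            problems.append(f"{c.name}: {c.restore_errors} errors on last restore test")
    return problems


# Constructed inventory that satisfies the rule: production + local PBS + offsite tape.
GOOD_INVENTORY = [
    BackupCopy("prod-truenas", "disk", offsite=False, offline=False, restore_errors=None, production=True),
    BackupCopy("pbs-local", "disk", offsite=False, offline=False, restore_errors=0),
    BackupCopy("tape-offsite", "tape", offsite=True, offline=True, restore_errors=0),
]

# Constructed inventory that fails on every count: production + one untested NAS copy.
BAD_INVENTORY = [
    BackupCopy("prod-truenas", "disk", offsite=False, offline=False, restore_errors=None, production=True),
    BackupCopy("nas-copy", "disk", offsite=False, offline=False, restore_errors=None),
]

# Constructed inventory whose only defect is a failed restore test on the tape copy.
TAPE_FAILED = [
    GOOD_INVENTORY[0],
    GOOD_INVENTORY[1],
    BackupCopy("tape-offsite", "tape", offsite=True, offline=True, restore_errors=2),
]


if __name__ == "__main__":
    for label, inv in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY), ("tape", TAPE_FAILED)):
        print(label, check_3_2_1_1_0(inv) or "compliant")
```

The last check is the one most often skipped: a copy whose restore was never exercised carries `None`, and the checker treats that as a violation rather than as "no errors".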

Layer 6: Immutable Snapshots (ZFS Snapshots)

This layer solves a specific problem: even if the attacker compromises the backup system, they cannot overwrite the snapshots. ZFS snapshots are read-only by default — once created, they cannot be modified, only deleted. If the deletion right is administratively restricted, the snapshots survive even a compromised backup admin.

On TrueNAS this means:

  • Snapshot tasks with long retention plans (e.g., 30 daily, 12 weekly, 12 monthly)
  • Snapshot hold on particularly important snapshots — prevents deletion even by admin
  • Replication into a second dataset on a second TrueNAS system to which the source system has no write access back (one-way replication, separate credentials)
  • Audit logging of all snapshot operations — deletion events stand out

In combination with Proxmox Backup Server, which also offers prune protection and verify jobs, you build a storage layer that survives a compromised hypervisor.
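To show how the long retention plan and the snapshot hold from the list above interact, here is an added example (written for this page, not TrueNAS or DATAZONE code) that plans a 30-daily / 12-weekly / 12-monthly retention over a constructed set of daily snapshots and never schedules a held snapshot for pruning. The dataset name, snapshot naming scheme and the choice of "first snapshot of the ISO week / month" as the weekly and monthly representative are assumptions.

```python
"""Added example, not from the DATAZONE article: plan snapshot retention with
daily/weekly/monthly tiers while respecting zfs holds. Snapshot list is constructed."""
from datetime import date, timedelta

# Constructed: one daily snapshot per day for 400 days ending 2026-01-31.
END = date(2026, 1, 31)
SAMPLE_SNAPSHOTS = [
    (f"tank/data@auto-{(END - timedelta(days=i)).isoformat()}", END - timedelta(days=i))
    for i in range(400)
]
# Constructed: one snapshot carrying a zfs hold (e.g. a pre-migration state).
HOLDS = {"tank/data@auto-2025-03-15"}


def plan_retention(snapshots, holds, daily=30, weekly=12, monthly=12):
    """Return (keep, prune) as sorted lists of snapshot names.

    keep  = the newest `daily` snapshots
          + the first snapshot of each of the newest `weekly` ISO weeks
          + the first snapshot of each of the newest `monthly` calendar months
          + every held snapshot (a hold blocks `zfs destroy` anyway, so it must
            never appear in the prune list)
    prune = everything else.
    """
    by_date = sorted(snapshots, key=lambda s: s[1])
    keep = set(holds)

    # Daily tier: newest N snapshots.
    keep.update(name for name, _ in by_date[-daily:])

    # Weekly tier: first snapshot in each ISO week; dict keeps insertion order,
    # which follows the date sort, so the last entries are the newest weeks.
    weekly_buckets = {}
    for name, d in by_date:
        iso = d.isocalendar()
        weekly_buckets.setdefault((iso[0], iso[1]), name)
    keep.update(list(weekly_buckets.values())[-weekly:])

    # Monthly tier: first snapshot in each calendar month.
    monthly_buckets = {}
    for name, d in by_date:
        monthly_buckets.setdefault((d.year, d.month), name)
    keep.update(list(monthly_buckets.values())[-monthly:])

    prune = [name for name, _ in by_date if name not in keep]
    return sorted(keep), prune


if __name__ == "__main__":
    keep, prune = plan_retention(SAMPLE_SNAPSHOTS, HOLDS)
    print(f"keep {len(keep)}, prune {len(prune)}")
    print("held and kept:", sorted(HOLDS & set(keep)))
```

On a real system the `keep` set is what a `zfs hold` tag or the TrueNAS retention setting protects, and the `prune` list is what a scheduled task would feed to `zfs destroy`; running the planner first and logging its output gives you the audit trail the list above asks for, because a deletion that is not in the planned prune list is then immediately visible.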

Layer 7: Incident-Response Plan

The first two hours of a ransomware incident determine weeks of follow-up cost. An IR plan answers the questions that can’t be thought through clearly under pressure:

  • Who decides? (Crisis team named, deputies defined)
  • Who calls whom? (Insurance, police / national CERT, external IR provider)
  • Which systems do we isolate first? (Domain controllers, backup servers, OT networks)
  • When do we pull the plug? (Criteria for “full network disconnect”)
  • How do we communicate when email is dead? (Out-of-band channel — Signal group, phone list)
  • What data must we not destroy? (Forensically relevant logs, memory dumps)

We recommend running the plan through a tabletop exercise at least annually — 90 minutes with management, IT lead, DPO, and external provider.

How the Layers Work Together

A typical 2026 attack chain looks like:

  1. Phishing email with MFA fatigue or initial access via unpatched VPN gateway (layers 1, 2)
  2. Lateral movement in the server VLAN, often via Active Directory weaknesses (layers 3, 4)
  3. Data exfiltration over several days or weeks, often quietly (layer 3)
  4. Encryption of large volumes, often at night or on weekends (layers 3, 5, 6)
  5. Ransom demand with double-extortion threat (layer 7)

A defender with clean layers 1 and 2 avoids step 1. With layers 3 and 4, they detect and interrupt steps 2 and 3. With layers 5 and 6, they survive step 4 with manageable data loss. With layer 7, they avoid the six-week downtime.

No one masters all seven layers perfectly. But each added layer reduces risk noticeably.

What We Recommend at DATAZONE

For a typical mid-market environment (50–500 employees, one to three sites) the concrete action list is:

  1. Patch reporting via RMM — visible compliance rate, monthly review
  2. MFA everywhere — FIDO2 for admins, authenticator app for end users
  3. EDR + MDR service — if no in-house SOC exists
  4. OPNsense with VLAN separation and logged cross-zone rules
  5. TrueNAS with snapshot schedules + replication to a second system with its own admin
  6. Proxmox Backup Server with air-gap tape or object-lock cloud
  7. IR plan with annual tabletop exercise — not in a drawer, but documented and practised


Conclusion

In 2026, ransomware is not a single technical problem but a process problem with technical components. The protective measures have been known for years — what changes is the speed at which individual weaknesses are exploited, and the fact that data is stolen before it is encrypted. Taking the seven layers seriously won’t get you to “absolute security” — but it gets you significantly closer to the “no worthwhile target” category. And in the big-game-hunting model, that is the most effective defence.
