Sophos
Session Title: Ransomware Response: Should Companies Pay or Fight Back?
A Binary Choice Between Data Recovery or Payment? How Should We Combat Ransomware?

Yusuke Nishino, CISSP
Senior Sales Engineer
Sophos Ltd.
Cybercrime has become fully industrialized, with an increasing division of labor between the development and execution of ransomware attacks. Sophos’s Yusuke Nishino sounded the alarm, noting that “attackers are increasingly extorting victims solely through data theft, even without encrypting users’ data.”
Cases involving the destruction of backups are particularly severe. Attackers are targeting shadow copies and backup servers, shattering the traditional assumption that backups guarantee security. According to a 2025 survey by Sophos, only 49% of companies were able to recover their data by paying a ransom, while only 54% were able to recover their data from backups.
Paying a ransom invites follow-up attacks and can risk violating the Foreign Exchange and Foreign Trade Act, while also delaying identification of the point of compromise. On the other hand, although data recovery requires time and cost, it allows organizations to reinforce their security through root cause analysis and permanent countermeasures. “Only companies that choose recovery can turn a painful experience into a learning opportunity. However, advance preparation is critical,” Nishino emphasized.
So what countermeasures are effective? Nishino explained, “The basics are asset inventory and vulnerability management. External-facing systems must be prioritized for patch application. Multifactor authentication and privileged ID management are also critical. For threat detection, endpoint detection and response alone is insufficient. Extended detection and response (XDR), which provides cross-domain monitoring across networks and the cloud, and managed detection and response (MDR), which provides 24/7 containment, are also vital.”
However, implementing these measures solely in-house is difficult. Sophos acquired Secureworks to establish a framework that enables it to provide comprehensive solutions from products to monitoring and response. The company offers Taegis XDR or Taegis MDR for large companies and Sophos MDR for medium-sized companies, creating a platform for companies of all sizes to handle security threats. Under its “Prevention First” philosophy, Sophos also offers CryptoGuard, a service that immediately reverses abnormal encryption, and provides a warranty that covers up to one million dollars. Nishino concluded his presentation by emphasizing that “the most important point is to put the necessary preparations in place before you are forced to choose between recovery and payment.”
