Ransomware attacks have evolved dramatically. In 2025, threat actors are no longer just encrypting data — they are exfiltrating it, threatening public disclosure, targeting supply chains, and launching coordinated attacks against critical infrastructure. The energy sector is among their primary targets.
Having led ransomware preparedness programmes across 20+ countries at ENGIE, I have seen firsthand what works, what fails, and what most organisations dangerously overlook.
The New Threat Landscape
Ransomware attacks increased by approximately 70% in 2024, with average ransom demands exceeding $2 million per incident. But the financial demand is rarely the largest cost. Downtime, reputational damage, regulatory fines under GDPR and NIS2, and the long-tail cost of forensic investigation often dwarf the ransom itself.
Three shifts define the 2025 threat environment:
- Double extortion — attackers encrypt and exfiltrate data, threatening to publish it if the ransom is not paid.
- Supply chain attacks — compromising a trusted vendor to reach multiple downstream targets simultaneously.
- OT/ICS targeting — operational technology systems (SCADA, DCS) in energy, utilities, and manufacturing are now active targets, not just IT systems.
Five Strategies That Actually Work
1. Zero Trust Architecture — Assume Breach
Zero Trust is not a product. It is a philosophy: never trust, always verify. Every user, device, and network flow must be authenticated and authorised, regardless of whether it originates inside or outside your perimeter. Implementing microsegmentation limits the blast radius when — not if — an attacker gains a foothold.
2. Immutable, Offline Backups
The most reliable ransomware recovery tool remains a clean, tested, offline backup. Immutable backups — copies held on write-once storage (object lock, WORM media, or a physically offline set) that cannot be modified or deleted before their retention period expires, even by an attacker holding backup-administrator credentials — are your last line of defence. Immutability must cover the backup catalogue and integrity manifests as well as the data, otherwise an attacker can quietly replace the archive and the record of what it should contain. Test your restore procedures quarterly, end to end, by restoring to isolated systems and checking the result against known-good checksums. A backup you have never restored is a backup you cannot trust.
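The restore test described above, as an added example that is not part of the original article or of any vendor product: a backup job writes an archive and a separate SHA-256 manifest; a test restore extracts the archive into a scratch directory and diffs every file against the manifest. The sample files, paths and the "attacker re-runs the backup over encrypted data" scenario are constructed for illustration; in production the manifest would live in an object-locked bucket or an offline copy that the backup administrator cannot rewrite.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: Path, archive: Path, manifest: Path) -> dict:
    """Archive source_dir and write a manifest mapping relative path -> SHA-256.

    The manifest must be stored where the backup admin cannot rewrite it
    (object lock, WORM share, offline copy); otherwise an attacker with admin
    credentials can re-encrypt the archive and regenerate matching hashes.
    """
    digests = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                digests[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(digests, indent=2, sort_keys=True))
    return digests


def restore_and_verify(archive: Path, manifest: Path, restore_dir: Path) -> dict:
    """Restore archive into restore_dir and diff the result against the manifest.

    Returns {"ok": bool, "missing": [...], "mismatched": [...], "unexpected": [...]}.
    """
    expected = json.loads(manifest.read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            # Refuse absolute paths and traversal so a hostile archive cannot
            # write outside restore_dir during the test restore.
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe member path in archive: {m.name}")
        tar.extractall(restore_dir)
    actual = {p.relative_to(restore_dir).as_posix(): sha256_file(p)
              for p in restore_dir.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    mismatched = sorted(k for k in expected.keys() & actual.keys()
                        if expected[k] != actual[k])
    return {"ok": not (missing or unexpected or mismatched),
            "missing": missing, "mismatched": mismatched, "unexpected": unexpected}


def demo() -> tuple:
    """Constructed scenario (not real site data): a clean backup restores and
    verifies; then ransomware encrypts a source file, the attacker re-runs the
    backup job over the same archive, and the untouched manifest exposes it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "config").mkdir(parents=True)
        (src / "config" / "scada.yaml").write_text("plc_01: 10.0.5.21\n")  # constructed
        (src / "readme.txt").write_text("site inventory\n")               # constructed

        archive, manifest = root / "backup.tgz", root / "manifest.json"
        make_backup(src, archive, manifest)
        clean = restore_and_verify(archive, manifest, root / "restore_clean")

        # Attacker with admin rights: encrypt a file, overwrite the (mutable)
        # archive, but cannot touch the separately stored manifest.
        (src / "config" / "scada.yaml").write_bytes(b"\x00ENCRYPTED\x00")
        with tarfile.open(archive, "w:gz") as tar:
            for p in sorted(src.rglob("*")):
                if p.is_file():
                    tar.add(p, arcname=p.relative_to(src).as_posix())
        tampered = restore_and_verify(archive, manifest, root / "restore_tampered")
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore ok:", clean["ok"])
    print("tampered restore ok:", tampered["ok"], "mismatched:", tampered["mismatched"])
```

The design point is the separation: the archive can sit on ordinary storage as long as the manifest (and the catalogue that points to the archive) is on storage nobody with day-to-day admin rights can alter. A quarterly test that only checks "the job succeeded" would have passed the tampered archive; the checksum diff is what turns a restore into a test.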
3. Privileged Access Management (PAM)
The majority of ransomware incidents involve compromised privileged credentials. Implementing PAM — vaulting admin credentials, enforcing just-in-time access, and recording privileged sessions — significantly reduces the attack surface. At ENGIE Africa, PAM implementation was one of the highest-return security investments we made.
4. Tabletop Exercises and Incident Response Plans
A plan that lives in a PDF is not a plan. Run quarterly tabletop exercises that force your leadership team — including the CEO and CFO, not just IT — to make real decisions under simulated pressure. Who authorises paying a ransom? Who notifies the data protection authority within 72 hours of becoming aware of a personal data breach, as GDPR Article 33 requires, and who files the NIS2 early warning, which is due within 24 hours? Who speaks to the press?
5. Cyber Insurance — Understand What You Actually Have
Cyber insurance policies have become significantly more restrictive since 2021. Before your next renewal, audit your policy carefully: what is excluded, what requires prior notification, and what controls must be in place for the policy to pay out. Many organisations discover coverage gaps only after an incident.
A Note on NIS2 Compliance
For European organisations — and, through group-level governance and supply chain requirements, African subsidiaries of European groups — NIS2 introduced mandatory incident reporting obligations (early warning within 24 hours, incident notification within 72 hours), board-level accountability for cybersecurity governance, and supply chain security requirements. Non-compliance carries administrative fines of up to €10M or 2% of global annual turnover, whichever is higher, for essential entities (up to €7M or 1.4% for important entities). Ransomware preparedness and NIS2 compliance are now inseparable.
What I Recommend as a Starting Point
If you are unsure where to begin, start with a gap assessment against the NIST Cybersecurity Framework or ISO 27001. It will surface your most critical exposures quickly and give you a prioritised remediation roadmap that you can present to your board with credibility.