Critical Infrastructure Is Under Siege. What It Means For Every IT Team

If you are responsible for keeping systems running, the recent ransomware headlines can feel personal. One day it is a pipeline or a hospital in the news. The next day it is a manufacturer, a state agency, or a financial institution. Behind every incident there are teams working long hours, trying to bring services back online while customers, patients, and citizens wait.

From January through September 2025, researchers recorded 4,701 ransomware incidents worldwide, up from 3,219 in the same period last year. That is a 34 percent jump in less than twelve months. Roughly half of those attacks hit critical industries such as manufacturing, healthcare, energy, transportation, and finance. The United States now accounts for about half of all known ransomware attacks, with a sharp increase year over year.

These are not only big enterprise or national security problems. They are resilience problems for organizations of every size that support these industries or depend on them.

The new ransomware map: critical sectors in the crosshairs

Across recent reports, the pattern is consistent.

Ransomware operators are zeroing in on sectors where disruption hurts the most: manufacturing, healthcare, business services, energy, transportation, and financial services. In some industries, like oil and gas, attack volumes have grown dramatically in a single year.

Analysts tracking thousands of incidents in 2025 highlight that more than half of recorded attacks hit critical infrastructure and adjacent services. Other research shows manufacturing and business services at the top of the target list, with healthcare steadily rising as well.

In the United States, the FBI’s Internet Crime Complaint Center continues to list ransomware as one of the most significant cyber threats to critical infrastructure operators. Complaints related to attacks on critical manufacturing, healthcare, government facilities, financial services, and information technology rose again year over year, and these sectors now make up a large share of total ransomware reports.

Attackers are drawn to organizations whose downtime affects public safety, supply chains, or financial stability. If your organization provides services, components, or expertise into those ecosystems, you are part of that picture , whether you are a global enterprise or a regional firm with a small IT team.

Why organizations of all sizes should care

The Verizon Data Breach Investigations Report helps explain how this plays out in everyday environments.

Within complex attacks that involve malware, lateral movement, and often encryption or extortion, ransomware appears in the majority of cases. For smaller and mid sized organizations, the numbers are even more stark. They experience proportionally more ransomware when a breach does occur, because attackers see them as easier to compromise and valuable in supply chains.

For many organizations, risk now runs in two directions:

• You can be targeted directly because your operations are essential in a larger ecosystem.
• You can be targeted as a path into a larger organization you serve or partner with.

This is why ransomware can no longer be treated as something that only happens to household names. Any organization that depends on digital services, connects to partners, or holds sensitive data is part of the threat landscape.

The goal is not to create fear. The goal is to acknowledge the reality clearly so you can make calm, informed decisions about how to protect your business and the people who rely on you.

Ransomware tactics are evolving fast

The way attackers operate is changing.

Recent research shows a significant increase in “public extortion,” where victims are named on data leak sites and pressured to pay to prevent disclosure of stolen information. At the same time, the volume of data taken by top groups has climbed sharply, with many terabytes of sensitive information exfiltrated in the last year.

More groups are also experimenting with pure data theft and extortion, sometimes skipping encryption entirely. This method can be faster, less noisy, and just as damaging, especially in regulated industries where exposure drives legal, contractual, and reputational consequences.

For IT and security teams, this means the impact of an incident is no longer limited to whether you can restore systems quickly. You also need to plan for the possibility that confidential data has already left your environment before anyone sees an alert.

What this means for your backup and recovery strategy

Given this landscape, simply having backups in place is not enough. Every organization, from small teams to large enterprises, should revisit backup and disaster recovery with a few assumptions in mind:

• An incident is likely at some point, even for well run environments.
• Attackers will look for backups and try to corrupt, encrypt, or delete them.
• Data theft may take place long before any visible disruption.

The good news is that there are practical steps you can take.

Design RPO and RTO around business services, not servers

Begin with the services that matter most to your customers, patients, or users. Identify the applications, data, and infrastructure that support each of those services. Use that understanding to set realistic recovery time objectives (RTO) and recovery point objectives (RPO) that reflect business impact instead of convenience.

This exercise is about clarity. When an incident happens, your team should already know which systems come first and what “good enough” recovery looks like for each one.

Implement the 3-2-1 rule with immutability and isolation

Strengthen your backup posture by following the 3-2-1 principle: three copies of your data, across two different media types, with at least one copy offsite. For modern ransomware, add two more ideas: immutability and isolation.

• Use immutable storage for critical backups so recovery points cannot be altered for a defined period.
• Separate backup credentials and management from general administration accounts.
• Keep at least one backup copy in a different security domain or location so an attacker has a much harder time reaching everything at once.

Segment backup and recovery infrastructure

Treat your backup and recovery systems as crown jewels rather than background utilities.

Limit who can administer backup platforms, storage, and replication. Segment these systems on the network, and require strong authentication for any privileged access. Avoid shared accounts where possible. Clear ownership and segmentation reduce the chance that a single compromised credential gives an attacker control over your safety net.

Plan for data extortion scenarios

Because so many modern attacks involve data theft, your plans should address more than service restoration.

Work with legal, compliance, and communications teams to define in advance how your organization will respond if sensitive data is exposed. That plan might include regulatory notifications, customer communications, and enhanced monitoring for misuse of leaked information. When these expectations are discussed early, your team can act more confidently if the worst happens.

Test restores and full recovery regularly

Tabletop exercises and live recovery tests are some of the most compassionate investments you can make in your future self and your team.

Regular practice helps you confirm that backups are usable, runbooks are clear, and responsibilities are understood. It also reveals gaps that are much easier to fix on a quiet day than during a crisis.

How CyberFortress supports ransomware resilience

At CyberFortress, we believe backup and recovery are about more than storage. They are about protecting people, livelihoods, and the trust your organization has earned.

Backup as a Service (BaaS)

CyberFortress BaaS helps you put a strong 3-2-1 strategy into practice, with offsite, immutable copies that are segmented from production systems. This approach makes it far more difficult for ransomware to encrypt or erase the backups you rely on when every minute counts.

Disaster Recovery as a Service (DRaaS)

With DRaaS, you can define and orchestrate failover for your most important workloads. Recovery plans align with your RTOs and business priorities, so you can bring essential services back online in a controlled, predictable way whether you operate a single site or a global environment.

Backup Recovery as a Service (BRaaS)

BRaaS focuses on planning, documentation, and testing. The CyberFortress team works with you to map dependencies, capture runbooks, and rehearse recovery. The goal is simple: no one should have to invent a strategy in the middle of an incident.

Ransomware is hitting critical infrastructure harder than ever, and the blast radius now includes organizations of every size. By strengthening backup and disaster recovery today, you give your organization something invaluable: the confidence that when a difficult day arrives, you will have a clear path to recovery and a partner walking that path with you. Talk to a cyber defense expert at CyberFortress to get started.