Understanding & Defending Against Ransomware Attacks

What is Ransomware and How Does It Work?

The Unique Threat of Ransomware to SAP Environments

SAP systems are high-value targets for ransomware operators because they house mission-critical enterprise data, meaning successful encryption causes immediate operational paralysis and maximum financial leverage.

Because SAP applications serve as the central nervous system for modern enterprises, threat actors increasingly prioritize them in targeted ransomware campaigns. Securing these environments requires understanding their unique risk profile compared to standard IT infrastructure:

Maximum Financial Leverage

Double Extortion Risks:

Attackers routinely exfiltrate highly sensitive SAP data like intellectual property and financial records before encryption, threatening public leaks to enforce ransom demands.

Architectural Complexity:

The massive complexity of custom SAP code and proprietary protocols creates critical visibility gaps. Traditional IT security tools frequently miss application-layer threats, allowing attackers to deploy payloads undetected.

Patching Constraints:

Updating mission-critical SAP systems requires scheduled operational downtime, causing delayed patching cycles. Ransomware operators actively exploit these known vulnerability windows to gain initial access before fixes are applied.

The Different Types of Ransomware

The primary types of ransomware include encrypting malware, lockers, scareware, doxware, mobile ransomware, and Ransomware-as-a-Service (RaaS) models. Each uses a distinct operational method:

  • Encrypting malware: Encrypts files or data, making them inaccessible without a decryption key.
  • Lockers: Locks the computer or device entirely, preventing access to the hardware and its files.
  • Scareware: Displays fake warnings claiming the device is infected with a virus, prompting payment for fraudulent anti-virus software to remove the supposed threat.
  • Doxware: Threatens to publish sensitive information, such as personal files or confidential data, unless the ransom is paid.
  • Mobile ransomware: Targets smartphones or tablets to lock the device or encrypt its data.
  • Ransomware-as-a-Service (RaaS): Distributed through a network of affiliates who use pre-packaged ransomware kits to launch attacks in exchange for a percentage of the ransom payments.


Common Threat Vectors for Ransomware Infection

Common sources of ransomware infection include:

  • Internet-Facing Vulnerabilities and Misconfigurations
  • Phishing
  • Precursor Malware Infection
  • Third Parties and Managed Service Providers

Best Practices for Protecting Against Ransomware Attacks

Protecting enterprise networks against ransomware requires maintaining secure data backups, applying continuous software updates, enforcing access controls, and training employees.

Maintain frequent data backups on separate, offline or immutable storage or in a secure cloud environment, and test restoration regularly, so that data can be restored without paying a ransom.

Apply the latest security patches to operating systems, software, and applications to close known vulnerabilities.

Provide ongoing training on identifying and avoiding phishing emails and other social engineering attack vectors.

Enforce the principle of least privilege to limit access to sensitive data and deploy multi-factor authentication (MFA) to add an extra layer of security.

Protecting Business Critical Applications Against Ransomware

Defending business-critical applications against ransomware requires continuous vulnerability management, real-time threat detection, and pre-production code analysis.

Protecting the application layer serves as an essential component for securing SAP and Oracle applications against ransomware operators:

  • Vulnerability Management: Deploying Onapsis Assess provides automatic visibility into critical vulnerabilities, missing security updates, and misconfigurations to identify potential entry points. Closing these gaps systematically reduces the overall attack surface before threat actors can exploit them.
  • Continuous Monitoring: Utilizing Onapsis Defend delivers real-time alerts that monitor and flag unauthorized attempts to access critical SAP and Oracle systems. This continuous threat detection ensures security operations centers can isolate compromised accounts before ransomware payloads are deployed.
  • Code Analysis: Integrating Onapsis Control to scan custom code and transports prior to production release identifies embedded malware or structural vulnerabilities. Because organizations often maintain millions of lines of custom code, automated validation is required to prevent supply chain risks from reaching business-critical systems.

Developing a Ransomware Incident Response Plan

A structured ransomware incident response plan follows six critical phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

According to the SANS Institute, properly handling a security incident requires a systematic approach:

  • Preparation: Preparing for a security or ransomware incident begins with a review of existing processes, who within the organization should have access to information, and who needs to be involved should an incident occur.
  • Identification: Establishing how an incident will be detected and confirmed is the next step. This requires knowing your most valuable data, where it is located, and how you will operate should that data become inaccessible.
  • Containment: Planning how you will contain a security incident or ransomware attack, including how infected systems are isolated and how compromised access is revoked, so that it cannot spread further.
  • Eradication: Planning how your team will remove the ransomware and the attacker's persistence mechanisms from affected systems is another vital step in your incident response plan.
  • Recovery: If sensitive or proprietary data was lost or encrypted, this step restores it from clean backups and returns systems to normal operation, with monitoring in place to confirm the attacker no longer has access.
  • Lessons Learned: What part of this response plan worked? What didn't? This is the time to truly evaluate the effectiveness of your response plan and communication.


Steps Organizations Can Take in 2026 to be More Prepared for Ransomware

Organizations can enhance ransomware preparedness in 2026 by routinely testing incident response plans, prioritizing vulnerability patching, and mapping the complete attack surface.

  1. Review incident response plans and continuously evaluate their sufficiency against modern threats.
  2. Conduct tabletop exercises with organizational stakeholders at least once a year.
  3. Patch known exploited vulnerabilities and systematically address insecure misconfigurations.
  4. Establish full visibility over the organization’s attack surface to anticipate how threat actors might exploit existing weaknesses.

Steps Organizations Can Take in 2026 to Recover from a Ransomware Attack

Recovering from a ransomware attack requires immediately isolating infected systems, assessing the structural damage, restoring clean data from backups, and deploying additional security controls.

In the event an organization falls victim to a ransomware attack, the Cybersecurity and Infrastructure Security Agency (CISA) recommends the following high-level recovery steps:

  1. Isolate Infected Systems: Immediately disconnect infected systems from the network to prevent the ransomware from spreading to other systems.
  2. Assess the Damage: Determine which systems and data subsets are affected. Conduct a thorough investigation to identify the initial access vector and scope of the attack.
  3. Restore Data from Backups: Restore data from secure backups. Validate that the backups are clean and do not contain dormant malware.
  4. Implement Additional Security Measures: Deploy additional security controls, such as forcing password resets, updating software, and reinforcing access controls, to prevent immediate reinfection.
  5. Conduct a Post-Incident Review: Evaluate the effectiveness of the response, identify operational bottlenecks, and update the incident response plan to improve the overall security posture.
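Step 3 above says to validate that backups are clean before restoring from them. The following is an added example (not Onapsis code) of one way to do that check: compare each restore candidate against a SHA-256 manifest that was written and stored offline before the incident, and flag anything the manifest does not account for that carries ransomware residue (renamed extensions, ransom notes, high-entropy content). The file names, manifest, and backup contents are constructed in memory so the script runs stand-alone; the extension and ransom-note lists are illustrative assumptions, not a complete catalogue.

```python
"""Validate restore candidates against a pre-incident integrity manifest.

Added example, not Onapsis code. Assumes a SHA-256 manifest of the backup set
was written and stored offline before the incident. All file contents and
names below are constructed for the example.
"""
import hashlib
import math
from collections import Counter

# Constructed pre-incident backup set and the manifest derived from it.
GOOD_FILES = {
    "finance/ledger.csv": b"account,debit,credit\n1000,250.00,0.00\n2000,0.00,250.00\n",
    "hr/payroll.xml": b"<payroll><employee id='42' net='3100.00'/></payroll>\n",
}
MANIFEST = {path: hashlib.sha256(data).hexdigest() for path, data in GOOD_FILES.items()}

# Constructed restore candidate: one intact file, one encrypted in place,
# a dropped ransom note, and an unexplained high-entropy blob.
RESTORE_CANDIDATE = {
    "finance/ledger.csv": GOOD_FILES["finance/ledger.csv"],
    "hr/payroll.xml": b"\x8f\x11\xd4\x02\x91\xa7\x3c\xee\x5b\x70\x19\x8d\x44\xc2\xfa\x06",
    "hr/README_TO_RESTORE.txt": b"Your files are encrypted. Contact us to pay.\n",
    "finance/export_2024.dat": bytes(range(256)) * 2,  # stand-in for ciphertext
}

# Illustrative indicator lists (assumptions, not a complete catalogue).
SUSPICIOUS_EXTENSIONS = (".locked", ".crypt", ".encrypted", ".enc")
RANSOM_NOTE_HINTS = ("readme_to_restore", "how_to_decrypt", "recover_files")
ENTROPY_THRESHOLD = 7.5  # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; uniformly random bytes score 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def validate_backup(candidate: dict, manifest: dict) -> dict:
    """Check a restore candidate against the manifest.

    Returns which files match, which are missing, and which look like
    ransomware residue. 'clean' is True only when nothing is missing or suspect.
    """
    verified, missing, suspicious = [], [], []
    # Pass 1: every manifest entry must be present with the recorded hash.
    for path, expected in manifest.items():
        data = candidate.get(path)
        if data is None:
            missing.append(path)
        elif hashlib.sha256(data).hexdigest() == expected:
            verified.append(path)
        else:
            suspicious.append((path, "hash mismatch against pre-incident manifest"))
    # Pass 2: anything not in the manifest is unexplained; classify why.
    for path, data in candidate.items():
        if path in manifest:
            continue
        lower = path.lower()
        if lower.endswith(SUSPICIOUS_EXTENSIONS):
            suspicious.append((path, "ransomware-style extension"))
        elif any(hint in lower for hint in RANSOM_NOTE_HINTS):
            suspicious.append((path, "possible ransom note"))
        elif shannon_entropy(data) > ENTROPY_THRESHOLD:
            suspicious.append((path, "high-entropy content not in manifest"))
        else:
            suspicious.append((path, "file not in manifest"))
    return {
        "clean": not missing and not suspicious,
        "verified": verified,
        "missing": missing,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for path, reason in validate_backup(RESTORE_CANDIDATE, MANIFEST)["suspicious"]:
        print(f"SUSPECT {path}: {reason}")
```

The manifest is only as trustworthy as its storage: if it lived on the same file server that was encrypted, the attacker could have rewritten it, so keep it offline or in write-once storage alongside the backups. The entropy heuristic is a backstop for in-place encryption that leaves names untouched; it will also flag legitimately compressed or encrypted files, so treat it as a prompt for manual review rather than a verdict.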

Ready to eliminate your SAP cyber security blindspot?

Let us show you how simple it can be to protect your business applications.

Frequently Asked Questions

How does ransomware spread in enterprise networks?

Ransomware typically spreads through enterprise networks by exploiting unpatched software vulnerabilities, compromised credentials, and malicious email phishing campaigns. Once initial access is achieved, threat actors move laterally across the infrastructure, escalating to administrative privileges to reach mission-critical databases and deploy encryption payloads simultaneously across multiple systems.
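The simultaneous encryption phase described above is the noisiest moment of an attack: one account on one host renames or rewrites many files in seconds and usually drops a ransom note. The following added example (not Onapsis code or any product's detection logic) shows the detection logic a SOC would run over file-audit events to catch that burst. The log format, host names, and accounts are constructed for the example; real sources such as Windows event 4663, Sysmon file events, or Linux auditd carry the same fields under other names. The indicator lists and the 20-events-per-minute threshold are illustrative assumptions.

```python
"""Flag hosts showing mass-encryption behaviour in file audit events.

Added example, not Onapsis code. The log lines are constructed: a baseline of
ordinary activity, then a burst of renames to a ransomware-style extension
from one account, then a ransom note.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPICIOUS_EXTENSIONS = (".locked", ".crypt", ".encrypted", ".enc")
RANSOM_NOTE_HINTS = ("readme_to_restore", "how_to_decrypt", "recover_files")
WINDOW = timedelta(seconds=60)
THRESHOLD = 20  # suspicious renames from one (host, user) inside WINDOW

# Constructed audit log: "<ISO timestamp> <host> <user> <ACTION> <path>[ -> <new path>]"
BASELINE = [
    "2026-03-02T09:14:01Z fs01 svc_backup WRITE /data/finance/ledger.csv",
    "2026-03-02T09:14:05Z fs01 svc_backup WRITE /data/finance/ap_2025.xlsx",
    "2026-03-02T09:20:11Z app02 jdoe WRITE /home/jdoe/notes.txt",
    "2026-03-02T09:20:12Z app02 jdoe RENAME /home/jdoe/draft.docx -> /home/jdoe/final.docx",
]
BURST = [
    f"2026-03-02T09:31:{i:02d}Z app02 jdoe RENAME /home/jdoe/doc{i}.docx -> /home/jdoe/doc{i}.docx.locked"
    for i in range(25)
]
NOTE = ["2026-03-02T09:31:30Z app02 jdoe CREATE /home/jdoe/README_TO_RESTORE.txt"]
SAMPLE_LOG = "\n".join(BASELINE + BURST + NOTE)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|CREATE|RENAME|DELETE) (.+)$")


def parse_event(line: str):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, action, rest = m.groups()
    src, _, dst = rest.partition(" -> ")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "user": user, "action": action,
        "path": src, "target": dst or src,   # target is the new name for renames
    }


def looks_like_encryption(ev: dict) -> bool:
    return ev["action"] == "RENAME" and ev["target"].lower().endswith(SUSPICIOUS_EXTENSIONS)


def looks_like_ransom_note(ev: dict) -> bool:
    name = ev["target"].rsplit("/", 1)[-1].lower()
    return ev["action"] in ("CREATE", "WRITE") and any(h in name for h in RANSOM_NOTE_HINTS)


def detect(log_text: str) -> list:
    """Sliding 60-second window per (host, user); one burst alert per key, plus note alerts."""
    windows = defaultdict(deque)   # (host, user) -> timestamps of suspicious renames
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])
        if looks_like_ransom_note(ev):
            alerts.append({"key": key, "ts": ev["ts"], "reason": "ransom note dropped", "count": 1})
            continue
        if not looks_like_encryption(ev):
            continue
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) >= THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"key": key, "ts": ev["ts"],
                           "reason": "mass file modification burst", "count": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['key'][0]}/{a['key'][1]}: {a['reason']} ({a['count']})")
```

The rename-to-extension signal is deliberately narrow so that a backup or batch job writing many files does not trip it; the cost is that families which encrypt in place and keep original names are only caught by the ransom-note rule or by an entropy check on written content. In production, baseline service accounts separately, tune THRESHOLD per file-server role, and feed the (host, user) key straight into the containment step so the account can be disabled and the host isolated before the burst finishes.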

Can ransomware infect SAP systems?

Yes, ransomware operators actively target SAP systems because these environments process highly sensitive corporate data and mission-critical operations, providing attackers with maximum financial leverage. Threat actors exploit misconfigurations and unpatched vulnerabilities in SAP infrastructure, whose delayed patching cycles leave known weaknesses exposed, to gain access and deploy their payloads. Securing these systems requires dedicated application-layer visibility beyond the scope of traditional IT security tools.

What is double extortion ransomware?

Double extortion ransomware is a cybercriminal tactic where attackers exfiltrate sensitive corporate data before encrypting the network, threatening to publish the stolen information if the ransom is not paid. This strategy forces victim organizations to navigate both catastrophic operational downtime and severe regulatory data breach implications simultaneously.

Should organizations pay the ransom during a cyberattack?

Government cybersecurity authorities such as CISA and the FBI advise against paying ransoms, as payment does not guarantee data recovery and directly funds future criminal operations. Instead of paying extortion demands, organizations should focus on maintaining secure, isolated data backups and implementing robust incident response plans to ensure operational continuity and facilitate independent system recovery.

How does Onapsis protect ERP systems from ransomware?

Onapsis protects ERP systems from ransomware by automating vulnerability management, providing real-time threat detection, and securing custom code within SAP and Oracle environments. The Onapsis Platform hardens the application layer by identifying insecure configurations, validating security patches, and alerting security operations centers to unauthorized access attempts before threat actors can deploy encryption payloads.