Ransomware: When Your Business Goes Dark.

What every Malaysian business owner needs to know before it happens to them.

🚨 A Monday Morning No Business Owner Should Ever Face

It is 8:47 AM on a Monday. Your Operations Manager calls, voice tight: the warehouse management system is locked. Your finance team cannot access the accounting software. Your customer database is encrypted. On every screen, the same message: pay USD$150,000 in Bitcoin within 72 hours, or your data will be deleted permanently.

You call your IT person. They have no idea how it happened. You call your bank. The transfer is irreversible if you pay. You call a lawyer. It will take days just to understand your legal exposure.

By Wednesday, your business has lost four days of revenue. Your staff are idle. Your customers are calling and you have no answers. Your reputation, built over years, is now a news headline.

This is not fiction. In March 2025, Kuala Lumpur International Airport (KLIA) faced exactly this scenario, receiving a ransom demand of USD$10 million after attackers disrupted flight information displays and check-in counters. And KLIA had a full IT department.

Source:
1. The Record (Recorded Future News) — March 25, 2025
2. Dark Reading — March 28, 2025
3. South China Morning Post — March 26, 2025

  • 42%: Increase in ransomware attacks on Malaysian businesses year-over-year (CyberSecurity Malaysia Annual Report 2025)
  • 105+: Malaysian organisations on ransomware leak sites as of early 2026 (Ransomware.live)
  • 67%: Malaysian SMEs hit by ransomware in 2025, up from 48% in 2024 (CyberSecurity Malaysia 2025)
  • USD$57B: Global ransomware damage costs projected for 2025 (Cybersecurity Ventures)

🔍  How Ransomware Works, in Plain Business Language

Ransomware is malicious software that silently enters your business systems, usually through a staff member clicking a convincing email link or opening a malicious attachment. Once inside, it spreads across your network and encrypts your files. Without the attacker’s decryption key, your data is unreadable, your systems are frozen, and your business stops.

Modern ransomware attacks typically follow five stages that every business owner should understand:

STAGE | WHAT IS HAPPENING TO YOUR BUSINESS
Entry | A staff member receives a convincing email, clicks a link, or opens an attachment. Attackers are now inside your network, silently.
Reconnaissance | Over days or even weeks, attackers quietly map your systems, identify your most valuable data, and locate your backups.
Data Theft | Before triggering encryption, attackers copy your sensitive data. This is called double extortion: they can threaten to publish it even if you restore from backup.
Encryption | Everything locks. Files become unreadable. Systems go dark. This is the moment you discover the attack.
Ransom Demand | A message appears on every screen. You have a deadline, typically 48 to 72 hours, to pay. The clock is already running.

🌐 What the World’s Experts Are Saying

PwC Malaysia: Cyber Threats 2024, A Year in Retrospect

PwC’s threat intelligence team confirmed that ransomware has become one of the most significant threats to Malaysian firms, with notorious operators including RansomHub, Qilin, and Lynx actively targeting Malaysian organisations across multiple sectors.

PwC noted that Malaysian CEOs now rank cyber risk above macroeconomic volatility and inflation as their foremost business concern, a sentiment echoed by corporate directors in PwC’s own board survey.

Source: PwC Malaysia: Charting Cyber Threats 2025

Sophos: State of Ransomware Report 2025

Sophos surveyed 3,400 IT professionals across 17 countries and found:

    • Over two-thirds of ransomware attacks between 2024 and 2025 targeted businesses with fewer than 500 employees
    • Average ransomware recovery cost in 2025 is USD$1.53 million, not including the ransom payment itself
    • Average business downtime after a ransomware attack is 24 days before full operational restoration
    • 69% of organisations that paid a ransom were attacked again within 12 months

The Sophos finding is direct: paying the ransom solves very little. Recovery capability and advance preparation are what determine whether a business survives.

Source: Sophos State of Ransomware 2025

Cybersecurity Ventures: 2025 Ransomware Damage Cost Report

Global ransomware damage costs are projected to reach USD$57 billion in 2025, equivalent to USD$2,400 every single second. By 2031, a new ransomware attack is forecast to occur every 2 seconds globally, up from every 11 seconds in 2021.

Ransomware-as-a-Service (RaaS) is a major driver of this growth. Criminal groups now rent out their ransomware tools to anyone willing to share the proceeds. This model allows technically inexperienced attackers to launch sophisticated campaigns at scale, and SMEs are their preferred volume targets.

Source: Cybersecurity Ventures: Ransomware Report 2025

CyberSecurity Malaysia Annual Report 2025 and MyCERT Q3 2025 Incident Report

CyberSecurity Malaysia’s Annual Report 2025 confirmed ransomware attacks on Malaysian businesses rose 42% year-over-year. A separate Starlight Intelligence analysis found ransomware activity targeting Malaysia more than doubled from 2023 to 2025. MyCERT’s Q3 2025 Cyber Incident Report recorded 17 ransomware incidents in Q3 alone, a 19% increase over Q2. Most frequently observed attack patterns:

  • Active Directory (AD) server exploitation, enabling ransomware to propagate across entire networks simultaneously
  • Virtualisation platform attacks targeting VMware and ESXi servers to compromise multiple systems at once
  • Phishing, brute force attacks, and stolen credentials as the primary initial entry points

MyCERT’s conclusion for 2025 and beyond: ransomware incidents will continue to grow, impacting businesses and critical national infrastructure across Malaysia.

Sources: MyCERT Q3 2025 Incident Report  |  SimplyData Malaysia Cybersecurity Threat Report 2025

💸 The Real Business Cost: Beyond the Ransom Demand 

Most business owners focus on the ransom figure when they think about ransomware. That is understandable. But the ransom is often the smallest line in the total cost.

The Full Cost of a Ransomware Attack on a Malaysian Business

💰  The Ransom Demand
Ransomware groups targeting Malaysian SMEs in 2025 demand between RM500,000 and RM5 million. Larger organisations face demands running into tens of millions. Paying is no guarantee of recovery. 69% of businesses that paid were attacked again within 12 months, and Sophos confirms only 97% of data is typically recovered even by those who do pay.

Operational Downtime
The average business is offline for 24 days after a ransomware attack. For a company generating RM100,000 monthly, that is over RM80,000 in lost revenue, before a single cent of recovery cost is counted.

🔧  Recovery and Restoration
Rebuilding encrypted systems, restoring data, forensic investigation, and emergency IT support typically costs between RM80,000 and RM400,000 for a mid-sized Malaysian business, even with good backups in place.

Legal and Regulatory Exposure
Under Malaysia’s PDPA 2024, if customer or employee personal data was accessed during the attack, you must notify the authorities within 72 hours. Failure to notify, or to demonstrate adequate prior security measures, risks fines of up to RM1 million per offence.

📉  Customer and Reputational Loss
Research indicates that 58% of small businesses that suffered a serious ransomware event in 2024 were forced to close within months. Even businesses that recover technically can take years to restore the trust of customers, suppliers, and partners.

The ransom is what makes the headlines. The recovery cost is what determines whether your business survives.

🎯 Why Malaysian SMEs Are a Primary Target

It is tempting to assume ransomware attacks are aimed at large corporations with deep pockets. The data tells a different story. Over two-thirds of ransomware attacks globally in 2024 and 2025 targeted businesses with fewer than 500 employees. Here is the reasoning behind this:

Ransomware-as-a-Service (RaaS)
Criminal groups now rent out ransomware tools to anyone willing to share a portion of the proceeds. Even technically inexperienced attackers can now launch sophisticated campaigns. SMEs are targeted at volume because there are many of them, and their defences are typically lighter.

Valuable Data, Lighter Defences
SMEs process payments, store customer personal data, hold supplier contracts, and manage payroll. That data has significant value to attackers. The security protecting it is often less structured than at larger organisations, creating an attractive imbalance.

No Dedicated Security Team
Malaysia faces a shortage of 12,000 cybersecurity professionals. Most SMEs rely on generalist IT support rather than dedicated security specialists. When an attack occurs at 2 AM on a Sunday, who is monitoring your systems?

Supply Chain Targeting
Attackers increasingly target SMEs not only for their own data but as an entry point into the larger corporations they serve. A smaller business with lighter defences can become the access route into a major client’s network. Many large Malaysian corporates are now beginning to require cybersecurity standards from their suppliers and vendors.

🛡️ What Ransomware Protection Looks Like in Practice

Ransomware is not an inevitability. Businesses that build the right foundations recover faster, pay less, and in many cases prevent attacks from succeeding at all. Here is what good ransomware readiness looks like across each layer of protection, based on current industry best practice:

PROTECTION LAYER | WHAT TO EXPECT FROM YOUR IT PROVIDER
Email Security and Phishing Defence | Since phishing is the primary entry point for ransomware, your provider should deploy advanced email filtering that catches malicious links and attachments before they reach staff inboxes, going well beyond basic spam filters.
Endpoint Detection and Response (EDR) | Every device on your network is a potential entry point. A qualified provider deploys tools that monitor device behaviour in real time, detecting ransomware activity and isolating infected machines before an attack can spread network-wide.
Tested Backup and Recovery | The most critical ransomware defence is a backup system that is isolated from your main network, updated automatically, and tested regularly. Ask your provider: when did we last run a full end-to-end recovery test?
Staff Security Awareness Training | Human error remains the primary cause of successful ransomware attacks. Regular, practical training equips staff to recognise phishing emails and social engineering attempts before they act on them.
Incident Response Planning | If an attack does occur, a written and rehearsed response plan is the difference between recovering in days versus weeks. Your provider should help you build and test this plan as standard practice.

5 Ransomware Readiness Questions to Ask Your IT Provider

Bring these questions to your next IT review. The answers will tell you a great deal about your current level of ransomware readiness:

      • When did we last test our backup and recovery system, and how long would a full restore take?
      • Do we have email filtering specifically designed to block ransomware delivery methods such as phishing and malicious attachments?
      • Are our backups stored in a location that is isolated from our main network so ransomware cannot reach them?
      • Have our staff completed security awareness training in the past 12 months, and do they know how to report suspicious emails?
      • Do we have a written incident response plan for a ransomware attack, and has it ever been rehearsed?

If any of these questions reveal a gap in your current setup, that is where the conversation with your IT adviser should begin. These are not complex or costly issues to resolve when caught early.

One Action You Can Take Right Now

Ask your IT team or provider this single question today: if ransomware encrypted every file in our business tonight, what would we do first, and how long would a full restore take? If there is no clear, confident answer, you have just identified your most urgent cybersecurity priority. The conversation itself is the starting point.

Ransomware Preparedness Begins with a Conversation.

The best time to prepare is before an incident, not during one.

We encourage every Malaysian business owner to review their ransomware readiness with their current IT adviser or service provider. Use the five questions above as a practical starting point. Ask for a written backup and recovery plan. Request a risk assessment. These are reasonable, professional conversations that any qualified IT partner should welcome.

If you would like a second perspective, or if you are evaluating your options and want an independent view of your ransomware readiness, BigBand is happy to offer a no-obligation conversation. We are not here to replace your current provider. We are here to make sure your business is as protected as it can be.

Your next step is to start the conversation. Where that conversation leads is entirely your decision.

FREE BUSINESS TOOL

Cyber Security Risk Review Checklist

Most organisations are unsure of their actual cyber risk exposure. BigBand’s self-assessment tool evaluates your protection across 7 critical areas and places your organisation into one of four risk levels.

✓ Low Exposure

⚠ Moderate Risk

⚠ High Risk

✕ Critical Exposure

Reviews: Firewall & network · Endpoint coverage · Remote access · Backup readiness · Email & phishing · Monitoring capability · Incident response
