
Ransomware & Cyber Threats

A type of malicious software that encrypts an organisation's files or systems and demands a ransom payment to restore access. It is the most financially damaging cyber threat facing businesses, with average incident costs exceeding EUR 4 million in 2025.


What is ransomware

Ransomware is malware that encrypts victim data and demands payment (typically in cryptocurrency) for the decryption key. Modern variants practise double extortion: in addition to encrypting data, they exfiltrate it and threaten to publish it if the ransom is not paid. Some groups have progressed to triple extortion, adding DDoS attacks or contacting the victim’s customers directly.

Common attack vectors

  • Phishing and spear-phishing: fraudulent emails tricking employees into downloading malware or revealing credentials
  • Vulnerability exploitation: unpatched software (VPNs, web servers, public-facing applications)
  • Compromised remote access: stolen or weak RDP credentials
  • Supply chain attacks: compromising a software vendor to distribute malware to its customers

A ransomware attack in the EU triggers multiple concurrent notification requirements:

  • GDPR: notification to the supervisory authority (AEPD in Spain) within 72 hours if personal data is affected
  • NIS2: early warning within 24 hours and full notification within 72 hours to the reference CSIRT
  • DORA: for financial entities, notification to the financial supervisor under prescribed timelines
  • Securities regulation: listed companies may need to disclose material cyber incidents

Prevention and response

Effective prevention combines technical measures (immutable backups, network segmentation, EDR, multi-factor authentication, regular patching) with organisational measures (employee training, phishing simulations, tested incident response plans). The decision to pay a ransom has legal, ethical, and strategic implications — including potential sanctions law violations — that require specialist advice.

Frequently asked questions

What notification obligations does a ransomware attack trigger in Spain?

A ransomware attack affecting personal data triggers GDPR notification to the AEPD within 72 hours. If the company is subject to NIS2, an early warning to the reference CSIRT is required within 24 hours and a full notification within 72 hours. Financial entities under DORA have separate notification obligations to their supervisory authority. Listed companies may also need to disclose material cyber incidents.

Should a Spanish company pay a ransomware ransom?

The decision to pay involves legal, ethical, and strategic considerations that require specialist advice. Paying may violate sanctions laws if the threat group is on a sanctions list. Payment does not guarantee data recovery or prevent future attacks. Spanish authorities and INCIBE generally advise against paying. Companies should engage incident response specialists and legal counsel before making any payment decision.

What technical measures most effectively prevent ransomware attacks in Spain?

Immutable and offline backups are the most critical defence, enabling recovery without paying a ransom. Complementary controls include multi-factor authentication (especially for RDP and VPN access), network segmentation, endpoint detection and response (EDR) tools, regular patching of public-facing applications, and employee phishing simulation training. INCIBE provides free cybersecurity resources for Spanish SMEs.

What is double extortion ransomware and how does it affect GDPR obligations?

Double extortion combines data encryption with data exfiltration and a threat to publish the stolen data if the ransom is not paid. This means that even if backups allow recovery without paying, the personal data breach has already occurred. Under GDPR, the exfiltration itself triggers notification obligations to the AEPD and potentially to affected individuals, regardless of whether the ransom is paid.