
How to soften the blow of ransomware attacks?

Learn how ransomware strikes and how microsegmentation keeps your business secure

September 16, 2025 | Dheeraj Rawal

The backdrop

Ransomware has evolved and grown horns. When it attacks, it’s more destructive and harder to fight. Many organizations are falling victim and losing millions to it. In this blog, we uncover what a modern ransomware attack looks like, share anecdotes of such attacks, and discuss security solutions such as microsegmentation to fight against them.

The price of ransomware is too high

Marks & Spencer (M&S) is a UK-based multinational retail brand with close to 1,400 stores around the world. M&S last reported revenues of upwards of USD 18.8 billion. Alongside its retail stores, the company has a strong digital presence that contributes to its growing revenues.1

In April 2025, the retailer suffered a ransomware attack that disrupted operations for weeks and severely dented Easter week sales. The intrusion began with phishing and social engineering by cyber criminals (Scattered Spider and DragonForce), who gained access to critical M&S systems through its helpdesk systems, likely managed by a third-party contractor.
 

Attackers making further inroads into systems

After gaining access and establishing a foothold, the attackers launched ransomware that encrypted some of the company’s systems. M&S acted swiftly to take some of its systems offline to stop the ransomware from spreading further. In the meantime, the company fell back on pen-and-paper manual processes to keep operations running. For six weeks or more, e-commerce revenues slumped.2

With the incident hitting the business, the retailer is estimated to have sustained losses of about USD 400 million. Its share price also fell, wiping hundreds of millions of dollars off its market capitalization. The company also admitted that customer data had been stolen.3
 

Investing in anti-ransomware measures

Although the company had significant security measures in place, the incident clearly showed that they were not enough, especially against ransomware. After working with multiple security agencies, the retailer restored its systems weeks after the attack. M&S plans to increase its investment in security to further strengthen its cyber security posture.

Ransomware attacks are becoming increasingly sophisticated

Ransomware has evolved rapidly over the years. Modern attacks no longer rely solely on encrypting files; instead, they follow a multi-extortion model, stealing data before encryption, then threatening to leak it, launch distributed denial of service (DDoS) attacks, or notify regulators and customers to pressure victims into paying. 

Modern ransomware attacks do not always involve data encryption, which a few years ago was the defining feature of an attack; data theft alone is now enough for extortion. About 30% of organizations (with 501 to 5,000 employees) experience both data encryption and data theft.4
 

Attackers are patient and attacks are sly

These campaigns are highly targeted, with attackers using social engineering, compromised third-party vendors, and stolen credentials to gain access and move laterally within networks. Many are now human-operated and even use AI to automate reconnaissance (gathering intelligence) and bypass detection tools. 

Critical infrastructure and operational technology (OT) environments, such as manufacturing plants and hospitals, have become prime targets because of their reliance on legacy systems and the high cost of disruption. This evolution has turned ransomware into a professionalized, stealthy, and profit-driven industry. Backups alone are no longer sufficient: they restore encrypted data but do nothing about data that has already been stolen, which is why advanced anti-ransomware measures are needed.
 

Ransomware attacks in 2025

  • Forty-nine percent of organizations that faced an attack paid the ransom to get the data back
  • The median ransom payment is about USD 1 million
  • The average cost to recover from a ransomware attack is a little over USD 1.5 million, making the total costs as high as USD 2.5 million
  • Fifty-three percent of organizations can recover fully in a week’s time after a ransomware incident5

Apart from the financial repercussions, security teams experience increased stress and guilt after a ransomware incident. It is therefore imperative for organizations to understand how ransomware gets in. The most common root causes are exploited vulnerabilities, compromised credentials, malicious emails and phishing, brute-force attacks, and malicious downloads. 
 

Too many cracks in the wall

Many organizations see inadequate security measures as a key driver of ransomware attacks—along with factors such as limited expertise and poor awareness of existing security gaps. 

Organizations require a layered security approach that includes network segmentation, zero trust architecture, endpoint detection and response (EDR), and active threat monitoring to withstand this new breed of ransomware. In this blog, we’ll discuss how microsegmentation can specifically help organizations prevent the spread of a ransomware attack.
 

Reinforcing the wall with microsegmentation

In the event of a ransomware attack, microsegmentation serves as a critical containment and control mechanism that significantly limits the attack’s blast radius. Unlike traditional network segmentation, which relies on coarse, network-based boundaries such as virtual local area networks (VLANs) or subnets, microsegmentation enforces fine-grained, application-aware security policies at the workload or host level. This lets organizations restrict communication between devices within the same network or data center, known as east-west traffic, so that even if a ransomware variant compromises one endpoint, its ability to move laterally and infect other systems is sharply reduced.
 

How does microsegmentation work?

Technically, microsegmentation is implemented with software-defined security controls that are enforced at the kernel or hypervisor layer, often through agents installed on endpoints, virtual machines, or containers. Because these controls operate independently of the underlying network infrastructure, they are particularly effective in dynamic environments such as data centers or hybrid clouds. 

For example, a zero-trust microsegmentation policy can restrict communication between a web server and a file server, unless explicitly allowed based on identity, role, or process. This prevents unauthorized access even if the attacker obtains valid credentials or exploits a vulnerability on one host.

Two-pronged approach

In a ransomware scenario, microsegmentation plays a dual role: prevention and containment. First, it drastically reduces the surface available for lateral movement by enforcing least-privilege access. Second, during an active attack, it enables real-time isolation of infected workloads without disrupting unaffected services. This containment keeps the ransomware away from critical systems and backup repositories (which should be reachable only from the backup service, never from general workstations), and it buys security teams the time they need to investigate and remediate the incident. 

Additionally, microsegmentation policies can be integrated with security information and event management (SIEM) or extended detection and response (XDR) platforms to trigger automated responses such as traffic blocking, quarantine, or alerting based on anomalous behavior.
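The policy described above (default deny, allow rules keyed on role, port and process) and the quarantine action a SIEM/XDR integration can trigger are easiest to see in a small policy engine. The following Python is an added example written for this article, not vendor or Akamai Guardicore code; every workload name, role label and flow in it is constructed for illustration, and a real product would enforce the verdicts in the host kernel or hypervisor rather than in a Python loop.

```python
"""Host-level microsegmentation policy engine (added example, not vendor code).

Models a default-deny policy keyed on workload role labels, destination
port and initiating process, plus the quarantine action that a SIEM/XDR
integration might trigger. All workloads, labels and flows are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str       # source workload
    dst: str       # destination workload
    port: int      # destination TCP port
    process: str   # process that opened the connection on the source host


@dataclass(frozen=True)
class AllowRule:
    src_role: str
    dst_role: str
    port: int
    process: Optional[str] = None   # None means any process may use the rule


@dataclass
class PolicyEngine:
    roles: dict                     # workload name -> role label
    rules: list                     # AllowRule list; anything unmatched is denied
    quarantined: set = field(default_factory=set)

    def decide(self, f: Flow) -> tuple:
        """Return (verdict, reason) for one east-west flow."""
        if f.src in self.quarantined or f.dst in self.quarantined:
            return ("DENY", "workload quarantined")
        src_role, dst_role = self.roles.get(f.src), self.roles.get(f.dst)
        if src_role is None or dst_role is None:
            # Unlabelled assets never get implicit trust
            return ("DENY", "unlabelled workload")
        for r in self.rules:
            if (r.src_role, r.dst_role, r.port) == (src_role, dst_role, f.port) \
                    and (r.process is None or r.process == f.process):
                return ("ALLOW", f"{r.src_role}->{r.dst_role}:{r.port}")
        return ("DENY", "default deny")

    def quarantine(self, workload: str) -> None:
        """Isolate a workload: every flow to or from it is denied until released."""
        self.quarantined.add(workload)


def build_engine() -> PolicyEngine:
    """Constructed environment: roles and the only flows the business needs."""
    roles = {
        "web-01": "web", "app-01": "app", "db-01": "db",
        "file-01": "file", "backup-01": "backup",
        "wks-42": "workstation", "helpdesk-01": "helpdesk",
        "contractor-vpn": "contractor",
    }
    rules = [
        AllowRule("web", "app", 8443),
        AllowRule("app", "db", 5432, process="java"),
        AllowRule("workstation", "file", 445),
        AllowRule("backup", "db", 5432, process="backup-agent"),
        AllowRule("contractor", "helpdesk", 443),
    ]
    return PolicyEngine(roles, rules)


def simulate() -> dict:
    """Run constructed flows through the policy; returns flow label -> verdict."""
    eng = build_engine()
    results = {}
    # Normal application traffic
    results["web->app https"] = eng.decide(Flow("web-01", "app-01", 8443, "nginx"))[0]
    results["app->db java"] = eng.decide(Flow("app-01", "db-01", 5432, "java"))[0]
    # Ransomware on the web tier tries to reach file shares and backups
    results["web->file smb"] = eng.decide(Flow("web-01", "file-01", 445, "svchost.exe"))[0]
    results["web->backup ssh"] = eng.decide(Flow("web-01", "backup-01", 22, "ssh"))[0]
    # Valid DB credentials but the wrong process: still denied
    results["app->db psql"] = eng.decide(Flow("app-01", "db-01", 5432, "psql"))[0]
    # Contractor zone can reach the helpdesk, not production
    results["contractor->helpdesk"] = eng.decide(Flow("contractor-vpn", "helpdesk-01", 443, "browser"))[0]
    results["contractor->db"] = eng.decide(Flow("contractor-vpn", "db-01", 5432, "psql"))[0]
    # XDR flags wks-42 as infected; quarantine removes even its allowed path
    results["wks->file before"] = eng.decide(Flow("wks-42", "file-01", 445, "explorer.exe"))[0]
    eng.quarantine("wks-42")
    results["wks->file after"] = eng.decide(Flow("wks-42", "file-01", 445, "explorer.exe"))[0]
    return results


if __name__ == "__main__":
    for label, verdict in simulate().items():
        print(f"{label:24} {verdict}")
```

Two design points carry over to real deployments: unlabelled workloads are denied rather than trusted, so an agent or label gap is a visible failure instead of a silent hole, and the process condition means a stolen database credential used from `psql` on a compromised app server is blocked even though the role-to-role path itself exists.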
 

A decisive safeguard

In conclusion, microsegmentation transforms network security from a perimeter-based defense model into a distributed, context-aware enforcement layer. It is a foundational control for ‘zero trust’ architectures and a decisive safeguard against ransomware propagation. Organizations serious about cyber resilience must adopt microsegmentation as a core part of their defense-in-depth strategy.

According to Gartner, by 2027, about 25% of enterprises adopting zero trust technology will have more than one microsegmentation deployment. Gartner anticipates that more organizations will seek microsegmentation to achieve fine-grained zoning, enable workload-level policy, gain visibility into traffic, and manage workload policies at scale.6
 

How microsegmentation would have helped M&S

Going back to the M&S ransomware attack, microsegmentation could have significantly limited the damage by stopping the attackers from moving laterally across internal systems. Since the breach originated through a third-party contractor and escalated to core retail operations and e-commerce systems, microsegmentation would have enforced strict, policy-based controls between environments, for example by separating contractor access zones from production workloads, or by isolating e-commerce applications from backend databases and payment systems. 

This would have blocked unauthorized communication paths and kept the ransomware from spreading beyond the initially compromised endpoints, keeping critical systems functional and reducing downtime. It would not have stopped the helpdesk from being socially engineered in the first place, which is an identity problem; what it limits is how far a stolen credential or compromised host can reach.
 

Microsegmentation: Turning on the lights inside your network


Microsegmentation doesn’t just block threats; it also provides deep visibility into network traffic at the application and workload level. Unlike traditional firewalls that monitor traffic between network zones, microsegmentation tools (such as Akamai Guardicore) show who is talking to whom, what services are used, and whether that communication is necessary. This visibility spans cloud, on-premises, and hybrid environments, helping IT teams identify misconfigurations, shadow IT, and risky behavior. It’s like turning on the lights inside your network.

This visibility is critical for security and compliance. It enables organizations to map application dependencies, detect unauthorized connections, and create highly specific access policies. During an attack, visibility enables faster detection of lateral movement and targeted containment. It also supports compliance frameworks such as HIPAA, PCI, or SOC 2 by showing which systems interact with sensitive data and proving segmentation policies are enforced.
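The visibility described above becomes actionable once the workload-to-workload flow log is actually analyzed. The following Python is an added example written for this article, not code from the original page or from any segmentation product: it parses a constructed flow log (the format and every address in it are made up), builds the "who talks to whom" dependency map, and flags the lateral-movement pattern that ransomware produces, namely one host suddenly reaching many peers on SMB, RDP, WinRM or SSH. Denied attempts are counted as well, because with segmentation in place a burst of blocked spread is exactly the signal worth alerting on.

```python
"""Lateral-movement fan-out detection over east-west flow logs (added example).

The log format and all addresses are constructed; real segmentation tools
emit their own schema and the regex would be adapted to it.
"""
import re
from collections import defaultdict
from datetime import datetime

LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 22: "SSH"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: routine traffic, one malformed line, then a burst in
# which 10.0.3.12 probes six hosts on SMB within 30 seconds.
SAMPLE_LOG = """\
2025-09-16T01:00:02Z src=10.0.3.10 dst=10.0.5.40 dport=445 proto=tcp action=allow
2025-09-16T01:04:51Z src=10.0.3.11 dst=10.0.5.40 dport=445 proto=tcp action=allow
2025-09-16T01:06:13Z src=10.0.4.20 dst=10.0.6.10 dport=5432 proto=tcp action=allow
2025-09-16T01:10:40Z src=10.0.3.12 dst=10.0.5.40 dport=445 proto=tcp action=allow
this line is malformed and must be skipped
2025-09-16T02:14:07Z src=10.0.3.12 dst=10.0.3.20 dport=445 proto=tcp action=allow
2025-09-16T02:14:09Z src=10.0.3.12 dst=10.0.3.21 dport=445 proto=tcp action=allow
2025-09-16T02:14:12Z src=10.0.3.12 dst=10.0.3.22 dport=445 proto=tcp action=deny
2025-09-16T02:14:15Z src=10.0.3.12 dst=10.0.3.23 dport=445 proto=tcp action=deny
2025-09-16T02:14:20Z src=10.0.3.12 dst=10.0.5.41 dport=445 proto=tcp action=deny
2025-09-16T02:14:31Z src=10.0.3.12 dst=10.0.6.10 dport=445 proto=tcp action=deny
2025-09-16T02:15:00Z src=10.0.4.20 dst=10.0.6.10 dport=5432 proto=tcp action=allow
"""


def parse_flows(text):
    """Parse log lines into dicts; malformed lines are dropped, not guessed."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
            "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "action": d["action"],
        })
    return flows


def dependency_map(flows):
    """(src, dport) -> set of destinations: the 'who talks to whom' view."""
    deps = defaultdict(set)
    for f in flows:
        deps[(f["src"], f["dport"])].add(f["dst"])
    return dict(deps)


def detect_fanout(flows, threshold=5, window_s=60):
    """Flag a source reaching >= threshold distinct hosts on one lateral-movement
    port within window_s seconds. Denied attempts count too."""
    by_key = defaultdict(list)
    for f in flows:
        if f["dport"] in LATERAL_PORTS:
            by_key[(f["src"], f["dport"])].append((f["ts"], f["dst"], f["action"]))
    findings = []
    for (src, dport), events in by_key.items():
        events.sort()
        best_hosts, best_start, blocked = set(), None, 0
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            hosts = {dst for _, dst, _ in in_window}
            if len(hosts) > len(best_hosts):
                best_hosts, best_start = hosts, t0
                blocked = sum(1 for _, _, a in in_window if a == "deny")
        if len(best_hosts) >= threshold:
            findings.append({
                "src": src, "service": LATERAL_PORTS[dport],
                "distinct_hosts": len(best_hosts), "blocked": blocked,
                "window_start": best_start.isoformat(),
            })
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for key, dsts in sorted(dependency_map(flows).items()):
        print(key, sorted(dsts))
    for hit in detect_fanout(flows):
        print("ALERT", hit)
```

On the sample, the dependency map shows the expected single workstation-to-file-server and app-to-database paths, and the detector raises one alert for 10.0.3.12 on SMB (six distinct hosts, four of them blocked). The same map is also the input for writing the allow rules in the first place: anything not in it is a candidate for default deny.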

Why visibility is so critical

A U.S. healthcare provider deployed Akamai Guardicore segmentation and got immediate insight into internal traffic, exposing over 4,000 attempted attacks on day one. It allowed the team to isolate a misconfigured device and control east-west communication across the network. With a small IT team, they achieved better security, reduced attack surface, and improved compliance, all without disrupting patient care or legacy systems.7

Most attack attempts are invisible to an organization that lacks east-west visibility. With the right tools, these attempts can be seen and stopped. An organization may face thousands of attempts per day, and any one of them could turn into a full-blown cyber attack. Microsoft reports that its customers face more than 600 million attacks every day.8

Stronger ransomware protection for organizations

Organizations that implement microsegmentation benefit from stronger protection against internal threats and post-breach activity, such as ransomware lateral movement or privilege escalation. Because traffic is restricted to only what is explicitly allowed, compromised devices or user accounts are far less likely to impact other assets, especially sensitive ones such as financial data, intellectual property, or regulated customer information.

From a business standpoint, this results in lower cyber risk exposure, reduced breach costs, and higher operational resilience. Microsegmentation also helps organizations meet compliance requirements (such as PCI DSS, HIPAA, and GDPR) by enforcing isolation among sensitive data environments. Additionally, it simplifies incident response by narrowing attack surfaces and accelerating containment.

Top features and benefits of microsegmentation security

Features

  • Granular, policy-based traffic control
  • Application-level visibility
  • Real-time traffic mapping
  • Integration with identity providers and threat detection tools
  • Agent-based or agentless deployment options for flexibility

Benefits

  • Limits ransomware spread and lateral movement within the network
  • Improves compliance with PCI DSS, HIPAA, SOC 2, and other regulations
  • Reduces attack surface and overall cyber risk exposure
  • Accelerates incident response by isolating threats quickly
  • Enables ‘zero trust’ architecture by enforcing least-privilege access

Get microsegmentation security against ransomware with T-Systems

Ultimately, stopping ransomware today requires deep cyber security expertise, real-time visibility, and layered defenses. T-Systems, as a managed detection and response (MDR) service provider, delivers that expertise through 24/7 security operations center (SOC) monitoring, threat intelligence, and advanced technologies including microsegmentation powered by Akamai Guardicore. By combining strong prevention capabilities with rapid incident response and proactive threat hunting, T-Systems enables organizations to fend off sophisticated ransomware threats while maintaining business continuity and trust. 

To protect against modern-day ransomware threats, get in touch with us today. 

About the author
Dheeraj Rawal

Content Marketer, T-Systems International GmbH


1 Marks and Spencer Statistics, 2025, Statista

2 M&S Cyber Attack Article, 2025, BBC

3 Marks & Spencer Breach, 2025, Blackfog

4 The State of Ransomware Report, 2025, Sophos

5 The State of Ransomware Report, 2025, Sophos

6 Market Guide for Microsegmentation, 2025, Gartner

7 Healthcare Case Study, 2025, Akamai

8 Microsoft Digital Defense Report, 2024, Microsoft
