Ransomware Myths: 5 Dangerous Misconceptions Putting NZ Businesses at Risk

A ransomware attack encrypts your business data and demands payment for its return. In 2026, ransomware myths are as dangerous as the attacks themselves — businesses that believe they are safe because they are small, because they have backups, or because they would simply pay the ransom and move on are operating on assumptions that no longer hold.

 

Ransomware is no longer just a threat to large organisations. A South Island manufacturer was locked out of its systems and halted production this year after a ransomware attack demanded a six-figure ransom. A professional services firm had its client database exfiltrated and held for a second ransom before the original encryption was even resolved.

These are not isolated incidents. According to CERT NZ, NZ businesses lost $7.8 million to cybercrime in Q1 2025 alone — a 14.7% increase on the previous quarter. Ransomware is the primary driver of the most costly incidents. And in 2026, the ransomware myths that lead businesses to underinvest in protection are more dangerous than ever before.

NZ Business Cyber Security Report 2026: 44% of large NZ businesses suffered a successful cyber attack in the past year. One in five faced extortion. One in three said they would be willing to pay a ransom — despite no guarantee of data recovery.

 

The Five Ransomware Myths That Put NZ Businesses at Risk

 

Ransomware Myth 1: We are too small to be targeted

The reality: ransomware myths about size put small businesses most at risk

This is the most persistent and most damaging of the ransomware myths facing NZ SMEs. The assumption is that attackers focus on large corporations because the payouts are bigger. In practice, the opposite is increasingly true.

As larger organisations invest in sophisticated defences, smaller businesses have become low-hanging fruit. NZ cyber security research confirmed that nearly half of ransomware attacks targeted small and medium businesses, with the average cost of a breach estimated at $173,000.

Ransomware-as-a-Service (RaaS) has made this worse. Skilled developers now build ransomware kits and rent them to low-skill affiliates who run the attacks and split the profits. A criminal does not need technical expertise to target your business — they just need to purchase a kit and pick a victim. CERT NZ’s guidance on ransomware makes clear that no business is too small to be at risk.

If you operate in Christchurch or Dunedin and assume your size protects you, that assumption is a ransomware myth that could cost your business its data, its reputation, and potentially its survival.

 

Ransomware Myth 2: Our backups will save us

The reality: Attackers now target your backups first

Having backups is essential. Assuming backups alone will protect you from ransomware is one of the most dangerous myths circulating among NZ businesses right now.

Modern ransomware operators spend weeks inside a network before triggering encryption. During that time, they locate and either encrypt or delete backup systems. The goal is to ensure that when the attack lands, you have no clean restore point. By the time you realise you have been hit, your backups may already be compromised.

  • Standard cloud backups are often accessible from the same compromised credentials attackers already hold
  • On-premises backup devices connected to the network are encrypted alongside everything else
  • Backups that have never been tested frequently fail at restore time — often the worst possible moment

 

The answer is not to abandon backups — it is to build them properly. Immutable backups that cannot be altered or deleted, air-gapped copies stored offline, and the 3-2-1-1 rule (three copies, two media types, one offsite, one offline) provide meaningful ransomware protection where standard backups do not. Believing otherwise is one of the most costly ransomware myths an NZ business can hold. Our data backup strategy guide covers how to build a backup approach that actually holds up under attack.

 

Ransomware Myth 3: Paying the ransom solves the problem

The reality: ransomware myths about payment are costing NZ businesses twice over

One in three NZ businesses say they would pay a ransom if attacked, according to recent NZ cyber security research. It is an understandable response under pressure. It is also one of the ransomware myths that has cost businesses far more than the original ransom.

Paying does not guarantee your data comes back. Ransomware operators are criminals — nothing compels them to hand over a working decryption key. Internationally, companies including UK freight firm KNP paid the ransom in full and still collapsed months later. Travelex paid US$2.3 million and still went out of business.

In 2026, double and triple extortion have become standard. Attackers no longer just encrypt your data — they steal it first. The ransom demand comes in two parts: pay to decrypt, and pay again to prevent publication of the stolen data on the dark web. Triple extortion adds a third layer: direct contact with your clients, suppliers, or patients, threatening to release their personal data unless they pressure you to pay.

Paying the first ransom does not stop the second or third demand. And organisations that pay are frequently targeted again — marked as willing to pay.

NZ cyber security research consistently reinforces this point: once a ransom is paid, there is no guarantee the criminal will honour the deal — and they may still re-sell any data that was stolen. Payment signals willingness to pay, which frequently makes a business a target for repeat attacks. Our BCDR guide explains how a tested continuity plan makes payment a last resort rather than an inevitability.

 

Ransomware Myth 4: Antivirus software is enough

The reality: ransomware myths about antivirus leave systems exposed

Antivirus software detects known threats by matching them against a database of recognised malware signatures. Modern ransomware is built specifically to defeat this approach.

AI-powered polymorphic ransomware rewrites its own code on each deployment, generating a unique signature that no existing antivirus database contains. By the time the signature is identified and added to the database, the attack is already complete.

Beyond the technical limitations, antivirus addresses only one layer of a multi-vector threat. Ransomware enters through phishing emails, compromised credentials, unpatched software, and supply chain vulnerabilities. Antivirus sits at the endpoint and does nothing to address the credential theft or phishing that enabled access in the first place.

Effective ransomware protection requires layered defences: email filtering, endpoint detection and response (EDR), privileged access controls, network segmentation to limit spread, and proactive patching. Our guide on defence in depth explains how these layers work together to contain attacks that bypass individual controls.

 

Ransomware Myth 5: Recovery is quick once the ransom is resolved

The reality: ransomware myths about recovery time lead to dangerous under-preparation

Businesses that have not experienced a ransomware attack often imagine recovery as a linear process: pay or restore from backup, decrypt or rebuild, resume operations. These ransomware myths about recovery are among the most operationally dangerous.

NZ cyber security industry data shows that one in three NZ ransomware victims took two months or more to fully recover. That recovery period covers rebuilding systems, restoring and verifying data integrity, investigating the scope of the breach, notifying affected parties under the NZ Privacy Act 2020, managing the reputational fallout, and implementing the additional security controls needed to prevent a repeat attack.

During that period, revenue stops or slows, staff productivity drops, and legal and compliance costs accumulate. The NCSC reported $12.4 million in direct financial losses from cybercrime in Q3 2025 alone — up 118% from the previous quarter. Those figures represent the reported losses. Indirect costs from downtime, staff time, and reputational damage are typically several times higher.

A tested incident response plan significantly shortens recovery time. Knowing exactly who makes decisions, who communicates with staff and clients, and how systems are restored in what order turns a chaotic incident into a managed response. Our business continuity planning guide covers what a tested plan looks like and how to build one before you need it.

 

What Actually Protects NZ Businesses From Ransomware

Addressing ransomware myths is the first step. Building the right defences is the second. These are the controls that provide meaningful ransomware protection in 2026.

Immutable and air-gapped backups with tested restores

Backups that cannot be altered, deleted, or accessed via compromised credentials. Copies stored offline and offsite. Restore tests conducted quarterly — not assumed to work. This is the non-negotiable foundation of ransomware resilience.
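The 3-2-1-1 rule from the backups myth section and the "tested restores" point above can both be turned into checks that run automatically. The script below is an added example written for this article, not Exodesk's tooling or any backup product's code: it evaluates a constructed inventory of backup copies against 3-2-1-1 (plus the presence of an immutable copy), lists copies whose last restore test is older than a quarter, and verifies a test restore against SHA-256 hashes recorded at backup time. The inventory fields, the 90-day interval and the file contents are assumptions.

```python
"""Backup-set checks: 3-2-1-1 coverage, restore-test age, and restore integrity by hash.
Added example for this article (not Exodesk's tooling). The copy inventory, the 90-day
interval and the sample files are constructed to match the article's recommendations."""
import hashlib
from datetime import date, timedelta

RESTORE_TEST_INTERVAL = timedelta(days=90)   # quarterly, as recommended above (assumed)

# Constructed inventory of every copy held for one data set.
BACKUP_COPIES = [
    {"name": "nas-onsite", "media": "disk", "offsite": False, "offline": False,
     "immutable": False, "last_restore_test": date(2026, 1, 10)},
    {"name": "cloud-object-lock", "media": "object storage", "offsite": True, "offline": False,
     "immutable": True, "last_restore_test": date(2026, 2, 3)},
    {"name": "tape-vault", "media": "tape", "offsite": True, "offline": True,
     "immutable": True, "last_restore_test": date(2025, 9, 1)},
]


def check_3_2_1_1(copies):
    """Return the 3-2-1-1 rules the inventory fails (empty list means compliant).
    Also flags the absence of an immutable copy, which the section above treats as essential."""
    failures = []
    if len(copies) < 3:
        failures.append("fewer than 3 copies")
    if len({c["media"] for c in copies}) < 2:
        failures.append("fewer than 2 media types")
    if not any(c["offsite"] for c in copies):
        failures.append("no offsite copy")
    if not any(c["offline"] for c in copies):
        failures.append("no offline (air-gapped) copy")
    if not any(c["immutable"] for c in copies):
        failures.append("no immutable copy")
    return failures


def overdue_restore_tests(copies, today):
    """Names of copies whose last restore test is older than RESTORE_TEST_INTERVAL."""
    return [c["name"] for c in copies
            if today - c["last_restore_test"] > RESTORE_TEST_INTERVAL]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Record a hash per file at backup time; keep the manifest on the immutable copy."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_restore(manifest, restored):
    """Compare a test restore against the manifest; return paths missing or altered."""
    return [path for path, digest in manifest.items()
            if path not in restored or sha256_hex(restored[path]) != digest]


# Constructed files, their manifest, and a test restore in which one file came back damaged.
ORIGINAL_FILES = {
    "accounts/ledger.csv": b"date,amount\n2026-02-01,1200.00\n",
    "clients/contacts.json": b'[{"name": "Example Ltd", "phone": "03 000 0000"}]',
}
MANIFEST = build_manifest(ORIGINAL_FILES)
RESTORE_GOOD = dict(ORIGINAL_FILES)
RESTORE_BAD = {"accounts/ledger.csv": ORIGINAL_FILES["accounts/ledger.csv"],
               "clients/contacts.json": b"\x00\x00corrupt"}

if __name__ == "__main__":
    print("3-2-1-1 failures:", check_3_2_1_1(BACKUP_COPIES))
    print("overdue restore tests:", overdue_restore_tests(BACKUP_COPIES, date(2026, 3, 1)))
    print("damaged after restore:", verify_restore(MANIFEST, RESTORE_BAD))
```

Run as-is, the inventory passes 3-2-1-1 but the tape copy is flagged for an overdue restore test, and the damaged contacts file is caught by the hash comparison. The point of `verify_restore` is that a restore which "completes" is not the same as a restore that returns the data you backed up; the manifest must live somewhere the attacker's credentials cannot reach, otherwise it can be rewritten along with the backups.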

Email security and phishing-resistant authentication

Ransomware enters through email in the majority of cases. Advanced email filtering blocks the phishing scams that deliver ransomware payloads. Phishing-resistant MFA — hardware security keys rather than SMS codes — closes the credential theft vector that gives attackers their initial foothold. Our email security service covers both layers for South Island businesses.

Endpoint detection and response

EDR tools monitor endpoint behaviour rather than matching signatures. When ransomware begins to behave like ransomware — accessing and encrypting files at unusual speed — EDR detects and isolates the affected device before the attack spreads across the network.
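To make the "behaves like ransomware" idea concrete, the following is an added illustration written for this article, not any EDR vendor's detection logic or Exodesk's tooling. It replays a constructed file-activity log (timestamp plus key=value fields, an assumed format) through a sliding-window detector: one process modifying or renaming many files within a few seconds, spread across several directories, is flagged, while a user copying photos into a single folder and an allow-listed backup agent are not. The thresholds, process names and log lines are all assumptions.

```python
"""Behavioural file-activity detector of the kind the EDR paragraph above describes.
Added example for this article; not any vendor's EDR logic or Exodesk's tooling.
The event format, thresholds, process names and log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)      # look-back window per process (assumed value)
BURST_THRESHOLD = 20                # modifications per window before alerting (assumed)
MIN_DIRECTORIES = 3                 # spread across folders separates encryption from one app saving
ALLOW_LIST = {"backup-agent"}       # constructed: processes expected to touch many files


def _line(ts, pid, proc, op, path, dst=None):
    text = f"{ts} pid={pid} proc={proc} op={op} path={path}"
    return text + (f" dst={dst}" if dst else "")


SHARES = ["finance", "hr", "projects"]
# Constructed sample log: normal editing, a bulk copy into one folder, an allow-listed
# backup agent, and a process renaming files across several shares to a new extension.
SAMPLE_LOG = (
    [_line("2026-03-02T09:14:01", 4120, "office-writer", "write", "/home/kim/Documents/quote.odt"),
     _line("2026-03-02T09:14:05", 4120, "office-writer", "write", "/home/kim/Documents/quote.odt")]
    + [_line(f"2026-03-02T09:16:{i % 10:02d}", 5200, "file-manager", "write",
             f"/home/kim/Pictures/holiday{i}.jpg") for i in range(25)]
    + [_line(f"2026-03-02T09:17:{i % 5:02d}", 900, "backup-agent", "write",
             f"/backups/set1/chunk{i}.bin") for i in range(30)]
    + [_line(f"2026-03-02T09:15:{i % 4:02d}", 6611, "updater", "rename",
             f"/srv/shares/{SHARES[i % 3]}/file{i}.xlsx",
             f"/srv/shares/{SHARES[i % 3]}/file{i}.xlsx.locked") for i in range(24)]
)

_KV = re.compile(r"(\w+)=(\S+)")


def parse_log(lines):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        ev = dict(_KV.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def detect(events):
    """One alert per process whose file modifications reach BURST_THRESHOLD inside WINDOW
    and touch at least MIN_DIRECTORIES distinct directories."""
    recent = defaultdict(deque)   # (pid, proc) -> events still inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in {"write", "rename", "delete"}:
            continue
        key = (ev["pid"], ev["proc"])
        if ev["proc"] in ALLOW_LIST or key in flagged:
            continue
        window = recent[key]
        window.append(ev)
        while ev["ts"] - window[0]["ts"] > WINDOW:
            window.popleft()
        directories = {e["path"].rsplit("/", 1)[0] for e in window}
        if len(window) >= BURST_THRESHOLD and len(directories) >= MIN_DIRECTORIES:
            new_exts = sorted({e["dst"].rsplit(".", 1)[-1] for e in window if "dst" in e})
            flagged.add(key)
            alerts.append({
                "pid": ev["pid"], "proc": ev["proc"],
                "events_in_window": len(window), "directories": len(directories),
                "renamed_to": new_exts, "first_seen": window[0]["ts"], "last_seen": ev["ts"],
                "response": "isolate host and suspend process",  # the containment step an EDR takes
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only the `updater` process trips the detector, and it does so on its twentieth event, about three seconds into the burst, which is the window in which isolating the device still limits the damage. The allow-list and the directory-spread condition are where tuning happens in practice: backup agents, indexers and bulk copies generate exactly the raw volume a naive count would flag, so a useful detector looks at the shape of the activity, not just how much of it there is.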

Network segmentation

Separating systems so that a compromise in one part of the network does not automatically spread to everything else. A ransomware attack that reaches the accounts system should not be able to reach the production system, the backup system, or the client database simultaneously.

Tested incident response plan

A written plan that has never been tested is not a plan — it is a document. A tested plan, run through a tabletop exercise at minimum annually, gives your team the muscle memory to respond quickly when an actual attack occurs. Speed of response is directly correlated with cost of recovery.

 

Is Your Business Protected Against Ransomware in 2026?

Exodesk works with South Island businesses in Christchurch and Dunedin to build layered ransomware defences — from immutable backups and email security through to incident response planning and tested recovery procedures. Our fixed-price managed IT model means you have ongoing protection without unpredictable costs.

If your current ransomware protection is based on any of the myths above, we can help you identify the gaps and close them before an attack forces you to find out the hard way.

Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.

Frequently Asked Questions About Ransomware Myths

What are ransomware myths and why do they matter?

Ransomware myths are dangerous misconceptions about how ransomware attacks work, who gets targeted, and what protects against them. They matter because businesses that believe these ransomware myths tend to underinvest in the controls that actually reduce risk — making them significantly more vulnerable when an attack occurs. The most damaging ransomware myths are that small businesses are safe, that backups are sufficient, and that paying the ransom resolves the incident.

What is a ransomware attack?

A ransomware attack is a cyber attack in which criminals encrypt your business data and demand payment — typically in cryptocurrency — for the decryption key. In 2026, most ransomware attacks also involve data theft before encryption, meaning attackers can demand a second ransom to prevent publication of stolen data even after you pay to decrypt your files.

Are small NZ businesses really at risk from ransomware?

Yes — and increasingly so. Ransomware-as-a-Service has lowered the technical barrier for attackers, making small and medium businesses frequent targets precisely because they tend to have weaker defences than larger organisations. NZ cyber security research found nearly half of NZ ransomware attacks targeted SMEs, with the average cost of a breach reaching $173,000.

Should I pay the ransom if my business is hit?

Payment is not recommended and does not guarantee recovery. Attackers have no obligation to provide working decryption keys, and many businesses that have paid still lost their data or went out of business. In 2026, double and triple extortion mean paying the first demand frequently leads to second and third demands. Businesses that pay are also frequently targeted again. A tested backup and recovery plan is the only reliable alternative to payment.

What is double extortion ransomware?

Double extortion is a ransomware tactic in which attackers steal your data before encrypting it, then issue two separate ransom demands — one to decrypt your files and one to prevent publication of the stolen data on the dark web. Triple extortion adds a third layer, contacting your clients or patients directly and threatening to release their personal information. Both tactics are now standard in NZ ransomware incidents.

What is Ransomware-as-a-Service?

Ransomware-as-a-Service (RaaS) is a criminal business model in which skilled developers build ransomware tools and rent them to less technical affiliates who run the attacks and split the profits — typically 60% to the affiliate and 40% to the developer. RaaS has dramatically lowered the skill barrier for launching ransomware attacks, which is why NZ SMEs are increasingly targeted despite being smaller and lower-profile than enterprise victims.

Will backups protect my business from ransomware?

Standard backups alone are not sufficient. Modern ransomware operators spend weeks inside a network locating and disabling backup systems before triggering encryption. Protection requires immutable backups that cannot be altered or deleted, offline or air-gapped copies inaccessible via compromised credentials, and quarterly tested restores. Backups that have never been tested frequently fail when they are needed most.

How long does it take to recover from a ransomware attack?

NZ industry data shows that one in three ransomware victims took two months or more to fully recover. Recovery covers system rebuilding, data integrity verification, breach investigation, Privacy Act notification obligations, reputational management, and implementing additional security controls. A tested incident response plan significantly shortens recovery time.

What NZ legal obligations apply after a ransomware attack?

If a ransomware attack results in a data breach involving personal information that is likely to cause serious harm, the NZ Privacy Act 2020 requires notification to the Office of the Privacy Commissioner and, in most cases, to the affected individuals. Failing to notify in a timely manner can result in fines and reputational damage beyond the breach itself. Incident response planning should include clear notification protocols and designated contacts for regulatory communication.

Is antivirus software enough to prevent ransomware?

No. Modern ransomware uses polymorphic code that rewrites itself on each deployment, generating unique signatures that standard antivirus databases do not yet contain. Effective ransomware prevention requires layered defences including email filtering, endpoint detection and response, privileged access controls, network segmentation, and regular patching — not a single tool.

How does Exodesk help NZ businesses protect against ransomware?

Exodesk provides layered ransomware protection for South Island businesses from our offices in Christchurch and Dunedin. This includes immutable backup design and management, advanced email security, endpoint detection and response, access control reviews, network segmentation, and incident response planning. Our fixed-price managed IT model covers ongoing protection so businesses are not left to manage ransomware risk in isolation.
