In the first half of 2025, the number of ransomware attacks on Belgian organizations doubled. Belgium thus rose to the top 10 most affected countries worldwide. From the Antwerp hospital AZ Monica to parts specialist TVH in Waregem, ransomware affects companies of all sizes and in every sector.
The good news? With the right protection measures, you significantly reduce the risk. In this guide, you’ll learn how ransomware penetrates your business, what 7 layers of protection you need, what an attack could cost your SME, and what measures NIS2 now requires by law.
How ransomware invades your business
Ransomware is malicious software that encrypts your files and demands a ransom to release them. In modern attacks, criminals also steal your data first and threaten to publish it if you don’t pay. Victims are thus put under double pressure.
The three main entry points for ransomware among SMEs are:
Phishing emails remain by far the most commonly used method. According to the ENISA Threat Landscape 2025 report, about 60% of all ransomware attacks start via phishing. AI-generated phishing emails make the problem worse: they are grammatically perfect and barely distinguishable from genuine messages. Want to know how well your team recognizes phishing? A phishing simulation maps that out.
Vulnerable remote access is the second major vector. Unsecured Remote Desktop Protocol (RDP) connections, VPNs without multifactor authentication or outdated software with known vulnerabilities give attackers a direct gateway. A pen test or vulnerability scan reveals these vulnerabilities.
Supply chain compromise is gaining in importance. The attack on Brussels Airport in September 2025 is the perfect example: attackers struck the check-in system not directly, but through a vulnerability at supplier Collins Aerospace. One weak link in the chain suffices.
7 layers of protection against ransomware for SMEs
Effective ransomware protection is not a matter of installing one product. You need multiple layers of defense so that a breach of one layer does not immediately lead to a complete compromise. Here are the 7 layers every SME should implement.
1. E-mail filtering and anti-phishing
Since the majority of ransomware attacks start with an email, your mail filtering is the first line of defense. Invest in a solid spam filter that detects suspicious attachments and links. Combine this with regular phishing simulations to keep your employees on their toes. The CCB reported that Safeonweb received nearly 10 million reports of suspicious messages by 2025.
2. Patch management and vulnerability management
Attackers exploit known vulnerabilities in software that has not been updated in a timely manner. Establish a structural patch policy: operating systems, applications and firmware should be updated regularly and in a timely manner. Automate where possible, and prioritize patches for systems that are directly accessible via the Internet.
3. Network segmentation
Dividing your network into separate segments prevents ransomware from spreading throughout your organization after an initial infection. If a workstation in administration becomes infected, it should not provide direct access to your production environment or backup servers. Learn more about how network segmentation works and why it is a basic requirement.
4. Backup strategy: the 3-2-1-1 rule
A reliable backup is your last resort in the event of a ransomware attack. But standard backups aren’t enough: modern ransomware actively seeks out backup servers in order to encrypt or delete them as well. The Veeam 2025 study found that 89% of attacks targeted the backup environment.
The solution is the 3-2-1-1 rule, based on photographer Peter Krogh’s (2005) classic 3-2-1 backup rule, which is also endorsed by CISA:
- 3 copies of your data (the original + 2 backups)
- 2 different storage media (e.g., local drive and cloud)
- 1 copy offsite (protection against fire, theft or flooding)
- 1 copy immutable or air-gapped (cannot be altered or deleted, or is physically disconnected from the network)
That extra “1” is crucial. An immutable backup cannot be encrypted or deleted, not even by an attacker who has obtained administrator privileges. According to Veeam, only 45% of all backup storage is currently immutable. That leaves considerable room for improvement.
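To make the rule concrete, here is an added example (not part of the original article or of Cyberplan’s tooling) that evaluates a backup inventory against each clause of 3-2-1-1. The inventories at the bottom are constructed: a typical SME setup with a local NAS and a cloud mirror that an attacker with admin rights can still wipe, and the same setup with a retention-locked copy added.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str         # "disk", "tape", "object-storage", ...
    offsite: bool       # held at a different physical location than production
    immutable: bool     # retention-locked / write-once: cannot be altered, even by an admin
    air_gapped: bool    # physically or logically disconnected from the production network

def check_3_2_1_1(copies, production_medium="disk"):
    """Evaluate the inventory against each clause of the 3-2-1-1 rule.
    The production (original) data counts as one copy on `production_medium`."""
    media = {production_medium} | {c.medium for c in copies}
    return {
        "3 copies": len(copies) + 1 >= 3,
        "2 media": len(media) >= 2,
        "1 offsite": any(c.offsite for c in copies),
        "1 immutable or air-gapped": any(c.immutable or c.air_gapped for c in copies),
    }

def failing_clauses(copies, production_medium="disk"):
    """Names of the clauses the inventory does not meet; an empty list means compliant."""
    return [k for k, ok in check_3_2_1_1(copies, production_medium).items() if not ok]

# Constructed inventory: nightly copy to a NAS on the LAN plus a cloud mirror
TYPICAL_SME = [
    BackupCopy("nightly NAS", "disk", offsite=False, immutable=False, air_gapped=False),
    BackupCopy("cloud sync", "object-storage", offsite=True, immutable=False, air_gapped=False),
]
# Same inventory with a retention-locked copy added: the extra "1"
HARDENED = TYPICAL_SME + [
    BackupCopy("locked bucket", "object-storage", offsite=True, immutable=True, air_gapped=False),
]

if __name__ == "__main__":
    print("typical SME fails:", failing_clauses(TYPICAL_SME))   # only the immutable clause
    print("hardened fails:   ", failing_clauses(HARDENED))      # nothing
```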
Want to know how sophisticated ransomware groups target your backups? Then read our article on how hackers find your backups.
5. Endpoint Detection & Response (EDR)
Classic antivirus software works on the basis of known virus signatures. That is no longer sufficient against modern ransomware, which constantly changes form. EDR solutions monitor behavior on each device in real time and can automatically block and isolate suspicious activity, such as the mass encryption of files.
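The difference between signature-based and behavior-based detection is easiest to see in code. The following is an added example, not code from the article or from any EDR product: a simplified behavioral rule that flags a process renaming many files to an unexpected extension within a short window, run over a constructed set of file-system events (the process names, paths and threshold are assumptions).

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since start of the capture
    pid: int
    process: str
    action: str      # "write" or "rename"
    path: str        # path after the action

# Extensions that are normal on this (hypothetical) file share; anything else is unexpected.
EXPECTED_EXT = {"docx", "xlsx", "pptx", "pdf", "jpg", "txt"}

def unexpected_extension(path: str) -> bool:
    """True when the file now carries an extension outside the expected set (e.g. '.locked')."""
    parts = path.rsplit(".", 1)
    return len(parts) == 2 and parts[1].lower() not in EXPECTED_EXT

def detect_mass_encryption(events, window=60.0, threshold=20):
    """Alert on any process that touches >= threshold distinct files with unexpected
    extensions inside a sliding window of `window` seconds. Returns (process, pid, window_start)."""
    per_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if unexpected_extension(ev.path):
            per_proc[(ev.process, ev.pid)].append(ev)
    alerts = []
    for (proc, pid), evs in per_proc.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            if len({e.path for e in evs[start:end + 1]}) >= threshold:
                alerts.append((proc, pid, evs[start].ts))
                break                               # one alert per process is enough
    return alerts

def sample_events():
    """Constructed sample: a word processor saving 5 documents over two minutes, and one
    process renaming 30 spreadsheets to '.locked' in under ten seconds."""
    benign = [FileEvent(10 + i * 25, 1200, "winword.exe", "write", f"/share/finance/report{i}.docx") for i in range(5)]
    mass = [FileEvent(100 + i * 0.3, 4410, "updater.exe", "rename", f"/share/finance/invoice{i}.xlsx.locked") for i in range(30)]
    return benign + mass

if __name__ == "__main__":
    for proc, pid, t in detect_mass_encryption(sample_events()):
        print(f"ALERT: {proc} (pid {pid}) mass-renamed files starting at t={t}s; isolate the host")
```

A real EDR agent would add allowlists for legitimate bulk writers (backup agents, archivers) and correlate with file entropy, but the principle is the same: the rule fires on what the process does, not on what its binary looks like.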
6. Multifactor authentication (MFA)
MFA is one of the most cost-effective protection measures in existence. Criminals use stolen passwords in 29% of all ransomware attacks, according to Febelfin. MFA adds an additional layer of authentication, making a stolen password alone no longer sufficient. Enable MFA on all remote access points: VPN, email, cloud applications and remote desktop.
7. Security awareness training
Technology protects your systems, but your employees protect your organization. The VLAIO Cybersecurity Barometer 2024 shows that 42.8% of Flemish companies cite insufficient training and awareness as the biggest cyber risk. A structural awareness program, with regular training and simulated attacks, makes your team the first line of defense rather than the weakest link.
What does a ransomware attack cost your Flemish SME?
The financial impact of ransomware goes far beyond the ransom amount. According to the Eye Security Incident Response Report 2026, based on 630 incidents in the Benelux and Germany, the average ransom demand was €613,000. But the real cost is elsewhere.
A realistic cost scenario for a Flemish SME with 20 to 50 employees:
| Cost category | Estimated range | Explanation |
|---|---|---|
| Downtime and lost productivity | €20,000 – €50,000 | 3-7 days of downtime, employees unable to work |
| External IT assistance and forensics | €10,000 – €30,000 | Incident response, system recovery, forensic analysis |
| Loss of sales and contractual penalties | €15,000 – €100,000+ | Depending on sector and contractual obligations |
| Reputational damage and customer loss | Difficult to quantify | Long-term impact on trust |
Insurer Vanbreda Risk & Benefits analyzed claims from Belgian companies and found that 80% of cyber incidents with professional help were limited to €20,000 in damages. But for the remaining 20%, the costs quickly mounted: 4% of claims reached amounts in the millions, mainly due to prolonged business downtime.
The IBM Cost of a Data Breach Report 2025 confirms this pattern: the average cost of a data breach in the Benelux is $6.24 million (about €5.7 million), the third highest worldwide.
Belgian companies targeted: recent ransomware incidents
Ransomware is not an abstract risk. In recent years, dozens of Belgian companies and organizations have been affected, including well-known names from various sectors.
AZ Monica (January 2026) had to preemptively shut down all servers after a ransomware detection. Only 30% of scheduled care was able to continue; more than 70 patients were sent home. It took over a month for all IT systems to be operational again.
TVH Waregem (March 2023) was hit by LockBit ransomware. All systems went down: website, internal communications, ordering platform. Employees communicated via WhatsApp. Recovery took almost a full month. CFO Marc Oosterlinck afterwards called it “a good but very expensive lesson.”
Duvel Moortgat (March 2024) saw production shut down at all of its Belgian breweries after an attack by the Stormous group. Thanks to intact backups, recovery was relatively quick, but the attackers still published stolen company data. Read our detailed analysis of the Duvel attack.
City of Antwerp (December 2022) was disrupted for months. Estimated damages amounted to up to €70 million. Read more details in our article on the hack at City of Antwerp.
In 2025, the CCB recorded a total of 105 ransomware incidents and conducted 103 emergency interventions. The actual number is undoubtedly higher: not every incident is reported.
NIS2 mandates ransomware protection
Since Oct. 18, 2024, the Belgian NIS2 law has been in effect. It requires essential and important entities to take concrete cybersecurity measures, several of which relate directly to ransomware protection.
Article 30 of the law (the transposition of Article 21 of the EU directive) mandates 11 specific measures. The most relevant for ransomware protection are:
- Backup management and business continuity: you are required to have tested backups and a disaster recovery plan
- Incident handling: procedures for incident detection, analysis, control and response
- Cyber hygiene and training: structural awareness training for employees
- Multifactor authentication: secure authentication solutions are explicitly included
- Supply chain security: you must assess suppliers for cybersecurity
Article 31 additionally places personal liability on directors: they must approve the measures, oversee implementation, and undergo cybersecurity training themselves. For non-compliance, essential entities risk fines of up to €10 million or 2% of annual global turnover.
The first conformity assessment deadline is fast approaching: April 18, 2026. Want to know what NIS2 means concretely for your company? Read our complete NIS2 guide for Flemish companies.
VLAIO grants: ransomware protection becomes affordable
The Flemish government realizes that cybersecurity for SMEs is an investment that not everyone can bear on their own. Therefore, there are two subsidy mechanisms that significantly reduce your investment in ransomware protection.
The VLAIO Cybersecurity Improvement Programs subsidize up to 50% of a guided cybersecurity pathway. That includes an audit, implementation of protection measures and follow-up. Cyberplan is an approved pathway partner. A concrete calculation example: a €10,000 improvement pathway costs you only €5,000 after the subsidy.
In addition, since Feb. 1, 2026, the SME portfolio offers grants exclusively for cybersecurity advice: 45% for small enterprises and 35% for medium-sized enterprises, up to a maximum of €7,500 per year.
Want to know more about grant opportunities? Read our article on the VLAIO cybersecurity improvement program.
Frequently asked questions about ransomware protection
What is the most effective measure against ransomware?
No single measure provides complete protection. The combination of immutable backups, multifactor authentication and security awareness training is the most effective basic package. Sophos research (2025) shows that only 54% of organizations use backups for recovery after ransomware, the lowest percentage in 6 years.
What does ransomware protection cost for an SME?
The investment depends on your current security level and company size. A cybersecurity audit as a starting point costs on average around €4,700 for a medium-sized company (after deduction of SME portfolio). Through VLAIO grants, you get 45-50% back on your investment. That’s a fraction of the potential damage in the event of an attack.
Do I have to pay a ransom in a ransomware attack?
Experts and the CCB strongly advise against it. Payment does not guarantee data recovery and encourages criminals. The Hiscox Cyber Readiness Report (2024) found that only 18% of payers recovered all their data. Major Belgian victims, including Picanol, Duvel Moortgat, TVH and Stad Antwerpen, did not pay a ransom.
Does my SME fall under the NIS2 requirement for ransomware protection?
NIS2 applies to organizations in certain industries with at least 50 employees and €10 million in revenue. But smaller companies may also be indirectly affected: large customers or clients may contractually impose cybersecurity requirements on their suppliers.
How quickly can my company recover after a ransomware attack?
It depends greatly on your preparation. Companies with tested, immutable backups and an incident response plan recover within days. Without that preparation, recovery can take weeks to months. At TVH, recovery took nearly a month; AZ Monica needed more than a month.
What should I do if my company is hacked now?
Immediately isolate the affected systems from the network, but do not shut them down (forensic traces in memory would be lost). Call your IT manager or a cybersecurity partner. Read our roadmap: Business hacked? These are the first 7 steps.
Start your ransomware protection today
Ransomware doesn’t wait for your planning. With the NIS2 deadline of April 18, 2026 approaching and the number of attacks on Belgian companies continuing to rise, now is the time to take action.
The first step? A cybersecurity audit that maps out where your organization stands and which layers of protection should be prioritized. Our certified experts (OSCP, CISSP, CEH, CISM) translate the results into a concrete roadmap with quick wins and structural improvements, in plain language.
And through the VLAIO grants, you never pay the full amount yourself.
Schedule a no-obligation consultation and find out how Cyberplan protects your business from ransomware.