Practical guide

Ransomware in Morocco: what to do in an attack and how to protect

Ransomware in Morocco — the attack chain, from initial access to ransom demand.

Ransomware has become the threat that turns a technical incident into a business crisis. In Morocco it hits the SME that discovers one morning its servers are encrypted just as readily as the subsidiary of an international group whose operations grind to a halt. Two questions always come up, and in this order: what to do now while the attack is under way, and how to prevent it from happening again. This guide answers both, operationally, from the point of view of a firm that helps organizations reduce this risk before the incident and measure their exposure after.

What is ransomware?

In one sentence: ransomware is malicious software that encrypts your data — and, increasingly, steals it first — then demands a ransom in exchange for the decryption key and its silence.

The model has evolved. Modern attacks practice double extortion: before encrypting, the attacker exfiltrates your sensitive data and threatens to publish it if you do not pay — so a backup alone no longer protects you from blackmail. Ransomware has also industrialized as Ransomware-as-a-Service: groups rent their tooling to affiliates, which multiplies the number of attackers and lowers the technical bar. The target is therefore no longer only the large enterprise: any organization that is reachable and able to pay is in scope.

How does a ransomware attack work?

Direct answer: encryption is the last step, not the first. Understanding the attack chain is understanding where to stop it.

The ransomware attack chain: initial access, lateral movement, privilege escalation, exfiltration, then encryption and ransom demand — with a detection window of days to weeks before encryption.

A typical attack unfolds in several stages: an initial access — most often through phishing, an internet-exposed service (RDP, a misconfigured VPN) or an unpatched flaw — then lateral movement across the network, privilege escalation up to administrator accounts, exfiltration of sensitive data, and only at the end the encryption followed by the ransom demand. Between initial access and encryption, days often pass, sometimes weeks. That window — and each of its stages — is what a well-built defense seeks to detect and interrupt.
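To make that detection window concrete, here is an added example (not part of the original guide) of the kind of logic a SIEM rule or a small script applies to logon events in the days before encryption. It is Python over constructed Windows Security logon events: 4625 is a failed logon, 4624 a successful one, logon type 10 an RDP session and logon type 3 a network logon. The key=value line format, the hostnames and addresses, and the thresholds are assumptions for the example, not a vendor format or a tuned rule set.

```python
"""Detect the pre-encryption window in logon events (added example, constructed data).

Two heuristics over Windows Security logon events (4625 failed, 4624 success;
logon type 10 = RDP / RemoteInteractive, logon type 3 = network logon):
  1. rdp_bruteforce_success: many failures from one source address, then a
     success from that same address (initial access through exposed RDP).
  2. lateral_movement: one account opening network logons on several distinct
     hosts inside a short window (the spread that precedes exfiltration).
The key=value line format and the thresholds are assumptions for this example,
not a vendor format; adapt LINE_RE to your SIEM's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<ltype>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"ts": datetime.fromisoformat(d["ts"]), "host": d["host"],
                           "event": int(d["event"]), "ltype": int(d["ltype"]),
                           "user": d["user"].lower(), "src": d["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Alert when a source accumulates >= threshold RDP failures inside `window`
    and then logs on successfully over RDP from the same address."""
    failures = defaultdict(list)  # source address -> timestamps of 4625/type-10 events
    alerts = []
    for e in events:
        if e["ltype"] != 10:
            continue
        if e["event"] == 4625:
            failures[e["src"]].append(e["ts"])
        elif e["event"] == 4624:
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "rdp_bruteforce_success", "src": e["src"],
                               "user": e["user"], "host": e["host"],
                               "failures": len(recent), "at": e["ts"]})
            failures[e["src"]].clear()  # a success ends this series of attempts either way
    return alerts


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=30)):
    """Alert once per account that opens network logons on >= min_hosts distinct
    hosts within `window` (sliding window over that account's logons)."""
    by_user = defaultdict(list)  # account -> [(timestamp, host)] of 4624/type-3 events
    for e in events:
        if e["event"] == 4624 and e["ltype"] == 3:
            by_user[e["user"]].append((e["ts"], e["host"]))
    alerts = []
    for user, logons in by_user.items():
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement", "user": user,
                               "hosts": sorted(hosts), "at": start})
                break  # one alert per account is enough for triage
    return alerts


def run(lines):
    events = parse(lines)
    return detect_rdp_bruteforce(events) + detect_lateral_movement(events)


def constructed_log():
    """Constructed sample: a password-guessing run from the internet against RDP that
    succeeds, then the stolen admin account fanning out to file, database and backup
    servers, plus two benign lines (a user typo, a service account doing its job)."""
    t0 = datetime(2024, 5, 3, 2, 0, 0)

    def stamp(**delta):
        return (t0 + timedelta(**delta)).isoformat()

    lines = [f"{stamp(seconds=20 * i)} host=SRV-RDP01 event=4625 logon_type=10 "
             f"user=Administrator src=203.0.113.7" for i in range(12)]
    lines.append(f"{stamp(minutes=5)} host=SRV-RDP01 event=4624 logon_type=10 "
                 f"user=Administrator src=203.0.113.7")
    for minutes, host in ((12, "SRV-FILE01"), (18, "SRV-DB01"), (25, "SRV-BACKUP01")):
        lines.append(f"{stamp(minutes=minutes)} host={host} event=4624 logon_type=3 "
                     f"user=Administrator src=10.0.0.15")
    lines.append(f"{stamp(minutes=1)} host=SRV-RDP01 event=4625 logon_type=10 user=jdoe src=10.0.0.44")
    lines.append(f"{stamp(minutes=3)} host=SRV-FILE01 event=4624 logon_type=3 user=svc_backup src=10.0.0.9")
    return lines


if __name__ == "__main__":
    for alert in run(constructed_log()):
        print(alert)
```

Either alert on its own is a reason to look; the two together, in that order and on the same account, are the textbook pre-encryption picture, and the admin account reaching the backup server is the moment to act. Thresholds need tuning to your environment: a jump host or a vulnerability scanner will trip the lateral-movement rule on legitimate activity, which is why the alert is per account and lists the hosts, so an analyst can dismiss a false positive in seconds.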

What to do in a ransomware attack? The first hours

Direct answer: isolate, preserve evidence, pay nothing in haste, and restore from clean backups once the entry point is closed. In order:

  1. Isolate, without destroying everything. Disconnect affected machines from the network (unplug the cable, turn off Wi-Fi) to stop the spread. Avoid powering systems off abruptly if you can: RAM and logs hold valuable clues for the investigation, and for some strains a memory capture has yielded key material an analyst could use. Containment still comes first: if a machine is actively encrypting and you cannot cut its network access, pulling the plug is the lesser evil.
  2. Preserve the evidence. Do not reformat or overwrite machines right away. Without them, it is impossible to understand how the attacker got in — and therefore to stop them coming back. Evidence also serves any regulatory or insurance process.
  3. Activate the crisis team. Bring the right people together — leadership, IT, communications, legal counsel — per your response plan. If you do not have one, immediately name a coordination lead.
  4. Assess the extent and the state of backups. What is encrypted? What may have been exfiltrated? Are your backups intact and beyond the attacker’s reach?
  5. Check your obligations. Depending on your exposure, a notification may be required: to the CNDP under Law 09-08 if personal data is involved, or to the DGSSI under Law 05-20 for the entities in scope. Confirm this with your counsel: we do not provide legal advice.
  6. Do not pay under the pressure of panic (see the next section).
  7. Restore cleanly. Find and close the entry point before restoring, or you will be re-encrypted. Rebuild from backups whose integrity you have verified.
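One concrete way to carry out the file-share side of step 4, as an added example that is not part of the original guide: a Python script run against a read-only mount or a forensic copy of an affected share. It counts files renamed with the encryptor's extension, hashes the ransom notes for the evidence log (step 2), and flags files whose content is near-random, which catches data encrypted in place under its original name. The extension .locked, the note name readme_restore.txt, the entropy threshold and the sample tree it builds in a temporary directory are all constructed for the example; substitute what you actually observe on the affected hosts.

```python
"""Triage the scope of an encryption event from a read-only view of a share (added example).

Supports the "assess the extent" step: walk a tree WITHOUT writing to it and report
(a) files carrying the extension the encryptor appends, (b) ransom notes with their
SHA-256 for the evidence log, and (c) files whose content is near-random, which is what
encrypted data looks like even when the filename was left unchanged.
RANSOM_EXT and NOTE_NAMES are placeholders: use what is observed on the affected hosts.
The sample tree is constructed in a temporary directory for this example.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".locked"                # placeholder for the extension seen on the hosts
NOTE_NAMES = {"readme_restore.txt"}   # placeholder for the note filename seen on the hosts
# Formats that are high-entropy by design; entropy alone must not call them "encrypted"
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}
HEAD_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # bits per byte: random data is ~8.0, natural-language text ~4 to 5


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def assess(root):
    """Return a report dict; opens files read-only and never modifies the tree."""
    report = {"renamed": [], "notes": {}, "high_entropy": [], "per_dir": {}}
    for dirpath, _, files in os.walk(root):
        hits = 0
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in NOTE_NAMES:
                report["notes"][path] = sha256_file(path)  # hash it now, before anyone touches it
                continue
            ext = os.path.splitext(lower)[1]
            if ext == RANSOM_EXT:
                report["renamed"].append(path)
                hits += 1
                continue
            with open(path, "rb") as f:
                head = f.read(HEAD_BYTES)  # only the head: cheap on a multi-terabyte share
            if (len(head) >= 256 and ext not in ALREADY_COMPRESSED
                    and shannon_entropy(head) >= ENTROPY_THRESHOLD):
                report["high_entropy"].append(path)
                hits += 1
        if hits:
            report["per_dir"][os.path.relpath(dirpath, root)] = hits
    return report


def build_sample_tree():
    """Constructed sample: a 'finance' folder hit by the encryptor, an untouched 'hr' folder."""
    root = tempfile.mkdtemp(prefix="ransomware-triage-")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "finance", "budget.xlsx.locked"), "wb") as f:
        f.write(os.urandom(8192))           # renamed and encrypted
    with open(os.path.join(root, "finance", "notes.txt"), "wb") as f:
        f.write(os.urandom(8192))           # encrypted in place, name unchanged
    with open(os.path.join(root, "finance", "readme_restore.txt"), "w") as f:
        f.write("Your files are encrypted. Contact us to recover them.\n")  # constructed note
    with open(os.path.join(root, "hr", "policy.txt"), "w") as f:
        f.write("Employee handbook, section 1: working hours.\n" * 100)    # plain text
    with open(os.path.join(root, "hr", "photo.jpg"), "wb") as f:
        f.write(os.urandom(8192))           # high entropy by nature, must not be flagged
    return root


if __name__ == "__main__":
    result = assess(build_sample_tree())
    print(f"{len(result['renamed'])} renamed, {len(result['high_entropy'])} high-entropy, "
          f"{len(result['notes'])} ransom notes; per directory: {result['per_dir']}")
```

Run it from a clean workstation against a read-only mount or a copy, never by writing tooling onto the affected system, so the evidence stays untouched. Entropy is a triage signal, not a verdict: archives, images and Office files are high-entropy by design, which is why the script skips those extensions, and a responder should confirm a sample of the flagged files by hand before reporting a count to the crisis team.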

These steps are a general framework, not a substitute for incident response run live by specialists. If the attack is active, mobilize the necessary skills without delay.

Should you pay the ransom?

Direct answer: as a rule, no — payment is a last resort, not a solution, and the authorities as well as most specialists advise against it.

The reasons are concrete. Paying does not guarantee recovery: a share of victims who pay never recover fully usable data. Payment funds criminal activity and marks you as a target willing to pay — which raises the risk of a repeat. It can also expose you legally, particularly if the receiving group is under sanctions. And in a double-extortion scheme, paying does not erase the fact that your data was stolen: nothing proves it will not be resold. The decision belongs to your leadership and your counsel; it must be made calmly, knowing the real state of your backups, never under the sole pressure of a countdown.

How to recover data after ransomware?

Direct answer: the only reliable path is restoration from clean backups — after identifying and closing the entry point.

Before any restoration, make sure the attacker no longer has access: restoring onto a still-compromised environment means being re-encrypted moments later. Verify backup integrity (a backup that is itself encrypted or corrupted is not one) and rebuild from trusted images. For some strains a free decryption tool exists; the No More Ransom project lists them, but that is the exception, not the plan. If your backups are unusable, the options narrow drastically: that is exactly the scenario prevention exists to spare you.

How to protect against ransomware?

Direct answer: no single measure is enough; resilience comes from several layers that together make the attack hard to run and quick to contain.

  • Backups on the 3-2-1 rule, tested and offline. Three copies, two media, one off-site — and at least one immutable or disconnected copy, beyond the reach of an attacker who has taken over the network. A backup that has never been tested is not a backup.
  • Reduce the attack surface. Multi-factor authentication (MFA) everywhere, starting with VPN, remote-access and administrator accounts; no RDP reachable from the internet (put it behind the VPN); patches applied first on internet-facing systems, VPN and firewall appliances included. Most intrusions go through one of those three points.
  • Segment the network. Compartmentalizing limits lateral movement: a compromised machine must not open the whole information system.
  • Detect early. Centralized logging and a detection solution on endpoints and servers (EDR) to catch the reconnaissance phase before encryption.
  • Raise phishing awareness. Phishing remains the leading initial-access vector — your teams’ vigilance is a line of defense in its own right.
  • Prepare and exercise the response. A written incident response plan, up-to-date contacts and a tabletop exercise turn panic into procedure.
  • Verify that all of this holds. A security assessment or a penetration test puts your segmentation, your access and your backups’ ability to get you running again to a real test — before an attacker does it for you.
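The "tested" in "tested and offline", and the "verify backup integrity" of the recovery section above, come down to one routine: restore somewhere harmless and compare the result with what you recorded at backup time. As an added example that is not part of the original guide, the Python below writes a tar.gz with a manifest of SHA-256 hashes, restores it into a scratch directory and checks every file against the manifest, then shows what the check reports when the archive has been truncated or overwritten with ciphertext, which is what ransomware does to any backup file it can reach. Paths, contents and the simulated damage are constructed for the example.

```python
"""Restore-test a backup (added example): a backup you have never restored is not a backup.

make_backup() writes a tar.gz of a directory plus a manifest of per-file SHA-256 hashes
taken at backup time. Keep the manifest on a different medium than the archive: an
attacker who reaches the backup share and encrypts or truncates the archive cannot
make it match a manifest stored elsewhere. verify_restore() extracts the archive into a
fresh scratch directory (never over production) and compares every file with the
manifest, so a corrupted, truncated or encrypted archive fails now, not on the day you
need it. Paths, contents and the damage() helper are constructed for this example.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(source_dir, archive_path, manifest_path):
    """Archive source_dir and record the hash of every file it contained."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for dirpath, _, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, source_dir)
                with open(full, "rb") as f:
                    manifest[rel] = _sha256(f.read())
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify_restore(archive_path, manifest_path):
    """Return (ok, problems): restore into a scratch directory and check it against the manifest."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        with tarfile.open(archive_path, "r:*") as tar:
            for member in tar.getmembers():
                # Refuse members that would escape the scratch directory
                if os.path.isabs(member.name) or ".." in member.name.split("/"):
                    return False, [f"unsafe member path in archive: {member.name}"]
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        # A corrupted, truncated or attacker-encrypted archive lands here
        return False, [f"archive unreadable: {type(exc).__name__}: {exc}"]
    restored = {os.path.relpath(os.path.join(d, n), scratch)
                for d, _, names in os.walk(scratch) for n in names}
    problems = []
    for rel, expected in sorted(manifest.items()):
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
            continue
        with open(os.path.join(scratch, rel), "rb") as f:
            if _sha256(f.read()) != expected:
                problems.append(f"content differs from manifest: {rel}")
    for rel in sorted(restored - set(manifest)):
        problems.append(f"file not in manifest: {rel}")
    return not problems, problems


def damage(archive_path, how):
    """Simulate what a ransomware run does to a backup file it can reach (constructed)."""
    size = os.path.getsize(archive_path)
    if how == "encrypt":      # whole file replaced by ciphertext-looking bytes
        with open(archive_path, "wb") as f:
            f.write(os.urandom(size))
    elif how == "truncate":   # archive cut short: interrupted copy or partial overwrite
        with open(archive_path, "r+b") as f:
            f.truncate(size // 4)
    else:
        raise ValueError(how)


def build_demo():
    """Constructed data: a small source tree, its backup and its manifest, in a temp directory."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(base, "data")
    os.makedirs(os.path.join(src, "finance"))
    with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
        f.write("date,amount\n2024-05-01,1200\n" * 50)
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly planning\n")
    archive = os.path.join(base, "data.tar.gz")
    manifest = os.path.join(base, "data.manifest.json")  # in practice: on another medium
    make_backup(src, archive, manifest)
    return archive, manifest


if __name__ == "__main__":
    archive, manifest = build_demo()
    print("fresh backup:", verify_restore(archive, manifest))
    damage(archive, "encrypt")
    print("after encryption of the archive:", verify_restore(archive, manifest))
```

The manifest only protects you if it lives where the attacker who encrypts the archive cannot also rewrite it: a different medium, an immutable object store, or the offline copy itself. Scheduled after every backup job and wired to an alert on any failure, this routine is the minimum that turns "we have backups" into "we can restore"; a full restore drill of a real server onto spare hardware, timed, is the test that tells you whether the recovery objective the business expects is achievable.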

The Moroccan context: obligations and market pressure

In Morocco, the framework is taking shape. Law 05-20 on cybersecurity and the DGSSI reference frameworks define obligations for administrations, vital infrastructure and the operators in scope; Law 09-08, supervised by the CNDP, governs the personal data a breach may touch. In parallel, pressure comes from the market: cyber insurers requiring measures before they cover you, large clients and European partners asking pointed questions about your resilience. We do not provide legal advice — interpreting these texts is for your counsel — but we make your level of protection demonstrable against these requirements.

How HackingByte helps

Our role sits before and after the incident, not in place of a live response team. Before, we reduce the risk and make it measurable: a security assessment that reveals your exposure paths, a penetration test that verifies segmentation, access and backups actually hold, and GRC advisory that helps build a response plan and a governance structure that withstand contact. After an incident, we run a security assessment to understand how the attacker got in and close the breach for good. Every engagement is senior-led and ends with reproducible evidence and a prioritized action plan, not a PDF of alarm.

Where to start

If you want to know where you really stand against ransomware — would your backups get you running again, would your network contain an intrusion, would an insurance review find holes — a scoped security assessment answers directly. If a threat is already active, handle the emergency first with the right skills, then let’s talk about what comes next.


Frequently asked questions

What is ransomware?

Malicious software that encrypts your data — and often steals it beforehand — then demands a ransom in exchange for the decryption key and its silence. Modern attacks practice double extortion: backing up is no longer enough to guard against the threat of publication.

What should you do in a ransomware attack?

Isolate affected machines from the network without abruptly powering everything off, preserve the evidence, activate a crisis team, assess the extent and the state of backups, check your notification obligations, and restore from clean backups once the entry point is closed. Do not pay in haste.

Should you pay the ransom?

As a rule, no. Paying does not guarantee recovery, funds criminal activity, marks you as a target and can expose you legally. It is a last resort, decided calmly with your leadership and your counsel, never under sole pressure.

How do you recover data after ransomware?

By restoring from clean backups, after closing the entry point so you are not re-encrypted. A decryption tool sometimes exists for a given strain (the No More Ransom project), but that is the exception. Without usable backups, the options are very limited.

How do you protect a company against ransomware?

Through several layers: 3-2-1 backups tested and offline, MFA and closing exposed access, patching, network segmentation, detection (EDR and logging), phishing awareness, and an exercised response plan. A penetration test verifies these defenses actually hold.

How does ransomware get into a system?

Most often through phishing, an internet-exposed service (RDP, a misconfigured VPN) or an unpatched flaw. Encryption only comes after a phase of movement across the network, which leaves a window to detect and stop the attack.

Is a Moroccan SME really concerned?

Yes. The industrialization of ransomware (Ransomware-as-a-Service) targets any organization that is reachable and able to pay, whatever its size. SMEs are often targeted precisely because they are less prepared.

  • Security assessments — measure your ransomware exposure before the incident, or understand the breach after.
  • Penetration testing — verify that segmentation, access and backups hold against an attacker.
  • GRC advisory — response plan, governance and resilience that hold between audits.

Read next: Phishing in Morocco: recognize an attack and protect your company. Operating in Morocco? See how we work: Cybersecurity in Morocco.
