
Building Ransomware Resilience in the wake of shifting ransomware trends

Ransomware has become a significant risk factor for organisations worldwide. Allan Liska, threat intelligence analyst at Recorded Future, examines emerging ransomware trends, highlighting how attackers are adapting their tactics and why companies are increasingly shifting towards proactive threat-hunting strategies rather than waiting to respond after an incident.

The UK government has identified ransomware as the most pressing serious and organised cybercrime threat and is introducing measures to strengthen protection for both public and private sectors. Current proposals include a ban on ransom payments by public sector organisations and a regime to restrict payments by private enterprises. While these steps aim to reduce incentives for criminals, they raise an important question: could such restrictions prompt attackers to target entities not bound by legislation? Many companies are unwilling to take that risk and are moving to bolster defences now rather than wait to see how events unfold.

The evolving risks of ransomware

Ransomware continues to be the most lucrative form of cybercrime, offering rapid returns with relatively low technical barriers. While other cybercrimes, such as business email compromise or fraud schemes, can generate high returns, they typically require months of effort and careful orchestration.

Ransomware operators follow well-established playbooks for gaining initial access, moving within networks, extracting payments, and laundering funds. Even less experienced groups can achieve results by leveraging a wider ecosystem of supporting actors and services. Threat actors are continuously adapting, developing new tactics to challenge even the most advanced organisational defences.

Key trends in ransomware tactics and attacker evolution

Ransomware groups are increasingly targeting help desks as an entry point into corporate systems. These attacks rely on impersonation and social engineering to bypass security measures.

One common tactic involves overwhelming an employee with phishing emails, then calling them while posing as the help desk to “resolve” the issue. Groups such as Black Basta have used this approach to gain direct access to systems.

Another method sees criminals impersonating employees when contacting the help desk, persuading staff to reset passwords or disable multi-factor authentication. This type of attack was observed in the Clorox breach, where attackers exploited human trust and procedural gaps rather than technical vulnerabilities.

Generative Artificial Intelligence (AI) is giving cybercriminals sophisticated tools to manipulate trust and influence human behaviour. These attacks extend well beyond basic phishing emails, evolving into highly personalised campaigns that persuade employees to act in ways they ordinarily would not.

The process often begins with footprinting, where attackers analyse a target’s digital presence — from professional profiles to casual social posts — to learn how individuals communicate, who they interact with, and which topics resonate with them.

AI then amplifies this intelligence. Criminals can craft messages in a company’s style, clone voices with local accents, and reference real colleagues or workplace events. These capabilities make scams appear authentic enough for victims to bypass security protocols, share login codes, or authorise unusual actions in the belief they are helping a trusted contact.

AI also broadens access to these tactics. For example, while help desk attacks were once largely associated with Western groups such as Scattered Spider or ShinyHunters, Russian threat actors are now using AI to translate scripts and impersonate employees in native languages. This ability to convincingly adopt any persona makes such attacks far more difficult to detect and resist.

The real risk lies not in AI itself, but in its fusion with social engineering. By exploiting human instincts such as trust, helpfulness, and urgency, attackers can influence decisions that would normally trigger suspicion.

Rather than directly attacking a target business, cybercriminals are increasingly focusing on finding gateways in supply chains. For example, hackers might find software partners, which they know their victim will trust and rely on. An attack will then leverage zero-day flaws in software or hardware to gain undetected access to the partner’s network and create a hard-to-detect route into the main target’s secure systems, to deploy ransomware. 

The shift towards proactive threat management

An increasing number of organisations are moving beyond a purely defensive cybersecurity approach towards a proactive strategy. This includes the use of cyber threat intelligence, enabling companies to act as threat hunters. Security teams actively monitor the evolving threat landscape to understand potential attack vectors. By analysing attacker tactics, businesses can anticipate, prioritise, and mitigate risks before they escalate into incidents that disrupt operations or cause significant damage.

Ransomware threats continue to evolve rapidly, and cyber threat intelligence provides enhanced visibility into the challenges organisations face. Four specific ransomware trends illustrate how quickly attackers are adapting their tactics.

How can companies fight back?

A multi-layered, threat intelligence programme can monitor and determine how ransomware threats are changing shape. This creates opportunity for proactive mitigation. For example, against wiper-style attacks, the most critical action is to ensure the recoverability of core systems and data, regardless of whether ransomware is deployed. This includes implementing immutable, offline backups that cannot be altered or deleted by attackers, as well as regularly testing restoration procedures under simulated attack conditions. Since data exfiltration typically occurs before destruction, organisations must also strengthen data loss prevention and insider threat detection capabilities, ensuring sensitive assets are tagged, monitored, and access is tightly controlled.

Moreover, every month tens of millions of credentials leaked by infostealer malware are dumped on criminal marketplaces, making it highly likely that credentials belonging to any given organisation are available cheaply to anyone who wants them. Organisations need to monitor for these leaked credentials and take action when they are discovered. Of course, multi-factor authentication is important, but so is acting promptly: forcing password changes as soon as leaked credentials are discovered or reported.
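As an added illustration of the leaked-credential response described above (example code written for this article, not from Recorded Future or the author), the following Python triage assumes a constructed dump feed in `host|username|password|first_seen` form and a constructed directory lookup of each account's last password change; it decides which accounts still need a forced reset and which already rotated after the leak was seen.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of infostealer-dump records as a marketplace feed might
# deliver them: "host|username|password|first_seen". Made-up values only.
LEAKED_RECORDS = [
    "vpn.example.com|Alice@Example.com|Winter2024!|2025-03-02T10:15:00Z",
    "mail.example.com|bob@example.com|hunter2|2025-01-20T08:00:00Z",
    "shop.other.org|carol@other.org|pa55word|2025-03-01T12:00:00Z",
    "vpn.example.com|Alice@Example.com|Winter2024!|2025-03-02T10:15:00Z",  # dup
    "garbage line without fields",
]

ORG_DOMAIN = "example.com"

# Constructed stand-in for the identity directory: when each account last
# rotated its password. A real deployment would query AD or the IdP for this.
DIRECTORY = {
    "alice@example.com": datetime(2024, 11, 5, tzinfo=timezone.utc),
    "bob@example.com": datetime(2025, 2, 1, tzinfo=timezone.utc),
}

@dataclass(frozen=True)
class Action:
    user: str
    decision: str      # "force_reset" or "already_rotated"
    seen_at: datetime  # most recent time the credential appeared in a dump

def triage(records, directory, domain):
    """Decide per account whether a leaked credential still needs a forced reset."""
    results = {}
    for line in records:
        parts = line.split("|")
        if len(parts) != 4:
            continue                     # malformed feed line: skip, do not crash
        _host, user, _password, seen = parts
        user = user.strip().lower()      # dumps mix case; directory keys are lower
        if not user.endswith("@" + domain):
            continue                     # credential belongs to another organisation
        last_change = directory.get(user)
        if last_change is None:
            continue                     # unknown or departed user: nothing to reset
        seen_at = datetime.fromisoformat(seen.replace("Z", "+00:00"))
        # A password rotated after the leak was first seen is already dead;
        # one unchanged since before the leak must be reset now.
        decision = "force_reset" if seen_at >= last_change else "already_rotated"
        prev = results.get(user)
        if prev is None or seen_at > prev.seen_at:   # keep the latest sighting
            results[user] = Action(user, decision, seen_at)
    return sorted(results.values(), key=lambda a: a.user)
```

In practice the `force_reset` decision would also revoke active sessions and tokens, since a valid password may already have been used to establish them.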

Defending against ransomware attacks delivered via zero-day vulnerabilities requires full supply chain risk management. This can include tracking third-party dependencies, validating update integrity through code signing, and requiring vendors to demonstrate secure development practices.

Additionally, organisations must maintain a mature vulnerability management programme capable of rapidly ingesting threat intelligence, assessing exploitability, and deploying emergency patches or compensating controls before widespread abuse occurs. This means being able to act within days, not weeks. When a new vulnerability is announced, especially for common platforms targeted by ransomware groups and the initial access brokers that support them – such as SSL VPNs or certain firewalls – scanning for that vulnerability starts almost immediately and exploitation starts within 24-48 hours.

The emergence of ‘lone wolf’ ransomware attackers means that the successful takedown or disruption of an RaaS group by law enforcement doesn’t necessarily spell the end of that group’s ransomware. Organisations need to be alert to this and continue to monitor for code, tools and techniques from RaaS groups they believe to be defunct or lower risk.

Being aware of how attackers are using AI in ransomware attacks is crucial to adapting and testing defences. For example, regular employee training and communications should be informed by changing criminal techniques. Staff have to be shown realistic examples of the risks they face, with simulated exercises creating awareness of how convincing AI-assisted attacks can be.  

The future of ransomware

With ransomware attacks targeting organisations of every size and sector, both public and private entities must treat cyber security as a strategic business risk. There is no single, universal defence, as attacks can originate from many directions. Effective protection requires a clear understanding of the threat landscape and a coordinated response across the organisation. The encouraging news is that many organisations already possess the necessary tools. Success often comes down to refining existing capabilities to safeguard the business, its workforce, and its customers.
