Strengthening cybersecurity and resilience should be a key priority for organisations. A survey of 5,000 small and medium-sized businesses across four continents by Mastercard reveals that 46% have suffered a cyberattack.
Similar numbers are reported in the UK government’s ‘Cyber Security Breaches Survey 2025’. This shows just over four in ten businesses (43%) experienced a cybersecurity breach or attack in the last 12 months, with numbers slightly higher at 48% among finance or insurance companies.
The risk of cyberattacks is a high priority for government. The Cyber Security and Resilience Bill is progressing through Parliament, with plans for this to be introduced in 2025. New legislation is intended to be pro-business to support economic growth, while addressing the growing risk posed by cyber criminals and hostile states. This involves a strong focus on ransomware attacks.
UK government has recently consulted on ransomware legislative proposals, as it considers ransomware ‘the greatest of all serious and organised cyber crime threats’. High-profile ransomware attacks in recent months and years, spanning both the public and private sectors, have shown the serious disruption that this type of breach can cause to systems and networks.
It’s now more crucial than ever that organisations remain alert to the threats of ransomware. Legislation is likely to make new requirements of how these attacks are approached and handled, while ransomware threats evolve at pace. There are four ransomware trends in particular that organisations should be aware of.
Four key ransomware trends
1) AI-assisted scams. Attackers are exploiting generative Artificial Intelligence (AI) to increase the scale and plausibility of IT helpdesk scams. In most cases, this is a phishing method, where criminals impersonate IT support to trick unsuspecting employees into revealing genuine user access credentials. Secure systems can then be accessed to deploy ransomware.
The voice generating and changing capabilities of AI can be used to create human-sounding voices, with accents regionalised to make them seem realistic. The tech can also be used to harvest information about employees being targeted. Conversations led by scammers seem increasingly convincing, as they may reference real workplace situations or colleagues. Employees perceive the attacker to be legitimate and are socially engineered into sharing passwords and other authentication details they may otherwise be more guarded about.
2) Ransomware and wipers. There’s an emerging trend of financially motivated ransomware groups using wiper malware as part of their attacks. A wiper is designed to completely erase information, making it irrecoverable. The malware has been more commonly associated with state-sponsored attacks, with systems and databases wiped to conceal tracks and sabotage infrastructure. Criminals are now leveraging this threat to enhance their extortion power.
Typically, during a ransomware attack, victims are pressured into paying a ransom to regain access to and recover their data, and to prevent its external release. If organisations decide not to pay, criminals will threaten to deploy a deliberately destructive payload – the wiper – that erases backups and corrupts systems, or to use deliberately broken encryption that makes recovery near-impossible. Operational data or intellectual property can be lost, seriously jeopardising business continuity. It’s a deplorable tactic used to weaken the negotiating power of ransomware victims.
3) New entry points for ransomware. Rather than directly targeting an organisation to deploy malware, attackers are looking at earlier points in supply chains. A growing number of attacks are directed at trusted software providers. Criminals will look to leverage unidentified security flaws in software or hardware (zero-day vulnerabilities) to gain silent access to networks.
This tactic was prominently demonstrated in the MOVEit Transfer zero-day campaign attributed to the CLOP ransomware group, reflecting patterns seen in earlier supply chain compromises, such as SolarWinds. In both cases, attackers bypassed conventional defences not through phishing or brute force, but by embedding themselves within software already trusted by their targets.
What makes this approach particularly dangerous is its scale and stealth. A single zero-day exploit or tampered vendor update can give attackers access to hundreds or thousands of downstream organisations. Often, victim environments remain unaware of the intrusion until ransomware is deployed, by which time sensitive data has been exfiltrated and internal systems have been compromised.
4) Lone wolf attacks. Ransomware attacks are often associated with cybercrime models in which a group develops ransomware and sells its code to other criminals. Known as Ransomware-as-a-Service (RaaS), this model can provide hackers with quick and easy access to sophisticated code. The widespread use of certain types of ransomware can also allow organisations to develop an understanding of the type of attack they are facing.
There’s now a growing trend of attackers eschewing the traditional RaaS model. Individuals or very small groups are operating independently to enhance the stealth of their attacks and to reduce the opportunity for targets to adapt preparedness and defences. Lone wolf attackers don’t tend to create new ransomware. Instead, they will repurpose leaked builders from the likes of LockBit, Chaos and Conti.
Staying ahead of evolving ransomware
As ransomware tactics evolve, so too must the defensive posture of organisations. It’s important that CIOs and cybersecurity professionals build knowledge by proactively monitoring and determining how threats are changing shape. A multi-layered threat intelligence programme can provide insights that enhance visibility, resilience and response.
Emphasis must shift towards threat hunting, so that organisations are keeping pace – and staying ahead – of changing criminal activity. For example, against wiper-style attacks, the most critical action is to ensure the recoverability of core systems and data, regardless of whether ransomware is deployed. This includes implementing immutable, offline backups that cannot be altered or deleted by attackers, as well as regularly testing restoration procedures under simulated attack conditions. Since data exfiltration typically occurs before destruction, organisations must also strengthen data loss prevention and insider threat detection capabilities, ensuring sensitive assets are tagged, monitored, and access is tightly controlled.
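The restoration testing described above needs a way to prove that what came back from the backup is complete and unaltered, not merely that a restore job finished. The following Go program is an added example, not code from the original article or from Recorded Future: it builds a SHA-256 manifest of a constructed backup set at backup time (the manifest, or its single digest, is what you keep in the immutable or offline location), then checks a restored copy against it and reports anything missing, modified or unexpected. The file contents and paths are constructed stand-ins held in memory so the example runs offline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a backed-up path to the hex SHA-256 of its content.
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest runs at backup time; the result is stored with the backup
// in the immutable/offline location so an attacker on the live network
// cannot rewrite it.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, content := range files {
		m[path] = digest(content)
	}
	return m
}

// ManifestDigest is a single, deterministic fingerprint of the whole manifest
// (entries sorted by path). Recording it out of band lets a restore test
// detect a manifest that was itself altered.
func ManifestDigest(m Manifest) string {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		h.Write([]byte(p + "\x00" + m[p] + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// VerifyRestore compares a restored file set against the manifest and returns
// a sorted list of findings; an empty list means the restore is complete and intact.
func VerifyRestore(m Manifest, restored map[string][]byte) []string {
	var findings []string
	for path, want := range m {
		got, ok := restored[path]
		switch {
		case !ok:
			findings = append(findings, "missing: "+path)
		case digest(got) != want:
			findings = append(findings, "modified: "+path)
		}
	}
	for path := range restored {
		if _, ok := m[path]; !ok {
			findings = append(findings, "unexpected: "+path)
		}
	}
	sort.Strings(findings)
	return findings
}

// SampleBackup is a constructed stand-in for a small backup set (hypothetical paths).
func SampleBackup() map[string][]byte {
	return map[string][]byte{
		"db/customers.sql": []byte("CREATE TABLE customers (id INT, name TEXT);"),
		"config/app.yaml":  []byte("retention_days: 30\n"),
		"keys/README":      []byte("key material is stored in the HSM, not here\n"),
	}
}

// SimulateDamagedRestore is a constructed restore in which one file was overwritten,
// one is missing and one stray file appeared; it exercises all three finding types.
func SimulateDamagedRestore() map[string][]byte {
	r := SampleBackup()
	r["db/customers.sql"] = []byte("-- contents replaced --")
	delete(r, "config/app.yaml")
	r["tmp/stray.tmp"] = []byte("not part of the backup set")
	return r
}

func main() {
	m := BuildManifest(SampleBackup())
	fmt.Println("manifest digest (store this out of band):", ManifestDigest(m))
	fmt.Println("clean restore findings:  ", VerifyRestore(m, SampleBackup()))
	fmt.Println("damaged restore findings:", VerifyRestore(m, SimulateDamagedRestore()))
}
```

In a real restoration drill the same check is run against the files a restore actually produced on an isolated host, and the manifest digest is compared with the copy recorded when the backup was taken, so both the data and the manifest are covered.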
Defending against ransomware attacks delivered via zero-day vulnerabilities requires full supply chain risk management. This can include tracking third-party dependencies, validating update integrity through code signing, and requiring vendors to demonstrate secure development practices. Additionally, organisations must maintain a mature vulnerability management program capable of rapidly ingesting threat intelligence, assessing exploitability, and deploying emergency patches or compensating controls before widespread abuse occurs.
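The update-integrity check mentioned above comes down to a consumer holding a pinned vendor public key and refusing any artifact whose signature does not verify against it. The Go program below is an added example, not code from the original article or from any vendor named on the page; it uses Ed25519 from the standard library as one illustrative signing scheme (the article does not prescribe an algorithm). The vendor key pair is derived from a constructed seed so the run is reproducible; the update name, version and payload are constructed too. The signed input covers name and version as well as the payload, so a renamed or downgraded artifact fails the check along with a tampered one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is a vendor-supplied artifact as received by the consuming organisation.
type Update struct {
	Name    string
	Version string
	Payload []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")

// signedDigest is the canonical input that gets signed: SHA-256 over name, version
// and payload, so changing any of the three invalidates the signature.
func signedDigest(u Update) []byte {
	h := sha256.New()
	h.Write([]byte(u.Name + "\x00" + u.Version + "\x00"))
	h.Write(u.Payload)
	return h.Sum(nil)
}

// keysFromLabel derives a deterministic Ed25519 key pair from a constructed seed so the
// example is reproducible. Real vendor signing keys live in an HSM; consumers only
// ever hold (and pin) the public half.
func keysFromLabel(label string) (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := sha256.Sum256([]byte("constructed seed, not a real key: " + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv, priv.Public().(ed25519.PublicKey)
}

// SignUpdate is the vendor-side step.
func SignUpdate(priv ed25519.PrivateKey, u Update) []byte {
	return ed25519.Sign(priv, signedDigest(u))
}

// VerifyUpdate is the consumer-side step; pinned is the vendor public key obtained
// out of band (not shipped inside the update it is meant to authenticate).
func VerifyUpdate(pinned ed25519.PublicKey, u Update, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, signedDigest(u), sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo walks three cases: a genuine update, a tampered payload carrying the original
// signature, and an artifact signed by a key other than the pinned one. It reports
// whether each case was handled as intended.
func Demo() (genuineAccepted, tamperedRejected, wrongKeyRejected bool) {
	vendorPriv, vendorPub := keysFromLabel("vendor")
	otherPriv, _ := keysFromLabel("someone else")

	u := Update{Name: "example-agent", Version: "2.4.1", Payload: []byte("constructed update bytes")}
	sig := SignUpdate(vendorPriv, u)
	genuineAccepted = VerifyUpdate(vendorPub, u, sig) == nil

	tampered := u
	tampered.Payload = append([]byte(nil), u.Payload...)
	tampered.Payload[0] ^= 0x01 // one flipped bit in the payload
	tamperedRejected = VerifyUpdate(vendorPub, tampered, sig) != nil

	wrongKeyRejected = VerifyUpdate(vendorPub, u, SignUpdate(otherPriv, u)) != nil
	return
}

func main() {
	_, pub := keysFromLabel("vendor")
	fmt.Println("pinned vendor key fingerprint:", hex.EncodeToString(pub)[:16])
	g, t, w := Demo()
	fmt.Printf("genuine accepted=%v tampered rejected=%v wrong key rejected=%v\n", g, t, w)
}
```

The pinning is the point: if the verifier accepted whatever public key arrived alongside the update, a compromised distribution channel could ship a matching key and signature together, and the check would pass.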
The emergence of lone wolf ransomware attackers can mean that the successful takedown or disruption of a RaaS group by law enforcement doesn’t necessarily spell the end of that group’s ransomware. Organisations need to be alert to this and continue to monitor for code, tools and techniques from RaaS groups they believe to be defunct or lower risk.
Being aware of how attackers are using AI in ransomware attacks is crucial to adapting and testing defences. For example, regular employee training and communications should be informed by changing criminal techniques. Staff have to be shown realistic examples of the risks they face, with simulated exercises creating awareness of how convincing AI-assisted attacks can be.
Ultimately, ransomware is no longer just a containment issue; it is a strategic risk that requires the integration of cybersecurity into governance, vendor management, and regulatory readiness. Building ongoing intelligence of evolving threats is imperative to this, so that fast-changing criminal techniques don’t outpace defences.
Richard LaTulip is a Field Chief Information Security Officer at Recorded Future.