Shobhit Gautam, Staff Solutions Architect for EMEA at HackerOne, explores emerging ransomware attack trends and offers insights into strengthening organisational defences. He evaluates the effectiveness of current response strategies and highlights key priorities for organisations in the aftermath of an attack.
What are the latest trends in ransomware attacks and how have they evolved recently?
Nearly 90% of organisations were targeted by ransomware attackers in 2024, with an uptick in targeted attacks against key sectors such as healthcare, education and manufacturing. This surge can be attributed to the growing dependence on digital systems within these industries, combined with the comparatively lower commitment to security measures and tools.
Digital extortion has emerged as the prevailing ransomware attack model. This approach begins like a standard ransomware attack, with the victim pressured to pay up to regain access to encrypted files. Unknown to the victim, the attackers have already absconded with a substantial amount of data. Failure to meet their demands results either in threats to publicise the attack or peddle the stolen data.
Another growing concern is RaaS (Ransomware-as-a-Service). The accessibility of ransomware tools and expertise broadens the pool of potential attackers. Hackers no longer require extensive programming knowledge to launch a ransomware attack. RaaS operates under a franchise system where a central syndicate develops ransomware tools and rents them out to affiliates who carry out the attacks, available for as low as US$40. This model has lowered the entry barrier for cybercriminals and expanded the scale of attacks.
How can organisations better defend themselves, especially with critical infrastructure under threat?
To build a strong cyberdefence, it is essential to remain constantly proactive. One way to ensure this is through bug bounty programs. When employed as part of a defence-in-depth approach, this model can help organisations adapt their security strategy to meet the latest threats.
For example, public bug bounty programs help offset the risk of ransomware attacks by counteracting the ransomware incentive model with a vulnerability rewards incentive model. These programs will incentivise security analysts to highlight gaps in defences that can be exploited by ransomware gangs.
Enabling security analysts to conduct periodic security audits, assessments and attack simulation drills to identify and address potential weaknesses in the organisation’s infrastructure and processes will allow businesses to make truly informed decisions on their security posture and strategy – making them a less appealing target for ransomware groups.
Organisations that approach security in this layered and flexible way can create a continuous feedback loop, where findings from one layer inform and refine the effectiveness of the others.
It is also essential for leaders to employ and promote a security-first culture based on accountability and responsibility for cybersecurity throughout the entire organisation. By providing the appropriate training and increasing internal transparency, every team member can then feel responsible for the upkeep of the defensive shield around the business.
Finally, fear is not in a name. Whether a group goes by one name or another, what is most important is what tactics they are employing, not who is employing them.
There will always be cybercriminals; the best you can do is reduce the chances these criminals succeed.
What role does AI play in both defending against ransomware and enabling attacks?
Recent AI developments are enabling criminals with minimal or no knowledge to plan and enact attacks at scale. No longer the domain of highly skilled criminals, Generative AI has created a new generation of powerful and user-friendly tools that automate and simplify the hacking process. Cybercriminals can use AI to analyse data to identify high-value targets, tailoring ransom demands accordingly.
AI technology also enables attackers to craft realistic audio and visual content using deepfake technology, contributing to more convincing and sophisticated phishing and vishing campaigns. These obfuscate the traditional ‘tells’ that alert employees and organisations to an attack.
On top of this, Machine Learning could be used to develop ransomware that bypasses traditional security measures. As a result of these developments, HackerOne research found that 48% of security professionals now consider AI the most significant security risk to their organisation.
However, while AI may be reshaping the activities of bad actors, it is also revolutionising how security teams deploy their advanced skills to battle cybercriminals. AI enables advanced behavioural analytics to flag potential attacks for faster incident response; automates threat detection in real-time; spots phishing attempts; identifies vulnerabilities; and can process large volumes of threat intelligence data to identify emerging threats and attack patterns. AI can also automate routine tasks, such as speeding up the reading of source code.
AI also plays a significant role in collaborative security. Vulnerabilities usually demand detailed technical guidance and clear instruction for remediation. AI can translate complicated industry jargon into clear, actionable steps, ensuring teams work together more effectively. All of these faster tasks and processes add up to more free time security teams can spend focused on strategically important tasks.
In 2024, the UK introduced the Cyber Security and Resilience Bill which aims to make reporting ransomware incidents mandatory, expand the scope of cyber-regulatory requirements, strengthen regulators’ powers, and possibly ban ransomware payments completely. This bill would align the UK’s regulatory policy more with the EU’s NIS2 Directive.
The reporting of ransomware incidents remains a crucial intermediate step, so law enforcement can better track their movements to connect the dots between similarities of attacks, targets and vectors. Ultimately, over time, these bills could make tracking ransomware groups and individual perpetrators easier.
In the meantime, we are witnessing policymakers and global law enforcement agencies starting to work together with hackers and security experts to combat cybercrime. Governments are also starting to use vulnerability reward programs to incentivise responsible disclosure of vulnerabilities to reduce their threat landscape.
How does the rise of cryptocurrency payments impact ransomware and can this be disrupted?
Cryptocurrencies such as Bitcoin use blockchain technology to track transactions, making it challenging to identify criminals. Ransomware operators obscure funds through multi-step processes, ‘chainhopping’ between cryptocurrencies, and using mixing services or privacy coins like Monero. Adding to this, ransomware operators now refrain from sharing wallet addresses in their ransom demands, making it even more difficult to trace the flow of funds.
However, law enforcement agencies are able to employ blockchain analysis tools (such as Coinfirm, CipherTrace and Chainalysis) to better track these cryptocurrency ransom payments. This is achieved through analysing transaction histories, identifying patterns and following the flow of funds across various wallets. Agencies worldwide are now operating in close collaboration to track down international ransomware gangs through coordinated investigations and shared intelligence.
What’s the future of ransomware and how can collaboration improve global defences?
In 2025, AI’s deepening role in business operations and the cyberthreat landscape is set to heighten the arms race between security teams and cybercriminals. Over half (58%) of security researchers predict that AI will increasingly drive this competitive escalation, as both defenders and attackers leverage AI to outmanoeuvre each other. Already, cybercriminals are harnessing AI-driven tools – like chatbots, voice cloning and Generative AI – for sophisticated attacks, including phishing, impersonation and widespread misinformation campaigns.
As new emerging technologies like AI come into play, models like RaaS will become supercharged with additional features and an even greater variety of offerings. For example, a dashboard that offers analytics or insights into which targets or industries are most vulnerable to a specific form of attack and malware. These new developments make it infinitely more challenging for defenders to keep up and underscore the need for regular, continuous adversarial testing.