ransomware

Defensible by Design: Ransomware and Cybersecurity in 2026

Ransomware is now a major concern for organizations, affecting strategy and leadership. CISOs face increasing pressure as ransomware evolves, requiring adaptability and focus on defensible, resilient systems over security illusions. Leadership development should involve real incident experiences and business-focused training. Traditional security budgets are insufficient, pushing for a shift towards recoverability and flexible response strategies. Investors now consider cybersecurity a key factor in funding decisions, linking security posture directly to organizational value. In 2026, success for CISOs will hinge on their ability to withstand and quickly recover from ransomware incidents.

https://www.halcyon.ai/blog/defensible-by-design-ransomware-and-cybersecurity-in-2026

The Hidden Risk in Virtualization: Why Hypervisors Are a Ransomware Magnet

Hypervisors, critical for virtual environments, are increasingly targeted by ransomware, particularly the Akira group. Attacks can risk numerous VMs simultaneously due to limited security visibility. Effective defenses include robust access controls, multi-factor authentication, hypervisor hardening, regular patching, and effective backup strategies. Organizations should also enhance monitoring for anomalous activities to detect potential breaches early and prepare for recovery scenarios, emphasizing a holistic security approach to protect hypervisors from escalating ransomware threats.

https://www.bleepingcomputer.com/news/security/the-hidden-risk-in-virtualization-why-hypervisors-are-a-ransomware-magnet/

New DroidLock Malware Locks Android Devices and Demands a Ransom

New DroidLock malware targets Android users, locks screens for ransom, and can access personal data. It spreads via fake apps, gaining permissions to control devices. It can wipe data, change passwords, and threaten file destruction. Android users are advised to avoid sideloading apps and check permissions.

https://www.bleepingcomputer.com/news/security/new-droidlock-malware-locks-android-devices-and-demands-a-ransom/

Ransomware IAB Abuses EDR for Stealthy Malware Execution

Ransomware group Storm-0249 exploits EDR tools like SentinelOne to stealthily execute malware. Using social engineering, they trick users into running malicious commands that lead to DLL side-loading, making attacks appear as normal EDR processes, thus evading detection. Recommendations include behavior-based detection and stricter controls on execution of potentially harmful commands.

https://www.bleepingcomputer.com/news/security/ransomware-iab-abuses-edr-for-stealthy-malware-execution/

FinCEN Says Ransomware Gangs Extorted Over $2.1B From 2022 to 2024

FinCEN reports ransomware gangs extorted over $2.1 billion from 2022 to 2024, peaking in 2023 with 1,512 incidents and $1.1 billion in payments. A decline in 2024 saw 1,476 incidents and $734 million in payments, attributed to law enforcement actions against gangs like BlackCat and LockBit. The manufacturing, financial services, and healthcare sectors were most affected, with these industries suffering significant losses. Over 267 ransomware families were identified, with Akira being the most reported. Majority of payments were made in Bitcoin (97%).

https://www.bleepingcomputer.com/news/security/fincen-says-ransomware-gangs-extorted-over-21b-from-2022-to-2024/

The Golden Scale: ‘Tis the Season for Unwanted Gifts

SLSH (Scattered LAPSUS$ Hunters) has resumed activities with claims of accessing Salesforce data through a Gainsight breach, threatening to leak information and demanding ransom before a self-imposed deadline. Their new ransomware, “ShinySp1d3r,” currently targets Windows, with plans for broader compatibility. Additionally, there are reports of insider recruitment attempts and involvement in significant data theft on a large scale. With a volatile holiday season approaching, cybersecurity vigilance is critical as SLSH escalates their threats, fostering concerns for various organizations.

https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

Rey, admin of the notorious cybercriminal group “Scattered LAPSUS$ Hunters” (SLSH), has been identified following an interview where he confirmed his real identity. SLSH, comprising three hacking groups, has extorted major corporations through social engineering, including companies like Toyota and FedEx. Rey previously managed data leak operations for other ransomware groups and recently launched a new ransomware service called ShinySp1d3r. Despite initially engaging in cybercrime, Rey, now 15, claims to be trying to distance himself from the criminal activities and has communicated with law enforcement about his involvement. His digital footfalls, however, led to his identification.

https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/

Ransomware’s Fragmentation Reaches a Breaking Point While LockBit Returns

Ransomware landscape in Q3 2025 shows record fragmentation with 85 active groups and 1,590 victims. Despite law enforcement efforts, smaller, decentralized operations have emerged post-takedowns, reducing credibility in ransom payments. New brands like LockBit 5.0 highlight a potential return to centralization, increasing operational scale and trust. Ransomware tactics are evolving, making traditional tracking methods ineffective; analysts now need to monitor affiliate behavior and economic motivations to navigate the changing ecosystem.

https://thehackernews.com/2025/11/ransomwares-fragmentation-reaches.html

Violent Cybercrime Surges in Europe Amid Big Payouts

Cybercriminals in Europe are increasingly engaging in violent tactics, with 18 reported incidents in 2025, predominantly in France. This surge, termed “violence as a service,” includes high-profile cases like the kidnapping of Ledger co-founders. The UK remains the most targeted country for cybercrime, with over 2,100 attacks recorded since 2024, primarily from ransomware and data theft groups. The rise in violence is linked to organized networks that facilitate traditional cybercrime and physical theft, especially concerning cryptocurrency.

https://www.theregister.com/2025/11/04/cybercriminals_increasingly_rely_on_violence/

Ransomware Hackers Look for New Tactics Amid Falling Profits

Ransomware profits are down, forcing cybercriminals to adopt new tactics to demand payment, including bribing insiders and using social engineering techniques such as callback phishing. Fewer organizations are paying ransoms, and the average payment has dropped significantly. This has fragmented the ransomware ecosystem, with smaller groups targeting industries and regions that weren’t previously affected. Attackers now focus on recruiting insiders, directly contacting executives with ransom demands, and exploiting supply chains. Enterprises should become more vigilant against internal threats as hackers adapt their techniques to make up for lost earnings.

https://www.databreachtoday.com/ransomware-hackers-look-for-new-tactics-amid-falling-profits-a-29867

Ransomware Profits Drop as Victims Stop Paying Hackers

Ransomware payments have dropped to 23% among breached companies, marking a continuous decline. Enhanced security and pressure from authorities are cited as reasons for this trend. As ransomware groups shift focus from encryption to data theft, newer attacks show only a 19% payment rate when data is stolen without encryption. Average ransom payments decreased to $377,000. Targeting mid-sized firms increases as larger companies fortify defenses. Cyber attackers may pivot to social engineering to gain access as profits dwindle.

https://www.bleepingcomputer.com/news/security/ransomware-profits-drop-as-victims-stop-paying-hackers/

LockBit Returns — and It Already Has Victims

LockBit ransomware has resurfaced, targeting organizations globally with a new variant, LockBit 5.0. This group, previously disrupted in early 2024, has resumed operations, exploiting vulnerabilities across Windows, Linux, and ESXi systems. With enhanced evasion techniques, faster encryption, and multi-platform support, it poses a renewed threat to businesses.

https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-victims/

New LockBit 5.0 Targets Windows, Linux, ESXi

LockBit 5.0 ransomware targets Windows, Linux, and ESXi systems, utilizing advanced obfuscation and anti-analysis techniques for enhanced cross-platform attacks. Key features include randomized file extensions, Russian system avoidance, and comprehensive encryption capabilities affecting entire virtual infrastructures. Significant improvements over previous versions include sophisticated payload loading methods and anti-forensics measures. Organizations need robust cross-platform defenses to mitigate risks from LockBit 5.0's evolving threat landscape.

https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html

Unmasking Akira: The Ransomware Tactics You Can’t Afford to Ignore

Zensec highlights the ransomware group Akira's tactics, focusing on their operation since 2023, impacting various UK industries. Akira employs double extortion, exploiting SSL VPN vulnerabilities for initial access, and using tools like Netscan and AnyDesk for execution. Key findings from investigations show their methods in privilege escalation, data exfiltration, and encryption processes, which often include targeting backup systems. Recommendations for organizations include ensuring multi-factor authentication on VPNs, regular software updates, and rigorous monitoring of security tools to prevent such attacks.

https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/

Scroll to Top