Ransomware attacks are proving a major concern for businesses. Richard LaTulip, Field Chief Information Security Officer at cyber threat intelligence specialists Recorded Future, looks at how ransomware hackers are developing attacks to exploit companies and why forward-thinking businesses are turning into threat hunters to stay ahead of criminals.
The growing risks of ransomware
Ransomware has repeatedly hit the headlines in recent months. High-profile attacks have caused significant problems for well-known retailers, and these are businesses that take such risks seriously. They invest in sophisticated cyber defences and routinely test supply chains, processes and systems to address vulnerabilities. The attacks and deployment of ransomware in these instances are symptomatic of how quickly attackers change and develop their tactics to crack even the most robust defences.
The UK government considers ransomware the greatest of all serious and organised cybercrime threats and is taking measures to better protect both the public and private sectors. Proposals and consultations are considering a ransomware payment ban for public sector organisations and a payment prevention regime for private sector enterprises. This is a positive move designed to deter the intent of criminals, but will it inadvertently leave businesses exposed to a greater threat of ransomware attacks? If criminals know public sector organisations can’t pay ransoms, will they concentrate on those entities that aren’t subject to a legislation-backed ransomware payment ban? Our experience shows that businesses aren’t prepared to wait to find out.
We’re seeing a growing number of businesses evolving their cybersecurity strategies from a robust defensive posture to a more proactive approach. This involves cyber threat intelligence, which is turning companies into threat hunters. Cybersecurity teams are actively monitoring the cyber threat landscape to better understand what attacks could look like. By building knowledge and insight about criminals’ tactics, businesses can better predict, prioritise and prevent possible attacks. Action can be taken to mitigate risks before they have the chance to materialise into events that cause critical disruption and destruction.
Ransomware threats evolve at pace and cyber threat intelligence can provide businesses with enhanced visibility of what they are up against. There are four ransomware trends in particular that show just how quickly attackers are adapting tactics.
Four key ransomware trends
1) Advanced social engineering tactics
Generative Artificial Intelligence (AI) is providing cybercriminals with more advanced tools to manipulate trust and human behaviour. These attacks go beyond simple phishing emails, evolving into personalised social engineering campaigns that encourage employees to take actions they normally wouldn’t.
The process often begins with footprinting, where attackers study a target’s digital footprint by analysing social networking profiles, professional accounts, and casual online posts. From this, they understand how individuals communicate, who they interact with, and what topics are important to them.
AI then amplifies this intelligence. Criminals can generate convincing messages in a company’s style, clone voices with local accents, and even reference real colleagues or workplace events. Combined, this makes scams feel authentic enough that victims may bypass security protocols, share login codes, or authorise unusual transactions, believing they are helping a trusted contact.
The real danger lies not in AI alone, but in the marriage of AI and social engineering. By exploiting human instincts like trust, helpfulness, and urgency, attackers can manipulate people into decisions they would normally question.
2) Wipers and ransomware
Ransomware groups are making wiper malware part of their attacks. Wipers are designed to permanently destroy data, making recovery near impossible. Traditionally, state-sponsored attacks and sabotage have deployed destructive wiper payloads, with criminals now using this tactic to intensify the pressure on victims.
In a typical ransomware scenario, attackers demand payment so that businesses can, by and large, restore access and prevent data leaks. If the ransom is refused, attackers are now threatening to unleash a wiper, leaving victims concerned about backups being completely erased and systems being corrupted. Even flawed encryption can block recovery attempts and poses a critical risk to business continuity.
3) Finding weak links in supply chains
Rather than directly attacking a target business, cybercriminals are increasingly focusing on finding gateways in supply chains. For example, hackers might find software partners which they know their victim will trust and rely on. An attack will then leverage zero-day flaws in software or hardware to gain undetected access to the partner’s network, creating a hard-to-detect route into the main target’s secure systems through which to deploy ransomware.
4) Rise of ‘Lone Wolves’
While many ransomware attacks stem from the Ransomware-as-a-Service (RaaS) model, where groups sell malicious code to other criminals, there’s a new wave of attackers operating on a much smaller scale.
Rather than developing new ransomware, ‘lone wolves’, who are often individuals or a small group of hackers, repurpose leaked code from well-known strains like LockBit, Chaos, and Conti. This strategy allows hackers to launch stealthier attacks, making it harder for businesses to anticipate or prepare for specific threats.
Staying ahead of ransomware attacks
A multi-layered threat intelligence programme can monitor and determine how ransomware threats are changing shape. This creates opportunities for proactive mitigation. For example, against wiper-style attacks, the most critical action is to ensure the recoverability of core systems and data, regardless of whether ransomware is deployed. This includes implementing immutable, offline backups that cannot be altered or deleted by attackers, as well as regularly testing restoration procedures under simulated attack conditions. Since data exfiltration typically occurs before destruction, organisations must also strengthen data loss prevention and insider threat detection capabilities, ensuring sensitive assets are tagged and monitored, and that access to them is tightly controlled.
Defending against ransomware attacks delivered via zero-day vulnerabilities requires full supply chain risk management. This can include tracking third-party dependencies, validating update integrity through code signing, and requiring vendors to demonstrate secure development practices. Additionally, organisations must maintain a mature vulnerability management program capable of rapidly ingesting threat intelligence, assessing exploitability, and deploying emergency patches or compensating controls before widespread abuse occurs.
The emergence of ‘lone wolf’ ransomware attackers means that the successful takedown or disruption of a RaaS group by law enforcement doesn’t necessarily spell the end of that group’s ransomware. Organisations need to be alert to this and continue to monitor for code, tools and techniques from RaaS groups they believe to be defunct or lower risk.
Being aware of how attackers are using AI in ransomware attacks is crucial to adapting and testing defences. For example, regular employee training and communications should be informed by changing criminal techniques. Staff have to be shown realistic examples of the risks they face, with simulated exercises creating awareness of how convincing AI-assisted attacks can be.
Ultimately, ransomware is no longer just a containment issue; it is a strategic risk that requires the integration of cybersecurity into governance, vendor management, and regulatory readiness. Building ongoing intelligence of evolving threats is imperative to this, so that fast-changing criminal techniques don’t outpace defences.
About the columnist
Richard LaTulip
Field Chief Information Security Officer at Recorded Future
He advises global organisations on cyber threat intelligence strategy, risk management, and security operations. He is a retired U.S. Secret Service agent with over two decades of experience investigating cybercrime, leading long-term undercover operations, and collaborating with international law enforcement. Richard holds a Master of Science in Cybersecurity Policy and Governance from Boston College and maintains several industry certifications, including CISSP, CISM, CEH, CySA+, C|CISO, and Security+. He is also the author of Operation Carder Kaos: How One Agent Penetrated the Underground Community, a forthcoming book chronicling his infiltration of cybercriminal networks. He regularly speaks on topics related to cyber threats, resilience, and intelligence-driven defence.