BLACK HAT 2025, LAS VEGAS – Ransomware is a critical risk to SMBs, enterprises, and nation states, and it’s a risk that shows no sign of slowing down.
This week at BHUSA25, Expert Insights have been chatting to ransomware experts about how ransomware is evolving, where threats are going, and how you can protect your business.
The New Normal: Data Exfiltration
The way ransomware gangs operate is evolving, fast. Zscaler ThreatLabz’s 2025 Ransomware Report highlights that extortion is now the name of the game for ransomware gangs, not old-school encryption.
The way it works is simple: ransomware gangs steal your data. They prove they have it. And then you get a phone call demanding millions of dollars for them to delete it. The attack works because ransomware gangs know that if they leak the data, the cost to your business would be much more than whatever they want from you.
This technique is a win-win for ransomware gangs. The attacks are lower profile, meaning less scrutiny from law enforcement. They also don’t have to worry about creating more sophisticated ransomware code to get past cybersecurity defenses that are getting better at stopping ransomware all the time.
The targets are shifting too. “A lot of these groups are focusing on companies that have sensitive data, where they’re willing to pay a high ransom to avoid having that data leaked,” Brett Stone-Gross, Senior Director of Threat Intelligence at Zscaler, tells Expert Insights.
“We saw a new group that popped up specifically going after healthcare companies and they’re telling them it’s better to pay us this ransom than for us to leak the data; you’re going to be paying a much higher price in violations.”
Fracturing Ransomware Ecosystems
One of the big trends in the ransomware space is that law enforcement has cracked down hard on ransomware gangs in the last couple of years. But while the takedown of a big ransomware gang looks like good news to defenders, smaller ransomware players see an opportunity.
Cynthia Kaiser, former Deputy Assistant Director of the FBI’s Cyber Division and SVP, Halcyon Ransomware Research Center, tells Expert Insights that the US and UK’s efforts to take down LockBit in 2024 left a huge vacuum across the ransomware ecosystem.
“We’ve seen all these affiliates that are part of these big groups fracture into smaller groups. Some of them are a little more closed off, trying to see if they can act in a way in which they’re not getting under the scrutiny of law enforcement. It’s still incredibly dangerous,” she says.
“One of the major trends we see now is the ability and desire to turn off endpoint detections to blind the detections that you already have in your system, as well as continuing to target organizations that can’t tolerate downtime, like hospitals or other critical infrastructure.”
Kaiser believes that we need much stronger intelligence to help put a stop to the activity of ransomware gangs. Her team at Halcyon—a company dedicated to stopping ransomware attacks—has launched the Ransomware Research Center. Halcyon describes it as the first-ever public-private coalition that unites threat researchers, policy leaders, and operational defenders around a shared mission to defeat ransomware actors.
“I’m really excited about it. Our aims are both to put out really great information and to be able to partner with others in industry to bring that all together… The disconnected defense that we have right now does help ransomware groups find those gaps and they exploit them. They’re excellent at exploiting gaps.”
Let Them Fight
Ransomware gangs often don’t get taken out completely, but they do get disrupted, which can seriously damage their prestige.
“It’s not often where you can get that level of impact where you’re actually putting handcuffs on people,” says Michael DeBolt, Chief Intelligence Officer at Intel 471.
“These groups are not unlike any company that relies on their brand image. If you do any reputational harm to them by taking down infrastructure for even just a week, that’s always going to be a good thing.”
The fractured ransomware ecosystem left behind after law enforcement action has led to an interesting dynamic: infighting between different ransomware groups.
“Because of the vacuum, I anticipate that over the next 12 months we’ll see more of the internecine battles across some of these groups fighting each other,” Kaiser says.
“We still haven’t filled that vacuum of these large groups. There are groups out there that envision themselves as those successors. You’re going to see these groups fighting each other, which is good for all of us. But that battle is likely going to play out throughout the next 12 months.”
One of the most notorious ransomware gangs on the scene today is DragonForce, who are known for their attacks on UK retailers like M&S, the Co-op, and Harrods.
They have also been brazen in attacking other ransomware gangs, says Tony Anscombe, Chief Security Evangelist at ESET.
“They’re taking out the competition; it’s like a turf war. And they certainly disrupted a couple of the other groups—they even went after RansomHub and disrupted their service. It’s interesting that they’re fighting between each other,” he says.
“The only caution I’d have,” he adds, “is that a lot of these groups are very related. I think some of these people move around and they’re not as separate as sometimes we’d be led to believe.”
“While they’re infighting, though, that’s a good thing for everybody else, isn’t it? Because if they’re fighting each other, they’re taking their eye off the ball.”
To Ban, Or Not To Ban?
The debate on whether or not to ban ransomware payments has been in the news again recently, particularly in the UK where the government has announced a plan to ban UK public sector organizations from making ransomware payments.
“I was somewhat shocked to read that, because it kind of implies that a local authority or public body has paid, but they haven’t. Nobody can tell me of a public body that’s used taxpayer-funded money to pay some of their demand,” says Anscombe.
But should ransomware payments be banned altogether?
“I have not been able to come up with a way in which [a ban] is implemented that it solves our problems,” Kaiser says. “What happens when a ransomware actor targets a hospital? Are you choosing lives, or choosing the ban? And if you make exceptions for life-saving efforts, who’s going to be targeted more?
“I think the better model is requiring anyone paying a ransom to also have to tell law enforcement. That enables law enforcement to do its job, to be able to claw back funds or better understand actors. I think, in the end, that would have a more detrimental effect against ransomware groups.”
“Go after the money,” Anscombe says. “That’s what needs to happen. You’ve got all those masses of affiliates; they’re going to take their business from one group to another. You need to go and take the people out at the top. Because if you take the groups out at the top, then the affiliates die.”
Staying Protected Against Ransomware
The more things change, the more things stay the same. Improving your resilience against ransomware means having the security fundamentals in place.
“The basics matter,” Kaiser says. “Patching, having multi-factor authentication, and hardening your multi-factor authentication to be more phishing resistant. Finally, ensuring you have defense in depth—endpoint detections are so important.
“There are really cool technical solutions out there. I’m very positive about them, because while AI is making our adversaries better, it’s also making us better, and that’s exciting to me.”