Features 09.09.2025

A New Era of Ransomware: Data Leaks, Physical Threats and Wiped Backups

Ransomware groups are changing their tactics as more victims refuse to pay.

Kate O’Flaherty explores the evolving ransomware landscape, and asks what CISOs can do to build cyber resilience

Despite the big-name breaches hitting the headlines, ransomware actors aren’t having the best of times financially. Just a third of victims pay their extorters, according to one new report. And last year saw a 35% annual decline in crypto-payments to threat actors, says another. But these groups are nothing if not resourceful.

Ransomware actors are increasingly expanding their tactics beyond data encryption and exfiltration, wiping backups or deleting shadow copies of files. In a majority of cases, they eschew ransomware altogether, preferring data theft extortion. With the government pushing ahead to ban ransom payments for the public sector and critical national infrastructure (CNI), the pressure is set to mount on CISOs caught in the firing line.

AI-charged attacks

One technology helping to supercharge ransomware attacks is AI. In August, Anthropic reported its Claude Opus chatbot is being used to orchestrate attacks. An adversary used the AI for reconnaissance, code generation, credential theft, infiltration, and generating ransom notes in attacks targeting over two dozen organisations, according to the company.


In July, researchers at cybersecurity outfit ESET uncovered a “proof-of-concept” they dubbed PromptLock: a new type of ransomware that leverages generative AI to execute attacks. The malware runs a locally accessible AI language model to generate malicious scripts in real time, autonomously deciding which files to search, copy or encrypt.

“A well-configured AI model is now enough to create complex, self-adapting malware,” Anton Cherepanov, senior malware researcher at ESET, said in a press release.

If properly implemented, threats such as this could “severely complicate detection and make the work of cybersecurity defenders considerably more challenging”, he warned.

Ramping up the pressure

At the same time, with firms less likely to pay, figures show adversaries are ramping up the pressure to extort cash from victims. A July report from Semperis reveals that executives were physically threatened in 40% of ransomware incidents last year. And in 47% of cases, threat actors threatened to file regulatory complaints against them if they hadn’t already reported the incident.

Traditional attacks focussed on encrypting data and causing business interruption have “evolved to data theft”, Adam Harrison, managing director in the cybersecurity practice at FTI Consulting, tells Assured Intelligence. “In the future we can expect more theft of data, public shaming, pressure campaigns on partners and customers, and other actions aimed at exerting pressure,” he says.

Some groups are already experimenting with physical threats or targeting operational technology to maximise disruption, Harrison warns. The Chaos ransomware group has been seen threatening victims with further attacks and telling competitors and customers about the breach, Cisco Talos researchers found.

Highly organised campaigns

There’s also been a shift from “random, opportunistic strikes” to “highly organised campaigns targeting specific sectors”, Nominet CISO Paul Lewis tells Assured Intelligence. For example, the Scattered Spider collective focused heavily on the retail sector earlier in the year, attacking M&S, the Co-op and Harrods.


Even groups previously dismantled by law enforcement are regrouping and coming back stronger, Lewis says, citing the example of the Qilin group.

In order to gain initial access, ransomware groups are exploiting vulnerabilities, compromising credentials, or taking advantage of misconfigured appliances, Pierre Noel, field CISO EMEA at Expel, tells Assured Intelligence.

Identity-based attack attempts dominate, accounting for 68% of the incidents Expel’s security operations centre handled in the second quarter of 2025, he says. Meanwhile, 14% of observed threats were non-targeted malware.

Carl Wearn, head of analysis and future ops at Mimecast, tells Assured Intelligence that cybercriminals are increasingly turning to “living off trusted services” tactics to stay hidden. “This sees them exploiting legitimate platforms such as Microsoft 365, DocuSign, Dropbox and even internal helpdesk functions to orchestrate attacks,” he claims.

The impact of ransom payment bans

All this comes as ransom payment bans are being mooted across the world, including in the UK. If enacted, they will make cyber resilience even more important for CISOs – so that they can prevent breaches in the first place, or lessen the impact if they do become a victim.

It’s also clear that ransom payments do not guarantee recovery. Semperis’ report found that 15% of ransomware victims that paid either did not receive decryption keys or were handed corrupted keys. An additional 3% received usable keys but discovered that the attackers had published or illegally used their stolen data anyway.


The ransom payment ban on certain sectors could create a two-tier environment: CNI operators facing stricter rules while other industries still retain discretion. This could see attackers pivot towards “softer” targets outside of CNI or increase pressure on the suppliers and partners of regulated entities, FTI Consulting’s Harrison says.

The government’s strategy is about deterrence – if there’s no money to be made, the hope is criminals will lose interest, Nominet’s Lewis says. “But it’s a gamble, because some attackers may persist simply for the thrill of it, not just for financial gain,” he adds. “Cybercriminals tend to follow the money – but we must be prepared for those who don’t.”

If ransom payments are restricted, organisations will also lose what some have seen as a “last resort”, Harrison adds. That makes it even more important to harden defences, detect intrusions quickly, and ensure recovery is possible without negotiating with attackers, he advises.

How CISOs can prepare

The growing sophistication of attacks is certainly a concern, but CISOs can do a few things to minimise the impact of ransomware on their organisation.

Backups remain essential, but they must be “immutable, offline, and regularly tested” if they are going to be effective as part of a resilience strategy, says Harrison. At the same time, CISOs need to think in terms of defence-in-depth, says Nominet’s Lewis. “This means layering security controls so that if one fails, others stand in the way.”

Basic cybersecurity measures such as multi-factor authentication (MFA) and timely patching are key. Alongside this, zero trust architectures, supply chain risk management and proactive threat hunting will help, FTI Consulting’s Harrison advises.

The National Cyber Security Centre (NCSC) warns that, over the coming two years, AI “will almost certainly continue to make elements of cyber intrusion operations more effective and efficient, leading to an increase in frequency and intensity of cyber threats.” As ransom bans start to bite, CISOs with a clear plan for building resilience will be best placed to keep their organisation safe.

How to build resilience

  • Have an incident response plan and test it. The first test of a plan often reveals confusion and gaps, Expel’s Noel points out. “Regular tabletop exercises with executives across the organisation, not just IT, are critical to making response strategies effective.”
  • Backups must be immutable. At the same time, they aren’t a fail-safe protection on their own.
  • Layer your defences. “CISOs should prioritise layered defences to include continuous monitoring, rapid detection and response, and robust incident response playbooks,” FTI Consulting’s Harrison advises.
  • Don’t forget the basics. The basic concepts of least-privilege access, strong authentication, and comprehensive patch management remain “as relevant as ever”, Harrison says.
  • Threat intelligence will keep you up to date. Keep an eye on threat intelligence to stay ahead of evolving tactics, Expel’s Noel says.
