Ransomware: The New PR Playbook | Cybercrime & Reputation

by Priyanka Patel

Ransomware gangs are increasingly operating like structured criminal enterprises, actively recruiting new members – even cybersecurity professionals – and scaling their operations, according to recent findings. This shift is fueled by the growing financial success of these groups, enabling them to offer lucrative incentives and bolster their security measures.

Ransomware Evolves: From Attacks to Organized Recruitment

Cybercriminals are now prioritizing recruitment, incentives, and growth, transforming ransomware into a sophisticated business model.

  • Ransomware groups are adopting affiliate models and actively seeking new recruits, including those with cybersecurity expertise.
  • Financial incentives, such as larger commissions, are driving recruitment efforts.
  • Employees, contractors, and trusted partners are now viewed as potential access points to victim organizations.
  • Qilin ransomware was the most active strain in December 2025, accounting for 170 attacks.

The evolving tactics of ransomware gangs were highlighted in December 2025, with NCC Group reporting a 13% rise in recorded attacks during the month. Matt Hull of NCC Group explained that ransomware-as-a-service (RaaS) groups are increasingly targeting individuals with legitimate access to systems and credentials, bypassing traditional security controls and reducing the risk of detection.

What’s driving this change? Ransomware groups are realizing that exploiting trust and access is often more effective – and less risky – than relying solely on exploiting software vulnerabilities. This strategic shift underscores a growing professionalization within the ransomware ecosystem.

Did you know? The Medusa ransomware gang even attempted to recruit a BBC cybersecurity correspondent, offering a percentage of future ransom payments in exchange for access to his computer.

In a particularly brazen incident, the Medusa ransomware gang directly contacted Joe Tidy, the BBC’s cybersecurity correspondent, via the encrypted Signal application. They initially offered him 15% of a future ransomware payment for access to his PC and, when he declined, escalated the offer to a quarter of the BBC’s revenues and a promise of financial security. “Targeting high-profile organisations like the BBC is both financially attractive and commercially strategic,” Hull said. “Even limited success against a well-known brand can generate notoriety and credibility, helping groups attract future affiliates and opportunities.”

The recruitment isn’t limited to opportunistic approaches. In November 2025, US authorities indicted three men accused of extorting victims using the ALPHV/BlackCat ransomware. Notably, all three individuals were employed in the cybersecurity field, specializing in incident response and ransomware negotiations. The Department of Justice (DoJ) revealed that financial hardship motivated one of the men to participate in the scheme.

Ryan Goldberg and Kevin Martin, two of the accused, pled guilty to obstruction of commerce through extortion at the end of December 2025 and are scheduled for sentencing in March. “Ransomware has evolved into an organised business model,” Hull added. “These groups now think in terms of recruitment, incentives, scale and growth, rather than just attacks.”

The Rise of Qilin and Geographic Targeting

During December 2025, NCC Group’s telemetry identified 170 attacks attributed to the Qilin ransomware, nearly double the number carried out by Akira, its closest competitor, which recorded 78 attacks. LockBit 5.0, Safepay, and Sinobi followed with 68, 67, and 54 attacks, respectively. NCC Group noted that the end of the year typically sees a surge in ransomware attacks as criminals target organizations with reduced staffing during the holiday season.

North America remained the primary target, accounting for 50% of the attacks observed by NCC Group. Europe followed with 25%, and Asia with 12%. Industrials were the most frequently targeted sector, representing 30% of attacks, followed by consumer discretionary (22%) and IT companies (10%).

For organizations, Hull emphasized the need to shift focus towards human risk management. “Insider threat programmes, strong access governance and robust offboarding processes are critical to reducing the risk that current or former employees become part of the ransomware supply chain.”
