Ransomware is no longer a single, disruptive event. It has evolved into a sustained, multi-stage campaign designed to systematically compromise an organisation’s infrastructure and undermine its credibility. The shift we are witnessing is not only tactical, but also strategic. Threat actors have progressed from opportunistic attacks to highly coordinated operations that exploit both technological vulnerabilities and human psychology.
What was once a straightforward approach of encrypting data and demanding payment has morphed into a multi-faceted, multi-stage extortion scheme. Increasingly, attackers are combining data theft, encryption, distributed denial-of-service attacks, and public shaming tactics, a strategy now widely referred to as triple extortion. These methods aim not only to disrupt operations, but to erode the trust of customers, partners, and regulators.
Real-world incidents illustrate the new reality
The cyberattacks on retailers Marks & Spencer (M&S) and the Co‑op were coordinated breaches that involved the Scattered Spider hacking collective. The group used sophisticated social engineering techniques, such as help-desk impersonation, SIM swapping, and MFA push-bombing to trick IT staff at a third-party service provider into granting access. From there, attackers gained elevated privileges and moved laterally within corporate networks, using native administration tools to evade detection while exfiltrating sensitive data and disrupting operations.
The consequences were severe: M&S had to disable its online store for nearly seven weeks, and financial losses were estimated at around £300 million. These types of cyberattacks frequently bypass traditional antivirus systems and signature-based detection tools, and they exemplify how contemporary attackers exploit the human layer of security with a level of precision that conventional defences are ill-equipped to handle.
Legacy security measures are no longer sufficient
The increasing complexity and professionalism of ransomware operations have rendered traditional security measures inadequate. Many attackers now operate as part of a broader criminal ecosystem, with specialised roles such as negotiators, infrastructure providers, and even customer support for victims. This maturity has led to a rise in highly organised, targeted campaigns.
Signature-based detection methods, once the cornerstone of many security systems, are insufficient in this context. They remain widely used across the industry because they are effective at identifying known malware and attack patterns. However, because they depend on known indicators of compromise, they fall short against modern threats that rely on novel or customised tactics, legitimate credentials, and living-off-the-land techniques, methods specifically designed to evade detection by conventional means.
Behavioural analytics tools establish baselines for normal user and system activity and flag anomalies that suggest malicious intent. Unlike signature-based detection, which relies on identifying known malware patterns, behavioural analytics can detect novel and sophisticated attacks that exploit legitimate credentials and avoid traditional indicators.
As ransomware tactics advance, signature-based systems can’t keep up. Behavioural analytics, by contrast, adapts to what is actually happening in the environment, making it far better suited to detecting the subtle, credential-based threats that characterise today’s attacks. These systems excel at surfacing real-world signs of compromise that would otherwise go unnoticed, such as abnormal account usage patterns or unexpected data flows.
Internal network monitoring is a necessity
Modern ransomware campaigns don’t begin with encryption; they start with stealthy infiltration, lateral movement and data exfiltration. These early and critical stages often unfold unnoticed within an organisation’s internal network. That’s why east-west visibility is essential: it provides the insight required to detect attackers as they move through environments using legitimate credentials and living-off-the-land techniques.
Traditional defences typically monitor north-south traffic (traffic crossing the perimeter between the internal network and the outside), missing the lateral movement that characterises today’s threats. By monitoring internal traffic flows, privileged account behaviour and unusual data transfers, organisations gain the ability to identify suspicious actions in real time and contain threats before they escalate to ransomware deployment or public extortion.
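To make the behavioural-baseline idea from the previous two sections concrete, here is a small added example (not ExtraHop's product logic and not code from this article) that builds a per-account baseline from a window of internal flow records and then scores new east-west flows against it. The log format, the account and host names, the three-sigma volume threshold and the anomaly labels are all constructed assumptions for illustration; a real deployment would draw the same signals from flow telemetry or authentication logs.

```python
"""Per-account behavioural baseline over constructed internal (east-west) flow records.

Each record is one line: "<date> <time> <account> <src_host> <dst_host> <bytes_out>".
The baseline window is assumed to contain only benign activity.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: str          # "YYYY-MM-DD HH:MM"
    account: str
    src: str
    dst: str
    bytes_out: int


@dataclass
class Baseline:
    hours: set = field(default_factory=set)         # hours of day the account is normally active
    sources: set = field(default_factory=set)       # hosts the account normally acts from
    destinations: set = field(default_factory=set)  # hosts the account normally talks to
    volumes: list = field(default_factory=list)     # bytes_out per observed flow


def parse_flows(lines):
    flows = []
    for line in lines:
        date, time, account, src, dst, nbytes = line.split()
        flows.append(Flow(f"{date} {time}", account, src, dst, int(nbytes)))
    return flows


def hour_of(flow):
    return int(flow.ts.split()[1].split(":")[0])


def build_baseline(flows):
    baselines = defaultdict(Baseline)
    for f in flows:
        b = baselines[f.account]
        b.hours.add(hour_of(f))
        b.sources.add(f.src)
        b.destinations.add(f.dst)
        b.volumes.append(f.bytes_out)
    return dict(baselines)


def volume_threshold(volumes):
    # Mean plus three standard deviations (assumed threshold). A single sample has
    # no spread, so fall back to double the only observed value.
    if len(volumes) < 2:
        return 2 * volumes[0]
    return mean(volumes) + 3 * pstdev(volumes)


def score_flow(flow, baselines):
    """Return the list of reasons a flow deviates from its account's baseline ([] if none)."""
    b = baselines.get(flow.account)
    if b is None:
        return ["unknown_account"]          # account never seen in the benign window
    reasons = []
    if hour_of(flow) not in b.hours:
        reasons.append("off_hours")
    if flow.src not in b.sources:
        reasons.append("new_source_host")   # account acting from a host it never used
    if flow.dst not in b.destinations:
        reasons.append("new_destination")   # candidate lateral movement / exfil target
    if flow.bytes_out > volume_threshold(b.volumes):
        reasons.append("volume_spike")      # unexpected data flow
    return reasons


def detect_anomalies(baseline_lines, new_lines):
    """Score every new flow; return (flow, reasons) for those with at least one reason."""
    baselines = build_baseline(parse_flows(baseline_lines))
    alerts = []
    for f in parse_flows(new_lines):
        reasons = score_flow(f, baselines)
        if reasons:
            alerts.append((f, reasons))
    return alerts


# Constructed benign window: a user on a workstation during office hours and a
# backup service account copying to a NAS at 02:00.
BASELINE_LINES = [
    "2025-06-02 09:12 jsmith ws-12 fileserv-01 48211",
    "2025-06-02 11:40 jsmith ws-12 mail-01 12034",
    "2025-06-03 10:05 jsmith ws-12 fileserv-01 51977",
    "2025-06-03 16:22 jsmith ws-12 fileserv-01 39910",
    "2025-06-04 14:30 jsmith ws-12 mail-01 15502",
    "2025-06-02 02:00 svc-backup backup-01 nas-01 820000000",
    "2025-06-03 02:00 svc-backup backup-01 nas-01 805000000",
    "2025-06-04 02:01 svc-backup backup-01 nas-01 831000000",
]

# Constructed new flows: one normal, one off-hours hop to a domain controller,
# one service account pushing data to an unknown address, one unseen account.
NEW_LINES = [
    "2025-06-05 09:30 jsmith ws-12 fileserv-01 50100",
    "2025-06-05 03:15 jsmith ws-12 dc-01 120000",
    "2025-06-05 02:05 svc-backup ws-07 198.51.100.7 5000000000",
    "2025-06-05 13:02 tmp-admin ws-03 dc-01 2048",
]

if __name__ == "__main__":
    for flow, reasons in detect_anomalies(BASELINE_LINES, NEW_LINES):
        print(f"{flow.ts} {flow.account} {flow.src}->{flow.dst} {flow.bytes_out}B: {', '.join(reasons)}")
```

The point of the example is that none of the flagged flows contains malware or a known signature: each is a valid session by a valid account, and the only thing that gives it away is the deviation from that account's own history. The ordinary 09:30 file-server access is scored and passes, which is what keeps a baseline approach usable day to day.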
The ransomware attack on NASCAR illustrates this breakdown. Attackers from the Medusa ransomware group infiltrated the network using stolen credentials and quietly exfiltrated sensitive user data before launching a broader extortion campaign. Because these internal activities weren’t spotted early, the attack matured to a point of public disclosure, operational disruption and reputational harm.
Start preparing for the next phase of ransomware now
The emergence of triple extortion and the increasing sophistication of threat actors indicate that ransomware has entered a new phase. It is no longer solely about file encryption; it is about leveraging every available vector to apply maximum pressure on victims.
Organisations must respond accordingly. Relying exclusively on prevention is no longer viable. Detection and response must be prioritised equally. This demands a strategic investment in technologies that provide real-time visibility, contextual insight and adaptive response capabilities.
Attackers are innovating continuously, and to match their pace, defenders must invest in tools and strategies that go beyond legacy systems. If an organisation lacks visibility into its environment, it cannot respond effectively. That lack of visibility can mean the difference between a contained incident and a catastrophic breach.
Key takeaways
- Attackers are much more sophisticated than they used to be. They’re now combining data theft, encryption, distributed denial-of-service attacks, and public shaming tactics, a strategy now widely referred to as triple extortion. It’s now as much about trust erosion as disrupting operations.
- Many attackers now operate as part of a broader criminal ecosystem, and traditional security systems are failing to keep up.
- Behavioural analytics is better able to adapt to advancing ransomware strategies than signature-based detection methods.
- Detection and response must be prioritised equally. Real-time visibility, contextual insight and adaptive response capabilities are crucial.
Jamie Moles is senior technical manager at ExtraHop.