Ransomware is no longer a purely technical threat confined to encrypted files and IT disruption. It has evolved into a sophisticated business risk that targets data, operations and reputation in equal measure. According to the latest findings from BlackFog, this shift is accelerating. Its 2025 State of Ransomware Report reveals a 49% year-on-year increase in publicly disclosed attacks, alongside a sharp rise in incidents that never reach the public domain, underscoring the scale and opacity of the modern threat landscape.
The report highlights how attackers are increasingly leveraging AI to operate with greater speed, scale and precision, enabling large-scale campaigns that prioritise data exfiltration and extortion over traditional system disruption. With 130 active ransomware groups and organisations across 135 countries impacted, ransomware has become a pervasive global challenge affecting nearly every sector.
To explore what’s driving this transformation—and what it means for business leaders—this interview with BlackFog CEO Dr Darren Williams examines how ransomware has evolved into a multi-layered extortion model. From AI-driven reconnaissance and the rise of double and triple extortion, to the growing gap between incident response and long-term business impact, his insights point to a critical shift: organisations must move beyond reactive recovery and focus on protecting the data that attackers value most.
Why has ransomware evolved into a broader business disruption model rather than remaining a purely technical attack?
“The ultimate goal of ransomware is to make money, and so cyber criminals have optimised their business models to get paid. In the early days it involved encrypting files, but this wasn’t the most effective means to get paid. It turns out organisations are more likely to pay if they have a data breach with either intellectual property or, more importantly, customer data, which also triggers legal and regulatory mandatory reporting. That is before you consider the operational, reputational and financial implications. As a result, ransomware has evolved to leverage these, as they are highly effective in ensuring victims pay.”
How are attackers identifying and exploiting the most critical pressure points within organisations?
“Targeted phishing and detailed reconnaissance using AI have been very effective in finding the weak point in any organisation. This typically focuses on key individuals so the cybercriminal can create a ‘beachhead’ into the organisation, and then move laterally, ultimately leading to data exfiltration and extortion.”
What does the rise of double and triple extortion reveal about organisational weaknesses?
“Cybercriminals focus on what works, and they know that the weakest point is data security. In fact, virtually all EDR/XDR products on the market focus on detection rather than preventing data loss. Cybercriminals know they focus on the systems rather than the data and use this exploit to remove data before it is even detected (which often takes hours or days). Attackers are known to dwell for days, and sometimes months, before even sending data, so until organisations monitor the data, they are virtually impossible to detect.
“Many organisations also fail to understand that backups only get your systems back online, they don’t solve the underlying problem that data has been extracted. As we know, once the data has gone, it has been lost forever and can be used and leveraged for many years, whether the ransom has been paid or not.”
Are current incident response strategies still fit for purpose in this new ransomware landscape?
“Incident response strategies were always designed to contain, restore and resume. This misses the fundamental point of ransomware, which is to disrupt operations and trigger legal, regulatory, reputational and financial fallout. Sure, you might be able to get your systems back online, but that doesn’t stop the loss of the data and the fallout from the attack. That will continue for months and years.”
How should leadership teams balance the decision to pay or not pay in increasingly complex scenarios?
“There is pretty clear guidance on this from all major governments, that it is better not to pay the ransom and focus on recovery. As long as there is someone willing to pay, it only fosters the development of more ransomware.”
What role does cyber insurance play in shaping attacker behaviour—and is it helping or harming resilience?
“Cyber insurance as an industry varies widely between providers. The landscape has shifted substantially in the last few years, and there has been more focus on cybersecurity prevention than ever before. In fact, most insurers will not even provide insurance unless some level of protection is in place. They have also implemented more controls on ransomware payments, with less focus on paying demands and more on recovery to dissuade attackers.
“It has also shaped the ransomware demands significantly, with most attacks falling in the bands of typical policy limits. There are still many organisations that use insurance to shift the responsibility, rather than invest in preventative measures to stop data exfiltration and the subsequent extortion that follows.”
How can organisations quantify and prioritise the business risks associated with ransomware beyond IT systems?
“Businesses need to move from thinking about tactical responses, such as servers being down, to the operational problems, legal and operational issues of an attack. As we know, the consequences to the reputation and costs associated with remediation far outweigh the actual ransomware cost. The questions to ask are: how do I keep my business running if we are attacked, and what can we do to prevent that from happening in the first place? A salient example is what happened at Marks and Spencer and Jaguar Land Rover, which sent both companies into tailspins and showed how ill-prepared they were in the first place.”
What practical steps can companies take to move from reactive recovery to proactive resilience?
“Ransomware is predicated on the ability to steal information so the victim can be extorted. This requires the attacker to break into the organisation and exfiltrate data which can be used as leverage to pay a ransom. If companies focus on the data security and ultimately prevent data exfiltration, then there will be no ransom in the first place. Proactive, real-time defence is critical in stopping these attacks.
“With more than 6,000 products in the space, organisations may struggle to understand the differences between solutions and the segments in which vendors excel. Many organisations think that having a product from a large provider, such as Microsoft, is enough, when in fact, these legacy vendors are significantly behind and unable to keep pace with the latest AI attack vectors. Instead, the focus is now shifting to more nimble vendors that can adapt and solve these rapidly evolving threats in real-time.”
Dr Darren Williams, Founder and CEO of BlackFog.
Dr Williams is a serial entrepreneur and founder of three technology startups over the last 20 years, two of which have been sold to public companies. He is currently the founder and CEO of BlackFog, Inc., a global cybersecurity company focusing on ransomware prevention and cyber warfare. Dr Williams is responsible for strategic direction and leads global expansion for BlackFog, and has pioneered anti-data exfiltration technology to prevent cyber attacks across the globe.
