Ransomware gangs focus on winning hearts and minds
Ransomware-as-a-service operations are increasingly seeking to forge connections with employees, contractors and trusted partners of their target organisations as an alternative to straight-up hacking, says NCC.
The tried-and-tested ‘business models’ favoured by some of the world’s most adept, and dangerous, ransomware gangs are scaling rapidly as cyber criminals increasingly adopt structured affiliate models and actively seek out new recruits, including malicious insiders and even cyber pros themselves, according to NCC Group’s latest monthly round-up of the threat environment.
That cyber criminal gangs operate as an organised industry is nothing new, and is well understood across the security industry and, these days, beyond its confines.
However, said NCC, amid a 13% rise in recorded ransomware attacks during December 2025, the growing financial ‘success’ of ransomware gangs is enabling them to offer stronger financial incentives to new recruits, including larger commissions, and to invest in improved operational security (OpSec), both signs of growing professionalisation in the ecosystem.
NCC’s Matt Hull said that ransomware-as-a-service (RaaS) gangs now view employees, contractors and trusted partners as gateways into victim organisations, and actively target them to gain legitimate access to credentials, systems and processes. This lets them bypass security controls and reduce their reliance on vulnerabilities that may be discovered and patched at any moment, which in turn lowers the risk of detection and exposure before an attack is executed.
He cited a well-reported incident in which the Medusa ransomware gang unwisely targeted the BBC by approaching its cyber security correspondent, Joe Tidy. The gang messaged Tidy on the encrypted Signal application to offer him 15% of a future ransomware payment if he gave them access to his PC. When this was rebuffed, Medusa’s recruiter upped the offer to a quarter of 1% of the BBC’s revenues, and promised Tidy he would never have to work again.
“Targeting high-profile organisations like the BBC is both financially attractive and commercially strategic,” said Hull. “Even limited success against a well-known brand can generate notoriety and credibility, helping groups attract future affiliates and opportunities. Well-resourced groups like Medusa and Qilin can afford to use financial incentives to attract insiders, but smaller gangs often lack the means to compete.
“For organisations, this shifts the focus from purely technical defence to human risk management. Insider threat programmes, strong access governance and robust offboarding processes are critical to reducing the risk that current or former employees become part of the ransomware supply chain.”
But employees are not the only ones being targeted. In November 2025, the US authorities indicted three men accused of extorting a total of five known victims using the ALPHV/BlackCat ransomware. The sting in the tail was that all three worked in the cyber security field, specialising in incident response and ransomware negotiations. The Department of Justice (DoJ) said that one of the men became involved in the scheme because he was in debt.
Two of the accused, named as Ryan Goldberg and Kevin Martin, pled guilty to obstruction of commerce through extortion at the end of December 2025 and are due to be sentenced in March.
“Ransomware has evolved into an organised business model. These groups now think in terms of recruitment, incentives, scale and growth, rather than just attacks,” added Hull.
“What’s striking is that these tactics aren’t new. Trust, deception, social engineering and financial pressure have always worked, they’re just being organised and scaled in new ways. The recruitment of cyber security professionals shows how far this has gone: ransomware groups are exploiting expertise, access and human trust to operate like structured criminal enterprises.”
Qilin remains most active gang
During December 2025, NCC’s telemetry observed 170 Qilin ransomware attacks, approximately double the volume of the gang’s closest rival Akira, which managed 78. LockBit 5.0, Safepay and Sinobi rounded out the top five with 68, 67 and 54 observed attacks to their names, respectively.
NCC said an end-of-the-year rise in ransomware attacks was a well-documented event, as cyber criminals target organisations left understaffed during the holiday period.
As usual, North America remained the most targeted geography, accounting for 50% of the attacks seen by NCC, with Europe accounting for another quarter, and Asia 12%. Approximately 30% of attacks targeted the industrials sector, followed by 22% of attacks targeting the consumer discretionary vertical, and 10% targeting IT companies.