Date: 2026-01-05

Ransomware has evolved from being an operational nuisance confined to the IT department into one of the most significant strategic risks faced by organisations today. Last year’s disruptive campaigns run by groups such as UNC3944, also known as Scattered Spider, highlight how these attacks have moved beyond technical exploitation, now centring on social engineering and identity abuse. These developments should be a wake-up call for boards of directors. Identity has become the new security perimeter, and the board’s role in safeguarding it has never been more important.

The changing face of ransomware

Incidents linked to the hacking group Scattered Spider have spread rapidly across multiple sectors, from retail in the United Kingdom to insurance and aviation companies in the United States. Their campaigns have created widespread outages, loss of customer data and lasting reputational damage. More significantly, these operations reveal how adversaries are bypassing traditional technical defences altogether.

One of the group’s most effective methods is voice phishing. By impersonating employees, attackers persuade help desk staff to reset credentials or adjust multifactor authentication settings. This gives criminals the ability to register their own devices for authentication, effectively handing them legitimate access to corporate systems. This tactic undermines the assumption that multifactor authentication alone provides a strong barrier. It also shows how vulnerable human processes can be when they fall outside the direct control of security teams.
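
An added example, not part of the original article: one way a security team could surface the pattern described above, a help desk reset followed shortly by enrolment of a previously unseen authentication device. The event fields, action names, sample data and 24-hour window are constructed assumptions, not any identity provider's schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and action labels are assumptions,
# not the schema of any particular identity provider.
EVENTS = [
    {"time": "2026-01-05T09:02:00", "user": "a.khan", "action": "mfa_device_registered", "device": "phone-A1"},
    {"time": "2026-01-05T10:15:00", "user": "j.doe", "action": "helpdesk_mfa_reset", "actor": "helpdesk-07"},
    {"time": "2026-01-05T10:21:00", "user": "j.doe", "action": "mfa_device_registered", "device": "phone-Z9"},
    {"time": "2026-01-05T11:00:00", "user": "m.lee", "action": "helpdesk_password_reset", "actor": "helpdesk-03"},
    {"time": "2026-01-07T08:30:00", "user": "m.lee", "action": "mfa_device_registered", "device": "phone-M2"},
]

# Devices each user had enrolled before the period under review (constructed).
KNOWN_DEVICES = {"a.khan": {"phone-A0"}, "j.doe": {"phone-J1"}, "m.lee": {"phone-M1"}}

RESET_ACTIONS = {"helpdesk_password_reset", "helpdesk_mfa_reset"}
WINDOW = timedelta(hours=24)  # assumed review window


def flag_reset_then_enrolment(events, known_devices, window=WINDOW):
    """Return enrolments of a new device that follow a help desk reset
    for the same user within `window`."""
    last_reset = {}  # user -> (timestamp, help desk actor)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["action"] in RESET_ACTIONS:
            last_reset[user] = (when, ev["actor"])
        elif ev["action"] == "mfa_device_registered":
            reset = last_reset.get(user)
            is_new = ev["device"] not in known_devices.get(user, set())
            if reset and is_new and when - reset[0] <= window:
                findings.append({
                    "user": user,
                    "device": ev["device"],
                    "reset_by": reset[1],
                    "minutes_after_reset": int((when - reset[0]).total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in flag_reset_then_enrolment(EVENTS, KNOWN_DEVICES):
        print(finding)
```

A new device enrolled with no preceding reset (a.khan) and an enrolment well outside the window (m.lee) are not flagged; only the reset-then-enrol sequence for j.doe is.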

Another shift is the targeting of modern IT infrastructure. As organisations pursue digital transformation and move workloads into the cloud, they create opportunities for attackers who can navigate between on-premises and cloud environments. Compromised accounts in single sign-on systems have allowed adversaries to extend their reach across a broad range of business applications. This approach transforms what once would have been a limited intrusion into a full-scale compromise of an enterprise environment.

At the heart of these campaigns lies the abuse of identity. Ransomware actors increasingly rely on valid credentials rather than custom malware or exploits. The implication is clear. Protecting identity is now the most important line of defence.