BW Security World

Ransomware Groups Adopt Corporate Structures As Attacks Surge, Researchers Warn

Ransomware attacks have risen by nearly half this year, fuelled by criminal gangs adopting the structures and tactics of legitimate businesses, according to new research.

Data from security firm NordStellar shows more than 200 ransomware groups in operation, with 60 still active. Vakaris Noreika, a cybersecurity expert at the company, said defenders make a mistake in thinking attackers are lone wolves. “Ransomware groups are organised crime, and it’s extremely dangerous to underestimate how equipped they are. They function like a corporation, with individuals assigned to specific tasks so operations run smoothly,” he said.

Noreika added that some groups even place insiders within target companies to provide access to sensitive systems, and recruit skilled hackers through a stringent vetting process that resembles corporate HR. “Candidates can only be invited by already established individuals,” he said.

A business model for crime

Experts say the corporate-like organisation explains the efficiency of modern attacks. Groups often operate on a ransomware-as-a-service (RaaS) model, hiring affiliates to spread attacks while keeping profits flowing. “Like every other criminal organisation, they are businesses,” said Trey Ford, chief strategy officer at Bugcrowd, noting that ransom payments, usually in cryptocurrency, have been climbing since late 2023.

Nathaniel Jones, vice-president of security and AI strategy at Darktrace, said attackers are also moving away from simply encrypting data. “Threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen information unless their ransom demands are met,” he said.

Critical infrastructure remains the top target, particularly in the U.S., but retail services and other high-traffic industries are also being singled out, said Fletcher Davis of BeyondTrust.

How defenders can respond

Experts stress that companies need to focus on the basics of security. “Knowing your total attack surface, testing your environment, and efficient remediation are key,” Ford said. Multi-factor authentication, strict management of privileged accounts, and comprehensive logging are among the most important measures.

Davis urged firms to strengthen vendor access controls, adopt time-limited permissions, and verify identities across multiple channels before granting access. Ngoc Bui of Menlo Security said companies must treat attacks as lessons: “Use it as a learning opportunity to adjust security measures and ensure you are using actionable intelligence.”

While ransomware gangs may be operating with the discipline of corporations, experts argue defenders can still blunt their effectiveness by tightening basic controls and closing gaps. Otherwise, they warn, organisations may be left with little choice but to pay up.
