**Ransomware Gangs Focus on Winning Hearts and Minds: A Growing Menace**
The world of ransomware has evolved into a sophisticated, organized business model, with gangs scaling rapidly and adopting structured affiliate models to recruit new members. According to NCC Group's latest threat environment report, the financial success of these gangs is enabling them to offer stronger incentives, improved operational security measures, and a growing professionalization in their ecosystem.
The rise of ransomware-as-a-service (RaaS) gangs has led to a 13% increase in recorded attacks during December 2025. These groups now view employees, contractors, and trusted partners as gateways into victim organizations, targeting them to gain legitimate access to credentials, systems, and processes. This allows them to bypass security controls and reduce the risk of discovery before executing a cyber attack.
NCC's Matt Hull highlighted a notable incident where the Medusa ransomware gang approached BBC cybersecurity correspondent Joe Tidy with a lucrative offer: 15% of a future ransomware payment in exchange for access to his PC. When Tidy declined, the gang increased their offer to a quarter of the BBC's revenues and promised he would never have to work again.
"Targeting high-profile organizations like the BBC is both financially attractive and commercially strategic," said Hull. "Even limited success against a well-known brand can generate notoriety and credibility, helping groups attract future affiliates and opportunities."
Hull emphasized that smaller gangs often lack the means to compete with larger groups' financial incentives. As a result, organizations must shift their focus from purely technical defense to human risk management. Insider threat programs, strong access governance, and robust offboarding processes are critical in reducing the risk of current or former employees becoming part of the ransomware supply chain.
But employees are not the only ones being targeted. In November 2025, US authorities indicted three men accused of extorting five victims using the ALPHV/BlackCat ransomware. The twist? All three worked in cybersecurity, specializing in incident response and ransomware negotiations. One of them became involved due to debt, while two others pled guilty to obstruction of commerce through extortion.
"Ransomware has evolved into an organized business model," added Hull. "These groups now think in terms of recruitment, incentives, scale, and growth, rather than just attacks." He noted that these tactics are not new, but the growing professionalization of ransomware gangs is a worrying trend: "Trust, deception, social engineering, and financial pressure have always worked; they're just being organized and scaled in new ways."
During December 2025, NCC's telemetry observed 170 Qilin ransomware attacks, approximately double the volume of their closest rival Akira. LockBit 5.0, Safepay, and Sinobi rounded out the top five with 68, 67, and 54 observed attacks to their names, respectively.
The end-of-year rise in ransomware attacks is a well-documented event, as cybercriminals target organizations left understaffed during the holiday period. North America remained the most targeted geography, accounting for 50% of the attacks seen by NCC, with Europe and Asia following closely behind.
As the threat landscape continues to evolve, it's clear that ransomware gangs are adapting their tactics to stay ahead of the game. Organizations must remain vigilant and take a proactive approach to human risk management, or they may find themselves as victims of this growing menace.