News brief: Ransomware trends show new twists to old game
Check out the latest security news from the Informa TechTarget team.
If ransomware is the problem that won't go away, it is also the problem that doesn't stay the same. Tactics continue to change, as do the strategies to counter the threats.
Ransomware gangs target governments, education institutions, healthcare providers, retailers and others, making it a struggle for organizations of all sorts and sizes. It is so prevalent that the "2025 Verizon Data Breach Investigations Report" concluded that ransomware was involved in 44% of all security breaches -- up from 32% the previous year. Precise numbers are hard to pin down, but recent statistics estimate that ransomware payments range from $267,000 to $1 million.
While phishing and other common attack methods still work well, bad actors are also turning to voice-based and AI-fueled methods to more precisely and efficiently target their intended victims. Some security experts expect to see AI tools used to create autonomous ransomware pipelines. That prospect is among several developments on the ransomware landscape featured in this week's news.
Researchers see signs that ransomware gangs might be organizing
The DragonForce ransomware group is attempting to adopt a cartel-like model inspired by organized crime, emphasizing collaboration among ransomware gangs. According to an analysis by managed cybersecurity services company LevelBlue, this approach would enable affiliates to operate independently while using DragonForce's extensive resources, such as storage, server monitoring and decryption services.
The strategy by DragonForce appears designed to consolidate power within the ransomware ecosystem, creating a mafia-style network that mirrors territorial organization and cooperation seen in traditional crime syndicates.
DragonForce called for cooperation among major ransomware operators, ostensibly to "stabilize the ransomware 'market,' increase collective profits and present a unified front," the LevelBlue researchers wrote. DragonForce's pitch included standardizing competitive conditions, eliminating public conflicts among groups and agreeing on equal terms for affiliates, especially regarding deposit requirements and profit sharing.
CISA changes ransomware statuses without notice
A researcher at cybersecurity company GreyNoise uncovered a significant issue with CISA's Known Exploited Vulnerabilities (KEV) catalog: silent updates to ransomware statuses.
In 2025, 59 vulnerabilities had their ransomware status changed from "Unknown" to "Known" without public announcements, leaving security teams unaware of evolving threats unless they monitored the catalog daily. These updates, which included vulnerabilities from Microsoft, Fortinet and other major vendors, highlight the need for better transparency as ransomware operators increasingly exploit remote code execution and authentication bypass flaws.
To address this, GreyNoise researcher Glenn Thorpe developed an RSS feed to track updates, urging organizations to stay vigilant and reassess risks proactively.
Telecoms at high risk of ransomware attack, FCC warns
The Federal Communications Commission (FCC) this week issued a warning to telecommunications companies, urging them to adopt stronger cybersecurity measures to combat the rising threat of ransomware attacks. The alert highlights vulnerabilities in U.S. communications networks that pose risks to national security, public safety and business operations.
Over the past year, ransomware incidents targeting small to medium-sized telecom firms have disrupted services, exposed sensitive data and locked providers out of critical systems. The FCC noted a fourfold global increase in ransomware attacks on telecom firms between 2022 and 2025.
The FCC recommended regular system patching, MFA, network segmentation and monitoring for supply chain vulnerabilities. Companies are also advised to back up data, train employees and test incident response plans. The alert included guidance on reporting attacks and evaluating third-party vendors' cybersecurity practices.
AI could drive autonomous ransomware pipelines
A new report highlighted key movements toward a hacking ecosystem increasingly dominated by AI.
In 2025, cybercriminals began using AI to accelerate and enhance the effectiveness of their attacks, according to a report from antimalware vendor Malwarebytes. It noted that AI-driven tools have enabled deepfake-based social engineering, vulnerability discovery and autonomous ransomware attacks. While traditional hands-on-keyboard intrusions remained prevalent, 2025 saw the first confirmed AI-orchestrated attacks.
Malwarebytes warned that this year could see the arrival of fully autonomous ransomware pipelines, enabling small groups to use AI to target multiple victims at unprecedented scales.
Read the full article by Eric Geller on Cybersecurity Dive.
Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.
Phil Sweeney is an industry editor and writer focused on cybersecurity topics.
