4 important trends in ransomware and how to deal with them

How are ransomware attacks changing and what does that mean for your organization? Paul Pols, principal security specialist at Secura, sees 4 trends when it comes to ransomware.

... > Ransomware Resilience Assessment (RRA) > 4 Important Trends in Ransomware

4 trends in ransomware

Two major casinos were hit; private data of high level Dutch footballers were in danger of being leaked: the fall-out from ransomware attacks makes the news every week. But what are the developments behind these attacks? Paul Pols, principal security specialist at Secura, sees 4 trends when it comes to ransomware.

1. Criminals are using new tactics: ads and help desk

Ransomware was traditionally spread through phishing emails, more specifically through attached Microsoft Office documents: Word documents with infected macros. 'But Microsoft has made this a lot harder,' Pols says. 'So we see that ransomware actors are looking for other ways to gain access and achieve infections.'

Attackers still use phishing emails, with the malware in all kinds of other attachments, but they are broadening their tactics, says Pols: 'Over the past year, we've seen actors abuse search engine results, for example. They place malicious ads at the top of search pages and lure people to a non-legitimate website. Once there these people download malicious software.'

New tricks

Social engineering is also on the rise, Pols observes. 'Ransomware actors might call a help desk and induce an employee to reset a password or bypass multifactor authentication.' The recent ransomware attack at MGM Resorts likely started with this kind of social engineering of a help desk employee.

This trend means that organizations are less able to predict where a potential ransomware attack might begin. 'I do expect consolidation to occur here,' Pols says. 'After a while, one method will prove to work best. But right now, the old method is failing, and we see ransomware groups trying to find out which new tricks to use.'

Quote by

Paul Pols

Principal ransomware specialist


Right now, we see that ransomware groups are trying to find out what new tricks they can use to spread ransomware.

2. More organizations are published on leak sites

No one knows exactly how many ransomware attacks occur each year, because concrete data are hard to find. But the number of organizations that end up on a so-called dark web leak site keeps growing, Pols observes. What does this mean?

'If an organization does not intend to pay a ransom, ransomware groups often threaten to leak their data. The website of a ransomware group might say, 'We hacked the Dutch Football Association. They have 10 days to pay up. If they don't, we will publish their data.'

The number organizations published on leak sites in the first nine months of 2023 was as high as the entire number for 2022. 'If you look at those numbers, the number of ransomware attacks worldwide seems to be increasing. Of course, it could be that organizations are ending up on leak sites more often because they are more reluctant to pay the ransom. But we don't have that indication.'

'We know from multiple sources, for example through the disbanded ransomware group Hive, that about 80% of ransomware victims pay ransom before being placed on a leak site. That means the actual number of ransomware attacks is probably about five times the number of victims published on leak sites.'

Image in image block

3. The debate on paying ransom is becoming more divisive

To pay or not to pay? This simple question is becoming a minefield for organizations, especially now large ransomware attacks are becoming more frequent. The Dutch Football Association, which paid a ransom to LockBit, was reprimanded by the Dutch Data Protection Authority for contributing to 'a reprehensible revenue model.'

Pols, who studied philosophy in addition to cybersecurity, recognizes a clash of two types of interests and behavior in this discussion. He explains: "Philosophically, we have two ways to label people's actions: rational or reasonable. The rational action is the behavior that makes sense to an individual in a certain position; this behavior is often driven by self interest. The reasonable action takes the interest of the group into account: if everyone acted reasonably in a given situation, the resulting outcome would be the best one possible for everyone.'

Clashing interests

These two interests collide when it comes to ransomware, Pols explains: "The interest of an individual organization is to minimize the damage from an attack. Sometimes it's cheaper to pay a ransom than to accept a data breach. But from a societal point of view, the best outcome is for an organization to choose the second option - to go bankrupt rather than pay, so to speak. Because ultimately, as a society, you want to send the message: 'We won't pay.'

What is the solution to these clashing interests? 'Legislation. It can ensure that what is rational and what is reasonable are aligned. I see that as a government's role in an issue like this: to set the rules of the game. So that if organizations act within them in their own interests, this does not clash with the interests of society. For example, you might require organizations to choose remediation, even if this is the more expensive option - as long as it does not threaten the survival of the organization.'

4. Professional negotiators are changing the playing field

When organizations decide to pay the ransom demanded after a ransomware attack, they are increasingly likely to hire a professional negotiator to at least reduce the amount. This development is having unintended consequences, Pols sees: 'Professional negotiators are putting pressure on the revenue model of ransomware groups.'

Pols: 'Professional negotiators are sometimes able to move ransomware operators to give them large discounts: up to 90% off the original demand. The operator, who actually carries out the attack, might be new to the game and might be more inclined to accept a small ransom rather than write off the chance of payment. But we now see some ransomware groups taking measures against these discounts.'

Price fixing ransomware

Ironically, some ransomware groups are also trying to align individual interest and group interest, Pols says: "Ransomware groups are discussing minimum amounts and maximum discounts for ransom demands. For example: as an operator, you have to demand a minimum of 3% of the victim's annual turnover. You can give a discount, but no more than 50%, leaving a minimum of 1.5% of the turnover as a ransom demand.' This means Ransomware actors are fixing prices on ransom amounts.

What do these trends mean for your organization?

"There is no 'silver bullet' to protect an organization against ransomware," Pols says. One important focus area: protecting your internal infrastructure. 'Since actors are finding different ways to gain access, it's becoming more important to really protect the internal network. In many organizations, this network is most vulnerable. But one compromised employee laptop can mean a ransomware group taking control of the entire IT infrastructure.'

Better safe than sorry

The chances of an organization being hit by a ransomware attack seem to be increasing. Pricing agreements on ransom demands show us the immediate damage an attack can do. 'But a ransomware attack causes much more damage - from reputational damage to damage to employees' mental well-being. Therefore, the motto for becoming more resilient against ransomware attacks remains: better safe than sorry.'


Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.


Prevent Ransomware

Would you like to know how resilient your organization is against ransomware? Contact us through the form below and we will get back to you within one business day.

Paul Pols

Lead Ransomware Resilience