THOUGHT LEADERSHIP
The disastrous impacts of cyberattacks have hit the headlines in recent months, from financial downturn to brand reputational damage and loss of customer trust. Against this backdrop, the UK government regards ransomware as the most significant organised cybercrime threat and is taking steps to strengthen protections for both the public and private sectors. Current proposals include banning ransom payments by public sector organisations and introducing measures to restrict payments in the private sector. These initiatives aim to deter criminal activity, but could they unintentionally make businesses more vulnerable? If attackers know public bodies cannot pay, will they focus instead on organisations outside the scope of such legislation? In our experience, many businesses are unwilling to take that risk.
The emerging threat of ransomware
Ransomware remains, by far, the most profitable type of cybercriminal activity, with the lowest barrier to entry and the fastest payout. Other types of cybercrime, such as Business Email Compromise or romance scams, can be more profitable, but they usually take months to pay out and require a great deal of time and patience.
Ransomware groups have a well-documented blueprint for initial access, movement within a victim network, accepting payment and laundering funds. Even less capable threat actors, who make up the vast majority of new ransomware groups, can easily outsource these activities because an entire ecosystem of secondary and tertiary groups has built up around supporting ransomware attacks. Attackers are rapidly changing and developing tactics to crack even the most robust defences.
How are attackers evolving?
• Help desk attacks
Ransomware groups are increasingly targeting help desks as an entry point into corporate systems. These attacks rely on impersonation and social engineering to bypass security measures.
One common tactic involves overwhelming an employee with phishing emails, then calling them while posing as the help desk to ‘resolve’ the issue. Groups such as Black Basta have used this approach to gain direct access to systems.
Another method sees criminals impersonating employees when contacting the help desk, persuading staff to reset passwords or disable multi-factor authentication. This type of attack was observed in the Clorox breach, where attackers exploited human trust and procedural gaps rather than technical vulnerabilities.
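Both help desk tactics described above leave a trace in identity-provider audit logs: a burst of unsolicited MFA prompts or failed logins against an account, followed shortly by a help desk agent resetting or disabling that account's MFA or password. The detector below is an added example, not code from the article or from Recorded Future, and runs over a constructed sample log; the event names, the five-event threshold and the two-hour lookback are assumptions to be tuned against a real identity provider's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed sample schema (not from the article): simplified identity-provider audit events.
@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    event: str   # e.g. "mfa_push_denied", "login_failed", "helpdesk_mfa_reset"
    actor: str   # who triggered it: the account itself or a help desk agent id


# Events showing an account is under pressure before any help desk contact (assumed names)
PRESSURE_EVENTS = {"mfa_push_sent", "mfa_push_denied", "login_failed"}
# Help desk actions an impersonator is trying to obtain (assumed names)
HELPDESK_EVENTS = {"helpdesk_mfa_reset", "helpdesk_mfa_disable", "helpdesk_password_reset"}

T0 = datetime(2025, 1, 15, 9, 0)

# Constructed sample log: alice is bombarded, then "helped"; bob and carol are routine cases.
SAMPLE_LOG = [
    # alice: six denied MFA pushes in ten minutes, then a help desk MFA reset at 09:30
    *[AuthEvent(T0 + timedelta(minutes=2 * i), "alice", "mfa_push_denied", "alice") for i in range(6)],
    AuthEvent(T0 + timedelta(minutes=30), "alice", "helpdesk_mfa_reset", "hd-agent-07"),
    # bob: one mistyped password, then a routine password reset five hours later
    AuthEvent(T0 + timedelta(minutes=5), "bob", "login_failed", "bob"),
    AuthEvent(T0 + timedelta(hours=5), "bob", "helpdesk_password_reset", "hd-agent-03"),
    # carol: MFA disabled by the help desk with no preceding pressure on the account
    AuthEvent(T0 + timedelta(hours=1), "carol", "helpdesk_mfa_disable", "hd-agent-07"),
]


def find_suspicious_helpdesk_actions(events, threshold=5, lookback=timedelta(hours=2)):
    """Return help desk credential/MFA changes that were preceded by at least `threshold`
    pressure events for the same account within `lookback`. Both parameters are tuning
    assumptions; a real deployment would calibrate them against its own baseline."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for e in evs:
            if e.event not in HELPDESK_EVENTS:
                continue
            # Pressure events strictly before the help desk action and inside the lookback window
            pressure = [p for p in evs
                        if p.event in PRESSURE_EVENTS and e.ts - lookback <= p.ts < e.ts]
            if len(pressure) >= threshold:
                alerts.append({
                    "user": user,
                    "action": e.event,
                    "agent": e.actor,
                    "pressure_events": len(pressure),
                    "first_pressure": pressure[0].ts,
                    "action_ts": e.ts,
                })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_helpdesk_actions(SAMPLE_LOG):
        print(f"REVIEW {a['action']} on {a['user']} by {a['agent']}: "
              f"{a['pressure_events']} pressure events since {a['first_pressure']:%H:%M}")
```

The alert is a prompt for a second-channel check with the employee and a review of how the agent verified the caller, not an automatic reversal; the carol case shows why the rule alone is not enough, since an MFA disable with no preceding noise still deserves a policy-level review of whether the help desk should be able to disable MFA at all.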
• Advanced social engineering tactics
Generative Artificial Intelligence (AI) is giving cybercriminals sophisticated tools to manipulate trust and influence human behaviour. These attacks extend well beyond basic phishing emails, evolving into highly personalised campaigns that persuade employees to act in ways they ordinarily would not.
The process often begins with footprinting, where attackers analyse a target’s digital presence – from professional profiles to casual social posts – to learn how individuals communicate, who they interact with and which topics resonate with them.
AI then amplifies this intelligence. Criminals can craft messages in a company’s style, clone voices with local accents and reference real colleagues or workplace events. These capabilities make scams appear authentic enough for victims to bypass security protocols, share login codes or authorise unusual actions in the belief they are helping a trusted contact.
AI also broadens access to these tactics. For example, while help desk attacks were once largely associated with Western groups such as Scattered Spider or ShinyHunters, Russian threat actors are now using AI to translate scripts and impersonate employees in native languages. This ability to convincingly adopt any persona makes such attacks far more difficult to detect and resist.
The real risk lies not in AI itself, but in its fusion with social engineering. By exploiting human instincts such as trust, helpfulness and urgency, attackers can influence decisions that would normally trigger suspicion.
• Finding weak links in supply chains
Rather than directly attacking a target business, cybercriminals are increasingly focusing on finding gateways in supply chains. For example, hackers might identify software partners that they know their victim trusts and relies on. An attack then leverages zero-day flaws in software or hardware to gain undetected access to the partner’s network, creating a hard-to-detect route into the main target’s secure systems through which to deploy ransomware.
Allan Liska, Threat Intelligence Analyst, Recorded Future
www.intelligentcxo.com