Ahmet Ö.
Kurumsal
- Thread Author
- #1
Ransomware attacks continued their increase for the fourth consecutive month in December 2025, rising by 13% to a total of 783 attacks.
Cybercrime is increasingly becoming an organized industry. According to NCC Group's Cyber Threat Intelligence Report, ransomware-as-a-service (RaaS) gangs are adopting structured partnership models, actively recruiting malicious insiders and cybersecurity professionals. This surge, paralleled by a 13% monthly increase in December 2025, indicates signs of professionalization within the ransomware ecosystem. Companies experiencing staff shortages during holiday periods are particularly targeted by RaaS gangs.
RaaS gangs view employees, contractors, and trusted business partners as entry points into organizations. By recruiting insiders, criminals gain legitimate access to systems, credentials, and processes, thereby bypassing security measures. Employees with extensive access in IT and technical fields are particularly targeted, as a single compromised account can open many doors in the modern digital landscape.
The NCC Group report reveals that strong financial incentives are one of the main reasons for insider recruitment; ransomware groups promise high commissions and anonymity for collaboration.
An example of this model was seen in September 2025 when the Medusa ransomware gang attempted to recruit a BBC employee as an insider. They offered a 15% share of a future ransom payment in exchange for access to internal systems, which was increased to 25% when the initial attempt failed. This highlights both the financial pressure and the strategic value of insider access.
Matt Hull, Vice President of Cyber Intelligence and Response at NCC Group, stated, "Attacking high-profile targets like the BBC is both financially attractive and commercially strategic. Even limited success against well-known brands brings notoriety and reputation, facilitating future partnerships. While well-resourced groups like Medusa and Qilin can offer financial incentives to attract insiders, smaller gangs struggle in this competition."
Hull emphasized, "This situation underscores that companies must shift their defense focus from purely technical methods to human-centric risk management. Insider threat programs, robust access management, and solid offboarding processes are critical in reducing the risk of current or former employees becoming involved in the ransomware supply chain."
The report also notes that insider recruitment is not limited to employees. In December 2025, two cybersecurity professionals pleaded guilty to collaborating with the BlackCat/ALPHV gang; they were involved in ransomware attacks against five organizations in the healthcare and manufacturing sectors in the US. This incident is one of the first documented examples of cybersecurity experts using their technical knowledge and understanding of processes to directly support RaaS activities. Factors such as financial incentives, rising cost of living, and dissatisfaction with salaries can increase susceptibility to collaboration.
Matt Hull continued: "Ransomware has transformed into an organized business model. These groups are now planning not just attacks, but recruitment, incentives, scale, and growth. These tactics are not new; trust, deception, social engineering, and financial pressure have always been effective, but now they are being applied much more systematically and at scale. The recruitment of cybersecurity professionals demonstrates how ransomware groups exploit expertise, access, and human trust."
### Other Report Highlights
- The consumer products sector accounted for 22% of ransomware attacks in December; the information technology sector accounted for 10%.
- North America accounted for half of the attacks in December 2025.
These developments indicate that cybercriminals are operating in an increasingly professional and organized manner.
