Ransomware tactics evolve: Is your business prepared? ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­    ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏  ͏ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­ ­  
View in browser
SKADI_Character
SKADI_LOGO

THE ARROW

Ransomware Evolution

Issue #03 • June 2026
Published by SKADI Cyber Defense 

01 THE TRAJECTORY
In Issue #02, we described how AI has made attacks faster, cheaper, and harder to spot. This issue focuses on where most of those attacks are heading: ransomware. It's present in 44% of all breaches — up from 32% just a year ago (VDBI Report 2025). But the ransomware of 2026 looks different from what most people picture. The business model has shifted, the targets have shifted, and the assumption that "we're too small to matter" has never been more dangerous.

— The SKADI Arrow Editorial Team
02 THREE NUMBERS
44%
of all data breaches involved ransomware in 2025 — up sharply from 32% the year before.
Source: Verizon Data Breach Investigations Report 2025
88%
of breaches at small and mid-sized businesses involved ransomware, compared to 39% at large organizations.
Source: Verizon Data Breach Investigations Report 2025
$5.08M
average total cost of a ransomware incident in 2025, including downtime, recovery, and remediation — far beyond the ransom itself.
Source: IBM Cost of a Data Breach 2025
03 HOW RANSOMWARE HAS CHANGED
Ransomware used to work like this: criminals got into your systems, locked your files, and demanded payment for the key. Pay up, get your data back, move on. That model still exists — but it's no longer the whole story.
01   They Don't Just Lock Your Files Anymore
The bigger shift in ransomware is that attackers now steal your data before they do anything else. Then they threaten to publish it — client records, financial information, employee data, confidential communications — unless you pay.

Even if you have a perfect backup and can restore your systems without paying a cent, the threat of your data being posted publicly remains. For a business with client confidentiality obligations, regulatory requirements, or simply a reputation to protect, that's a separate and serious problem. The European Union Agency for Cybersecurity found that attackers are increasingly exploiting fear of regulatory consequences as part of their pressure tactics — knowing that a data leak could trigger fines, not just headlines.
02   The Criminal Business Model Has Professionalized
Ransomware is no longer the domain of lone hackers. It has become a service industry. Criminal groups now operate Ransomware-as-a-Service platforms — essentially franchises — where one group builds the attack tools and others pay to use them, splitting the proceeds. This has dramatically lowered the barrier to entry and dramatically increased the volume of attacks.

The attack on Jaguar Land Rover in August 2025 illustrates what this ecosystem looks like in practice. Believed to be the most damaging cyberattack in British history, it was carried out by multiple criminal groups sharing tools and access. The result: production lines shut down for weeks, an estimated £50 million in losses per week, thousands of supply chain workers sent home, and an eventual economic impact estimated at £1.9 billion. The Bank of England cited it as a contributing factor to slower economic growth that quarter. One attack. Multiple criminal groups. National economic consequences.
03   Smaller Businesses Are the Preferred Target
Here's the number that matters most for the organizations reading this: 88% of ransomware breaches hit small and mid-sized businesses — more than double the rate seen at large enterprises (Verizon Data Breach Investigations Report 2025). Attackers target smaller organizations precisely because they are less likely to have mature defences, faster to pressure into paying, and less likely to report the incident.

The assumption that criminal groups only go after large, high-profile targets is outdated. Volume is the strategy now. Ransomware-as-a-Service makes it economical to run thousands of smaller attacks rather than a handful of large ones. Your size is not a shield — in 2026, it's closer to an invitation.
04 WHAT TO WATCH FOR
You don't need to be a security expert to recognize these warning signs:
→
Slow or unusual system behaviour with no obvious cause
Ransomware operators typically spend time inside a network before activating an attack — copying data, mapping systems, disabling backups. Unusual slowdowns, unexpected software running, or disabled security tools are early indicators worth investigating immediately.
→
Requests for payment or threats arriving by email
Extortion communications have become increasingly professional — well-written, specific, and designed to create urgency. Any communication threatening to release your data or demanding payment should be treated as an active incident, not a decision to make alone.
→
Backups that haven't been tested recently
Criminal groups specifically target and disable backups before launching an attack. A backup that hasn't been tested isn't a guaranteed lifeline. Knowing your recovery capability before an incident is one of the most important things a business can do.
→
Third-party or supplier access to your systems
Many ransomware attacks enter through a vendor, supplier, or service provider with legitimate access to your network. Third-party connections are a common entry point — and one that's easy to overlook.
05 THE BIGGER PICTURE
The good news is that more organizations are refusing to pay ransoms — 64% in 2025, up from 50% two years prior (VDBI Report 2025). Law enforcement has disrupted major criminal groups. Recovery capabilities are improving.

The bad news is that attack volume went up 58% in the same period. When paying becomes less reliable, criminal groups don't stop — they attack more. And the shift toward data theft means that even a successful technical recovery doesn't fully resolve the incident.

The total cost of a ransomware attack — downtime, forensics, legal, recovery, reputational damage — averages $5.08 million (IBM Cost of a Data Breach 2025). For a small or mid-sized business, that number doesn't need to be accurate to the dollar to be devastating.
06 WE HAVE YOUR BACK
Ransomware doesn't stick out. It moves quietly, disabling defences and copying data before most organizations know anything is wrong. The window between intrusion and impact is often days or weeks — but catching the early signs requires watching continuously, not just periodically.

Frostbow™ monitors your environment around the clock, learning what normal looks like and flagging anything that deviates — including the quiet, early-stage behaviours that precede a ransomware deployment. It doesn't wait for an attack to be obvious. It acts before it gets there.

If you're a SKADI client, that watch is already running.
Next issue: Identity-Based Intrusions — why 88% of web application attacks now use stolen credentials, and what it means when attackers don't break in, they log in.
Have a question about anything in the report? Reply to this email — we read every reply and respond personally.

SKADI Cyber Defense Corporation, 16 Dominion St., Bracebridge, ON P1L2B5, Canada

Unsubscribe Manage preferences