The New Ransomware Reality: How Criminal Enterprises Are Weaponizing Your Recovery Strategy

Don’t let ransomware attackers take you by surprise. Understand who makes the ideal target and why, and what you can do to avoid becoming the next statistic.

Ransomware Attackers

image_pdfimage_print

It’s Cybersecurity Awareness Month and while ransomware attacks are still in the spotlight, the story has fundamentally shifted. Traditional file encryption has evolved into a sophisticated ecosystem of criminal enterprises that treat backup systems, AI training data, and recovery infrastructure as primary targets.

The very systems designed to help you in the event of a disaster could be taken out first.

Recent research reveals that 93% of ransomware attacks now actively target backup infrastructure, with groups deploying specialized techniques specifically designed to compromise recovery systems and force ransom payments. “The Gentlemen,” a new ransomware group that appeared in September 2025, have already claimed 32 victims across 17 countries with systematic targeting of backup services, databases, and security systems.

The Evolution of Enterprise-Scale Criminal Operations

These aren’t opportunistic attacks anymore so much as coordinated business operations with enterprise-level sophistication. 

The current threat landscape features roughly 88 active ransomware groups—up from 76 in late 2024—with 35 entirely new groups emerging in the first half of 2025 alone

Some patterns to note:

Ransomware-as-a-Service (RaaS) Democratization: Platforms like RansomHub and Lynx operate comprehensive affiliate programs that democratize advanced cyber capabilities. Lynx alone claimed 148 incidents in Q1 2025, with 30% targeting industrial sectors. This service model means attacks no longer require years of specialized training—criminals with minimal technical skills can now deploy sophisticated ransomware using AI-generated code and automated attack platforms.

AI-Enhanced Attack Sophistication: FunkSec employs AI-generated code with “flawless comments, likely produced by Large Language Models (LLMs) to enhance development and evade detection.” Criminal organizations are now using AI throughout their entire attack lifecycle—from reconnaissance and victim profiling to ransom negotiation and data analysis.

The Gentlemen: Blueprint for Modern Threats: Since emerging last month, The Gentlemen took methodical approaches to exploit legitimate vulnerable drivers (BYOVD techniques), manipulate Group Policy Objects for domain-wide deployment, and adapt methods in real-time during campaigns. Their systematic targeting of backup services represents a deliberate strategy to eliminate recovery options and increase ransom payment likelihood.

Where Things Are Headed: From Encryption to Ecosystem Disruption

The most significant tactical evolution involves the systematic targeting of backup infrastructure. Google’s APAC security research reveals that groups like UNC3944 (Scattered Spider), UNC2165, UNC4393, and UNC2465 now routinely access backup data, delete recovery routines, and modify permissions to prevent system restoration.

The chaos of disruption-based attacks is giving way to leverage-based attacks, making ransom payments a primary recovery option when systems can’t be independently restored. The sophistication includes:

  • Backup Service Termination: Groups systematically shutdown services related to Veeam, Oracle, MySQL, and other backup solutions before encryption begins
  • Shadow Copy Elimination: Attackers delete Windows shadow copies and empty event logs to prevent forensic recovery
  • Credential-Based Access: Approximately 47% of cloud incidents in early 2025 involved stolen credentials specifically targeting backup environments

A concerning new trend: threatening to corrupt AI training data and intellectual property, which can amount to years of computational investment. The LunaLock group introduced a novel extortion technique by threatening to submit stolen artwork to AI companies for training dataset inclusion, making the data effectively permanent unlike traditional dark web leaks.

Criminal organizations are banking on the immense value of your data:

  • AI Training Data that represents irreplaceable intellectual property worth millions in development costs
  • Log Data that contains behavioral patterns and security insights valuable for future attacks
  • Proprietary Models that can be reverse-engineered or corrupted to compromise AI-driven business operations

Groups like Cl0p and Hunters International have abandoned traditional encryption in favor of pure data extortion, significantly reducing operational complexity while maintaining pressure effectiveness. This approach allows faster victim pressure through immediate data leak threats while avoiding the technical overhead of system-wide encryption.

High-Impact Target Categories and Attack Economics

2025 attacks demonstrate clear preferences for high-impact targets that maximize both financial return and operational disruption:

  • Manufacturing Leadership: Manufacturing remains the most targeted sector in 2025, with attacks averaging 4,484 weekly incidents. The sector’s operational technology integration and supply chain dependencies create cascading impact opportunities.
  • Transportation: A major ransomware attack caused widespread disruptions across European airports, with the EU confirming ransomware as the cause.
  • Healthcare Systems: Average ransom payments spiked to approximately $1.13 million in Q2 2025, with healthcare representing premium targets due to operational criticality and regulatory compliance pressures.
  • Government: Government telecommunications average 2,678 weekly attacks, reflecting the high-value data and typically under-resourced security environments.

Attackers prioritize managed service providers and essential service providers to create cascading outages across multiple client organizations. This mirrors the REvil attack on Kaseya, which affected thousands of downstream customers through a single compromise point.

Related Reading: Can Next-gen Resiliency Architectures Help Dilute the ‘Defining Threat of Our Generation’?

Personalized Phishing Campaigns: Ransomware groups deploy AI-assisted campaigns producing “highly personalized phishing emails tailored to specific roles, interests, and communication styles”. Black Basta has been observed using AI-generated IT support impersonations via Microsoft Teams for initial access.

Voice-Based Social Engineering: Campaigns like ShinyHunters employ voice phishing to bypass multi-factor authentication and compromise trusted accounts, particularly targeting Salesforce and other cloud platforms.

EDR Killer Deployment: Threat actors deploy specialized malware designed to disable endpoint detection and response solutions before ransomware deployment, representing direct responses to improved enterprise security controls.

“Living Off the Land”: Attackers utilize legitimate tools like PuTTY, AnyDesk, and LogMeIn for lateral movement, blending malicious activity with normal administrative operations.

Vulnerable Driver Exploitation: The Gentlemen group’s exploitation of ThrottleStop.sys (renamed ThrottleBlood.sys) demonstrates BYOVD techniques that gain kernel-level privileges to terminate security software processes normally protected against deletion.

The Pure Storage platform: Your Complete Cyber Resilience Ecosystem

Pure Storage delivers comprehensive protection across the entire attack lifecycle, from prevention through recovery, ensuring business continuity even against the most sophisticated threats. Storage becomes an active part of your security and recovery posture—not a passive component.

Before an Attack – Threat Intelligence and Preparation: Pure Storage serves as a high-performance platform for ingesting logs and providing scale-out performance for security analytics tools used by threat hunters. The data protection assessment in Pure1® compares configurations against leading practices, while anomaly detection identifies sudden changes in data reduction ratios that may indicate compromise. Work with technical service professionals to document storage recovery plans through the ransomware recovery SLA in Evergreen//One™.

During an Attack – Immutable Protection: Pure Storage SafeMode™ snapshots provide immutability that cannot be changed once written, creating an additional layer of snapshot protection that cannot be deleted from arrays even by processes with administrative credentials. Built-in AES-256 encryption that cannot be disabled provides data protection with zero performance impact, ensuring your data remains secure even during active attacks.

After an Attack – Rapid Restoration: The RapidRestore capability recovers data at speeds greater than 270TB/hour—crucial when speed determines business survival. The Evergreen//One ransomware recovery SLA guarantees next-business-day shipping of clean arrays and onsite professional services engineers to restore normal operational levels quickly.

This approach creates a cyber resilience ecosystem where each component strengthens the others—threat detection improves through better data analytics performance, immutable protection preserves clean recovery points, and rapid restoration capabilities minimize business impact regardless of attack sophistication.

Discover a comprehensive cyber resilience ecosystem that can maintain business continuity and competitive advantage even when facing the most advanced threats.