Ransomware Lives On, Blending Hacktivism and Crime, Fueled by AI
<p><span data-contrast="auto">Double extortion is bad enough—that’s the current tactic favored by ransomware groups—but the emerging quadruple extortion promises to further complicate mitigation and response by targeted organizations, prompting an escalation in extortion payments.</span></p><p><span data-contrast="auto">Yet that’s just one piece of evidence that ransomware continues to evolve despite high-profile takedowns by law enforcement—groups just reincarnate or rebrand under new names, new research by Akamai shows. Of course, the biggest game-changer is GenAI, as RaaS operators like Black Basta and FunkSec press LLMs into service to generate code, to greatly improve the social engineering techniques that give bad actors a foot in the door, and to scale up attacks, opening the door for even less sophisticated actors to execute damaging attacks.</span></p><p><span data-contrast="auto">“Ransomware groups continue to seek additional ways to generate profit, such as by pressuring victims and weaponizing compliance,” researchers at Akamai note in their </span><a href="https://www.akamai.com/resources/state-of-the-internet/ransomware-trends-2025?utm_source=mkto&utm_medium=email&utm_campaign=NP21434&mkt_tok=NjQyLVNLTi00NDkAAAGg6BqqyKRRdlaYKqvWIJSF8BF3KJ8ROf5AFiDcYC1JD23jfrjHD1aspVqr1tVU84V6p39zPXIYYJxpV0KBKkY3-7-ep94bXPLYOLPQWZ858W3NCeVm" target="_blank" rel="noopener"><span data-contrast="none">Ransomware Report 2025</span></a><span data-contrast="auto">.</span></p><p><span data-contrast="none">Noting that ransomware tactics have moved “away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods,” Nathaniel Jones, vice president, security and AI strategy and field CISO at Darktrace, says, “rather than relying solely on 
encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.”</span></p><p><span data-contrast="auto">Their efforts are paying off, with groups in 2025 extorting more than $724 million in cryptocurrency using TrickBot malware family strains, popular among ransomware operators.</span></p><p><span data-contrast="none">“Criminals have established a scalable business model, and we expect to see ransomware attack volume to continue growing,” says Trey Ford, chief strategy and trust officer at Bugcrowd.</span></p><p><span data-contrast="none">“We also need to keep in mind that there will be a gap in reported incidents versus total ransomware incidents,” says Ford.</span></p><p><span data-contrast="auto">One of the most dramatic shifts in the threat landscape, though, is the rise of hybrid ransomware hacktivist groups blending political and ideological motives with criminal intent. Those groups spent last year leveraging RaaS platforms like CyberVolk, Dragon RaaS, KillSec, Stormous and DragonForce to amp up the impact of their attacks. The hacktivist groups Head Mare, Twelve and NullBulge tapped LockBit ransomware to provoke political disruption, with the latter targeting AI-driven online communities and platforms as well as gaming tools. 
</span></p><p><span data-contrast="auto">The hacktivist groups Head Mare, Twelve, and NullBulge often use LockBit ransomware (built from leaked or publicly available builders) for political disruption. NullBulge specifically uses it to target online communities and platforms that are operating with AI and online gaming tools.</span></p><p><span data-contrast="none">“The growth of RaaS marketplaces places greater opportunity on the side of threat actors who no longer must extract ransom payments to see profit, as they can use subscription models to return revenue for their ransomware development and deployment,” says Jones.</span></p><p><span data-contrast="auto">The report also found that the goals and strategies of cryptominers align with those of ransomware groups—almost 50% of the cryptomining attacks analyzed “targeted nonprofit and educational organizations, likely because they possess substantial computational resources and are less secure than other industries,” the researchers said.</span></p><p><span data-contrast="auto">Defenders must act accordingly.</span></p><p><span data-contrast="none">“Larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology), mitigating exposure to this attack pattern; it is still an unsolved space,” says Ford.</span></p><p><span data-contrast="none">And James Maude, field CTO at BeyondTrust, says that “to effectively deal with ransomware and other threats, we need to invest in shifting left and think more about 
securing identities and access to reduce our attack surface and blast radius in the event of compromise rather than just thinking post breach.”</span></p><p><span data-contrast="none">Ransomware and other threats, he contends, “are only as effective as the privileges and access they manage to acquire, so if we can implement better hygiene and focus on least privilege, then the threat actors are far less likely to ransomware us in the first place.”</span></p>