Ex-negotiator voicing fear amidst ransomware threats of violent actions: 'I dread to anticipate the upcoming events'
In the rapidly evolving world of cybercrime, ransomware attacks have undergone significant changes in 2025. A survey of 1500 security and IT professionals revealed that these transformations include a shift from traditional file encryption to data extortion, with attackers stealing sensitive information and threatening to leak it publicly.
Jeff Wichman, Semperis' director of breach preparedness and response, expressed concerns about these threats, stating, "These threats of physical harm are concerning." However, current publicly available reports indicate that ransomware attackers focus primarily on digital extortion tactics like data theft and leak threats rather than physical intimidation.
The survey also revealed that 52% of digital intruders still threaten system lockouts, and 63% threaten data destruction. Interestingly, almost half of the respondents reported that attackers have threatened to file regulatory complaints against them, similar to ALPHV's SEC complaint against MeridianLink.
However, a concerning trend emerged when the survey found that 40% of respondents reported receiving physical threats from miscreants. Wichman believes that the attackers are not yet revealing what sort of violence they might carry out. He added that these threats tend to be generic to increase the fear-factor. In the past, Wichman, who was a professional ransomware negotiator before joining Semperis, has witnessed extortionists making threats against executives' families, including information about their internet surfing traffic and where their families lived and went to school.
Despite these threats, ransom payments often do not guarantee that stolen data will not be leaked or sold. Attackers frequently threaten or follow through on public exposure of sensitive data even after a ransom is paid, leveraging the reputational and regulatory impact to maximize pressure. Reports indicate that paying ransom can increase the risk because attackers can demand more or use the payment as a trust signal to escalate extortion with new threats.
Organisations should, therefore, emphasise prevention, detection, and response over paying ransoms. The shift to personalised, stealthy, and AI-assisted attacks requires improved proactive defence and incident response strategies. The financial and healthcare sectors remain high-value targets due to sensitive data and damage potential, with healthcare breaches being the costliest, averaging $9.8 million per incident.
Ransomware groups such as RansomHub, Clop, Akira, and Qilin are driving a surge in attacks, with Qilin notably increasing activity by 47.3% in June 2025. Attackers increasingly target backup systems, with 96% of ransomware incidents aiming to compromise backup locations, complicating recovery without payment. The median time between initial system access and ransomware deployment is about 6 days, showing the rapid pace of attack execution once inside networks.
In conclusion, ransomware in 2025 is characterised by data extortion over encryption, growing use of AI for attack automation, and highly targeted campaigns. While physical threats to employees and families are not a mainstream trend, they remain a concerning aspect that organisations should be vigilant against. Improved cybersecurity measures and incident response strategies are crucial in mitigating the impact of ransomware attacks.
- In the rapid evolution of ransomware attacks, the use of Artificial Intelligence (AI) is observed for attack automation, which poses a significant challenge to general-news cybersecurity.
- Despite the growing focus on digital extortion tactics like data theft and leak threats, concerns have been raised about physical threats to employees, who have reported receiving such threats from miscreants.
- As ransomware groups continue to drive a surge in attacks, targeting backup systems has become a common strategy, making incident response strategies in cybersecurity crucial for organisations to ensure data security and protect against potential financial and reputational damage.
