Ransomware has changed a lot in the past few years. The term refers to a form of malware that attackers deploy to restrict access to files and other data, with the goal of extorting money from the owners of that data.
CableLabs is working to ensure that individual and business subscribers have the tools they need not only to prepare for and prevent attacks, but also to respond should they be targeted by ransomware actors.
Let’s take a look at how the ransomware landscape has evolved, how law enforcement has changed its approach and how one important document can change the course of your network’s future.
Law enforcement front
The global climate has changed at the regulatory, legislative and law enforcement levels, as you can see in the table below.
Technical developments: Direct AI as a vector, or hiding malware in learning models; indirect use of AI, where phishing is still the primary vector but audio, video, deep fake text, etc. are used; AI tools used to encrypt Common Vulnerabilities and Exposures (CVE) history and find vulnerable applications.
Participation in politics: US Cyber Incident Reporting Requirements (FTC/SEC) effective December 18, 2023; February 2025 testimony from the US Cybersecurity and Infrastructure Security Agency (CISA) before the Senate on threat actors and ransomware; Stop Ransomware documents released by CISA and FBI.
Threat actors and threat evolution: Encryption/Denial of Service or Access, Extended Data Exfiltration: Threat to Attack Web Presence with Extended DDoS: Threat to Notify Victims.
Cyber insurance market: Reinsurers struggle with how to accurately underwrite risks; companies are adjusting risk management to mitigate ransomware directly.
Law enforcement: Significant efforts are made to target, detect, and deny threat actors; increased global willingness to cooperate, share information, and pursue/act.
National security implications: Infrastructure to test advanced persistent threats (APTs) at the nation-state level, as well as to infiltrate and install malware.
Evolution of threat actor behavior
We are also seeing changes in the behavior of threat actors. There was a sharp increase in the number of victims (more than 200 percent) and the number of ransomware variants (more than 30 percent) in 2025, a deviation from last year’s trends.
The increasing use of ransomware as a service (RaaS), the open availability of threat tools and the connections between malicious actors all continue to evolve. A threat actor no longer has to find a way to gain access to systems, but can now purchase unlocked systems and move immediately to the ransomware stage. Horizontal market segmentation has enabled more threat actors to engage with more victims, with less technical expertise. Exploited vulnerabilities are now the primary method for malicious access, followed by compromised credentials and email/phishing.
Cooperation in combating threat actors
CableLabs cooperates with numerous Information Sharing and Analysis Centers (ISACs) and anti-abuse groups. One of the most focused groups is the Messaging, Malware, and Mobile Abuse Working Group (M3AAWG), where we are proud to have helped create the “M3AAWG Ransomware Active Attack Response Best Common Practices” document (and then sponsored updates).
We do this work because – although the doctrine of cybersecurity defense is prepare, prepare, prepare – the reality is that no matter how good network defenses are, they can always be stronger.
This best common practices document begins with advice from previous victims, goes through steps to follow, lists several resources, provides a high-level view of what to expect, and finally provides decision guidelines about who to involve and when. The document assists in detection, analysis and response activities; explains how to communicate; and lists the necessary results for each stage.
This document does not describe specific behaviors, but it helps ensure that the reader is equipped with the right questions to ask, as well as a thoughtful arrangement of approaches to addressing the problem.
There will be decisions to make about when to declare an event, whether you have a reporting requirement, what the role of law enforcement is, what disclosures are necessary, whether to pay a ransom (or whether it is legally permitted in your case), when and how to engage your cybersecurity insurance, and what potential negotiation options are.
There are always collateral victims in such attacks, and there may be potential or preferred actions on those fronts that need to be evaluated. This process is one of many that will involve others within the organization. This document helps identify who should be considered at each step.
The importance of having a plan
Everyone hopes that this aspect of the global economy will come to a decisive end, but in reality, this is neither the trend nor the expectation. In a world fraught with risk, it’s best to have a plan for how your company will act in many situations – even unpleasant ones.
The best common practices document is a tool for checking the current policies, technologies and people involved in prevention plans, but it can also serve as a cheat sheet for those who have had to balance their other needs with external threats and suddenly find themselves in a difficult situation.
Read the “M3AAWG Ransomware Active Attack Response Best Common Practices” document to learn more about the options available to victims of ransomware attacks. This document is one resource in an extensive toolkit that helps defend against and manage ransomware threats. For more, see:
Winston Churchill famously said: “If you’re going through hell, keep going.”
These resources can show you how to do this.



