Ransomware groups standardise workflows
Cyfirma reports that ransomware groups in March standardised double-extortion techniques and used AI to assist targeting, making their reconnaissance and extortion workflows more repeatable. That standardisation suggests detections around identity and access precursors, such as service-account anomalies, privileged access to backups, and admin-console access, are high-value. (industrialcyber.co)
Ransomware crews are running more like franchises now, with repeatable playbooks for stealing data, locking systems, and pressuring victims to pay. (cyfirma.com) Cyfirma said it recorded 772 ransomware incidents in March 2026 and described the market as “maturing,” “industrialized,” and increasingly modular, with affiliates and initial-access brokers splitting up the work. The firm published the report on April 8, 2026. (cyfirma.com)

In practical terms, “double extortion” means attackers steal data before they encrypt files, then threaten to leak the data if the victim refuses to pay. Industrial Cyber, citing Cyfirma’s March findings, said groups are standardizing that model and adding artificial-intelligence-assisted reconnaissance and victim profiling. (industrialcyber.co)

Cyfirma said the shift in March was less about brand-new malware than about faster execution: rapid exploitation of internet-facing flaws, credential abuse, living-off-the-land tools, and low-detection methods. It also said intrusion stages are being decoupled, so access, persistence, reconnaissance, and deployment can be handled separately. (cyfirma.com)

That model changes what defenders need to watch first. Cyfirma said groups are relying more on credential-based access and identity compromise, while the United States government’s updated Stop Ransomware guidance puts compromised credentials, cloud backups, and threat hunting at the center of prevention and response. (cyfirma.com) (cisa.gov)

Backup access has become part of the same fight. The United Kingdom’s National Cyber Security Centre said attackers have destroyed copied files or disrupted recovery processes before launching ransomware, and said backup accounts and solutions should be protected with tighter access controls. (ncsc.gov.uk)

Cyfirma said the United States remained the main target in March, and that attackers kept concentrating on professional services, manufacturing, healthcare, and information technology. Industrial Cyber reported that professional goods and services alone accounted for 245 incidents in Cyfirma’s March data. (cyfirma.com) (industrialcyber.co)

The money is shifting, too. Cyfirma said victim payment rates are falling even as ransom demands rise, a pattern it tied to more selective, higher-value extortion; GuidePoint Security’s 2026 annual report separately said large language models are reducing barriers for less-skilled actors and speeding adaptation across the ecosystem. (cyfirma.com) (guidepointsecurity.com)

Palo Alto Networks’ Unit 42 described the same broader direction in 2025, reporting more aggressive extortion tactics and more cases stopped at the intrusion stage before encryption or data theft fully landed. That is where the latest Cyfirma report puts the emphasis: catch the account abuse, the privileged backup access, and the admin-console activity before the ransom note arrives. (unit42.paloaltonetworks.com) (industrialcyber.co)
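Detection logic for the three precursor categories the report highlights (service-account anomalies, privileged backup access, admin-console access), as an added example that is not from Cyfirma's or Industrial Cyber's material. The account names, host names, logon fields and the admin source allowlist are constructed placeholders, not values from the report.

```python
# Added example: three precursor detections run over constructed auth events.
# Names below are placeholders; replace with your own identity and backup inventory.
from dataclasses import dataclass

SERVICE_ACCOUNTS = {"svc-backup", "svc-sql"}            # assumed service principals
BACKUP_HOSTS = {"bkp01", "backup-console"}               # assumed backup infrastructure
ADMIN_CONSOLES = {"vcenter", "ad-admin-center"}          # assumed admin-console hosts
KNOWN_ADMIN_SOURCES = {"10.0.5.10"}                      # assumed admin jump-host IP

@dataclass
class Event:
    user: str
    src_ip: str
    target: str
    logon_type: str   # "interactive", "network" or "remote"
    action: str       # "logon", "snapshot_delete", "policy_change", ...

def flag(ev: Event) -> list[str]:
    """Return the detection names that fire for a single event."""
    hits = []
    # 1. Service-account anomaly: service principals should never log on interactively.
    if ev.user in SERVICE_ACCOUNTS and ev.logon_type in {"interactive", "remote"}:
        hits.append("service-account-interactive-logon")
    # 2. Privileged backup access: destructive or policy actions on backup hosts.
    if ev.target in BACKUP_HOSTS and ev.action in {"snapshot_delete", "policy_change"}:
        hits.append("backup-destructive-action")
    # 3. Admin-console access from a source that is not on the admin allowlist.
    if ev.target in ADMIN_CONSOLES and ev.src_ip not in KNOWN_ADMIN_SOURCES:
        hits.append("admin-console-from-unexpected-source")
    return hits

SAMPLE_EVENTS = [  # constructed sample log events
    Event("alice", "10.0.5.10", "vcenter", "remote", "logon"),
    Event("svc-backup", "10.0.9.77", "bkp01", "remote", "logon"),
    Event("svc-backup", "10.0.9.77", "bkp01", "network", "snapshot_delete"),
    Event("bob", "198.51.100.23", "ad-admin-center", "remote", "logon"),
]

def run(events: list[Event]) -> dict[str, list[str]]:
    """Map each detection name to the users that triggered it."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for name in flag(ev):
            out.setdefault(name, []).append(ev.user)
    return out

if __name__ == "__main__":
    for name, users in run(SAMPLE_EVENTS).items():
        print(f"{name}: {users}")
```

The rules are deliberately simple allowlist checks; in production the same three questions are usually answered against a learned baseline per account and host rather than static sets.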