The Ransomware Task Force report five years later: Progress has slowed
Two American cybersecurity professionals were sentenced Thursday to four years each in prison for deploying the ALPHV BlackCat ransomware against U.S. organizations in 2023. In one attack they extorted approximately $1.2 million in Bitcoin from a single victim. A co-conspirator who worked as a ransomware negotiator for victim firms has pleaded guilty and will be sentenced in July.
It was another score for law enforcement agencies around the world against ransomware operations, and they have a lot of notches on their belts. One of them was the disruption of ALPHV BlackCat: the FBI released a decryption tool that let hundreds of victims restore their encrypted IT systems without paying.
In a recent quarterly threat intelligence report, NCC Group noted other recent victories. The U.S. seized RAMP (Russian Anonymous Marketplace), one of the last major Russian-language cybercrime forums still permitting ransomware-as-a-service (RaaS) advertising, disrupting affiliate recruitment and initial-access-broker activity. The FBI also launched Operation Winter SHIELD, which focuses on strategic containment and resilience-focused controls designed to reduce exploitation rather than relying on post-incident response. And Europol, in collaboration with international law enforcement agencies, disrupted ‘SocksEscort’, a malicious proxy service that allegedly compromised over 369,000 routers and IoT devices in 163 countries, degrading the anonymity infrastructure used by ransomware operators.
Thursday was also notable because the Institute for Security and Technology (IST) marked the fifth anniversary of the Ransomware Task Force report on this devastating form of malware. The report made 48 recommendations, and there is no doubt many national and local governments have acted since, pouring money, laws and regulations into the fight.
Unfortunately, the task force concluded in a progress report released the same day, that progress has slowed.
“Ransomware doesn’t present the grave national security risk it did when we launched the report” five years ago, Megan Stifel, IST chief strategy officer and executive director of the task force, told an online panel discussion.
“At the same time, that does not mean we solved the risk of ransomware. In fact, it’s quite the opposite.” While fewer than 30 per cent of victims in the U.S. now choose to pay a ransom after data has been encrypted and/or stolen, the number of ransomware incidents keeps going up: in 2022 there were about 3,000 reported incidents, but in 2025 there were 8,000. Small wonder panelist Michael Phillips, head of global cyber portfolio underwriting at insurer Coalition, Inc., described ransomware as an epidemic.
One troubling trend: many victims are now small firms, which have the fewest resources to respond to a breach of their security controls. And while the U.S. has so far been spared a repeat of the Colonial Pipeline attack, hospitals are still regularly targeted.
Also troubling, Stifel said, is the lack of solid data on the number of attacks and payments. That data would give governments and insurers a factual basis for actions that drive down risk. (Two years ago an organization made the largest known ransomware payment, US$75 million, Stifel said. We still don’t know who paid it.)
Giving in to a ransomware demand is a sensitive issue. Some argue governments should forbid payments to criminals outright. Others note that organizations holding sensitive data, hospitals for example, may have no choice if they want to get IT operations back online. A ban could “begin a game of chicken with threat actors,” with some victims willing to pay under the table, Stifel said. In fact the task force couldn’t agree on recommending a payment ban. As a compromise, some governments forbid their own departments from paying but do not extend the ban to the private sector.
(On the other hand, panelist Michael Daniel, CEO of the Cyber Threat Alliance, suggested there is no sense banning ransomware payments until most organizations meet minimum cybersecurity standards.)
Also, some governments, particularly the U.S., have stalled on implementing certain legislation, Stifel added.
One thing that keeps Stifel up at night is what happens as AI adoption spreads not only to established ransomware gangs but to newcomers. Panelist Anja Shortland, professor of political economy at King’s College London and author of the just-published book on ransomware Dark Screens (titled We Know You Can Pay A Million in the U.S.), called the unveiling of Anthropic’s powerful Mythos AI model a “scary moment” that, if the model were released publicly, could put “superior hacking capacities” in the hands of people who didn’t have them before. It is so good at finding software vulnerabilities that Anthropic has so far given only select firms access, so they can run Mythos against their own software and fix holes before it is generally released.
Mythos means the rate of vulnerability discovery is about to increase massively, said panelist Jen Ellis, founder of NextJenSecurity and a member of the UK Cyber Advisory Board. That in turn means IT admins will need to patch faster than ever. And, Daniel of the Cyber Threat Alliance pointed out, IT pros will need to triage faster, deciding which vulnerabilities in their particular environments must be addressed first.
“We are not prepared for the tsunami,” Ellis warned.
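The triage Daniel describes is a ranking problem: with more vulnerability reports than anyone can patch at once, the ones that are already being exploited, reachable from the internet and sitting on critical assets in your inventory go first, regardless of headline CVSS score. The following is an added example written for this article, not code from the panel, IST or any vendor. The weights, the finding IDs (VULN-A and so on), the asset names and the inventory are all constructed placeholders; a real deployment would feed it from a scanner export and a known-exploited-vulnerabilities feed.

```python
"""Rank vulnerability findings for one environment.

Ordering rule: evidence of in-the-wild exploitation dominates raw severity,
then internet exposure, then CVSS and asset criticality. Findings on assets
that are not in the inventory are dropped, because they are not ours to fix.
Weights are a hypothetical policy chosen for this example, not a standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # identifier from the scanner (placeholders here)
    asset: str              # hostname the finding was observed on
    cvss: float             # base score, 0.0 to 10.0
    known_exploited: bool   # e.g. listed in a known-exploited catalog
    internet_facing: bool   # reachable from outside the perimeter
    asset_criticality: int  # 1 (low) to 5 (crown jewel)


# Hypothetical weights: an exploited, internet-facing medium outranks an
# unexploited, internal critical. Tune to your own risk appetite.
EXPLOITED_BONUS = 20.0
EXPOSED_BONUS = 10.0
CRITICALITY_WEIGHT = 2.0


def triage_score(f: Finding) -> float:
    """Higher score means fix sooner."""
    score = f.cvss
    if f.known_exploited:
        score += EXPLOITED_BONUS
    if f.internet_facing:
        score += EXPOSED_BONUS
    score += CRITICALITY_WEIGHT * f.asset_criticality
    return score


def in_scope(findings, inventory):
    """Keep only findings on assets we actually own and manage."""
    owned = set(inventory)
    return [f for f in findings if f.asset in owned]


def rank_findings(findings, inventory):
    """Return in-scope findings, most urgent first."""
    return sorted(in_scope(findings, inventory), key=triage_score, reverse=True)


def fix_first(findings, inventory, n=3):
    """IDs of the n findings to patch first."""
    return [f.vuln_id for f in rank_findings(findings, inventory)[:n]]


# Constructed sample data (not real vulnerabilities or hosts).
INVENTORY = ["erp-db-01", "vpn-gw-01", "marketing-www"]

SAMPLE_FINDINGS = [
    # Critical CVSS, but internal and not known to be exploited.
    Finding("VULN-A", "erp-db-01", 9.8, False, False, 2),
    # Only "high", but exploited in the wild and on an exposed gateway.
    Finding("VULN-B", "vpn-gw-01", 7.2, True, True, 4),
    # Perfect 10 on a low-value public web host, no exploitation seen.
    Finding("VULN-C", "marketing-www", 10.0, False, True, 1),
    # Looks worst of all, but the host is not in our inventory: out of scope.
    Finding("VULN-D", "decommissioned-vm", 9.0, True, True, 5),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS, INVENTORY):
        print(f"{f.vuln_id:8s} {f.asset:16s} score={triage_score(f):5.1f}")
```

Run as a script it lists VULN-B, VULN-C, VULN-A in that order and silently drops VULN-D; the point is that a 7.2 being exploited on your VPN gateway beats a 9.8 on an internal database, and that a scary finding on a host you no longer own is noise.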
What can your organization do? For one thing, Ellis said, get IT off vulnerability-plagued legacy equipment. Some organizations claim they can’t afford to. Others have the money but spend it elsewhere. She recalled a Microsoft executive telling her of a mining firm with a drill running on, wait for it, Windows NT. Replacing the equipment was deemed too expensive, so the firm paid Microsoft a million dollars a year for extended support of Windows NT.
Perhaps governments need to offer generous tax incentives to get firms off legacy IT gear.
Another suggestion: squeeze IT vendors to improve product security. Without singling out one firm, last month Amazon reported an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) software.
Finally, IT leaders can make sure their firms at least follow cybersecurity basics and best practices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) publishes them. CISA has also just released guidance on implementing zero trust in operational technology (OT) environments such as pipelines and factories. Canadians can find best-practice advice from the Canadian Centre for Cyber Security. See also the U.K. National Cyber Security Centre’s advice and guidance section.
