
The Future of Ransomware Defense: Insights from Our CTO Briefing 

Brad LaPorte
30 Jun 2025
5 min read
Ransomware

As a former Gartner analyst and now CMO at Morphisec, I’ve seen firsthand how ransomware continues to evolve—faster, more targeted, and far more disruptive than in years past. In our recent CTO Briefing on the Future of Ransomware Defense, I had the opportunity to sit down with our Chief Technology Officer, Michael Gorelik, to explore what’s driving these changes and, more importantly, what security teams can do about it. 

If you weren’t able to attend the live session, I highly recommend watching the full on-demand webinar. But for now, here’s a recap of the key takeaways that every security leader should know. 

The State of Ransomware: From Broad Attacks to Surgical Strikes 

Despite reports suggesting a slight decline in the number of ransomware attacks in 2024, the truth is more nuanced. As Michael pointed out, these numbers often overlook unreported incidents and focus only on publicly visible events. 

What’s undeniable, though, is the massive increase in financial impact. Median ransom payouts jumped by 80% in late 2024, and average demands now sit in the $500,000 to $600,000 range. Why? Because ransomware operators are adapting—fewer attacks, yes, but more precise and more devastating when they hit. 

We’re seeing a rise in ransom payments not for decrypting data, but for silencing the leak of exfiltrated files. In fact, nearly 30% of victims are paying ransoms to prevent the public release of sensitive data. The rest are often backed into a corner because their backups—if they exist—are either encrypted, stored incorrectly, or too slow to be viable in a business continuity crisis. 

AI Is Supercharging Ransomware Ops 

One of the most fascinating (and alarming) developments Michael highlighted is the role of AI in ransomware operations. Ransomware gangs are now using AI for faster reconnaissance, automated vulnerability discovery, and highly convincing impersonation attempts. 

Take the Clop group, for instance. In Q1 2025 alone, they ran more than 80 campaigns—many exploiting file transfer platforms like Cleo. These attacks were targeted and executed with astonishing speed. What used to take weeks of manual setup can now be done in days, or even hours, thanks to automation and AI. 

Ransomware is no longer a blunt-force tool. It’s a scalpel. 

The Ransomware Threats You Need to Know 

Michael also took us under the hood of three highly advanced ransomware strains that should be on every CISO’s radar: 

1. Mimic Ransomware — Mimic Ransomware breaks detection by distributing its operations across multiple processes—file enumeration, encryption, and network spread all run independently.  

It also: 

  • Uses legitimate IT tools like “Everything” to avoid suspicion. 
  • Bypasses Microsoft Defender by adding exclusions instead of disabling it. 
  • Deletes forensic evidence, making investigation nearly impossible. 
  • Exfiltrates data before encryption using standard browsers and cloud services. 

2. ShrinkLocker — ShrinkLocker takes a novel approach: it weaponizes BitLocker—even on machines without TPM chips. 

 It: 

  • Shrinks partitions and creates new boot sectors.
  • Locks out users by generating encryption keys and disabling recovery mechanisms. 
  • Alters system configurations to disable remote access and enforce multi-factor logins. 
  • Encrypts critical network targets using built-in Windows tools, rendering traditional decryption and recovery efforts useless. 

3. RansomHub — RansomHub plays the long game. It reboots systems into Safe Mode, where most security tools are inactive, then executes: 

  • Privilege escalation using COM elevation techniques. 
  • Forced login into Safe Mode with elevated credentials.
  • Multi-layered encryption (AES + ECC), after which it deletes itself to erase its tracks. 
  • Propagation via misconfigured SMB shares using tools like smbexec. 
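One detection-side check for the Defender-exclusion trick attributed to Mimic above, added here as an example (not code from the webinar or from Morphisec). It scans constructed Windows event records; the flattened field names (`channel`, `event_id`, `message`, `command_line`) follow the shape many log shippers emit and are an assumption of this example.

```python
"""Flag Microsoft Defender exclusion additions in Windows event records.

Added example, not Morphisec code. Two log sources are checked:
  - Microsoft-Windows-Windows Defender/Operational, Event ID 5007
    (antimalware configuration changed) whose message names an
    Exclusions registry key, and
  - Security Event ID 4688 (process creation) whose command line calls
    Add-MpPreference with an -Exclusion* parameter.
Record field names are an assumption of this example.
"""
import re
from typing import Iterable

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
# Registry path that a 5007 event quotes when an exclusion is written.
EXCLUSION_KEY = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)", re.I)
# PowerShell cmdlet form of the same change.
ADD_EXCLUSION_CMD = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)


def find_exclusion_changes(records: Iterable[dict]) -> list[dict]:
    """Return one finding per record that adds or changes a Defender exclusion."""
    findings = []
    for rec in records:
        channel, event_id = rec.get("channel", ""), rec.get("event_id")
        if channel == DEFENDER_CHANNEL and event_id == 5007:
            m = EXCLUSION_KEY.search(rec.get("message", ""))
            if m:
                findings.append({"host": rec.get("host"), "source": "defender_5007",
                                 "kind": m.group(1).lower(), "detail": rec["message"]})
        elif channel == "Security" and event_id == 4688:
            cmd = rec.get("command_line", "")
            m = ADD_EXCLUSION_CMD.search(cmd)
            if m:
                findings.append({"host": rec.get("host"), "source": "process_4688",
                                 "kind": m.group(1).lower(), "detail": cmd})
    return findings


# Constructed sample records (not real telemetry); two benign, two suspicious.
SAMPLE_RECORDS = [
    {"host": "ws01", "channel": DEFENDER_CHANNEL, "event_id": 5007,
     "message": r"Old value: ; New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\tmp = 0x0"},
    {"host": "ws01", "channel": "Security", "event_id": 4688,
     "command_line": r"powershell.exe -c Add-MpPreference -ExclusionProcess C:\ProgramData\tmp\svc.exe"},
    {"host": "ws02", "channel": DEFENDER_CHANNEL, "event_id": 5007,
     "message": r"Old value: ; New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"},
    {"host": "ws02", "channel": "Security", "event_id": 4688,
     "command_line": "powershell.exe -c Get-MpPreference"},
]

if __name__ == "__main__":
    for f in find_exclusion_changes(SAMPLE_RECORDS):
        print(f"{f['host']}: {f['source']} changed {f['kind']} exclusion -> {f['detail']}")
```

Any hit outside a change window is worth an immediate look, since a new exclusion is often the first visible step before staging and encryption.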

Why Traditional Tools Are No Longer Enough 

Here’s the uncomfortable truth: most EDR solutions and security stacks were not built to stop ransomware at its earliest stages. They focus on detecting and responding to threats—after damage is already underway. 

Morphisec’s approach is different. We stop ransomware before it can execute. Our pioneering Automated Moving Target Defense (AMTD) technology prevents ransomware at the pre-execution stage by morphing the attack surface, confusing and neutralizing threats before they gain a foothold. 

It’s this prevention-first mindset that organizations need now more than ever. 

What Every Security Team Should Be Doing Right Now 

In our Q&A, one recurring question was: How do we prioritize ransomware defense, especially with limited resources? 

Here’s what Michael and I recommend: 

  1. Start with Prevention: Incorporate anti-ransomware technology like Morphisec that neutralizes attacks before execution.
  2. Don’t Rely Solely on Backups: Backups are essential, but they’re not enough—especially if they’re online or misconfigured.
  3. Patch Critical Systems Fast: Especially internet-facing services and high-risk applications. 
  4. Segment Your Network: Contain lateral movement and minimize the blast radius of a breach. 
  5. Work with MSSPs: Many MSSPs now offer ransomware protection-as-a-service, bringing enterprise-grade security to smaller orgs.   

Final Thoughts 

Ransomware isn’t slowing down. If anything, it’s evolving faster than most defenses can keep up with. As security professionals, we need to stop viewing ransomware as a singular malware event—it’s a business model, and one that’s rapidly adapting with the help of AI, automation, and sophisticated recon. 

At Morphisec, we’re focused on helping organizations meet this threat head-on—with prevention-first solutions that complement and enhance their existing defenses. 

If you’re serious about protecting your organization against what’s coming next, I invite you to watch the full webinar on-demand and see for yourself how ransomware has changed—and how Morphisec is changing the game in response. 


About the author

Brad LaPorte

Chief Marketing Officer

Brad LaPorte is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.
