Over 35 years ago, ransomware arrived not as a headline-grabbing cybercrime, but as a deceptively ordinary mailing: floppy disks disguised as a healthcare questionnaire sent to attendees of a World Health Organization AIDS conference. Once installed, the malware lay dormant before locking users out of their systems and demanding payment to restore access.
Attacker Dr. Joseph Popp told his victims to send $189 to a P.O. Box in Panama to regain access. Simplistic by today’s standards, the experiment established the basic logic of modern ransomware: encrypting systems, locking users out, and demanding payment for restoration. What began as an isolated attack in 1989 has evolved into a global criminal enterprise, with ransomware attacks happening every 11 seconds.
You Can’t Miss the Headlines about Ransomware
If ransomware was once a background threat, 2026 has made it impossible to ignore. A steady stream of high-profile attacks has pushed ransomware back into the spotlight, underscoring how quickly a single incident can escalate into a brand, operational, and public trust crisis.
Much of this attention has been driven by groups like ShinyHunters. Operating since 2020, ShinyHunters is a financially motivated cybercrime group known for stealing and leaking data from major organizations and using extortion to pressure victims into paying. Their 2026 targets have included Canvas (Instructure), Charter Communications, Carnival Cruises, and 7-Eleven, with each incident fueling another wave of headlines.
Finals week turns into a cyber crisis
The attack on Canvas was particularly disruptive. Nearly 9,000 educational institutions were impacted, with roughly 275 million records tied to students, teachers, and staff exposed. ShinyHunters accessed the platform twice within a nine-day period by exploiting two vulnerabilities. The timing couldn’t have been worse: thousands of students were taking final exams, while faculty suddenly lost access to grading systems. While Canvas paid a ransom to ShinyHunters that is estimated to be about $10 million, the company has not publicly disclosed the amount.
Social engineering strikes major consumer brands
In the cases involving Charter Communications, Carnival Cruises, and 7-Eleven, a similar pattern emerged. At Carnival Cruises, attackers used social engineering to deceive an employee, ultimately exfiltrating personal data belonging to nearly 6 million individuals. At Charter Communications, ShinyHunters conducted a vishing (voice phishing) attack to obtain an employee’s Microsoft Entra credentials. This allowed them to access Salesforce systems and export data from approximately 4.9 million accounts.
When refusing to pay leads to a data leak
The 7-Eleven breach followed a slightly different path but led to similar results. Attackers gained access through a third-party system and extracted more than 600,000 franchise-related records. After the company refused to pay the ransom, the data was publicly leaked.
While ShinyHunters has dominated the headlines this year, they are far from alone. They represent just one of many cybercrime groups operating in an increasingly crowded and sophisticated threat landscape, one that continues to challenge businesses with expanding attack surfaces and rising stakes.
It’s a Different Ransomware Landscape
Ransomware used to unfold slowly, through a time-intensive attack sequence. In many early attacks, adversaries had to gain access, wait for the right moment, trigger encryption, and then wait again for victims to realize what had happened. Today, that timeline has collapsed. Research on 2026 threats shows attackers are using AI to automate more of the intrusion lifecycle, while ransomware-as-a-service (RaaS) has made it easier for lower-skilled criminals to launch attacks at scale.
That combination is fueling a larger and noisier threat environment. Instead of a small number of highly technical operators, organizations are now facing a broader ecosystem of affiliates, ransomware services, and AI-assisted campaigns that can be launched quickly and at scale.
Attacks are faster and easier to launch
The speed of today’s ransomware attacks is often paired with a more sophisticated extortion strategy. Rather than relying solely on encryption, many cybercriminals now steal data first and use that exfiltrated information as leverage, which means victims face pressure to pay even if they can restore systems from backups.
Extortion has evolved beyond encryption
This shift has also introduced multiple layers of extortion in modern-day attacks. In a single extortion scenario, attackers encrypt systems and demand payment for recovery. Double extortion adds data theft, with victims threatened by public disclosure if they refuse to pay. Triple extortion goes even further, adding more pressure (such as targeting customers, partners, or employees, or deploying disruptive tactics) to intensify the ransom demand.
AI is reshaping the phishing threat
Another emerging dimension of this threat landscape is how easily attackers can now create highly convincing look-alike domains and phishing sites using generative AI. Unlike traditional phishing kits, which often had recognizable patterns or reusable templates, large language models (LLMs) allow attackers to simply prompt, “replicate this company’s website.” In just minutes, a near-identical version of a legitimate site, complete with branding, structure, and language, is generated. From the LLM’s perspective, this isn’t inherently malicious, as it’s just fulfilling a request to recreate publicly available content. But in practice, it dramatically lowers the barrier to entry for building deceptive, high-quality phishing infrastructure at scale.
This shift introduces a deeper challenge for defenders. Because these pages are often created as one-off outputs rather than reused kits, they lack the signatures security teams have traditionally relied on for detection. As a result, these phishing sites are harder to identify, block, and track. While controls like multi-factor authentication (MFA) remain an important safeguard, particularly against credential theft, they cannot stop an attack on their own. As seen in recent attacks, adversaries can still bypass MFA through social engineering techniques. In this evolving environment, organizations must assume that both identities and trust signals can be compromised and adapt their defenses accordingly.
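When a generated page carries no reusable kit signature, the domain name is still something defenders can compare against their own. The following added example (not from the original article) classifies observed domains relative to a protected brand domain; the brand `examplebank.com`, the glyph map, the distance threshold and the sample domains are all assumptions.

```python
import unicodedata

# Small constructed look-alike map (digits and Cyrillic letters); not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p"})
MAX_TYPO_DISTANCE = 1  # assumed threshold

def registrable_label(domain: str) -> str:
    """Naive: label left of the final dot. Production code needs the Public Suffix List."""
    return domain.rstrip(".").split(".")[-2]

def skeleton(text: str) -> str:
    """Fold text for comparison: strip accents, map look-alike glyphs and pairs."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(observed: str, brand: str) -> str:
    """Label an observed domain relative to a protected brand domain."""
    observed, brand = observed.lower(), brand.lower()
    if observed == brand or observed.endswith("." + brand):
        return "owned"
    obs, own = registrable_label(observed), registrable_label(brand)
    if obs == own:
        return "tld-swap"
    s_obs, s_own = skeleton(obs), skeleton(own)
    if s_obs == s_own:
        return "homoglyph"
    if osa_distance(s_obs, s_own) <= MAX_TYPO_DISTANCE:
        return "typo"
    # Brand name used as a subdomain or as part of a longer label.
    return "embedded" if s_own in skeleton(observed) else "unrelated"

# Constructed observations for the made-up brand "examplebank.com".
OBSERVED = ["examp1ebank.com", "exmaplebank.com", "examplebank-login.com", "weather.org"]
```

Anything other than `owned` or `unrelated` is a candidate for review, for example when fed from certificate transparency or newly registered domain feeds.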
What to Do to Protect Against Today’s Ransomware Attacks
Protecting against ransomware requires more than a single control or point-in-time solution. It calls for a coordinated, end-to-end approach across the entire attack lifecycle.
According to Gartner’s report, How to Prepare for Ransomware Attacks, cybersecurity leaders need a comprehensive strategy that covers the full ransomware defense lifecycle including preparation, prevention, detection, response, and recovery. Taking this end-to-end approach helps organizations spot threats faster, investigate incidents more efficiently, and limit the impact of a breach through stronger recovery capabilities.
Building a strong ransomware defense is not all that different from a broader cybersecurity strategy. It comes down to doing the fundamentals well: building a balanced approach across prevention, detection, and response.
An ounce of prevention
Effective ransomware prevention starts with understanding your data, specifically, knowing where sensitive and high-risk information lives across the environment. Discovery and classification capabilities help organizations identify and map this data so they can prioritize what needs the most protection. The goal is simple: reduce exposure by gaining visibility into where your most risky data resides and how it is being accessed.
From there, prevention focuses on reducing the overall attack surface, so attackers have fewer paths in. Key controls include vulnerability management, multi-factor authentication (MFA), security awareness training, penetration testing, and data loss prevention (DLP).
The more effort invested in prevention, the less strain is placed on downstream security efforts. Once an attacker is inside the environment, they can operate on their own terms, making it far more difficult to contain the impact. Limiting initial access is therefore critical to reducing overall risk.
Recognizing a ransomware attack in real time
Effective detection depends on visibility across the full footprint of your digital environment. This can include monitoring for business email compromise (BEC) and integrity monitoring for changes that could signal malicious activity.
Modern detection increasingly relies on AI-powered solutions that identify both indicators of compromise and indicators of attack. A combination of signature-based and behavior-based detection is important, since early-stage attacks often look like routine activity. Attackers tend to favor the path of least resistance, which makes early detection of simple entry points especially important.
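The pairing of signature-based and behavior-based detection described above, as an added example (not from the original article): a known-extension rule and an entropy-burst rule run over constructed integrity-monitoring events. The process names, paths, thresholds and the `.locked` extension are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

KNOWN_EXTENSIONS = {".locked"}        # constructed signature list
HIGH_ENTROPY, MIN_JUMP = 7.0, 2.0     # bits per byte; assumed thresholds
BURST, WINDOW = 3, 10                 # 3 such rewrites within 10 seconds

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted data, roughly 4-5 for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))

def detect(events):
    """Return {process: reasons} using one signature rule and one behavior rule."""
    alerts, rewrites = defaultdict(set), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        proc = ev["proc"]
        # Signature: the file ends up with an extension already on the known list.
        if any(ev["path"].endswith(ext) for ext in KNOWN_EXTENSIONS):
            alerts[proc].add("signature")
        # Behavior: existing low-entropy content overwritten with high-entropy content.
        # New files (empty "before") are skipped so archive or backup output is not counted.
        after = shannon_entropy(ev["after"])
        if ev["before"] and after >= HIGH_ENTROPY and after - shannon_entropy(ev["before"]) >= MIN_JUMP:
            rewrites[proc].append(ev["t"])
            if sum(1 for t in rewrites[proc] if ev["t"] - t <= WINDOW) >= BURST:
                alerts[proc].add("behavior")
    return dict(alerts)

def sample_events():
    """Constructed integrity-monitor events; process names and paths are made up."""
    text = b"Quarterly report draft, revision 3. " * 100
    ev = lambda t, proc, path, before, after: dict(t=t, proc=proc, path=path, before=before, after=after)
    return [
        ev(10, "winword.exe", "docs/q1.docx", text, text + b"Edited."),
        ev(20, "backup.exe", "bak/a.zip", b"", fake_ciphertext("a")),
        ev(21, "backup.exe", "bak/b.zip", b"", fake_ciphertext("b")),
        ev(22, "backup.exe", "bak/c.zip", b"", fake_ciphertext("c")),
        ev(50, "old_variant.exe", "docs/q1.docx.locked", text, fake_ciphertext("d")),
        ev(100, "svc_update.exe", "docs/q2.docx", text, fake_ciphertext("e")),
        ev(103, "svc_update.exe", "docs/q3.xlsx", text, fake_ciphertext("f")),
        ev(106, "svc_update.exe", "docs/q4.pdf", text, fake_ciphertext("g")),
    ]
```

Calling `detect(sample_events())` flags `old_variant.exe` by signature only and `svc_update.exe` by behavior only: the second process keeps the original file extensions, so the extension list alone would have missed it.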
Responding to ransomware
Ransomware response is as much about practice as it is about planning. Because live testing in a real attack is not an option, organizations should rely on simulated exercises such as adversary simulations and red team engagements.
These exercises test both technical controls and security operations center (SOC) readiness under realistic conditions. They help identify gaps, improve decision-making under pressure, and strengthen response coordination. While no simulation fully replicates a real attack, it is one of the most effective ways to prepare teams for how ransomware incidents unfold in practice.
Bringing Ransomware Defense into Focus
From its origins as a single experiment to today’s crippling, AI-enabled campaigns, ransomware has evolved into a persistent and increasingly complex business risk. The tactics may change, but the core reality remains the same: attackers are targeting trust, identities, and critical data at every stage of the attack lifecycle.
To keep pace, organizations must move beyond reactive defenses and adopt a proactive, end-to-end approach that prioritizes visibility, resilience, and readiness. In a landscape where attacks unfold in minutes and impact millions, the organizations that survive and succeed will be those that treat ransomware not as an isolated threat, but as a continuous challenge requiring constant adaptation.
For organizations looking to strengthen their ransomware defenses, Fortra provides the visibility, protection, and response capabilities needed to stay ahead of modern threats and reduce business impact when attacks occur.