Ransomware gangs expand insider recruitment to fuel growth

Cybercrime is increasingly resembling a structured commercial enterprise, as ransomware groups adopt formal recruitment, incentive and growth strategies once associated with legitimate businesses, according to a new report from NCC Group.

The firm's latest Cyber Threat Intelligence Report indicates that ransomware-as-a-service (RaaS) operations are professionalizing rapidly, with gangs actively recruiting employees, contractors and even cyber security professionals to gain trusted access into target organizations. The shift comes as ransomware activity rose 13 percent month over month in December 2025, a period that historically sees heightened attacks as companies operate with reduced staffing during the holidays.

Insiders increasingly targeted as access points

Rather than relying solely on phishing or technical exploits, RaaS groups are increasingly focused on insiders who already hold legitimate credentials and system access. Employees in IT and technical roles are particularly attractive targets, as a single compromised account can provide broad visibility across cloud platforms, internal networks and identity systems.

Financial incentives play a central role in these recruitment efforts. NCC Group's report details how ransomware gangs offer commissions and anonymity to entice collaboration, reframing cybercrime participation as a low-risk, high-reward proposition.

One high-profile example surfaced in September 2025, when the Medusa gang attempted to recruit an employee of the BBC. The group initially offered 15 percent of a future ransomware payout in exchange for internal access, later increasing the offer to 25 percent after the approach failed. The incident underscored both the financial leverage being applied and the strategic value placed on insider access at globally recognized organizations.

"Targeting high-profile organizations like the BBC is both financially attractive and commercially strategic," said Matt Hull, vice president of cyber intelligence and response at NCC Group. "Even limited success against a well-known brand can generate notoriety and credibility, helping groups attract future affiliates and opportunities."

Cyber professionals drawn into ransomware operations

The report also highlights that insider recruitment is not limited to non-technical staff. In December 2025, two cyber security professionals pleaded guilty to collaborating with BlackCat/ALPHV, admitting their role in ransomware attacks against five U.S.-based organizations in healthcare and manufacturing. The case is believed to be among the first documented instances of security practitioners directly supporting RaaS operations using their professional expertise.

Rising living costs, dissatisfaction with compensation and the promise of significant financial rewards are cited as contributing factors that may increase vulnerability to collusion, particularly in a tight labor market for cyber talent.

Hull noted that this evolution requires organizations to rethink defensive strategies. "For organizations, this shifts the focus from purely technical defense to human risk management," he said. "Insider threat programs, strong access governance and robust offboarding processes are critical to reducing the risk that current or former employees become part of the ransomware supply chain."

The findings align with broader industry observations of ransomware groups operating more like businesses, complete with affiliate programs, revenue-sharing models and branding strategies designed to attract recruits. Recent campaigns have also shown increased coordination, faster negotiation cycles and more targeted sector selection.

In December 2025, consumer discretionary companies accounted for 22 percent of ransomware attacks, while information technology firms represented 10 percent. North America remained the most heavily targeted region, accounting for roughly half of all reported incidents.

As ransomware groups continue to scale their operations through recruitment and financial incentives, the report suggests that trust, access and human behavior may prove as critical to cyber defense as firewalls and encryption.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.