
NCC Group Monthly Threat Pulse – Review of December 2025

29 January 2026

Ransomware gangs recruit malicious insiders as attacks surge over holidays 

  • Ransomware levels rose for the fourth consecutive month in December 2025, increasing by 13% to total 783 attacks.  
  • Industrials accounted for 29% of ransomware attacks in December. 
  • Qilin was responsible for 22% of all attacks in December 2025, with 92 more attacks than its closest follower, Akira.  

29 January 2026, Manchester - Cyber crime is increasingly operating as an organised industry, according to NCC Group’s latest Cyber Threat Intelligence Report, with ransomware-as-a-service (RaaS) gangs adopting structured affiliate models and actively recruiting malicious insiders and cyber security professionals. The shift comes as ransomware activity rose by 13% month-on-month in December 2025, alongside growing evidence of professionalisation across the ransomware ecosystem. 

RaaS gangs increasingly view employees, contractors and trusted partners as gateways into organisations. By recruiting insiders, criminals gain legitimate access to credentials, systems and internal processes, allowing them to bypass security controls. Employees with wide-ranging access, particularly in IT and technical roles, are common targets, as a single compromised account can open multiple pathways across modern digital environments. 

NCC Group’s report shows that strong financial incentives are a key driver of insider recruitment, with ransomware groups offering large commissions and promised anonymity to encourage collaboration. 

A clear example of this model in action was reported in September 2025, when the Medusa ransomware gang attempted to recruit a BBC employee, offering 15% of a future ransomware payment in exchange for access to internal systems. When the approach failed, the offer was increased to 25%, highlighting both the financial leverage being used and the strategic value placed on insider access. 

Matt Hull, Head of Threat Intelligence at NCC Group, said,

“Targeting high-profile organisations like the BBC is both financially attractive and commercially strategic. Even limited success against a well-known brand can generate notoriety and credibility, helping groups attract future affiliates and opportunities. Well-resourced groups like Medusa and Qilin can afford to use financial incentives to attract insiders, but smaller gangs often lack the means to compete.

“For organisations, this shifts the focus from purely technical defence to human risk management. Insider threat programmes, strong access governance and robust offboarding processes are critical to reducing the risk that current or former employees become part of the ransomware supply chain.” 

The report also notes that employees are not the only individuals being recruited into ransomware operations. In December 2025, two cyber security professionals pleaded guilty to collaborating with BlackCat/ALPHV, admitting their involvement in a series of ransomware attacks against five US-based organisations, including companies in the healthcare and manufacturing sectors. 

The case is believed to be one of the first documented examples of cyber professionals using their technical expertise, industry knowledge and operational understanding of security processes to directly support RaaS activity. Strong financial incentives are likely to have been a key motivator, alongside broader pressures such as rising living costs and dissatisfaction with pay, which can increase vulnerability to collusion. 

Hull added:

“Ransomware has evolved into an organised business model. These groups now think in terms of recruitment, incentives, scale and growth, rather than just attacks.  

“What’s striking is that these tactics aren’t new. Trust, deception, social engineering and financial pressure have always worked, they’re just being organised and scaled in new ways. The recruitment of cyber security professionals shows how far this has gone: ransomware groups are exploiting expertise, access and human trust to operate like structured criminal enterprises.” 

 

Ransomware activity at a glance: 

  • Ransomware levels steadily rose for the fourth consecutive month in December 2025, increasing by 13% to total 784 attacks. This aligns with the annual seasonal rise in activity, as RaaS gangs target understaffed companies during the holiday period.
  • Industrials accounted for 29% of ransomware attacks in December, followed by Consumer Discretionary (22%) and Information Technology (10%).
  • Qilin was responsible for 22% of all attacks in December 2025, with 12% more attacks than its closest follower, Akira.  
  • North America accounted for half of all attacks in December 2025.  

 
