TL;DR

Ransomware attacks jumped 47% in 2025 with 7,200 publicly reported incidents. Attackers are bundling DDoS with encryption, skipping encryption entirely for pure data extortion, and actively disabling security tools before deploying payloads. lilMONSTER's security assessments, compliance scoping, and managed AI security give you the visibility and controls to catch these attacks before they cost you six figures in downtime and ransom demands.

The Ransomware Landscape Has Changed

7,200 publicly reported ransomware incidents in 2025. That's up from 4,900 the year before, a 47% increase tracked by Recorded Future Intelligence. Around half of those attacks never touched a single file on disk. Attackers exfiltrated data, threatened to leak it, and demanded payment without ever deploying encryption. The playbook changed and most businesses still have defences built for 2022.

Three things are driving this shift. Ransomware-as-a-Service operators are packing DDoS capabilities into their affiliate toolkits to apply pressure from multiple angles at once. Groups are recruiting insiders on dark web forums to bypass perimeter security entirely. And attackers are using legitimate tools like Rclone and RDP registry modifications to move through networks without tripping signature-based detection.

lilMONSTER approaches this differently. We don't sell you a product and walk away. We find the gaps attackers actually use.

Threat 1: Multi-Layered Extortion Campaigns

Modern ransomware gangs run coordinated campaigns. They encrypt your files, steal your data, and launch DDoS attacks against your public-facing services all at once. If you refuse to pay for decryption, they pivot to threatening a data leak. If you still won't pay, they take your website offline. Each layer is designed to break a different stakeholder inside your organization.

How lilMONSTER addresses it: Our technical security assessments simulate exactly this. We run credentialed vulnerability scans using Nessus Professional and OpenVAS against your entire internal network, not just the external perimeter. We test your backup integrity because if an attacker can reach your backup server, encryption keys won't matter. Our penetration testing includes DDoS resilience checks and data exfiltration path mapping. We find where sensitive data lives, what can reach it, and whether your monitoring would notice it leaving.

Threat 2: Data Extortion Without Encryption

No file encryption. No ransom note on every desktop. Just 400GB of customer PII walked out through a cloud storage sync tool that your IT team approved three years ago and forgot about. This is the fastest-growing attack category in 2026 because it's quieter, faster, and harder to attribute. By the time you notice, the data is already indexed on a leak site.

How lilMONSTER addresses it: Compliance scoping is the countermeasure most businesses skip. ISO 27001 Annex A.8 covers asset management and data classification. If you don't know where your sensitive data lives, you can't protect it. We map your data flows, classify your information assets, and build the controls that make exfiltration detectable. SOC 2 criteria force you to monitor access to customer data. The Essential Eight maturity model requires application control and user application hardening, which directly blocks the abuse of legitimate tools like Rclone, MegaSync, and rsync that attackers use for data staging.

Threat 3: Security Tool Disabling Before Payload Deployment

Attackers are spending more time in reconnaissance specifically to identify and disable your security stack. They modify registry keys to enable RDP. They create firewall rules allowing inbound connections on port 3389 with a single netsh command. They kill EDR processes, stop Windows Defender services, and disable logging before dropping the payload. If your security tools are the first thing to go dark, you're fighting blind.

How lilMONSTER addresses it: Our penetration tests include explicit defence evasion scenarios. We test whether a compromised user account can disable your endpoint protection or modify firewall rules. We check if your SIEM alerts on process termination of security services. Our managed AI security monitoring watches for the exact registry modifications documented in Broadcom's 2026 ransomware white paper. You get alerts when fDenyTSConnections flips from 1 to 0, not a summary report two weeks later.

Threat 4: AI-Driven Attack Automation

Attackers are using LLMs to generate phishing lures, write targeted PowerShell scripts, and scan for vulnerabilities at machine speed. What took a human operator three days in 2024 now takes an AI-assisted workflow under an hour. The volume of attempted initial access has scaled beyond what manual review can handle.

How lilMONSTER addresses it: We fight AI with AI, but we do it with your data staying on your infrastructure. Our managed AI security runs threat detection models against your network telemetry inside your environment. We use the same AI-assisted scanning that attackers use for reconnaissance to find and close your exposures first. Our vulnerability assessment toolchain includes automated CVE correlation against your specific software inventory so you patch what matters, not every bulletin that hits your inbox.

Threat 5: Supply Chain and Third-Party Exposure

Attackers increasingly compromise managed service providers, software vendors, and cloud platforms to reach dozens of downstream targets through a single breach. Your own security posture matters less if your payroll provider, your cloud backup vendor, or your building management system hands over a privileged connection.

How lilMONSTER addresses it: Our compliance scoping extends to your suppliers. ISO 27001 requires supplier security assessment. SOC 2 demands vendor due diligence. We help you build a third-party risk management program that identifies which vendors have network access, what data they hold, and what happens to your operations if they go dark. Our threat intelligence monitoring tracks breach announcements and dark web chatter about compromised service providers in your industry and region.

FAQ

Do I need all three compliance frameworks? No. Most Australian SMBs start with Essential Eight maturity level one because it's practical, measurable, and directly maps to ACSC guidance. ISO 27001 and SOC 2 are valuable when you need to prove security to enterprise clients, government contracts, or insurers. We scope what's right for your business.

How long does a security assessment take? A full internal and external assessment for a business with 50 to 200 staff typically runs two to three weeks. Smaller engagements can turn around in a week. You get a prioritized remediation list, not a 200-page PDF nobody reads.

What's the difference between a vulnerability scan and a penetration test? Scans find known vulnerabilities using automated tools. Penetration tests have a human operator actively trying to break in, chain exploits, escalate privileges, and exfiltrate data. You need both. Scans catch the low-hanging fruit. Penetration tests catch the attack chains that scanners miss.

Will AI security monitoring flood me with false alarms? No. Our managed AI security correlates events before alerting. A single failed login doesn't trigger anything. A failed login followed by a registry modification and a new outbound connection to an untrusted IP does. You get actionable alerts, not log dumps.
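To show what this kind of correlated alerting looks like in practice, here is an added example in Python (not lilMONSTER's tooling) run over constructed sample telemetry: it flags fDenyTSConnections being set to 0 and a security service being stopped, as described under Threat 3, and the failed-login, registry-modification, outbound-connection chain from the FAQ answer above. The service names, trusted address ranges, five-minute window and event format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs: (timestamp, host, event_type, details).
SAMPLE_EVENTS = [
    ("2026-03-01T09:00:05", "ws-17", "logon_failed", {"user": "jsmith"}),
    ("2026-03-01T09:00:41", "ws-17", "registry_set",
     {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
      "old": "1", "new": "0"}),
    ("2026-03-01T09:01:10", "ws-17", "net_connect", {"dst_ip": "198.51.100.23", "dst_port": "443"}),
    ("2026-03-01T09:02:00", "ws-17", "service_stop", {"service": "WinDefend"}),
    ("2026-03-01T10:15:00", "ws-22", "logon_failed", {"user": "bob"}),
    ("2026-03-01T10:20:00", "ws-22", "net_connect", {"dst_ip": "10.0.0.5", "dst_port": "445"}),
]

TRUSTED_PREFIXES = ("10.", "192.168.")      # assumption: internal ranges count as trusted
SECURITY_SERVICES = {"WinDefend", "Sense"}  # assumption: services whose stop should alert
WINDOW = timedelta(minutes=5)               # assumption: per-host correlation window
CHAIN = ("logon_failed", "registry_set", "net_connect")

def is_untrusted(ip):
    return not ip.startswith(TRUSTED_PREFIXES)

def detect(events):
    """Return (host, alert) pairs. Rule 1: single high-signal events (RDP enabled via the
    registry, security service stopped). Rule 2: the FAQ chain on one host inside WINDOW."""
    alerts, by_host = [], defaultdict(list)
    for ts, host, kind, d in sorted(events, key=lambda e: e[0]):
        by_host[host].append((datetime.fromisoformat(ts), kind, d))
        if kind == "registry_set" and d["key"].endswith("fDenyTSConnections") and d["new"] == "0":
            alerts.append((host, "rdp_enabled_via_registry"))
        if kind == "service_stop" and d["service"] in SECURITY_SERVICES:
            alerts.append((host, "security_service_stopped:" + d["service"]))
    for host, evs in by_host.items():
        for i, (t0, kind0, _) in enumerate(evs):
            if kind0 != CHAIN[0]:
                continue
            step = 1  # next chain element we are waiting for
            for t, kind, d in evs[i + 1:]:
                if t - t0 > WINDOW:
                    break
                # The final step only counts if the destination is outside trusted ranges.
                if kind != CHAIN[step] or (step == 2 and not is_untrusted(d["dst_ip"])):
                    continue
                step += 1
                if step == len(CHAIN):
                    alerts.append((host, "failed_logon_registry_mod_outbound_chain"))
                    break
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts for ws-17 and none for ws-22, whose failed login was followed only by a connection to an internal address.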

Conclusion

Ransomware in 2026 is faster, quieter, and more layered than it was two years ago. Attackers are using your own tools against you, disabling your defences before you know they're inside, and extracting data without touching a single file. The businesses that survive these attacks are the ones that knew where their gaps were before the attacker found them.

lilMONSTER finds those gaps. Technical security assessments that test backup integrity, DDoS resilience, and exfiltration paths. Compliance scoping that builds controls around your data, not a checklist. Managed AI security that watches for the exact TTPs ransomware operators use in 2026.

Visit consult.lil.business for a free scoping call. We'll tell you what your business actually needs, not what sounds good in a sales deck.

References

  1. Recorded Future: New Ransomware Tactics to Watch Out For in 2026
  2. Broadcom: Ransomware 2026 White Paper
  3. Securelist by Kaspersky: Reviewing the Trends in Ransomware Attacks in 2026
  4. NJCCIC: 2026 Cyber Threat Assessment
  5. GuidePoint Security: Ransomware Reaches Elevated New Normal


TL;DR

  • A big paint company called AkzoNobel got hacked by bad guys called Anubis
  • The hackers stole 170GB of private files — like contracts, employee passports, and secret documents
  • This teaches us that even big companies with lots of money can get hacked
  • Your business needs to check if the companies you work with are safe too

What Happened to AkzoNobel?

Imagine you have a really big lemonade stand. You sell lemonade all over the world and make $12 billion every year. You'd think you're super safe, right?

That's AkzoNobel. They're a huge company that makes paint (brands like Dulux and Sikkens). They have 35,000 workers and sell paint in 150 countries.

But in March 2026, hackers broke into one of their offices in the United States and stole 170 gigabytes of data [1]. That's like stealing 500,000 photos!

Who Are These Hackers?

The hackers call themselves "Anubis" (named after an Egyptian god). Think of them like a club:

  • Some people build the hacking tools (the "developers")
  • Other people use those tools to attack companies (the "affiliates")
  • When they steal money, they split it: 80% for the attacker, 20% for the tool builder [2]

It's like renting a car. You don't need to build a car yourself — you just rent one and drive. That's why these attacks are happening more often. Any bad guy can "rent" hacking tools now.

What Did the Hackers Steal?

The hackers didn't just steal secret paint formulas. They stole stuff that hurts real people [1]:

  • Secret contracts with other companies (like deals that were supposed to be private)
  • Employee passports (like ID cards that let people travel between countries)
  • Email addresses and phone numbers (so they can send tricky messages pretending to be the company)
  • Private emails between workers
  • Technical documents about how things are made

Imagine someone stealing your diary, your homework, your photo album, and your wallet all at once. That's what happened to AkzoNobel.

Why Should You Care?

You might think: "I'm not a big paint company. This doesn't affect me."

Here's why it matters:

Your business partners can be hacked too. If you work with other companies (suppliers, shipping companies, software services), your data sits on THEIR computers. If THEY get hacked, YOUR data gets stolen too.

It's like leaving your bike at a friend's house. If their house gets robbed, your bike is gone — even though you locked it.

These attacks are getting easier. Remember the "rent a car" example? Hackers can now rent sophisticated attack tools. They don't need to be super smart anymore. They just need to pay.

This means MORE attacks will happen against MORE companies — including small businesses like yours.

Your stolen data can be used against you. If a hacker steals your business contracts, they might:

  • Pretend to be you and trick your customers
  • Tell everyone your secret business deals
  • Use your employee information to steal identities

What Can You Do? (3 Simple Steps)

You can't stop hackers from attacking big companies. But you CAN protect your business:

Step 1: Check your business partners. Before sharing important information with another company, ask them:

  • "How do you keep data safe?"
  • "What happens if you get hacked?"
  • "Do you back up your files?"
  • "Do you use two-factor authentication (like a code sent to your phone)?"

If they can't answer these questions, find a different company to work with.

Step 2: Don't give everyone the keys to your castle. If a delivery person needs to drop off a package, you don't give them your house keys. You just open the front door.

It's the same with business:

  • Only give vendors access to what they NEED (not everything)
  • Make their access expire automatically after a certain time
  • Check what they're doing with your data

Step 3: Have a backup plan. If a vendor tells you "We got hacked and your data was stolen," what do you do?

Think about it NOW, before it happens:

  • Who do you call?
  • How do you tell your customers?
  • Do you have backup copies of important files?
  • What if hackers pretend to be you?

The Most Important Lesson

AkzoNobel has lots of money and security experts. They still got hacked.

The lesson isn't "be perfect." The lesson is:

  • Be careful who you trust with your data
  • Have a plan for when things go wrong
  • Check on your business partners regularly

Security isn't a one-time thing. It's like brushing your teeth — you have to keep doing it.

What Happens Next?

AkzoNobel said they "contained" the attack [1]. That means they stopped the hackers from stealing MORE stuff. But the 170GB they already stole? That's gone forever.

The hackers will probably:

  • Try to sell the data to other bad guys
  • Use the information to trick people
  • Demand money from AkzoNobel to NOT publish the secrets

This is called "double extortion" — they lock your files AND threaten to leak your secrets.

Your Action Items

This week, do these three things:

  1. Make a list of all the companies you share important data with (customer lists, financial info, contracts)
  2. Send an email to your top 3 partners asking about their security (use the questions from Step 1 above)
  3. Write down what you'd do if one of your vendors called and said "We were hacked"

That's it. Three simple steps that could save your business.

FAQ

We don't know yet. Some companies pay (to get their data back). Some companies refuse (because paying encourages more attacks). The FBI and other police say "don't pay," but it's a tough choice when your business is at stake.

Maybe. If the hackers make mistakes (like using their real email address or logging in from a traceable computer), police can track them down. But many hackers live in countries where they can't be easily arrested. That's why prevention is better than trying to catch them later.

If you do business with AkzoNobel or any of their brands (Dulux, Sikkens, International, Interpon), contact your representative there. By law, they have to tell you if your data was stolen. Be careful though — scammers will pretend to be AkzoNobel to trick you! Only trust official letters or emails from addresses you already know are real.

A typical smartphone photo is about 3-4 megabytes (MB). There are 1,000 MB in 1 gigabyte (GB). So 170 GB ÷ 0.004 GB per photo = about 42,500 photos. But business documents (PDFs, spreadsheets, scans) are often smaller than photos. So 170GB of business documents could easily be 500,000+ files. It's just a way to help you imagine how much data was stolen!

Think of it like Uber for hackers. Someone builds the ransomware (the "app"), and other people use it to attack companies (the "drivers"). When a victim pays, the money gets split — most goes to the attacker, some goes to the tool builder. This lets more hackers attack more companies because they don't need to be tech experts anymore [2].

References

[1] BleepingComputer, "Paint maker giant AkzoNobel confirms cyberattack on U.S. site," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/

[2] Kela Cyber, "Anubis: A New Ransomware Threat," 2025. [Online]. Available: http://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/


Security isn't about being perfect — it's about being prepared. lilMONSTER helps small businesses check their vendors, make a plan, and sleep better at night. Book a free chat at https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=akzonobel-eli10

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
