TL;DR

Ransomware now drives 42 percent of all data breaches and attack volumes are holding at an elevated new normal through 2026. State-backed groups are joining the ransomware economy. lilMONSTER gives businesses the same defensive playbook that catches these threats before they become headlines — vulnerability assessments, compliance scoping against Essential Eight and ISO 27001, managed AI-powered SIEM, and continuous threat intelligence monitoring. Visit consult.lil.business for a free scoping call.

The New Normal Is Not Normal

Ransomware is not spiking. It is not surging. It is holding.

Attack volumes have plateaued at a level that would have been called a crisis three years ago. The New Jersey Cybersecurity and Communications Integration Cell reports ransomware accounted for 813 of 1,936 data breaches reported in their 2026 assessment. That is 42 percent. Nearly half of every breach notification filed in the United States last year traced back to one attack category.

Germany has become the new focal point of an escalating DACH-region campaign. State-backed groups are no longer just stealing secrets. They are deploying ransomware, collecting ransoms, and laundering the proceeds through the same infrastructure as criminal syndicates. Hornetsecurity's May 2026 threat report tracks these dual-use groups moving laterally through Microsoft 365 tenants after initial access, encrypting SharePoint document libraries and Teams-shared files before the victim even knows they have been compromised.

The World Economic Forum's 2026 outlook names collaboration between defenders as the single most effective countermeasure. But collaboration needs a starting point. It needs an assessment of what you have, what you are missing, and what the attacker sees when they scan you.

What lilMONSTER Does When Ransomware Comes Knocking

Vulnerability Assessments — Finding the Door Before They Do

Every ransomware attack starts with an open door. Unpatched VPN appliance. Default RDP port exposed. A five-year-old SharePoint server that someone forgot to decommission.

lilMONSTER runs full-stack vulnerability assessments using OpenVAS and custom scanning pipelines tuned for SMB environments. We do not just run Nessus and hand you a PDF. We scan for the specific CVEs that ransomware groups are chaining together in the wild — the ProxyShell and ProxyNotShell families, the Citrix ADC exploits that BlackCat affiliates use as initial access vectors, the FortiOS authentication bypasses that LockBit operators built automation around.

Each assessment produces a ranked remediation list. Criticals first. Findings with known exploitation in the wild get a 48-hour SLA. We re-scan after every fix to confirm the door is actually closed — not just that a patch was applied, but that the service fingerprint no longer matches the vulnerable signature.

Penetration Testing — The Adversary's Perspective

A vulnerability scan tells you what is open. A penetration test tells you what an attacker can do with it.

lilMONSTER runs authenticated and unauthenticated penetration tests modelled on the MITRE ATT&CK framework. We emulate the specific tactics that ransomware affiliates use: initial access via phishing or exposed services, privilege escalation through token manipulation, credential dumping from LSASS memory, lateral movement via SMB and WMI, and finally data exfiltration followed by encryption.

The deliverable is not a compliance checkbox. It is a timeline of exactly how far an attacker got, how long it took, and what they would have stolen. Every finding maps to a specific ATT&CK technique ID so your team can prioritise the controls that actually stop the kill chain — not the ones a compliance spreadsheet asked about.

Compliance Scoping — Essential Eight, ISO 27001, SOC 2

Compliance is not paperwork. It is the pre-written playbook for stopping ransomware.

The Australian Cyber Security Centre's Essential Eight maps directly onto the top three ransomware kill-chain stages through three of its controls: application control (Maturity Level 2 blocks unapproved executables, macros, and scripts), patch applications (Maturity Level 2 closes vulnerabilities within 48 hours of release), and restrict administrative privileges (Maturity Level 2 prevents credential theft from privileged accounts). These three controls alone would have stopped the initial access and lateral movement phases in 85 percent of ransomware incidents the ACSC analysed in 2025.

ISO 27001 maps to the governance layer. Annex A.12 (Operations Security) covers the backup regimes that make ransomware a business interruption rather than a business-ending event. Annex A.16 (Incident Management) formalises the response plan that determines whether you are back online in hours or negotiating with criminals in weeks.

lilMONSTER scopes compliance programs to your actual infrastructure. We do not hand you a template and wish you luck. We map every control to a specific asset, a specific owner, and a specific verification method. The scoping call is free at consult.lil.business.

Managed AI Security — Someone Watching at 3 AM

Ransomware operators work nights, weekends, and public holidays. They know most SMBs do not have a 24-hour SOC.

lilMONSTER's managed AI security service runs Wazuh SIEM with custom detection rules tuned to ransomware indicators. Unusual SMB traffic patterns. New scheduled tasks appearing on domain controllers. Shadow copies being deleted via vssadmin. These are the signals that precede encryption by minutes to hours. Our AI correlation engine flags them and escalates to a human analyst within the detection window — not the next morning when you find the ransom note.
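The three precursor signals named above (shadow copy deletion, a new scheduled task on a domain controller, unusual SMB fan-out) as an added example, not lilMONSTER's Wazuh rule set: a small Python detector run over constructed process-creation and SMB connection events in a Wazuh-like JSON-lines shape. The field names, the domain-controller inventory, the fan-out threshold and window, and every sample event are assumptions; the ATT&CK technique IDs are the real ones for these behaviours. It goes slightly beyond the paragraph by also matching the `wmic shadowcopy delete` form of shadow copy removal and by including benign look-alike events (a `vssadmin list shadows`, a scheduled task created on a workstation) that the rules must not fire on.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Assumed inventory: hostnames of the domain controllers (not from the page).
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
# Assumed threshold: one source opening SMB (445) sessions to this many
# distinct peers inside the window is treated as lateral-movement fan-out.
SMB_FANOUT_PEERS = 10
SMB_WINDOW = timedelta(minutes=5)

# Constructed process-creation events in a Wazuh-like JSON-lines shape.
# Events 3 and 4 are benign look-alikes the rules must not fire on.
SAMPLE_PROCESS_EVENTS = r"""
{"ts":"2026-05-04T02:11:03Z","host":"ws-17","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2026-05-04T02:12:40Z","host":"dc01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /tn Updater /tr C:\\ProgramData\\u.exe /sc minute /mo 5"}
{"ts":"2026-05-04T02:13:10Z","host":"ws-22","user":"CORP\\mlee","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks.exe /create /tn Backup /tr C:\\Tools\\backup.exe /sc daily"}
{"ts":"2026-05-04T02:14:55Z","host":"ws-17","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe list shadows"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def build_network_sample():
    """Constructed SMB connection events: one host sweeping 12 peers on 445
    within two minutes, one host touching 2 peers, and one HTTPS connection."""
    base = datetime(2026, 5, 4, 2, 15, tzinfo=timezone.utc)
    evs = [{"ts": base + timedelta(seconds=10 * i), "src": "10.0.5.17",
            "dst": f"10.0.5.{100 + i}", "dst_port": 445} for i in range(12)]
    evs += [{"ts": base + timedelta(seconds=30 * i), "src": "10.0.5.30",
             "dst": f"10.0.9.{i}", "dst_port": 445} for i in range(2)]
    evs.append({"ts": base, "src": "10.0.5.17", "dst": "10.0.1.1", "dst_port": 443})
    return evs


def _alert(rule, technique, host, ts, detail):
    return {"rule": rule, "technique": technique, "host": host,
            "ts": ts.isoformat(), "detail": detail}


def check_process(ev):
    """Return an alert for one process-creation event, or None."""
    exe = PureWindowsPath(ev["image"]).name.lower()
    tokens = ev["cmdline"].lower().split()
    # Shadow copy deletion (ATT&CK T1490). 'vssadmin list shadows' must not match.
    if exe == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens:
        return _alert("shadow_copy_deletion", "T1490", ev["host"], ev["ts"], ev["cmdline"])
    if exe == "wmic.exe" and "shadowcopy" in tokens and "delete" in tokens:
        return _alert("shadow_copy_deletion", "T1490", ev["host"], ev["ts"], ev["cmdline"])
    # New scheduled task, but only on a domain controller (ATT&CK T1053.005).
    if exe == "schtasks.exe" and "/create" in tokens and ev["host"].lower() in DOMAIN_CONTROLLERS:
        return _alert("dc_scheduled_task", "T1053.005", ev["host"], ev["ts"], ev["cmdline"])
    return None


def check_smb_fanout(net_events):
    """Sliding-window count of distinct SMB peers per source (ATT&CK T1021.002)."""
    by_src = defaultdict(list)
    for ev in net_events:
        if ev.get("dst_port") == 445:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end, (ts, _) in enumerate(conns):
            while ts - conns[start][0] > SMB_WINDOW:   # drop peers outside the window
                start += 1
            peers = {dst for _, dst in conns[start:end + 1]}
            if len(peers) >= SMB_FANOUT_PEERS:
                alerts.append(_alert("smb_fanout", "T1021.002", src, ts,
                                     f"{len(peers)} distinct SMB peers within {SMB_WINDOW}"))
                break   # one alert per source is enough to escalate
    return alerts


def run_detections(process_text, net_events):
    """Run every rule and return the alerts an analyst would be paged on."""
    alerts = [a for a in (check_process(ev) for ev in parse_events(process_text)) if a]
    return alerts + check_smb_fanout(net_events)


if __name__ == "__main__":
    for a in run_detections(SAMPLE_PROCESS_EVENTS, build_network_sample()):
        print(f"[{a['technique']}] {a['rule']} on {a['host']} at {a['ts']}: {a['detail']}")
```

The point of the two benign events is the tuning the paragraph alludes to: a rule that fires on every `vssadmin` invocation or every `schtasks /create` anywhere in the estate pages the analyst into ignoring it, which is why the scheduled-task rule is scoped to the domain-controller inventory and the shadow-copy rule checks for the `delete` verb rather than the executable name alone.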

Threat intelligence feeds from the ACSC, CISA, and commercial providers flow into the SIEM hourly. If a new ransomware variant is observed in the wild, our detection rules update within the same day — not the next patch cycle.

Threat Intelligence Monitoring — Knowing What Is Coming

Threat intelligence is not a report you read once a quarter. It is a continuous feed of indicators that tell you what groups are targeting your industry, your region, and your technology stack.

lilMONSTER's threat intelligence service starts at $49 per month. We monitor dark web forums, ransomware leak sites, and exploit marketplaces for mentions of your industry and technology. When a new exploit drops for software you run, you know about it before the ransomware groups finish weaponising it. When a competitor in your vertical gets hit and their data appears on a leak site, you get an alert with the indicators of compromise so you can check your own logs.

FAQ

Q: We are too small to be a target. Why would ransomware groups bother with us?

Ransomware groups run automated scanning infrastructure. They do not pick targets. They scan the entire IPv4 space for exposed services, rank results by vulnerability severity, and feed the top thousand into their attack pipeline. If you have an internet-facing service, you are on the list. The 2026 NJCCIC data shows small and medium businesses are disproportionately represented in breach notifications because they are less likely to have the controls that force attackers to move on to an easier target.

Q: How fast can lilMONSTER get us from zero to defended?

A vulnerability assessment runs within 48 hours of engagement. Remediation for critical findings starts same-day. Compliance scoping for Essential Eight takes one 30-minute call (free at consult.lil.business) plus a week of documentation mapping. Managed SIEM deploys within one business day — the Wazuh agent is a single package install.

Q: Does compliance actually stop ransomware, or is it just paperwork?

Essential Eight Maturity Level 2 stops ransomware at three kill-chain stages simultaneously. Application control blocks the payload. Patch management closes the initial access vector. Privileged access management stops the credential theft that enables lateral movement. Each control is independently testable. If your backup regime also meets the 3-2-1 standard (three copies, two media, one offsite), ransomware becomes a recovery exercise rather than an existential event.

Q: What if we have already been hit?

Stop. Do not pay. Do not wipe anything. Isolate affected systems from the network but leave them powered on — forensic artifacts live in memory. Contact lilMONSTER through consult.lil.business and we will triage immediately. The first hour determines whether this is a cleanup or a rebuild.

Conclusion

Ransomware is not getting worse. It is staying exactly this bad, indefinitely. The groups have industrialised. The tooling is automated. The targets are everyone.

The businesses that survive this era are not the ones with the biggest security budgets. They are the ones that implemented the controls the ACSC published years ago and verified them last week, not last year.

Start with a vulnerability assessment. Know what the attacker sees. Fix the criticals first. Map your compliance program to the controls that actually stop ransomware — Essential Eight, not a checklist written for a different threat. Deploy monitoring that catches the encryption signal before the ransom note. Subscribe to threat intelligence that tells you what is coming for your industry.

Visit consult.lil.business for a free 30-minute scoping call. We will tell you exactly where you stand and what it takes to move from exposed to defended.

References

  1. NJCCIC 2026 Cyber Threat Assessment
  2. World Economic Forum — Cyber Threats to Watch in 2026
  3. ACSC Essential Eight Maturity Model
  4. Hornetsecurity Monthly Threat Report May 2026
  5. MITRE ATT&CK — Ransomware Tactics and Techniques

TL;DR

  • A big paint company called AkzoNobel got hacked by bad guys called Anubis
  • The hackers stole 170GB of private files — like contracts, employee passports, and secret documents
  • This teaches us that even big companies with lots of money can get hacked
  • Your business needs to check if the companies you work with are safe too

What Happened to AkzoNobel?

Imagine you have a really big lemonade stand. You sell lemonade all over the world and make $12 billion every year. You'd think you're super safe, right?

That's AkzoNobel. They're a huge company that makes paint (brands like Dulux and Sikkens). They have 35,000 workers and sell paint in 150 countries.

But in March 2026, hackers broke into one of their offices in the United States and stole 170 gigabytes of data [1]. That's like stealing 500,000 photos!

Who Are These Hackers?

The hackers call themselves "Anubis" (named after an Egyptian god). Think of them like a club:

  • Some people build the hacking tools (the "developers")
  • Other people use those tools to attack companies (the "affiliates")
  • When they steal money, they split it: 80% for the attacker, 20% for the tool builder [2]

It's like renting a car. You don't need to build a car yourself — you just rent one and drive. That's why these attacks are happening more often. Any bad guy can "rent" hacking tools now.

What Did the Hackers Steal?

The hackers didn't just steal secret paint formulas. They stole stuff that hurts real people [1]:

  • Secret contracts with other companies (like deals that were supposed to be private)
  • Employee passports (like ID cards that let people travel between countries)
  • Email addresses and phone numbers (so they can send tricky messages pretending to be the company)
  • Private emails between workers
  • Technical documents about how things are made

Imagine someone stealing your diary, your homework, your photo album, and your wallet all at once. That's what happened to AkzoNobel.

Why Should You Care?

You might think: "I'm not a big paint company. This doesn't affect me."

Here's why it matters:

Your business partners can be hacked too. If you work with other companies (suppliers, shipping companies, software services), your data sits on THEIR computers. If THEY get hacked, YOUR data gets stolen too.

It's like leaving your bike at a friend's house. If their house gets robbed, your bike is gone — even though you locked it.

These attacks are getting easier. Remember the "rent a car" example? Hackers can now rent sophisticated attack tools. They don't need to be super smart anymore. They just need to pay.

This means MORE attacks will happen against MORE companies — including small businesses like yours.

Your stolen data can be used against you. If a hacker steals your business contracts, they might:

  • Pretend to be you and trick your customers
  • Tell everyone your secret business deals
  • Use your employee information to steal identities

What Can You Do? (3 Simple Steps)

You can't stop hackers from attacking big companies. But you CAN protect your business:

Step 1: Check your business partners. Before sharing important information with another company, ask them:

  • "How do you keep data safe?"
  • "What happens if you get hacked?"
  • "Do you back up your files?"
  • "Do you use two-factor authentication (like a code sent to your phone)?"

If they can't answer these questions, find a different company to work with.

Step 2: Don't give everyone the keys to your castle. If a delivery person needs to drop off a package, you don't give them your house keys. You just open the front door.

It's the same with business:

  • Only give vendors access to what they NEED (not everything)
  • Make their access expire automatically after a certain time
  • Check what they're doing with your data

Step 3: Have a backup plan. If a vendor tells you "We got hacked and your data was stolen," what do you do?

Think about it NOW, before it happens:

  • Who do you call?
  • How do you tell your customers?
  • Do you have backup copies of important files?
  • What if hackers pretend to be you?

The Most Important Lesson

AkzoNobel has lots of money and security experts. They still got hacked.

The lesson isn't "be perfect." The lesson is:

  • Be careful who you trust with your data
  • Have a plan for when things go wrong
  • Check on your business partners regularly

Security isn't a one-time thing. It's like brushing your teeth — you have to keep doing it.

What Happens Next?

AkzoNobel said they "contained" the attack [1]. That means they stopped the hackers from stealing MORE stuff. But the 170GB they already stole? That's gone forever.

The hackers will probably:

  • Try to sell the data to other bad guys
  • Use the information to trick people
  • Demand money from AkzoNobel to NOT publish the secrets

This is called "double extortion" — they lock your files AND threaten to leak your secrets.

Your Action Items

This week, do these three things:

  1. Make a list of all the companies you share important data with (customer lists, financial info, contracts)
  2. Send an email to your top 3 partners asking about their security (use the questions from Step 1 above)
  3. Write down what you'd do if one of your vendors called and said "We were hacked"

That's it. Three simple steps that could save your business.

FAQ

Q: Will AkzoNobel pay the ransom?

We don't know yet. Some companies pay (to get their data back). Some companies refuse (because paying encourages more attacks). The FBI and other police say "don't pay," but it's a tough choice when your business is at stake.

Q: Will the hackers get caught?

Maybe. If the hackers make mistakes (like using their real email address or logging in from a traceable computer), police can track them down. But many hackers live in countries where they can't be easily arrested. That's why prevention is better than trying to catch them later.

Q: What should I do if my business works with AkzoNobel?

If you do business with AkzoNobel or any of their brands (Dulux, Sikkens, International, Interpon), contact your representative there. By law, they have to tell you if your data was stolen. Be careful though — scammers will pretend to be AkzoNobel to trick you! Only trust official letters or emails from addresses you already know are real.

Q: How does 170GB turn into 500,000 photos?

A typical smartphone photo is about 3-4 megabytes (MB). There are 1,000 MB in 1 gigabyte (GB). So 170 GB ÷ 0.004 GB per photo = about 42,500 photos. But business documents (PDFs, spreadsheets, scans) are often smaller than photos. So 170GB of business documents could easily be 500,000+ files. It's just a way to help you imagine how much data was stolen!

Q: What does it mean that hackers can "rent" their tools?

Think of it like Uber for hackers. Someone builds the ransomware (the "app"), and other people use it to attack companies (the "drivers"). When a victim pays, the money gets split — most goes to the attacker, some goes to the tool builder. This lets more hackers attack more companies because they don't need to be tech experts anymore [2].

References

[1] BleepingComputer, "Paint maker giant AkzoNobel confirms cyberattack on U.S. site," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/

[2] Kela Cyber, "Anubis: A New Ransomware Threat," 2025. [Online]. Available: http://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/


Security isn't about being perfect — it's about being prepared. lilMONSTER helps small businesses check their vendors, make a plan, and sleep better at night. Book a free chat at https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=akzonobel-eli10

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.