TL;DR

Ransomware operators in 2026 exploit unpatched edge devices, abuse AI for credential phishing, and destroy backups as a default tactic. Every one of these threats is addressable with controls you can name — but naming them isn't enough. Insurers, boards, auditors, and AI governance reviewers increasingly demand evidence that controls are implemented, maintained, and effective. lilMONSTER trust-assurance services — from the Security Assurance Snapshot to Cyber Insurance Readiness and AI Governance Readiness — give you the evidence layer that turns security intent into provable defence.


The 2026 Ransomware Landscape: What's Actually Dangerous

Ransomware has matured into a layered extortion economy. The threat surface that matters most this year can be grouped into five categories, each of which carries a specific evidence obligation for the organisations they threaten.

1. Unpatched Edge Device Exploitation

Edge infrastructure — VPN concentrators, firewalls, secure file transfer appliances, and remote management interfaces — is the most common initial access vector in 2026. Attackers mass-scan for known CVEs within hours of disclosure, exploiting windows where patches exist but haven't been applied. MOVEit, Citrix NetScaler, Fortinet, and Palo Alto vulnerabilities remain high-value targets, and successful exploitation hands attackers a foothold that bypasses endpoint protections entirely.

What you must prove: that your attack surface is inventoried, that critical patches are applied within defined SLAs, and that exception management is documented. An Essential Eight readiness assessment gives you this baseline — the ASD's mitigation strategies directly target edge device exploitation through application control, patching cadence, and macro restriction. But readiness is a snapshot, not a state. Evidence maintenance ensures that snapshot stays current.

2. RaaS Affiliate Churn and New Brand Volatility

The disintegration of LockBit and the fragmentation of ALPHV/BlackCat successors has flooded the market with experienced operators forming new RaaS brands. These groups carry operational playbooks, double-extortion infrastructure, and known TTPs forward under new names, making attribution harder and defensive intelligence more important. Supply chain compromise — where an attacker breaches a trusted vendor to reach downstream customers — is now a standard RaaS play, not an anomaly.

What you must prove: that your third-party risk is assessed, that critical vendors have their own assurance evidence, and that your contracts require breach notification. lilMONSTER vendor risk assessment maps this exposure. ISO 27001 readiness ensures your supplier relationships are governed by Annex A controls (A.15), and a Security Assurance Snapshot can prioritise which suppliers warrant deeper review.

3. Double and Triple Extortion: Data Theft Plus Operational Disruption

Modern ransomware no longer relies on encryption alone. Attackers exfiltrate data first, threaten public release, contact customers directly, and launch DDoS attacks as pressure tactics. This means your defensive posture must cover data loss prevention, outbound traffic monitoring, and incident communications — not just recovery.

What you must prove: that you've identified sensitive data, implemented access controls and logging, and rehearsed an incident response plan that addresses extortion-specific scenarios. ISO 27001 readiness covers the management system (Annex A.5 through A.18), while secure implementation ensures controls like network segmentation, privileged access management, and immutable logging are actually deployed. Cyber Insurance Readiness verifies your policy covers extortion scenarios and that you can demonstrate compliance with policy warranties.

4. AI-Enhanced Social Engineering

Generative AI has industrialised spear-phishing and business email compromise. Deepfake voice calls, hyper-personalised lures crafted from LinkedIn and breach data, and automated credential harvesting kits have reduced the cost of convincing initial access to near zero. This is not a future threat — it's the current baseline.

What you must prove: that your workforce is trained, that phishing-resistant MFA is deployed, and that you've assessed how AI is used within your own organisation and by your vendors. This is where AI Governance Readiness (ISO 42001) becomes essential. AI systems that process data or make decisions need their own assurance framework. lilMONSTER AI Governance Readiness assesses your AI lifecycle controls, model risk documentation, and human oversight — the same evidence your auditors and regulators will ask for.

5. Backup Destruction and Recovery Reality

Ransomware operators now target backup infrastructure as a first move, not an afterthought. If your backups are online, domain-joined, or using shared credentials, they will be destroyed before encryption begins. Recovery without tested, isolated backups is theoretical.

What you must prove: that backups follow the 3-2-1 rule, that at least one copy is offline or immutable, and that you've tested restoration within an acceptable RTO. Evidence maintenance documents these tests over time — single-point-in-time validation is insufficient for insurance or audit purposes.


Practical Recommendations

Start with the evidence gap, not the control list. Most organisations already know they need patching, MFA, and backups — what they lack is provable, maintained documentation that those controls exist and function. The lilMONSTER Security Assurance Snapshot is designed to surface that gap quickly: it reviews your current control state against a recognised framework, identifies the highest-exposure areas, and produces prioritised, evidence-backed findings. From there, targeted readiness work — Essential Eight, ISO 27001, ISO 42001, or Cyber Insurance Readiness — builds the durable evidence set that stakeholders require.

If you're approaching a tender, insurance renewal, board review, or AI governance assessment, sequence the work backwards from the deadline. Insurers want evidence of implemented controls at application time. Tenders require ISO 27001 certification or equivalent. Boards need risk-register entries tied to control owners. AI governance reviewers need lifecycle documentation. lilMONSTER services are mapped to these stakeholder demands.


FAQ

What's the difference between having controls and proving them?

Controls are the technical and procedural safeguards — MFA, backups, access reviews. Proof is the documented evidence that those controls are implemented, maintained, and effective. Insurers, auditors, and boards need proof, not assertions. Evidence maintenance is what keeps proof valid between assessments.

We have backups. Is that enough for ransomware recovery?

Untested backups aren't a recovery strategy. If backups are online, share credentials with production systems, or haven't been restored in a drill, they're vulnerable to the same attack that encrypted your primary environment. The 3-2-1 rule — three copies, two media types, one offline — is the minimum, and restoration testing should be documented.

Do we need ISO 27001 and ISO 42001?

They serve different purposes. ISO 27001 governs your information security management system — the overarching controls framework. ISO 42001 governs your AI management system — how you develop, deploy, and oversee AI systems. If your organisation uses or builds AI, ISO 42001 readiness addresses the governance gap that 27001 doesn't cover. A Security Assurance Snapshot can help prioritise which framework applies first.

What does a vendor risk assessment actually do?

It maps your third-party dependencies, assesses each vendor's security posture, identifies concentration risk, and documents contractual protections like breach notification and right-to-audit. For ransomware specifically, it identifies which vendors have direct access to your environment and whether their compromise would give attackers a path in.


Conclusion

Ransomware defence in 2026 is less about acquiring new tools and more about proving the controls you already have. Edge devices need patching SLAs and exception logs. Backups need isolation and tested restoration. Third parties need risk-rated oversight. AI systems need lifecycle governance. Each of these carries an evidence obligation that insurers, auditors, boards, and customers will enforce — and that evidence needs to be maintained, not produced once.

If you're preparing for an insurance renewal, tender response, board review, or AI governance assessment, start with a qualified triage at https://consult.lil.business/. The process begins with authority verification — confirming you're the right person to commission the work — followed by scoped consent, where we agree on exactly what's reviewed and what isn't. We set evidence expectations upfront: what artefacts are needed, how they're handled, and how findings are delivered. Rules of engagement are defined before any work begins, covering communication channels, timelines, and boundaries.

No credentials, tenant invites, live-system testing, or active scanning are requested or performed before signed scope and access verification. The work is evidence review and trust-assurance planning — structured, documented, and aligned to the frameworks your stakeholders already use.


References

  1. Australian Signals Directorate — Essential Eight Mitigation Strategies
  2. CISA — #StopRansomware Guide
  3. NIST — Cybersecurity Framework 2.0
  4. ISO/IEC 27001:2022 — Information Security Management Systems
  5. ISO/IEC 42001:2023 — AI Management Systems

TL;DR

  • A big paint company called AkzoNobel got hacked by bad guys called Anubis
  • The hackers stole 170GB of private files — like contracts, employee passports, and secret documents
  • This teaches us that even big companies with lots of money can get hacked
  • Your business needs to check if the companies you work with are safe too

What Happened to AkzoNobel?

Imagine you have a really big lemonade stand. You sell lemonade all over the world and make $12 billion every year. You'd think you're super safe, right?

That's AkzoNobel. They're a huge company that makes paint (brands like Dulux and Sikkens). They have 35,000 workers and sell paint in 150 countries.

But in March 2026, hackers broke into one of their offices in the United States and stole 170 gigabytes of data [1]. That's like stealing 500,000 photos!

Who Are These Hackers?

The hackers call themselves "Anubis" (named after an Egyptian god). Think of them like a club:

  • Some people build the hacking tools (the "developers")
  • Other people use those tools to attack companies (the "affiliates")
  • When they steal money, they split it: 80% for the attacker, 20% for the tool builder [2]

It's like renting a car. You don't need to build a car yourself — you just rent one and drive. That's why these attacks are happening more often. Any bad guy can "rent" hacking tools now.

What Did the Hackers Steal?

The hackers didn't just steal secret paint formulas. They stole stuff that hurts real people [1]:

  • Secret contracts with other companies (like deals that were supposed to be private)
  • Employee passports (like ID cards that let people travel between countries)
  • Email addresses and phone numbers (so they can send tricky messages pretending to be the company)
  • Private emails between workers
  • Technical documents about how things are made

Imagine someone stealing your diary, your homework, your photo album, and your wallet all at once. That's what happened to AkzoNobel.

Why Should You Care?

You might think: "I'm not a big paint company. This doesn't affect me."

Here's why it matters:

Your business partners can be hacked too. If you work with other companies (suppliers, shipping companies, software services), your data sits on THEIR computers. If THEY get hacked, YOUR data gets stolen too.

It's like leaving your bike at a friend's house. If their house gets robbed, your bike is gone — even though you locked it.

These attacks are getting easier. Remember the "rent a car" example? Hackers can now rent sophisticated attack tools. They don't need to be super smart anymore. They just need to pay.

This means MORE attacks will happen against MORE companies — including small businesses like yours.

Your stolen data can be used against you. If a hacker steals your business contracts, they might:

  • Pretend to be you and trick your customers
  • Tell everyone your secret business deals
  • Use your employee information to steal identities

What Can You Do? (3 Simple Steps)

You can't stop hackers from attacking big companies. But you CAN protect your business:

Step 1: Check your business partners. Before sharing important information with another company, ask them:

  • "How do you keep data safe?"
  • "What happens if you get hacked?"
  • "Do you back up your files?"
  • "Do you use two-factor authentication (like a code sent to your phone)?"

If they can't answer these questions, find a different company to work with.

Step 2: Don't give everyone the keys to your castle. If a delivery person needs to drop off a package, you don't give them your house keys. You just open the front door.

It's the same with business:

  • Only give vendors access to what they NEED (not everything)
  • Make their access expire automatically after a certain time
  • Check what they're doing with your data

Step 3: Have a backup plan. If a vendor tells you "We got hacked and your data was stolen," what do you do?

Think about it NOW, before it happens:

  • Who do you call?
  • How do you tell your customers?
  • Do you have backup copies of important files?
  • What if hackers pretend to be you?

The Most Important Lesson

AkzoNobel has lots of money and security experts. They still got hacked.

The lesson isn't "be perfect." The lesson is:

  • Be careful who you trust with your data
  • Have a plan for when things go wrong
  • Check on your business partners regularly

Security isn't a one-time thing. It's like brushing your teeth — you have to keep doing it.

What Happens Next?

AkzoNobel said they "contained" the attack [1]. That means they stopped the hackers from stealing MORE stuff. But the 170GB they already stole? That's gone forever.

The hackers will probably:

  • Try to sell the data to other bad guys
  • Use the information to trick people
  • Demand money from AkzoNobel to NOT publish the secrets

This is called "double extortion" — they lock your files AND threaten to leak your secrets.

Your Action Items

This week, do these three things:

  1. Make a list of all the companies you share important data with (customer lists, financial info, contracts)
  2. Send an email to your top 3 partners asking about their security (use the questions from Step 1 above)
  3. Write down what you'd do if one of your vendors called and said "We were hacked"

That's it. Three simple steps that could save your business.

FAQ

We don't know yet. Some companies pay (to get their data back). Some companies refuse (because paying encourages more attacks). The FBI and other police say "don't pay," but it's a tough choice when your business is at stake.

Maybe. If the hackers make mistakes (like using their real email address or logging in from a traceable computer), police can track them down. But many hackers live in countries where they can't be easily arrested. That's why prevention is better than trying to catch them later.

If you do business with AkzoNobel or any of their brands (Dulux, Sikkens, International, Interpon), contact your representative there. By law, they have to tell you if your data was stolen. Be careful though — scammers will pretend to be AkzoNobel to trick you! Only trust official letters or emails from addresses you already know are real.

A typical smartphone photo is about 3-4 megabytes (MB). There are 1,000 MB in 1 gigabyte (GB). So 170 GB ÷ 0.004 GB per photo = about 42,500 photos. But business documents (PDFs, spreadsheets, scans) are often smaller than photos. So 170GB of business documents could easily be 500,000+ files. It's just a way to help you imagine how much data was stolen!

Think of it like Uber for hackers. Someone builds the ransomware (the "app"), and other people use it to attack companies (the "drivers"). When a victim pays, the money gets split — most goes to the attacker, some goes to the tool builder. This lets more hackers attack more companies because they don't need to be tech experts anymore [2].

References

[1] BleepingComputer, "Paint maker giant AkzoNobel confirms cyberattack on U.S. site," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/

[2] Kela Cyber, "Anubis: A New Ransomware Threat," 2025. [Online]. Available: http://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/


Security isn't about being perfect — it's about being prepared. lilMONSTER helps small businesses check their vendors, make a plan, and sleep better at night. Book a free chat at https://consult.lil.business/?utm_source=blog&utm_medium=post&utm_campaign=akzonobel-eli10

Need to prove security trust?

Start with qualified triage. We verify authority, minimise access, define scope, and focus on evidence that helps with insurers, customers, tenders, boards, auditors, and AI governance reviewers.

Start Qualified Triage