Evolving ransomware tactics with AI-enhanced attacks and ransomware as a service
March 2026 | SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY
Financier Worldwide Magazine
The UK government has estimated that the cost of cyber attacks to UK businesses is more than £14bn and suggests that the UK is the most targeted country by threat actors in Europe.
According to a 2025 survey by the Home Office, 612,000 businesses identified a cyber attack in the preceding 12 months – and those are just the businesses that submitted a report, with the true figure likely to be significantly higher.
Developments in ransomware as a service (RaaS) and subsequently artificial intelligence (AI) have led to these attacks becoming increasingly sophisticated and complex, meaning more than ever businesses need to proactively manage and improve the resilience of their systems.
Recent examples over the past 12 months have demonstrated the significant impact of cyber attacks: the cyber hack on Jaguar Land Rover not only caused a widespread media frenzy but also impacted the UK’s gross domestic product, with an estimated cost to the business of £1.9bn to date. The attack caused a lengthy shutdown of Jaguar Land Rover’s systems, and the halt in production resulted in a ripple effect across its supply chain, impacting thousands of small businesses across the country.
Marks and Spencer was also targeted by ransomware operators in April 2025 and, although we understand that minimal customer data was stolen, the costs of lost sales and damage reached into the millions, with the business still trying to recover.
These two cases are just a snapshot of the current trends, but clearly demonstrate that the most immediate threat to organisations subject to cyber attacks can be operational, rather than simply a loss of data.
The risks are only heightened with the increasing professionalisation and commercialisation of the cyber crime ecosystem. The increasing popularity of and reliance on RaaS is a case in point. RaaS operators will package up and sell ransomware and encryption keys to their customers to enable them to quickly and easily deploy ransomware and target their attacks.
The commercialisation of ransomware in this way is big business, with user reviews, 24/7 support and forums often part of the package being sold to affiliates via the dark web, either on a subscription model or using a profit-sharing agreement where the RaaS operator receives a cut of the ransom paid. The more effective the attack, the greater the commercial gain for the RaaS operators and their affiliates.
In 2024, a joint paper from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) stated that “ransomware continues to be the most significant, serious and organised cybercrime threat faced by the UK”. With the aim of putting pressure on organisations to elicit payment of a hefty ransom, often in some form of cryptocurrency, ransomware is increasingly being adapted to exploit the risks that are particular to organisations.
So, those threat actors targeting the logistics and manufacturing industries will focus on keeping plant and machinery offline for as long as possible to disrupt production, those targeting healthcare and education will focus on the exfiltration of personal and sensitive personal data and subsequent threat of its publication, and those targeting sectors that are heavily regulated, such as financial services, will focus on the risk of significant reputational and regulatory scrutiny.
To help with this, RaaS operators will often offer up further services to their affiliates to make this as smooth as possible, such as providing platforms for communicating with victims and negotiating a ransom, alongside data leak sites through which exfiltrated data can be published if no ransom payment is forthcoming.
While highly commercialised for the operators, RaaS also makes the cyber threat landscape more disjointed and complex, with new groups and individual threat actors masterminding attacks that previously may have been in the hands of a few prolific groups. As the use of RaaS increases, it also lowers the barrier to entry, meaning that less sophisticated threat actors and smaller criminal groups can deploy ransomware, increasing the range and number of victims, regardless of size.
Furthermore, AI advancements have resulted in hackers using both deepfakes and automated phishing tools to gain access to internal systems by closely imitating genuine audio, video and text to trick the recipient into believing the content is authentic. A recent assessment by the NCSC found that AI has made cyber attacks, including those using ransomware, more effective and efficient, which has resulted in heightened intensity for targeted businesses. AI-driven cyber tools also give hackers a wider platform: it is no longer just so-called ‘state actors’ driving the hacks; other cyber criminals are able to gain access at a lower cost.
This means that it is not just large global corporations that are at risk. With threat actors having better access to the tools they need at a relatively low cost, they are able to target a range of organisations in terms of size, turnover and sector, and to effect debilitating and damaging attacks. These attacks can impact on every area of an organisation from finance to operations, directly affecting employees, customers and stakeholders alike.
According to the UK government’s ‘Cyber Security Breaches Survey 2025’, while instances of cyber crime remained broadly static between 2024 and 2025, the instances of ransomware being used among businesses significantly increased. Stopping or mitigating the threat requires a multilayered and coordinated approach, from intelligence agencies, government and legislators, and businesses themselves.
The NCA is working hard to limit this threat by actively going after the key RaaS operators and has had success in taking down LockBit, which was described as being one of the most prolific RaaS operators. It was estimated that the group was responsible for 25 percent of ransomware attacks over 2023-24, including the severely disruptive attack on Royal Mail.
Alongside action being taken by intelligence, crime and security agencies to stop these operators in their tracks, the government is also in the process of bolstering legislation in this area through the Cyber Security and Resilience Bill, which is currently making its way through parliament.
The purpose of the Bill is to update older legislation, and to increase the cyber resilience standards required of those considered to be an essential part of the economy, including their supply chains. As it stands, the Bill will increase the number of organisations in scope for these enhanced requirements, strengthen regulation and enforcement against those that do not comply, and allow the NCSC and regulators to obtain up-to-date information about current risks and attack vectors being used.
While all this work goes on at a national level, one of the most significant ways that risks can be mitigated is for businesses to engage with the risk head on. While the speed at which technology is developing means that it can be hard, if not impossible, for many businesses to completely protect themselves from risk, there is much that can be done to lessen the impact in the event of an attack.
Alongside the range of tools, frameworks and guidance, such as the ‘Cyber Essentials and Cyber Essentials Plus’ schemes published by the NCSC to help businesses to protect themselves from impact, it is key that corporate boards engage.
A helpful ‘Cyber Governance Code of Practice’ was published jointly by the NCSC and the UK government in April 2025 setting out the following critical areas of governance for boards and directors to consider when looking at their cyber risk profile: (i) setting risk appetite and strategy; (ii) planning incident response and subsequent recovery; (iii) ensuring employees are adequately trained to understand and spot risks; and (iv) ensuring boards receive much-needed assurance as to whether cyber risk is being adequately handled within the business.
In light of the fast-evolving landscape of the cyber world, the key message is that businesses need to work proactively to properly mitigate the risk of cyber hacking. RaaS operators are targeting a range of industries and organisations – both large and small – and are making the most of developing technologies to do so.
Strong assessments of a business’s vulnerabilities and risk appetite should be undertaken and strategies implemented from board level down in order to protect against the loss of both data and critical operations.
Charlotte Clayson is a partner and Madeleine Harper is a trainee solicitor at Trowers & Hamlins LLP. Ms Clayson can be contacted on +44 (0)20 7423 8087 or by email: cclayson@trowers.com. Ms Harper can be contacted on +44 (0)20 7423 8059 or by email: mtharper@trowers.com.
By Charlotte Clayson and Madeleine Harper, Trowers & Hamlins LLP