James Doggett, CISO, Semperis
January 28, 2026

QUESTION: Ransomware attack groups are getting more violent. How should CISOs respond to this change in tactics?

Jim Doggett, CISO, Semperis: At the start of 2025, it seemed like the world may have turned a corner in the fight against ransomware. Blockchain analysis revealed a major drop in ransom crypto-payments, with revenue declining for the first time since 2022.

Sadly, our optimism was short-lived. Threat actors are an adaptable bunch. When cornered, they can also be dangerous. Recent Semperis research shows that in two-fifths of ransomware attacks over the study period, adversaries threatened executives with physical harm. In addition, over two-thirds of organizations that were successfully breached ended up paying their extortionists.

There's only one way out of this corporate security nightmare: Improve cyber resilience.

How bad is it?

According to Chainalysis, ransomware actors received an estimated $814 million in payments from victims in 2024, a 35% decrease from the record-breaking $1.3 billion in 2023. Even assuming these figures are accurate, they don't tell the whole story. Faced with fewer victims willing to pay up, threat groups are doubling down on those who do.

Our data reveals 56% of organizations in the United States, United Kingdom, France, Germany, Spain, Italy, Singapore, Canada, Australia, and New Zealand were successfully breached by ransomware in 2024, and 69% of them paid a ransom. Also, 55% of organizations that paid did so multiple times, with 29% paying three or more times. Once adversaries single out an organization with a poor security posture, they are increasingly likely to return.

The impact of these ransomware attacks on businesses can be severe. Among the organizations in our research that paid the ransom, we estimate that half suffered losses of between $500,000 and $1 million annually. For nearly one in 10 organizations, the figure is over $1 million. That's not counting other costs, such as a potential hike in cyber-insurance premiums and collateral damage to the business, including job losses, data breaches, and budget cuts.

CISO Rule 1: Adapt and Thrive

Ransomware actors play the hand they are dealt. When confronted with potentially fewer victims willing to pay, they're not only resorting to threats of physical violence but also trying other tactics. Most (63%) of the victims we surveyed were threatened with data destruction, and in almost half (47%) of the cases, adversaries tried to blackmail them by threatening to file regulatory complaints.

Threat actors also continue to excel at probing the attack surface for weaknesses. Identity systems such as Active Directory, Entra ID, and Okta were compromised in 83% of the attacks we analyzed, enabling adversaries to establish persistence, move laterally, and elevate privileges. Infostealers and credential phishing also offer potentially rich rewards — especially when organizations allow personal devices to connect to corporate assets.

These tactics, techniques, and procedures will continue to evolve, as long as the bad guys need them to. British government security experts warn that artificial intelligence (AI) will not only supercharge social engineering, but also victim reconnaissance, malware generation, and vulnerability research and exploit development. Organizations unable to respond, contain, and recover swiftly may find themselves targeted multiple times.

CISO Rule 2: Assume Breach, and Build Resilience

The concern is that as AI lowers the barriers to entry for wannabe ransomware affiliates and makes attacks cheaper, cybercrime groups will continue to proliferate. This could feasibly happen, even as ransom payments decline and law enforcers improve takedown and disruption efforts.

So what's the answer? CISOs must commit to a long-term culture of resilience built on the classic combination of people, processes, and technology. In practice, this means improving user awareness and education programs, prompt patching, and multifactor authentication to reduce avenues of initial access. And it means preparing for the worst with backups and automated defense, response, and recovery functions.

By improving detection of suspicious activity and accelerating containment and remediation, it's possible to minimize the impact of serious attacks. The speed and thoroughness of recovery are particularly important to avoid repeat attacks. This can be achieved by developing and testing customized, well-documented, and clearly communicated incident response processes. All of the above must also apply as rigorously to suppliers as to the organization itself.

CISOs Don't Have to Go Underground

Hopefully, no CISO or business leader reading this will consider paying up the next time they are hit with a ransomware breach. Not only will threat actors likely come back for a second or third payday, but in many (15%) cases, victims don't even receive functional decryption keys.

However, banning ransom payments is not the answer either, as the UK government may soon find out. Banning payment could imperil critical infrastructure, put companies at risk of bankruptcy, and potentially force payments underground — among other unintended consequences. Our study finds 83% of UK public-sector respondents paid a ransom last year when compromised, hinting at trouble ahead.

Instead, CISOs need to learn a thing or two from their adversaries. Threat groups have developed a cockroach-like resilience to disruption over the past decade or more. So must security teams and the networks they defend.

About the Author

James Doggett, CISO, Semperis

James Doggett is the CISO at Semperis and a veteran in the information security and risk space. He previously served as partner at Ernst & Young, where he helped build the company's cybersecurity practice during his 27-year tenure. Before Semperis, Jim worked as CISO and head of US operations at Panaseer. He has also held positions as CTRO at AIG, CSO and CTRO at Kaiser Permanente, and managing director at JP Morgan Chase, where he was global leader of Information Risk and Resiliency, Treasury and Security Services.