Ransomware: An Economy Scaling Up

In just a few years, ransomware actors have transformed what was initially a relatively artisanal activity into a value chain model. The model has gradually evolved into an industry where roles are distributed across initial access, compromise, negotiation, exfiltration, and monetization. A market for skills has emerged, with its service providers, affiliates, and specialized intermediaries. “We are facing a fragmentation of cybercriminal groups with specializations that make access to criminal tools much easier. The technical barrier to entry is decreasing significantly, allowing less experienced actors to participate in highly damaging operations,” said Pierre Meganck, cybersecurity consultant at Linkt, during a roundtable at the Forum INCYBER 2026 in Lille.

For targeted organizations, attacks are no longer limited to a few encrypted endpoints. They now target entire information systems, combining operational sabotage, exfiltration, and extortion, and require heavier, more costly, and more complex protection mechanisms—especially for SMEs, mid-sized companies, and local authorities. “We have felt this structuring, this industrialization of attacks, for twenty years. What is changing today is the scale. We are no longer dealing with a single encrypted machine on a network, but with global attacks involving extortion, exfiltration, and multiple forms of pressure,” noted Pascal Le Digol, Country Manager France at WatchGuard Technologies.

Data, the primary target of cybercriminals

The most significant shift concerns data. It has become the main target for attackers. It enables extortion, but also fuels resale, targeting of future operations, and sometimes the preparation of physical actions. “We should speak less about cybercrime and more about ‘cyber’ serving crime. What is now at stake is the exploitation of data itself,” observed Christophe Cencig, Deputy Head of the Cyber Investigations Unit at Ofac, National Directorate of the Judicial Police. Hervé Petry, Commander of the National Cyber Unit of the French Gendarmerie, added: “What must be understood today is a triple hybridization between cybercriminal groups, traditional organized crime, and hostile state entities. In this context, stolen data is not only a monetizable asset—it also becomes a lever to prepare other forms of attacks.”

This triple hybridization is reinforced by the growing use of OSINT (Open Source Intelligence) and social engineering. Data from social networks, previous breaches, or publicly accessible files is used to refine targets, improve fraud scenarios, and reduce preparation time. Attackers no longer seek only software vulnerabilities. They also exploit habits, personal exposure, and professional routines. “With the tools they have, they can know everything about us with remarkable precision. They aggregate data into panels and lookups, creating a concerning asymmetry. The more traces we leave, the more material they have to target, refine, and act,” commented Hervé Petry.

An attack surface extending beyond the enterprise

Another major shift: the attack surface now extends far beyond the boundaries of the organization. Instead of directly targeting the primary objective, attackers look for the easiest entry point. Web service providers, accounting firms, technical subcontractors, or intermediary software vendors become prime targets. “The priority attack vectors will be smaller organizations that large companies work with. This could be the provider that built the website or a less protected partner. They become an easier entry point to a larger target,” explained Pierre Meganck.

Artificial intelligence is another major accelerator. By improving phishing emails, automating target identification, assisting in processing large volumes of data, and reducing workforce needs, AI compresses the time required to move from observation to action, creating a true scaling effect. “Cybercrime has always been about scale, but AI takes this model to the next level. What previously required time and manpower can now be automated. A single actor can run an activity that previously required several people,” said Michaël de Laet, Team Lead at the European Cybercrime Center at Europol.

Reducing asymmetry through cooperation and reporting

This acceleration creates a broader risk: a growing gap between offensive and defensive capabilities. With significant financial resources and rapid recruitment capacity, criminal groups bypass many constraints and gain access to increasingly powerful tools. Even if not fully exploited yet, these tools widen the gap with organizations that remain unevenly prepared. “Attackers already have a real technological reserve. They have access to capabilities they do not even need to fully exploit yet because the level of defense remains insufficient in many organizations,” analyzed Pascal Le Digol.

In this context, the response highlighted by participants can be summed up in two words: cooperation and reporting. Cooperation between agencies, countries, and public and private actors. Reporting as well, because an unreported attack is difficult to leverage from both judicial and analytical perspectives. “If victims do not report incidents, it becomes impossible to connect cases and build a solid response,” noted Christophe Cencig. Incident reporting, filing complaints, and sharing indicators directly impact both detection quality and dismantling operations. “We are strengthening international cooperation and collaboration with the private sector to make these exchanges more operational. The objective is to turn available information into concrete actions capable of disrupting the infrastructure, services, and business models of criminal groups,” concluded Michaël de Laet.