Ransomware defence is now a race against time

Ransomware is evolving beyond a straightforward data theft issue as technology advances criminal capabilities. Models like Anthropic’s Mythos, which has demonstrated potential to outperform humans at some hacking and cybersecurity tasks, are adding to concerns that the window between vulnerability discovery and exploitation is shrinking. Businesses now face the dilemma of building resilience as ransomware becomes faster and capable of causing longer-term disruption.

Ransomware’s lucrative evolution

Ransom-based cyberattacks are becoming more invasive, enabling criminals to move faster and target operations more aggressively than before. “Ransomware remains one of the most disruptive cyber threats organisations face because attackers are no longer just targeting data. Instead, they are centring their efforts on operations, recovery processes and an organisation’s ability to continue functioning under pressure,” says Mark Molyneux, Field CTO North Europe, at Commvault.

He adds: “The growing focus on AI-driven threats, highlighted by developments such as Anthropic’s Claude Mythos, has reinforced how quickly the gap between vulnerability discovery and real-world disruption is shrinking. What once felt theoretical is now operational, and organisations need to be prepared for threats that move faster and place greater emphasis on business continuity.”

As these capabilities continue to advance, they are allowing threat actors to scale operations, fuelling financial incentives and making attacks even more severe. This is highlighted by Stephan Badesha, CISO, at Node4: “Ransomware attacks have surged over the past year, fuelled by the profitability of these crimes, the expansion of remote and cloud environments, and the emergence of Ransomware-as-a-Service. The integration of AI has further increased both the frequency and sophistication of attacks, enabling criminals to target high-value systems with greater precision and scale their operations more rapidly.”

The risk of defending at yesterday’s speed

The problem organisations now face is that, while threats are becoming more sophisticated, their technology and security processes are not evolving at the same pace. When systems are outdated, or remediation processes are slower, security gaps remain open for longer.

These delays in response time are now becoming a growing risk, as Shobhit Gautam, Staff Solutions Architect, EMEA, at HackerOne, explains: “Ransomware risk is no longer defined by the number of vulnerabilities an organisation has, but by how quickly they can remediate them. The time between vulnerability disclosure and exploitation has now reduced to less than a day, or even just a few hours. Attackers are becoming faster at identifying and exploiting vulnerabilities as they adopt AI and weaponise its capabilities. As the risk of ransomware attacks grows, security programs built around lengthy triage and remediation cycles are no longer sustainable.”

This issue is particularly relevant in retail, as attacks in the retail industry increased by 61% at the end of 2025. Abdelkader Keddari, VP EMEA Solution Engineering, at Fluent Commerce, notes the danger of retailers not having operations up to date: “Over the past year, high-profile ransomware attacks on major UK retailers have exposed the harsh reality that many still rely on outdated legacy systems which leave them vulnerable and slow to respond. When trust is breached, particularly where customer data is concerned, the damage to brand reputation and revenue can be severe.”

He advises: “Retailers should consistently assess where their operational weaknesses lie. Unable to provide real-time visibility or adapt quickly in a crisis, legacy systems prevent effective decision-making. As the industry relies more on an omnichannel approach, that lack of adaptability is more than a day-to-day issue – it’s a major business risk.”

The result is a widening gap between the speed of attacks and the ability to respond, leaving businesses vulnerable to major disruption.

Building robust systems for faster responses

Some level of exposure will always remain, as organisations can never be completely protected from ransomware. This means that ensuring a layered, proactive security approach is the best method to reduce the fallout from these attacks. 

Node4’s Badesha highlights why resilience must be top of mind: “The true cost of ransomware goes well beyond the initial ransom payment. Downtime, reputational harm, regulatory penalties, and recovery expenses can far exceed the ransom itself. While these attacks may seem increasingly unavoidable, organisations that prioritise resilience over prevention alone are better positioned to reduce the impact and recover more quickly.”

Continuous threat monitoring is another layer in moving towards more robust defences, adds HackerOne’s Gautam: “It is up to defenders to identify these risks before attackers can. While fortunately, discovery is scaling quickly, validation, ownership and remediation are not. Unless businesses can act on these insights, the situation will only get worse. It is key that the focus be on reducing the window of exposure and acting on vulnerability discovery quickly.”

He continues: “This is why organisations are increasingly adopting a continuous threat exposure management (CTEM) approach, focused on constantly identifying, validating and reducing vulnerabilities before attackers can strike. From here, businesses can work alongside security researchers and defence experts capable of mitigating these risks and shutting down any potential threats before they can be realised. This is the path to effective cyber resilience in the face of ransomware attacks.”

Ultimately, robust defences are crucial to reduce long-term impacts on businesses, as current and looming threats intensify. Commvault’s Molyneux states: “Anti-Ransomware Day is a reminder that resilience is no longer just about what happens after an attack. It is a continuous discipline that shapes how businesses prepare, respond and maintain critical services when disruption occurs.”

He concludes: “Those that will succeed will not be the organisations that assume they can prevent every incident, but those that can recover quickly and keep operating – even when under attack.”