The Malicious Economy: What Happens If Your Defenses Are Insufficient?

Brian Scriber

3 weeks ago

Ransomware has changed a lot in the past few years. The term refers to a form of malicious software loaded by attackers to restrict access to files and other data with the intention of extracting payment from the owners of that data.

CableLabs has been working to make sure that residential and business subscribers have the tools they need not only for preparedness and prevention, but also in the event that ransomware actors target them.

Let’s take a look at how the ransomware landscape has evolved, how law enforcement has changed its approach and how one important document can alter the course of your network’s future.

The Law Enforcement Front

The global climate on the regulatory, legislative and law enforcement front has changed, as you can see in the table below.

Technical Developments Direct AI as a vector, or hiding malware in learning models Indirect use of AI, in which phishing is still the primary vector but deep fake audio, video, text, etc., is used AI tools used to code to a Common Vulnerabilities and Exposures (CVE) record and find vulnerable implementations	Policy Involvement U.S. cyber incident reporting requirements (FTC/SEC) in effect as of Dec. 18, 2023 February 2025 testimony by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to the Senate on threat actors and ransomware Release of Stop Ransomware docs from CISA and FBI
Threat Actors & Threat Evolution Encryption/denial of service or access Data exfiltration Expanded: Threat to attack web presence with DDoS Expanded: Threat to inform victims	Cyber Insurance Market Re-insurers struggling with how to underwrite the risk accurately Companies adjusting risk management to mitigate ransomware directly
Law Enforcement Significant efforts targeting, uncovering and disadvantaging threat actors Increasing global willingness to collaborate, share information and hunt/act	National Security Implications Nation-state advanced persistent threats (APTs) testing infrastructure, as well as malware penetration and footing

Evolving Threat Actor Behavior

We’re also seeing changes in threat actor behavior. There’s been a sharp increase in both the number of victims (over 200 percent) and the number of ransomware variants (over 30 percent) in 2025 — a deviation from last year’s trends.

The increased use of ransomware-as-a-service (RaaS), the open availability of threat tools and malicious actor communication all continue to evolve. No longer does the threat actor have to find a way to access systems, they can now buy opened systems and immediately move to the ransom phase. The horizontal disaggregation of the marketplace has enabled more threat actors to engage against more victims, with less technical know-how. Exploited vulnerabilities are now the primary method of malicious access, followed by compromised credentials and email/phishing.

Collaborating to Combat Threat Actors

CableLabs engages with several Information Sharing and Analysis Centers (ISACs) and anti-abuse groups. One of the more focused groups is the Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG), where we’re proud to have helped to both originally build (and then shepherd updates to) the “M³AAWG Ransomware Active Attack Response Best Common Practices” document.

We do this work because — although the dogma of cybersecurity defense is to prepare, prepare, prepare — the reality is that no matter how good a network’s defenses are, they can always be stronger.

The Best Common Practices document starts with advice from victims who were previously infected, moves on to steps to follow, lists numerous resources, provides a high-level view of what to expect and finally offers decision guideposts about who to involve and when. The document helps with detection, analysis and response activities; demonstrates how to communicate; and enumerates the deliverables necessary for each stage.

This document doesn’t prescribe specific behaviors, but it helps to make sure the reader is equipped with the right questions to ask, as well as the considered order of approach to tackling a problem.

There will be decisions to make about when to declare an event, whether you have reporting requirement, what law enforcement’s role will be, which disclosures are necessary, whether you pay a ransom (or whether that is legally permissible in your situation), when and how to engage on cybersecurity insurance, and what your potential negotiation options are.

There are always collateral victims in attacks like these, and there may be actions possible or preferable on those fronts that will need to be evaluated. That process is one of many that will involve others within the organization. This document helps lay out who should be considered in each step.

The Importance of Having a Plan

Everyone hopes that this aspect of the global economy will come to a decisive end but, in reality, that’s neither the trend nor the expectation. In a dangerous world, it’s best to have a plan for how your company will act in a multitude of situations — even the unpleasant ones.

The Best Common Practices document is a tool for checking existing policies, technologies and the people involved in the prevention plans, but it can also be a cheat sheet for those who have had to balance other needs against external threats and suddenly find themselves in a difficult situation.

Read the “M³AAWG Ransomware Active Attack Response Best Common Practices” document to learn more about the options that are available for victims of ransomware attacks. The document is one resource in a broader cross-sector toolkit that helps defend against and manage the risk of ransomware threats. For more, check out:

A Cybersecurity Framework 2.0 Community Profile from the National Institute of Standards and Technology (NIST)
StopRansomware.gov from CISA

Winston Churchill famously said, “If you’re going through hell, keep going.”

These resources can show you how.

READ THE BEST COMMON PRACTICES