Ransomware

Ransomware, Incident Response & Threat Intelligence

72-hour response playbooks, threat actor profiles, negotiation guidance, and BEC/deepfake defence.

The annual State of Ransomware hub

Permanent URL · Annually refreshed

Sub-categories (4 areas of coverage)

01 Playbooks

72-hour response, tabletop exercises, containment and recovery procedures. The operational work that determines how a ransomware incident plays out.

02 Threat Actor Hubs

Permanent, continuously-updated profiles of the groups that matter in 2026 — Scattered Spider, Qilin / Akira / Lynx, Volt Typhoon, Salt Typhoon.

03 BEC & Deepfake

AI-generated business email compromise and deepfake voice fraud — the attack category where the defensive playbook has changed most in the past 18 months.

04 Negotiation & Recovery

When to pay, when not to, how negotiations actually work, and the recovery architecture that determines whether you have to negotiate at all.

Ransomware remains the single largest source of operational damage in enterprise cybersecurity. The UK’s National Cyber Security Centre reported highly significant incidents rising 50% year-over-year for the third consecutive year. Nation-state intrusions — Volt Typhoon, Salt Typhoon, and their peers — continue to establish persistent access in critical infrastructure. And the economics of ransomware have shifted in ways that most corporate risk functions have not fully priced in: double-extortion is standard, triple-extortion is common, and the gap between “we paid” and “we recovered” has widened.

This category exists to be useful in the worst week of your career. The anchor piece is the 72-hour response playbook — written for the person who is six hours into an incident and needs specific, sequenced, defensible guidance. The adjacent coverage exists to reduce the probability that you end up there, and to increase the probability that if you do, you have the architecture, the insurance posture, and the vendor relationships to get through it.

What this category covers

Playbooks — the 72-hour response, tabletop exercises, containment procedures, and the recovery sequencing that separates organisations that have rehearsed from organisations that are reading blog posts during an active incident.

Threat actor hubs — permanent-URL profiles of the groups whose campaigns actually reach enterprise victims in 2026. Scattered Spider continues to dominate help-desk social-engineering intrusions. Qilin, Akira, and Lynx have emerged as the most operationally damaging ransomware-as-a-service crews. Volt Typhoon and Salt Typhoon are the nation-state stories with the longest implications. These hubs are refreshed as new campaigns emerge — the URLs stay stable.

BEC and deepfake — AI-generated business email compromise and voice fraud. This is the attack category where the defensive playbook has changed most in the past 18 months, and where the gap between what the security awareness vendors say and what actually stops attacks is widest.

Negotiation and recovery — the architecture, the insurance posture, and the judgment calls that determine whether paying a ransom is a defensible decision, a reckless one, or an illegal one. Our when-to-pay analysis is specific about the scenarios in a way that most coverage refuses to be.

How this category cross-sells

Ransomware is the authority-and-engagement category for the site. It drives session depth and cross-category flow in three directions:

Into Tools: every ransomware article links to the MDR comparison, the EDR/XDR comparison, and the backup tooling coverage. Ransomware readiness is the use case that separates MDR buyers who get their money’s worth from the ones who do not.

Into Compliance: every ransomware article links to the cyber insurance requirements piece. Insurer underwriting has moved ransomware readiness from a nice-to-have to a premium-affecting control area.

Into SMB/MSP: the ransomware material in the SMB category is necessarily more compressed — but the linkage pattern means an SMB reader researching basic controls can escalate into the enterprise playbook if they need to, and vice versa.

Editorial posture

A few positions that shape coverage in this category:

Sensationalism does not help people who are being attacked. Our coverage is urgent where urgency is warranted, calm where it is not, and specific in both cases.

Most “ransomware defence” content sells products. Ours does not. Our defensive recommendations are architectural first, operational second, and product third. When we do recommend vendor categories, we link to the Tools comparisons — which carry no affiliate commissions.

Incident response vendor selection should happen before the incident. Our coverage is explicit about which IR retainers are worth the money, what a good one looks like, and what to ask for during the quiet pre-incident window where you still have leverage.

See the annual State of Ransomware 2026 hub for the category synthesis, refreshed each December.