Ransomware gangs step up insider recruitment, says NCC
NCC Group has reported a rise in ransomware attacks in December 2025 and warned that gangs increasingly recruit malicious insiders as part of their operating model.
The company said ransomware activity rose month on month by 13% in December 2025. It recorded 784 attacks for the month. NCC Group linked the increase to a seasonal pattern. It said attackers target organisations during the holiday period when teams can run understaffed.
NCC Group's cyber threat intelligence reporting described ransomware-as-a-service groups as more structured than in earlier years. It said gangs use affiliate models and now place more emphasis on sourcing access through employees, contractors and partners.
Insider access
The company said ransomware operators increasingly treat staff and trusted third parties as gateways into corporate networks. It said insider recruitment gives criminals legitimate access to credentials, systems and internal processes. NCC Group said this can reduce the need for technical intrusion and allow attackers to bypass security controls.
It said employees with broad access rights attract particular interest, especially those working in IT and technical roles. NCC Group said a single compromised account can provide multiple routes through a modern digital environment.
NCC Group also pointed to financial incentives as a driver for insider recruitment. It said groups offer commissions and promise anonymity for collaborators.
It cited an attempted approach to a BBC employee in September 2025 as an example. NCC Group said the Medusa ransomware gang offered 15% of a future ransomware payment in exchange for access to internal systems. It said Medusa later raised the offer to 25% after the attempt failed.
Matt Hull, Vice President of Cyber Intelligence and Response, NCC Group, said: "Targeting high-profile organisations like the BBC is both financially attractive and commercially strategic. Even limited success against a well-known brand can generate notoriety and credibility, helping groups attract future affiliates and opportunities. Well-resourced groups like Medusa and Qilin can afford to use financial incentives to attract insiders, but smaller gangs often lack the means to compete."
"For organisations, this shifts the focus from purely technical defence to human risk management. Insider threat programmes, strong access governance and robust offboarding processes are critical to reducing the risk that current or former employees become part of the ransomware supply chain," added Hull.
Professionals involved
NCC Group said insider recruitment extends beyond employees inside a target organisation. It noted a case in December 2025 in which two cyber security professionals pleaded guilty to collaborating with the BlackCat/ALPHV ransomware operation. NCC Group said the individuals admitted involvement in ransomware attacks against five US-based organisations. It said the victims included companies in healthcare and manufacturing.
The company described the case as an early documented example of cyber professionals using their experience of security processes to support ransomware operations directly. It said financial incentives likely played a central role, alongside pressures such as rising living costs and dissatisfaction with pay.
Hull said: "Ransomware has evolved into an organised business model. These groups now think in terms of recruitment, incentives, scale and growth, rather than just attacks.
"What's striking is that these tactics aren't new. Trust, deception, social engineering and financial pressure have always worked, they're just being organised and scaled in new ways. The recruitment of cyber security professionals shows how far this has gone: ransomware groups are exploiting expertise, access and human trust to operate like structured criminal enterprises."
Sector exposure
NCC Group's data for December 2025 showed Industrials as the most targeted sector. It attributed 29% of attacks to that segment. Consumer Discretionary accounted for 22% and Information Technology for 10%, according to the company.
The reporting also highlighted concentration among certain ransomware groups. NCC Group said Qilin accounted for 22% of all attacks in December 2025. It said Qilin recorded 12% more attacks than Akira, which it described as the next closest group in activity for the month.
Geographically, NCC Group said North America represented half of all attacks recorded in December 2025. The company did not break out figures for other regions in its summary.
The company said organisations now face a mix of technical intrusion risk and internal exposure. It said identity and access controls, governance over privileged accounts, and processes for staff departures sit alongside traditional cyber defences as ransomware groups place more focus on recruitment and collaboration.