Ransomware just got promoted to the Cloud

Ami Hofman · January 7, 2026

Reflections of a concerned practitioner

You’ve definitely done the work after the last regulator report. You’ve locked the doors, patched the servers and armed your endpoints with more acronyms than a government tender. EDR. XDR. NGFW. You are using signature-based detection, heuristics, sandboxing, automated response and god knows what’s coming next year. Job done, right?

So why can’t you sleep at night?

Because the war has moved somewhere else. While we were busy fortifying endpoints, attackers quietly shifted the battlefield to our clouds, build pipelines and digital supply chains.

Unlike the old smash-and-grab model of ransomware, today’s attackers don’t even need to breach your office. They just need to compromise your software update, your CI/CD runner or your storage bucket, and suddenly your entire business is held hostage. And you know what? All of this is now offered as RaaS (Ransomware-as-a-Service), complete with a support team and an agreed SLA.

From Big-Game Hunting to Cloud Extortion-as-a-Service

Once upon a time, ransomware was a blunt instrument. Break in, encrypt a few servers, demand Bitcoin and move on.

That was the era of “big-game hunting.” But the last two years have ushered in something far more organised: a full-blown Ransomware-as-a-Service (RaaS) economy.

It’s the Uber model of cybercrime:

  • Core developers build and maintain the malware.
  • Affiliates “rent” access, split profits, and even get customer support portals and FAQs.
  • Brokers sell stolen access credentials and initial footholds in cloud or SaaS environments.

The result? Scale and speed that defenders can barely match.

According to CrowdStrike’s 2025 Global Threat Report, RaaS operations now account for nearly 80% of all ransomware incidents worldwide, with triple-extortion models (data theft, encryption, and public leaks) up 120% year-over-year.

It’s industrialised crime and it’s moving to where the data and money now live: the cloud.

The Cloud: Freedom for You, Fortune for Them

Cloud adoption has unlocked agility, scalability, and innovation. It has also blown apart the traditional perimeter.

Last year the average enterprise used over 1,400 SaaS applications (BetterCloud). Each one is a potential entry point.

Groups like ALPHV, LockBit 3.0 and 8Base now operate specialised cloud units that:

  • Exploit IAM misconfigurations — a single over-privileged token can pivot across multiple accounts.
  • Abuse public storage (S3, Azure Blob) for exfiltration and extortion.
  • Weaponise API integrations, chaining trust relationships between apps to disable logging, delete backups, or wipe snapshots.

In one recent case analysed by Mandiant, a RaaS affiliate compromised a Kubernetes control plane, deleted cluster backups and exfiltrated data via legitimate cloud APIs; no endpoint agent ever saw the traffic.

And because the cloud runs on trust and automation, the same mechanisms that make your DevOps team fast also make attackers devastatingly efficient.

The Supply Chain: Your Blind Spot is Their Business Model

Remember when ransomware gangs went after hospitals and city councils? They’ve discovered something far more profitable: you, but indirectly.

Why target one enterprise when you can compromise the software vendor that services hundreds?

In the last two years, we’ve seen a 300% increase in attacks on build servers, CI/CD pipelines, and open-source repositories.

The playbook is chillingly consistent:

  1. Steal developer credentials or access tokens.
  2. Inject malicious code into a trusted component.
  3. Wait for the vendor to distribute the poisoned update.

When that happens, it’s not ransomware hitting a company, it’s ransomware hitting through a company.

The MOVEit, 3CX, and JetBrains TeamCity incidents are just the early warnings. Attackers are going upstream, treating the software supply chain like a high-yield multiplier.

And because cloud and CI/CD pipelines are so tightly coupled, one compromised artefact can cascade across hundreds of environments before anyone notices.

The Economics of Extortion, 2025-Style

Here’s the uncomfortable truth: ransomware isn’t dying; it’s evolving into a business model.

Blockchain anonymity, crypto-mixers, and bulletproof hosting make cashing out easier. AI-assisted reconnaissance makes targeting faster. RaaS franchise networks make operations scalable.

Check Point estimates global ransomware damage costs will exceed US $50 billion by the end of the year, while IBM’s Cost of a Data Breach report pegs the average cloud-related breach at US $5.2 million, a 16% premium over on-prem incidents.

The economics favour the attackers:

  • Marginal cost of attack: almost zero.
  • Marginal return: millions.
  • Prosecution risk: minimal.

Meanwhile, defenders face tooling sprawl, alert fatigue and board pressure to cut costs: the perfect storm for complacency.

Practitioners’ Reality Check: Where We’re Getting It Wrong

Let’s be honest, many of our defensive postures are still built for 2015. We’re great at patching endpoints, but terrible at mapping cloud trust relationships. We chase compliance, not resilience. We still think ransomware starts with a dodgy email, not a poisoned build pipeline.

While we celebrate “shift left,” attackers are shifting further left, into the development lifecycle itself.

They don’t need to breach your production network if they can hijack your next deployment.

The Way Forward: Building Ransomware Resilience for 2025 and Beyond

The good news? Defenders can adapt just as quickly, if we stop thinking in silos.

Here’s where mature organisations are heading:

1. Secure the Cloud from the Inside Out

  • Treat your cloud environment as hostile by default.
  • Implement Zero Trust for IAM — no implicit trust between services, users, or automation tokens.
  • Continuously validate configurations using Cloud Security Posture Management (CSPM) and runtime protection (CWPP/CNAPP).
  • Protect backups from API deletion by isolating snapshots and enforcing MFA-delete policies.

2. Harden the Software Supply Chain

  • Maintain a living Software Bill of Materials (SBOM) for all applications and dependencies.
  • Implement signing and provenance verification for code and build artefacts.
  • Restrict developer secrets and enforce hardware-bound authentication for CI/CD systems.
  • Continuously scan artefacts post-build; don’t assume a successful compile means a safe binary.

3. Plan for Cloud-Scale Incident Response

  • Simulate attacks that disable your entire cloud tenancy.
  • Pre-stage out-of-band communication and backup credentials.
  • Practise pipeline compromise tabletop exercises — including your suppliers.
  • Measure readiness not by compliance, but by time to recover cloud control.

4. Leverage AI Defensively

AI isn’t just the attacker’s weapon; it can be ours too.

  • Use AI-driven anomaly detection for IAM activity and data egress.
  • Automate enrichment of cloud events to reduce analyst fatigue.
  • Couple vendor AI with local contextual data to catch behaviours unique to your environment.
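A rule-based starting point for the IAM-activity and egress monitoring recommended above, covering the actions the cloud section names (disabling logging, deleting backups, wiping snapshots, a token used across accounts). This is an added example, not code from the post; the CloudTrail field names are real, but the sample records and the 500 MiB egress baseline are constructed assumptions.

```python
"""Rule-based detection over CloudTrail-style records for what the post attributes to cloud
ransomware affiliates: disabled logging, wiped snapshots/backups, cross-account pivots, bulk egress."""
from collections import defaultdict

# API calls that blind defenders or destroy recovery points (AWS event names).
DESTRUCTIVE = {
    "StopLogging": "logging disabled",
    "DeleteTrail": "logging disabled",
    "DeleteSnapshot": "snapshot wiped",
    "DeleteBackupVault": "backup destroyed",
}
# Assumed per-principal egress baseline in bytes; tune to your own environment.
EGRESS_THRESHOLD = 500 * 2**20

def detect(events):
    """Return (principal, reason) alerts for a list of CloudTrail records."""
    alerts = []
    egress = defaultdict(int)
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("arn", "unknown")
        name = ev.get("eventName", "")
        if name in DESTRUCTIVE:
            alerts.append((who, DESTRUCTIVE[name]))
        # A token issued by one account acting in another: the pivot the post describes.
        src = ident.get("accountId")
        if src and src != ev.get("recipientAccountId", src):
            alerts.append((who, "cross-account pivot"))
        # S3 data events record bytes out; accumulate per principal.
        if name == "GetObject":
            egress[who] += ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
    for who, total in egress.items():
        if total > EGRESS_THRESHOLD:
            alerts.append((who, f"bulk egress {total // 2**20} MiB"))
    return alerts

CI = {"arn": "arn:aws:sts::111111111111:assumed-role/ci-runner/build-42",
      "accountId": "111111111111"}
SAMPLE = [  # constructed records: one automation token misused, one benign user
    {"eventName": "StopLogging", "recipientAccountId": "111111111111", "userIdentity": CI},
    {"eventName": "DeleteSnapshot", "recipientAccountId": "222222222222", "userIdentity": CI},
    {"eventName": "GetObject", "recipientAccountId": "111111111111", "userIdentity": CI,
     "additionalEventData": {"bytesTransferredOut": 700 * 2**20}},
    {"eventName": "DescribeInstances", "recipientAccountId": "111111111111",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice", "accountId": "111111111111"}},
]

if __name__ == "__main__":
    for who, reason in detect(SAMPLE):
        print(f"ALERT {reason}: {who}")
```

Run the file directly to print the alerts for the sample records; against a real trail, feed it the parsed records and derive the baseline from your own traffic.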

5. Collaborate Relentlessly

Ransomware groups collaborate across borders; defenders must do the same.

  • Join sector ISACs, ACSC partnerships, and CISA advisories.
  • Share Indicators of Behaviour (IOBs), not just IOCs — it’s how you catch evolving tactics earlier.

Looking Ahead: The Next Mutation

As we go forward, we should expect ransomware to become even more autonomous and data-centric:

  • AI agents that identify high-value data automatically.
  • Deepfake-driven extortion videos.
  • “Ransomware without encryption,” where attackers simply threaten exposure of sensitive cloud data.

As generative AI becomes embedded in DevOps and SaaS tools, attackers will weaponise AI supply chains just like they did with software ones.

This isn’t scaremongering. It’s already starting.

Final Reflection

Ransomware didn’t die, it got promoted to the cloud.

We’ve reached a point where resilience isn’t about blocking the payload. It’s about designing systems that can absorb failure without catastrophe.

We can’t out-spend these adversaries. But we can out-design them — through smarter architectures, faster detection, and deeper collaboration.

Because in this new world, the ransomware note isn’t left on your desktop anymore. It’s sitting in your pipeline, your vendor’s update server, and your cloud console. The question is: when it shows up, will you even see it coming?