Ransomware hasn’t gone away—it’s gotten smarter. In Akamai’s latest look at the threat, attackers aren’t just encrypting data; they’re stacking tactics to force payment and maximize pressure. Advisory CISO Steve Winterfeld argues the playbook has shifted to a four‑front war: encryption, data theft, DDoS, and “compliance weaponization.” The takeaway for leaders is blunt: if “21 days offline” can end a company, then resilience—not just blocking—must drive strategy.
Winterfeld situates the research in Akamai’s State of the Internet series, built on visibility into 20–30% of daily web traffic across DDoS, edge protection, WAF, and zero trust controls. That vantage point shows ransomware still climbing—“ransomware globally rose by 37%”—and attackers following the money and momentum of AI. He notes criminal groups are already harnessing large language models (LLMs); the dual‑use reality is here.
The regional picture is lopsided and instructive. Asia Pacific surged to 51% while the global number sits at 37%. Europe, the Middle East, and Africa tallied 27%, and Latin America 29%. The industry lens matters just as much. In a special breakout on crypto miners—those parasitic drains on compute budgets—high tech and nonprofit sectors take the brunt. Winterfeld’s warning lands hard: even if miners aren’t existential like ransomware, “they’re inside my network… and I’m paying for that out of my budget.”
The attacker economy is modular. Initial access brokers specialize in getting in—recon, foothold, lateral spread—then sell a turnkey position to ransomware crews. That workflow explains why dwell time still matters. While the current report doesn’t call it out explicitly, Winterfeld recalls a prior figure around 14 days between initial infection and detonation, with longer windows when brokers are involved. Those days are the defender’s runway: “If seven systems have ransomware, that’s an incident. If the entire network goes down, I may be going out of business.”
The evolution of pressure tactics is the real story. Encryption led to data theft; today, some crews lead with DDoS, and others escalate to “compliance weaponization”—notifying customers they hold sensitive data to force the victim’s hand. He names groups that now map across all four tactics and emphasizes the public immediacy of DDoS and ransomware: “On day one, everybody sees your site’s down.” Crisis response starts instantly.
Winterfeld’s strategy stack is pragmatic and layered. First, treat detection as an inside game. Most controls still face outward, but lateral movement is the signal that matters. Second, elevate backup rigor: test restores, secure them from tampering, and plan for cloud and on‑prem simultaneously. Third, extend “classic protections” into the AI/API era—edge protections, API visibility, and full data‑lifecycle coverage, including outbound traffic that supports double extortion. Fourth, invest in the fundamentals—patching, vulnerability management, and human‑centric controls for social engineering.
If there’s a unifying model, it’s zero trust in the NIST sense: “protecting access and identity management, and segmenting the network.” The aim is blast‑radius reduction. When segmentation holds, “you’ve only lost 10 or 20% of your network, not 100%.” He pairs that with the MITRE ATT&CK framework to exercise defenses end‑to‑end—tabletop to red/blue team runs that mirror modern ransomware tradecraft.
The board conversation needs a refresh too. Winterfeld calls ransomware “a reverse lottery ticket”: the probability may be low, but the impact is catastrophic—whereas APIs and AI endpoints are under constant attack. Budgeting becomes culture work as much as control selection: prioritize overlaps where investments diminish multiple risks and be explicit about what you’re choosing not to fund.
Akamai’s contribution, as Winterfeld frames it, is taking whole categories off the table. DDoS protections span DNS (the internet’s phone book), websites and APIs, and L3/4 infrastructure, while zero trust helps verify identity, enforce segmentation, and surface suspicious cross‑segment traffic (“why do database systems talk to HR systems?”). The point isn’t vendor victory laps; it’s compressing the problem space so CISOs can focus on what remains.
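The "inside game" of detection (lateral movement as the signal that matters), blast-radius segmentation, and the question "why do database systems talk to HR systems?" all come down to the same check: compare observed east-west traffic against an explicit segment-to-segment allow-list and flag what falls outside it. The script below is an added illustration, not Akamai's code or anything Winterfeld describes; the segment CIDRs, the allow-list, the flow-record format, the admin-port list and the fan-out threshold are all constructed assumptions. It reads flow records, reports cross-segment flows the policy does not permit, and separately flags any host that reaches several distinct hosts on administrative ports, a common lateral-movement pattern.

```python
"""Flag cross-segment flows a segmentation policy does not allow, plus admin-port fan-out."""
import ipaddress
from collections import defaultdict

# Hypothetical segment map; the addressing is constructed for this example.
SEGMENTS = {
    "database": ipaddress.ip_network("10.10.0.0/24"),
    "hr":       ipaddress.ip_network("10.20.0.0/24"),
    "app":      ipaddress.ip_network("10.30.0.0/24"),
    "backup":   ipaddress.ip_network("10.40.0.0/24"),
}

# Allow-list of (source segment, destination segment, destination port).
# Any cross-segment flow not listed here is a finding; this is the "zero trust" default-deny stance.
ALLOWED = {
    ("app", "database", 5432),
    ("hr", "app", 443),
    ("backup", "database", 5432),   # backup tier pulls from the database tier
}

# Lateral-movement heuristic (assumed values): one source reaching this many distinct
# destinations on administrative ports is worth an analyst's attention.
ADMIN_PORTS = {22, 445, 3389, 5985}
FANOUT_THRESHOLD = 3


def segment_of(ip):
    """Map an IP address to its segment name, or 'unknown' if it matches no CIDR."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse a constructed flow record: '<ts> <src_ip> <dst_ip> <proto> <dst_port> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def find_policy_violations(lines):
    """Return (ts, src_segment, dst_segment, src_ip, dst_ip, dport) for disallowed cross-segment flows."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if src_seg == dst_seg:
            continue  # intra-segment traffic is outside the segmentation policy's scope
        if (src_seg, dst_seg, f["dport"]) not in ALLOWED:
            findings.append((f["ts"], src_seg, dst_seg, f["src"], f["dst"], f["dport"]))
    return findings


def find_admin_fanout(lines):
    """Return {src_ip: [dst_ips]} for sources touching >= FANOUT_THRESHOLD hosts on admin ports."""
    targets = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["dport"] in ADMIN_PORTS:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= FANOUT_THRESHOLD}


# Constructed sample flow records; the third line onward shows a database host probing HR and app hosts.
SAMPLE_FLOWS = [
    "2025-01-01T09:00:00Z 10.30.0.5 10.10.0.7 tcp 5432 84000",
    "2025-01-01T09:00:05Z 10.20.0.9 10.30.0.5 tcp 443 2200",
    "2025-01-01T09:01:10Z 10.10.0.7 10.20.0.9 tcp 445 9100",
    "2025-01-01T09:01:12Z 10.10.0.7 10.20.0.11 tcp 445 9100",
    "2025-01-01T09:01:15Z 10.10.0.7 10.30.0.5 tcp 3389 3000",
    "2025-01-01T09:02:00Z 10.40.0.2 10.10.0.7 tcp 5432 120000",
]

if __name__ == "__main__":
    for ts, s, d, src, dst, port in find_policy_violations(SAMPLE_FLOWS):
        print(f"{ts} policy violation: {s} -> {d} ({src} -> {dst}:{port})")
    for src, dsts in find_admin_fanout(SAMPLE_FLOWS).items():
        print(f"admin-port fan-out from {src}: {', '.join(dsts)}")
```

Run against the sample records it reports three disallowed flows (all from the database host into HR and app) and one fan-out source. The design choice worth noting is that the allow-list is the artifact: writing it down forces the "should these segments ever talk?" question before an incident, and every flow outside it is an alert rather than a judgement call made at 3 a.m.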
Are we at peak ransomware? Winterfeld doubts it. With cryptocurrencies easing extortion and LLMs expanding both sides’ toolkits, he expects more iteration, not less. That’s why his closing prescription aims in two directions. Take the insights upstairs to validate or recalibrate risk appetite—“in the past you accepted risk; do we still want to?”—and take them downstairs to the SOC, threat intel, and MSSP to run gap‑driven validation and exercises. Resilience is a team sport that crosses BC/DR and cyber operations: fight through DDoS in real time while planning to operate without technology for days, then restore cleanly when it’s safe.
The message to leaders is clear. Prevention still matters, but resilience decides survival. Segment now. Test backups now. Put eyes inside the network now. Because if the next 21 days ever belong to an adversary, the only metric that will matter is whether your business sees day 22.