Ransomware Criminals Evolve: Rapid7 CTO Reveals Shift to Data Theft, Extortion, and Vulnerability Exploitation

In the relentless cat-and-mouse game between cybercriminals and defenders, ransomware operators are proving once again why they remain one of the most formidable threats in cybersecurity. According to Thom Langford, EMEA Chief Technology Officer at Rapid7, these groups are becoming leaner, smarter, and more efficient—adapting faster than many organizations can respond. In a candid interview at Infosecurity Europe 2026, Langford highlighted a noticeable pivot toward data theft and extortion tactics, driven in part by successful law enforcement disruptions that have forced attackers to rethink their playbooks.

This evolution isn’t just about surviving; it’s about maximizing profits with minimal effort. By focusing on stealing sensitive data and threatening to leak or sell it—rather than always encrypting systems—attackers reduce their operational footprint while increasing pressure on victims. For privacy and compliance professionals, this shift amplifies the stakes: it’s no longer solely about system downtime but about long-term reputational damage, regulatory violations, and the permanent exposure of personal information.

The Changing Face of Ransomware Operations

Ransomware has matured into a sophisticated underground economy. Langford noted that criminal groups are responding rapidly to disruptions, such as arrests or infrastructure takedowns, by streamlining their approaches. Service-based models, often referred to as Ransomware-as-a-Service (RaaS), continue to lower the barrier to entry, allowing less-skilled actors to participate through affiliate programs. This democratization of cybercrime means threats can come from anywhere, at any time.

One of the most significant tactical shifts is the emphasis on **data theft and extortion** over traditional full-system encryption. Why? It’s more efficient. Attackers exfiltrate valuable data—customer records, intellectual property, employee details—and then demand payment to prevent its release on leak sites or dark web marketplaces. The attacker needs access only long enough to locate and copy the data, not to maintain it through a disruptive encryption run, and skipping encryption removes the noisiest stage of a traditional intrusion: mass file modification is exactly what endpoint tooling and backup monitoring are tuned to catch, and it is the moment the victim inevitably notices. Exfiltration over ordinary outbound channels such as HTTPS or cloud storage APIs can blend in with legitimate traffic for far longer. For victims, the fear of public data dumps often proves more compelling than the threat of locked files, especially in regulated industries where breach notification clocks start running quickly.

Vulnerability Exploitation Overtakes Social Engineering

Langford pointed out another key trend: cybercriminals are increasingly relying on **exploitation of vulnerabilities in the organization’s own exposed systems** as the primary initial access vector, surpassing social engineering techniques like phishing. This shift reflects both the growing sophistication of attackers and the expanding attack surface in modern enterprises.

Complex, hybrid IT environments—spanning on-premises systems, cloud services, IoT devices, and third-party integrations—create numerous potential entry points. Attackers scan for unpatched software on internet-facing systems (VPN gateways, file-transfer appliances, web applications), misconfigurations, or weak perimeter defenses. Once inside, they move laterally, exfiltrate data, and issue extortion demands. This approach is often quieter than a phishing campaign: no employee has to be tricked, no lure lands in a mailbox where filtering or user reporting might raise an alarm, and the first sign of compromise may be a log entry on an edge device that nobody was watching.

“If you can’t distinguish what you need to patch versus what you don’t need to patch, you will just be lost under that tsunami.” — Thom Langford, EMEA CTO, Rapid7

This quote captures the overwhelming reality for many security teams. With thousands of new vulnerabilities disclosed monthly, prioritization is no longer optional—it’s survival. Langford stressed the importance of threat intelligence and contextual understanding to focus efforts on the risks that matter most to your specific environment.
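To make that prioritization concrete, the following is an added Python example (written for this page, not Rapid7 code and not anything shown in the interview) that scores each finding from the signals the text names: severity (CVSS), exploitation likelihood (an EPSS-style probability), weaponization (presence in CISA’s Known Exploited Vulnerabilities catalog), exposure (internet-facing) and data sensitivity (regulated data on the host), then discounts, but never erases, the score for compensating controls. The weights, SLA thresholds, control factors, asset names and sample findings are all assumptions chosen for illustration, not calibrated values.

```python
"""Risk-based vulnerability prioritisation (added example, not Rapid7 code).

Signals per finding: CVSS severity, exploitation probability (EPSS-style),
weaponisation (CISA KEV listing), exposure and data sensitivity, minus a
discount for compensating controls. Weights, thresholds, control factors and
the sample findings below are illustrative assumptions, not calibrated values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float              # CVSS base score, 0-10
    epss: float              # probability of exploitation within 30 days, 0-1
    in_kev: bool             # listed in CISA Known Exploited Vulnerabilities
    internet_facing: bool
    regulated_data: bool     # host stores or processes personal/regulated data
    controls: frozenset = field(default_factory=frozenset)


# Multiplicative discount per compensating control (assumed values).
CONTROL_FACTORS = {"waf": 0.7, "segmented": 0.8, "no_local_admin": 0.9}

# Additive weights; they sum to 1.0 so the raw score stays within 0..1.
W_CVSS, W_EXPLOIT, W_EXPOSURE, W_DATA = 0.35, 0.35, 0.15, 0.15


def priority_score(f: Finding) -> float:
    """Return a 0-100 priority. A KEV listing counts as certain exploitation."""
    exploit = 1.0 if f.in_kev else f.epss
    raw = (W_CVSS * (f.cvss / 10.0)
           + W_EXPLOIT * exploit
           + W_EXPOSURE * (1.0 if f.internet_facing else 0.0)
           + W_DATA * (1.0 if f.regulated_data else 0.0))
    # Controls lower the score but cannot drive it to zero: the flaw is still there.
    for control in f.controls:
        raw *= CONTROL_FACTORS.get(control, 1.0)
    return round(raw * 100, 2)


def remediation_tier(score: float) -> str:
    """Map a score to a patching SLA (assumed thresholds)."""
    if score >= 70:
        return "emergency: patch or isolate within 72h"
    if score >= 40:
        return "standard: patch within 14 days"
    return "scheduled: next maintenance window"


def prioritise(findings):
    """Return findings ordered most urgent first as (id, score, tier)."""
    scored = []
    for f in findings:
        score = priority_score(f)
        scored.append((f.finding_id, score, remediation_tier(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample findings (hypothetical assets and values).
SAMPLE_FINDINGS = [
    Finding("F-A", "build-server-01", cvss=9.8, epss=0.02, in_kev=False,
            internet_facing=False, regulated_data=False),
    Finding("F-B", "vpn-gateway", cvss=7.5, epss=0.60, in_kev=True,
            internet_facing=True, regulated_data=True),
    Finding("F-C", "vpn-gateway-dr", cvss=7.5, epss=0.60, in_kev=True,
            internet_facing=True, regulated_data=True,
            controls=frozenset({"waf", "segmented"})),
    Finding("F-D", "marketing-site", cvss=5.3, epss=0.05, in_kev=False,
            internet_facing=True, regulated_data=False),
]


if __name__ == "__main__":
    for fid, score, tier in prioritise(SAMPLE_FINDINGS):
        print(f"{fid}: {score:6.2f}  {tier}")
```

Running it orders the findings F-B, F-C, F-D, F-A: the weaponized flaw on the exposed VPN gateway holding regulated data lands in the emergency tier, the same flaw behind a WAF on a segmented standby drops to the standard tier rather than disappearing, and a medium-severity flaw on an exposed marketing host edges out a critical one on an internal build server that nobody is known to be exploiting. That last inversion is the point of the exercise: CVSS alone would have sent the team to the build server first.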

Broader Context: Ransomware’s Resilience and Business Model Evolution

Ransomware groups have demonstrated remarkable resilience. Recent reports, including from Rapid7, show ransomware revenues surging nearly 40% year-over-year in early 2026. These organizations operate like legitimate businesses, with professionalized affiliate programs, customer support on dark web portals, and rapid adaptation to law enforcement pressure. When one group is disrupted, others emerge or rebrand quickly.

This adaptability is fueled by the cybercrime ecosystem. Initial access brokers sell credentials and vulnerabilities, while specialized teams handle data exfiltration, negotiation, and laundering of proceeds. The result is a resilient supply chain that’s difficult for authorities to dismantle entirely. For compliance leaders, this means preparing not just for technical incidents but for sophisticated extortion campaigns that intersect directly with data protection obligations under GDPR, CCPA/CPRA, and similar frameworks.

Key Insights from Thom Langford’s Interview

During the discussion at Infosecurity Europe 2026, Langford shared several critical observations:

    • Ransomware operators are simplifying operations to maintain efficiency amid disruptions.
    • Data theft and double (or triple) extortion tactics allow attackers to achieve goals with less exposure.
    • Vulnerability exploitation has become the dominant entry method as defenses against phishing improve.
    • Threat intelligence combined with business context is essential for effective vulnerability management.
    • Compensating controls can bridge gaps when immediate patching isn’t feasible.

Practical Strategies for Organizations to Counter These Evolving Threats

Defending against this new wave requires a proactive, intelligence-driven approach. Here’s a detailed, numbered list of actionable recommendations drawn from Langford’s insights and broader best practices:

    1. Prioritize Vulnerability Management Ruthlessly: Implement a risk-based patching program. Use threat intelligence feeds to score vulnerabilities by exploitability, weaponization status, and relevance to your assets. Automate where possible but always layer in human context—does this flaw affect internet-facing systems holding regulated data?
    2. Strengthen Detection and Response Capabilities: Assume breach. Deploy endpoint detection, network monitoring, and data loss prevention tools to catch exfiltration attempts early; the signals to watch for are large outbound transfers to unfamiliar destinations, archiving tools run on file servers, and hosts whose egress volume suddenly departs from their own history. Regularly test incident response plans with ransomware-specific scenarios, including data theft simulations.
    3. Enhance Third-Party and Supply Chain Security: Many attacks originate through partners. Conduct thorough due diligence, enforce contractual security requirements, and monitor for anomalous behavior across integrations.
    4. Implement Compensating Controls: When patching can’t happen immediately (legacy systems, operational constraints), use virtual patching, network segmentation, least-privilege access, and robust monitoring to reduce risk. Treat these as buying time, not as closing the finding.
    5. Invest in Employee Awareness and Technical Controls: While social engineering is less dominant, it remains a threat. Combine ongoing training with technical safeguards like email filtering, MFA everywhere, and AI-powered anomaly detection.
    6. Develop a Comprehensive Extortion Response Plan: Work with legal, PR, and insurance teams in advance. Decide on ransom payment policies (paying is discouraged by law enforcement and many experts, and may be unlawful where the recipient is sanctioned), prepare breach notification templates, and understand regulatory timelines. Consider cyber insurance that covers data extortion specifically.
    7. Leverage AI and Automation Defensively: Use AI for faster threat detection and vulnerability prioritization, but maintain human oversight to avoid over-reliance or new attack vectors.
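The recommendation to “catch exfiltration attempts early” is the one most often left as a slogan, so here is an added Python example (written for this page, not Rapid7’s code) of its simplest useful form: baseline each internal host’s daily outbound volume to external addresses and alert when a day’s total is a large multiple of that host’s own median, which is what a data-theft-only intrusion looks like on the wire. A host that pushes a large backup every night stays quiet because it is consistent with itself. The flow-record format, the assumption that the organization owns 10.0.0.0/8, the public addresses (taken from the documentation ranges), the ratio and the byte floor are all constructed for illustration.

```python
"""Spotting data exfiltration in outbound flow logs (added example).

Each internal host's outbound volume to external addresses on the day under
review is compared with that host's own median over previous days. A steady
large transfer (a nightly backup) stays quiet; a sudden multiple of the
baseline, or a large transfer from a host with no history, raises an alert.
Log format, addresses and thresholds are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from statistics import median

# The organisation's own address space (assumed); anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=\S+ dport=\d+ bytes_out=(?P<bytes>\d+)$"
)


def is_internal(ip_text, nets=INTERNAL_NETS):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def parse(lines):
    """Yield (day, src, dst, bytes_out); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["day"], m["src"], m["dst"], int(m["bytes"])


def external_daily_totals(records, nets=INTERNAL_NETS):
    """src -> day -> total bytes sent to destinations outside our ranges."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in records:
        if not is_internal(dst, nets):
            totals[src][day] += nbytes
    return totals


def detect_exfil(lines, eval_day, ratio=5.0, floor_bytes=50_000_000):
    """Return alerts for hosts whose external egress on eval_day is anomalous.

    ratio:       multiple of the host's median daily egress that triggers
    floor_bytes: absolute minimum, so a host with a tiny or empty baseline
                 does not fire on a few kilobytes of noise
    """
    alerts = []
    for src, per_day in external_daily_totals(parse(lines)).items():
        today = per_day.get(eval_day, 0)
        # ISO dates compare correctly as strings, so "<" means "earlier".
        history = [b for d, b in per_day.items() if d < eval_day]
        baseline = median(history) if history else 0
        if today < floor_bytes:
            continue
        if baseline == 0 or today / baseline >= ratio:
            alerts.append({"src": src, "today": today, "baseline": baseline})
    return alerts


# Constructed flow records. 10.0.1.20 pushes a ~900 MB backup nightly;
# 10.0.1.15 normally sends ~1 MB/day externally, then 620 MB on 2026-06-04.
# Its 2 GB transfer to 10.0.5.40 is internal and must not count as egress.
SAMPLE_LOG = """\
2026-06-01T02:10:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=1200000
2026-06-01T03:00:00Z src=10.0.1.20 dst=198.51.100.7 proto=tcp dport=443 bytes_out=900000000
2026-06-01T09:30:00Z src=10.0.1.15 dst=10.0.5.40 proto=tcp dport=445 bytes_out=2000000000
2026-06-02T02:11:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=1200000
2026-06-02T03:00:00Z src=10.0.1.20 dst=198.51.100.7 proto=tcp dport=443 bytes_out=900000000
2026-06-03T02:09:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=1200000
2026-06-03T03:00:00Z src=10.0.1.20 dst=198.51.100.7 proto=tcp dport=443 bytes_out=900000000
2026-06-04T01:12:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=310000000
2026-06-04T01:40:00Z src=10.0.1.15 dst=203.0.113.9 proto=tcp dport=443 bytes_out=310000000
2026-06-04T03:00:00Z src=10.0.1.20 dst=198.51.100.7 proto=tcp dport=443 bytes_out=910000000
this line is deliberately malformed and must be skipped
"""


def run_example():
    return detect_exfil(SAMPLE_LOG.splitlines(), "2026-06-04")


if __name__ == "__main__":
    for a in run_example():
        print(f"ALERT {a['src']}: {a['today']:,} bytes out today "
              f"vs median {a['baseline']:,}")
```

On the sample data only 10.0.1.15 fires (620 MB against a 1.2 MB median); the backup host, sending 910 MB against a 900 MB median, does not, and the 2 GB internal copy to a file server is ignored because the destination is inside the organization’s own range. In production the same logic would run over NetFlow, firewall or cloud VPC flow logs with a baseline window of a few weeks, and the alert would be enriched with the destination’s reputation and the process that opened the connection before anyone pages the on-call analyst.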

The Human and Regulatory Dimensions

Thom Langford brings a pragmatic perspective shaped by decades bridging technical security and business leadership. His emphasis on aligning security with organizational goals resonates deeply in today’s environment, where compliance teams must justify investments not just in risk reduction but in enabling resilient growth.

For organizations handling personal data, these ransomware tactics create direct privacy implications. Exfiltrated data can trigger mandatory notifications, substantial fines, and class-action lawsuits. The UK ICO, EU data protection authorities, and U.S. state attorneys general are increasingly scrutinizing incident response effectiveness. Proactive measures—like data minimization, encryption at rest and in transit, and regular audits—become essential defensive layers, and data minimization in particular limits what an extortionist can threaten to publish.

Staying Ahead of Adaptive Adversaries

The ransomware landscape will continue evolving, potentially accelerated by AI tools that help attackers discover vulnerabilities or craft more convincing lures. Defenders must match this adaptability with continuous learning, investment in modern security platforms, and a culture of shared responsibility across the business.

Langford’s message is ultimately one of cautious optimism: while attackers are fast, organizations that invest in intelligence-driven programs, robust vulnerability management, and genuine resilience can significantly reduce their risk profile. This isn’t about achieving perfect security—an impossible goal—but about making your organization a harder, less attractive target while maintaining operational excellence.

In the words of experienced leaders like Langford, success comes from distinguishing the critical from the noise amid the vulnerability tsunami. For Captain Compliance readers and privacy practitioners, integrating these cybersecurity realities into broader data protection strategies is no longer optional—it’s fundamental to protecting individuals and organizations alike. 
